
Windows Analysis Report
XoilaFixer.exe

Overview

General Information

Sample name: XoilaFixer.exe
Analysis ID: 1647480
MD5: cd3c6e9d220bc5f45ccdbc65958b4595
SHA1: 4b1c43a79d6f0827f87a797734ee2ec9cc361e17
SHA256: 42e006cd726aa80af62ca03f177476b7c592bce5a77a4b3a074abda88e3dbe5d
Tags: exe, user-BastianHein

Detection

XWorm
Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains potential unpacker
Joe Sandbox ML detected suspicious sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (image): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious
  • System is w10x64
  • XoilaFixer.exe (PID: 2520 cmdline: "C:\Users\user\Desktop\XoilaFixer.exe" MD5: CD3C6E9D220BC5F45CCDBC65958B4595)
  • XoilaFixer.exe (PID: 7116 cmdline: "C:\Users\user\AppData\Roaming\XoilaFixer.exe" MD5: CD3C6E9D220BC5F45CCDBC65958B4595)
  • XoilaFixer.exe (PID: 3200 cmdline: "C:\Users\user\AppData\Roaming\XoilaFixer.exe" MD5: CD3C6E9D220BC5F45CCDBC65958B4595)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
XoilaFixer.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
XoilaFixer.exe | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
  • 0xa552:$str02: ngrok
  • 0xa592:$str02: ngrok
  • 0xa650:$str04: FileManagerSplitFileManagerSplit
  • 0xa570:$str05: InstallngC
  • 0xa28c:$str06: downloadedfile
  • 0xa25e:$str07: creatfile
  • 0xa240:$str08: creatnewfolder
  • 0xa222:$str09: showfolderfile
  • 0xa204:$str10: hidefolderfile
  • 0xa1d6:$str11: txtttt
  • 0xabff:$str12: \root\SecurityCenter2
  • 0xa6d6:$str13: [USB]
  • 0xa6bc:$str14: [Drive]
  • 0xa63e:$str15: [Folder]
  • 0xa540:$str16: HVNC
  • 0xac2b:$str19: Select * from AntivirusProduct
  • 0x9f98:$str20: runnnnnn
  • 0x9e38:$str21: RunBotKiller
XoilaFixer.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xa897:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa934:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xaa49:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xac8f:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\XoilaFixer.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\XoilaFixer.exe | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
  • 0xa552:$str02: ngrok
  • 0xa592:$str02: ngrok
  • 0xa650:$str04: FileManagerSplitFileManagerSplit
  • 0xa570:$str05: InstallngC
  • 0xa28c:$str06: downloadedfile
  • 0xa25e:$str07: creatfile
  • 0xa240:$str08: creatnewfolder
  • 0xa222:$str09: showfolderfile
  • 0xa204:$str10: hidefolderfile
  • 0xa1d6:$str11: txtttt
  • 0xabff:$str12: \root\SecurityCenter2
  • 0xa6d6:$str13: [USB]
  • 0xa6bc:$str14: [Drive]
  • 0xa63e:$str15: [Folder]
  • 0xa540:$str16: HVNC
  • 0xac2b:$str19: Select * from AntivirusProduct
  • 0x9f98:$str20: runnnnnn
  • 0x9e38:$str21: RunBotKiller
C:\Users\user\AppData\Roaming\XoilaFixer.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xa897:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa934:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xaa49:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xac8f:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000002.3147050297.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.3147050297.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x5efc1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x5f05e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5f173:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x5f33f:$cnc4: POST / HTTP/1.1
00000000.00000000.1286096045.00000000005A2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1286096045.00000000005A2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xa697:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa734:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xa849:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xaa8f:$cnc4: POST / HTTP/1.1
00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.2.XoilaFixer.exe.27d0000.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.XoilaFixer.exe.27d0000.0.raw.unpack | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
  • 0x9bc4:$str02: ngrok
  • 0x9c0e:$str02: ngrok
  • 0x9cd8:$str04: FileManagerSplitFileManagerSplit
  • 0x9be2:$str05: InstallngC
  • 0x98fe:$str06: downloadedfile
  • 0x98d0:$str07: creatfile
  • 0x98b2:$str08: creatnewfolder
  • 0x9894:$str09: showfolderfile
  • 0x9876:$str10: hidefolderfile
  • 0x9848:$str11: txtttt
  • 0xa21f:$str12: \root\SecurityCenter2
  • 0x9d5e:$str13: [USB]
  • 0x9d44:$str14: [Drive]
  • 0x9cc6:$str15: [Folder]
  • 0x9bb2:$str16: HVNC
  • 0xa24b:$str19: Select * from AntivirusProduct
  • 0x9670:$str20: runnnnnn
  • 0x9510:$str21: RunBotKiller
0.2.XoilaFixer.exe.27d0000.0.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x9f31:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9fce:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xa0e3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xa2af:$cnc4: POST / HTTP/1.1
0.2.XoilaFixer.exe.2b1b090.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.XoilaFixer.exe.2b1b090.1.raw.unpack | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
  • 0x9bc4:$str02: ngrok
  • 0x9c0e:$str02: ngrok
  • 0x9cd8:$str04: FileManagerSplitFileManagerSplit
  • 0x9be2:$str05: InstallngC
  • 0x98fe:$str06: downloadedfile
  • 0x98d0:$str07: creatfile
  • 0x98b2:$str08: creatnewfolder
  • 0x9894:$str09: showfolderfile
  • 0x9876:$str10: hidefolderfile
  • 0x9848:$str11: txtttt
  • 0xa21f:$str12: \root\SecurityCenter2
  • 0x9d5e:$str13: [USB]
  • 0x9d44:$str14: [Drive]
  • 0x9cc6:$str15: [Folder]
  • 0x9bb2:$str16: HVNC
  • 0xa24b:$str19: Select * from AntivirusProduct
  • 0x9670:$str20: runnnnnn
  • 0x9510:$str21: RunBotKiller

                System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\XoilaFixer.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XoilaFixer.exe, ProcessId: 2520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XoilaFixer
                No Suricata rule has matched

                AV Detection

Source: XoilaFixer.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: XoilaFixer.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: XoilaFixer.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: XoilaFixer.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.5:49720 -> 185.172.175.125:505
Source: global traffic | HTTP traffic detected: GET /76bh/img/main/Imagenep.png HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.199.111.133
Source: Joe Sandbox View | IP Address: 185.172.175.125
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /76bh/img/main/Imagenep.png HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: abolhb.com
Source: XoilaFixer.exe, 00000000.00000002.3147050297.000000000299A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: XoilaFixer.exe, 00000000.00000002.3147050297.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, XoilaFixer.exe, 00000000.00000002.3147050297.000000000297E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XoilaFixer.exe, 00000000.00000002.3147050297.0000000002990000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercont
Source: XoilaFixer.exe, 00000000.00000002.3147050297.0000000002990000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: XoilaFixer.exe, XoilaFixer.exe.0.dr | String found in binary or memory: https://raw.githubusercontent.com/76bh/img/main/Imagenep.png
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.5:49718 version: TLS 1.2

                System Summary

Source: XoilaFixer.exe, type: SAMPLE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: XoilaFixer.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.XoilaFixer.exe.2b1b090.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.XoilaFixer.exe.2b1b090.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.XoilaFixer.exe.27d0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.XoilaFixer.exe.27d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.XoilaFixer.exe.5a0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.0.XoilaFixer.exe.5a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3147050297.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1286096045.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3147050297.00000000029BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: XoilaFixer.exe PID: 2520, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPED | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: XoilaFixer.exe, 00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameimage.exe4 vs XoilaFixer.exe
Source: XoilaFixer.exe, 00000000.00000002.3147050297.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameimage.exe4 vs XoilaFixer.exe
Source: XoilaFixer.exe, 00000000.00000002.3147050297.00000000029BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameimage.exe4 vs XoilaFixer.exe
Source: XoilaFixer.exe, 00000000.00000002.3146428190.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXoilaFixer.ehP vs XoilaFixer.exe
Source: XoilaFixer.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XoilaFixer.exe, type: SAMPLE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: XoilaFixer.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.XoilaFixer.exe.2b1b090.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.XoilaFixer.exe.2b1b090.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.XoilaFixer.exe.27d0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.XoilaFixer.exe.27d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.XoilaFixer.exe.5a0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.0.XoilaFixer.exe.5a0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3147050297.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1286096045.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3147050297.00000000029BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: XoilaFixer.exe PID: 2520, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPED | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: XoilaFixer.exe, Announced.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XoilaFixer.exe, Announced.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XoilaFixer.exe.0.dr, Announced.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XoilaFixer.exe.0.dr, Announced.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, Conviction.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, Conviction.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, Conviction.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, Conviction.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, Conviction.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, Conviction.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XoilaFixer.exe.0.dr, Announced.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XoilaFixer.exe.0.dr, Announced.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XoilaFixer.exe, Announced.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XoilaFixer.exe, Announced.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, Conviction.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, Conviction.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XoilaFixer.exe, 00000005.00000002.1487254508.0000000000948000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;.VBP
Source: classification engine | Classification label: mal88.troj.evad.winEXE@3/3@2/3
Source: C:\Users\user\Desktop\XoilaFixer.exe | File created: C:\Users\user\AppData\Roaming\XoilaFixer.exe
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\XoilaFixer.exe | Mutant created: \Sessions\1\BaseNamedObjects\pkjQhJlF9B5aPdSm
Source: XoilaFixer.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XoilaFixer.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\XoilaFixer.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XoilaFixer.exe | Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\XoilaFixer.exe | File read: C:\Users\user\Desktop\XoilaFixer.exe
Source: unknown | Process created: C:\Users\user\Desktop\XoilaFixer.exe "C:\Users\user\Desktop\XoilaFixer.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\XoilaFixer.exe "C:\Users\user\AppData\Roaming\XoilaFixer.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\XoilaFixer.exe "C:\Users\user\AppData\Roaming\XoilaFixer.exe"
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: XoilaFixer.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: XoilaFixer.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: XoilaFixer.exe, Announced.cs; .Net Code: Supervisors uses System.AppDomain.Load(byte[])
Source: XoilaFixer.exe, Announced.cs; .Net Code: Telescope uses System.Reflection.Assembly.Load(byte[])
Source: XoilaFixer.exe.0.dr, Announced.cs; .Net Code: Supervisors uses System.AppDomain.Load(byte[])
Source: XoilaFixer.exe.0.dr, Announced.cs; .Net Code: Telescope uses System.Reflection.Assembly.Load(byte[])
Source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, Conviction.cs; .Net Code: Surveillance uses System.Reflection.Assembly.Load(byte[])
Source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, Conviction.cs; .Net Code: Surveillance uses System.Reflection.Assembly.Load(byte[])
Loading an assembly from a byte[] instead of from a file is the runtime-unpacking pattern: the next stage is decoded in memory and handed straight to the CLR, never written to disk as its own file, so the *.unpack memory regions listed below are where the decoded stage ends up.
Source: C:\Users\user\Desktop\XoilaFixer.exe; Code function: 0_2_00007FF7C79C15CB push eax; retf 0_2_00007FF7C79C15AD
Source: C:\Users\user\Desktop\XoilaFixer.exe; Code function: 0_2_00007FF7C79C1505 push eax; retf 0_2_00007FF7C79C15AD
Source: C:\Users\user\Desktop\XoilaFixer.exe; Code function: 0_2_00007FF7C79C1512 push eax; retf 0_2_00007FF7C79C15AD
Source: C:\Users\user\Desktop\XoilaFixer.exe; Code function: 0_2_00007FF7C79C1545 push eax; retf 0_2_00007FF7C79C15AD
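A stage handed to Assembly.Load(byte[]) only exists in memory, which is why the dumped regions listed later in this report matter. The following is an added example, not code from the report, from Joe Security or from the sample: it carves PE headers out of a raw dump and separates .NET images from native ones by the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry that the static PE information above also flags. The dump and the two header-only images inside it are constructed for the demonstration; the e_lfanew sanity limit of 0x1000 is an assumption.

```python
"""Carve PE images from a raw memory dump and tell .NET assemblies apart.

Added example, not code from the report, from Joe Security or from the sample.
Standard library only; the input dump is constructed below, but carve_pe()
applies unchanged to a real .sdmp file read as bytes.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32, PE32PLUS = 0x10B, 0x20B
DIR_COM_DESCRIPTOR = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR header


def parse_pe_at(buf: bytes, off: int):
    """Validate a PE header starting at buf[off]; return a description or None.

    The checks mirror what the loader needs, so a stray "MZ" in data is rejected.
    """
    if buf[off:off + 2] != IMAGE_DOS_SIGNATURE or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    nt = off + e_lfanew
    # Assumption: real headers keep e_lfanew small; huge values are data, not a PE.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or nt + 24 > len(buf):
        return None
    if buf[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine = struct.unpack_from("<H", buf, nt + 4)[0]
    opt = nt + 24                                    # IMAGE_OPTIONAL_HEADER
    if opt + 2 > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32:
        nrva_off, dir_off = 92, 96
    elif magic == PE32PLUS:
        nrva_off, dir_off = 108, 112
    else:
        return None
    if opt + nrva_off + 4 > len(buf):
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]   # same offset in PE32 and PE32+
    nrva = struct.unpack_from("<I", buf, opt + nrva_off)[0]
    dotnet = False
    if nrva > DIR_COM_DESCRIPTOR:
        entry = opt + dir_off + DIR_COM_DESCRIPTOR * 8
        if entry + 8 <= len(buf):
            rva, size = struct.unpack_from("<II", buf, entry)
            dotnet = rva != 0 and size != 0        # non-empty CLR directory => .NET image
    return {"arch": "PE32+" if magic == PE32PLUS else "PE32",
            "machine": machine, "size_of_image": size_of_image, "dotnet": dotnet}


def carve_pe(buf: bytes):
    """Return every plausible PE header in buf together with its offset."""
    hits, pos = [], buf.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        hdr = parse_pe_at(buf, pos)
        if hdr:
            hits.append({"offset": pos, **hdr})
        pos = buf.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


def dotnet_payloads(buf: bytes):
    """Slice out the images in a dump that carry a CLR header (SizeOfImage bytes each)."""
    return [buf[h["offset"]:h["offset"] + h["size_of_image"]]
            for h in carve_pe(buf) if h["dotnet"]]


def build_minimal_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed header-only image used as test input (not a real binary)."""
    e_lfanew = 0x80
    dos = (IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2)
           + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    machine, opt_size = (0x8664, 240) if pe32plus else (0x14C, 224)
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS if pe32plus else PE32)
    struct.pack_into("<I", opt, 56, 0x3000)                       # SizeOfImage
    nrva_off, dir_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, nrva_off, 16)                     # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dir_off + DIR_COM_DESCRIPTOR * 8, 0x2008, 0x48)
    return dos + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)


# Constructed dump: a stray "MZ" in data, a .NET PE32 image, filler, a native PE32+ image.
SAMPLE_DUMP = (b"\x90" * 37 + b"MZ" + b"\x00" * 10
               + build_minimal_pe(dotnet=True)
               + b"\xCC" * 100
               + build_minimal_pe(dotnet=False, pe32plus=True)
               + b"\x00" * 16)

if __name__ == "__main__":
    for h in carve_pe(SAMPLE_DUMP):
        print(f"offset 0x{h['offset']:x}: {h['arch']} machine=0x{h['machine']:x} "
              f"SizeOfImage=0x{h['size_of_image']:x} .NET={h['dotnet']}")
```

On a memory dump SizeOfImage is the right length to cut, because the image is already mapped; on a file carved from disk the raw size is the end of the last section instead, so the slice taken by dotnet_payloads() would need to be recomputed from the section table.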
Source: C:\Users\user\Desktop\XoilaFixer.exe; File created: C:\Users\user\AppData\Roaming\XoilaFixer.exe (dropped file)
Source: C:\Users\user\Desktop\XoilaFixer.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value XoilaFixer
Source: C:\Users\user\Desktop\XoilaFixer.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value XoilaFixer
Source: C:\Users\user\Desktop\XoilaFixer.exe; Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Process information set: NOOPENFILEERRORBOX (34 identical entries)
NOOPENFILEERRORBOX is the SetErrorMode flag SEM_NOOPENFILEERRORBOX, which suppresses the "file not found" dialog; many benign programs set it, so on its own it is a low-weight indicator.
Source: C:\Users\user\Desktop\XoilaFixer.exe; Memory allocated: EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XoilaFixer.exe; Memory allocated: 1A8F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Memory allocated: C60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Memory allocated: 1A7B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Memory allocated: A90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Memory allocated: 1A6E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, TID: 7992; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, TID: 3104; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\XoilaFixer.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Thread delayed: delay time: 922337203685477
922337203685477 is Int64.MaxValue (the tick count of TimeSpan.MaxValue) divided by 10,000, i.e. TimeSpan.MaxValue in milliseconds: the thread is told to wait effectively forever. The run used the sleep bypass described under Cookbook Comments, which cuts such waits down, so the behaviour after the sleep was still recorded.
Source: XoilaFixer.exe, 00000000.00000002.3146428190.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\XoilaFixer.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\XoilaFixer.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\XoilaFixer.exe; Queries volume information: C:\Users\user\Desktop\XoilaFixer.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Queries volume information: C:\Users\user\AppData\Roaming\XoilaFixer.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Queries volume information: C:\Users\user\AppData\Roaming\XoilaFixer.exe VolumeInformation
Source: C:\Users\user\Desktop\XoilaFixer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: XoilaFixer.exe, type: SAMPLE
Source: Yara match; File source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.XoilaFixer.exe.2b1b090.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.XoilaFixer.exe.27d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.XoilaFixer.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.3147050297.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1286096045.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3147050297.00000000029BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: XoilaFixer.exe PID: 2520, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPED

Remote Access Functionality

Source: Yara match; File source: XoilaFixer.exe, type: SAMPLE
Source: Yara match; File source: 0.2.XoilaFixer.exe.27d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.XoilaFixer.exe.2b1b090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.XoilaFixer.exe.2b1b090.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.XoilaFixer.exe.27d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.XoilaFixer.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.3147050297.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1286096045.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3147050297.00000000029BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: XoilaFixer.exe PID: 2520, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, type: DROPPED
MITRE ATT&CK matrix: techniques flagged for this sample, each with the number of matching signatures (cells of the matrix with no match are omitted):

Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Privilege Escalation: 1 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Discovery: 1 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 13 System Information Discovery
Collection: 1 Archive Collected Data
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol
Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration, Impact: no technique flagged

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1647480; Sample: XoilaFixer.exe; Start date: 24/03/2025; Architecture: WINDOWS; Score: 88

Start node:
• DNS: raw.githubusercontent.com; abolhb.com
• Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
• Processes started: XoilaFixer.exe (graph node 6, legend counter 1); XoilaFixer.exe (graph node 10, legend counters 15 and 4); XoilaFixer.exe (graph node 13)

Process node 6, XoilaFixer.exe:
• Dropped: C:\Users\user\AppData\...\XoilaFixer.exe.log, CSV
• Signature: Antivirus detection for dropped file

Process node 10, XoilaFixer.exe:
• abolhb.com, 185.172.175.125, port 505, HUGESERVER-NETWORKSUS, Lithuania
• raw.githubusercontent.com, 185.199.111.133, ports 443 and 49718, FASTLYUS, Netherlands
• 127.0.0.1, unknown, unknown
• Dropped: C:\Users\user\AppData\...\XoilaFixer.exe, PE32
• Dropped: C:\Users\...\XoilaFixer.exe:Zone.Identifier, ASCII

Antivirus detection

Source: XoilaFixer.exe; Detection: 56%; Scanner: Virustotal
Source: XoilaFixer.exe; Detection: 100%; Scanner: Avira; Label: TR/Dropper.Gen

Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe; Detection: 100%; Scanner: Avira; Label: TR/Dropper.Gen

No Antivirus matches
No Antivirus matches

Source: https://raw.githubusercont; Detection: 0%; Scanner: Avira URL Cloud; Label: safe. The string is truncated as it was found in memory (see the URL table below), so this verdict says nothing about the full raw.githubusercontent.com URL the sample actually fetched.


Contacted domains

Name: abolhb.com; IP: 185.172.175.125; Active: true; Malicious: false; Reputation: high
Name: raw.githubusercontent.com; IP: 185.199.111.133; Active: true; Malicious: false; Reputation: high
The Malicious and Reputation columns are automated reputation lookups. abolhb.com:505 is the connection the behavior graph attributes to the sample, and the Context tables below list eight other XWorm and Njrat samples contacting the same host, so treat the "false" here as a gap in the reputation feed rather than as a verdict.

Contacted URLs

Name: https://raw.githubusercontent.com/76bh/img/main/Imagenep.png; Malicious: false; Reputation: high

URLs from memory and binary strings

Name: https://raw.githubusercont; Source: XoilaFixer.exe, 00000000.00000002.3147050297.0000000002990000.00000004.00000800.00020000.00000000.sdmp; Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown
Name: https://raw.githubusercontent.com; Source: XoilaFixer.exe, 00000000.00000002.3147050297.0000000002990000.00000004.00000800.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; Source: XoilaFixer.exe, 00000000.00000002.3147050297.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, XoilaFixer.exe, 00000000.00000002.3147050297.000000000297E000.00000004.00000800.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://raw.githubusercontent.com; Source: XoilaFixer.exe, 00000000.00000002.3147050297.000000000299A000.00000004.00000800.00020000.00000000.sdmp; Malicious: false; Reputation: high
Contacted public IPs

IP: 185.199.111.133; Domain: raw.githubusercontent.com; Country: Netherlands; ASN: 54113; ASN Name: FASTLYUS; Malicious: false
IP: 185.172.175.125; Domain: abolhb.com; Country: Lithuania; ASN: 25780; ASN Name: HUGESERVER-NETWORKSUS; Malicious: false

Contacted private IPs

IP: 127.0.0.1
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1647480
                            Start date and time:2025-03-24 22:08:59 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 15s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Run name:Run with higher sleep bypass
Number of new started processes analysed:10
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:XoilaFixer.exe
                            Detection:MAL
                            Classification:mal88.troj.evad.winEXE@3/3@2/3
                            EGA Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 32
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
                            • Excluded IPs from analysis (whitelisted): 184.31.69.3, 172.202.163.200, 20.223.36.55, 150.171.28.10, 23.33.40.136
                            • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target XoilaFixer.exe, PID 2520 because it is empty
                            • Execution Graph export aborted for target XoilaFixer.exe, PID 3200 because it is empty
                            • Execution Graph export aborted for target XoilaFixer.exe, PID 7116 because it is empty
• Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time; Type; Description
22:09:53; Autostart; Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XoilaFixer C:\Users\user\AppData\Roaming\XoilaFixer.exe
22:10:01; Autostart; Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XoilaFixer C:\Users\user\AppData\Roaming\XoilaFixer.exe
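The Run-key writes in the timeline above (a self-copy under AppData\Roaming registered for autostart) and the abolhb.com:505 connection from the behavior graph are the two observations a detection engineer would encode first. The following is an added example, not code from the report, from Joe Security or from XWorm: it runs that logic over constructed Sysmon-style events (Event ID 11 file create, 13 registry value set, 3 network connection) that mirror the report's timeline, and scores a Run-key write higher when the same process wrote the target file just before. The SID, the benign updater entry, the list of ports treated as standard, the private-address prefixes and the score weights are assumptions.

```python
"""Endpoint detection for the two behaviours this report pins on the sample:
a Run-key value pointing at a self-copy under the user's AppData\\Roaming folder,
and an outbound connection to the XWorm host abolhb.com on TCP 505.

Added example; not code from the report, from Joe Security or from XWorm.
Input is a list of Sysmon-style events as dicts (Event ID 11 FileCreate,
13 RegistryEvent value set, 3 NetworkConnect), oldest first.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report (behavior graph and contacted IPs).
C2_HOSTS = {"abolhb.com", "185.172.175.125"}

# Assumptions, not from the report; tune per environment.
STANDARD_PORTS = {53, 80, 443, 8080, 8443}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$", re.I)
PRIVATE_PREFIXES = ("10.", "127.", "192.168.")   # crude loopback/RFC1918 filter


@dataclass
class Alert:
    rule: str
    image: str
    detail: str
    score: int


def path_from_details(details: str) -> str:
    """Run values are often quoted and may carry arguments; keep the executable path."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)]
    return d.split(" ")[0]


def scan(events):
    """One pass over ordered events. A Run-key write starts at 40, gains 30 when its
    target sits in user-writable AppData and 30 more when the same process created
    that file earlier (the drop-and-persist sequence recorded in this report)."""
    created = {}                      # image -> set of lower-cased files it created
    alerts = []
    for ev in events:
        eid, image = ev["EventID"], ev["Image"]
        if eid == 11:
            created.setdefault(image, set()).add(ev["TargetFilename"].lower())
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            target = path_from_details(ev["Details"])
            score, why = 40, ["Run-key value set"]
            if USER_WRITABLE.match(target):
                score += 30
                why.append("target under user AppData")
            if target.lower() in created.get(image, set()):
                score += 30
                why.append("target was written by the same process")
            alerts.append(Alert("autostart_runkey", image,
                                f"{ev['TargetObject']} -> {target} ({'; '.join(why)})", score))
        elif eid == 3:
            ip, port = ev["DestinationIp"], int(ev["DestinationPort"])
            host = ev.get("DestinationHostname", "")
            if host in C2_HOSTS or ip in C2_HOSTS:
                alerts.append(Alert("known_c2", image, f"{host or ip}:{port}", 100))
            elif port not in STANDARD_PORTS and not ip.startswith(PRIVATE_PREFIXES):
                alerts.append(Alert("nonstandard_port", image, f"{host or ip}:{port}", 30))
    return alerts


DESKTOP = r"C:\Users\user\Desktop\XoilaFixer.exe"
ROAMING = r"C:\Users\user\AppData\Roaming\XoilaFixer.exe"
HKU = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed SID

# Constructed Sysmon-style events mirroring the report's timeline.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DESKTOP, "TargetFilename": ROAMING},
    {"EventID": 13, "Image": DESKTOP,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\XoilaFixer",
     "Details": ROAMING},
    {"EventID": 3, "Image": ROAMING, "DestinationIp": "185.172.175.125",
     "DestinationPort": "505", "DestinationHostname": "abolhb.com"},
    {"EventID": 3, "Image": ROAMING, "DestinationIp": "185.199.111.133",
     "DestinationPort": "443", "DestinationHostname": "raw.githubusercontent.com"},
    # Constructed benign-looking entry: machine-wide Run value, target in Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]

if __name__ == "__main__":
    for a in sorted(scan(SAMPLE_EVENTS), key=lambda a: -a.score):
        print(f"[{a.score:3d}] {a.rule:<18} {a.image}: {a.detail}")
```

The correlation between Event ID 11 and 13 is what separates this sample's pattern from the many legitimate installers that also write Run keys: the updater entry scores 40 and would sit below an alerting threshold, while the self-copy scores 100. The raw.githubusercontent.com fetch on 443 produces nothing on its own, which is correct for a host shared with vast amounts of benign traffic; it only becomes interesting next to the other two hits.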
IP context (other samples seen contacting the same IP)

185.199.111.133:
• cr_asm2.ps1; Detection: malicious; Threat name: Unknown; Context: raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
• cr_asm_crypter.ps1; Detection: malicious; Threat name: Unknown; Context: raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
• cr_asm_hiddenz.ps1; Detection: malicious; Threat name: AsyncRAT, XWorm; Context: raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
• BeginSync lnk.lnk; Detection: malicious; Threat name: Unknown; Context: raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt

185.172.175.125:
• btoawpdtjhjawd.exe; Detection: malicious; Threat name: XWorm
• Output.exe; Detection: malicious; Threat name: XWorm
• SolaraExecutor.exe.bin.exe; Detection: malicious; Threat name: XWorm
• Output.exe; Detection: malicious; Threat name: XWorm
• COMSurrogate.exe.bin.exe; Detection: malicious; Threat name: XWorm
• mBBBgvD.exe; Detection: malicious; Threat name: AsyncRAT, BitCoin Miner, XWorm, Xmrig
• XWorm RAT V2.1.exe; Detection: malicious; Threat name: Njrat, XWorm
• 23khy505ab.exe; Detection: malicious; Threat name: Njrat
Domain context (other samples seen contacting the same domain, with the IP it resolved to for them)

raw.githubusercontent.com:
• LauncherV8.exe; Detection: malicious; Threat name: LummaC Stealer, Salat Stealer; Context: 185.199.109.133
• iwr.bat; Detection: malicious; Threat name: Quasar; Context: 185.199.110.133
• setup.exe; Detection: malicious; Threat name: Unknown; Context: 185.199.111.133
• setup.exe; Detection: malicious; Threat name: Unknown; Context: 185.199.108.133
• https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll; Detection: malicious; Threat name: Unknown; Context: 185.199.108.133
• GADAR.exe; Detection: malicious; Threat name: Unknown; Context: 185.199.110.133
• GADAR.exe; Detection: malicious; Threat name: Unknown; Context: 185.199.108.133
• https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe; Detection: malicious; Threat name: Unknown; Context: 185.199.110.133
• iroklas.exe; Detection: malicious; Threat name: LummaC Stealer; Context: 185.199.109.133

abolhb.com:
• btoawpdtjhjawd.exe; Detection: malicious; Threat name: XWorm; Context: 185.172.175.125
• Output.exe; Detection: malicious; Threat name: XWorm; Context: 185.172.175.125
• SolaraExecutor.exe.bin.exe; Detection: malicious; Threat name: XWorm; Context: 185.172.175.125
• Output.exe; Detection: malicious; Threat name: XWorm; Context: 185.172.175.125
• COMSurrogate.exe.bin.exe; Detection: malicious; Threat name: XWorm; Context: 185.172.175.125
• mBBBgvD.exe; Detection: malicious; Threat name: AsyncRAT, BitCoin Miner, XWorm, Xmrig; Context: 185.172.175.125
• XWorm RAT V2.1.exe; Detection: malicious; Threat name: Njrat, XWorm; Context: 185.172.175.125
• 23khy505ab.exe; Detection: malicious; Threat name: Njrat; Context: 185.172.175.125

Match; Associated Sample Name / URL; SHA 256; Detection; Threat Name; Link; Context
                                            FASTLYUSRECIPIENT_DOMAIN_NAME.svgGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                            • 185.199.110.133
                                            #Ud83d#Udd0aAudio_Msg Umanitoba.xhtmlGet hashmaliciousHTMLPhisherBrowse
                                            • 199.232.192.193
                                            Acgsys#receipt0191.htmlGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                            • 185.199.108.133
                                            0064_QB_Payment_Statemnt87T.svgGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                            • 151.101.130.137
                                            https://tfsgroups.com/contact-2/Get hashmaliciousUnknownBrowse
                                            • 151.101.129.229
                                            Sbafla response to shift in trend.msgGet hashmaliciousUnknownBrowse
                                            • 151.101.129.229
                                            https://8tf7eelab.cc.rs6.netGet hashmaliciousUnknownBrowse
                                            • 151.101.129.140
                                            Brave.exeGet hashmaliciousUnknownBrowse
                                            • 151.101.65.91
                                            702cb6e..emlGet hashmaliciousHTMLPhisherBrowse
                                            • 151.101.130.137
                                            HUGESERVER-NETWORKSUSbtoawpdtjhjawd.exeGet hashmaliciousXWormBrowse
                                            • 185.172.175.125
                                            Output.exeGet hashmaliciousXWormBrowse
                                            • 185.172.175.125
                                            SolaraExecutor.exe.bin.exeGet hashmaliciousXWormBrowse
                                            • 185.172.175.125
                                            Output.exeGet hashmaliciousXWormBrowse
                                            • 185.172.175.125
                                            COMSurrogate.exe.bin.exeGet hashmaliciousXWormBrowse
                                            • 185.172.175.125
                                            Nexol.exeGet hashmaliciousLummaC Stealer, PureLog Stealer, XWormBrowse
                                            • 185.172.175.147
                                            mBBBgvD.exeGet hashmaliciousAsyncRAT, BitCoin Miner, XWorm, XmrigBrowse
                                            • 185.172.175.125
                                            5BADc9D4Ir.exeGet hashmaliciousAmadey, SystemBCBrowse
                                            • 185.133.35.21
                                            https://share.hsforms.com/1_vnkKmfHQN2JeD59Dlknqg2nxhoGet hashmaliciousHTMLPhisherBrowse
                                            • 62.192.173.178
                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            3b5074b1b5d032e5620f69f9f700ff0egeneral.ps1Get hashmaliciousUnknownBrowse
                                            • 185.199.111.133
                                            general.ps1Get hashmaliciousKdot StealerBrowse
                                            • 185.199.111.133
                                            Order Details.exeGet hashmaliciousSnake KeyloggerBrowse
                                            • 185.199.111.133
                                            INGOE04.jsGet hashmaliciousAgentTeslaBrowse
                                            • 185.199.111.133
                                            COMPROVATIVO-14996813-MAR#U00c7O-ANCZ0-PD9BC - 208.htmlGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                            • 185.199.111.133
                                            25-03-25.exeGet hashmaliciousAgentTeslaBrowse
                                            • 185.199.111.133
                                            RFQ 11054.exeGet hashmaliciousSnake KeyloggerBrowse
                                            • 185.199.111.133
                                            Price Inquiry PO 211436.pdf.z.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 185.199.111.133
                                            3-25.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                            • 185.199.111.133
                                            No context
                                            Process:C:\Users\user\AppData\Roaming\XoilaFixer.exe
                                            File Type:CSV text
                                            Category:dropped
                                            Size (bytes):654
                                            Entropy (8bit):5.380476433908377
                                            Encrypted:false
                                            SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                            MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                            SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                            SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                            SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                            Malicious:true
                                            Reputation:moderate, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                            Process:C:\Users\user\Desktop\XoilaFixer.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):50176
                                            Entropy (8bit):5.579413998347093
                                            Encrypted:false
                                            SSDEEP:768:nwj1+sT2ijuJ4lJ87040qY1guzb+MMyklxfr1puhJOWF82o9Ze:nwjzT2iL/q8rb+MM/2bOH9k
                                            MD5:CD3C6E9D220BC5F45CCDBC65958B4595
                                            SHA1:4B1C43A79D6F0827F87A797734EE2EC9CC361E17
                                            SHA-256:42E006CD726AA80AF62CA03F177476B7C592BCE5A77A4B3A074ABDA88E3DBE5D
                                            SHA-512:00A6980EF286A075F18927364D200645695CA3B8AB3660B92135DE61BA688B1717B193A5EC2B79A0AFD9910DB42573A9C19520FD2D9DD5176F7A13E5135C2C31
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: Joe Security
                                            • Rule: rat_win_xworm_v2, Description: Finds XWorm v2 samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: Sekoia.io
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: ditekSHen
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            Reputation:low
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g................................. ........@.. ....................... ............@.................................P...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......(t..(d......&.....................................................(....*.r...p*. ~.H.*..(....*.r...p*. E/..*.s.........s.........s.........s.........*.r/..p*. M.).*.rC..p*. .6p.*.rY..p*. .O..*.ro..p*. .x!.*.r...p*. ....*..()...*.r...p*. *p{.*.r+..p*.+5s>... .... ....o?...(@...~....-.(6...(0...~....oA...&.-.*.r...p*. \...*.r...p*. ..c.*.r...p*. ....*"(7...+.*:.t....(3...+.*.r...p*. V.;.*.r...p*. ...*.r...p*. ..e.*.r...p*.r...p*. ...*.r...p*. . ..*.r...p*. E.A.*.r1..p
                                            Process:C:\Users\user\Desktop\XoilaFixer.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):5.579413998347093
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:XoilaFixer.exe
                                            File size:50'176 bytes
                                            MD5:cd3c6e9d220bc5f45ccdbc65958b4595
                                            SHA1:4b1c43a79d6f0827f87a797734ee2ec9cc361e17
                                            SHA256:42e006cd726aa80af62ca03f177476b7c592bce5a77a4b3a074abda88e3dbe5d
                                            SHA512:00a6980ef286a075f18927364d200645695ca3b8ab3660b92135de61ba688b1717b193a5ec2b79a0afd9910db42573a9c19520fd2d9dd5176f7a13e5135c2c31
                                            SSDEEP:768:nwj1+sT2ijuJ4lJ87040qY1guzb+MMyklxfr1puhJOWF82o9Ze:nwjzT2iL/q8rb+MM/2bOH9k
                                            TLSH:AD33D7C9A3D50132C1FF5AB219F3520A92F4A593481AC75EBCD515DA3BA7BC88640FE3
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. ....................... ............@................................
                                            Icon Hash:90cececece8e8eb0
                                            Entrypoint:0x40d89e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x67E18AE7 [Mon Mar 24 16:40:07 2025 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd850           0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe000           0x5ca         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xb8a4        0xba00    fa2cf7d3d27950b16db0ceceb9d26120  False     0.435525873655914   data       5.663366865089623    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xe000           0x5ca         0x600     3e2607ab137e445929296ac559c79835  False     0.4192708333333333  data       4.145944420748221    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x10000          0xc           0x200     17acbfaf4a563f1c238819a61b0d67b2  False     0.044921875         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA     Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xe0a0  0x340  data                                                                                                  0.41466346153846156
RT_MANIFEST  0xe3e0  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
Description       Data
Translation       0x0000 0x04b0
Comments          %Des%
CompanyName       %Company%
FileDescription   %Title%
FileVersion       1.0.0.0
InternalName      XoilaFixer.exe
LegalCopyright    %Copyright%
LegalTrademarks   %Trademark%
OriginalFilename  XoilaFixer.exe
ProductName       %Product%
ProductVersion    1.0.0.0
Assembly Version  1.0.0.0


                                            • Total Packets: 61
                                            • 505 undefined
                                            • 443 (HTTPS)
                                            • 53 (DNS)
                                            Mar 24, 2025 22:11:08.580179930 CET49744505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:09.593806982 CET49744505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:11.593802929 CET49744505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:15.593800068 CET49744505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:23.609456062 CET49744505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:32.363866091 CET49749505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:33.359687090 CET49749505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:35.375099897 CET49749505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:39.390970945 CET49749505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:47.390969992 CET49749505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:55.358314991 CET49755505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:56.359549999 CET49755505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:11:58.375246048 CET49755505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:02.375160933 CET49755505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:10.375235081 CET49755505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:20.019640923 CET49761505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:21.031524897 CET49761505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:23.047126055 CET49761505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:27.047152042 CET49761505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:35.047087908 CET49761505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:45.785589933 CET49767505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:46.797137022 CET49767505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:48.797208071 CET49767505192.168.2.5185.172.175.125
                                            Mar 24, 2025 22:12:52.797161102 CET49767505192.168.2.5185.172.175.125
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 24, 2025 22:09:51.021795034 CET | 58709 | 53 | 192.168.2.5 | 1.1.1.1
Mar 24, 2025 22:09:51.123230934 CET | 53 | 58709 | 1.1.1.1 | 192.168.2.5
Mar 24, 2025 22:09:57.441762924 CET | 62547 | 53 | 192.168.2.5 | 1.1.1.1
Mar 24, 2025 22:09:57.555185080 CET | 53 | 62547 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 24, 2025 22:09:51.021795034 CET | 192.168.2.5 | 1.1.1.1 | 0x6362 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Mar 24, 2025 22:09:57.441762924 CET | 192.168.2.5 | 1.1.1.1 | 0xb6e3 | Standard query (0) | abolhb.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 24, 2025 22:09:51.123230934 CET | 1.1.1.1 | 192.168.2.5 | 0x6362 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 22:09:51.123230934 CET | 1.1.1.1 | 192.168.2.5 | 0x6362 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 22:09:51.123230934 CET | 1.1.1.1 | 192.168.2.5 | 0x6362 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 22:09:51.123230934 CET | 1.1.1.1 | 192.168.2.5 | 0x6362 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 22:09:57.555185080 CET | 1.1.1.1 | 192.168.2.5 | 0xb6e3 | No error (0) | abolhb.com | | 185.172.175.125 | A (IP address) | IN (0x0001) | false
                                            • raw.githubusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49718 | 185.199.111.133 | 443 | 2520 | C:\Users\user\Desktop\XoilaFixer.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-24 21:09:51 UTC | 101 | OUT | GET /76bh/img/main/Imagenep.png HTTP/1.1
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
2025-03-24 21:09:51 UTC | 873 | IN | HTTP/1.1 200 OK
                                            Connection: close
                                            Content-Length: 31476
                                            Cache-Control: max-age=300
                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                            Content-Type: image/png
                                            ETag: "0aee22d8b1a8775302266ace0e8334efbe5be1447d6735d7fc3415ee954bc813"
                                            Strict-Transport-Security: max-age=31536000
                                            X-Content-Type-Options: nosniff
                                            X-Frame-Options: deny
                                            X-XSS-Protection: 1; mode=block
                                            X-GitHub-Request-Id: 4F52:2E2D51:AD81:E0A9:67E1C8C9
                                            Accept-Ranges: bytes
                                            Date: Mon, 24 Mar 2025 21:09:51 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-lga21979-LGA
                                            X-Cache: HIT
                                            X-Cache-Hits: 0
                                            X-Timer: S1742850591.479874,VS0,VE52
                                            Vary: Authorization,Accept-Encoding,Origin
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            X-Fastly-Request-ID: e5316142dbdc09df51eabebc03aacd2bcf4c5b14
                                            Expires: Mon, 24 Mar 2025 21:14:51 GMT
                                            Source-Age: 0
2025-03-24 21:09:51 UTC | 1378 | IN | Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 b8 00 00 00 00 01 08 06 00 00 00 15 9f 30 71 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00 00 0e c3 00 00 0e c3 01 c7 6f a8 64 00 00 7a 89 49 44 41 54 78 5e ed dd 79 e0 77 dd d7 d0 f3 27 b9 cd 43 48 78 cc b3 50 99 33 67 4c 86 c8 2c 25 f3 3c 66 96 0c a5 90 29 b3 48 14 32 97 24 44 28 95 cc 43 91 84 a8 cc 19 43 32 25 e7 d5 ef fb ae f5 2c e7 9c cf e7 73 5d d7 7d dd f7 f3 b8 fe 58 df 73 ce da 6b de 6b af bd cf 3e e7 7c be 5f f5 ad bf ea ab 7e f6 1f 7a c0 5f 7f c0 57 1d f0 f5 df 8e c1 cf bf ae 8f 3f 3f 07 ba fe a1 e3 fc 0c 7e 87 13 dc 17 09 7f e9 ba fe 25 0e f8 55 0f f8 67 df ce e1 7e c8 01 bf f0 01 ff e6 01 bf fa 01 7c fc 7a 07 fc 5e 03 f7
                                            Data Ascii: PNGIHDR0qsRGBgAMAapHYsodzIDATx^yw'CHxP3gL,%<f)H2$D(CC2%,s]}Xskk>|_~z_W??~%Ug~|z^
2025-03-24 21:09:51 UTC | 1378 | IN | Data Raw: 2b 3e 3c 47 c3 cf fe 69 07 6c 7d 3f f6 80 2b 3e 3e 7c db 03 cc 65 f1 fd 8d 07 c8 55 be cf fa a6 0f d5 c0 bf e3 00 e3 9f ad b5 19 ff df f0 00 fa fe db 03 a6 be 6f 74 80 7c ae 0e 01 ba d0 07 e4 92 89 3f 1a 35 48 4d 99 be 90 d3 9a 6d fb 82 5f bd eb de 76 f2 fd bd 07 5c f1 fd d4 03 8c 1b 79 b7 6b 82 fb a2 2b 3e fd a8 b6 fd 8e 07 7c 76 c0 e4 13 f3 2b be 7f ee 00 6b 68 eb 9d 5d 13 fe 9b 03 ae f8 7e b7 03 d8 43 f6 ee e3 e2 79 c6 a7 de 7d a7 03 fe ce 03 b6 3e fb ce 57 7c 72 c9 bd b5 79 7d 8f 5f 73 e4 15 df f7 3b e0 0f 3f 40 ad d1 3e f9 8c d1 2b 3e f3 80 78 aa 45 db 3f fb 1d 57 7c 72 d7 5e b9 31 b7 f9 fe 92 03 ce f8 b4 59 1f 5f b5 99 97 ae f4 c9 cb 7f f2 80 f6 78 26 9f da 7c c5 a7 5f cd 8f 67 f9 a2 56 5c f1 fd bb 07 b8 4f d4 ef 5b df ff 72 c0 95 0f f6 bb bb c7 d8
                                            Data Ascii: +><Gil}?+>>|eUot|?5HMm_v\yk+>|v+kh]~Cy}>W|ry}_s;?@>+>xE?W|r^1Y_x&|_gV\O[r
2025-03-24 21:09:51 UTC | 1378 | IN | Data Raw: 3e bb fe df 3a f8 27 2e d6 61 ee b3 ee ee 49 f0 7f 51 6b da 33 dd 62 71 b6 c6 ed 3d b3 47 39 61 4c f1 f5 3f 3c 80 5d ae ff fd 03 9e bd ef 32 56 ca f5 b3 58 5f e5 14 bb e7 fb 6b ec a6 cf 7b 26 e1 c0 2b 72 c5 8d 5c ef 9c d4 56 dc ce 72 c8 7b 4a 9b 6e c7 47 4e 58 bb ce be 9a f7 85 f5 d5 7c ff e1 4e e7 d9 d8 98 ef b1 c3 e9 bf 47 39 78 26 fb 5d c7 84 3e 7f a5 bf dd 37 9c c5 ea d9 38 cb b5 0f 91 77 f6 dd f4 bb f6 5d 67 dd 8f 58 0b b2 e9 6b c3 78 65 af f9 e5 43 de 8f 99 a7 ae da 9c ef fd 1e f3 fb 7c 87 76 c3 be df b1 af 3c eb 8b be 9b d7 fc e9 1c ec fb af e6 d3 ee c3 e4 40 ed 60 c6 4e 8d 69 7d eb 3d 84 f0 62 cf 1f 31 b9 8a 1d 78 26 0e 6c 9a 39 bd 41 be b5 d7 4b df 95 3f ad 0f e6 1e 30 98 b2 ab 99 fa 34 9c be 34 7e 1c b5 d7 b7 de a9 89 86 dd 78 d0 59 47 44 27 6f
                                            Data Ascii: >:'.aIQk3bq=G9aL?<]2VX_k{&+r\Vr{JnGNX|NG9x&]>78w]gXkxeC|v<@`Ni}=b1x&l9AK?044~xYGD'o
2025-03-24 21:09:51 UTC | 1378 | IN | Data Raw: a5 6f 11 e7 bb fa 33 96 be c5 7c 25 96 ee 83 be ec b1 e4 b3 3a 70 e5 b3 f7 77 5e f1 d9 bd d7 33 76 7f e7 03 26 bf fd 88 67 62 e4 1e 75 f2 d9 1b ed 39 97 f7 95 ba f7 a4 cb fc a0 ee 69 53 c7 c0 e4 25 6f ee 7f d1 6f 2e 17 13 be 5c c5 c4 6f 0d bc 12 13 fb 05 cf f8 76 b5 2e f7 0e e2 d4 87 e7 d9 75 f9 33 7d 31 9f 71 a2 87 9b f4 7c 99 6b e5 39 8f 34 96 d8 39 e9 8b a3 df 96 98 df db cc 38 fa be f7 95 38 7a ae a7 dd 77 c8 b3 9d 2c bf 7b 32 65 3d 13 ef fd fb 1f e2 87 c6 da cd 5a 77 b7 f5 2c d9 f1 51 5c d1 b9 b6 de f0 0e c0 94 55 1b 1b 3c 5f 9b 6d c5 cd fe ce 55 dc 7c bb fc 4a dc b4 9d f1 7d 91 73 bb 71 77 e5 9f 9c 79 c5 3f fb d2 67 7c 57 fe ed bd c6 67 72 e5 ee f7 19 b6 ad ef ba f6 fa b2 ec a9 ea 1f df c2 5b a7 84 9f fd f3 33 0e 78 a5 7f 8c 9d 67 62 7c 35 16 dc 77
                                            Data Ascii: o3|%:pw^3v&gbu9iS%oo.\ov.u3}1q|k94988zw,{2e=Zw,Q\U<_mU|J}sqwy?g|Wgr[3xgb|5w
2025-03-24 21:09:51 UTC | 1378 | IN | Data Raw: 2e dc fc 1f 61 e9 99 cf 21 b6 1e f7 6e fa c4 9a 72 f6 c9 a4 51 cf a7 2d bb e6 d3 b1 d7 54 93 df 33 a2 47 3a 7c ef 36 75 bc ab bf 53 a6 df 1f a5 d7 fb 20 57 7a d9 ee 7a ca 28 b7 9e a9 ef be ef d5 76 55 df e9 91 5b f2 c1 ef 72 95 8f e1 1d e5 60 bf a7 23 df cc 33 07 f3 cf 85 b3 31 f3 ec 3d 04 f9 8d 93 dd f6 ac 0c 74 fa 65 d2 7d 1e b5 65 eb 85 7b b6 de b8 df 75 af 1c 9e df d5 1b 6b b4 19 bb bb 7a a3 9e ca 45 f4 8f ee 4b cf de ab f7 7b b5 13 27 47 fd 4f a7 89 63 2f dc 95 bd d6 45 af d8 0b 3e 4f 7b 3d f7 f3 bf dc 66 0d c6 3b df 7d 47 77 65 83 3c c9 86 f9 5e 17 1e b1 f0 7b 2f 57 b1 30 c7 be 12 0b b9 f1 b5 25 16 57 ef b2 aa 5b 57 f1 60 e3 2b f1 d0 76 c6 f7 45 ae 0d fc 1f c9 f9 bf 87 a6 7f f6 74 5e f1 af f7 ba 37 df b3 b5 0d cf a3 5c b9 da 7f fa c7 df ae e1 b3 f5
                                            Data Ascii: .a!nrQ-T3G:|6uS Wzz(vU[r`#31=te}e{ukzEK{'GOc/E>O{=f;}Gwe<^{/W0%W[W`+vEt^7\
2025-03-24 21:09:51 UTC | 1378 | IN | Data Raw: c3 d9 ff 4a 43 e7 88 86 2e f4 64 c3 15 93 b3 f9 7c 7f c3 ae ce 36 8f 5c f1 5d f9 d9 fc fb 48 e7 0f 3f c1 9d 7d 8b f0 23 16 ee 91 5c ef ed 4c 1c 5f fa fe 61 ce fd ec 3f 5b 5b 7f d1 3e cb 13 76 fd c8 37 5c 78 f7 77 8f de d1 2d 87 ee de d1 95 1b 74 f4 8e ae eb f0 8e 72 68 be a3 eb 3b 86 83 f9 e7 82 dc b3 b7 79 35 7e ec f3 7d d9 c6 8f 3a d5 f8 61 ff d5 f8 41 e7 a8 bd f1 43 2f 9c 23 f9 67 fd 7a 37 7e ae f8 9e c9 a5 3b 9d cf 8e 9f 1f b5 70 8f e4 7e 88 f1 f3 45 fa 8c 9f 5d 3f fa 0d 17 fe 99 f1 c3 0e 6d 77 e3 47 6e d0 d1 f8 71 1d de 51 0e 3d 1a 3f 9e 71 93 91 0e 7c 8d 1f ef bf 3f 3b 7e 5a 53 9d f1 5d dd 0b be eb 9e 17 dc 59 9f 9c dd 0b fa 86 fb ca 3f fb 22 af f8 d7 7b af 9b ef 43 de cb 5f ad a7 fc 96 e7 b6 f5 d1 7a 8a bc fd de eb e7 d1 17 ef 73 af 6e 1c f1 25 fc
                                            Data Ascii: JC.d|6\]H?}#\L_a?[[>v7\xw-trh;y5~}:aAC/#gz7~;p~E]?mwGnqQ=?q|?;~ZS]Y?"{C_zsn%
2025-03-24 21:09:51 UTC | 1378 | IN | Data Raw: 4b ba f2 47 7f bc e2 8f 5c 7c 64 27 fe 7f eb 80 c9 2f 3f d8 e2 37 fc e6 1e d0 b4 c5 6f 82 7e ec d8 16 bb 47 3e 91 f9 6f 1f 50 1b 99 fc f1 9b 31 57 fe f8 ff 72 cf fa a3 d6 fd df 6f b8 e0 99 38 5f d5 3a f3 c4 d4 6d 1f ed 8b a8 75 6c bd 93 f7 ea ff 8a a5 f3 4e 9e ff dd 81 d6 d1 5e 33 9c df 43 86 73 dc f2 b4 9f d5 e2 e2 f5 79 ee 8f bb e6 a3 fe 4a 47 63 65 ca ff 32 d6 ec e9 c3 b6 ef cb f0 ff 68 b3 4f dc b7 7d e5 48 79 c1 be ea c0 c7 b2 4f ed f0 fb 3f b3 76 b1 85 6e f9 e0 7b ed 57 6a 87 df 9d 23 bb 36 f3 a7 f5 71 d7 d5 0d 75 f3 b3 03 e8 df ff a3 55 bb 7d de cd f7 3e 75 68 7f 8b f6 ca b3 36 72 f7 dc 3e c7 2e fd cf d6 82 6a d5 5d 2d 78 54 5b 66 ed ab 56 dd d5 3e 34 77 f2 66 ed ab 56 f1 19 ce 71 cb 43 73 27 cf fa 06 ad a3 38 c3 f9 9f c5 70 8e 5b 9e f6 b3 da f7 ca
                                            Data Ascii: KG\|d'/?7o~G>oP1Wro8_:mulN^3CsyJGce2hO}HyO?vn{Wj#6quU}>uh6r>.j]-xT[fV>4wfVqCs'8p[
2025-03-24 21:09:51 UTC | 1378 | IN | Data Raw: 7c d8 b9 ef 6d d5 3d cf 3d 27 0e 58 93 79 bf 4b cc e0 ad c9 c4 87 fd de 13 9b df 26 a2 67 4f 73 4a fd c4 67 df cf d0 af cd 11 de fa 4d dc c4 9a 1e f7 69 8d 4f 7a ac a1 e9 30 47 4e 1d ec 3f 5b 3b fa 1f 04 93 ff 8c 0e 6e df eb f3 27 9b ca 81 6c 0f 9f ed fd 1f 20 63 c2 f7 74 6c 3f 8b 27 3b ea 6b eb b3 d6 93 bb bf e6 fe 19 98 7b 18 74 7e c8 fe d2 f6 53 0e 98 31 12 5f fe 4e 39 57 7d 68 2d 5c 1c 8a cb ec c3 fa eb 27 1c 30 e5 d1 eb 79 ec a3 be 89 df 78 9b 78 36 b0 df f8 76 c4 fb 13 0f 98 34 67 f2 9e d5 0b f7 a1 72 c2 f1 95 9c a8 5e 92 07 3f ff b7 0b 98 f3 2d 7d 67 fd 9b 0f f3 3e a0 f1 b9 ff 97 17 9c f7 12 37 ce f7 ca 13 a7 4f ed 6d ed ff c5 51 1f f9 ae 73 d2 f3 8d 7e 6d f6 9d 66 9b 9c fe b6 07 d8 63 ce ee 60 d6 33 b0 e7 3f bf 95 31 af c5 6b 5e 8b e7 1f 75 40 f9
                                            Data Ascii: |m=='XyK&gOsJgMiOz0GN?[;n'l ctl?';k{t~S1_N9W}h-\'0yxx6v4gr^?-}g>7OmQs~mfc`3?1k^u@
2025-03-24 21:09:51 UTC | 1378 | IN | Data Raw: f7 9e 64 35 0d cf b3 63 cb de e2 ac 6d f0 62 a9 46 18 5b f2 84 cc f0 5f f6 fa e6 1b 2e e0 fc ae 3f f9 05 37 7f 83 0d a8 29 9d d7 9f f6 83 66 8c d8 b9 f7 4e d0 d9 fb d8 74 7f ca db f5 a4 33 7e 40 74 c6 23 ff e6 38 d3 97 f0 fb 9e 5b 6c c5 ca d8 74 9c 3c 70 6a e1 c4 35 6f eb 4b c0 3e d7 68 ad 0f 26 ad 3a 8e 1f 9e 9d df e6 80 69 27 1e 74 5b e7 8c 59 b8 b3 7b f4 ea b4 3d 8d 2d f7 ee 9e 5e bb 78 4c bd 9e 4f 7b cf 4f 7e 88 49 b4 6a a7 b8 4c de b3 67 13 6c d1 b6 ef fb e1 c8 9b ba 1a 33 d9 af 4f a7 fd 68 d8 61 3f fc 4a 2e 19 b5 89 f3 94 ef 1e c6 33 3e 6d 7b 9f 21 d9 72 df d1 35 ff f8 29 67 ca 85 33 1f d1 db 4f bd 1a a7 ad 1f af 7c 7a df b1 ea 9c 9f 68 a3 6b 7e 69 9e f2 8c b1 67 b9 d5 bd 09 d1 b7 4f f2 97 1f f0 fd df ce e9 8c ee 0a fe f1 37 70 2e 16 bb 1e 88 c1 9c
                                            Data Ascii: d5cmbF[_.?7)fNt3~@t#8[lt<pj5oK>h&:i't[Y{=-^xLO{O~IjLgl3Oha?J.3>m{!r5)g3O|zhk~igO7p.
2025-03-24 21:09:51 UTC | 1378 | IN | Data Raw: b8 e7 89 de da 4d 5b df b1 84 f7 bc 86 de e4 84 f7 6c 47 3e 6e bc 35 15 f9 d9 93 5e f7 6b f4 79 67 c3 dc 1a 3d 1a 31 de 76 7a 1f d4 3d e1 a6 97 eb 67 fe 1a b7 78 c3 9b 6f e1 c9 26 f7 3b 1e a0 de 87 6f df c5 f3 ae 69 bf 35 87 73 fb 55 68 c3 7b 8e 62 ec 6d bc fe 3b a3 ff d1 6f e7 1b ff 27 1f 70 26 c7 fb e0 67 f4 ec 74 6e 4e d8 79 72 86 f7 6e 92 fa 43 de c4 8b 83 f3 e4 17 e7 f6 4e c4 62 f6 d7 77 3a 80 9c 8d d7 4f e8 d5 32 79 91 7c ef 62 c2 d7 5f e5 ed 77 3d 00 de 77 0e ec 09 6f fe 83 d7 cf c6 50 f2 8d 47 78 cf 50 f4 69 f4 ee 2b e9 8a 3e bd 6a 32 fa ed ef 0f 3e 80 fd 3b 4f 8c 3b f8 1d 37 f9 79 46 4f ce f4 2b bc 35 91 f3 2d e7 1f 79 3b df f4 f6 d1 be fa 80 4d ef 7d 72 35 6b eb fd 9e 07 e0 0f 5f 7c e4 aa 98 6c f9 de 2d 3d 1b 8f fa 48 1c b7 7c ef b7 d3 bb e9 ed
                                            Data Ascii: M[lG>n5^kyg=1vz=gxo&;oi5sUh{bm;o'p&gtnNyrnCNbw:O2y|b_w=woPGxPi+>j2>;O;7yFO+5-y;M}r5k_|l-=H|


[Chart removed: x-axis 0 to 150 s, y-axis 0 to 100]

[Chart removed: x-axis 0 to 150 s, y-axis 0 to 30 MB]

[Process behavior distribution chart: File, Registry, Network]

Target ID: 0
Start time: 17:09:49
Start date: 24/03/2025
Path: C:\Users\user\Desktop\XoilaFixer.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\XoilaFixer.exe"
Imagebase: 0x5a0000
File size: 50'176 bytes
MD5 hash: CD3C6E9D220BC5F45CCDBC65958B4595
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3147050297.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3147050297.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1286096045.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1286096045.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: rat_win_xworm_v2, Description: Finds XWorm v2 samples based on characteristic strings, Source: 00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, Author: Sekoia.io
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3146989330.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3147050297.00000000029BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3147050297.00000000029BE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

Target ID: 1
Start time: 17:10:01
Start date: 24/03/2025
Path: C:\Users\user\AppData\Roaming\XoilaFixer.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\XoilaFixer.exe"
Imagebase: 0x510000
File size: 50'176 bytes
MD5 hash: CD3C6E9D220BC5F45CCDBC65958B4595
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: Joe Security
                                            • Rule: rat_win_xworm_v2, Description: Finds XWorm v2 samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: Sekoia.io
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XoilaFixer.exe, Author: ditekSHen
                                            Antivirus matches:
                                            • Detection: 100%, Avira
Reputation: low
Has exited: true

Target ID: 5
Start time: 17:10:09
Start date: 24/03/2025
Path: C:\Users\user\AppData\Roaming\XoilaFixer.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\XoilaFixer.exe"
Imagebase: 0x450000
File size: 50'176 bytes
MD5 hash: CD3C6E9D220BC5F45CCDBC65958B4595
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: M_H$(0e%$r6b%
                                            • API String ID: 0-1722477926
                                            • Opcode ID: b0f326c4c6dc9939c96f0eb9cdf7b02d3a489112e92b2c9615c3a4e8abf24154
                                            • Instruction ID: c0a8daf7a32f863bcfca2423332ac120d3cfdaace4539906e8828789d894b9c7
                                            • Opcode Fuzzy Hash: b0f326c4c6dc9939c96f0eb9cdf7b02d3a489112e92b2c9615c3a4e8abf24154
                                            • Instruction Fuzzy Hash: 7171F971F1C9498FEB58EF28D8556B9B7E2FF99751F44017AE00ED7282DE24A8028B50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HBl%$r6b%
                                            • API String ID: 0-986867622
                                            • Opcode ID: e46d948548b7d35e82289afcbdbe2ee4b6999736894b65ae16d630420269d93b
                                            • Instruction ID: 50b5bd1b00fce3f400cd1de84a8b9b4df6a23b461930b44f285c31a9e6f7d876
                                            • Opcode Fuzzy Hash: e46d948548b7d35e82289afcbdbe2ee4b6999736894b65ae16d630420269d93b
                                            • Instruction Fuzzy Hash: 0B81D431F1C91A4FEB98AB2C84592BDB7D1FF98351F604579D40EC32C6ED28AC028791
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0Dl%$0Dl%
                                            • API String ID: 0-1328353002
                                            • Opcode ID: c7083b3126adcdbbce6bc577adf4ff7cc090a55d5395e55dd20bf5218d51341e
                                            • Instruction ID: a7a198c5534044ee91584806b4c90b8bbf71e0506fd6e8c92da22562fe962e4e
                                            • Opcode Fuzzy Hash: c7083b3126adcdbbce6bc577adf4ff7cc090a55d5395e55dd20bf5218d51341e
                                            • Instruction Fuzzy Hash: B641E730A1894A4FE798FF2C8895679B7E1FF48351F9005B9D44EC32D2DE28BC428B90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0Dl%
                                            • API String ID: 0-615576141
                                            • Opcode ID: 8b2fb57c73d3e13dd4dde92228ef4d3371c0aae16d15e7cc09cb99fb9a660372
                                            • Instruction ID: ff9e7140139533e26e1ce3dd6f30a5d521eca74d5d08b03122cd0f33cb596b33
                                            • Opcode Fuzzy Hash: 8b2fb57c73d3e13dd4dde92228ef4d3371c0aae16d15e7cc09cb99fb9a660372
                                            • Instruction Fuzzy Hash: AA51F516A0E696CBD702BBBC7C555E97B90DF4227AB5C42B7D0CC8A0D3DC08748A87D5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: r6b%
                                            • API String ID: 0-3697013579
                                            • Opcode ID: dafc40d295480740bf52f7340cdc72b665893d1113e83b0ecd170eff9ae17d19
                                            • Instruction ID: 21eac9380b85b44ebd072065bc6686fded99d6485b313b28794294fd4c7f5256
                                            • Opcode Fuzzy Hash: dafc40d295480740bf52f7340cdc72b665893d1113e83b0ecd170eff9ae17d19
                                            • Instruction Fuzzy Hash: 19412630D1DAC68FE756AB3848266A57FA1EF47360F5801EAD049C72D3CE2C6807C762
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 6b%
                                            • API String ID: 0-1926265656
                                            • Opcode ID: fadc8c2537f11e8e09c60d096dda748e709cfa702531594633f187d10921622b
                                            • Instruction ID: afece38a107e0fd702485b2697f8b7f0d92fdb5446a56bf8f8e93d81a89cc0df
                                            • Opcode Fuzzy Hash: fadc8c2537f11e8e09c60d096dda748e709cfa702531594633f187d10921622b
                                            • Instruction Fuzzy Hash: 1D31F760A5DA868FEB45BB784C692B87BF1EF55790F5841BAE009C32C3DD18A802C752
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: r6b%
                                            • API String ID: 0-3697013579
                                            • Opcode ID: 8ee1e2a84b5ce470daea6de5e198043a9dd66c22d1742b67c3e325eb3b658323
                                            • Instruction ID: 878503a23e24ad91ccb4aa0a86b598a3fab154eb87f5c0e3d01c08ec2c3389ca
                                            • Opcode Fuzzy Hash: 8ee1e2a84b5ce470daea6de5e198043a9dd66c22d1742b67c3e325eb3b658323
                                            • Instruction Fuzzy Hash: 8321D571E189598FE798EF2894596B977E1FF99710FA04479E40EC33C2CE28AC02C761
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HBl%
                                            • API String ID: 0-2394293900
                                            • Opcode ID: 42cf59434e168e6e1849514bcf6f187e3f558f49574888788c2807b0ec7f33c1
                                            • Instruction ID: 3f07db229c9f7412fd24f68173f6018d2410789ad77dc32ebaa3efe8753e75c9
                                            • Opcode Fuzzy Hash: 42cf59434e168e6e1849514bcf6f187e3f558f49574888788c2807b0ec7f33c1
                                            • Instruction Fuzzy Hash: EC01F120D4E7C24FEB5ABB7888762786FA19F42350F9800FAD04ACB1D3DD1C68068721
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HBl%
                                            • API String ID: 0-2394293900
                                            • Opcode ID: df3315f70de2fca4b1d7e619c28ee03d2e3fb652ecc13b7098b30ec9364ced3a
                                            • Instruction ID: d34b14bff704a7bc62090c9f4622c5e3e7973d2cc125e10e8008f27b6d0e9d2c
                                            • Opcode Fuzzy Hash: df3315f70de2fca4b1d7e619c28ee03d2e3fb652ecc13b7098b30ec9364ced3a
                                            • Instruction Fuzzy Hash: EB01A211E1D6864FEB667B7844252B86A91EF86761FD501F6E00AC75C3ED1C78028762
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HBl%
                                            • API String ID: 0-2394293900
                                            • Opcode ID: ba8b33e7b4a5e1431eb4d328e0b27e14978be5a65fd0f0a2bf236b5695175ebc
                                            • Instruction ID: 0aa4e1ce310f2f6d61b9d6568555042c8e297a319bae6575728d29f7b46d8a67
                                            • Opcode Fuzzy Hash: ba8b33e7b4a5e1431eb4d328e0b27e14978be5a65fd0f0a2bf236b5695175ebc
                                            • Instruction Fuzzy Hash: 7BF03060E5C5074BFB98BE78A4662B852929F957A1F9400B9E00EC76C3DD2C78434764
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8el%
                                            • API String ID: 0-3633051253
                                            • Opcode ID: d860ae5db094077de5ddbb7c14617ea9bf66fdaf2af93800678581f4f8924690
                                            • Instruction ID: d205769619e0b157cab1abb974f151ffe4ba6038e3a69f1f0393b2b96ae65ec7
                                            • Opcode Fuzzy Hash: d860ae5db094077de5ddbb7c14617ea9bf66fdaf2af93800678581f4f8924690
                                            • Instruction Fuzzy Hash: A6F05C65D1C6058FF744F93C684147ABBE0EFD4360F90082BF808C3195DE14EA414791
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e485a92a2ce3d47b837714840d5b7e05b327e6c7ecfdd8ffe36fc0b6b948e426
                                            • Instruction ID: 8d00672a7f7cca1252f5efd52409e82ca6a011d77bd04e97075ee941a5c68e9a
                                            • Opcode Fuzzy Hash: e485a92a2ce3d47b837714840d5b7e05b327e6c7ecfdd8ffe36fc0b6b948e426
                                            • Instruction Fuzzy Hash: 3031A52661E2D68FD702BBB88C614E97F70EF8A25475541F7D048CB297DD28680AC762
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1bf2fbf05bcb60db63918dbb1089a676572ce0f863361241bf9c5b94364a77aa
                                            • Instruction ID: f706339f6ffc32c6ecfa9528084b3764cbbaa260dc08180bec8070f187429589
                                            • Opcode Fuzzy Hash: 1bf2fbf05bcb60db63918dbb1089a676572ce0f863361241bf9c5b94364a77aa
                                            • Instruction Fuzzy Hash: F5514831A4DB864FE756AB3848192787BF1EF86664B4800FBD48DC7193DD1CAC038752
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1501c0244389f2ee209dc11704dad265a7205ebfd9500818129ffc337ad1cfc2
                                            • Instruction ID: 533e3bd094a99f967099f18f0bd3fad6e27ee4cf5c215e78290786b8e51e32bd
                                            • Opcode Fuzzy Hash: 1501c0244389f2ee209dc11704dad265a7205ebfd9500818129ffc337ad1cfc2
                                            • Instruction Fuzzy Hash: B9511C76E0E6C68FDB05EF7C5C560F9BBA1FF41214BA4407AD04847287DD29A906CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3492085a8526036d075b2d189dbf2d5da339fc5b6f78db3052d693506fad8eca
                                            • Instruction ID: 2089a11ac77d8fb90cf262799fd9364d68c6bc15a8063f8b533b14296a69904b
                                            • Opcode Fuzzy Hash: 3492085a8526036d075b2d189dbf2d5da339fc5b6f78db3052d693506fad8eca
                                            • Instruction Fuzzy Hash: DE41A370908A5D8FDB98EF58C495BA9BBE1FF55311F10016EE00AC7692CB35E842CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 33c44233df9f450c70c6f953f56c660af97c92b2ff6b4f86503f13705392325a
                                            • Instruction ID: 4cfae9b54c31ad7bfed1645b97eb9203dab19af26b6f5a3f033ccf20d36df56f
                                            • Opcode Fuzzy Hash: 33c44233df9f450c70c6f953f56c660af97c92b2ff6b4f86503f13705392325a
                                            • Instruction Fuzzy Hash: 2D418F30A08A1D8FEB98EF58C895AB9B7E0FB58311F10416ED00AD3691DB75E842CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3bc7bc9747cf2e17d155f757ad18ad83213d0cf440460e943e8753deb80b7e0e
                                            • Instruction ID: f77d9da2b0451bd48473f132dedc240d8e3db206b8603befb0fd072411d5214d
                                            • Opcode Fuzzy Hash: 3bc7bc9747cf2e17d155f757ad18ad83213d0cf440460e943e8753deb80b7e0e
                                            • Instruction Fuzzy Hash: 48417E70A08A1D8FEF98EF58D495BA9BBE1FB54311F10416EE00AD3691CB75E842CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 28184199824696073931ff7cbd0d696ca22a451e6388f251aa98d35085244c80
                                            • Instruction ID: 433eee63ecbe00b1dafa85dcf85606a01e6a674811ab94172d4f47f2a4aef20d
                                            • Opcode Fuzzy Hash: 28184199824696073931ff7cbd0d696ca22a451e6388f251aa98d35085244c80
                                            • Instruction Fuzzy Hash: 02419230A09A1D8FDB98EF58C895BA9B7E1FF58311F00416ED00AC3691DB75E841CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 18435e250b72c37ba1d9caabe1a4b52bd5b7b18debd9300cbff28cb7c311f641
                                            • Instruction ID: 46af98125975c7292c6babc7f975d02b20543c8845824c0e7b4cda5a5e91d1b4
                                            • Opcode Fuzzy Hash: 18435e250b72c37ba1d9caabe1a4b52bd5b7b18debd9300cbff28cb7c311f641
                                            • Instruction Fuzzy Hash: F611A07965964A8FC744BBA888614E97B61FF88204BE04478E00DC3387CE2CB9048761
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 34ead7252f7c44f9df24bb9d73eff95559e4ed11d7507cbc30d549f2e65d29c2
                                            • Instruction ID: 0e45c2381e82fcac2f238408a5a3892d29b72472e33223241d96d05abb0232da
                                            • Opcode Fuzzy Hash: 34ead7252f7c44f9df24bb9d73eff95559e4ed11d7507cbc30d549f2e65d29c2
                                            • Instruction Fuzzy Hash: 3B01D451B29D4A4BDB44B77D0C562FEF692EF88294BA001B9D02EC72D3DD18B8058391
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7a6450cb95d791774749f41b10ebbce24f9e292f498c376a797631ff22bac228
                                            • Instruction ID: a02d3223a44bae1c9655e3c5e8e4a0d3be8a5658109babe31571ce8b8c42e14e
                                            • Opcode Fuzzy Hash: 7a6450cb95d791774749f41b10ebbce24f9e292f498c376a797631ff22bac228
                                            • Instruction Fuzzy Hash: 8501F760A1864BAFD705AB788C505F9BBB1FF95350F900172D41AD7183DE34782987A0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.3148625322.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c9e8b8a3e10b6032a7f81bf5b7aae7159d85cbf1e64f0ef60e6ed88ddf04a7a4
                                            • Instruction ID: 27020ee641876e8dccaa742afb42bd0642b9c99900ac925c630cc870f2ac22f4
                                            • Opcode Fuzzy Hash: c9e8b8a3e10b6032a7f81bf5b7aae7159d85cbf1e64f0ef60e6ed88ddf04a7a4
                                            • Instruction Fuzzy Hash: 09E0ED21B1891D4FEF41BBAC58592FDB7E1EF9C222F540076D50DD3292DE28A8418751

                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1407655070.00007FF7C7990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7990000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ff7c7990000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0Dl%$0Dl%
                                            • API String ID: 0-1328353002
                                            • Opcode ID: 7a326c2399e9bd4488a80e59ff49b8269907f0f2b9d1ed40796de15e99f07e6c
                                            • Instruction ID: b41cae6619a982b97d110fd904aca95d63b83c980f2c573196538d759dda6459
                                            • Opcode Fuzzy Hash: 7a326c2399e9bd4488a80e59ff49b8269907f0f2b9d1ed40796de15e99f07e6c
                                            • Instruction Fuzzy Hash: 7631D531A1891A8FE398FB2C849577973E2FF8C745B9405B9D40EC7296DE39BC428740
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1407655070.00007FF7C7990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7990000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ff7c7990000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8el%
                                            • API String ID: 0-3633051253
                                            • Opcode ID: d6fe0af187fdbef6db3371ef6f3050ad6e4981e80089df7eacdb624e20bc2635
                                            • Instruction ID: 9d327b4632e8ffe48549583c051d18f95c8e61d678dc23d06d88290ea0ba02b5
                                            • Opcode Fuzzy Hash: d6fe0af187fdbef6db3371ef6f3050ad6e4981e80089df7eacdb624e20bc2635
                                            • Instruction Fuzzy Hash: 9701285040D7D20FE383A77898554627FF1DF87220B4940EFE488CB0A3C91C9946C752
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1407655070.00007FF7C7990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7990000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ff7c7990000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b8017182beca2621afed0ca2616d4926b6df747f62d3af269309832b473e827b
                                            • Instruction ID: 4557a690fde02d2e416f7ad744ec0b19dbfded9c3b3bfebb3dcd365c9c419b32
                                            • Opcode Fuzzy Hash: b8017182beca2621afed0ca2616d4926b6df747f62d3af269309832b473e827b
                                            • Instruction Fuzzy Hash: EC01287151868A8FC706EB64CC642E9BFB1FF46300F4500A7C016D72D3CE346909C741
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1407655070.00007FF7C7990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7990000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ff7c7990000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 72356b4328b969dbac96e187760ea2f8d99e9e227f0b0e23de75b0a5fb3cf0e7
                                            • Instruction ID: b77d890f1594ba61ced63bd0c5a09587ff9876c68d9e76d5a18717c455554ae1
                                            • Opcode Fuzzy Hash: 72356b4328b969dbac96e187760ea2f8d99e9e227f0b0e23de75b0a5fb3cf0e7
                                            • Instruction Fuzzy Hash: 1C213776A0A247CFE741BBBC98614EB7B61FF4932C7A005B6E45C87283DD39B8428750
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1407655070.00007FF7C7990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C7990000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ff7c7990000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1ef87e297624281277fafb019d665b52f420ccefc2cdb41ebcf732fc7d32dca
                                            • Instruction ID: c23a924154c376b252bb01987e3a8c95ded4d1fa9beba2488d8ceb986c7c4b49
                                            • Opcode Fuzzy Hash: f1ef87e297624281277fafb019d665b52f420ccefc2cdb41ebcf732fc7d32dca
                                            • Instruction Fuzzy Hash: 7C11C276A5920ACFD785BB7884554EB7B62FF8C3087A045B9E80D83386CD39B941C751

                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1488635401.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0Dl%$0Dl%
                                            • API String ID: 0-1328353002
                                            • Opcode ID: cc03782e98d9a6a667b2da6516618f23dde3fb7d6ce02258faededba4bc531d7
                                            • Instruction ID: 1891306458b5408d2ca95068641eb6342a32fe177b2f7eafc8ed6d324ee45874
                                            • Opcode Fuzzy Hash: cc03782e98d9a6a667b2da6516618f23dde3fb7d6ce02258faededba4bc531d7
                                            • Instruction Fuzzy Hash: 1D319470A1891A8FE798FB3C88956787391FF88341F9405B9D44EC72D6DE28BC828B40
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1488635401.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8el%
                                            • API String ID: 0-3633051253
                                            • Opcode ID: 3a9486e3d38de153e3127ad76ee131fcf8c0717d5cf47f134759493198b15cf0
                                            • Instruction ID: e1a957f8f61852ab7d85359d1ea793819c0d2165ec0c9e1f97e1126898336b79
                                            • Opcode Fuzzy Hash: 3a9486e3d38de153e3127ad76ee131fcf8c0717d5cf47f134759493198b15cf0
                                            • Instruction Fuzzy Hash: DAF02761D186058BE744F93C685547AB7E0EF94260B94082BF808C3195ED14AA414781
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1488635401.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f75d14effc0ebd666243a7ff968fa4f3cce828e04f579bb66cea3a11b35ce12a
                                            • Instruction ID: 63b5b62bcce715771ddd4d28d5f4a85037f67cb1699349e4ba9becfb3b74df3b
                                            • Opcode Fuzzy Hash: f75d14effc0ebd666243a7ff968fa4f3cce828e04f579bb66cea3a11b35ce12a
                                            • Instruction Fuzzy Hash: 3D510C72E0E6868FDB05EF7C5C660F9BBA1FF41214BA840BAD048472C7DD25A906CB91
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1488635401.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d93a13f50a4c6a08156602ffcffb11fedaaa306eebb8b88391b6531f0ee2465b
                                            • Instruction ID: 97c4e4a7fc79de813c42c3ed6d5f85994ce99f7a3b4879014446cf606f8d8220
                                            • Opcode Fuzzy Hash: d93a13f50a4c6a08156602ffcffb11fedaaa306eebb8b88391b6531f0ee2465b
                                            • Instruction Fuzzy Hash: 921191B5A5650ACFC744FBB885610FD7B61BF892047B04479E00E833C6ED2469508751
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1488635401.00007FF7C79C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C79C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_7ff7c79c0000_XoilaFixer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4d9f88069c97f0e855a42bf102b58b7a5eacb3ee6855f495c82f747388804c2d
                                            • Instruction ID: 708338c6fd63311b3422930d84ad5e1074290f99ff4638e1e5ae52d4ae32834e
                                            • Opcode Fuzzy Hash: 4d9f88069c97f0e855a42bf102b58b7a5eacb3ee6855f495c82f747388804c2d
                                            • Instruction Fuzzy Hash: D7F0827092490FAFCB44AB78C8542EAF3B1FF88350F9042259416D3281DE3079258780