Analysis Overview
Threat Level: Known bad
The file https://github.com/inheritedeu/XWorm-RAT/tree/main/XWorm%20RAT%20V2.1 was found to be: Known bad.
Malicious Activity Summary
ToxicEye
Gurcu, WhiteSnake
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious use of SendNotifyMessage
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NTFS ADS
Delays execution with timeout.exe
Modifies registry class
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-28 13:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 13:55
Reported
2024-06-28 13:56
Platform
win10v2004-20240508-en
Max time kernel
52s
Max time network
54s
Command Line
Signatures
Gurcu, WhiteSnake
ToxicEye
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Static\Update.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe | N/A |
| N/A | N/A | C:\Users\Static\Update.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\XWorm-RAT-main.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Static\Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Static\Update.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Static\Update.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/inheritedeu/XWorm-RAT/tree/main/XWorm%20RAT%20V2.1"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/inheritedeu/XWorm-RAT/tree/main/XWorm%20RAT%20V2.1
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.0.1549976418\537069928" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7af1e3b-07a6-4e7e-b1b6-056f77669631} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 1900 1e61dd0da58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.1.960705279\1086025577" -parentBuildID 20230214051806 -prefsHandle 2464 -prefMapHandle 2452 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1611eae4-2d37-42ab-8a48-cee984dc41de} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 2492 1e609a89a58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.2.712173569\1217911810" -childID 1 -isForBrowser -prefsHandle 1680 -prefMapHandle 2908 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {519f61f7-9250-45a1-bf6e-bf15b4b67deb} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 3028 1e620e59e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.3.1970717528\444388524" -childID 2 -isForBrowser -prefsHandle 900 -prefMapHandle 3552 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f84bda22-bb0f-4193-a17b-bf1a0fb605df} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 1212 1e6224e6b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.4.1592278344\311513232" -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3547e2f7-5e4e-4d3b-a431-c53b5082204b} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 5332 1e624b8a958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.5.1030890161\1158678341" -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d742ca46-ca98-4b4d-b695-85ba47c4b2b9} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 4384 1e624c51b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4760.6.724921559\5082130" -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10d25354-d2c7-4650-a7ff-f50bb2036d05} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" 5180 1e624c54858 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe
"C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe"
C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
"C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"
C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
"C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp134.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp134.tmp.bat
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 1604"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 1604"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\Static\Update.exe
"Update.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:56479 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 52.25.243.81:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 81.243.25.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:56487 | tcp | |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | 22.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| GB | 20.26.156.216:443 | codeload.github.com | tcp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| US | 8.8.8.8:53 | 216.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 47291f5bffb17c1658b2811eee4df7be |
| SHA1 | e030537635d7c86eb9fe73d9c7fc05f5c4165545 |
| SHA256 | 1385c163850263d9c6806b1defd58aa25e00b04a0faf83446c25ec92ac761f31 |
| SHA512 | 7582a960472b794ae598be82cf65857cb51b389ac657c20e394d041db7a46a1eae761a2530090f67ec0e4d90edf84a7139593bc846731130b14b44a13b8d4c2b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 7a3af1c03079c16e5b08068981f45569 |
| SHA1 | ede54442e93ec73a8b2c6e8cf6ef6626060ca9eb |
| SHA256 | 4c61901642f2ad5e072700cbf615feb85f68b50e86983b7e235625f889c2c7cf |
| SHA512 | c7e2552f05ad140a15ecf3b0d1830cd49405d1ad61112f870aa97936457f56c204dcbc0f2514b4e1bc1d79316ceaf52b28ea0450cd5db0c1ba8573bdcb6afdef |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 712716d788f386879f1472dc1631d9a6 |
| SHA1 | a1a5f8c6d73f091665f030d111fcda2fdb244d55 |
| SHA256 | 6567e9450441db791598317fee3aa2b855c10552c7e843923f2310e4d733c72e |
| SHA512 | 36009c69151c7360858a791547f8f468a48a461c8bc185c56ce5a9bfdea6e0c4355a840f9336fb0c99a2f32ccc037664385621e18ed6e2006f7106d5d7d64ce3 |
C:\Users\Admin\Downloads\XWorm-RAT-main.xG2j4s6l.zip.part
| MD5 | 3c583f36fdd166613ec8b5f81597e5e9 |
| SHA1 | f3e9cbfb5749212f2d54f36b391b7d03bdd303a9 |
| SHA256 | 8f71cc2fc5fd1b3e16377f0ca36067467280f6a63f7924f3fad273717c1f505e |
| SHA512 | 072931cc7b3812d7681c879169b0ba0a1981e0c23d3549e223e29331a24c4ec5249964d2c636ec07b0ba2c3e3c81c236e0ccaf3e40d373dc2a6adc235fbcfa6b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js
| MD5 | b9d0396bffe467897359f90922a054f3 |
| SHA1 | 31df99e360ae982e07b509b157ac017219137dd8 |
| SHA256 | c1983f3cf0f0f0bc8c275df6925c70fe4006fcb28e991a58cc9542a3377afa6a |
| SHA512 | 000ec50ca64dbd070c51e7b1fdb41cd976ae62fed69001685e997d15741304003aaf9d46a94c60e36ebb422d73dfe5b64eac2e18c21090208c46972c11c54597 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 1c90fc18b3211de17d48467a44e59d2f |
| SHA1 | 51352e3be21881360bb235c9a79cd8bf6b90fb70 |
| SHA256 | 845088bd2967470164ea645dcd3caa57733fb858f81b9213c1f4e322446fedfe |
| SHA512 | 950ba2dbb30226f57fa61d8b5b11993a73a5a58d9757e5eaa5c25ea3cbb3b83df590fcea9a8f51a709785eb538dba77357e1c687db563fa8ffc94c137b115b2a |
memory/3016-300-0x00007FFE78213000-0x00007FFE78215000-memory.dmp
memory/3016-301-0x000001DF8C7E0000-0x000001DF8C8CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
| MD5 | f6f686df785d0abdc66d1f90fa508c4b |
| SHA1 | 75f348132001df30cbad9c7cae2e2072fcaca38e |
| SHA256 | 61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f |
| SHA512 | 7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77 |
memory/3016-321-0x00007FFE78210000-0x00007FFE78CD1000-memory.dmp
C:\Users\Admin\Desktop\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
| MD5 | a21db5b6e09c3ec82f048fd7f1c4bb3a |
| SHA1 | e7ffb13176d60b79d0b3f60eaea641827f30df64 |
| SHA256 | 67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5 |
| SHA512 | 7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c |
memory/3016-324-0x000001DFA6DE0000-0x000001DFA6E00000-memory.dmp
memory/1604-316-0x000001ED677A0000-0x000001ED677C6000-memory.dmp
memory/1604-327-0x00007FFE78210000-0x00007FFE78CD1000-memory.dmp
memory/1100-328-0x0000000000CA0000-0x0000000001332000-memory.dmp
memory/1100-329-0x0000000005CF0000-0x0000000005D8C000-memory.dmp
memory/1100-330-0x0000000006340000-0x00000000068E4000-memory.dmp
memory/1100-331-0x0000000005E30000-0x0000000005EC2000-memory.dmp
memory/3016-332-0x000001DFA6FB0000-0x000001DFA6FBA000-memory.dmp
memory/1100-334-0x0000000006010000-0x0000000006066000-memory.dmp
memory/1100-333-0x0000000005D90000-0x0000000005D9A000-memory.dmp
memory/1100-335-0x0000000009A00000-0x0000000009A66000-memory.dmp
memory/3016-336-0x00007FFE78210000-0x00007FFE78CD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp134.tmp.bat
| MD5 | 11f95b77bf0783fc8c0d34fb631e2931 |
| SHA1 | b0882fda999dea35f9d6f081144640fd13f0ccbb |
| SHA256 | 22bf4529a81020d00d5f1cf31972396daace946f9a28b2817828b1d044c7f1fd |
| SHA512 | b67326d19cb0652d1eb98ef10c2fb6e9a7165276df7fe0dc2a63979835a1f0aba711a3d07b14d84be326bf32b9baef53fd35260fc6356cafc4101457ecd85b92 |
memory/1604-341-0x00007FFE78210000-0x00007FFE78CD1000-memory.dmp