xworm | hxxps://mega[.]nz/file/9aMDyR4J#yd69oYpF9H8DmF3_0tgQQhmuk7hYr8bRIbJgKbFNHHQ

Analysis

max time kernel
71s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/9aMDyR4J#yd69oYpF9H8DmF3_0tgQQhmuk7hYr8bRIbJgKbFNHHQ

Score

10^/10

xworm defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.21:42103

Attributes

Install_directory
%AppData%
install_file
BootstrapperV1.11.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cd8-228.dat	family_xworm
behavioral1/files/0x0008000000023ced-241.dat	family_xworm
behavioral1/memory/4068-249-0x00000000009C0000-0x00000000009DA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	Injector.exe

Executes dropped EXE 4 IoCs

pid	Process
4852	Injector.exe
6044	INJECTOR.EXE
4068	XCLIENT.EXE
2372	Atlantis.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Atlantis.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
96	ip-api.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injector.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133855377841034628"	msedgewebview2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
544	msedge.exe
544	msedge.exe
5064	identity_helper.exe
5064	identity_helper.exe
5572	msedge.exe
5572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
3112	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	5108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5108	AUDIODG.EXE
Token: SeRestorePrivilege	6076	7zG.exe
Token: 35	6076	7zG.exe
Token: SeSecurityPrivilege	6076	7zG.exe
Token: SeSecurityPrivilege	6076	7zG.exe
Token: SeDebugPrivilege	4068	XCLIENT.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
6076	7zG.exe
2372	Atlantis.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 4060	544	msedge.exe	87
PID 544 wrote to memory of 4060	544	msedge.exe	87
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 4956	544	msedge.exe	88
PID 544 wrote to memory of 1484	544	msedge.exe	89
PID 544 wrote to memory of 1484	544	msedge.exe	89
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90
PID 544 wrote to memory of 2888	544	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/9aMDyR4J#yd69oYpF9H8DmF3_0tgQQhmuk7hYr8bRIbJgKbFNHHQ
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb3eb646f8,0x7ffb3eb64708,0x7ffb3eb64718
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,5349167784056621303,10272371432763612010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ac 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5872

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AtlantisV3\" -spe -an -ai#7zMap4583:82:7zEvent1097
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6076

C:\Users\Admin\Downloads\AtlantisV3\bin\Injector.exe
"C:\Users\Admin\Downloads\AtlantisV3\bin\Injector.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4852
- C:\Users\Admin\AppData\Local\Temp\INJECTOR.EXE
  "C:\Users\Admin\AppData\Local\Temp\INJECTOR.EXE"
  2⤵
  - Executes dropped EXE
  PID:6044
- C:\Users\Admin\AppData\Local\Temp\XCLIENT.EXE
  "C:\Users\Admin\AppData\Local\Temp\XCLIENT.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4068

C:\Users\Admin\Downloads\AtlantisV3\Atlantis.exe
"C:\Users\Admin\Downloads\AtlantisV3\Atlantis.exe"
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
PID:2372
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Atlantis.exe --webview-exe-version=0.1.0 --user-data-dir="C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=2372.3856.16921912276018997626
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:3112
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.140 --initial-client-data=0x178,0x17c,0x180,0x154,0x188,0x7ffb2b30b078,0x7ffb2b30b084,0x7ffb2b30b090
    3⤵
    PID:5636
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView" --webview-exe-name=Atlantis.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1748,i,6721023847769059184,16206015417553051196,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1744 /prefetch:2
    3⤵
    PID:5228
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView" --webview-exe-name=Atlantis.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2064,i,6721023847769059184,16206015417553051196,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2080 /prefetch:3
    3⤵
    PID:2748
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView" --webview-exe-name=Atlantis.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2396,i,6721023847769059184,16206015417553051196,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:8
    3⤵
    PID:2564
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView" --webview-exe-name=Atlantis.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3604,i,6721023847769059184,16206015417553051196,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
    3⤵
    PID:6096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d6b4373e059c5b1fc25b68e6d990827

SHA1
b924e33d05263bffdff75d218043eed370108161

SHA256
fafcaeb410690fcf64fd35de54150c2f9f45b96de55812309c762e0a336b4aa2

SHA512
9bffd6911c9071dd70bc4366655f2370e754274f11c2e92a9ac2f760f316174a0af4e01ddb6f071816fdcad4bb00ff49915fb18fde7ee2dabb953a29e87d29e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a4852fc46a00b2fbd09817fcd179715d

SHA1
b5233a493ea793f7e810e578fe415a96e8298a3c

SHA256
6cbb88dea372a5b15d661e78a983b0c46f7ae4d72416978814a17aa65a73079f

SHA512
38972cf90f5ca9286761280fcf8aa375f316eb59733466375f8ba055ce84b6c54e2297bad9a4212374c860898517e5a0c69343190fc4753aafc904557c1ea6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
38c7fad4de2187706a8c4eedaaa80da6

SHA1
98a21772946b81e04cdd65a7ed91aa849c1211e0

SHA256
798c0158fa69f5b58724b7f46f2ac06c502f418901c5b00e96db575463f632d3

SHA512
a13fa3412d0434b03f6a51f576d8f6aeaa83343a2206455af5495bd551dc0384c866f64e8f8b92a8dad0614f80955339dadbb3ff4dfc22ea6c2ab413207f2565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
ba4e2003fe7d847c86a7514b27c21c5f

SHA1
7dc5189fa073797ff6cec15cf7921146f4fa0ab5

SHA256
16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

SHA512
079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82deeb01554ea63d35303ee4e92f5280

SHA1
adc95089e55e62a63822db3f3941713446aacb33

SHA256
2e6514e4a3bde2a232424fcb0ed77e0928580062e3dce7f05545e9ac1f055170

SHA512
a35c6e554dc246852e9260b6e2986e2e0cf223423b7d3c35e33abc153b374d2c059c3464ec5c397e97ea17f0803735743e8fd903387bc2fb2e7d8935e48108f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3f4f1b22c2432c5aa6dad176b0eb21dc

SHA1
38d37e82ecd5cae219cd0d34723d827c0bf57f82

SHA256
45c5985055478cc808265f7246eca4972d77fd3606947892cb2304b2df6ad3de

SHA512
1c195ce9b272d761c29ab3457f3079d77fac8b763c6fbc37b870139749e6d2ac88fb4e522cd73fb9868b37b0ef53e1b71dfa59b6b6e6dfb3e761b5e00a24bcda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
648ff3ad3cace85ac26be5bc3be69b41

SHA1
dc3891226b6a03be642954c4ed69ea5ef10f58dd

SHA256
adea8ab727066e2b03cfea69eb844ebe857167f7e5836000a5bf3aa279c0c6c8

SHA512
219809096d49c1d173e26d1fc2ba18f9d32cb14df31a57e21d0c881615b1896d2c7fbcc694838704b4d1528f14ca10869b2efeffe1487756430376d34c2d082e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2764d7baead6b75c716f3be5fd6f867f

SHA1
37f7b7dec3fb1950537e529e39564cf35bc08ec0

SHA256
0373ebacbe377bd456d2c5544c1dd76187ce80ec4f49101c8d0ea59a61f53b13

SHA512
cdafecb95c3a48a3a008c677dec9c930c2e878bb92318cc7b48b333e7b963f09c1d0c6c3f5dff858de10be4f2baeab21d6a7c74d7c141fc1058f752f3632fa9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583217.TMP

Filesize
48B

MD5
1e6496db999e13670efcd460fe011f08

SHA1
102353163872b318b1ede0eefac9c6c0cf86732f

SHA256
589f20e8c4677568718884bb1c0d9a85074feac1bc27fd7f10a8ac713bd8d24e

SHA512
ee189d8ebb287a3dda724c597a6b10bd1dc2caaf18cdcf946a06ca91d4a0fb74459796644b9672803b19188526610e7c7c765e4290bcd7bc1a67a076cb1747e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e9687be67b3cc001ba5271b18337acc6

SHA1
3ae7c59ff60e5b78677bcb24512cd7a87f98e72a

SHA256
f0feea90990b4e6fd5e25600deda1718a7964d240ef7fc8ff83ca293975731e4

SHA512
54de9feb2727f9365006f4362ff46737933631083965e33f6886a9bd425bd6176010a1da24397e94279f4f145c464ffd78a92156c5a06d4ce3f0051ab96dbfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
18b2a66daf4b091c89544f939fc6aa67

SHA1
2d8f0bc738ac08474231b4488cd1854dbe308ddf

SHA256
7afa6805296d715a380945ea910df6656e3f8477d5f48208a2b63004e3f1f4ae

SHA512
eb9db310903c80b21955cfcb7c3a68688bb8029c936e625c1644d5a6b2b5ad96dd6c3ead34cbaab274ff763ab33aaea8fb069680e8f6dce65855c27d6961fd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
a75af67b75a8cf0764a53158e2350868

SHA1
48a8e0cbe0921de801199ceafb069666aeef4e65

SHA256
f482bd41fb128be0e6a24becb380d918177644e53f8c10037c442c30cec750c9

SHA512
42e281465dac32e34465ef9eb9c09a21af86ee87d7a25923937e6e646fc491c379791a8de27d97a317dcdfb2c4a60177fcae9ee0681a6bb32831192bf69dee10

Download Submit
C:\Users\Admin\AppData\Local\Temp\INJECTOR.EXE

Filesize
13KB

MD5
1ed6f56d67e074e5073218b09d3bd561

SHA1
570545153cb05d330bb64811d024664511eb7386

SHA256
fc298a5b271dbb9b7d79c840054389c2441c142cac395300f1559977b0d10007

SHA512
725ec8ac5c1cd6f4f35132e22dab81f957688965bc07c8b16aff6103c36cc13d36411b71362d34c621dda40ffdd58363a5ea1af0a1f78698dc0079e493f33c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCLIENT.EXE

Filesize
78KB

MD5
9c0980c78250efd14138b1658781c7aa

SHA1
0edb2917e6b5c602c4afb53727064963fd6f87ac

SHA256
22b51fb7f2b4ffa3ab9f5730fcbbecd609e021a0910cc11fff92d1591ca70e6f

SHA512
56da8363dffc077cf957f7c05e6577d5141b71d50bfe62fe2f219195a42b182207cd939f79869db1e0144e42b2d10fef61e4bdffe3be8ce32fc5a968491f465f

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
ee8f7504a113e9b70e6aace70b54b1af

SHA1
61bb5e5fc5b8722a7c2966711e79f5b5aa77cc3a

SHA256
f1d9bf5986b7a9bd01a320712dabe34b8bcd825d0477d8ae7069acec436e2f62

SHA512
d957c74348513726c6c0490a34071c6ce2221df5d367b3ed9d84c56b4e9caaf068eb990898f27fd24b626dc21b20ca011dd4123c5da2f636c6fae56b7422925b

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
b5586f47d5aa59873b1ac14143ca017e

SHA1
597623b681ea3cfbeb7483a0f928a0163707ea7e

SHA256
f7285a502d8da62718cbbd4384a1222da6774db4fbd5f5ca1649ea947c9c321d

SHA512
f40d89c044474d2b8e005d21edabdde35b153bdfbfcf8207e27317b84daccca8aa4275a2db1739cfb207652711adf2631aceababdd9338cd5fb343d77e1ce78e

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
a8a36a425cf36e083890e704db5c9135

SHA1
7abc6d43f4d9bc7c6f6ae9e4794968628e7d34d5

SHA256
9a921b1608cb43ed106df902196d0398852f393f7f09d1d6de31c68b9f6ebf5b

SHA512
5aafbcd3f5157dff2740cf26809624b4738b77e3e609374ed449f88c357acc160d85d9b93abf9c4f58f358615ed8e63577f649e6f5af146288d327ec0b778375

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe58d4df.TMP

Filesize
48B

MD5
105baf5b558dbbe6d62d47c40310b8c6

SHA1
dcb2df299e8e37bbdc8b4b25f9dae458c648a1de

SHA256
528b8edd2fe1cf38fb0cdb3946a1844597cf2c670b3660161d3ca5ba43e67d11

SHA512
11e49de5450296d87dae62a8b1ab68282aeff4702c10e803b99866a9a11698e3b9a1ae65420b8347438202e33b3ce1e4c7a291b0a083d7b2bb628bd9c88d8129

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\Network\Network Persistent State

Filesize
681B

MD5
b68f5a201299c4c123b1b4f46e30b994

SHA1
cd5365a9c59a538072d8584528014306546a57d6

SHA256
d92e0643029dae49e952616951c5fe064cb881e952209ad425e96d92fe323e8a

SHA512
af16c93d0653a10256e8d2ed21175b46621ff57d16b4ee35cc171dccd3a4a0393d2bcf2c4d80f8bdadb97ac97dd03dee502ed947817b6cab91bb722522925235

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\Network\Network Persistent State~RFe58d50e.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\Preferences

Filesize
6KB

MD5
c950341df0341a506f33616d7e99e203

SHA1
e79becc30f626c5921cc48a6271eb907b39c755c

SHA256
60e43714ad9927553e0e1395ceff89029411cb44258c197610357a475a70d368

SHA512
73b0b0675f0a57d8a640fb44f3d212b955d4aaeb57d0a0a5360c93fd0b880446d39cced147b7ad2c88872e0a0f969a0ea6d7856510f38211bdfd49eb981c1f43

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Default\Preferences~RFe58d4ef.TMP

Filesize
6KB

MD5
641f4b2a0d3b9ec6d588824e0d3e2d30

SHA1
666a26327594e7bfc46fcf98409b39088214e254

SHA256
be6125b48090f1c6330978571665808f17d81e32c73df30855dce6d72d5fe518

SHA512
20329d415d5ed1337cdc1098a7855ce638485c6fe9edecf5c6f65e8c55d42d2f93fa79f4c9e79850df3a6a03b14c48ffb0539ebc3e54dfc60fa24e7dbbc798a3

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Local State

Filesize
2KB

MD5
1f356f6b2db79258842d0282992d1685

SHA1
8e22c1dd5476c8da5de889b2f5380a15b7ee1873

SHA256
ec5a0304f64f378e13c34ef89d084c9958e8d82e2c555a2893bf4e287680a66b

SHA512
79f1eaf92e4b9a327ee53757aa4801586296e5f267357df8374de163844ccc4c2f1ac53f4759cc3c2e8d145589b9f83aa1284279b890505057ca6ac0692c51bd

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Local State

Filesize
3KB

MD5
19fe02d525b5e6ecd982ef8c4eaafc4a

SHA1
ca1a14f6b4b1ab6e3a636fa4a7b464ebab370a82

SHA256
c2f608a5d933fec1cb1a14ad284daaf50555db063541f434168b1dfcc6b4c232

SHA512
b7c06d406a70ac0a55b0c624b8cdffa77484aa5101d1e3ee4218a14167bb2e302a890311dfc50a6658676c80e1bc33855156d89fe5b88640cccbd0dfc1c22179

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Local State

Filesize
16KB

MD5
6f8cc5ce1d03fa315e443805c070ccb7

SHA1
b041d7b1ea04a4cd15c1766ed8a83d55e1962618

SHA256
380e35b6fde9b3fe1f1e031031122f718c67d2025cbf9fce54fe8108fb796efd

SHA512
8ddb46b1c7a98812346efcedd045d87bdb7a8dea0420934c90a41f6966d3e4113c13437d9ebaa34784f0a5047bfedacc2343b1fa6d5f84b0995b3acefa80ec24

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Local State

Filesize
1KB

MD5
acfb76b4993f5e920b1ca3f67c972fae

SHA1
47a924776081b87aa7cea3a815426adf843e85b6

SHA256
aca6e34d5f3f06dc6c7bc3d36791dcca3ad81593e9b73c48f0fee6fb82fe6ebb

SHA512
62fe223b0a9d514f9bc0195d72116534c0b6a0eef50f5e90f520c03148e847f59b20a69023a378af4257521a2a46bbe376094e260fdd8edb7750b8e2b947774a

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Local State

Filesize
17KB

MD5
6af2d3cb3a017c800cd6128c16a6f9a3

SHA1
88712403d8753b15c7b5b31bc0eb27466468e956

SHA256
504911d40df9bcd99aa2efd2549d5ab0bbe44a669677a6f36d9b6c93a25f6af0

SHA512
10c27e34c618200fed16b84b0f75bedd79b86e91eea3417adaa3c53fb6ba480bb3ba4f7cb171a9898911f50d73bfac4e2a760df60ee38506da89aef61e30cc6f

Download Submit
C:\Users\Admin\AppData\Local\com.lxzp.app\EBWebView\Local State~RFe5893bf.TMP

Filesize
1KB

MD5
a07b047d966a525a2cc238fa965e1cb5

SHA1
9aea01202294330269545953548ea42ce6100132

SHA256
c4f53b271771c4d68e37f87174a28a2f4a0c51aab1ec90317e85a44690a13c94

SHA512
4b54f990742e5621d001cd3bff92acde118015e0a65bdfbc43946e9b7a2d3c13089e00da9bad1af13ce711914b9c1e41baae3efdadd8a6c36c3f65e3d08acc83

Download Submit
C:\Users\Admin\Downloads\AtlantisV3.rar

Filesize
9.5MB

MD5
1098425fe1533456f30eef406fcb99b4

SHA1
82c7dab616ac60cc67f6d934b12eba91736bffa9

SHA256
1d895cd82c3e3d7cab5e4e11d4c573a21d49666953b34bd2f9b4905f218c81a9

SHA512
052823f89fe26e6b0da66d3a597017cd8f4fd6139c4bd8520fd89cdd35efdc0adb25d70d9f67d2275658a9451ed7f4c9f3ab13dde779dc80850f0596cb584501

Download Submit
C:\Users\Admin\Downloads\AtlantisV3\Atlantis.exe

Filesize
11.5MB

MD5
79e40f30ba609999ffa6114d9cffa107

SHA1
4fbc683e927ca0bb08be334b728b38d54f1531eb

SHA256
f590737e4865fe6201fd44ebe66a675602eb68b3c95225c7e0bdf75c003099b6

SHA512
7f22f3951b2993b6db4877b2c7a1e016e337f56d35bf335a416796efe0ec65bffa9d368bc16c47d9f4b71bd0d388280a4974eadf26fedac96338e510c5c3221b

Download Submit
C:\Users\Admin\Downloads\AtlantisV3\bin\Injector.exe

Filesize
144KB

MD5
d6f988ace73ac703e3571030bb172dce

SHA1
2c1702dbb3cb6cc359f7d80be1ad4d8ed933adc0

SHA256
38e94c4622107b5031c8a04b43704ea0752f26823ef74a6d053eb7cd568c38fb

SHA512
b296263b683b7594e8277f3f246bf96affa8b7b19441d1fca4b446c9f9aa8175870d5e4ac7e5ee0d26d49783b9c4dd2c64a701db9862ce7eb2d3978ad95c8585

Download Submit
memory/2564-311-0x00007FFB4C6D0000-0x00007FFB4C6D1000-memory.dmp

Filesize
4KB

Download
memory/2564-312-0x00007FFB4DED0000-0x00007FFB4DED1000-memory.dmp

Filesize
4KB

Download
memory/4068-249-0x00000000009C0000-0x00000000009DA000-memory.dmp

Filesize
104KB

Download
memory/5228-286-0x00007FFB4C040000-0x00007FFB4C041000-memory.dmp

Filesize
4KB

Download
memory/5228-480-0x0000017EC6010000-0x0000017EC60AE000-memory.dmp

Filesize
632KB

Download
memory/5228-663-0x0000017EC6010000-0x0000017EC60AE000-memory.dmp

Filesize
632KB

Download
memory/6096-402-0x00007FFB4C040000-0x00007FFB4C041000-memory.dmp

Filesize
4KB

Download
memory/6096-481-0x000001869A740000-0x000001869A7DE000-memory.dmp

Filesize
632KB

Download