Analysis
- max time kernel: 85s
- max time network: 87s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64 arch:x86 image:win10ltsc2021-20241023-en locale:en-us os:windows10-ltsc 2021-x64 system
- submitted: 05/11/2024, 14:52
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://downloads.exodus.com/releases/exodus-windows-x64-24.41.6.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
https://downloads.exodus.com/releases/exodus-windows-x64-24.41.6.exe
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | Exodus.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | Update.exe
-
Executes dropped EXE 25 IoCs
pid | Process
5688 | exodus-windows-x64-24.41.6.exe
5856 | Update.exe
2116 | Squirrel.exe
5520 | Exodus.exe
5672 | Update.exe
4472 | Exodus.exe
1508 | Exodus.exe
5452 | Exodus.exe
5576 | Exodus.exe
5620 | Exodus.exe
5492 | Exodus.exe
5080 | Exodus.exe
5672 | Exodus.exe
6136 | Exodus.exe
2552 | Exodus.exe
4756 | Exodus.exe
3708 | Exodus.exe
5124 | Exodus.exe
5456 | Exodus.exe
1744 | Exodus.exe
3756 | Exodus.exe
3552 | Exodus.exe
6004 | Exodus.exe
3916 | Exodus.exe
2232 | Exodus.exe
-
Loads dropped DLL 32 IoCs
pid | Process
5520 | Exodus.exe
4472 | Exodus.exe
1508 | Exodus.exe
5452 | Exodus.exe
5576 | Exodus.exe
5620 | Exodus.exe
5080 | Exodus.exe
5672 | Exodus.exe
6136 | Exodus.exe
2552 | Exodus.exe
4756 | Exodus.exe
3708 | Exodus.exe
5124 | Exodus.exe
5456 | Exodus.exe
1744 | Exodus.exe
3756 | Exodus.exe
3552 | Exodus.exe
6004 | Exodus.exe
3916 | Exodus.exe
2232 | Exodus.exe
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\be0b2b30-8fd7-4d74-ab10-21d974bb0362.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241105145259.pma | setup.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SystemTemp | Exodus.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Update.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Exodus.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | exodus-windows-x64-24.41.6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Squirrel.exe
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Exodus.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Exodus.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | Exodus.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | Exodus.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | Exodus.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Exodus.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Exodus.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 7 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\exodus | Exodus.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\exodus\URL Protocol | Exodus.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\exodus\ = "URL:exodus" | Exodus.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\exodus\shell\open\command | Exodus.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\exodus\shell | Exodus.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\exodus\shell\open | Exodus.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\exodus\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\exodus\\app-24.41.6\\Exodus.exe\" \"--\" \"%1\"" | Exodus.exe
-
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 729093.crdownload:SmartScreen | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
2088 | msedge.exe
2516 | msedge.exe
3128 | identity_helper.exe
5556 | msedge.exe
5856 | Update.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process
2516 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 5520 | Exodus.exe
Token: SeCreatePagefilePrivilege | 5520 | Exodus.exe
Token: SeDebugPrivilege | 5856 | Update.exe
Token: SeShutdownPrivilege | 5452 | Exodus.exe
Token: SeCreatePagefilePrivilege | 5452 | Exodus.exe
Token: SeShutdownPrivilege | 5080 | Exodus.exe
Token: SeCreatePagefilePrivilege | 5080 | Exodus.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
2516 | msedge.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
2516 | msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2516 wrote to memory of 4660 | 2516 | msedge.exe | 82
PID 2516 wrote to memory of 2532 | 2516 | msedge.exe | 83
PID 2516 wrote to memory of 2088 | 2516 | msedge.exe | 84
PID 2516 wrote to memory of 4728 | 2516 | msedge.exe | 85
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://downloads.exodus.com/releases/exodus-windows-x64-24.41.6.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fffa0a646f8,0x7fffa0a64708,0x7fffa0a647182⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:22⤵PID:2532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:82⤵PID:4728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:12⤵PID:1200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵PID:2676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵PID:4080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:12⤵PID:4716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:82⤵PID:224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
PID:4464 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff702365460,0x7ff702365470,0x7ff7023654803⤵PID:3124
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵PID:4508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6248 /prefetch:82⤵PID:4104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:12⤵PID:1872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:12⤵PID:2428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6604 /prefetch:82⤵PID:4360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,3764808173081969834,8983457199991405905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7084 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5556
-
-
C:\Users\Admin\Downloads\exodus-windows-x64-24.41.6.exe"C:\Users\Admin\Downloads\exodus-windows-x64-24.41.6.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5688 -
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5856 -
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Squirrel.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --squirrel-install 24.41.64⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5520 -
C:\Users\Admin\AppData\Local\exodus\Update.exeC:\Users\Admin\AppData\Local\exodus\Update.exe --createShortcut=Exodus.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5672
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,15220299380433213891,15197731496888835081,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1988 /prefetch:25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4472
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --field-trial-handle=2156,i,15220299380433213891,15197731496888835081,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2036 /prefetch:35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508
-
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --squirrel-firstrun4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5452 -
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,14077129461422072934,392851325466299504,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5576
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --field-trial-handle=2164,i,14077129461422072934,392851325466299504,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5620
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1112
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3548
-
C:\Users\Admin\AppData\Local\exodus\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\Exodus.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5492 -
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5080 -
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1788 /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5672
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --field-trial-handle=2036,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1836 /prefetch:33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6136
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-databases --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2448,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2440 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2552
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-databases --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2800,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2808 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4756
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-databases --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2820,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2812 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3708
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3508,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5124
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3512,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5456
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3648,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1744
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3748,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3728 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3756
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3884,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3552
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-databases --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4896,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4900 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:6004
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5148,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3916
-
-
C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe"C:\Users\Admin\AppData\Local\exodus\app-24.41.6\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.6\resources\app.asar" --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5268,i,6999366912671067155,10425075216320759700,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=5172 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2232
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5875d7.TMP
Filesize 59B
-
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\monero\Network\4b55a1b8-9748-41c8-a600-988233e5ada8.tmp
Filesize 188B
-
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\monero\Shared Dictionary\cache\index-dir\temp-index
Filesize 48B
-
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\network\Network\3e5e3ca0-bf26-4c94-8a9a-7f8f2b8ddac7.tmp
Filesize 59B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB