skuld | d659cc921f33f877c5962835dfdcc9e067048a834398a2602d0aa3d06d23f050

Analysis

max time kernel
534s
max time network
529s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-11-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Slinky-Client-Latest-Download-05-21.html
Size

7KB
MD5

e42d80ea3d8aed38bb82de09f225445a
SHA1

0d43a6e06593eb10def3be245bc8b0be6a3ed91c
SHA256

d659cc921f33f877c5962835dfdcc9e067048a834398a2602d0aa3d06d23f050
SHA512

e922b18cd780a7d2e8e77364609ddb8eda322e2fd5fbdfc922024d2c5f0f8e58f783fe0d1c3aedc46f6fbb9c1c396ad443a088f6ab31a8db694f1e1a71460e5c
SSDEEP

96:8suWzC+/Eur2+FkfjmZ/QT/vaYqPJjeIJumKF95RZjieojwXZkIaqPel:Nu+8V+y7m5QTvqJjeeu1hkrIe

Score

10^/10

skuld discovery persistence stealer

Malware Config

Extracted

Family

skuld

https://ptb.discord.com/api/webhooks/1296774769303359571/SuAqJEaZ8HyMJeY4XNdTzjqboa7EQQC9NlFu7Nm8gWVWabNPEFyEqvUIK1mdFAcYMMWN

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Executes dropped EXE 6 IoCs

pid	Process
3844	slinky.exe
5604	slinky.exe
5112	slinky.exe
1988	slinky.exe
4972	slinky.exe
4660	slinky.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	slinky.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
161	raw.githubusercontent.com

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
188	api.ipify.org
191	ip-api.com
195	api.ipify.org
202	api.ipify.org
211	api.ipify.org
220	ip-api.com
189	api.ipify.org
197	api.ipify.org
203	ip-api.com
210	api.ipify.org
212	ip-api.com
219	api.ipify.org

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c9db2ed9-dc95-4b13-b311-a77b7e2f6e2f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241108004809.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

GoLang User-Agent 6 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	204	Go-http-client/1.1
HTTP User-Agent header	213	Go-http-client/1.1
HTTP User-Agent header	221	Go-http-client/1.1
HTTP User-Agent header	192	Go-http-client/1.1
HTTP User-Agent header	196	Go-http-client/1.1
HTTP User-Agent header	198	Go-http-client/1.1

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0200000004000000030000000100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0\0 = 7e0031000000000068595c0611004465736b746f7000680009000400efbe5759507268595c062e000000160904000000020000000000000000003e0000000000d5762c014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0\0\0 = 5400310000000000525949501000736c696e6b7900003e0009000400efbe68595106685951062e000000090d0400000003000000000000000000000000000000bf95200173006c0069006e006b007900000016000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 020000000000000001000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0 = 500031000000000057598679100041646d696e003c0009000400efbe57595072685903062e0000000c090400000002000000000000000000000000000000635b3900410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0 = 7800310000000000575950721100557365727300640009000400efbe874f7748685903062e000000fd0100000000010000000000000000003a0000000000d1cdce0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0\0\0\NodeSlot = "7"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	slinky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	slinky.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	slinky.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5824	explorer.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4980	msedge.exe
4980	msedge.exe
2952	msedge.exe
2952	msedge.exe
1744	identity_helper.exe
1744	identity_helper.exe
5652	msedge.exe
5652	msedge.exe
5860	msedge.exe
5860	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
1144	wmic.exe
1144	wmic.exe
1144	wmic.exe
1144	wmic.exe
1792	wmic.exe
1792	wmic.exe
1792	wmic.exe
1792	wmic.exe
1752	wmic.exe
1752	wmic.exe
1752	wmic.exe
1752	wmic.exe
2752	wmic.exe
2752	wmic.exe
2752	wmic.exe
2752	wmic.exe
2976	wmic.exe
2976	wmic.exe
2976	wmic.exe
2976	wmic.exe
4428	wmic.exe
4428	wmic.exe
4428	wmic.exe
4428	wmic.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	5292	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5292	AUDIODG.EXE
Token: SeRestorePrivilege	6000	7zG.exe
Token: 35	6000	7zG.exe
Token: SeSecurityPrivilege	6000	7zG.exe
Token: SeSecurityPrivilege	6000	7zG.exe
Token: SeDebugPrivilege	2128	dnSpy.exe
Token: SeDebugPrivilege	3844	slinky.exe
Token: SeIncreaseQuotaPrivilege	1144	wmic.exe
Token: SeSecurityPrivilege	1144	wmic.exe
Token: SeTakeOwnershipPrivilege	1144	wmic.exe
Token: SeLoadDriverPrivilege	1144	wmic.exe
Token: SeSystemProfilePrivilege	1144	wmic.exe
Token: SeSystemtimePrivilege	1144	wmic.exe
Token: SeProfSingleProcessPrivilege	1144	wmic.exe
Token: SeIncBasePriorityPrivilege	1144	wmic.exe
Token: SeCreatePagefilePrivilege	1144	wmic.exe
Token: SeBackupPrivilege	1144	wmic.exe
Token: SeRestorePrivilege	1144	wmic.exe
Token: SeShutdownPrivilege	1144	wmic.exe
Token: SeDebugPrivilege	1144	wmic.exe
Token: SeSystemEnvironmentPrivilege	1144	wmic.exe
Token: SeRemoteShutdownPrivilege	1144	wmic.exe
Token: SeUndockPrivilege	1144	wmic.exe
Token: SeManageVolumePrivilege	1144	wmic.exe
Token: 33	1144	wmic.exe
Token: 34	1144	wmic.exe
Token: 35	1144	wmic.exe
Token: 36	1144	wmic.exe
Token: SeIncreaseQuotaPrivilege	1144	wmic.exe
Token: SeSecurityPrivilege	1144	wmic.exe
Token: SeTakeOwnershipPrivilege	1144	wmic.exe
Token: SeLoadDriverPrivilege	1144	wmic.exe
Token: SeSystemProfilePrivilege	1144	wmic.exe
Token: SeSystemtimePrivilege	1144	wmic.exe
Token: SeProfSingleProcessPrivilege	1144	wmic.exe
Token: SeIncBasePriorityPrivilege	1144	wmic.exe
Token: SeCreatePagefilePrivilege	1144	wmic.exe
Token: SeBackupPrivilege	1144	wmic.exe
Token: SeRestorePrivilege	1144	wmic.exe
Token: SeShutdownPrivilege	1144	wmic.exe
Token: SeDebugPrivilege	1144	wmic.exe
Token: SeSystemEnvironmentPrivilege	1144	wmic.exe
Token: SeRemoteShutdownPrivilege	1144	wmic.exe
Token: SeUndockPrivilege	1144	wmic.exe
Token: SeManageVolumePrivilege	1144	wmic.exe
Token: 33	1144	wmic.exe
Token: 34	1144	wmic.exe
Token: 35	1144	wmic.exe
Token: 36	1144	wmic.exe
Token: SeDebugPrivilege	5604	slinky.exe
Token: SeIncreaseQuotaPrivilege	1792	wmic.exe
Token: SeSecurityPrivilege	1792	wmic.exe
Token: SeTakeOwnershipPrivilege	1792	wmic.exe
Token: SeLoadDriverPrivilege	1792	wmic.exe
Token: SeSystemProfilePrivilege	1792	wmic.exe
Token: SeSystemtimePrivilege	1792	wmic.exe
Token: SeProfSingleProcessPrivilege	1792	wmic.exe
Token: SeIncBasePriorityPrivilege	1792	wmic.exe
Token: SeCreatePagefilePrivilege	1792	wmic.exe
Token: SeBackupPrivilege	1792	wmic.exe
Token: SeRestorePrivilege	1792	wmic.exe
Token: SeShutdownPrivilege	1792	wmic.exe
Token: SeDebugPrivilege	1792	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
6000	7zG.exe
2128	dnSpy.exe
3940	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5824	explorer.exe
5824	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2100	2952	msedge.exe	82
PID 2952 wrote to memory of 2100	2952	msedge.exe	82
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4284	2952	msedge.exe	83
PID 2952 wrote to memory of 4980	2952	msedge.exe	84
PID 2952 wrote to memory of 4980	2952	msedge.exe	84
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85
PID 2952 wrote to memory of 3472	2952	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5888	attrib.exe
3288	attrib.exe
1696	attrib.exe
1376	attrib.exe
188	attrib.exe
2068	attrib.exe
1132	attrib.exe
3664	attrib.exe
3684	attrib.exe
2728	attrib.exe
1696	attrib.exe
5936	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Slinky-Client-Latest-Download-05-21.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe054646f8,0x7ffe05464708,0x7ffe05464718
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2528
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff629e45460,0x7ff629e45470,0x7ff629e45480
    3⤵
    PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1192 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10124879603531489245,12895055390182445510,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5372 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1632

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap31330:70:7zEvent17814
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6000

C:\Users\Admin\Desktop\dnSpy-net-win64\dnSpy.exe
"C:\Users\Admin\Desktop\dnSpy-net-win64\dnSpy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2128
- C:\Users\Admin\Desktop\slinky\slinky.exe
  "C:\Users\Admin\Desktop\slinky\slinky.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Desktop\slinky\slinky.exe
    3⤵
    - Views/modifies file attributes
    PID:188
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:2068
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\Users\Admin\Desktop\slinky\slinky.exe
  "C:\Users\Admin\Desktop\slinky\slinky.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5604
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Desktop\slinky\slinky.exe
    3⤵
    - Views/modifies file attributes
    PID:1132
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:3664
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- C:\Users\Admin\Desktop\slinky\slinky.exe
  "C:\Users\Admin\Desktop\slinky\slinky.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5112
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Desktop\slinky\slinky.exe
    3⤵
    - Views/modifies file attributes
    PID:5888
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:5936
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1752
- C:\Users\Admin\Desktop\slinky\slinky.exe
  "C:\Users\Admin\Desktop\slinky\slinky.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1988
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Desktop\slinky\slinky.exe
    3⤵
    - Views/modifies file attributes
    PID:3288
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:1696
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2752
- C:\Windows\explorer.exe
  "explorer.exe" /select,C:\Users\Admin\Desktop\slinky\slinky.exe
  2⤵
  PID:3144
- C:\Users\Admin\Desktop\slinky\slinky.exe
  "C:\Users\Admin\Desktop\slinky\slinky.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4972
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Desktop\slinky\slinky.exe
    3⤵
    - Views/modifies file attributes
    PID:1376
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:3684
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2976
- C:\Users\Admin\Desktop\slinky\slinky.exe
  "C:\Users\Admin\Desktop\slinky\slinky.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4660
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Desktop\slinky\slinky.exe
    3⤵
    - Views/modifies file attributes
    PID:2728
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:1696
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4428

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5824

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap19688:70:7zEvent8458
1⤵
- Suspicious use of FindShellTrayWindow
PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a134f1844e0964bb17172c44ded4030f

SHA1
853de9d2c79d58138933a0b8cf76738e4b951d7e

SHA256
50f5a3aaba6fcbddddec498e157e3341f432998c698b96a4181f1c0239176589

SHA512
c124952f29503922dce11cf04c863966ac31f4445304c1412d584761f90f7964f3a150e32d95c1927442d4fa73549c67757a26d50a9995e14b96787df28f18b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78bc0ec5146f28b496567487b9233baf

SHA1
4b1794d6cbe18501a7745d9559aa91d0cb2a19c1

SHA256
f5e3afb09ca12cd22dd69c753ea12e85e9bf369df29e2b23e0149e16f946f109

SHA512
0561cbabde95e6b949f46deda7389fbe52c87bedeb520b88764f1020d42aa2c06adee63a7d416aad2b85dc332e6b6d2d045185c65ec8c2c60beac1f072ca184a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f341c579d536611d57a259d26064df03

SHA1
43ac9ce30ee85d891d2bc7372e0d9c49819ee904

SHA256
32c841b099d86371ccc1ce9519512a9a1f8e87b145d2ca412f7c986b5201e33c

SHA512
e193eaa8b0e680526fc807cdcd6f8d66b2b6aac1f00c96775144cae87b6b69345cd432c706af1fdd18717279ae935dfb25441b593cf5721ad32f72a764125c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
022f5ac9679f850e63bd025db0373421

SHA1
d94353f77ae28352336f72e1a742aaa1f192e3fa

SHA256
e1fbede6bf57f8fa26acb453bd6265282193f0b4a655be305b736f3eeae9c070

SHA512
f826eea84c3e94cf3e338c1ee9b8c526c746a32449ac5be7ddf1e52e3486897c42214fa6feb23aa172f8b8d4dcf1ca5ab74f2cc553c1960751a545a0878695ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
187766f9a2ed4eb5b53f87ddc40e3ad8

SHA1
1259f733ecabe2f99ba77e7b981b74ef985561e9

SHA256
d69dd2769bb89d26c22cd2cec781bc7b406a01b9f1bc3da921012884059fd992

SHA512
2d3041505918bb00a1663de5aa93e55312704cbe4d58e00dc5527aa7079685c07e2b1fd11842dad5a77e521027107b7a861f0202e27709db619c35925153efd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
23bc936ff1114776bd71d1e51ef5bd1b

SHA1
a8775f1916fa00e58c811cd7519d5f82f15323d1

SHA256
3c0d4a1569cd1e7e0a2a5f1381abc04674d2df5d594bb307e9b2d416523fd2ff

SHA512
014037ac734a50cbcbcaa6693ce2c2910586a64fc1618032e5a9b05e541d5965fc3b6f2a1d95244a651b297ad90a33acba68ea6f4d235a707aeaf2c587babc2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ac438f3229e0a00357ce04401e4578fe

SHA1
bd161be756018fd3100616b684cb3eeb94e09f9d

SHA256
bcba1135f8680481e14388c7f648206d9ee7d0c2a673fe3b6ef74a20dbebf68c

SHA512
ff85161464f39c5d26b3a9f0cfe62eed89483e6bfa3048634799b6ea5712884b8631a3d854cd87169ca3327f43a09e99512511b7e90c6d7ab63e99e694e7e882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7e462d8df5523d58d9fea5e5344b65d3

SHA1
82b9e28e42c9b8305ec8ae2becdd395323f95fc5

SHA256
ff81d670ba88b69ca1bdfece5151b1280267dedb5c0e322b77d67017b993f7a5

SHA512
2b294ba65666a3dad525ee579bea984b1c0c0c6c910dd491c56ffc83be88adf2397891d34007f44a57697a3cfe4a65bca0157ff1580564ee44b2dae4c97ad835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
727B

MD5
44ffa1dcddc418ca21d091b501741c85

SHA1
9cc6d30c60083b5c6639701e133186a528d434a7

SHA256
140f7f01f6774f9472d811de838704b8ce20e5d7610ecfebf97b7c2e694bb304

SHA512
2634d7c3d0c38f81836cf4ed050f1af03d5ff0ae08219794610ef852f37960968dc782f550cd5b020f9263dc83145c18baad28c121f14857b8ec6907b2de6bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
35a1611f43f024e83f398fd6079f19d8

SHA1
d465b7a5aa4b438138a89cfb76d09800cc417c05

SHA256
9ed0fa822bbe365741202a96af9c87ae1f2cc7e7f27da9a18985bc106abdc520

SHA512
37413c8645f5cc223e6ce6c0e3fe3fd1aa5987ecc093cde446a6dd7ed47a88ea01dd11f39701435fcc1f360cad66aa3ed67b348c5c6d70f18b38f5fd035fb6e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
388b0fc12f1df2a1f1a0bb37db40bd0c

SHA1
ff4fc5d997dd5510ec728f2e0017ffba88049e36

SHA256
3e7ee82ff5051ba36be0177a13f4607359bf604378439e0fc2d1347358db6635

SHA512
e08e24ce222532b77b16d0098abbfc4f2648fd8f9132614fd557c27466d33a0b5049c29e0b26530f9d70524fa23070e0f93a681b23bb9b3c5b8b3f3d2530397b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ecdac59638d8c92877b9f43ed3c142a0

SHA1
fa902e95a2049f07cf5e1fd5b1a32ddb067ffefb

SHA256
6da828773bd8afb5470dab620454d5729e65f4c0f4c062e663845306ff700412

SHA512
191b6edda1f64edd72c1a7f479dc64ad53823997db49f425c1ed8c0c365be6abea0196c185ea7f212572190a87bbf94aaae5b370bb0ff93d2dd99d77fc3fa27b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3e46515647d9c40bb0b9f640650d439e

SHA1
9f9e61b90909cecbbd42bea25f2179fb8153dc16

SHA256
ab9d6a4b19f92029050a389754822e1926b319a92e1fb64ace9d29deb7522521

SHA512
c1737ecf88bee4587405d2683ef9dba5eb9257c346583a8960dc99383c4f6f7f8ef8c7aea98e6626cdd6afe30f3fbca62a08dcddbb4397fa9d7367a4fe52cc83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c230851f313674ad8460a085757230fb

SHA1
723c0eb4f3fcd935d414051ceb680eaa65d925be

SHA256
cdb09b6bd739794f6ef31a9f57be5e78cc79ec309db2184647b6b4c60e7c32e3

SHA512
24fe80d1c1794833f7095fc00e76622d904f02af537a2558da61d18998521dcf4636e7a8bccbff42f4175b6669f7f56f1e2f604d66b9a60c7be82aa20d908222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28f9b60bd6028172079b112ed3f6eab5

SHA1
9218daf6f4e71cd73b93839122880b24b44cb037

SHA256
f3ce52ffaeeae821cedf84b891591ecebd6bf04b8501d868874e2dab18fe2de9

SHA512
84f7f4f5b1d789e0e403649cea523e7c4dbe01f3b6a0f620ff6c07b413b0c67183297d5544686ce7f71a3fbe7441bb900666a0a966fa8469f48779b802625183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
97f988c922386dfe6096949da2bc201f

SHA1
454b9c21e6b6c4c110f372907d692fa5371d8a4c

SHA256
c6a5d874ca6b06115cba3dfe98a554cc188ac23432a9f189144fbaedda3862b0

SHA512
9ee25f4dc8a751b61002390e6068c66ab48cb34de2f237e5ae7dfafa7613dba1274fcc459de226698c76a562580c3db18ad2ee59c13b269553fbc1e6a5856287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae75daacf686a8a942eb56ee0bc99796

SHA1
0fac60fa71cc40f36cee6a785cee6fde51c2612b

SHA256
bd6b9bf28e304565c607eaedec6a4d5a8ad2175f5a0d5a96150cca5435db9a22

SHA512
456b4ff75b861c1a0e4a96c0ccbf9c4c86c25248711730b909e3705286f6ba6cc0d205b4757075e8cc50747ac3897edc60b9100fc86468257e5798926a68c254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9010fe212d7da97a4e9cf63a903ee7a4

SHA1
8f124a736d045eea3c50a9597d18c9af8b128e28

SHA256
c2956b77f9af9f4d79e0198d8a7e0a5b6f880b4d597dfeee25a3f56c05d11834

SHA512
f763ab3261592107fb19b7d6134c7f4d02e921258b1c72f1e0c69a95ee8ed9cc20498259a279cca9648bbd213a5234b965a9196865d465e1f975ee9242e36326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
21320325bdfc20c6f4e4d136228fc9c5

SHA1
7e96950811d7ddbc1daeb7341ddb9768980bf2b5

SHA256
5e7ac2b978206a07d8b1841a2bd89eae4b466bcd8a0df3a62ae2ca0439b8bd5e

SHA512
ee78316d5b8edffdc83e3431bdbd28ae05a481d2a445ddf3b7c58bf0f01c6c42aead46a4d91e7fc75519a5ca8a7e2bab78749d88476c7a2fa0a25e8b3592bd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d2308f937716b3428578c277568cc611

SHA1
1bf8d60cf8076553df091d662a91f4ee6537effc

SHA256
76cb0840b03e62fcff5f0ffa7c6f3a9b45d3dd0f9b40422aee0f8f873a342513

SHA512
31af9dc42a622e6a10c26d22a0b2a892f5af347f4234259667a16e283c54b9fedf2858724dd3445c2dcbf72485ad8ef5b56110971e597d9fb9cd013d67d67fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581f4b.TMP

Filesize
48B

MD5
97caf80c4b7bdb991b93c3526171d4f6

SHA1
e55b6f7abc8c70c685d29b3e14c588d750c3c3d9

SHA256
4143c401b879293460cb5a40c605e6c06b40ee43f5cc1522f7b7462e63092b0b

SHA512
b938517dcc9dec8c50422daf502f350d5a369c552bed074538258d81316860eb2e6d3f586e01e0fa80144b003d0234e731feb765bade467d57aa544fbac1a021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0529fdeb6237a74d3f60c5ff0d6fafad

SHA1
3b2703d10d917e0643b4bb79af2fc80f4ada5e59

SHA256
3c6c77c6f32c6724115f6d187431550c769705e5668db6c41d18bca6128fc451

SHA512
6d5c9f1083c736269c26e96840dfabde9671c8e7965b0e2bc4bec8cba3a453b69666cca4733dc9b09a8906c026dd703e81d9887c2e177d0db7767f551ed3d53c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
de1754726b0455af5e66d8b105062c28

SHA1
a74cd59b5c0e6ae9bfd75674716c2f580e47ffc1

SHA256
27faf75a2a83e6fe5998e3a6fbf7b91d7ac5277f7c7d8715e752a672ee7ca819

SHA512
7550664f5200ff9bc1126d3f641b70252f9909085417ae190065557740a9989d705eca28a5c4121499ce0780e1d01be2909d41a79d864b9896b057d906a0260b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
a6c2248a9e2381cf2c95d0a2692a01bb

SHA1
21591b73065c1d6250c2fa05c396bfaf677f46a1

SHA256
a5347ed14bbc2e3f8214e186a4124d5f227c4af0bb3198ba53485149f29c4596

SHA512
5e8aac0484da5c0a0c1ff50b40fbd437dfcf2195b29ec2da73b653121cb00bc4af8303a734fd33d3729e6db870b63e57315c0f4fa546a00f308885095134f671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
930fdde1a462cac39fe583b3b164954e

SHA1
6dea895ac3140af087c38f5fe5c811ca025374fd

SHA256
9de5b0ef5799802c13480b85a6e39fa0fad1ac4fc67bcfd8a42d7c7d9c3aa2e6

SHA512
4f53b1555d79d9c9331561e1fcb82074bbb80f8c3e6f4a76bf104777c816cc15af86ee51d71cbbc4f96ce9f8e8a20075950c7f72ee32f273aaf1cabc7fc93a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584d11.TMP

Filesize
371B

MD5
442162652adfa306f4c7583d0a2a3dde

SHA1
e0741a71ed44990309de5b6bad3803a94addedb0

SHA256
fb293c0441e45049a82701afdb10ecaa6b0f57dc54c36dd778316a692ec7a457

SHA512
f4e03d0c2d589f690916c541abdd792cd801f95952eba9c67263e07b433c8f2588fed5fbd419d4557d453d17f69fa26e8df193b30728e40040503ed0758d5c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eb05731812e9982c9c6fc60c2662c43a

SHA1
10b8761410c5e92c4ab71f1536e5fbd4ebe60b82

SHA256
88047297bc2e9e3e456ae1892b7590ebdd31787792798a7bb06edc7fb66a8954

SHA512
a44eea216eaf4c05c92b7185fd86d4a627904b927b98c3540f0170e085b8b4a0c82051b636d107cbdef16d280a91bb27bfedf7546d31123b7455a7fc6c514f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2e606b696454cc3532806773edc18001

SHA1
f8ecd06a57f6762e7f34d036ea838a42b518f6ca

SHA256
a9fd04d6436e4c53f908e3c9a7380e25f584e1134db4efb3c22c2697b7cf7b1b

SHA512
6c04d919eedefc5261bb404103cbc810ae6d8cce33c2d9306922eb31352ba48dd728149c36e06ff7da77599d2dc47001a7c8669feb11f29ba2ad109f29cfdb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f7332ad6fc6a9a3dfec626a8cc6975d2

SHA1
178b70ccab1b082382278463c6bf89bdb7db0f76

SHA256
17d35b8ada145d27777e5a204ff73814593c3ad6528e5186bd586d729cc7fe78

SHA512
f4b5d490c1b13eb6b44a5c94b684d320173f319405b3bf313d8eea6475ad76ec83b4978b7f8372d920f6f8c39dbb7b3365ebc1134d3922ea7ecdad9d3bcb4576

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
409bd233253cecf1104ea7032d06112f

SHA1
67899290360be7ccc7164ba9d0c83095fdc315c6

SHA256
5de5c40b96dc8e682bf4ec07d2697a3c2a4d062a262121d504f859f58aa43b92

SHA512
852852a89e5898ee3b508a22fd1d4dee4b2c7ccab593796e803562efffa75e3bf6316b0f51e20acf075b1adc6b088524958c175609e743b7615243643b0ca346

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ad1352e1b7de71db2dda4d8fede81edf

SHA1
846cf1a44081cb4fa43a1b2d649146ab1facc5c8

SHA256
97a56c5028317a2691199f8ef60541365a71c6be8d3d0cce508db0ed5bfac520

SHA512
2259f422766fbb43ff0dad764d2c1c4013af5934dc769a9c70994ec1f70d544f0f71d0f795cddc6cb1b13307cc8db87538e5c09406841fd5060f05d88334430f

Download Submit
C:\Users\Admin\Desktop\slinky.rar

Filesize
26.1MB

MD5
bc295733464e39844d642cf3d062343a

SHA1
1993d5e08fa0acc80f4203ad2e83264b5658f32b

SHA256
4ebc9c706ad1cf8d9b066bc29d67fe4628169cb1c9deebaf9e40e4b4814582b3

SHA512
824688fd8485329e48e9911d9db3d54f9691402e1230b9411781be4178416d7f4a44377a7b446f88d46ea9b6e6c41cb214a8c76925d8ff0e44ad47fe78b2e6da

Download Submit
C:\Users\Admin\Desktop\slinky\slinky.exe

Filesize
14.2MB

MD5
d02a74cc7cb238ae3ef85ea82fade1ed

SHA1
af4b5c5c803f76faace1695b4a7018f1b87c3a51

SHA256
64fd7264b8e2bc82b4012b191049a923f8bb3dc6d99c261a2ad07871f1d8b91c

SHA512
77696145cab73ce201e5231feb020f645fa0cd23fcd4b1eef0cd695e5544410a3f127dd0c6f3723a17836e59f90e96e50770591650f3ce36fe22f1ce2168f04b

Download Submit
C:\Users\Admin\Desktop\slinky\slinky_library.dll

Filesize
11.7MB

MD5
f4f7eacab208d7b50d50f196bd3facd2

SHA1
82ca056ecb89d1612df069a42952e077f7e079e1

SHA256
4f35cfe4d051d56cc22dc2743024ffa0f3b4ee906b34c4336c72d71bc55de708

SHA512
9b61bd125e066df121186057bcb163bfb3d8fb9ff3447963df0e9b14ab57fdf6a8d1faf61a5e75dc3e53425f541bb624b9d8b787e322ea6b675489d532b8f001

Download Submit
C:\Users\Admin\Desktop\slinky\slinkyhook.dll

Filesize
228KB

MD5
6d8c17c67970cb5841811eed8adffffc

SHA1
c869ab32318a035e51aff8e5e11b4cd25fb52a4f

SHA256
7c4234fac3b6b3e96dace1e71c7a952ec67e3839f90f7a88a9ea283bf88d25b8

SHA512
7d2a0ffcd72c8bf4a96b2ed722d7119749ec14f5d7e6a601cb6ae4a5b1c4a652b694158f01da340e3ca4751cabd0a56c42bf739d8b421e36937f3691b3b80c72

Download Submit
memory/5824-839-0x0000000005D70000-0x000000000615C000-memory.dmp

Filesize
3.9MB

Download