hawkeye | 5cabdd6f5494bbb646f2f84ed05f7e5c999efaeba6f9beea3abe0100780137a5

Analysis

max time kernel
296s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-04-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

slinkyloader.exe
Size

17.8MB
MD5

fa1764b9b4b43de4ce51b6da0748944c
SHA1

91ae2a9b63bcc0f3194385c306e941d7b628aa33
SHA256

5cabdd6f5494bbb646f2f84ed05f7e5c999efaeba6f9beea3abe0100780137a5
SHA512

bf807ca364e3b94c4ec3d8d859d4e927d7e2b70ddf70727a0c921645474c261798d8b39554b28ab838c6c7b04aae1da6c90caeb3d9cf1a682dea2ecf5d9cac18
SSDEEP

393216:Gr+c50Fa7K39n0LHOz3tcA/YFspJfUXvakYHQFSdbhALSVQtikwtW3Jigc:oot3uLuz3tM6rfUXCkYgU/VQti/W35

Score

10^/10

hawkeye remcos slinky keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

Slinky

shall-stat.gl.at.ply.gg:38560

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Defender.exe
copy_folder
WD
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%WinDir%\System32
mouse_option
false
mutex
fasdfdsgsghhghd-Y8DVRO
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%WinDir%\System32
screenshot_time
10
startup_value
WD Defender
take_screenshot_option
false
take_screenshot_time
5

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 64 IoCs

Processes:

ServerSlinky.exeDefender.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeDefender.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeDefender.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exe

pid	Process
1260	ServerSlinky.exe
3968	Defender.exe
4444	ServerSlinky.exe
3196	ServerSlinky.exe
4812	ServerSlinky.exe
2124	ServerSlinky.exe
4380	ServerSlinky.exe
3580	ServerSlinky.exe
4268	ServerSlinky.exe
3000	ServerSlinky.exe
4132	ServerSlinky.exe
2316	ServerSlinky.exe
2808	ServerSlinky.exe
4736	ServerSlinky.exe
5084	ServerSlinky.exe
796	Defender.exe
5016	ServerSlinky.exe
4364	ServerSlinky.exe
168	ServerSlinky.exe
1172	ServerSlinky.exe
1028	ServerSlinky.exe
1000	ServerSlinky.exe
4124	ServerSlinky.exe
4408	ServerSlinky.exe
2072	ServerSlinky.exe
2780	ServerSlinky.exe
3824	ServerSlinky.exe
936	ServerSlinky.exe
4200	ServerSlinky.exe
2416	ServerSlinky.exe
732	ServerSlinky.exe
1420	ServerSlinky.exe
4152	ServerSlinky.exe
1816	ServerSlinky.exe
2344	ServerSlinky.exe
3164	ServerSlinky.exe
1000	ServerSlinky.exe
1520	Defender.exe
2316	ServerSlinky.exe
2804	ServerSlinky.exe
1552	ServerSlinky.exe
1276	ServerSlinky.exe
408	ServerSlinky.exe
3352	ServerSlinky.exe
2240	ServerSlinky.exe
3648	ServerSlinky.exe
4512	ServerSlinky.exe
2752	ServerSlinky.exe
4008	ServerSlinky.exe
3860	ServerSlinky.exe
2912	ServerSlinky.exe
1088	ServerSlinky.exe
2348	ServerSlinky.exe
912	ServerSlinky.exe
5108	ServerSlinky.exe
764	ServerSlinky.exe
4372	ServerSlinky.exe
5028	ServerSlinky.exe
2452	ServerSlinky.exe
3700	ServerSlinky.exe
304	ServerSlinky.exe
3896	ServerSlinky.exe
3016	ServerSlinky.exe
4636	ServerSlinky.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ServerSlinky.exeDefender.exeDefender.exeServerSlinky.exeDefender.exeServerSlinky.exeServerSlinky.exeDefender.exeDefender.exeServerSlinky.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	ServerSlinky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	ServerSlinky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	ServerSlinky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	ServerSlinky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	ServerSlinky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	ServerSlinky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	ServerSlinky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	ServerSlinky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	ServerSlinky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WD Defender = "\"C:\\Windows\\SysWOW64\\WD\\Defender.exe\""	ServerSlinky.exe

Drops file in System32 directory 39 IoCs

Processes:

ServerSlinky.exeServerSlinky.exedxdiag.exeDefender.exeServerSlinky.exeDefender.exeDefender.exeDefender.exeDefender.exeServerSlinky.exeServerSlinky.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WD\Defender.exe	ServerSlinky.exe
File opened for modification	C:\Windows\SysWOW64\WD	ServerSlinky.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF	dxdiag.exe
File opened for modification	C:\Windows\SysWOW64\WD\Defender.exe	Defender.exe
File opened for modification	C:\Windows\SysWOW64\WD\Defender.exe	ServerSlinky.exe
File opened for modification	C:\Windows\SysWOW64\Logs\logs.dat	Defender.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF	dxdiag.exe
File opened for modification	C:\Windows\SysWOW64\Logs\logs.dat	Defender.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF	dxdiag.exe
File opened for modification	C:\Windows\SysWOW64\WD	Defender.exe
File opened for modification	C:\Windows\SysWOW64\Logs\logs.dat	Defender.exe
File opened for modification	C:\Windows\SysWOW64\WD\Defender.exe	ServerSlinky.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF	dxdiag.exe
File opened for modification	C:\Windows\SysWOW64\Logs\logs.dat	Defender.exe
File opened for modification	C:\Windows\SysWOW64\WD	Defender.exe
File opened for modification	C:\Windows\SysWOW64\WD	ServerSlinky.exe
File created	C:\Windows\SysWOW64\WD\Defender.exe	ServerSlinky.exe
File opened for modification	C:\Windows\SysWOW64\WD\Defender.exe	Defender.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF	dxdiag.exe
File opened for modification	C:\Windows\SysWOW64\WD\Defender.exe	ServerSlinky.exe
File opened for modification	C:\Windows\SysWOW64\WD\Defender.exe	Defender.exe
File opened for modification	C:\Windows\SysWOW64\WD	ServerSlinky.exe
File created	C:\Windows\SysWOW64\Logs\logs.dat	Defender.exe
File created	C:\Windows\SysWOW64\WD\Defender.exe	ServerSlinky.exe
File created	C:\Windows\SysWOW64\Logs\logs.dat	Defender.exe
File opened for modification	C:\Windows\SysWOW64\WD\Defender.exe	ServerSlinky.exe
File created	C:\Windows\SysWOW64\WD\Defender.exe	ServerSlinky.exe
File opened for modification	C:\Windows\SysWOW64\WD	ServerSlinky.exe
File opened for modification	C:\Windows\SysWOW64\WD	Defender.exe
File opened for modification	C:\Windows\SysWOW64\WD	Defender.exe
File opened for modification	C:\Windows\SysWOW64\WD\Defender.exe	Defender.exe
File created	C:\Windows\SysWOW64\WD\Defender.exe	ServerSlinky.exe
File opened for modification	C:\Windows\SysWOW64\Logs\logs.dat	Defender.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF	dxdiag.exe
File opened for modification	C:\Windows\SysWOW64\WD	ServerSlinky.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\input.PNF	dxdiag.exe
File created	C:\Windows\SysWOW64\Logs\logs.dat	Defender.exe
File created	C:\Windows\SysWOW64\WD\Defender.exe	ServerSlinky.exe
File created	C:\Windows\SysWOW64\Logs\logs.dat	Defender.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

Defender.exeDefender.exeDefender.exeDefender.exeDefender.exe

description	pid	Process	procid_target
PID 3968 set thread context of 2036	3968	Defender.exe	78
PID 796 set thread context of 808	796	Defender.exe	110
PID 1520 set thread context of 3080	1520	Defender.exe	158
PID 4732 set thread context of 2452	4732	Defender.exe	237
PID 4480 set thread context of 3992	4480	Defender.exe	255

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dxdiag.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe

Modifies registry class 43 IoCs

Processes:

dxdiag.exeDefender.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeServerSlinky.exeDefender.exeDefender.exeDefender.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	Defender.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	ServerSlinky.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	ServerSlinky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	ServerSlinky.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	ServerSlinky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	ServerSlinky.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	Defender.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dxdiag.exe

pid	Process
1268	dxdiag.exe
1268	dxdiag.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Defender.exe

pid	Process
1520	Defender.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Defender.exeDefender.exeDefender.exeDefender.exeDefender.exe

pid	Process
3968	Defender.exe
796	Defender.exe
1520	Defender.exe
4732	Defender.exe
4480	Defender.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Defender.exeDefender.exeDefender.exedxdiag.exeDefender.exeDefender.exe

pid	Process
3968	Defender.exe
796	Defender.exe
1520	Defender.exe
1268	dxdiag.exe
4732	Defender.exe
4732	Defender.exe
4480	Defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

slinkyloader.exeServerSlinky.exeWScript.execmd.exeDefender.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exe

description	pid	Process	procid_target
PID 5084 wrote to memory of 1260	5084	slinkyloader.exe	72
PID 5084 wrote to memory of 1260	5084	slinkyloader.exe	72
PID 5084 wrote to memory of 1260	5084	slinkyloader.exe	72
PID 5084 wrote to memory of 2084	5084	slinkyloader.exe	73
PID 5084 wrote to memory of 2084	5084	slinkyloader.exe	73
PID 1260 wrote to memory of 3256	1260	ServerSlinky.exe	74
PID 1260 wrote to memory of 3256	1260	ServerSlinky.exe	74
PID 1260 wrote to memory of 3256	1260	ServerSlinky.exe	74
PID 3256 wrote to memory of 3452	3256	WScript.exe	75
PID 3256 wrote to memory of 3452	3256	WScript.exe	75
PID 3256 wrote to memory of 3452	3256	WScript.exe	75
PID 3452 wrote to memory of 3968	3452	cmd.exe	77
PID 3452 wrote to memory of 3968	3452	cmd.exe	77
PID 3452 wrote to memory of 3968	3452	cmd.exe	77
PID 3968 wrote to memory of 2036	3968	Defender.exe	78
PID 3968 wrote to memory of 2036	3968	Defender.exe	78
PID 3968 wrote to memory of 2036	3968	Defender.exe	78
PID 3968 wrote to memory of 2036	3968	Defender.exe	78
PID 2084 wrote to memory of 4444	2084	slinkyloader.exe	79
PID 2084 wrote to memory of 4444	2084	slinkyloader.exe	79
PID 2084 wrote to memory of 4444	2084	slinkyloader.exe	79
PID 2084 wrote to memory of 1420	2084	slinkyloader.exe	80
PID 2084 wrote to memory of 1420	2084	slinkyloader.exe	80
PID 1420 wrote to memory of 3196	1420	slinkyloader.exe	81
PID 1420 wrote to memory of 3196	1420	slinkyloader.exe	81
PID 1420 wrote to memory of 3196	1420	slinkyloader.exe	81
PID 1420 wrote to memory of 4456	1420	slinkyloader.exe	82
PID 1420 wrote to memory of 4456	1420	slinkyloader.exe	82
PID 4456 wrote to memory of 4812	4456	slinkyloader.exe	83
PID 4456 wrote to memory of 4812	4456	slinkyloader.exe	83
PID 4456 wrote to memory of 4812	4456	slinkyloader.exe	83
PID 4456 wrote to memory of 304	4456	slinkyloader.exe	84
PID 4456 wrote to memory of 304	4456	slinkyloader.exe	84
PID 304 wrote to memory of 2124	304	slinkyloader.exe	85
PID 304 wrote to memory of 2124	304	slinkyloader.exe	85
PID 304 wrote to memory of 2124	304	slinkyloader.exe	85
PID 304 wrote to memory of 2180	304	slinkyloader.exe	86
PID 304 wrote to memory of 2180	304	slinkyloader.exe	86
PID 2180 wrote to memory of 4380	2180	slinkyloader.exe	87
PID 2180 wrote to memory of 4380	2180	slinkyloader.exe	87
PID 2180 wrote to memory of 4380	2180	slinkyloader.exe	87
PID 2180 wrote to memory of 4008	2180	slinkyloader.exe	88
PID 2180 wrote to memory of 4008	2180	slinkyloader.exe	88
PID 4008 wrote to memory of 3580	4008	slinkyloader.exe	89
PID 4008 wrote to memory of 3580	4008	slinkyloader.exe	89
PID 4008 wrote to memory of 3580	4008	slinkyloader.exe	89
PID 4008 wrote to memory of 996	4008	slinkyloader.exe	90
PID 4008 wrote to memory of 996	4008	slinkyloader.exe	90
PID 996 wrote to memory of 4268	996	slinkyloader.exe	91
PID 996 wrote to memory of 4268	996	slinkyloader.exe	91
PID 996 wrote to memory of 4268	996	slinkyloader.exe	91
PID 996 wrote to memory of 3096	996	slinkyloader.exe	92
PID 996 wrote to memory of 3096	996	slinkyloader.exe	92
PID 3096 wrote to memory of 3000	3096	slinkyloader.exe	93
PID 3096 wrote to memory of 3000	3096	slinkyloader.exe	93
PID 3096 wrote to memory of 3000	3096	slinkyloader.exe	93
PID 3096 wrote to memory of 3556	3096	slinkyloader.exe	94
PID 3096 wrote to memory of 3556	3096	slinkyloader.exe	94
PID 3556 wrote to memory of 4132	3556	slinkyloader.exe	95
PID 3556 wrote to memory of 4132	3556	slinkyloader.exe	95
PID 3556 wrote to memory of 4132	3556	slinkyloader.exe	95
PID 3556 wrote to memory of 2352	3556	slinkyloader.exe	96
PID 3556 wrote to memory of 2352	3556	slinkyloader.exe	96
PID 2352 wrote to memory of 2316	2352	slinkyloader.exe	97

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
  "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\WD\Defender.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Windows\SysWOW64\WD\Defender.exe
        
        C:\Windows\SysWOW64\WD\Defender.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:2036
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zwombkhdhrzcdvbtkgejgwcrarealg.vbs"
        6⤵
        
        PID:1276
- C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
  "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
    "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
    3⤵
    - Executes dropped EXE
    PID:4444
- - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
    "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
      "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
      4⤵
      Executes dropped EXE
      PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
      "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        5⤵
        Executes dropped EXE
        
        PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:304
      - C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        6⤵
        Executes dropped EXE
        
        PID:2124
      - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        7⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        8⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        9⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        10⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        11⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        12⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        12⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        13⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        13⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        14⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        14⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        16⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\WD\Defender.exe"
        17⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\WD\Defender.exe
        
        C:\Windows\SysWOW64\WD\Defender.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        19⤵
        
        PID:808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ltaqgehdyngqejr.vbs"
        19⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        15⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        16⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        16⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        17⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        17⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        18⤵
        Executes dropped EXE
        
        PID:168
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        18⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        19⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        19⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        20⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        20⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        21⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        21⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        22⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        22⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        23⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        23⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        24⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        24⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        25⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        25⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        26⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        26⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        27⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        27⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        28⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        28⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        29⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        29⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        30⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        30⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        31⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        31⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        32⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        32⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        33⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        33⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        34⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        34⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        35⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        35⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        37⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\WD\Defender.exe"
        38⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\WD\Defender.exe
        
        C:\Windows\SysWOW64\WD\Defender.exe
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        40⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\dxdiag.exe
        
        "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
        40⤵
        Drops file in System32 directory
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rhfszaujgohzxzat.vbs"
        40⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        36⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        37⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        37⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        38⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        38⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        39⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        39⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        40⤵
        Executes dropped EXE
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        40⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        41⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        41⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        42⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        42⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        43⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        43⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        44⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        44⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        45⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        45⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        46⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        46⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        47⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        47⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        48⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        48⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        49⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        49⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        50⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        50⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        51⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        51⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        52⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        52⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        53⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        53⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        54⤵
        Executes dropped EXE
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        54⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        55⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        55⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        56⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        56⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        57⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        57⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        58⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        58⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        59⤵
        Executes dropped EXE
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        59⤵
        
        PID:168
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        60⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        60⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        61⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        61⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        62⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        62⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        63⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        63⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        64⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        64⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        65⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        65⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        66⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        66⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        67⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        67⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        68⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        68⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        69⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        69⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        70⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        70⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        71⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        72⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\WD\Defender.exe"
        73⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WD\Defender.exe
        
        C:\Windows\SysWOW64\WD\Defender.exe
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:4732
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        75⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\szoapmnbbarjgrjhkuprfsrkso.vbs"
        75⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        71⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        72⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        72⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        73⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        73⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        74⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        74⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        75⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        75⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        76⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        76⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        77⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        78⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\WD\Defender.exe"
        79⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\WD\Defender.exe
        
        C:\Windows\SysWOW64\WD\Defender.exe
        80⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:4480
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        81⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        77⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        78⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        78⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        79⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        79⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        80⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        80⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        81⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        81⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        82⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        82⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        83⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        83⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        84⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        84⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        85⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        85⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        86⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        86⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        87⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        87⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        88⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        88⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        89⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        89⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        90⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        90⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        91⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        91⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        92⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        92⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        93⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        93⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        94⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        94⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        95⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        95⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        96⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        96⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        97⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        97⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        98⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        98⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        99⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        99⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        100⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        100⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        101⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        101⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        102⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        102⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe"
        103⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        103⤵
        
        PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\slinkyloader.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ServerSlinky.exe

Filesize
469KB

MD5
d6d8860a0a1bcf9fdd49002b5f7210a4

SHA1
b53b139b2f8e4450881ac4f8d6413cff99a0d20c

SHA256
cc8759eb5c44c2ee5bc50afe242b03c4ba2691993731f55284c0cb2ebe6d3215

SHA512
983351d865a0b030eca2f5020a33fb29f990d14953046a8812e1bb72cf0deefba8b643455182f762f5c6b40397941cad9faf2cfa54d07acdbb977d5c1d704b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
392B

MD5
8c5c9ebb4cabfb7e5d6a505b77174cbd

SHA1
3a663b516acff79a14f0235e298fc7e36b87db7c

SHA256
844be12e0d02eb217a5d6b395c67cc2db929dea5c8f327aed3805464125584f0

SHA512
ec118a40da8a412a62e97e0ac8caededadb80217a6f85eb6be434642cddb428230bccec2ce4e71ff4c6a827469c609034e3919c56b804ac374609ce302836332

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwombkhdhrzcdvbtkgejgwcrarealg.vbs

Filesize
544B

MD5
39c87a7d50aa4dc5c8f524ffd6155a43

SHA1
ac377f483a3ff489f6348c747f6036aebdcdab39

SHA256
117f497ce09cc7c8778e403811d660239a9f0e31ddd703948c94a23fba7badb4

SHA512
7883fc31557f019a2012842edf63a9f9c2ec58df672b6a8883d2f70823424decbace2103a5a06461684ec5b9bbcb22f87c80ac56567abc6c426b621d61309a67

Download Submit
C:\Windows\SysWOW64\Logs\logs.dat

Filesize
144B

MD5
80b50168b75f5e38cbe2b85232a55bec

SHA1
d59da3aaaff9827f5768c7ac24dba8cbcfb562d3

SHA256
e0f17d9ec6b2d9b9df7a9aa8926e0f2e2ca7d9c19afbbe1a0b5e30a92e79ab47

SHA512
7e81623951cc3a28ea185d00d2ab83334022bcc60fd25444eac6ee23d86dafdce12f97e5632b1705544d51c4f0338e294cedd2ea912e8ea5c82bd4d77683b84e

Download Submit
C:\Windows\SysWOW64\Logs\logs.dat

Filesize
224B

MD5
c7a00d43d42fe33b6953afc401c4c807

SHA1
dc746c8e0a62ca70075da9fa8a03106cb1e2a8b5

SHA256
7744a4ffd185f40c9952d0ba827c6aa1e731648a82deb96db96acbbb4807e474

SHA512
9880861655e2756c1452caa5df6ff889f5411f9d85d078452e9f361253261d4ac199d5e5ed1419c8773e4d8152bad65365d96b8b304aa76d7e72955ce2d0adcd

Download Submit
C:\Windows\SysWOW64\Logs\logs.dat

Filesize
144B

MD5
9ddd0257b64da745119191bf2eea03ad

SHA1
203679173df3dc566d9f9a0a8afb570ae4fab5eb

SHA256
5ae4b3a36d36daf8b4346d9a40dc3db22fef53ce37ef5a5ba5b879ed1bcf7d0c

SHA512
263904a4bf7eb75eba4308835259387c731e2749dbec9d314f1dab0e4586ed82af9bb063be2e735a6c60b3703fe62f9e96dd06a129846d957b1cbf44baf17820

Download Submit
C:\Windows\SysWOW64\Logs\logs.dat

Filesize
144B

MD5
94d0ac4e10c3b546157a60f122539628

SHA1
290cb33184daba3acfd5f1d50c1e3c338d936e3c

SHA256
a1694a50b8a9cd08d067e7322e2b6fb119e174204533481adebca8accb77670a

SHA512
fe13b92fdfca822d37a017d07847dd4fceef5f0abdf60adb0aabd958827f211ea3b3d4ce52fcfc4fe4782865077a2f4102f92ad2683cdb1f0abad8ea495b0cf2

Download Submit
C:\Windows\SysWOW64\Logs\logs.dat

Filesize
246B

MD5
fd1e0d6d388f7dceb36c5ebb16219af0

SHA1
436b09504b9c3a178f859ebde35f235a17ab18e1

SHA256
5d7862f244ce6ce3196563ff00c796517527a30ae951249703b9d269296f444e

SHA512
76a97ebe26f1f5dc4a0cce222162f5edaf82b1889f0fb3840fb27fe9e545515942039269ead57553e96e5d34e579e47b5ac337c98be0e26a52c516d0a5461a08

Download Submit
memory/808-115-0x0000000000840000-0x00000000008BF000-memory.dmp

Filesize
508KB

Download
memory/808-118-0x0000000000840000-0x00000000008BF000-memory.dmp

Filesize
508KB

Download
memory/2036-20-0x0000000000800000-0x000000000087F000-memory.dmp

Filesize
508KB

Download
memory/2036-23-0x0000000000800000-0x000000000087F000-memory.dmp

Filesize
508KB

Download
memory/2452-379-0x0000000002CB0000-0x0000000002D2F000-memory.dmp

Filesize
508KB

Download
memory/2452-376-0x0000000002CB0000-0x0000000002D2F000-memory.dmp

Filesize
508KB

Download
memory/3080-233-0x00000000032C0000-0x000000000333F000-memory.dmp

Filesize
508KB

Download
memory/3080-236-0x00000000032C0000-0x000000000333F000-memory.dmp

Filesize
508KB

Download
memory/3992-414-0x0000000000860000-0x00000000008DF000-memory.dmp

Filesize
508KB

Download
memory/3992-417-0x0000000000860000-0x00000000008DF000-memory.dmp

Filesize
508KB

Download
memory/5084-0-0x00007FFC21FD0000-0x00007FFC229BC000-memory.dmp

Filesize
9.9MB

Download
memory/5084-15-0x00007FFC21FD0000-0x00007FFC229BC000-memory.dmp

Filesize
9.9MB

Download
memory/5084-3-0x0000000003670000-0x0000000003680000-memory.dmp

Filesize
64KB

Download
memory/5084-1-0x0000000000310000-0x00000000014D8000-memory.dmp

Filesize
17.8MB

Download