File name: slinkyloader.exe
Full analysis: https://app.any.run/tasks/4e86219d-7e6c-49a8-bdfe-e1ff3d445c39
Verdict: Malicious activity
Analysis date: January 17, 2026, 12:32:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
generic
anti-evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5: A65C5491DB99F5755DA095535FA01585
SHA1: 0C4C7E7DEEF8E953A72AB11D67AC8863A5A6B1A2
SHA256: C1D07B33E8178B3BA4462D7677CBD2B0BA19A799E4371E832782BDD39583EF17
SSDEEP: 196608:f7HhdMhOFpiOHNcNLixZe81CiITLY3IYmdUsAU:fzUhsdmNGxT1n3IJ1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • slinkyloader.exe (PID: 7868)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • slinkyloader.exe (PID: 7788)
      • SystemService.exe (PID: 7840)
      • slinkyloader.exe (PID: 7868)
    • Reads security settings of Internet Explorer

      • slinkyloader.exe (PID: 7788)
    • Process drops legitimate windows executable

      • SystemService.exe (PID: 7840)
    • The process checks if it is being run in the virtual environment

      • SystemService.exe (PID: 7840)
  • INFO

    • Create files in a temporary directory

      • slinkyloader.exe (PID: 7788)
      • SystemService.exe (PID: 7840)
    • Checks supported languages

      • slinkyloader.exe (PID: 7788)
      • SystemService.exe (PID: 7840)
      • slinkyloader.exe (PID: 7868)
    • Reads the computer name

      • slinkyloader.exe (PID: 7788)
      • SystemService.exe (PID: 7840)
    • Process checks computer location settings

      • slinkyloader.exe (PID: 7788)
    • Checks proxy server information

      • slui.exe (PID: 5628)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.6)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.9)
.exe | DOS Executable Generic (18.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 23186944
UninitializedDataSize: -
EntryPoint: 0x1475
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
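The EXIF block above is the header profile that makes this file worth a second look before it is run: 2048 bytes of code against 23,186,944 bytes of initialized data, a zeroed TimeDateStamp, a linker version of 6, and the characteristics "No relocs, Executable, No line numbers, No symbols, 32-bit, No debug". That shape is what a small loader stub carrying an embedded payload looks like, and it fits the behaviour recorded later in this report (the file writes two further executables into %TEMP% and runs them). The Python below is an added example, not ANY.RUN's code and not anything from the sample, that reads exactly those fields out of a PE's DOS/NT headers with the standard library only and scores that profile. The header bytes it builds for itself are constructed to mirror the values in this report so that it runs offline (the minor linker version, 0, is an assumption; the report only gives 6), and the same functions work on a real file read from disk. The thresholds in the heuristic are the example's own choices, not a published rule.

```python
"""Added example: header-level triage for the 'tiny code, huge initialized data' dropper profile."""
import struct
import sys
from dataclasses import dataclass

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# IMAGE_FILE_* characteristic bits, named the way the report's ImageFileCharacteristics line names them.
CHARACTERISTIC_BITS = {
    0x0001: "No relocs", 0x0002: "Executable", 0x0004: "No line numbers",
    0x0008: "No symbols", 0x0100: "32-bit", 0x0200: "No debug",
}


@dataclass
class PeHeaderFacts:
    machine: int
    num_sections: int
    timestamp: int
    characteristics: int
    linker_version: str
    size_of_code: int
    size_of_init_data: int
    entry_point: int
    pe32plus: bool

    def characteristic_names(self) -> list[str]:
        return [name for bit, name in CHARACTERISTIC_BITS.items() if self.characteristics & bit]


def parse_pe_headers(data: bytes) -> PeHeaderFacts:
    """Read IMAGE_FILE_HEADER and the leading fields of IMAGE_OPTIONAL_HEADER (same layout in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, ts, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    # Magic, MajorLinker, MinorLinker, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode
    magic, maj, minr, code, idata, _udata, ep, _base = struct.unpack_from("<HBBIIIII", data, fh + 20)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:04x}")
    return PeHeaderFacts(machine, nsec, ts, chars, f"{maj}.{minr}", code, idata, ep, magic == PE32PLUS_MAGIC)


def stub_dropper_indicators(h: PeHeaderFacts, max_stub_code: int = 8192, min_ratio: float = 100.0) -> list[str]:
    """Heuristics for a small stub whose bulk is embedded payload rather than code (thresholds are assumptions)."""
    flags = []
    if h.timestamp == 0:
        flags.append("TimeDateStamp is zero: build time blanked by the tool or by hand")
    if h.size_of_code <= max_stub_code:
        flags.append(f"code section is only {h.size_of_code} bytes")
    if h.size_of_code and h.size_of_init_data / h.size_of_code >= min_ratio:
        flags.append(f"initialized data is {h.size_of_init_data // h.size_of_code}x the code size: likely embedded payload")
    if h.linker_version.split(".")[0] == "6":
        flags.append("MajorLinkerVersion 6: not what a current MSVC toolchain (14.x) emits")
    return flags


def build_minimal_pe_headers(*, machine, num_sections, timestamp, characteristics, linker_major, linker_minor,
                             size_of_code, size_of_init_data, entry_point, pe32plus=False) -> bytes:
    """Constructed test input: only the header bytes the parser reads, not a loadable image."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, num_sections, timestamp, 0, 0, 0xE0, characteristics)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt = struct.pack("<HBBIIIII", magic, linker_major, linker_minor, size_of_code, size_of_init_data,
                      0, entry_point, 0x1000)
    return dos + b"PE\0\0" + file_hdr + opt


# Values transcribed from the EXIF block of this report; the minor linker version (0) is assumed.
REPORT_SAMPLE = build_minimal_pe_headers(
    machine=IMAGE_FILE_MACHINE_I386, num_sections=4, timestamp=0, characteristics=0x030F,
    linker_major=6, linker_minor=0, size_of_code=2048, size_of_init_data=23186944, entry_point=0x1475,
)


def triage(data: bytes) -> dict:
    h = parse_pe_headers(data)
    return {"arch": "x64" if h.pe32plus else "x86", "sections": h.num_sections,
            "characteristics": h.characteristic_names(), "indicators": stub_dropper_indicators(h)}


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else REPORT_SAMPLE
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it with a path argument to triage a real file; with no argument it evaluates the constructed header mirroring this report. The ratio flag is the one that matters here: a 2 KB stub in front of 22 MB of initialized data means almost everything in the file is data the stub intends to write out or map, which is exactly what the dropped-files section later records.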
Total processes: 142
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Nodes on the graph, as labelled: start, slinkyloader.exe, systemservice.exe, #GENERIC, slinkyloader.exe, conhost.exe (no specs), slui.exe

Process information

PID: 5628
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7788
CMD: "C:\Users\admin\Desktop\slinkyloader.exe"
Path: C:\Users\admin\Desktop\slinkyloader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\slinkyloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 7840
CMD: "C:\Users\admin\AppData\Local\Temp\SystemService.exe"
Path: C:\Users\admin\AppData\Local\Temp\SystemService.exe
Parent process: slinkyloader.exe
User: admin
Integrity Level: MEDIUM
Description: Windows Application
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\systemservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 7868
CMD: "C:\Users\admin\AppData\Local\Temp\slinkyloader.exe"
Path: C:\Users\admin\AppData\Local\Temp\slinkyloader.exe
Parent process: slinkyloader.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\slinkyloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\vcruntime140.dll

PID: 7880
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: slinkyloader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 3 920
Read events: 3 920
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 10
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 7788 (slinkyloader.exe) wrote C:\Users\admin\AppData\Local\Temp\SystemService.exe [executable]
MD5: E4E073326C39F81F5DBC8707FF5F86C4
SHA256: 3BF0BF73811A57A69928402EA4FA8E5ECE23A2CA3BC65A047917964848738275

PID 7840 (SystemService.exe) wrote C:\Users\admin\AppData\Local\Temp\Costura\D1138B0D14916C7DB1E1FAEB7DD76DFA\system.data.sqlite.dll [executable]
MD5: EDD007CF3FCB18CCEF985F58004B1AEE
SHA256: 9B0581B003161D1605405AB4AE2A31E03BF3287673C148F4A1D90253AAAD2C30

PID 7840 (SystemService.exe) wrote C:\Users\admin\AppData\Local\Temp\Costura\D1138B0D14916C7DB1E1FAEB7DD76DFA\system.data.sqlite.linq.dll [executable]
MD5: 7EE67DEBCAA7A2B2088E395FA878C3CC
SHA256: A409E2BF0B5C7C7507E4DBA46E6BBF0D1A01A75BDA68A81067D11C9DABEA42B9

PID 7788 (slinkyloader.exe) wrote C:\Users\admin\AppData\Local\Temp\slinkyloader.exe [executable]
MD5: A2223005E6D186689577E5A2B785A16B
SHA256: CEF5B60321F17991400A19072052535638C0A5C02D338234686552DEADEEA82E

PID 7840 (SystemService.exe) wrote C:\Users\admin\AppData\Local\Temp\Costura\D1138B0D14916C7DB1E1FAEB7DD76DFA\entityframework.sqlserver.dll [executable]
MD5: AF1646B1C2227AB206D855BD068535CF
SHA256: A960DD4D2F0F37B3C09FFB9567C32426B8791310D7EB935C04C819C3D46BD49E

PID 7840 (SystemService.exe) wrote C:\Users\admin\AppData\Local\Temp\Costura\D1138B0D14916C7DB1E1FAEB7DD76DFA\system.data.sqlite.ef6.dll [executable]
MD5: ABE16B7897883FFADCB596AD81FF62C1
SHA256: 996AC5F7D5F791C8FE5473E1E0525FBA594F6A1D779F2B3A1254805302770725

PID 7840 (SystemService.exe) wrote C:\Users\admin\AppData\Local\Temp\Costura\D1138B0D14916C7DB1E1FAEB7DD76DFA\newtonsoft.json.dll [executable]
MD5: 195FFB7167DB3219B217C4FD439EEDD6
SHA256: E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D

PID 7840 (SystemService.exe) wrote C:\Users\admin\AppData\Local\Temp\Costura\D1138B0D14916C7DB1E1FAEB7DD76DFA\entityframework.dll [executable]
MD5: FFDCF232D0BB2FFF78721FB347641A76
SHA256: FF42BCA704605E187ABB45523868B15128D6AF1C28AD40A4579D507D34A953B2

PID 7868 (slinkyloader.exe) wrote C:\Users\admin\Desktop\slinky_library.dll [executable]
MD5: 44B5E89A9F7BAB889A4DF60042872F17
SHA256: 16745AE6670EBA8A452A5E75FA6142564D31BD3B7D14766E04F1ACB214F65703

PID 7868 (slinkyloader.exe) wrote C:\Users\admin\Desktop\slinkyhook.dll [executable]
MD5: 6D8C17C67970CB5841811EED8ADFFFFC
SHA256: 7C4234FAC3B6B3E96DACE1E71C7A952EC67E3839F90F7A88A9EA283BF88D25B8
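Read together, the process list and the dropped-file list describe the chain an analyst would hunt for. slinkyloader.exe (7788), a 32-bit process under WOW64 as the PE32 header predicts, writes SystemService.exe and a second slinkyloader.exe into %TEMP%, and both then run with a parent named slinkyloader.exe. SystemService.exe (7840) loads mscoree.dll, so it is a .NET image, and it unpacks its bundled assemblies into %TEMP%\Costura\<hash>\; that directory layout is how Costura.Fody extracts embedded assemblies, and the files in it (Newtonsoft.Json, System.Data.SQLite, EntityFramework) are stock libraries rather than sample-specific code. The Temp copy of slinkyloader.exe (7868) has a different SHA256 from the file on the Desktop, loads the native system32 ntdll/kernel32 with no WOW64 layer plus the MSVC 14 runtime, and drops slinky_library.dll and slinkyhook.dll on the Desktop. The Python below is an added example, not ANY.RUN's code, that encodes that reasoning over records transcribed from this report: it rebuilds the drop-then-execute relationships (parents are matched by image name, because the report gives the parent by name only), separates the Costura cache from the artifacts worth hunting, and produces the hash list. The Costura path pattern, the user-writable directory list and the name-based parent matching are the example's own assumptions.

```python
"""Added example: turn the report's process tree and dropped files into a drop chain and a hunt list."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # full image path as shown in the report
    parent: str   # parent image name; the report gives the name, not the PID


@dataclass(frozen=True)
class Drop:
    pid: int      # process that wrote the file
    path: str
    sha256: str


# Transcribed from the "Process information" section of this report.
PROCS = [
    Proc(5628, r"C:\Windows\System32\slui.exe", "svchost.exe"),
    Proc(7788, r"C:\Users\admin\Desktop\slinkyloader.exe", "explorer.exe"),
    Proc(7840, r"C:\Users\admin\AppData\Local\Temp\SystemService.exe", "slinkyloader.exe"),
    Proc(7868, r"C:\Users\admin\AppData\Local\Temp\slinkyloader.exe", "slinkyloader.exe"),
    Proc(7880, r"C:\Windows\System32\conhost.exe", "slinkyloader.exe"),
]

# Transcribed from the "Dropped files" section of this report.
COSTURA = r"C:\Users\admin\AppData\Local\Temp\Costura\D1138B0D14916C7DB1E1FAEB7DD76DFA"
DROPS = [
    Drop(7788, r"C:\Users\admin\AppData\Local\Temp\SystemService.exe", "3BF0BF73811A57A69928402EA4FA8E5ECE23A2CA3BC65A047917964848738275"),
    Drop(7840, COSTURA + r"\system.data.sqlite.dll", "9B0581B003161D1605405AB4AE2A31E03BF3287673C148F4A1D90253AAAD2C30"),
    Drop(7840, COSTURA + r"\system.data.sqlite.linq.dll", "A409E2BF0B5C7C7507E4DBA46E6BBF0D1A01A75BDA68A81067D11C9DABEA42B9"),
    Drop(7788, r"C:\Users\admin\AppData\Local\Temp\slinkyloader.exe", "CEF5B60321F17991400A19072052535638C0A5C02D338234686552DEADEEA82E"),
    Drop(7840, COSTURA + r"\entityframework.sqlserver.dll", "A960DD4D2F0F37B3C09FFB9567C32426B8791310D7EB935C04C819C3D46BD49E"),
    Drop(7840, COSTURA + r"\system.data.sqlite.ef6.dll", "996AC5F7D5F791C8FE5473E1E0525FBA594F6A1D779F2B3A1254805302770725"),
    Drop(7840, COSTURA + r"\newtonsoft.json.dll", "E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D"),
    Drop(7840, COSTURA + r"\entityframework.dll", "FF42BCA704605E187ABB45523868B15128D6AF1C28AD40A4579D507D34A953B2"),
    Drop(7868, r"C:\Users\admin\Desktop\slinky_library.dll", "16745AE6670EBA8A452A5E75FA6142564D31BD3B7D14766E04F1ACB214F65703"),
    Drop(7868, r"C:\Users\admin\Desktop\slinkyhook.dll", "7C4234FAC3B6B3E96DACE1E71C7A952EC67E3839F90F7A88A9EA283BF88D25B8"),
]

# Assumed rule: Costura.Fody unpacks embedded assemblies into %TEMP%\Costura\<32 hex chars>\.
COSTURA_CACHE = re.compile(r"\\Temp\\Costura\\[0-9A-Fa-f]{32}\\")
# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\desktop\\")


def is_costura_cache(path: str) -> bool:
    return COSTURA_CACHE.search(path) is not None


def in_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(d in lowered for d in USER_WRITABLE)


def drop_and_execute_chain(procs, drops):
    """(writer pid, child pid, path) for every dropped file that later runs as a child of its writer.

    The report names the parent rather than giving its PID, so the match is on image name;
    a drop written by a process whose name matches the child's parent name counts."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    for d in drops:
        writer = by_pid.get(d.pid)
        if writer is None:
            continue
        writer_name = PureWindowsPath(writer.image).name.lower()
        for p in procs:
            if p.image.lower() == d.path.lower() and p.parent.lower() == writer_name:
                chain.append((d.pid, p.pid, d.path))
    return chain


def hunt_iocs(drops):
    """Sample-specific artifacts: everything except the Costura cache of stock third-party assemblies."""
    return [(PureWindowsPath(d.path).name, d.sha256) for d in drops if not is_costura_cache(d.path)]


def summarize(procs, drops) -> dict:
    return {
        "chain": drop_and_execute_chain(procs, drops),
        "costura_unpacked": sorted(PureWindowsPath(d.path).name for d in drops if is_costura_cache(d.path)),
        "iocs": hunt_iocs(drops),
        "all_drops_in_user_writable_dirs": all(in_user_writable_dir(d.path) for d in drops),
    }


if __name__ == "__main__":
    for key, value in summarize(PROCS, DROPS).items():
        print(key, value)
```

The hunt list this produces has four entries (SystemService.exe, the Temp copy of slinkyloader.exe, slinky_library.dll, slinkyhook.dll); the six Costura DLLs are reported separately because their hashes will match any other application built with the same library versions and would only generate noise in a blocklist. Every drop lands in a user-writable path at medium integrity, which is consistent with the report's "Executable content was dropped or overwritten" indicator and with no elevation having taken place.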
HTTP(S) requests: 40
TCP/UDP connections: 40
DNS requests: 18
Threats: 0

Every request and connection attributed to a process in the tables below comes from a Windows component (svchost.exe, MoUsoCoreWorker.exe, SIHClient.exe, System) talking to Microsoft infrastructure; none is attributed to the monitored sample processes (7788, 7840, 7868). Since SystemService.exe (7840) checked whether it was running in a virtual environment, the absence of sample traffic in this run is not evidence that the sample has no network capability.

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7088 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
- | - | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
7088 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
- | - | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
3192 | SIHClient.exe | GET | 200 | 13.95.31.18:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
- | - | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | unknown
3192 | SIHClient.exe | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
- | - | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown

(A "-" marks a cell the report leaves empty.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7088 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
7088 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6768 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
- | - | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

(A "-" marks a cell the report leaves empty.)

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 142.250.184.238 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.249 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.28, 23.32.238.155, 23.32.238.97 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
login.live.com | 20.190.160.2, 40.126.32.138, 40.126.32.76, 20.190.160.65, 40.126.32.133, 20.190.160.5, 20.190.160.130, 20.190.160.66 | whitelisted
slscr.update.microsoft.com | 74.178.240.61 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted
self.events.data.microsoft.com | 13.89.179.9 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.65, 48.192.1.64 | whitelisted

Threats

No threats detected
No debug info