Analysis Overview
Threat Level: Likely malicious
The file https://cdn.discordapp.com/attachments/1239300375685759150/1246868493610127524/aquatic.rar?ex=665e9d06&is=665d4b86&hm=f8af91b9ea2115eeecb7176385cefd23df11bbf93c6e1224fd5831a670d02ae4& was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 09:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 09:27
Reported
2024-06-03 09:29
Platform
win10v2004-20240508-en
Max time kernel
118s
Max time network
100s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\main.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\onefile_1532_133618804858756300\main.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\main.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\main.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\onefile_1532_133618804858756300\main.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\onefile_1532_133618804858756300\main.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_6052_133618804569401464\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\aquatic\aquatic\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3600_133618804854349746\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\aquatic\aquatic\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1532_133618804858756300\main.exe | N/A |
Loads dropped DLL
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\main.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\onefile_1532_133618804858756300\main.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
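The three registry signatures above (VBOX__ ACPI table, BIOS version strings, EnableLUA) are the host-fingerprinting checks main.exe runs before doing anything else, while msedge.exe's BIOS reads a few rows later are ordinary browser behaviour. The following Python is an added example for this report, not sandbox tooling or code from the sample: it classifies registry reads by the key paths shown in the tables and weights them per process, so that a single VBOX__ hit is decisive while BIOS vendor/model reads from a known-noisy image are not. The event records are constructed to mirror the rows above (they are not the sandbox's raw data), and the FADT/RSDT entries extend the VBOX__ check beyond the DSDT key the report shows (assumption: VirtualBox exposes all three ACPI tables under that name). The HKLM-to-NT-path normalizer is there so the same logic works on Sysmon Event ID 12/13 TargetObject values.

```python
import re
from collections import defaultdict

# Key paths taken from the signature tables in this report, grouped by what
# they tell the sample about its host. FADT and RSDT are added alongside DSDT
# (assumption: VirtualBox exposes all three ACPI tables under VBOX__; the
# report itself only shows DSDT being opened).
CATEGORIES = {
    "anti_vm_virtualbox": [
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    ],
    "bios_fingerprint": [
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$",
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)",
    ],
    "uac_check": [
        r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$",
    ],
}

# Sysmon (Event ID 12/13) logs hive-prefixed paths; the sandbox logs NT paths.
_HIVE_PREFIXES = (
    ("HKEY_LOCAL_MACHINE\\", "\\REGISTRY\\MACHINE\\"),
    ("HKLM\\", "\\REGISTRY\\MACHINE\\"),
)


def normalize_key(path):
    """Rewrite HKLM-style prefixes to the NT form used in the tables above."""
    for prefix, nt in _HIVE_PREFIXES:
        if path.upper().startswith(prefix):
            return nt + path[len(prefix):]
    return path


def classify_key(path):
    """Return the fingerprinting category for a registry path, or None."""
    path = normalize_key(path)
    for category, patterns in CATEGORIES.items():
        if any(re.search(p, path, re.IGNORECASE) for p in patterns):
            return category
    return None


def score_processes(events, noisy_images=("msedge.exe",)):
    """Aggregate categories per process and assign a verdict.

    The VBOX__ ACPI key has no reason to be opened except to detect VirtualBox,
    so a single hit is enough. BIOS vendor/model reads on their own are weak:
    in this very report msedge.exe performs them, so for known-noisy images
    they are marked as noise rather than as suspicious.
    """
    per_process = defaultdict(set)
    for ev in events:
        category = classify_key(ev["key"])
        if category:
            per_process[ev["process"]].add(category)

    results = {}
    for process, categories in per_process.items():
        image = process.rsplit("\\", 1)[-1].lower()
        if "anti_vm_virtualbox" in categories:
            verdict = "anti-vm"
        elif image in noisy_images and categories == {"bios_fingerprint"}:
            verdict = "benign-noise"
        elif len(categories) >= 2:
            verdict = "suspicious"
        else:
            verdict = "low"
        results[process] = {"categories": categories, "verdict": verdict}
    return results


MAIN_EXE = r"C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\main.exe"
EDGE_EXE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed from the signature rows above; not the sandbox's raw event log.
SAMPLE_EVENTS = [
    {"process": MAIN_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"process": MAIN_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"process": MAIN_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"process": MAIN_EXE, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"process": EDGE_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"},
    {"process": EDGE_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"process": EDGE_EXE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"},
]

if __name__ == "__main__":
    for process, info in score_processes(SAMPLE_EVENTS).items():
        print(f"{info['verdict']:13} {sorted(info['categories'])}  {process}")
```

Run against the constructed events, main.exe is scored "anti-vm" with all three categories and msedge.exe is scored "benign-noise". Be careful with the EnableLUA read: on its own it only tells the sample whether a UAC prompt would appear, which is also what legitimate installers check; it gains weight here only because it arrives together with the VirtualBox and BIOS checks from the same process.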
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_6052_133618804569401464\loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3600_133618804854349746\loader.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1239300375685759150/1246868493610127524/aquatic.rar?ex=665e9d06&is=665d4b86&hm=f8af91b9ea2115eeecb7176385cefd23df11bbf93c6e1224fd5831a670d02ae4&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff850fe46f8,0x7ff850fe4708,0x7ff850fe4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,322046489491661586,5698999813793240640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\aquatic\" -ad -an -ai#7zMap9174:76:7zEvent1239
C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe
"C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_6052_133618804569401464\loader.exe
"C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start main.exe"
C:\Users\Admin\Downloads\aquatic\aquatic\main.exe
main.exe
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\main.exe
main.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Aquatic Raider I Tokens Loaded: 0 I Proxies Loaded: 0 I Version: V3 I Join: discord.gg/aquaticraider
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe
"C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_3600_133618804854349746\loader.exe
"C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start main.exe"
C:\Users\Admin\Downloads\aquatic\aquatic\main.exe
main.exe
C:\Users\Admin\AppData\Local\Temp\onefile_1532_133618804858756300\main.exe
main.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Aquatic Raider I Tokens Loaded: 0 I Proxies Loaded: 0 I Version: V3 I Join: discord.gg/aquaticraider
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
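Two details of the process list are worth pulling apart. First, every Temp-resident binary lives under a directory named onefile_<number>_<number>; together with the python311.dll, .pyd modules and zstandard backend extracted next to them, that is the default extraction layout of a Nuitka-compiled Python onefile binary (an inference from the artifacts, the report does not name the compiler). The first number is the PID of the on-disk bootstrap and the second decodes as a Windows FILETIME; treating it that way is an assumption, but the decoded values land at 09:27:36 and 09:27:39 UTC, within seconds of the 09:27 submission time above, which confirms it. Second, the extracted loader.exe in Temp runs with the command line of the Downloads copy ("C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe"), so image path and command line disagree. The Python below is an added example for this report, not sandbox code: it decodes the onefile_ directory names into bootstrap PID and start time and lists the extracted children, using process rows transcribed from the section above.

```python
import re
from datetime import datetime, timedelta, timezone

# Default Nuitka onefile temp directory: onefile_<bootstrap pid>_<start time>
# (inference from the extracted python311.dll/.pyd/zstandard layout).
ONEFILE_RE = re.compile(r"onefile_(\d+)_(\d{17,19})", re.IGNORECASE)

# Windows FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_onefile_path(path):
    """Return (bootstrap_pid, start_time_utc) for a path under an onefile_ directory, else None."""
    m = ONEFILE_RE.search(path)
    if not m:
        return None
    return int(m.group(1)), filetime_to_utc(int(m.group(2)))


# Transcribed from the Processes section above: (image path, command line).
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe",
     r'"C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\onefile_6052_133618804569401464\loader.exe",
     r'"C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe"'),
    (r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c "start main.exe"'),
    (r"C:\Users\Admin\Downloads\aquatic\aquatic\main.exe", "main.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\main.exe", "main.exe"),
]


def unpacked_children(process_rows):
    """Describe every process whose image lives in an onefile_ extraction directory.

    The extracted child inherits the bootstrap's command line, so image path
    and command line disagree (see loader.exe above). Key detections on the
    image path or the Temp directory, not on the command line alone.
    """
    out = []
    for image, cmdline in process_rows:
        decoded = decode_onefile_path(image)
        if decoded is None:
            continue
        pid, started = decoded
        out.append({
            "image": image,
            "bootstrap_pid": pid,
            "started_utc": started.strftime("%Y-%m-%d %H:%M:%S"),
            "inherited_cmdline": cmdline,
        })
    out.sort(key=lambda row: row["started_utc"])
    return out


if __name__ == "__main__":
    for row in unpacked_children(SAMPLE_PROCESSES):
        print(f"{row['started_utc']}  pid {row['bootstrap_pid']:>5}  {row['image']}")
```

The decoded start times also order the two detonation rounds: PIDs 6052 and 1564 (loader, then main) at 09:27:36 and 09:27:39, and PIDs 3600 and 1532 at 09:28:05 for the second run. The PIDs 6052 and 3600 recovered here match the memory dump entries for the loader processes in the Files section, which is a useful cross-check when reconstructing the tree from a report rather than from live telemetry.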
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
\??\pipe\LOCAL\crashpad_2868_CEAHZUMFWVFYBDQB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 61f90e69b3aac498c82e71357abcb26d |
| SHA1 | 8a95499cbbef572a40679d723e1c96a3aa92104b |
| SHA256 | 846f0cfd08e545087b3e48758eb3400424b5afa0329237bb6fa50e5af5a8bc5f |
| SHA512 | 810740b49458570e70e1556b1d758a54c44f5dfbf624fb77247586e9170d7c243c1677e4b63bb64039bf863f75c0682da8bb3de9c5a7158da427f46bd3b439c5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f7e306f883dd736474cd36cfa7cafc8b |
| SHA1 | 6fd96f89e8d85468a1fe4aebd348e5af75a040ff |
| SHA256 | 45438bc8d4570ca62bb4211d4920904cdaa0e2a4b4920dd93f2081e7f330dc92 |
| SHA512 | 415d7241fc3055a4222b58af917f8cb73614d486018b3ee101b9db1f688d300d67c8e30beb1347c72fa1e5e9eabf0e9305673f346ea7a596fed5637e2a2c1a8f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3d0e78cb68b5fec9870474d116c52f42 |
| SHA1 | a6f4294f1dad97073f4c34c479c5b1ef01d8f646 |
| SHA256 | 6e3c266f7e0692ba0c17aba2b8168b23ada220a7e5b31bf5390539c2ffd4e2e6 |
| SHA512 | 8bb68face05703be89905fef11adba8953e31a58a4361d39541cbe670617200e6023d32d940cd16a7481f4f63f1bdd1cfca2ca621d150bb914780dac241d71c8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f33a1e4756f8794d2c54132ae29f6ef0 |
| SHA1 | 867b5cfc50c08a22f193809a4871eeafd569002d |
| SHA256 | 709b72c9bf0dcfc9a034921ecafcbb1993d8e6b97cf1d75173116b7c33fd6fbf |
| SHA512 | 65d811c7db5008bd6aad74be44d5470b4a1ed1675bdfd2ca9626e82032cf31043ff98e893372542c7a6fd6114cbd01e9acffa4ffe426615670c31ecbad903f37 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e05051d7e0ede1c8910f2232674b57bd |
| SHA1 | 79afedc83da8e03ced1d07383e9d160239f2654b |
| SHA256 | 2f573c65e9533b3b1ff93b62ad01010ed8a0a9cdb033f7d378fb7c8059e260f0 |
| SHA512 | 8151ad6e77ab7b69763891ec3b57e8b9e3d686b2eedafa622ac718585c32572369968e09da4335821c0b1ada56b657d7a0b428676d5dfae25d2452aff32b6892 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 094ab275342c45551894b7940ae9ad0d |
| SHA1 | 2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e |
| SHA256 | ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3 |
| SHA512 | 19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\Downloads\aquatic.rar
| MD5 | 1d86f76e37964225989fb45678e9b317 |
| SHA1 | 6f1b1ef21123b02d70b443e7ce28ca2536995107 |
| SHA256 | 69deb4c238c29a0473d6aa41f3ad5f7a57a99b22d4da7c408978b1beac61eb7c |
| SHA512 | 20d6db0b9ffd08e818be6c2c32d3212aa9871804798d307f62e8b1715528d643176bae93a4d81b4630392c1df32dfb46c46866463da660fe9f4ae3159fa4548c |
C:\Users\Admin\Downloads\aquatic\aquatic\loader.exe
| MD5 | c679369a7270cb8f284b96ba9325b007 |
| SHA1 | c33955d7a9f44ab9ef7e67031960fcbb13690714 |
| SHA256 | a0fb1568891680d66efb9f545ed1cdc9c8124d96e220cbdd8b618769be6e6083 |
| SHA512 | 081152540c6579c0cd27f201f8b0a8956a1debc58c538c47dc88a99aa64929ca28f2eb9b3229d61618c6d979d583cfeca6a930d3dc56ff6f138989774372079f |
C:\Users\Admin\AppData\Local\Temp\onefile_6052_133618804569401464\loader.exe
| MD5 | b8e9bd84e2582b428785ae52636ce590 |
| SHA1 | 585d542155d9edd098d236ba89f3d8c52283fbbc |
| SHA256 | b39610bf0233ae7c7e1a6230072a65c014ec4c56fa10be7d66ffca2105775141 |
| SHA512 | 21462b75bc60481894d81516827faafbb77605018959f9c5cfd1aa68be7a480e609db8e08049ce37187547d7e5f731a9f4b9de23bfbf34e1613581129c65253e |
C:\Users\Admin\AppData\Local\Temp\onefile_6052_133618804569401464\python311.dll
| MD5 | 9a24c8c35e4ac4b1597124c1dcbebe0f |
| SHA1 | f59782a4923a30118b97e01a7f8db69b92d8382a |
| SHA256 | a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7 |
| SHA512 | 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b |
C:\Users\Admin\AppData\Local\Temp\onefile_6052_133618804569401464\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 8140bdc5803a4893509f0e39b67158ce |
| SHA1 | 653cc1c82ba6240b0186623724aec3287e9bc232 |
| SHA256 | 39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769 |
| SHA512 | d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | 97ee623f1217a7b4b7de5769b7b665d6 |
| SHA1 | 95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0 |
| SHA256 | 0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790 |
| SHA512 | 20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pyd
| MD5 | ebefbc98d468560b222f2d2d30ebb95c |
| SHA1 | ee267e3a6e5bed1a15055451efcccac327d2bc43 |
| SHA256 | 67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478 |
| SHA512 | ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3 |
C:\Users\Admin\AppData\Local\Temp\onefile_6052_133618804569401464\python3.dll
| MD5 | 34e49bb1dfddf6037f0001d9aefe7d61 |
| SHA1 | a25a39dca11cdc195c9ecd49e95657a3e4fe3215 |
| SHA256 | 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281 |
| SHA512 | edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
| MD5 | 6a9ca97c039d9bbb7abf40b53c851198 |
| SHA1 | 01bcbd134a76ccd4f3badb5f4056abedcff60734 |
| SHA256 | e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535 |
| SHA512 | dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d |
C:\Users\Admin\AppData\Local\Temp\onefile_6052_133618804569401464\libffi-8.dll
| MD5 | 32d36d2b0719db2b739af803c5e1c2f5 |
| SHA1 | 023c4f1159a2a05420f68daf939b9ac2b04ab082 |
| SHA256 | 128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c |
| SHA512 | a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1 |
C:\Users\Admin\Downloads\aquatic\aquatic\main.exe
| MD5 | c4639a9dd4fa418a1e2e5537b9a53bfe |
| SHA1 | 9fea0f4615170667aa59dac92f6d424455b5fc54 |
| SHA256 | 6548853e51522d28bc2d4ee6dbecdfe7be496462cb87f26587f830374ce07ec7 |
| SHA512 | 2e5f53a2d4bae0028ecb715485327db9da7aeb45176e7e54db039516dab6002f41b5f44ae728f7752ee840f34b14ac78698cea3bc4cc2d00ea815873bad6b692 |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\main.exe
| MD5 | fd558700e832c55b847fbaa2f9c77f48 |
| SHA1 | db8a95fa38c5f59f7908c4a36efe4f62191c3f77 |
| SHA256 | 89ccb259276786bda67b5f70d1dbc55eb7d0ab6333254f75b6f60fee10c30637 |
| SHA512 | 14d275d4f3b9c4c06920dbc7fd85c01357402eba85968a06cabb0852c43d9d64d1d30e9dffd744c450b3174064f95076369f1f8173dcfd3412b89f194f71dc41 |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\python311.dll
| MD5 | 58e01abc9c9b5c885635180ed104fe95 |
| SHA1 | 1c2f7216b125539d63bd111a7aba615c69deb8ba |
| SHA256 | de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837 |
| SHA512 | cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081 |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\VCRUNTIME140.dll
| MD5 | 49c96cecda5c6c660a107d378fdfc3d4 |
| SHA1 | 00149b7a66723e3f0310f139489fe172f818ca8e |
| SHA256 | 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc |
| SHA512 | e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\libcrypto-3.dll
| MD5 | 7a6a8c2a8c379b111cdceb66b18d687d |
| SHA1 | f3b8a4c731fa0145f224112f91f046fddf642794 |
| SHA256 | 8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b |
| SHA512 | f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5 |
C:\Users\Admin\Downloads\aquatic\aquatic\crack.dll
| MD5 | fe7dc4218e47f5c31e7a2db9b2e55ddd |
| SHA1 | 6d30688097e87755b5d59429e5dfb9ce0562f931 |
| SHA256 | 1cbaa9f954edae2e9a6ccac8e0119ff533ee01b42b1bb24fa10adfa80064b780 |
| SHA512 | 922048e800411cb7f21618647b88b0d8b5c98aa45a55eb8ab66a838f3900bed6e03cd247e27af0b304bd4b71fa6402d1b88aa320aa4c23a42088a1617dac73c7 |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\_hashlib.pyd
| MD5 | 1524882af71247adecf5815a4e55366a |
| SHA1 | e25014c793c53503bdff9af046140edda329d01b |
| SHA256 | 6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327 |
| SHA512 | 5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a |
memory/5588-277-0x0000000063A60000-0x0000000064454000-memory.dmp
memory/5588-275-0x0000000063A60000-0x0000000064454000-memory.dmp
memory/5588-276-0x0000000063A60000-0x0000000064454000-memory.dmp
memory/5588-274-0x0000000063A60000-0x0000000064454000-memory.dmp
memory/5588-273-0x0000000063A60000-0x0000000064454000-memory.dmp
memory/5588-278-0x0000000063A60000-0x0000000064454000-memory.dmp
memory/5588-279-0x0000000063A60000-0x0000000064454000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\_ctypes.pyd
| MD5 | 6114277c6fc040f68d25ca90e25924cd |
| SHA1 | 028179c77cb3ba29cd8494049421eaa4900ccd0e |
| SHA256 | f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656 |
| SHA512 | 76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d |
C:\Users\Admin\Downloads\aquatic\aquatic\config.toml
| MD5 | fe783a62cf5f5e09a7d8c6fd17ae60df |
| SHA1 | 46fa99c2b4c4158e9d9542559f11f34df5da8840 |
| SHA256 | 3188d09b74d87c1f1d1b6cd2624ef6fbb02aa27183e4908bed30f7f8ecd371b5 |
| SHA512 | d20a4d9c2a6f6ee2a7f4bc7d86264d1028d17db6e6cd868a27ff6d191170104bd99641dbba636d05588ad5e031ba378dcb28420b8a38363fcfadbb2608d25de3 |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\_decimal.pyd
| MD5 | be315973aff9bdeb06629cd90e1a901f |
| SHA1 | 151f98d278e1f1308f2be1788c9f3b950ab88242 |
| SHA256 | 0f9c6cc463611a9b2c692382fe1cdd7a52fea4733ffaf645d433f716f8bbd725 |
| SHA512 | 8ea715438472e9c174dee5ece3c7d9752c31159e2d5796e5229b1df19f87316579352fc3649373db066dc537adf4869198b70b7d4d1d39ac647da2dd7cfc21e8 |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\_socket.pyd
| MD5 | 64a6c475f59e5c57b3f4dd935f429f09 |
| SHA1 | ca2e0719dc32f22163ae0e7b53b2caadb0b9d023 |
| SHA256 | d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49 |
| SHA512 | cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973 |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\_ssl.pyd
| MD5 | a0b40f1f8fc6656c5637eacacf7021f6 |
| SHA1 | 38813e25ffde1eee0b8154fa34af635186a243c1 |
| SHA256 | 79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1 |
| SHA512 | c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713 |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\select.pyd
| MD5 | 653bdccb7af2aa9ccf50cb050fd3be64 |
| SHA1 | afe0a85425ae911694c250ab4cb1f6c3d3f2cc69 |
| SHA256 | e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279 |
| SHA512 | 07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277 |
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133618804591374767\libssl-3.dll
| MD5 | 64acb046fe68d64ee475e19f67253a3c |
| SHA1 | d9e66c9437ce6f775189d6fdbd171635193ec4cc |
| SHA256 | b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10 |
| SHA512 | f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\zstandard\backend_c.pyd
| MD5 | dc08f04c9e03452764b4e228fc38c60b |
| SHA1 | 317bcc3f9c81e2fc81c86d5a24c59269a77e3824 |
| SHA256 | b990efbda8a50c49cd7fde5894f3c8f3715cb850f8cc4c10bc03fd92e310260f |
| SHA512 | fbc24dd36af658cece54be14c1118af5fda4e7c5b99d22f99690a1fd625cc0e8aa41fd9accd1c74bb4b03d494b6c3571b24f2ee423aaae9a5ad50adc583c52f7 |
memory/4200-298-0x00007FF7C7260000-0x00007FF7C7C29000-memory.dmp
memory/6052-297-0x00007FF712230000-0x00007FF712745000-memory.dmp
memory/5588-299-0x00007FF83C8A0000-0x00007FF83D82C000-memory.dmp
memory/4200-300-0x00007FF7C7260000-0x00007FF7C7C29000-memory.dmp
memory/6052-304-0x00007FF712230000-0x00007FF712745000-memory.dmp
memory/5588-305-0x00007FF83C8A0000-0x00007FF83D82C000-memory.dmp
memory/2044-367-0x00007FF7CBBA0000-0x00007FF7CC569000-memory.dmp
memory/3600-372-0x00007FF712230000-0x00007FF712745000-memory.dmp
memory/5936-373-0x00007FF83BD30000-0x00007FF83CCBC000-memory.dmp