njrat | 9b802ef1b1e58a521a45dbd45c48c75c5b7f9ac53b273d6d2cf868c1f6d46885

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

5.2MB
MD5

c136329a989aad9543c913f9197a01fe
SHA1

0b3bdab50947cf330243938c9ccb3e685c43457b
SHA256

9b802ef1b1e58a521a45dbd45c48c75c5b7f9ac53b273d6d2cf868c1f6d46885
SHA512

fa7a7efa10b4da760b7d281aa235fa4bb4ce28d12796f28632fd653ae184a6f09bc796c18ba1aa3253f713af0334d97f040dc762a8a1d25352dc7308d49b8590
SSDEEP

98304:fKYhdZRJ8os9WXz/DsEAE4SfTQ3+5wJCn9cK4KwrUWxeNVSreDGknLjiSXBI:CYhdo0D/D1J8+mM9Y/gNIsGkLj

Score

10^/10

njrat umbral xworm discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b74-6.dat	family_umbral
behavioral2/memory/3944-22-0x0000025323B40000-0x0000025323B80000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b7c-42.dat	family_xworm
behavioral2/memory/4460-52-0x0000000000710000-0x0000000000720000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2272	powershell.exe
1728	powershell.exe
4888	powershell.exe
5100	powershell.exe
2744	powershell.exe
2104	powershell.exe
2944	powershell.exe
744	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
408	netsh.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	loader.exe

Executes dropped EXE 64 IoCs

pid	Process
3944	Aquatic.exe
2732	Server.exe
3148	Server.exe
4460	conhost.exe
4268	Aquatic.exe
3392	Server.exe
4940	Server.exe
2492	conhost.exe
3660	Aquatic.exe
3764	Server.exe
4644	Server.exe
3048	conhost.exe
924	server.exe
2584	Aquatic.exe
4472	Server.exe
3164	Aquatic.exe
4992	Server.exe
2416	Aquatic.exe
3828	Server.exe
4004	Aquatic.exe
1264	Server.exe
1748	Aquatic.exe
920	Server.exe
3956	Aquatic.exe
2432	Server.exe
3328	Aquatic.exe
3372	Server.exe
2652	Aquatic.exe
2980	Server.exe
1064	Aquatic.exe
4436	Server.exe
2204	Aquatic.exe
4012	Server.exe
2732	Aquatic.exe
2416	Server.exe
2572	Aquatic.exe
880	Server.exe
4780	Aquatic.exe
4268	Server.exe
4768	Aquatic.exe
2212	Server.exe
2816	Aquatic.exe
3104	Server.exe
2624	Aquatic.exe
2996	Server.exe
3284	Aquatic.exe
3536	Server.exe
4244	Aquatic.exe
3372	Server.exe
2980	Aquatic.exe
3944	Server.exe
1580	Aquatic.exe
4768	Server.exe
3364	Aquatic.exe
4916	Server.exe
3408	Ondrive.exe
4064	Aquatic.exe
920	Server.exe
3560	Aquatic.exe
3604	Server.exe
2260	Aquatic.exe
3472	Server.exe
4628	Aquatic.exe
1812	Server.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
87	discord.com
88	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	ip-api.com
146	ip-api.com
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3616	cmd.exe
1004	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1112	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1004	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2152	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4460	conhost.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
744	powershell.exe
744	powershell.exe
5100	powershell.exe
5100	powershell.exe
2744	powershell.exe
2744	powershell.exe
2104	powershell.exe
2104	powershell.exe
4244	Aquatic.exe
2944	powershell.exe
2944	powershell.exe
2272	powershell.exe
2272	powershell.exe
1728	powershell.exe
1728	powershell.exe
4660	powershell.exe
4660	powershell.exe
4888	powershell.exe
4888	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	Aquatic.exe
Token: SeDebugPrivilege	4460	conhost.exe
Token: SeIncreaseQuotaPrivilege	1076	wmic.exe
Token: SeSecurityPrivilege	1076	wmic.exe
Token: SeTakeOwnershipPrivilege	1076	wmic.exe
Token: SeLoadDriverPrivilege	1076	wmic.exe
Token: SeSystemProfilePrivilege	1076	wmic.exe
Token: SeSystemtimePrivilege	1076	wmic.exe
Token: SeProfSingleProcessPrivilege	1076	wmic.exe
Token: SeIncBasePriorityPrivilege	1076	wmic.exe
Token: SeCreatePagefilePrivilege	1076	wmic.exe
Token: SeBackupPrivilege	1076	wmic.exe
Token: SeRestorePrivilege	1076	wmic.exe
Token: SeShutdownPrivilege	1076	wmic.exe
Token: SeDebugPrivilege	1076	wmic.exe
Token: SeSystemEnvironmentPrivilege	1076	wmic.exe
Token: SeRemoteShutdownPrivilege	1076	wmic.exe
Token: SeUndockPrivilege	1076	wmic.exe
Token: SeManageVolumePrivilege	1076	wmic.exe
Token: 33	1076	wmic.exe
Token: 34	1076	wmic.exe
Token: 35	1076	wmic.exe
Token: 36	1076	wmic.exe
Token: SeIncreaseQuotaPrivilege	1076	wmic.exe
Token: SeSecurityPrivilege	1076	wmic.exe
Token: SeTakeOwnershipPrivilege	1076	wmic.exe
Token: SeLoadDriverPrivilege	1076	wmic.exe
Token: SeSystemProfilePrivilege	1076	wmic.exe
Token: SeSystemtimePrivilege	1076	wmic.exe
Token: SeProfSingleProcessPrivilege	1076	wmic.exe
Token: SeIncBasePriorityPrivilege	1076	wmic.exe
Token: SeCreatePagefilePrivilege	1076	wmic.exe
Token: SeBackupPrivilege	1076	wmic.exe
Token: SeRestorePrivilege	1076	wmic.exe
Token: SeShutdownPrivilege	1076	wmic.exe
Token: SeDebugPrivilege	1076	wmic.exe
Token: SeSystemEnvironmentPrivilege	1076	wmic.exe
Token: SeRemoteShutdownPrivilege	1076	wmic.exe
Token: SeUndockPrivilege	1076	wmic.exe
Token: SeManageVolumePrivilege	1076	wmic.exe
Token: 33	1076	wmic.exe
Token: 34	1076	wmic.exe
Token: 35	1076	wmic.exe
Token: 36	1076	wmic.exe
Token: SeDebugPrivilege	4268	Aquatic.exe
Token: SeDebugPrivilege	2492	conhost.exe
Token: SeIncreaseQuotaPrivilege	3576	wmic.exe
Token: SeSecurityPrivilege	3576	wmic.exe
Token: SeTakeOwnershipPrivilege	3576	wmic.exe
Token: SeLoadDriverPrivilege	3576	wmic.exe
Token: SeSystemProfilePrivilege	3576	wmic.exe
Token: SeSystemtimePrivilege	3576	wmic.exe
Token: SeProfSingleProcessPrivilege	3576	wmic.exe
Token: SeIncBasePriorityPrivilege	3576	wmic.exe
Token: SeCreatePagefilePrivilege	3576	wmic.exe
Token: SeBackupPrivilege	3576	wmic.exe
Token: SeRestorePrivilege	3576	wmic.exe
Token: SeShutdownPrivilege	3576	wmic.exe
Token: SeDebugPrivilege	3576	wmic.exe
Token: SeSystemEnvironmentPrivilege	3576	wmic.exe
Token: SeRemoteShutdownPrivilege	3576	wmic.exe
Token: SeUndockPrivilege	3576	wmic.exe
Token: SeManageVolumePrivilege	3576	wmic.exe
Token: 33	3576	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3944	2420	loader.exe	86
PID 2420 wrote to memory of 3944	2420	loader.exe	86
PID 2420 wrote to memory of 2732	2420	loader.exe	87
PID 2420 wrote to memory of 2732	2420	loader.exe	87
PID 2420 wrote to memory of 5064	2420	loader.exe	88
PID 2420 wrote to memory of 5064	2420	loader.exe	88
PID 2732 wrote to memory of 3148	2732	Server.exe	89
PID 2732 wrote to memory of 3148	2732	Server.exe	89
PID 2732 wrote to memory of 3148	2732	Server.exe	89
PID 2732 wrote to memory of 4460	2732	Server.exe	90
PID 2732 wrote to memory of 4460	2732	Server.exe	90
PID 3944 wrote to memory of 1076	3944	Aquatic.exe	91
PID 3944 wrote to memory of 1076	3944	Aquatic.exe	91
PID 5064 wrote to memory of 4268	5064	loader.exe	94
PID 5064 wrote to memory of 4268	5064	loader.exe	94
PID 5064 wrote to memory of 3392	5064	loader.exe	95
PID 5064 wrote to memory of 3392	5064	loader.exe	95
PID 5064 wrote to memory of 3916	5064	loader.exe	96
PID 5064 wrote to memory of 3916	5064	loader.exe	96
PID 3392 wrote to memory of 4940	3392	Server.exe	98
PID 3392 wrote to memory of 4940	3392	Server.exe	98
PID 3392 wrote to memory of 4940	3392	Server.exe	98
PID 3392 wrote to memory of 2492	3392	Server.exe	99
PID 3392 wrote to memory of 2492	3392	Server.exe	99
PID 4268 wrote to memory of 3576	4268	Aquatic.exe	100
PID 4268 wrote to memory of 3576	4268	Aquatic.exe	100
PID 4460 wrote to memory of 744	4460	conhost.exe	102
PID 4460 wrote to memory of 744	4460	conhost.exe	102
PID 4460 wrote to memory of 5100	4460	conhost.exe	104
PID 4460 wrote to memory of 5100	4460	conhost.exe	104
PID 4460 wrote to memory of 2744	4460	conhost.exe	106
PID 4460 wrote to memory of 2744	4460	conhost.exe	106
PID 4460 wrote to memory of 2104	4460	conhost.exe	108
PID 4460 wrote to memory of 2104	4460	conhost.exe	108
PID 3916 wrote to memory of 3660	3916	loader.exe	110
PID 3916 wrote to memory of 3660	3916	loader.exe	110
PID 3916 wrote to memory of 3764	3916	loader.exe	111
PID 3916 wrote to memory of 3764	3916	loader.exe	111
PID 3916 wrote to memory of 3900	3916	loader.exe	112
PID 3916 wrote to memory of 3900	3916	loader.exe	112
PID 3764 wrote to memory of 4644	3764	Server.exe	114
PID 3764 wrote to memory of 4644	3764	Server.exe	114
PID 3764 wrote to memory of 4644	3764	Server.exe	114
PID 3764 wrote to memory of 3048	3764	Server.exe	115
PID 3764 wrote to memory of 3048	3764	Server.exe	115
PID 3660 wrote to memory of 1564	3660	Aquatic.exe	116
PID 3660 wrote to memory of 1564	3660	Aquatic.exe	116
PID 4460 wrote to memory of 2152	4460	conhost.exe	118
PID 4460 wrote to memory of 2152	4460	conhost.exe	118
PID 3148 wrote to memory of 924	3148	Server.exe	120
PID 3148 wrote to memory of 924	3148	Server.exe	120
PID 3148 wrote to memory of 924	3148	Server.exe	120
PID 3900 wrote to memory of 2584	3900	loader.exe	121
PID 3900 wrote to memory of 2584	3900	loader.exe	121
PID 3900 wrote to memory of 4472	3900	loader.exe	122
PID 3900 wrote to memory of 4472	3900	loader.exe	122
PID 3900 wrote to memory of 4472	3900	loader.exe	122
PID 3900 wrote to memory of 4768	3900	loader.exe	123
PID 3900 wrote to memory of 4768	3900	loader.exe	123
PID 2584 wrote to memory of 1532	2584	Aquatic.exe	125
PID 2584 wrote to memory of 1532	2584	Aquatic.exe	125
PID 4768 wrote to memory of 3164	4768	loader.exe	127
PID 4768 wrote to memory of 3164	4768	loader.exe	127
PID 4768 wrote to memory of 4992	4768	loader.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1548	attrib.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
  "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Roaming\Server.exe
    "C:\Users\Admin\AppData\Roaming\Server.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:924
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:408
- - C:\Users\Admin\AppData\Roaming\conhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2104
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2152
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
    "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3576
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4940
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2492
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
      "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4644
    - - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3900
    - - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:1532
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4768
      - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        6⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:3912
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Checks computer location settings
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        7⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        Checks computer location settings
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        8⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        Checks computer location settings
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        9⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        Checks computer location settings
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        10⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        Checks computer location settings
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        11⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        Checks computer location settings
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        12⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        Checks computer location settings
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        13⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        Checks computer location settings
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        14⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        Checks computer location settings
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        15⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        Checks computer location settings
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        16⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        Checks computer location settings
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        17⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        Checks computer location settings
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        18⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        Checks computer location settings
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        19⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        Checks computer location settings
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        20⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        Checks computer location settings
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        21⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        Checks computer location settings
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        22⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:4072
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        23⤵
        Views/modifies file attributes
        
        PID:1548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4660
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        23⤵
        
        PID:3984
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        23⤵
        
        PID:3672
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:3916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        23⤵
        Detects videocard installed
        
        PID:1112
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3616
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        Checks computer location settings
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        23⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        23⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        23⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        24⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        24⤵
        Checks computer location settings
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        25⤵
        Executes dropped EXE
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        25⤵
        Checks computer location settings
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        26⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        26⤵
        Checks computer location settings
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        27⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        27⤵
        Checks computer location settings
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        28⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        28⤵
        Checks computer location settings
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        29⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        29⤵
        Checks computer location settings
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        30⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        30⤵
        Checks computer location settings
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        31⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        31⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        32⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        32⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        32⤵
        Checks computer location settings
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        33⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        33⤵
        Checks computer location settings
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        34⤵
        
        PID:3772
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        34⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        35⤵
        
        PID:3876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        35⤵
        Checks computer location settings
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        36⤵
        
        PID:2116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        36⤵
        Checks computer location settings
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        37⤵
        
        PID:4316
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        37⤵
        Checks computer location settings
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        38⤵
        
        PID:2104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        38⤵
        Checks computer location settings
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        39⤵
        
        PID:2996
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        39⤵
        Checks computer location settings
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        40⤵
        
        PID:1260
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        40⤵
        Checks computer location settings
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        41⤵
        
        PID:716
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        41⤵
        Checks computer location settings
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        42⤵
        
        PID:2608
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        42⤵
        Checks computer location settings
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        43⤵
        
        PID:3916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        43⤵
        Checks computer location settings
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        44⤵
        
        PID:4368
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        44⤵
        Checks computer location settings
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        45⤵
        
        PID:2456
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        45⤵
        Checks computer location settings
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        46⤵
        
        PID:4064
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        46⤵
        Checks computer location settings
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        47⤵
        
        PID:3256
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        47⤵
        Checks computer location settings
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        48⤵
        
        PID:2688
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        48⤵
        Checks computer location settings
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        49⤵
        
        PID:3028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        49⤵
        Checks computer location settings
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        50⤵
        
        PID:4028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        50⤵
        Checks computer location settings
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        51⤵
        
        PID:4424
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        51⤵
        Checks computer location settings
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        52⤵
        
        PID:1356
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        53⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        52⤵
        Checks computer location settings
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        53⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        53⤵
        Checks computer location settings
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        54⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        54⤵
        Checks computer location settings
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        55⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        55⤵
        Checks computer location settings
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        56⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        56⤵
        Checks computer location settings
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        57⤵
        
        PID:4640
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        57⤵
        Checks computer location settings
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        58⤵
        
        PID:4520
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        59⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        58⤵
        Checks computer location settings
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        59⤵
        
        PID:4732
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        60⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        59⤵
        Checks computer location settings
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        60⤵
        
        PID:208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        61⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        60⤵
        Checks computer location settings
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        61⤵
        
        PID:2104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        62⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        61⤵
        Checks computer location settings
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        62⤵
        
        PID:1728
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        63⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        62⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        63⤵
        
        PID:4836
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        64⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        63⤵
        Checks computer location settings
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        64⤵
        
        PID:3360
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        65⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        64⤵
        Checks computer location settings
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        65⤵
        
        PID:2584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        66⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        65⤵
        Checks computer location settings
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        66⤵
        
        PID:3004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        67⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        66⤵
        
        PID:1516

C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Aquatic.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe

Filesize
229KB

MD5
56c788116da32ec8e9ac3b1b0e66b520

SHA1
545f203f2bdf6fac2f131a76a5f36e21637b27ca

SHA256
f67268d2659ceb1e8cf8a7560784372294bcd8f249f7c0efdf33216722a5f0bb

SHA512
7da85b8e5f92f4a448a10f5c60c21f46b3eb511fda461b15956339ca7130c901e05ad58856a3a3903cdb52b81c4051d3bb0222e87aefab87136351d1ff01734f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_viyrqwf2.s23.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
memory/744-81-0x00000158FFF90000-0x00000158FFFB2000-memory.dmp

Filesize
136KB

Download
memory/744-93-0x000001589A980000-0x000001589AB9C000-memory.dmp

Filesize
2.1MB

Download
memory/2420-1-0x0000000000A30000-0x0000000000F6E000-memory.dmp

Filesize
5.2MB

Download
memory/2420-30-0x00007FFB45140000-0x00007FFB451DD000-memory.dmp

Filesize
628KB

Download
memory/2420-0-0x00007FFB45140000-0x00007FFB451DD000-memory.dmp

Filesize
628KB

Download
memory/2732-51-0x00007FFB45140000-0x00007FFB451DD000-memory.dmp

Filesize
628KB

Download
memory/2732-29-0x0000000000660000-0x0000000000678000-memory.dmp

Filesize
96KB

Download
memory/2732-26-0x00007FFB45140000-0x00007FFB451DD000-memory.dmp

Filesize
628KB

Download
memory/2744-117-0x0000013ED53D0000-0x0000013ED55EC000-memory.dmp

Filesize
2.1MB

Download
memory/3944-22-0x0000025323B40000-0x0000025323B80000-memory.dmp

Filesize
256KB

Download
memory/3944-54-0x00007FFB45140000-0x00007FFB451DD000-memory.dmp

Filesize
628KB

Download
memory/3944-25-0x00007FFB45140000-0x00007FFB451DD000-memory.dmp

Filesize
628KB

Download
memory/4244-385-0x00000226E5530000-0x00000226E5580000-memory.dmp

Filesize
320KB

Download
memory/4244-384-0x00000226E54B0000-0x00000226E5526000-memory.dmp

Filesize
472KB

Download
memory/4244-386-0x00000226E5580000-0x00000226E559E000-memory.dmp

Filesize
120KB

Download
memory/4244-421-0x00000226E52F0000-0x00000226E52FA000-memory.dmp

Filesize
40KB

Download
memory/4244-422-0x00000226E5430000-0x00000226E5442000-memory.dmp

Filesize
72KB

Download
memory/4460-52-0x0000000000710000-0x0000000000720000-memory.dmp

Filesize
64KB

Download