redline | hxxps://www[.]mediafire[.]com/folder/0yxj41i2ju2lm/Aquantia_Executor

Analysis

max time kernel
464s
max time network
465s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
12-05-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/0yxj41i2ju2lm/Aquantia_Executor

Score

10^/10

redline zgrat discovery infostealer rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/4968-1049-0x0000000000400000-0x000000000044A000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4968-1049-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 7 IoCs

pid	Process
3060	Aquantia_Setup 2.21.exe
4500	Aquantia_Setup 2.21.exe
5436	Aquantia_Setup 2.21.exe
4528	Aquantia_Setup 2.21.exe
4820	Aquantia_Setup 2.21.exe
4656	Aquantia_Setup 2.21.exe
3760	Aquantia_Setup 2.21.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 4968	3060	Aquantia_Setup 2.21.exe	153
PID 4500 set thread context of 3176	4500	Aquantia_Setup 2.21.exe	157
PID 5436 set thread context of 540	5436	Aquantia_Setup 2.21.exe	160
PID 4528 set thread context of 1408	4528	Aquantia_Setup 2.21.exe	165
PID 4820 set thread context of 5724	4820	Aquantia_Setup 2.21.exe	168
PID 4656 set thread context of 5332	4656	Aquantia_Setup 2.21.exe	171
PID 3760 set thread context of 3860	3760	Aquantia_Setup 2.21.exe	174

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599821489679252"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Aquantia.rar:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
7636	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4304	chrome.exe
4304	chrome.exe
6792	chrome.exe
6792	chrome.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
4968	RegAsm.exe
3176	RegAsm.exe
540	RegAsm.exe
1408	RegAsm.exe
5724	RegAsm.exe
5332	RegAsm.exe
3860	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5044	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 47 IoCs

pid	Process
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe
Token: SeShutdownPrivilege	4304	chrome.exe
Token: SeCreatePagefilePrivilege	4304	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe
4304	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 4300	4304	chrome.exe	79
PID 4304 wrote to memory of 4300	4304	chrome.exe	79
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 2396	4304	chrome.exe	81
PID 4304 wrote to memory of 5088	4304	chrome.exe	82
PID 4304 wrote to memory of 5088	4304	chrome.exe	82
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83
PID 4304 wrote to memory of 3428	4304	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/folder/0yxj41i2ju2lm/Aquantia_Executor
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeb28dab58,0x7ffeb28dab68,0x7ffeb28dab78
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4748 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4676 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4760 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4984 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5128 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5180 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5520 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5716 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5864 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6060 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6280 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6456 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6960 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3764 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4588 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=7208 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=7528 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=7624 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=7628 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=7912 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=8028 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=8052 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=8592 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8748 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:8
  2⤵
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8908 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:8
  2⤵
  PID:6156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6996 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=9176 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=9312 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=9440 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=9448 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=9608 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=9760 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=9600 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=10176 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=10184 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=10336 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=10480 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=10624 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=10776 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=11024 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=11032 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=11188 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=11356 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=11500 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=11636 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:6572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=9036 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:7788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=11916 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:7908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=9732 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:1
  2⤵
  PID:7984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1424 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6960 --field-trial-handle=1748,i,2007680947590133536,11683806987460389672,131072 /prefetch:8
  2⤵
  PID:6912

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6376

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Aquantia\" -spe -an -ai#7zMap19432:78:7zEvent9912
1⤵
PID:7220

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Aquantia\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:7636

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Aquantia (Updated)\" -spe -an -ai#7zMap25739:112:7zEvent20964
1⤵
PID:7472

C:\Users\Admin\Desktop\Aquantia (Updated)\Aquantia_Setup 2.21.exe
"C:\Users\Admin\Desktop\Aquantia (Updated)\Aquantia_Setup 2.21.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4968

C:\Users\Admin\Desktop\Aquantia (Updated)\Aquantia_Setup 2.21.exe
"C:\Users\Admin\Desktop\Aquantia (Updated)\Aquantia_Setup 2.21.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176

C:\Users\Admin\Desktop\Aquantia (Updated)\Aquantia_Setup 2.21.exe
"C:\Users\Admin\Desktop\Aquantia (Updated)\Aquantia_Setup 2.21.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Aquantia\Aquantia (Updated).rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5044

C:\Users\Admin\Desktop\Aquantia (Updated)\Aquantia_Setup 2.21.exe
"C:\Users\Admin\Desktop\Aquantia (Updated)\Aquantia_Setup 2.21.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1408

C:\Users\Admin\Desktop\Aquantia\Aquantia_Setup 2.21.exe
"C:\Users\Admin\Desktop\Aquantia\Aquantia_Setup 2.21.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5724

C:\Users\Admin\Desktop\Aquantia\Aquantia_Setup 2.21.exe
"C:\Users\Admin\Desktop\Aquantia\Aquantia_Setup 2.21.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5332

C:\Users\Admin\Desktop\Aquantia\Aquantia_Setup 2.21.exe
"C:\Users\Admin\Desktop\Aquantia\Aquantia_Setup 2.21.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4d37fc710e6093a9c140e25beb7f5a63

SHA1
da60f1ec8331e75e88ace5f3afc2e9400331167e

SHA256
2ecaff74d48dab2c0e58e152433ea7e38b9ca2cf246963721b4a3110c4857672

SHA512
3fb98c5b119bf9661060a774480cd472307c2e2fe48bd4c51cf229949a63fc1251e1fa783d4595a5150d0a2d24cd8a67a14fafceee2c4a5598edce9a53e4703a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
18KB

MD5
b5eb0899a93225e892704204a16f63e7

SHA1
d4b56a5ee4d07cdac3375a7d50b5edb002143978

SHA256
9fb86925d91fa6cc9926796aa22d7b4d4de6b5f1431b8366412834b2ab691ae0

SHA512
31615c9f02a4292b9d6e2f691f4de1b5c0d147b3bf81bcac1297520d92436f4d1833a2d2ec240c6fe4e2f9f90c71f291846a1e8726b2dc2a3a863a701a37587d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
18KB

MD5
03d9099a99a1517abb8e6b5e0487f77e

SHA1
fb8685a2824f322ae46fcfb77224d91a7e00ec28

SHA256
c06e9d52a15d9551b87b657a2f751a72f84fcdd979c96360da5fb138bb8b3112

SHA512
d945d9a2eaf4db379fad67407e8c6def9cffdfb52cfdf2237bdd5cca928471b32b6183ebc0a4badb84964c801306af44e4a4db5d61dad162549e7409632c34a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
163b9ec0a96c9fdf1aa7a6df1ef9f64a

SHA1
630f218faa5d15c22203356984edafe8ab786043

SHA256
66b352f8d6f3bb010ef8a1ca893d9eac205f793bb55197838d668e524de5ac40

SHA512
83aa9d371aa13c4be37875b8e1e51b23d0ee7b0bd2629fbea0a08f658e53c368af73af09aed23a58fd11d22712a134abcf9421765e4116070bb277c91bdcdaeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
48f3a80d906617bd6d537d00b6012c44

SHA1
d10a725c886e7f62fe719e2850809122a3c8aa5d

SHA256
f979ec7d07740ea5ba61673c2db360ee925dd7168d7458686822f2768d6567f9

SHA512
344094b7e77997b53ce4f77f5566f2a3a8a8b26064cb5d30672ef88a5fd955f4e65122bfe6a9a5cad00fcc8aa1d8af9755163c54c5bd516a354708cf0515f2f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
db9db250ef22c16f502e27591622880c

SHA1
5fd924ddce6851213126a363fd23224bbe3ad37b

SHA256
f7042c0d15c9aa94f96615d86c6cf0feed001df588d571805c5357ba92879ff5

SHA512
30919c5c6a856a02d172bf9cc3aec8861c4026b914e029d744b5066f62a766837950f4098b2e712c478347b54e7c9995da3e84a8be74c730a10a857732644eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ae68e32dd2d137ad15d78d4bc1d15b8d

SHA1
6fdeed2a879f841bcb384d3e63ee05a9ddc529c3

SHA256
48fea0824682f76e6aa20594391682c9ab9676e00a505d8a50a006632eaea089

SHA512
4a0cd3618f84e2d3f64326d012c7e9323c2b915b0c9c90ac9a0d8186c687e8299f121ce44fedc72d5979630f4256deb50d332788b0b01ff031db01e9771a1fe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
879b69b59857fd950f673f347d53203f

SHA1
e9c25713a4ebd1b56329fab684dcdad3fee5b74e

SHA256
806d504ddd2773bbae6b84c8804c723e391b0fac39668efee0f8aab45e35ddd3

SHA512
211370175ff8784480aa6751063938ca7fb49723bc2136c1d21193a674f65e50f34eb08106feec128429db61ca2aa58b2dc3c1960d99bcee3f7c06fd30b5273b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1b77c552285956c4e00862fe34d9a02c

SHA1
d82300fb65217808479dcd89012e82edfbde8036

SHA256
64543d5768b8f7bf6a1255bc14ee7080004e2a3ac686c584d13578f84de0effa

SHA512
5ab7044967cda5b7e1a558773dd412bd9f7e47004b378cb76790f0942a81cf8fda57123e0ca23b1a37b854333e24c43d9ec6ee0a07b69e386635efa7b3afb0bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
dffc131aadbca044959a027d968aa5fd

SHA1
4e98e8be68b6f65905347efe992500eda9c2dbe7

SHA256
78cf798fcb0376646684b0369414e0e641168ff35a84361c1c0424917359b5bb

SHA512
98bede57b3412455ae2b545a14b33d4953bb3d89b5e71a6fd9e7795e07b9b77ee3cb89b6e04a0eed7073233e17354ec19b4aa5e2cd7f80d97547b334b1edc4ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
83ecbedf99ab4b963a7419f34c7861ce

SHA1
de58e478501e3dffa9e1d75f88e362c55549c836

SHA256
320b836ec772581ec368a739b0f3f897966e43abb7a54607a276353b5b3ea0f5

SHA512
89bfb5194fe0f24b373431a1ed20b1e985a8b6330fa08e9b1122636dc7ed2776d5cfb45ff2cfabb7e9a6f18431274be8ae342169331c517d41137a2a28392806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
0bf0c935b007eb0cdda9eb730d85651c

SHA1
c3fbcf038aa087c8e98cd1425c4fb187cca0f6e5

SHA256
2a158f0b5705ac33bf404ae4622bdd4471d6d9e7dffc6b79f9e277e7dd2357ee

SHA512
1fab44bec11dc98e2a18659078f93b75ad6fc6bbbeca80a320008d9a52b5e927eef3c0d2daa25ae479bfc94d1ad2db479a908ffb62c3128cebc67fa2b6a6fd4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5c2c47.TMP

Filesize
88KB

MD5
66f72b5afc69cc2dc9a3c877a0527b4d

SHA1
44f35bd6c067311220a75f739bce852557853e00

SHA256
3185bae87b03d5ecf608c90f8b0e7efa5a1ed312196dbc78d6c53f896957a186

SHA512
50a3fe0c0dd69e9a7ca3376308c382c18b71863c5459c944ec2e65afaa41c0091c1e568aa0f9eae8aabd5a163331a27cd5c60def1df7b8cd39272f0021a4359f

Download Submit
C:\Users\Admin\Desktop\Aquantia (Updated)\Aquantia_Setup 2.21.exe

Filesize
368KB

MD5
f77b3165615ad09f0dec44af2746fc36

SHA1
7b6bc037c7c82534805a739e93a14a34cffb15de

SHA256
ee348f845ad37552a32b0643002b39614abab46eb7cba0788a4fe75ce5191c6c

SHA512
a002681e303d6ffa165e9500c9a64e23ccda58f503d182d397f25cf9661fa2268a6da750f7af12eac1d90c3fe7c2853f0ba8f2f42badd8a353fac176774a5565

Download Submit
C:\Users\Admin\Desktop\Aquantia (Updated)\Data\OPer.dat

Filesize
945KB

MD5
241b2fe38c819f11f2e719e5b8452fb1

SHA1
751c294d3a51984a451bfd8108899ec849f034c0

SHA256
e85c7ed526919f9c41a02204f2818054ad710553ff4b277a2478d418296097f7

SHA512
6368ab600ac9c85f186c779470b13220deda49bf048aca4c1d7531f8606fe24b183ffeb3556edd71353a24661941ea5f5518b5675193375a3d8ef1e8ff5816b0

Download Submit
C:\Users\Admin\Desktop\Aquantia (Updated)\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\Desktop\Aquantia\jre\bin\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\Desktop\Aquantia\jre\lib\deploy\messages_zh_HK.properties

Filesize
3KB

MD5
4287d97616f708e0a258be0141504beb

SHA1
5d2110cabbbc0f83a89aec60a6b37f5f5ad3163e

SHA256
479dc754bd7bff2c9c35d2e308b138eef2a1a94cf4f0fc6ccd529df02c877dc7

SHA512
f273f8d501c5d29422257733624b5193234635bd24b444874e38d8d823d728d935b176579d5d1203451c0ce377c57ed7eb3a9ce9adcb3bb591024c3b7ee78dcd

Download Submit
C:\Users\Admin\Desktop\Aquantia\readme.txt

Filesize
382B

MD5
e036d9763ee295772454af138b311c18

SHA1
da81ee41a51a05cbbf9db9784f7f40554d034395

SHA256
27cab5f0f3e1010793c3b704c3d3c7fd2a43e5f513ce2f34da064f69d3a70edb

SHA512
dc9fe7f0520b5a529df017e0b519835d7f9bdc7f5ba37c60f3a799668b031459166bacd4b4e99df3de123971e263706acb6622a1bb862b4290d6c39adc0a2410

Download Submit
C:\Users\Admin\Downloads\Aquantia.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3060-1048-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3060-1050-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3760-1575-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/4500-1067-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/4528-1565-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4656-1572-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/4820-1569-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/4968-1049-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4968-1057-0x0000000006A90000-0x0000000006ACC000-memory.dmp

Filesize
240KB

Download
memory/4968-1059-0x0000000006D90000-0x0000000006DF6000-memory.dmp

Filesize
408KB

Download
memory/4968-1060-0x0000000007700000-0x0000000007776000-memory.dmp

Filesize
472KB

Download
memory/4968-1061-0x0000000006F70000-0x0000000006F8E000-memory.dmp

Filesize
120KB

Download
memory/4968-1063-0x0000000008CA0000-0x0000000008E62000-memory.dmp

Filesize
1.8MB

Download
memory/4968-1064-0x00000000093A0000-0x00000000098CC000-memory.dmp

Filesize
5.2MB

Download
memory/4968-1058-0x0000000006C20000-0x0000000006C6C000-memory.dmp

Filesize
304KB

Download
memory/4968-1051-0x0000000005F80000-0x0000000006526000-memory.dmp

Filesize
5.6MB

Download
memory/4968-1056-0x0000000006A30000-0x0000000006A42000-memory.dmp

Filesize
72KB

Download
memory/4968-1055-0x0000000006B10000-0x0000000006C1A000-memory.dmp

Filesize
1.0MB

Download
memory/4968-1054-0x0000000006FE0000-0x00000000075F8000-memory.dmp

Filesize
6.1MB

Download
memory/4968-1053-0x0000000005970000-0x000000000597A000-memory.dmp

Filesize
40KB

Download
memory/4968-1052-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/5436-1070-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download