b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/fyBqr89.msi
Size

6.2MB
MD5

69d4092b3524bc2bff4e5c73509c3eb9
SHA1

43cb58b5635aea617dd93565c1baa15fde3eb0c0
SHA256

23662f3ca1692692dc1f090acaf814695eddbbf5dba15fd7b2c95f8ef6c47432
SHA512

2085868cba95b6cf87f1c47efff4b95ce930c3ac2706cecb4f8d66b5611c7af11423a9397d17ad581bd9769143c88010f4b278fa332c8655978aaa5d4f34eaff
SSDEEP

196608:kCLvDC8Y0BDC2zU0jRhsk2/0ReXyhNHnIy9c:1LC8dB3fjRhPhReXyHIy

Score

9^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Looks for VirtualBox drivers on disk 2 TTPs 64 IoCs

defense_evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe

Looks for VMWare drivers on disk 2 TTPs 64 IoCs

defense_evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Aurelia = "\"C:\\Users\\Public\\Aurelia\\Aurelia.exe\""	aurelia_setup.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{634E26DC-7BAA-4375-B533-59B567E79B44}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA623.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA663.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a568.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a568.msi	msiexec.exe

Executes dropped EXE 32 IoCs

pid	Process
3652	aurelia_setup.exe
5124	aurelia_setup.tmp
1988	Aurelia.exe
3948	Aurelia.exe
3504	Aurelia.exe
232	Aurelia.exe
4816	Aurelia.exe
60	Aurelia.exe
3652	Aurelia.exe
5636	Aurelia.exe
4936	Aurelia.exe
3576	Aurelia.exe
2408	Aurelia.exe
3804	Aurelia.exe
5760	Aurelia.exe
4180	Aurelia.exe
5128	Aurelia.exe
1864	Aurelia.exe
3188	Aurelia.exe
5536	Aurelia.exe
1052	Aurelia.exe
5284	Aurelia.exe
4420	Aurelia.exe
2140	Aurelia.exe
5396	Aurelia.exe
5368	Aurelia.exe
5580	Aurelia.exe
5412	Aurelia.exe
4780	Aurelia.exe
1780	Aurelia.exe
2184	Aurelia.exe
3660	Aurelia.exe

Loads dropped DLL 31 IoCs

pid	Process
388	MsiExec.exe
1988	Aurelia.exe
3948	Aurelia.exe
3504	Aurelia.exe
232	Aurelia.exe
4816	Aurelia.exe
60	Aurelia.exe
3652	Aurelia.exe
5636	Aurelia.exe
4936	Aurelia.exe
3576	Aurelia.exe
2408	Aurelia.exe
3804	Aurelia.exe
5760	Aurelia.exe
4180	Aurelia.exe
5128	Aurelia.exe
1864	Aurelia.exe
3188	Aurelia.exe
5536	Aurelia.exe
1052	Aurelia.exe
5284	Aurelia.exe
4420	Aurelia.exe
2140	Aurelia.exe
5396	Aurelia.exe
5368	Aurelia.exe
5580	Aurelia.exe
5412	Aurelia.exe
4780	Aurelia.exe
1780	Aurelia.exe
2184	Aurelia.exe
3660	Aurelia.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5588	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aurelia_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aurelia_setup.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000095442b2ce530c2410000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000095442b2c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090095442b2c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d95442b2c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000095442b2c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	aurelia_setup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 22dcb6d75a2cc1347a29275d8aa56e3d069bb24d897469fbd809fce2a52dd489	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c0041007500720065006c00690061002e00650078006500000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0063006f006e0069006f002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0063006f006e0076006500720074002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0065006e007600690072006f006e006d0065006e0074002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d00660069006c006500730079007300740065006d002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0068006500610070002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d006c006f00630061006c0065002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d006d006100740068002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d00700072006f0063006500730073002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d00740069006d0065002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c0041007500720065006c00690061002e00650078006500000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c0076006300720075006e00740069006d0065003100340030002e0064006c006c0000000000	aurelia_setup.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 04140000da0817185daedb01	aurelia_setup.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = fe1cbcc72cdc07ebd4cf4a26bf6192db8d95588e37ac1dc8b35c4be47a19e129	aurelia_setup.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	aurelia_setup.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	aurelia_setup.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2216	msiexec.exe
2216	msiexec.exe
5124	aurelia_setup.tmp
5124	aurelia_setup.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5588	msiexec.exe
Token: SeSecurityPrivilege	2216	msiexec.exe
Token: SeCreateTokenPrivilege	5588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5588	msiexec.exe
Token: SeLockMemoryPrivilege	5588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5588	msiexec.exe
Token: SeMachineAccountPrivilege	5588	msiexec.exe
Token: SeTcbPrivilege	5588	msiexec.exe
Token: SeSecurityPrivilege	5588	msiexec.exe
Token: SeTakeOwnershipPrivilege	5588	msiexec.exe
Token: SeLoadDriverPrivilege	5588	msiexec.exe
Token: SeSystemProfilePrivilege	5588	msiexec.exe
Token: SeSystemtimePrivilege	5588	msiexec.exe
Token: SeProfSingleProcessPrivilege	5588	msiexec.exe
Token: SeIncBasePriorityPrivilege	5588	msiexec.exe
Token: SeCreatePagefilePrivilege	5588	msiexec.exe
Token: SeCreatePermanentPrivilege	5588	msiexec.exe
Token: SeBackupPrivilege	5588	msiexec.exe
Token: SeRestorePrivilege	5588	msiexec.exe
Token: SeShutdownPrivilege	5588	msiexec.exe
Token: SeDebugPrivilege	5588	msiexec.exe
Token: SeAuditPrivilege	5588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5588	msiexec.exe
Token: SeChangeNotifyPrivilege	5588	msiexec.exe
Token: SeRemoteShutdownPrivilege	5588	msiexec.exe
Token: SeUndockPrivilege	5588	msiexec.exe
Token: SeSyncAgentPrivilege	5588	msiexec.exe
Token: SeEnableDelegationPrivilege	5588	msiexec.exe
Token: SeManageVolumePrivilege	5588	msiexec.exe
Token: SeImpersonatePrivilege	5588	msiexec.exe
Token: SeCreateGlobalPrivilege	5588	msiexec.exe
Token: SeBackupPrivilege	5564	vssvc.exe
Token: SeRestorePrivilege	5564	vssvc.exe
Token: SeAuditPrivilege	5564	vssvc.exe
Token: SeBackupPrivilege	2216	msiexec.exe
Token: SeRestorePrivilege	2216	msiexec.exe
Token: SeRestorePrivilege	2216	msiexec.exe
Token: SeTakeOwnershipPrivilege	2216	msiexec.exe
Token: SeRestorePrivilege	2216	msiexec.exe
Token: SeTakeOwnershipPrivilege	2216	msiexec.exe
Token: SeRestorePrivilege	2216	msiexec.exe
Token: SeTakeOwnershipPrivilege	2216	msiexec.exe
Token: SeBackupPrivilege	1780	srtasks.exe
Token: SeRestorePrivilege	1780	srtasks.exe
Token: SeSecurityPrivilege	1780	srtasks.exe
Token: SeTakeOwnershipPrivilege	1780	srtasks.exe
Token: SeBackupPrivilege	1780	srtasks.exe
Token: SeRestorePrivilege	1780	srtasks.exe
Token: SeSecurityPrivilege	1780	srtasks.exe
Token: SeTakeOwnershipPrivilege	1780	srtasks.exe
Token: SeAssignPrimaryTokenPrivilege	4124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4124	WMIC.exe
Token: SeSecurityPrivilege	4124	WMIC.exe
Token: SeTakeOwnershipPrivilege	4124	WMIC.exe
Token: SeLoadDriverPrivilege	4124	WMIC.exe
Token: SeBackupPrivilege	4124	WMIC.exe
Token: SeRestorePrivilege	4124	WMIC.exe
Token: SeShutdownPrivilege	4124	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4124	WMIC.exe
Token: SeSecurityPrivilege	4124	WMIC.exe
Token: SeTakeOwnershipPrivilege	4124	WMIC.exe
Token: SeLoadDriverPrivilege	4124	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5588	msiexec.exe
5124	aurelia_setup.tmp
5588	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1780	2216	msiexec.exe	98
PID 2216 wrote to memory of 1780	2216	msiexec.exe	98
PID 2216 wrote to memory of 388	2216	msiexec.exe	100
PID 2216 wrote to memory of 388	2216	msiexec.exe	100
PID 2216 wrote to memory of 388	2216	msiexec.exe	100
PID 388 wrote to memory of 3652	388	MsiExec.exe	101
PID 388 wrote to memory of 3652	388	MsiExec.exe	101
PID 388 wrote to memory of 3652	388	MsiExec.exe	101
PID 3652 wrote to memory of 5124	3652	aurelia_setup.exe	102
PID 3652 wrote to memory of 5124	3652	aurelia_setup.exe	102
PID 3652 wrote to memory of 5124	3652	aurelia_setup.exe	102
PID 5124 wrote to memory of 1988	5124	aurelia_setup.tmp	105
PID 5124 wrote to memory of 1988	5124	aurelia_setup.tmp	105
PID 3148 wrote to memory of 3948	3148	cmd.exe	106
PID 3148 wrote to memory of 3948	3148	cmd.exe	106
PID 1988 wrote to memory of 3912	1988	Aurelia.exe	107
PID 1988 wrote to memory of 3912	1988	Aurelia.exe	107
PID 3912 wrote to memory of 4124	3912	cmd.exe	109
PID 3912 wrote to memory of 4124	3912	cmd.exe	109
PID 1988 wrote to memory of 5964	1988	Aurelia.exe	110
PID 1988 wrote to memory of 5964	1988	Aurelia.exe	110
PID 1988 wrote to memory of 4324	1988	Aurelia.exe	112
PID 1988 wrote to memory of 4324	1988	Aurelia.exe	112
PID 1988 wrote to memory of 3504	1988	Aurelia.exe	114
PID 1988 wrote to memory of 3504	1988	Aurelia.exe	114
PID 3948 wrote to memory of 1052	3948	Aurelia.exe	115
PID 3948 wrote to memory of 1052	3948	Aurelia.exe	115
PID 1052 wrote to memory of 4156	1052	cmd.exe	117
PID 1052 wrote to memory of 4156	1052	cmd.exe	117
PID 3948 wrote to memory of 3688	3948	Aurelia.exe	118
PID 3948 wrote to memory of 3688	3948	Aurelia.exe	118
PID 3948 wrote to memory of 5636	3948	Aurelia.exe	120
PID 3948 wrote to memory of 5636	3948	Aurelia.exe	120
PID 3948 wrote to memory of 232	3948	Aurelia.exe	122
PID 3948 wrote to memory of 232	3948	Aurelia.exe	122
PID 3504 wrote to memory of 556	3504	Aurelia.exe	123
PID 3504 wrote to memory of 556	3504	Aurelia.exe	123
PID 556 wrote to memory of 708	556	cmd.exe	125
PID 556 wrote to memory of 708	556	cmd.exe	125
PID 3504 wrote to memory of 4876	3504	Aurelia.exe	126
PID 3504 wrote to memory of 4876	3504	Aurelia.exe	126
PID 3504 wrote to memory of 4180	3504	Aurelia.exe	128
PID 3504 wrote to memory of 4180	3504	Aurelia.exe	128
PID 3504 wrote to memory of 4816	3504	Aurelia.exe	131
PID 3504 wrote to memory of 4816	3504	Aurelia.exe	131
PID 232 wrote to memory of 1636	232	Aurelia.exe	132
PID 232 wrote to memory of 1636	232	Aurelia.exe	132
PID 1636 wrote to memory of 5212	1636	cmd.exe	134
PID 1636 wrote to memory of 5212	1636	cmd.exe	134
PID 232 wrote to memory of 1300	232	Aurelia.exe	135
PID 232 wrote to memory of 1300	232	Aurelia.exe	135
PID 232 wrote to memory of 3632	232	Aurelia.exe	137
PID 232 wrote to memory of 3632	232	Aurelia.exe	137
PID 232 wrote to memory of 60	232	Aurelia.exe	140
PID 232 wrote to memory of 60	232	Aurelia.exe	140
PID 4816 wrote to memory of 2844	4816	Aurelia.exe	141
PID 4816 wrote to memory of 2844	4816	Aurelia.exe	141
PID 2844 wrote to memory of 3928	2844	cmd.exe	143
PID 2844 wrote to memory of 3928	2844	cmd.exe	143
PID 4816 wrote to memory of 5944	4816	Aurelia.exe	144
PID 4816 wrote to memory of 5944	4816	Aurelia.exe	144
PID 4816 wrote to memory of 2364	4816	Aurelia.exe	146
PID 4816 wrote to memory of 2364	4816	Aurelia.exe	146
PID 4816 wrote to memory of 3652	4816	Aurelia.exe	148

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\quarantine\fyBqr89.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BE20BFC2283FB9DEE0599C92B204260D E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe
    C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\is-7OFE7.tmp\aurelia_setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7OFE7.tmp\aurelia_setup.tmp" /SL5="$90264,5779210,860672,C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
      4⤵
      Adds Run key to start application
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5124
    - - C:\Users\Public\Aurelia\Aurelia.exe
        
        "C:\Users\Public\Aurelia\Aurelia.exe"
        5⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:5964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4324
      - C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        6⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:4876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:4180
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        7⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:5944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:2364
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        8⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        9⤵
        
        PID:4600
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        10⤵
        
        PID:3708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:4044
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        9⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:1452
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:5924
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        10⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        11⤵
        
        PID:4428
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        12⤵
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:4044
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        11⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        12⤵
        
        PID:64
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        13⤵
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4828
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        12⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        13⤵
        
        PID:1668
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        14⤵
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:1860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:5200
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        13⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        14⤵
        
        PID:4856
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        15⤵
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:4880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:4088
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        14⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        15⤵
        
        PID:60
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        16⤵
        
        PID:5184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:5480
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        15⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        16⤵
        
        PID:4784
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        17⤵
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:2896
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        16⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        17⤵
        
        PID:2512
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        18⤵
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:4868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:1304
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        17⤵
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        18⤵
        
        PID:5760
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        19⤵
        
        PID:6104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:4704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:3108
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        18⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        19⤵
        
        PID:2056
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        20⤵
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:1192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:1816
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Public\Aurelia\Aurelia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Public\Aurelia\Aurelia.exe
  C:\Users\Public\Aurelia\Aurelia.exe
  2⤵
  - Looks for VirtualBox drivers on disk
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5636
- - C:\Users\Public\Aurelia\Aurelia.exe
    C:\Users\Public\Aurelia\Aurelia.exe
    3⤵
    - Looks for VirtualBox drivers on disk
    - Looks for VMWare drivers on disk
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3632
  - - C:\Users\Public\Aurelia\Aurelia.exe
      C:\Users\Public\Aurelia\Aurelia.exe
      4⤵
      Looks for VirtualBox drivers on disk
      Looks for VMWare drivers on disk
      Executes dropped EXE
      Loads dropped DLL
      PID:60
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5124
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3748
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1816
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5368
    - - C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        5⤵
        Looks for VirtualBox drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:4952
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5656
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:2220
      - C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        6⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:3188
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:4468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:3976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:4300
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        7⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:4688
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:1776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3660
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        8⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        9⤵
        
        PID:3392
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        10⤵
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:4720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:5880
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        9⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:1136
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:4316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:5544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:4060
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        10⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        11⤵
        
        PID:748
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        12⤵
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:4700
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        11⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        12⤵
        
        PID:1376
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        13⤵
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:5108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:5492
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        12⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        13⤵
        
        PID:5696
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        14⤵
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:5460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:2532
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        13⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        14⤵
        
        PID:5180
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        15⤵
        
        PID:5948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:1316
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        14⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        15⤵
        
        PID:5704
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        16⤵
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:4616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:2156
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        15⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        16⤵
        
        PID:5800
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        17⤵
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:6004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:4308
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        16⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        17⤵
        
        PID:3104
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        18⤵
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:4452

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a569.rbs

Filesize
1KB

MD5
1c5ac9835ecc16776a8014b791f09c94

SHA1
6f5c6e9fbc87caf3d6b65c1470366b3c95c06c0e

SHA256
294c078f060741a7df1964ccedefbca0a433689011d940bfa1f8dcd5bb723eca

SHA512
45e8af5a2970850d8c2d744a4f92efc1fcff9a665ebcea5cc9dbb9a221427f66db15c3d37dc056ab12760db4d6ef110f62b14d6e5697d1f3afccaba9f42aa962

Download Submit
C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe

Filesize
6.5MB

MD5
05550adb630b1113539470a138719946

SHA1
b4a9760e9c1b2a516b15f853e71c1e37dc85fa94

SHA256
6a5ae434d77e4678b61c5009127e2fac4ca988781c4f2af4581455da7af717c2

SHA512
5827a4778d383ec5387051517f955a7b09fec8c95ca6cbc38dfd89afbd6c63ddc078d58007f8a6fd52c42406b51b0b6691114ebfa42325aa092b663066f368e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7OFE7.tmp\aurelia_setup.tmp

Filesize
3.4MB

MD5
55d7b5023133d4ebbe3288d481a68b99

SHA1
6b706dee2daca913328ca6e4e5e6a85bc7f8ab0f

SHA256
85c1f72de072ed57e63b35fa7d68a1d100a1685eab6c730632b5635006993929

SHA512
8707cd9d7903522bbc0d6978a766c791740c57b6cf4ceba903175e8a7dd0c4d7f2d8787069ee3ba6abdf895d06448e1a07e8bc06c1d521160465a99efe04cb24

Download Submit
C:\Users\Public\Aurelia\Aurelia.exe

Filesize
8.7MB

MD5
e0494504708c3df7ba7bb5e68a8f005d

SHA1
414d7e6886405e969a89c490cdf6030cdeea362b

SHA256
ff08761c5aaaff84aa6a0c216e6b486bfb823e2107717986c7c657b8e5b933b5

SHA512
a4924cd7de04f5f430478a25bde70d5810e46bc48dab7f9d02166539b692f773e743db827b0f215ff3914057539a348957b5ccdab6b256dc26d6bde57fe7cb3b

Download Submit
C:\Users\Public\Aurelia\vcruntime140.dll

Filesize
117KB

MD5
caf9edded91c1f6c0022b278c16679aa

SHA1
4812da5eb86a93fb0adc5bb60a4980ee8b0ad33a

SHA256
02c6aa0e6e624411a9f19b0360a7865ab15908e26024510e5c38a9c08362c35a

SHA512
32ac84642a9656609c45a6b649b222829be572b5fdeb6d5d93acea203e02816cf6c06063334470e8106871bdc9f2f3c7f0d1d3e554da1832ba1490f644e18362

Download Submit
C:\Windows\Installer\MSIA663.tmp

Filesize
215KB

MD5
8931e35055fd15b1acce7d7f24a23c36

SHA1
39b10e3171aaa4db9f8f14275b587fb82589d0ea

SHA256
2b05bdcae15519ed4f61d1504f3226c2bcf04d358f3c54472b1d9b0aa3016860

SHA512
2350f7935324565069aa747b4d3a7e416934ace1bf34a898d534dd316c829c1bd0601200fd84b7a3f60674a3e160f52949689a98c22766f271e1140dedc76c22

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
27907715b7f47793f90f392bbe3e32eb

SHA1
c7119036f21b59a56d3c574de462fee0e9303b4b

SHA256
ef9a5989832d36882e383a73b45e833126361c2e9d96ee5a6677b6df2b63ef99

SHA512
b9d8e82e00345c37c23d2485846f93d62a09aefc1a541c387bf324b2589941b3ab780485bd36744c9a76c27a62064f35ff1c3bc2506914ebbbc6b52978dd1401

Download Submit
\??\Volume{2c2b4495-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6cb51faa-c3f1-42f5-943f-ff1e1645fd3e}_OnDiskSnapshotProp

Filesize
6KB

MD5
e4336184a87050f3874a0e23c611511e

SHA1
58bfd569d747800119c9221e46886698397d270e

SHA256
08b6ef2a47b9b88348ddaef7d8ad8726cd03ef10b8ec72074787d143b81a0af6

SHA512
eeeac4a9f523826d5391bf4d0903b0f19b0cd968d2a89234e1621d5d2f99b5cf5d371a010459ff78c7f99400d44cb0792ab8ea7f6257b014303aa6ce06e66d04

Download Submit
memory/1988-63-0x0000018933040000-0x0000018933055000-memory.dmp

Filesize
84KB

Download
memory/1988-68-0x0000018933060000-0x0000018933069000-memory.dmp

Filesize
36KB

Download
memory/1988-57-0x0000000180000000-0x00000001805D6000-memory.dmp

Filesize
5.8MB

Download
memory/1988-86-0x0000018934930000-0x0000018934959000-memory.dmp

Filesize
164KB

Download
memory/1988-81-0x0000018934910000-0x0000018934925000-memory.dmp

Filesize
84KB

Download
memory/1988-111-0x0000018934960000-0x000001893496B000-memory.dmp

Filesize
44KB

Download
memory/1988-115-0x0000018934970000-0x0000018934990000-memory.dmp

Filesize
128KB

Download
memory/1988-120-0x0000018934990000-0x00000189349C2000-memory.dmp

Filesize
200KB

Download
memory/3652-16-0x00000000004A0000-0x0000000000582000-memory.dmp

Filesize
904KB

Download
memory/3948-91-0x0000016ACF6F0000-0x0000016ACF705000-memory.dmp

Filesize
84KB

Download
memory/3948-96-0x0000016ACF710000-0x0000016ACF719000-memory.dmp

Filesize
36KB

Download
memory/3948-106-0x0000016ACF740000-0x0000016ACF769000-memory.dmp

Filesize
164KB

Download
memory/3948-101-0x0000016ACF720000-0x0000016ACF735000-memory.dmp

Filesize
84KB

Download