b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/fyBqr89.msi
Size

6.2MB
MD5

69d4092b3524bc2bff4e5c73509c3eb9
SHA1

43cb58b5635aea617dd93565c1baa15fde3eb0c0
SHA256

23662f3ca1692692dc1f090acaf814695eddbbf5dba15fd7b2c95f8ef6c47432
SHA512

2085868cba95b6cf87f1c47efff4b95ce930c3ac2706cecb4f8d66b5611c7af11423a9397d17ad581bd9769143c88010f4b278fa332c8655978aaa5d4f34eaff
SSDEEP

196608:kCLvDC8Y0BDC2zU0jRhsk2/0ReXyhNHnIy9c:1LC8dB3fjRhPhReXyHIy

Score

9^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Looks for VirtualBox drivers on disk 2 TTPs 64 IoCs

defense_evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe

Looks for VMWare drivers on disk 2 TTPs 64 IoCs

defense_evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Aurelia = "\"C:\\Users\\Public\\Aurelia\\Aurelia.exe\""	aurelia_setup.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI8666.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86F4.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF25EDD7374C37DBA2.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF65D6AC5AF66A99FD.TMP	msiexec.exe
File created	C:\Windows\Installer\e57858b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57858b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFECE7A85D1FECC378.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{634E26DC-7BAA-4375-B533-59B567E79B44}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF66943A9EF7340FFA.TMP	msiexec.exe

Executes dropped EXE 33 IoCs

pid	Process
4992	aurelia_setup.exe
4376	aurelia_setup.tmp
3604	Aurelia.exe
1692	Aurelia.exe
1960	Aurelia.exe
4204	Aurelia.exe
5964	Aurelia.exe
5140	Aurelia.exe
4928	Aurelia.exe
108	Aurelia.exe
1036	Aurelia.exe
5876	Aurelia.exe
5868	Aurelia.exe
3488	Aurelia.exe
5180	Aurelia.exe
4864	Aurelia.exe
4376	Aurelia.exe
3064	Aurelia.exe
2644	Aurelia.exe
3180	Aurelia.exe
5096	Aurelia.exe
4548	Aurelia.exe
344	Aurelia.exe
2096	Aurelia.exe
4072	Aurelia.exe
4416	Aurelia.exe
5644	Aurelia.exe
3136	Aurelia.exe
1964	Aurelia.exe
3900	Aurelia.exe
232	Aurelia.exe
5880	Aurelia.exe
2748	Aurelia.exe

Loads dropped DLL 32 IoCs

pid	Process
1444	MsiExec.exe
3604	Aurelia.exe
1692	Aurelia.exe
1960	Aurelia.exe
4204	Aurelia.exe
5964	Aurelia.exe
5140	Aurelia.exe
4928	Aurelia.exe
108	Aurelia.exe
1036	Aurelia.exe
5876	Aurelia.exe
5868	Aurelia.exe
3488	Aurelia.exe
5180	Aurelia.exe
4864	Aurelia.exe
4376	Aurelia.exe
3064	Aurelia.exe
2644	Aurelia.exe
3180	Aurelia.exe
5096	Aurelia.exe
4548	Aurelia.exe
344	Aurelia.exe
2096	Aurelia.exe
4072	Aurelia.exe
4416	Aurelia.exe
5644	Aurelia.exe
3136	Aurelia.exe
1964	Aurelia.exe
3900	Aurelia.exe
232	Aurelia.exe
5880	Aurelia.exe
2748	Aurelia.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5468	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aurelia_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aurelia_setup.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c50288e5b57265880000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c50288e50000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c50288e5000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc50288e5000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c50288e500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	aurelia_setup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	aurelia_setup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 181100003b5df0205daedb01	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = e20ee03dfe746932d6a5a68cbda1d21f7c8fa22f98ad95b7b546a1c9caee2924	aurelia_setup.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c0041007500720065006c00690061002e00650078006500000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0063006f006e0069006f002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0063006f006e0076006500720074002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0065006e007600690072006f006e006d0065006e0074002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d00660069006c006500730079007300740065006d002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0068006500610070002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d006c006f00630061006c0065002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d006d006100740068002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d00700072006f0063006500730073002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d00740069006d0065002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c0041007500720065006c00690061002e00650078006500000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c0076006300720075006e00740069006d0065003100340030002e0064006c006c0000000000	aurelia_setup.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = c90bdf967ebc6988ae4b2be51f678c11d40ea83567fb75996bd59f8921fe2ff5	aurelia_setup.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	aurelia_setup.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5004	msiexec.exe
5004	msiexec.exe
4376	aurelia_setup.tmp
4376	aurelia_setup.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5468	msiexec.exe
Token: SeSecurityPrivilege	5004	msiexec.exe
Token: SeCreateTokenPrivilege	5468	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5468	msiexec.exe
Token: SeLockMemoryPrivilege	5468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5468	msiexec.exe
Token: SeMachineAccountPrivilege	5468	msiexec.exe
Token: SeTcbPrivilege	5468	msiexec.exe
Token: SeSecurityPrivilege	5468	msiexec.exe
Token: SeTakeOwnershipPrivilege	5468	msiexec.exe
Token: SeLoadDriverPrivilege	5468	msiexec.exe
Token: SeSystemProfilePrivilege	5468	msiexec.exe
Token: SeSystemtimePrivilege	5468	msiexec.exe
Token: SeProfSingleProcessPrivilege	5468	msiexec.exe
Token: SeIncBasePriorityPrivilege	5468	msiexec.exe
Token: SeCreatePagefilePrivilege	5468	msiexec.exe
Token: SeCreatePermanentPrivilege	5468	msiexec.exe
Token: SeBackupPrivilege	5468	msiexec.exe
Token: SeRestorePrivilege	5468	msiexec.exe
Token: SeShutdownPrivilege	5468	msiexec.exe
Token: SeDebugPrivilege	5468	msiexec.exe
Token: SeAuditPrivilege	5468	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5468	msiexec.exe
Token: SeChangeNotifyPrivilege	5468	msiexec.exe
Token: SeRemoteShutdownPrivilege	5468	msiexec.exe
Token: SeUndockPrivilege	5468	msiexec.exe
Token: SeSyncAgentPrivilege	5468	msiexec.exe
Token: SeEnableDelegationPrivilege	5468	msiexec.exe
Token: SeManageVolumePrivilege	5468	msiexec.exe
Token: SeImpersonatePrivilege	5468	msiexec.exe
Token: SeCreateGlobalPrivilege	5468	msiexec.exe
Token: SeBackupPrivilege	4628	vssvc.exe
Token: SeRestorePrivilege	4628	vssvc.exe
Token: SeAuditPrivilege	4628	vssvc.exe
Token: SeBackupPrivilege	5004	msiexec.exe
Token: SeRestorePrivilege	5004	msiexec.exe
Token: SeRestorePrivilege	5004	msiexec.exe
Token: SeTakeOwnershipPrivilege	5004	msiexec.exe
Token: SeRestorePrivilege	5004	msiexec.exe
Token: SeTakeOwnershipPrivilege	5004	msiexec.exe
Token: SeRestorePrivilege	5004	msiexec.exe
Token: SeTakeOwnershipPrivilege	5004	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4248	WMIC.exe
Token: SeSecurityPrivilege	4248	WMIC.exe
Token: SeTakeOwnershipPrivilege	4248	WMIC.exe
Token: SeLoadDriverPrivilege	4248	WMIC.exe
Token: SeBackupPrivilege	4248	WMIC.exe
Token: SeRestorePrivilege	4248	WMIC.exe
Token: SeShutdownPrivilege	4248	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4248	WMIC.exe
Token: SeSecurityPrivilege	4248	WMIC.exe
Token: SeTakeOwnershipPrivilege	4248	WMIC.exe
Token: SeLoadDriverPrivilege	4248	WMIC.exe
Token: SeBackupPrivilege	4248	WMIC.exe
Token: SeRestorePrivilege	4248	WMIC.exe
Token: SeShutdownPrivilege	4248	WMIC.exe
Token: SeRestorePrivilege	5004	msiexec.exe
Token: SeTakeOwnershipPrivilege	5004	msiexec.exe
Token: SeRestorePrivilege	5004	msiexec.exe
Token: SeTakeOwnershipPrivilege	5004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5716	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5468	msiexec.exe
4376	aurelia_setup.tmp
5468	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3348	5004	msiexec.exe	85
PID 5004 wrote to memory of 3348	5004	msiexec.exe	85
PID 5004 wrote to memory of 1444	5004	msiexec.exe	87
PID 5004 wrote to memory of 1444	5004	msiexec.exe	87
PID 5004 wrote to memory of 1444	5004	msiexec.exe	87
PID 1444 wrote to memory of 4992	1444	MsiExec.exe	88
PID 1444 wrote to memory of 4992	1444	MsiExec.exe	88
PID 1444 wrote to memory of 4992	1444	MsiExec.exe	88
PID 4992 wrote to memory of 4376	4992	aurelia_setup.exe	89
PID 4992 wrote to memory of 4376	4992	aurelia_setup.exe	89
PID 4992 wrote to memory of 4376	4992	aurelia_setup.exe	89
PID 4376 wrote to memory of 3604	4376	aurelia_setup.tmp	92
PID 4376 wrote to memory of 3604	4376	aurelia_setup.tmp	92
PID 5192 wrote to memory of 1692	5192	cmd.exe	93
PID 5192 wrote to memory of 1692	5192	cmd.exe	93
PID 3604 wrote to memory of 232	3604	Aurelia.exe	94
PID 3604 wrote to memory of 232	3604	Aurelia.exe	94
PID 232 wrote to memory of 4248	232	cmd.exe	96
PID 232 wrote to memory of 4248	232	cmd.exe	96
PID 3604 wrote to memory of 1412	3604	Aurelia.exe	98
PID 3604 wrote to memory of 1412	3604	Aurelia.exe	98
PID 3604 wrote to memory of 2912	3604	Aurelia.exe	100
PID 3604 wrote to memory of 2912	3604	Aurelia.exe	100
PID 3604 wrote to memory of 1960	3604	Aurelia.exe	102
PID 3604 wrote to memory of 1960	3604	Aurelia.exe	102
PID 1692 wrote to memory of 1604	1692	Aurelia.exe	103
PID 1692 wrote to memory of 1604	1692	Aurelia.exe	103
PID 1604 wrote to memory of 5716	1604	cmd.exe	105
PID 1604 wrote to memory of 5716	1604	cmd.exe	105
PID 1692 wrote to memory of 3780	1692	Aurelia.exe	106
PID 1692 wrote to memory of 3780	1692	Aurelia.exe	106
PID 1692 wrote to memory of 6116	1692	Aurelia.exe	108
PID 1692 wrote to memory of 6116	1692	Aurelia.exe	108
PID 1692 wrote to memory of 4204	1692	Aurelia.exe	110
PID 1692 wrote to memory of 4204	1692	Aurelia.exe	110
PID 1960 wrote to memory of 4672	1960	Aurelia.exe	111
PID 1960 wrote to memory of 4672	1960	Aurelia.exe	111
PID 4672 wrote to memory of 3868	4672	cmd.exe	113
PID 4672 wrote to memory of 3868	4672	cmd.exe	113
PID 1960 wrote to memory of 2904	1960	Aurelia.exe	114
PID 1960 wrote to memory of 2904	1960	Aurelia.exe	114
PID 1960 wrote to memory of 5868	1960	Aurelia.exe	116
PID 1960 wrote to memory of 5868	1960	Aurelia.exe	116
PID 1960 wrote to memory of 5964	1960	Aurelia.exe	118
PID 1960 wrote to memory of 5964	1960	Aurelia.exe	118
PID 4204 wrote to memory of 2688	4204	Aurelia.exe	119
PID 4204 wrote to memory of 2688	4204	Aurelia.exe	119
PID 2688 wrote to memory of 2224	2688	cmd.exe	121
PID 2688 wrote to memory of 2224	2688	cmd.exe	121
PID 4204 wrote to memory of 3584	4204	Aurelia.exe	122
PID 4204 wrote to memory of 3584	4204	Aurelia.exe	122
PID 4204 wrote to memory of 5352	4204	Aurelia.exe	124
PID 4204 wrote to memory of 5352	4204	Aurelia.exe	124
PID 4204 wrote to memory of 5140	4204	Aurelia.exe	126
PID 4204 wrote to memory of 5140	4204	Aurelia.exe	126
PID 5964 wrote to memory of 4368	5964	Aurelia.exe	127
PID 5964 wrote to memory of 4368	5964	Aurelia.exe	127
PID 4368 wrote to memory of 764	4368	cmd.exe	129
PID 4368 wrote to memory of 764	4368	cmd.exe	129
PID 5964 wrote to memory of 4988	5964	Aurelia.exe	130
PID 5964 wrote to memory of 4988	5964	Aurelia.exe	130
PID 5964 wrote to memory of 2420	5964	Aurelia.exe	132
PID 5964 wrote to memory of 2420	5964	Aurelia.exe	132
PID 5964 wrote to memory of 4928	5964	Aurelia.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\quarantine\fyBqr89.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5468

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3348
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BA3DC80EE9F8B7B4F7E4B07AE5F42930 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe
    C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\is-T72HU.tmp\aurelia_setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-T72HU.tmp\aurelia_setup.tmp" /SL5="$70070,5779210,860672,C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
      4⤵
      Adds Run key to start application
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Users\Public\Aurelia\Aurelia.exe
        
        "C:\Users\Public\Aurelia\Aurelia.exe"
        5⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:2912
      - C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        6⤵
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:3868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:2904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:5868
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        7⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:5964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:4988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:2420
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        8⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        9⤵
        
        PID:3036
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        10⤵
        
        PID:840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:5148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:4676
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        9⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:3536
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:5192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:4300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:1248
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        10⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        11⤵
        
        PID:4788
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        12⤵
        
        PID:5576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:1932
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        11⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        12⤵
        
        PID:328
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        13⤵
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:3596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:5660
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        12⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        13⤵
        
        PID:816
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        14⤵
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:4752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:2180
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        13⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        14⤵
        
        PID:5212
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        15⤵
        
        PID:5328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:5940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:440
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        14⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        15⤵
        
        PID:2440
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        16⤵
        
        PID:5556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:5292
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        15⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        16⤵
        
        PID:5428
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        17⤵
        
        PID:1260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:2836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:5348
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        16⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        17⤵
        
        PID:3168
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        18⤵
        
        PID:3396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:1036
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        17⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        18⤵
        
        PID:4028
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        19⤵
        
        PID:4988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:4908
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        18⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        19⤵
        
        PID:904
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        20⤵
        
        PID:3544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:2080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:4676
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        19⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        20⤵
        
        PID:1524
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        21⤵
        
        PID:5372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:2388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:4540
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Public\Aurelia\Aurelia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5192
- C:\Users\Public\Aurelia\Aurelia.exe
  C:\Users\Public\Aurelia\Aurelia.exe
  2⤵
  - Looks for VirtualBox drivers on disk
  - Looks for VMWare drivers on disk
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:6116
- - C:\Users\Public\Aurelia\Aurelia.exe
    C:\Users\Public\Aurelia\Aurelia.exe
    3⤵
    - Looks for VirtualBox drivers on disk
    - Looks for VMWare drivers on disk
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5352
  - - C:\Users\Public\Aurelia\Aurelia.exe
      C:\Users\Public\Aurelia\Aurelia.exe
      4⤵
      Looks for VirtualBox drivers on disk
      Looks for VMWare drivers on disk
      Executes dropped EXE
      Loads dropped DLL
      PID:5140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2076
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:4828
    - - C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        5⤵
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:1872
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:1564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1524
      - C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        6⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:2792
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:5996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:5668
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        7⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:5632
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:1180
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        8⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        9⤵
        
        PID:4404
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        10⤵
        
        PID:5856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:4720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:5056
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        9⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:744
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:4756
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        10⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        11⤵
        
        PID:5596
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        12⤵
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:5196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:4788
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        11⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        12⤵
        
        PID:5492
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        13⤵
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:3888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4676
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        12⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        13⤵
        
        PID:4968
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        14⤵
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:6132
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        13⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        14⤵
        
        PID:5356
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        15⤵
        
        PID:1924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:3408
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        14⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        15⤵
        
        PID:4488
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        16⤵
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:4868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:5948
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        15⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        16⤵
        
        PID:5376
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        17⤵
        
        PID:5340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:2756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:2732
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        16⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        17⤵
        
        PID:1120
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        18⤵
        
        PID:1636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:4568

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57858c.rbs

Filesize
1KB

MD5
50c5b3ba528fe41e61c4b82fa024e2f5

SHA1
cabf70772100818d8f326dbd75406dab0e022f0e

SHA256
27f333d592d102daa131324e689c984c14935f59fd9fd48de1552f14279abc48

SHA512
1f230b9aaa2b0e19dd550bd0d987228ef7dbb06b774e3adfd8369bc2c9a59ec5e54cbeb0cdda210dde70079d4af219e664831a8144a8317243cf003d11728d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe

Filesize
6.5MB

MD5
05550adb630b1113539470a138719946

SHA1
b4a9760e9c1b2a516b15f853e71c1e37dc85fa94

SHA256
6a5ae434d77e4678b61c5009127e2fac4ca988781c4f2af4581455da7af717c2

SHA512
5827a4778d383ec5387051517f955a7b09fec8c95ca6cbc38dfd89afbd6c63ddc078d58007f8a6fd52c42406b51b0b6691114ebfa42325aa092b663066f368e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T72HU.tmp\aurelia_setup.tmp

Filesize
3.4MB

MD5
55d7b5023133d4ebbe3288d481a68b99

SHA1
6b706dee2daca913328ca6e4e5e6a85bc7f8ab0f

SHA256
85c1f72de072ed57e63b35fa7d68a1d100a1685eab6c730632b5635006993929

SHA512
8707cd9d7903522bbc0d6978a766c791740c57b6cf4ceba903175e8a7dd0c4d7f2d8787069ee3ba6abdf895d06448e1a07e8bc06c1d521160465a99efe04cb24

Download Submit
C:\Users\Public\Aurelia\Aurelia.exe

Filesize
8.7MB

MD5
e0494504708c3df7ba7bb5e68a8f005d

SHA1
414d7e6886405e969a89c490cdf6030cdeea362b

SHA256
ff08761c5aaaff84aa6a0c216e6b486bfb823e2107717986c7c657b8e5b933b5

SHA512
a4924cd7de04f5f430478a25bde70d5810e46bc48dab7f9d02166539b692f773e743db827b0f215ff3914057539a348957b5ccdab6b256dc26d6bde57fe7cb3b

Download Submit
C:\Users\Public\Aurelia\vcruntime140.dll

Filesize
117KB

MD5
caf9edded91c1f6c0022b278c16679aa

SHA1
4812da5eb86a93fb0adc5bb60a4980ee8b0ad33a

SHA256
02c6aa0e6e624411a9f19b0360a7865ab15908e26024510e5c38a9c08362c35a

SHA512
32ac84642a9656609c45a6b649b222829be572b5fdeb6d5d93acea203e02816cf6c06063334470e8106871bdc9f2f3c7f0d1d3e554da1832ba1490f644e18362

Download Submit
C:\Windows\Installer\MSI86F4.tmp

Filesize
215KB

MD5
8931e35055fd15b1acce7d7f24a23c36

SHA1
39b10e3171aaa4db9f8f14275b587fb82589d0ea

SHA256
2b05bdcae15519ed4f61d1504f3226c2bcf04d358f3c54472b1d9b0aa3016860

SHA512
2350f7935324565069aa747b4d3a7e416934ace1bf34a898d534dd316c829c1bd0601200fd84b7a3f60674a3e160f52949689a98c22766f271e1140dedc76c22

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
73850e4f00af59c3d9cdebcf9855b86f

SHA1
5ab24e95f690f85a3369445a4396d70b3ef01e01

SHA256
8fc04bbd37e7d7e0ce12955d863add15147d629bfe4b727637194ec654f1aca4

SHA512
ab95ab560c46095b22a2366cb4ffeb6d86c96a4152b7fa467754f12f9c075f9f5c3a0c04cdcf11d96bbf78c1fa1f3f71bcb12ff1e64444a74c11179a069a18d3

Download Submit
\??\Volume{e58802c5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{740a421a-0d86-421f-b20d-dcb87bb1229a}_OnDiskSnapshotProp

Filesize
6KB

MD5
b298d78ae2c8382f95098003fe962aab

SHA1
bf256ea1221d152eabf248f0642fbe0efd1601bd

SHA256
c35a50b79026534f045922df3405fc4736d062edcb795609cf2b44a7c091da99

SHA512
3821d5f0218926b077ab4946e70adafdf54a338dfdf02b3333e5e7a58712bd82d35a2a93d2f4f5dc3c1c318fc806bfe1102a60d1aa63cfb7f9077b9d153edaf3

Download Submit
memory/1692-99-0x0000029702590000-0x00000297025A5000-memory.dmp

Filesize
84KB

Download
memory/1692-89-0x0000029702060000-0x0000029702075000-memory.dmp

Filesize
84KB

Download
memory/1692-94-0x0000029702080000-0x0000029702089000-memory.dmp

Filesize
36KB

Download
memory/1692-104-0x00000297025B0000-0x00000297025D9000-memory.dmp

Filesize
164KB

Download
memory/3604-55-0x0000000180000000-0x00000001805D6000-memory.dmp

Filesize
5.8MB

Download
memory/3604-82-0x000002109ACC0000-0x000002109ACE9000-memory.dmp

Filesize
164KB

Download
memory/3604-75-0x000002109A330000-0x000002109A345000-memory.dmp

Filesize
84KB

Download
memory/3604-109-0x000002109A350000-0x000002109A35B000-memory.dmp

Filesize
44KB

Download
memory/3604-113-0x000002109B0F0000-0x000002109B110000-memory.dmp

Filesize
128KB

Download
memory/3604-118-0x000002109B110000-0x000002109B142000-memory.dmp

Filesize
200KB

Download
memory/3604-61-0x000002109A310000-0x000002109A325000-memory.dmp

Filesize
84KB

Download
memory/3604-66-0x0000021098920000-0x0000021098929000-memory.dmp

Filesize
36KB

Download
memory/4992-16-0x0000000000820000-0x0000000000902000-memory.dmp

Filesize
904KB

Download