b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/fyBqr89.msi
Size

6.2MB
MD5

69d4092b3524bc2bff4e5c73509c3eb9
SHA1

43cb58b5635aea617dd93565c1baa15fde3eb0c0
SHA256

23662f3ca1692692dc1f090acaf814695eddbbf5dba15fd7b2c95f8ef6c47432
SHA512

2085868cba95b6cf87f1c47efff4b95ce930c3ac2706cecb4f8d66b5611c7af11423a9397d17ad581bd9769143c88010f4b278fa332c8655978aaa5d4f34eaff
SSDEEP

196608:kCLvDC8Y0BDC2zU0jRhsk2/0ReXyhNHnIy9c:1LC8dB3fjRhPhReXyHIy

Score

9^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Looks for VirtualBox drivers on disk 2 TTPs 64 IoCs

defense_evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	Aurelia.exe

Looks for VMWare drivers on disk 2 TTPs 64 IoCs

defense_evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmci.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	Aurelia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Aurelia = "\"C:\\Users\\Public\\Aurelia\\Aurelia.exe\""	aurelia_setup.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57c1d9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c1d9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{634E26DC-7BAA-4375-B533-59B567E79B44}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC285.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC2E3.tmp	msiexec.exe

Executes dropped EXE 35 IoCs

pid	Process
3612	aurelia_setup.exe
5008	aurelia_setup.tmp
1900	Aurelia.exe
532	Aurelia.exe
2060	Aurelia.exe
5380	Aurelia.exe
4504	Aurelia.exe
2404	Aurelia.exe
4088	Aurelia.exe
2092	Aurelia.exe
2384	Aurelia.exe
3144	Aurelia.exe
2952	Aurelia.exe
2956	Aurelia.exe
1988	Aurelia.exe
4372	Aurelia.exe
5932	Aurelia.exe
5924	Aurelia.exe
4648	Aurelia.exe
3780	Aurelia.exe
556	Aurelia.exe
3460	Aurelia.exe
3504	Aurelia.exe
2680	Aurelia.exe
4352	Aurelia.exe
5464	Aurelia.exe
4968	Aurelia.exe
4936	Aurelia.exe
1988	Aurelia.exe
1232	Aurelia.exe
4144	Aurelia.exe
1116	Aurelia.exe
3892	Aurelia.exe
6044	Aurelia.exe
5520	Aurelia.exe

Loads dropped DLL 34 IoCs

pid	Process
2204	MsiExec.exe
1900	Aurelia.exe
532	Aurelia.exe
2060	Aurelia.exe
5380	Aurelia.exe
4504	Aurelia.exe
2404	Aurelia.exe
4088	Aurelia.exe
2092	Aurelia.exe
2384	Aurelia.exe
3144	Aurelia.exe
2952	Aurelia.exe
2956	Aurelia.exe
1988	Aurelia.exe
4372	Aurelia.exe
5932	Aurelia.exe
5924	Aurelia.exe
4648	Aurelia.exe
3780	Aurelia.exe
556	Aurelia.exe
3460	Aurelia.exe
3504	Aurelia.exe
2680	Aurelia.exe
4352	Aurelia.exe
5464	Aurelia.exe
4968	Aurelia.exe
4936	Aurelia.exe
1988	Aurelia.exe
1232	Aurelia.exe
4144	Aurelia.exe
1116	Aurelia.exe
3892	Aurelia.exe
6044	Aurelia.exe
5520	Aurelia.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1528	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aurelia_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aurelia_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d433842ca64169410000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d433842c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d433842c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd433842c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d433842c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	aurelia_setup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a5d1cbd4410b06e2282db3575a6619503bffb438265db8f6508d39c4d3bdbf03	aurelia_setup.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	aurelia_setup.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	aurelia_setup.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	aurelia_setup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 9013000071411fed5daedb01	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c0041007500720065006c00690061002e00650078006500000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0063006f006e0069006f002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0063006f006e0076006500720074002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0065006e007600690072006f006e006d0065006e0074002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d00660069006c006500730079007300740065006d002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d0068006500610070002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d006c006f00630061006c0065002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d006d006100740068002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d00700072006f0063006500730073002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c006100700069002d006d0073002d00770069006e002d006300720074002d00740069006d0065002d006c0031002d0031002d0030002e0064006c006c00000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c0041007500720065006c00690061002e00650078006500000043003a005c00550073006500720073005c005000750062006c00690063005c0041007500720065006c00690061005c0076006300720075006e00740069006d0065003100340030002e0064006c006c0000000000	aurelia_setup.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 15355e709d441e18732c7ee07d5b92615a1446e4cd02f3e7e0706e47c03c38f2	aurelia_setup.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
6120	msiexec.exe
6120	msiexec.exe
5008	aurelia_setup.tmp
5008	aurelia_setup.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1528	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1528	msiexec.exe
Token: SeSecurityPrivilege	6120	msiexec.exe
Token: SeCreateTokenPrivilege	1528	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1528	msiexec.exe
Token: SeLockMemoryPrivilege	1528	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1528	msiexec.exe
Token: SeMachineAccountPrivilege	1528	msiexec.exe
Token: SeTcbPrivilege	1528	msiexec.exe
Token: SeSecurityPrivilege	1528	msiexec.exe
Token: SeTakeOwnershipPrivilege	1528	msiexec.exe
Token: SeLoadDriverPrivilege	1528	msiexec.exe
Token: SeSystemProfilePrivilege	1528	msiexec.exe
Token: SeSystemtimePrivilege	1528	msiexec.exe
Token: SeProfSingleProcessPrivilege	1528	msiexec.exe
Token: SeIncBasePriorityPrivilege	1528	msiexec.exe
Token: SeCreatePagefilePrivilege	1528	msiexec.exe
Token: SeCreatePermanentPrivilege	1528	msiexec.exe
Token: SeBackupPrivilege	1528	msiexec.exe
Token: SeRestorePrivilege	1528	msiexec.exe
Token: SeShutdownPrivilege	1528	msiexec.exe
Token: SeDebugPrivilege	1528	msiexec.exe
Token: SeAuditPrivilege	1528	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1528	msiexec.exe
Token: SeChangeNotifyPrivilege	1528	msiexec.exe
Token: SeRemoteShutdownPrivilege	1528	msiexec.exe
Token: SeUndockPrivilege	1528	msiexec.exe
Token: SeSyncAgentPrivilege	1528	msiexec.exe
Token: SeEnableDelegationPrivilege	1528	msiexec.exe
Token: SeManageVolumePrivilege	1528	msiexec.exe
Token: SeImpersonatePrivilege	1528	msiexec.exe
Token: SeCreateGlobalPrivilege	1528	msiexec.exe
Token: SeBackupPrivilege	448	vssvc.exe
Token: SeRestorePrivilege	448	vssvc.exe
Token: SeAuditPrivilege	448	vssvc.exe
Token: SeBackupPrivilege	6120	msiexec.exe
Token: SeRestorePrivilege	6120	msiexec.exe
Token: SeRestorePrivilege	6120	msiexec.exe
Token: SeTakeOwnershipPrivilege	6120	msiexec.exe
Token: SeRestorePrivilege	6120	msiexec.exe
Token: SeTakeOwnershipPrivilege	6120	msiexec.exe
Token: SeRestorePrivilege	6120	msiexec.exe
Token: SeTakeOwnershipPrivilege	6120	msiexec.exe
Token: SeBackupPrivilege	2452	srtasks.exe
Token: SeRestorePrivilege	2452	srtasks.exe
Token: SeSecurityPrivilege	2452	srtasks.exe
Token: SeTakeOwnershipPrivilege	2452	srtasks.exe
Token: SeBackupPrivilege	2452	srtasks.exe
Token: SeRestorePrivilege	2452	srtasks.exe
Token: SeSecurityPrivilege	2452	srtasks.exe
Token: SeTakeOwnershipPrivilege	2452	srtasks.exe
Token: SeAssignPrimaryTokenPrivilege	6116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6116	WMIC.exe
Token: SeSecurityPrivilege	6116	WMIC.exe
Token: SeTakeOwnershipPrivilege	6116	WMIC.exe
Token: SeLoadDriverPrivilege	6116	WMIC.exe
Token: SeBackupPrivilege	6116	WMIC.exe
Token: SeRestorePrivilege	6116	WMIC.exe
Token: SeShutdownPrivilege	6116	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	6116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6116	WMIC.exe
Token: SeSecurityPrivilege	6116	WMIC.exe
Token: SeTakeOwnershipPrivilege	6116	WMIC.exe
Token: SeLoadDriverPrivilege	6116	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1528	msiexec.exe
5008	aurelia_setup.tmp
1528	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6120 wrote to memory of 2452	6120	msiexec.exe	99
PID 6120 wrote to memory of 2452	6120	msiexec.exe	99
PID 6120 wrote to memory of 2204	6120	msiexec.exe	101
PID 6120 wrote to memory of 2204	6120	msiexec.exe	101
PID 6120 wrote to memory of 2204	6120	msiexec.exe	101
PID 2204 wrote to memory of 3612	2204	MsiExec.exe	102
PID 2204 wrote to memory of 3612	2204	MsiExec.exe	102
PID 2204 wrote to memory of 3612	2204	MsiExec.exe	102
PID 3612 wrote to memory of 5008	3612	aurelia_setup.exe	103
PID 3612 wrote to memory of 5008	3612	aurelia_setup.exe	103
PID 3612 wrote to memory of 5008	3612	aurelia_setup.exe	103
PID 5008 wrote to memory of 1900	5008	aurelia_setup.tmp	106
PID 5008 wrote to memory of 1900	5008	aurelia_setup.tmp	106
PID 3128 wrote to memory of 532	3128	cmd.exe	107
PID 3128 wrote to memory of 532	3128	cmd.exe	107
PID 1900 wrote to memory of 536	1900	Aurelia.exe	108
PID 1900 wrote to memory of 536	1900	Aurelia.exe	108
PID 536 wrote to memory of 6116	536	cmd.exe	110
PID 536 wrote to memory of 6116	536	cmd.exe	110
PID 1900 wrote to memory of 5484	1900	Aurelia.exe	111
PID 1900 wrote to memory of 5484	1900	Aurelia.exe	111
PID 1900 wrote to memory of 4352	1900	Aurelia.exe	113
PID 1900 wrote to memory of 4352	1900	Aurelia.exe	113
PID 1900 wrote to memory of 2060	1900	Aurelia.exe	115
PID 1900 wrote to memory of 2060	1900	Aurelia.exe	115
PID 532 wrote to memory of 5456	532	Aurelia.exe	116
PID 532 wrote to memory of 5456	532	Aurelia.exe	116
PID 5456 wrote to memory of 6064	5456	cmd.exe	118
PID 5456 wrote to memory of 6064	5456	cmd.exe	118
PID 532 wrote to memory of 1864	532	Aurelia.exe	119
PID 532 wrote to memory of 1864	532	Aurelia.exe	119
PID 532 wrote to memory of 5676	532	Aurelia.exe	121
PID 532 wrote to memory of 5676	532	Aurelia.exe	121
PID 532 wrote to memory of 5380	532	Aurelia.exe	123
PID 532 wrote to memory of 5380	532	Aurelia.exe	123
PID 2060 wrote to memory of 4736	2060	Aurelia.exe	124
PID 2060 wrote to memory of 4736	2060	Aurelia.exe	124
PID 4736 wrote to memory of 1824	4736	cmd.exe	126
PID 4736 wrote to memory of 1824	4736	cmd.exe	126
PID 2060 wrote to memory of 2112	2060	Aurelia.exe	127
PID 2060 wrote to memory of 2112	2060	Aurelia.exe	127
PID 2060 wrote to memory of 1240	2060	Aurelia.exe	129
PID 2060 wrote to memory of 1240	2060	Aurelia.exe	129
PID 2060 wrote to memory of 4504	2060	Aurelia.exe	132
PID 2060 wrote to memory of 4504	2060	Aurelia.exe	132
PID 5380 wrote to memory of 2468	5380	Aurelia.exe	133
PID 5380 wrote to memory of 2468	5380	Aurelia.exe	133
PID 2468 wrote to memory of 2068	2468	cmd.exe	135
PID 2468 wrote to memory of 2068	2468	cmd.exe	135
PID 5380 wrote to memory of 4028	5380	Aurelia.exe	136
PID 5380 wrote to memory of 4028	5380	Aurelia.exe	136
PID 5380 wrote to memory of 2040	5380	Aurelia.exe	138
PID 5380 wrote to memory of 2040	5380	Aurelia.exe	138
PID 5380 wrote to memory of 2404	5380	Aurelia.exe	140
PID 5380 wrote to memory of 2404	5380	Aurelia.exe	140
PID 4504 wrote to memory of 5888	4504	Aurelia.exe	142
PID 4504 wrote to memory of 5888	4504	Aurelia.exe	142
PID 5888 wrote to memory of 1196	5888	cmd.exe	144
PID 5888 wrote to memory of 1196	5888	cmd.exe	144
PID 4504 wrote to memory of 3408	4504	Aurelia.exe	145
PID 4504 wrote to memory of 3408	4504	Aurelia.exe	145
PID 4504 wrote to memory of 1820	4504	Aurelia.exe	147
PID 4504 wrote to memory of 1820	4504	Aurelia.exe	147
PID 4504 wrote to memory of 4088	4504	Aurelia.exe	149

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\quarantine\fyBqr89.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1528

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6120
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A6C617CC860CEF5A687B3C3617C937E8 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe
    C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\is-FIR6C.tmp\aurelia_setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FIR6C.tmp\aurelia_setup.tmp" /SL5="$301CE,5779210,860672,C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
      4⤵
      Adds Run key to start application
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Users\Public\Aurelia\Aurelia.exe
        
        "C:\Users\Public\Aurelia\Aurelia.exe"
        5⤵
        Looks for VirtualBox drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:5484
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4352
      - C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        6⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:1240
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        7⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5888
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:1820
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        8⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        9⤵
        
        PID:1864
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        10⤵
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:3080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:2340
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        9⤵
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:5784
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:1404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:3516
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        10⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        11⤵
        
        PID:5888
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        12⤵
        
        PID:5916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:5964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:1888
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        11⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        12⤵
        
        PID:2488
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        13⤵
        
        PID:4784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:5304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:5292
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        12⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        13⤵
        
        PID:2784
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        14⤵
        
        PID:2344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:3356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:4176
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        13⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        14⤵
        
        PID:5068
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        15⤵
        
        PID:3860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:5624
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        14⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        15⤵
        
        PID:4656
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        16⤵
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:1016
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        15⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        16⤵
        
        PID:2376
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        17⤵
        
        PID:2548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:1172
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        16⤵
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        17⤵
        
        PID:4640
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        18⤵
        
        PID:3816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:5368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:2120
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        17⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        18⤵
        
        PID:4088
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        19⤵
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:5224
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        18⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        19⤵
        
        PID:2440
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        20⤵
        
        PID:3396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:5756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:4348
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        19⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        20⤵
        
        PID:5600
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        21⤵
        
        PID:5284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:2404
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        20⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        21⤵
        
        PID:4636
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        22⤵
        
        PID:4612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        21⤵
        
        PID:4708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        21⤵
        
        PID:1160
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Public\Aurelia\Aurelia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Public\Aurelia\Aurelia.exe
  C:\Users\Public\Aurelia\Aurelia.exe
  2⤵
  - Looks for VirtualBox drivers on disk
  - Looks for VMWare drivers on disk
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5456
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:6064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5676
- - C:\Users\Public\Aurelia\Aurelia.exe
    C:\Users\Public\Aurelia\Aurelia.exe
    3⤵
    - Looks for VirtualBox drivers on disk
    - Looks for VMWare drivers on disk
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2040
  - - C:\Users\Public\Aurelia\Aurelia.exe
      C:\Users\Public\Aurelia\Aurelia.exe
      4⤵
      Looks for VirtualBox drivers on disk
      Looks for VMWare drivers on disk
      Executes dropped EXE
      Loads dropped DLL
      PID:2404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:3636
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:2044
    - - C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        5⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:1824
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:2908
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4768
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4844
      - C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        6⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:3452
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:3692
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        7⤵
        Looks for VirtualBox drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:1604
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:1200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3928
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        8⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        9⤵
        
        PID:5620
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        10⤵
        
        PID:5500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:5720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:1404
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        9⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:4604
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:5656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:5000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:1748
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        10⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        11⤵
        
        PID:4936
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        12⤵
        
        PID:5860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:2400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:5616
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        11⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        12⤵
        
        PID:3120
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        13⤵
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:3468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4788
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        12⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        13⤵
        
        PID:5932
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        14⤵
        
        PID:3632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:3144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:3060
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        13⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        14⤵
        
        PID:2952
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        15⤵
        
        PID:716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:4600
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        14⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        15⤵
        
        PID:3064
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        16⤵
        
        PID:5468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:4736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:1472
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        15⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        16⤵
        
        PID:1860
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        17⤵
        
        PID:5200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:1104
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        16⤵
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        17⤵
        
        PID:5068
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        18⤵
        
        PID:5360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:3196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:2076
        
        C:\Users\Public\Aurelia\Aurelia.exe
        
        C:\Users\Public\Aurelia\Aurelia.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        18⤵
        
        PID:5160
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        19⤵
        
        PID:316

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c1da.rbs

Filesize
1KB

MD5
d39fc1a2a9bd6980403360bdefecd7f2

SHA1
8cebed5bcaf8713f97b2800bdd32ec47a7c02a7b

SHA256
8ff5c730bcbe27be444eb47aab3a7278b514623eefbb82f60e1174d7db9f3105

SHA512
676e937994ffe6ec02b6999e0a946af862dfb1dbaefb1e4891fbcd051cee15f0161c014ef6e4cafa9b45c0ce64536ec52113b92c74167eb6099627823fca9387

Download Submit
C:\Users\Admin\AppData\Local\Temp\bam\aurelia_setup.exe

Filesize
6.5MB

MD5
05550adb630b1113539470a138719946

SHA1
b4a9760e9c1b2a516b15f853e71c1e37dc85fa94

SHA256
6a5ae434d77e4678b61c5009127e2fac4ca988781c4f2af4581455da7af717c2

SHA512
5827a4778d383ec5387051517f955a7b09fec8c95ca6cbc38dfd89afbd6c63ddc078d58007f8a6fd52c42406b51b0b6691114ebfa42325aa092b663066f368e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FIR6C.tmp\aurelia_setup.tmp

Filesize
3.4MB

MD5
55d7b5023133d4ebbe3288d481a68b99

SHA1
6b706dee2daca913328ca6e4e5e6a85bc7f8ab0f

SHA256
85c1f72de072ed57e63b35fa7d68a1d100a1685eab6c730632b5635006993929

SHA512
8707cd9d7903522bbc0d6978a766c791740c57b6cf4ceba903175e8a7dd0c4d7f2d8787069ee3ba6abdf895d06448e1a07e8bc06c1d521160465a99efe04cb24

Download Submit
C:\Users\Public\Aurelia\Aurelia.exe

Filesize
8.7MB

MD5
e0494504708c3df7ba7bb5e68a8f005d

SHA1
414d7e6886405e969a89c490cdf6030cdeea362b

SHA256
ff08761c5aaaff84aa6a0c216e6b486bfb823e2107717986c7c657b8e5b933b5

SHA512
a4924cd7de04f5f430478a25bde70d5810e46bc48dab7f9d02166539b692f773e743db827b0f215ff3914057539a348957b5ccdab6b256dc26d6bde57fe7cb3b

Download Submit
C:\Users\Public\Aurelia\vcruntime140.dll

Filesize
117KB

MD5
caf9edded91c1f6c0022b278c16679aa

SHA1
4812da5eb86a93fb0adc5bb60a4980ee8b0ad33a

SHA256
02c6aa0e6e624411a9f19b0360a7865ab15908e26024510e5c38a9c08362c35a

SHA512
32ac84642a9656609c45a6b649b222829be572b5fdeb6d5d93acea203e02816cf6c06063334470e8106871bdc9f2f3c7f0d1d3e554da1832ba1490f644e18362

Download Submit
C:\Windows\Installer\MSIC2E3.tmp

Filesize
215KB

MD5
8931e35055fd15b1acce7d7f24a23c36

SHA1
39b10e3171aaa4db9f8f14275b587fb82589d0ea

SHA256
2b05bdcae15519ed4f61d1504f3226c2bcf04d358f3c54472b1d9b0aa3016860

SHA512
2350f7935324565069aa747b4d3a7e416934ace1bf34a898d534dd316c829c1bd0601200fd84b7a3f60674a3e160f52949689a98c22766f271e1140dedc76c22

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
d3bedaa2429cbabb1fbb93f5362da2c5

SHA1
df2ef6783d9d461d9266370954fda771ee6d435c

SHA256
601a0820947766f7833531058f1322ca14316301b50b9bba0e881e1c7d5218ac

SHA512
472d6ac30619692669eec678b5e0d0343deb705b726330110695010c82b2d99b9da3ceb3413a1df4ff06bb7c3da7a2bdce9b8f1396c7ff482ebd1137502f2e69

Download Submit
\??\Volume{2c8433d4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d8832a7a-e28a-441b-994b-4e4db145c43c}_OnDiskSnapshotProp

Filesize
6KB

MD5
2dc518b85fc4f057cfb05376868e6490

SHA1
8c0fe865cd2de26c10e40b8ddcf795c275041114

SHA256
521046f1e0989bf1b7752699d1af32867e5e09f8a39b218dd31f71ab2a44b02a

SHA512
f04bae7fa05cec3b5d2882af2b89828d93e145f6a94442fd87b587b442686aa402268e8c8351caaa39ec36c7d27c0aaf2c2fce00fc674bb18766478068ffcf86

Download Submit
memory/532-106-0x0000016A3F4B0000-0x0000016A3F4D9000-memory.dmp

Filesize
164KB

Download
memory/532-91-0x0000016A3F460000-0x0000016A3F475000-memory.dmp

Filesize
84KB

Download
memory/532-96-0x0000016A3F480000-0x0000016A3F489000-memory.dmp

Filesize
36KB

Download
memory/532-101-0x0000016A3F490000-0x0000016A3F4A5000-memory.dmp

Filesize
84KB

Download
memory/1900-68-0x000002A1C32F0000-0x000002A1C32F9000-memory.dmp

Filesize
36KB

Download
memory/1900-57-0x0000000180000000-0x00000001805D6000-memory.dmp

Filesize
5.8MB

Download
memory/1900-78-0x000002A1C3D70000-0x000002A1C3D99000-memory.dmp

Filesize
164KB

Download
memory/1900-73-0x000002A1C3D50000-0x000002A1C3D65000-memory.dmp

Filesize
84KB

Download
memory/1900-64-0x000002A1C32D0000-0x000002A1C32E5000-memory.dmp

Filesize
84KB

Download
memory/1900-111-0x000002A1C3DA0000-0x000002A1C3DAB000-memory.dmp

Filesize
44KB

Download
memory/1900-115-0x000002A1C41B0000-0x000002A1C41D0000-memory.dmp

Filesize
128KB

Download
memory/1900-120-0x000002A1C41D0000-0x000002A1C4202000-memory.dmp

Filesize
200KB

Download
memory/3612-16-0x0000000000FF0000-0x00000000010D2000-memory.dmp

Filesize
904KB

Download