Analysis
max time kernel: 151s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 07:47
Static task: static1
Behavioral task: behavioral1
  Sample: 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe
  Resource: win10v2004-20220901-en
General
Target: 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe
Size: 23KB
MD5: 63bdaa9ef652b6287dc08d08e7489550
SHA1: 493ac75996c2498c789124f6df717cb9bda234fe
SHA256: 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4
SHA512: 635a91bbbc9fe3a8353c6dc69f56cce23f991a69c36690a813c1e52ed15c6c9e690934381481e7ab2ee3dfaf63b115e8fbdb3727faa508528a0dccf6867ec70a
SSDEEP: 384:1M3PnQoHDCpHf4I4Qwdc0G5KDJOmFpH/m1CT:1m/QojCpHfx0OmbHzT
Malware Config
Signatures
Drops file in Drivers directory (17 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
Executes dropped EXE (4 IoCs)
pid | process
3488 | winlogon.exe
3664 | AE 0124 BE.exe
680 | winlogon.exe
528 | winlogon.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Loads dropped DLL (3 IoCs)
pid | process
3664 | AE 0124 BE.exe
680 | winlogon.exe
528 | winlogon.exe
Drops desktop.ini file(s) (30 IoCs)
All rows: description = File opened for modification, process = AE 0124 BE.exe. ioc:
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Windows\Web\Wallpaper\Theme2\Desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Windows\Web\Wallpaper\Theme1\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini
C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini
C:\Windows\Media\Desktop.ini
C:\Windows\Offline Web Pages\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini
C:\Windows\Downloaded Program Files\desktop.ini
C:\Windows\Fonts\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini
Drops autorun.inf file (1 TTP, 27 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | process
File opened for modification | \??\A:\Autorun.inf | winlogon.exe
File opened for modification | \??\B:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\F:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
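The Autorun mechanism this signature refers to works through a handful of directives in the file's [autorun] section (open=, shellexecute=, shell\open\command=). The Python below is an added example and not part of the sandbox report: it parses a constructed Autorun.inf, reports which directives would launch a program from the volume, and normalizes the \??\X:\ device-prefixed paths the report prints so the drive roots that received the file can be listed. The file contents are assumed (the report records only that the file was written, not what it contains); the drive-root paths are a subset copied from the rows above.

```python
import re

# [autorun] directives that make Explorer/AutoPlay run a program from the volume.
LAUNCH_DIRECTIVES = ("open", "shellexecute", r"shell\open\command")

# Constructed sample: the kind of Autorun.inf a worm writes next to its copy
# (assumed contents; the report only records that the file was written).
MALICIOUS_INF = """[autorun]
;constructed for this example
open=winlogon.exe
shellexecute=winlogon.exe
shell\\open\\command=winlogon.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed sample: a benign Autorun.inf that only sets a label and an icon.
BENIGN_INF = """[autorun]
label=Backup Drive
icon=drive.ico
"""

# A subset of the ioc paths from the "Drops autorun.inf file" signature.
REPORT_PATHS = [
    r"\??\A:\Autorun.inf",
    r"\??\B:\Autorun.inf",
    r"D:\Autorun.inf",
    r"C:\Autorun.inf",
    r"\??\Z:\Autorun.inf",
    r"C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf",
]


def parse_inf(text):
    """Minimal INF/INI parser: {section: {key: value}} with lowercased section and
    key names. Lines starting with ';' are comments; a repeated key keeps the last value."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """(directive, target) for every [autorun] directive that would run a program
    from the volume. An empty list means the file only sets a label or icon."""
    autorun = parse_inf(text).get("autorun", {})
    return [(k, autorun[k]) for k in LAUNCH_DIRECTIVES if autorun.get(k)]


def normalize_nt_path(path):
    """Drop the NT object-manager prefix the sandbox prints on some paths, so that
    \\??\\A:\\Autorun.inf and D:\\Autorun.inf are compared the same way."""
    return path[4:] if path.startswith("\\??\\") else path


def drive_roots_with_autorun(ioc_paths):
    """Drive letters that received an Autorun.inf at the volume root. Files deeper in
    the tree (such as the BitLockerDiscoveryVolumeContents one) are not launch
    vectors and are ignored."""
    roots = set()
    for path in ioc_paths:
        m = re.fullmatch(r"([A-Za-z]):\\autorun\.inf", normalize_nt_path(path), re.IGNORECASE)
        if m:
            roots.add(m.group(1).upper())
    return sorted(roots)


if __name__ == "__main__":
    print("malicious:", launch_targets(MALICIOUS_INF))
    print("benign:", launch_targets(BENIGN_INF))
    print("drive roots:", drive_roots_with_autorun(REPORT_PATHS))
```

On a live host the same parser can be pointed at X:\Autorun.inf for every mounted volume; a non-empty launch_targets result on removable media is the condition worth alerting on, a label/icon-only file is not.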
Drops file in System32 directory (64 IoCs)
All rows: description = File opened for modification, process = AE 0124 BE.exe. ioc:
C:\Windows\System32\DriverStore\FileRepository\c_swcomponent.inf_amd64_f378d70fa39d3577\c_swcomponent.inf
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\EventTracingManagement\MSFT_EtwTraceSession_v1.0.cdxml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterHardwareInfo.Format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\GroupSet\GroupSet.Schema.psm1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedClass.xsd
C:\Windows\SysWOW64\DxpTaskSync.dll
C:\Windows\SysWOW64\dxtmsft.dll
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-63-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
C:\Windows\SysWOW64\wbem\rdpendp.mof
C:\Windows\System32\DriverStore\FileRepository\c_fsphysicalquotamgmt.inf_amd64_796516c18b264f1e
C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\Netwfw01.dat
C:\Windows\SysWOW64\SystemSettings.DataModel.dll
C:\Windows\SysWOW64\wiascanprofiles.dll
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-VirtualDevice-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Notepad-FoD-Package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.117.cat
C:\Windows\System32\DriverStore\en-US\umpass.inf_loc
C:\Windows\SysWOW64\msls31.dll
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-msmq-powershell-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat
C:\Windows\System32\DriverStore\en-US\scmbus.inf_loc
C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\net8185.inf
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1
C:\Windows\SysWOW64\advapi32res.dll
C:\Windows\SysWOW64\mtstocom.exe
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSPaint-FoD-Package~31bf3856ad364e35~wow64~~10.0.19041.1.cat
C:\Windows\System32\DriverStore\FileRepository\cht4nulx64.inf_amd64_641bf08bee8ac46d
C:\Windows\System32\DriverStore\FileRepository\mdmusrgl.inf_amd64_19bd1d6c2b642b6f
C:\Windows\SysWOW64\mfmpeg2srcsnk.dll
C:\Windows\SysWOW64\odbc32.dll
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-PMEM-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.153.cat
C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\ufxchipidea.inf
C:\Windows\SysWOW64\wbem\en-US\htable.xsl
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ClientForNFS-Infrastructure-OptGroup-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat
C:\Windows\System32\DriverStore\FileRepository\mdmcxhv6.inf_amd64_f1a7a2fbd6554d60\VSTBS26.SYS
C:\Windows\System32\DriverStore\FileRepository\usbvideo.inf_amd64_b401376fd0a39c95\usbvideo.sys
C:\Windows\SysWOW64\sr-Latn-RS\SyncRes.dll.mui
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterLso.cdxml
C:\Windows\SysWOW64\ExtrasXmlParser.dll
C:\Windows\SysWOW64\racpldlg.dll
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Remotefx-Clientvm-Rdvgwddmdx11-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.928.cat
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-RemoteApplications-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
C:\Windows\System32\DriverStore\FileRepository\cht4nulx64.inf_amd64_641bf08bee8ac46d\cht4nulx64.inf
C:\Windows\System32\DriverStore\FileRepository\c_cashdrawer.inf_amd64_a648ee708660440c\c_cashdrawer.inf
C:\Windows\SysWOW64\cryptsp.dll
C:\Windows\SysWOW64\netcenter.dll
C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-OptionalFeature-DisposableClientVM-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-Containers-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat
C:\Windows\System32\DriverStore\FileRepository\c_mtd.inf_amd64_2f8cc39571965376\c_mtd.inf
C:\Windows\SysWOW64\Speech\Engines\SR\srloc.dll
C:\Windows\SysWOW64\systeminfo.exe
C:\Windows\SysWOW64\wpnclient.dll
C:\Windows\SysWOW64\WWanAPI.dll
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat
C:\Windows\System32\DriverStore\en-US\circlass.inf_loc
C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd
C:\Windows\System32\DriverStore\FileRepository\hpsamd.inf_amd64_0784fd3ef0d7ec93\hpsamd.inf
C:\Windows\SysWOW64\en-US\ntlanman.dll.mui
C:\Windows\System32\DriverStore\FileRepository\netwlv64.inf_amd64_0b9818131664d91e\netwlv64.inf
C:\Windows\SysWOW64\joinutil.dll
C:\Windows\SysWOW64\mapistub.dll
C:\Windows\SysWOW64\Windows.Data.Pdf.dll
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KMCL-Host-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
Drops file in Windows directory (64 IoCs)
All rows: description = File opened for modification, process = AE 0124 BE.exe. ioc:
C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_220320d2c4216035
C:\Windows\WinSxS\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_10.0.19041.1_en-us_d26e0637cf86d0d1\winresume.exe.mui
C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\HelloFaceAnimation.gif
C:\Windows\WinSxS\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.19041.1_none_67df66e1405214df\samlib.dll
C:\Windows\WinSxS\amd64_microsoft-windows-feedback-service_31bf3856ad364e35_10.0.19041.630_none_57ca0a77efb2334c\r
C:\Windows\WinSxS\amd64_microsoft-windows-r..skfactory.resources_31bf3856ad364e35_10.0.19041.1_en-us_4455b8e1c8da7ea2
C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.Interop\v4.0_2.0.0.0__31bf3856ad364e35
C:\Windows\servicing\Packages\Microsoft-Windows-Embedded-AssignedAccessCsp-Package~31bf3856ad364e35~amd64~~10.0.19041.1023.mum
C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100esn_x86
C:\Windows\WinSxS\amd64_dual_prnms003.inf_31bf3856ad364e35_10.0.19041.1202_none_8b568f04f79b359a\r
C:\Windows\WinSxS\amd64_microsoft-windows-charmap_31bf3856ad364e35_10.0.19041.1_none_a84acae243b8ad63\kanji_1.uce
C:\Windows\WinSxS\amd64_microsoft-windows-ui-storage_31bf3856ad364e35_10.0.19041.264_none_e3a79bf4b0ee8748
C:\Windows\servicing\Packages\Microsoft-Windows-NetFx4-US-OC-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat
C:\Windows\WinSxS\amd64_microsoft-windows-ipt_31bf3856ad364e35_10.0.19041.1_none_64a5e429f6c07bce
C:\Windows\WinSxS\amd64_microsoft-windows-m..nts-mdac-rds-ce-vbs_31bf3856ad364e35_10.0.19041.1_none_1714c122e1b86324
C:\Windows\WinSxS\amd64_microsoft-windows-d..oragecontexthandler_31bf3856ad364e35_10.0.19041.746_none_a48c20778e0b0fc5\r\StorageContextHandler.dll
C:\Windows\Fonts\85f874.fon
C:\Windows\WinSxS\amd64_netfx-xpthemes_manifest_b03f5f7f11d50a3a_10.0.19041.1_none_97b1e5d929fef91b
C:\Windows\WinSxS\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.19041.1266_none_fc46bc5d51913141\boot.stl
C:\Windows\WinSxS\amd64_microsoft-windows-i..nese-core-essential_31bf3856ad364e35_10.0.19041.906_none_87ebbd2e29360e73\IMTCCORE.DLL
C:\Windows\WinSxS\amd64_microsoft-windows-r..ckgroundmediapolicy_31bf3856ad364e35_10.0.19041.746_none_20fd7dc0637d60d3
C:\Windows\servicing\Packages\Package_4_for_KB4552925~31bf3856ad364e35~amd64~~10.0.1.3176.cat
C:\Windows\WinSxS\amd64_dual_iscsi.inf_31bf3856ad364e35_10.0.19041.1151_none_2548defe90359599\r\iscsilog.dll
C:\Windows\Boot\EFI\ko-KR\bootmgr.efi.mui
C:\Windows\servicing\Packages\Microsoft-Windows-DirectoryServices-ADAM-Snapins-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum
C:\Windows\WinSxS\amd64_microsoft-windows-shell-family-cache_31bf3856ad364e35_10.0.19041.1_none_cfb7afe27be05a0d
C:\Windows\WinSxS\amd64_microsoft-windows-ui-fileexplorer_31bf3856ad364e35_10.0.19041.153_none_64dfae1afa14e771
C:\Windows\WinSxS\amd64_dual_netathr10x.inf_31bf3856ad364e35_10.0.19041.1_none_045e44cd3c4b69ac\eeprom_ar6320_3p0_NFA344a_highTX_LE_9.bin
C:\Windows\servicing\InboxFodMetadataCache\metadata\App.StepsRecorder~~1.0.mum
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0
C:\Windows\WinSxS\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ru-ru_b5fb7c987b6e9877
C:\Windows\WinSxS\amd64_microsoft-windows-t..rk-ctfmon.resources_31bf3856ad364e35_10.0.19041.1_en-us_4c6aa2acd5820257
C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\wide.TimeLanguage.png
C:\Windows\WinSxS\amd64_microsoft-windows-a..appvprogrammability_31bf3856ad364e35_10.0.19041.746_none_ca08a5430d378c28
C:\Windows\servicing\Packages\Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
C:\Windows\WinSxS\amd64_hyperv-vmuidevices_31bf3856ad364e35_10.0.19041.928_none_5baff06b214ab1ff
C:\Windows\WinSxS\amd64_microsoft-windows-timedate.resources_31bf3856ad364e35_10.0.19041.1_en-us_d9b59138c16b517f
C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-0000044a_31bf3856ad364e35_10.0.19041.1_none_bcd0d9a12a4741d4
C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.1202_none_024525bdc81df50d\n
C:\Windows\WinSxS\amd64_microsoft-onecore-dusm-api_31bf3856ad364e35_10.0.19041.546_none_d2d472e23827041b\dusmapi.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif
C:\Windows\servicing\Packages\Microsoft-Windows-Product-Data-21h1-EKB-Wrapper-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.789.cat
C:\Windows\WinSxS\amd64_dual_mdmhaeu.inf_31bf3856ad364e35_10.0.19041.1_none_2732194cb22c103c
C:\Windows\Fonts\consolai.ttf
C:\Windows\WinSxS\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.19041.1_ar-sa_257d996be3ed9469
C:\Windows\WinSxS\amd64_microsoft-windows-devices-midi_31bf3856ad364e35_10.0.19041.746_none_c8d36e2efa765486\r
C:\Windows\WinSxS\amd64_microsoft-windows-dot3-netsh-helper_31bf3856ad364e35_10.0.19041.1_none_909821e76374f0e7\dot3cfg.dll
C:\Windows\WinSxS\amd64_microsoft-windows-security-webauthn_31bf3856ad364e35_10.0.19041.1_none_b51692778b21e562
C:\Windows\servicing\Packages\Microsoft-Windows-CoreSystem-DISM-Package~31bf3856ad364e35~amd64~~10.0.19041.153.mum
C:\Windows\WinSxS\amd64_dual_sdfrd.inf_31bf3856ad364e35_10.0.19041.1_none_7dc823dfe4526b1c
C:\Windows\WinSxS\amd64_microsoft-windows-a..oldertool.resources_31bf3856ad364e35_10.0.19041.1_en-us_c94163e939bb3e6e
C:\Windows\WinSxS\wow64_microsoft-windows-bcp47languages_31bf3856ad364e35_10.0.19041.1_none_5ab00596aa91fbeb
C:\Windows\WinSxS\wow64_microsoft-windows-sctasks.resources_31bf3856ad364e35_10.0.19041.1_en-us_e35ddeaa1ca1870d
C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-uevservice_31bf3856ad364e35_10.0.19041.1288_none_f26bd0dcdf662cc9\r
C:\Windows\WinSxS\amd64_microsoft-windows-magnify.resources_31bf3856ad364e35_10.0.19041.1_en-us_ab7e0e498c008cc9\Magnify.exe.mui
C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-CastingCommon-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat
C:\Windows\WinSxS\wow64_microsoft-windows-workplace_31bf3856ad364e35_10.0.19041.264_none_46805855b0aa9bd1
C:\Windows\WinSxS\amd64_addinutil_b77a5c561934e089_4.0.15805.0_none_fcd173bc1b434b81\AddInUtil.exe.config
C:\Windows\WinSxS\amd64_microsoft-windows-i..mon-printexperience_31bf3856ad364e35_10.0.19041.746_none_753a35e56850cf18\f
C:\Windows\WinSxS\wow64_microsoft-windows-computerdefaults_31bf3856ad364e35_10.0.19041.1_none_c6bc59819707b32b
C:\Windows\SystemResources\Windows.UI.ShellCommon\ClockFlyoutExperience\Assets\Fonts
C:\Windows\WinSxS\wow64_microsoft-windows-dui70_31bf3856ad364e35_10.0.19041.1_none_17fa67a6d1d90f6d
C:\Windows\WinSxS\amd64_microsoft-windows-d..adam-core.resources_31bf3856ad364e35_10.0.19041.207_en-us_5fde7496dedcd749\r
C:\Windows\WinSxS\amd64_microsoft-windows-d..ment-enterprisecsps_31bf3856ad364e35_10.0.19041.1151_none_c10310d293c6ec98\f
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
In this run the drive enumeration coincides with the Autorun.inf writes to every drive root from A: to Z: (see "Drops autorun.inf file" above), which is worm-style spreading to attached volumes rather than encryption; no file-encryption or ransom-note signature appears anywhere in this report.
Modifies registry class (3 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | process
4904 | 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe
3488 | winlogon.exe
3664 | AE 0124 BE.exe
680 | winlogon.exe
528 | winlogon.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | procid_target
PID 4904 wrote to memory of 3488 | 4904 | 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe | 84
PID 4904 wrote to memory of 3488 | 4904 | 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe | 84
PID 4904 wrote to memory of 3488 | 4904 | 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe | 84
PID 3488 wrote to memory of 3664 | 3488 | winlogon.exe | 85
PID 3488 wrote to memory of 3664 | 3488 | winlogon.exe | 85
PID 3488 wrote to memory of 3664 | 3488 | winlogon.exe | 85
PID 3488 wrote to memory of 680 | 3488 | winlogon.exe | 86
PID 3488 wrote to memory of 680 | 3488 | winlogon.exe | 86
PID 3488 wrote to memory of 680 | 3488 | winlogon.exe | 86
PID 3664 wrote to memory of 528 | 3664 | AE 0124 BE.exe | 87
PID 3664 wrote to memory of 528 | 3664 | AE 0124 BE.exe | 87
PID 3664 wrote to memory of 528 | 3664 | AE 0124 BE.exe | 87
Processes
[1] C:\Users\Admin\AppData\Local\Temp\9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe"
    PID: 4904
    - Drops file in Drivers directory
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\drivers\winlogon.exe
        command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 3488
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Checks computer location settings
        - Drops autorun.inf file
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\AE 0124 BE.exe
            command line: "C:\Windows\AE 0124 BE.exe"
            PID: 3664
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Checks computer location settings
            - Loads dropped DLL
            - Drops desktop.ini file(s)
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\drivers\winlogon.exe
                command line: "C:\Windows\System32\drivers\winlogon.exe"
                PID: 528
                - Drops file in Drivers directory
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetWindowsHookEx
        [3] C:\Windows\SysWOW64\drivers\winlogon.exe
            command line: "C:\Windows\System32\drivers\winlogon.exe"
            PID: 680
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

Note on the winlogon.exe paths: each dropped copy is launched with the command line "C:\Windows\System32\drivers\winlogon.exe" but runs from C:\Windows\SysWOW64\drivers\winlogon.exe. The sample is a 32-bit process (it drops and loads the VB6 runtime Msvbvm60.dll), so WOW64 file-system redirection maps its writes under C:\Windows\System32 to C:\Windows\SysWOW64 on this 64-bit host. The real winlogon.exe lives in C:\Windows\System32, not in a drivers subdirectory, so any winlogon.exe under either drivers path is a masquerading indicator.
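The process chain above can be recovered mechanically from the "Suspicious use of WriteProcessMemory" rows, which record the parent of every spawn (three rows per spawn in this report). The Python below is an added example, not part of the sandbox output: it dedupes those rows, rebuilds the tree with the same level numbers as the process list, and flags any winlogon.exe running from a directory other than C:\Windows\System32. The row text and image paths are copied from this report; the canonical-directory table is an assumption that holds for a default 64-bit Windows install.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # ntpath parses Windows paths on any host

# Rows copied from the report's "Suspicious use of WriteProcessMemory" signature.
# The sandbox logs each WriteProcessMemory call, so one spawn appears as three rows.
WPM_ROWS = """\
PID 4904 wrote to memory of 3488 4904 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe 84
PID 4904 wrote to memory of 3488 4904 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe 84
PID 4904 wrote to memory of 3488 4904 9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe 84
PID 3488 wrote to memory of 3664 3488 winlogon.exe 85
PID 3488 wrote to memory of 3664 3488 winlogon.exe 85
PID 3488 wrote to memory of 3664 3488 winlogon.exe 85
PID 3488 wrote to memory of 680 3488 winlogon.exe 86
PID 3488 wrote to memory of 680 3488 winlogon.exe 86
PID 3488 wrote to memory of 680 3488 winlogon.exe 86
PID 3664 wrote to memory of 528 3664 AE 0124 BE.exe 87
PID 3664 wrote to memory of 528 3664 AE 0124 BE.exe 87
PID 3664 wrote to memory of 528 3664 AE 0124 BE.exe 87
"""

# Image paths from the report's process list (pid -> on-disk path).
IMAGE_PATHS = {
    4904: r"C:\Users\Admin\AppData\Local\Temp\9015ebc35c3cd49471eeb806c30c4e75e62f0f3e6a54eb19a08de95ae22a73d4.exe",
    3488: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    3664: r"C:\Windows\AE 0124 BE.exe",
    680: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    528: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
}

# Assumption: where this system binary lives on a default 64-bit Windows install.
CANONICAL_DIRS = {"winlogon.exe": r"C:\Windows\System32"}

# "PID <src> wrote to memory of <dst> <src> <image name, may contain spaces> <procid_target>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)$")


def parse_wpm_rows(text):
    """Unique (source_pid, target_pid, source_image) edges in first-seen order."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3))
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(edges):
    """parent pid -> [child pids], children in the order the report lists them."""
    tree = defaultdict(list)
    for src, dst, _ in edges:
        tree[src].append(dst)
    return dict(tree)


def find_roots(edges):
    """Pids that write to others but were never written to: the chain's origin."""
    sources = {s for s, _, _ in edges}
    targets = {t for _, t, _ in edges}
    return sorted(sources - targets)


def depths(tree, root):
    """pid -> level, root at 1, matching the level numbers in the process list."""
    out = {root: 1}
    stack = [root]
    while stack:
        pid = stack.pop()
        for child in tree.get(pid, []):
            out[child] = out[pid] + 1
            stack.append(child)
    return out


def masquerading_pids(image_paths):
    """Pids whose image name is a known system binary running from the wrong directory."""
    hits = []
    for pid, path in image_paths.items():
        expected = CANONICAL_DIRS.get(basename(path).lower())
        if expected and dirname(path).lower() != expected.lower():
            hits.append(pid)
    return sorted(hits)


def render(tree, image_paths, root):
    """Indented text tree, one line per process, in the report's own layout."""
    lines = []

    def walk(pid, level):
        lines.append("  " * (level - 1) + f"[{level}] {image_paths.get(pid, '?')} (PID {pid})")
        for child in tree.get(pid, []):
            walk(child, level + 1)

    walk(root, 1)
    return lines


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    tree = build_tree(edges)
    root = find_roots(edges)[0]
    print("\n".join(render(tree, IMAGE_PATHS, root)))
    print("masquerading pids:", masquerading_pids(IMAGE_PATHS))
```

The backreference in ROW_RE is what makes the image name parse safely: the source pid is printed twice per row, and anchoring on the second copy lets the lazy group absorb names with spaces such as "AE 0124 BE.exe".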
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 40KB (6 entries with identical hashes)
MD5: 26e4436dca8a119493ec949b42ab1758
SHA1: 552d31e17c1005ca94b119d64ba6ead659b2776c
SHA256: 606d99c3080399a2afa2a4bf8f176182a638d536c8a128f24bf28711344bec75
SHA512: d4fe47bf18f8a0c6569f07d3ac33bab3048f792e90a5bc9c4c23eb17a76269f962e46ead03e9fa87498876038009738bdff0a66f499802a028eaa54128d31965

Filesize: 43KB
MD5: af091cefd057c068cc10f22d4735d129
SHA1: 162e86749a97abdff67bf6836e771172a87560a6
SHA256: d8acabacb93580f245f0e56b466e7ea9d8450c4736a64e9a3b445c18df8f5f21
SHA512: 2a31c61a53635e75b32f5da891f1dc527c121844a3dc743d6653632d4863c32b87f84ac860f334ffc66a2346cde6d3ceae32cb33b3011730c8346ffb50df550b

Filesize: 1.4MB (5 entries with identical hashes)
MD5: 25f62c02619174b35851b0e0455b3d94
SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Filesize: 25B (2 entries with identical hashes)
MD5: 589b6886a49054d03b739309a1de9fcc
SHA1: 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256: 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512: 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb