21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17

General

Target

21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
Size

19KB
MD5

822b6ee40e6a43272bdc7f913a0ee1de
SHA1

51efb6fafd128bd536047f9cbf10be874c65882c
SHA256

21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17
SHA512

61629ca4db5511e6bd71186a39e20a4229b1dbc2d13cefa7aebc871c1b7f3714988b77d7a3015fe64e73135ac9f48911dd1ec93f6b6618facc2ed7c6a6ce104d

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

coiome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	coiome.exe

Executes dropped EXE 1 IoCs

Processes:

coiome.exe

pid process

1880 coiome.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1880	coiome.exe

Loads dropped DLL 2 IoCs

Processes:

21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe

pid	process
1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sfbsbvy\\coiome.exe"	mshta.exe

Drops file in Program Files directory 5 IoCs

Processes:

coiome.exe21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvy	coiome.exe
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvy	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
File created	C:\Program Files (x86)\EHO.hta	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
File created	C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe

Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1600 sc.exe
280 sc.exe
576 sc.exe
1804 sc.exe
1432 sc.exe
1784 sc.exe
1800 sc.exe
240 sc.exe
1484 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1812 taskkill.exe
1668 taskkill.exe
1588 taskkill.exe

pid	process
1600	sc.exe
280	sc.exe
576	sc.exe
1804	sc.exe
1432	sc.exe
1784	sc.exe
1800	sc.exe
240	sc.exe
1484	sc.exe

pid	process
1812	taskkill.exe
1668	taskkill.exe
1588	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.2345.com/?kkkbaidu"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.2345.com/?kkkbaidu"	mshta.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?kkkbaidu"	mshta.exe

Modifies registry class 2 IoCs

Processes:

coiome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"	coiome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	coiome.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

coiome.exe

pid process

1880 coiome.exe

pid	process
1880	coiome.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exetaskkill.execoiome.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1880	coiome.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.execmd.execoiome.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1068 wrote to memory of 756	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	mshta.exe
PID 1068 wrote to memory of 756	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	mshta.exe
PID 1068 wrote to memory of 756	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	mshta.exe
PID 1068 wrote to memory of 756	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	mshta.exe
PID 1068 wrote to memory of 832	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	cmd.exe
PID 1068 wrote to memory of 832	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	cmd.exe
PID 1068 wrote to memory of 832	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	cmd.exe
PID 1068 wrote to memory of 832	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	cmd.exe
PID 832 wrote to memory of 1668	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 1668	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 1668	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 1668	832	cmd.exe	taskkill.exe
PID 1068 wrote to memory of 1880	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	coiome.exe
PID 1068 wrote to memory of 1880	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	coiome.exe
PID 1068 wrote to memory of 1880	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	coiome.exe
PID 1068 wrote to memory of 1880	1068	21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe	coiome.exe
PID 1880 wrote to memory of 1048	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1048	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1048	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1048	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1320	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1320	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1320	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1320	1880	coiome.exe	cmd.exe
PID 1048 wrote to memory of 280	1048	cmd.exe	sc.exe
PID 1048 wrote to memory of 280	1048	cmd.exe	sc.exe
PID 1048 wrote to memory of 280	1048	cmd.exe	sc.exe
PID 1048 wrote to memory of 280	1048	cmd.exe	sc.exe
PID 1320 wrote to memory of 1588	1320	cmd.exe	taskkill.exe
PID 1320 wrote to memory of 1588	1320	cmd.exe	taskkill.exe
PID 1320 wrote to memory of 1588	1320	cmd.exe	taskkill.exe
PID 1320 wrote to memory of 1588	1320	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 1600	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1600	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1600	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1600	1880	coiome.exe	cmd.exe
PID 1600 wrote to memory of 1812	1600	cmd.exe	taskkill.exe
PID 1600 wrote to memory of 1812	1600	cmd.exe	taskkill.exe
PID 1600 wrote to memory of 1812	1600	cmd.exe	taskkill.exe
PID 1600 wrote to memory of 1812	1600	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 1792	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1792	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1792	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1792	1880	coiome.exe	cmd.exe
PID 1792 wrote to memory of 1800	1792	cmd.exe	sc.exe
PID 1792 wrote to memory of 1800	1792	cmd.exe	sc.exe
PID 1792 wrote to memory of 1800	1792	cmd.exe	sc.exe
PID 1792 wrote to memory of 1800	1792	cmd.exe	sc.exe
PID 1880 wrote to memory of 940	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 940	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 940	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 940	1880	coiome.exe	cmd.exe
PID 940 wrote to memory of 576	940	cmd.exe	sc.exe
PID 940 wrote to memory of 576	940	cmd.exe	sc.exe
PID 940 wrote to memory of 576	940	cmd.exe	sc.exe
PID 940 wrote to memory of 576	940	cmd.exe	sc.exe
PID 1880 wrote to memory of 1596	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1596	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1596	1880	coiome.exe	cmd.exe
PID 1880 wrote to memory of 1596	1880	coiome.exe	cmd.exe
PID 1596 wrote to memory of 240	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 240	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 240	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 240	1596	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
"C:\Users\Admin\AppData\Local\Temp\21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\EHO.hta"
2⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:756

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im coiome.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\taskkill.exe
taskkill /im coiome.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe
"C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete JavaServe
3⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\sc.exe
sc delete JavaServe
4⤵
- Launches sc.exe
PID:280

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im iejore.exe /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\taskkill.exe
taskkill /im iejore.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im conime.exe /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\taskkill.exe
taskkill /im conime.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c sc stop LYTC
3⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\sc.exe
sc stop LYTC
4⤵
- Launches sc.exe
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c sc stop Messenger
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\sc.exe
sc stop Messenger
4⤵
- Launches sc.exe
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete Messenger
3⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\sc.exe
sc delete Messenger
4⤵
- Launches sc.exe
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete LYTC
3⤵
PID:860

C:\Windows\SysWOW64\sc.exe
sc delete LYTC
4⤵
- Launches sc.exe
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c sc stop IE_WinserverName
3⤵
PID:1052

C:\Windows\SysWOW64\sc.exe
sc stop IE_WinserverName
4⤵
- Launches sc.exe
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete IE_WinserverName
3⤵
PID:1684

C:\Windows\SysWOW64\sc.exe
sc delete IE_WinserverName
4⤵
- Launches sc.exe
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c sc stop HidServ
3⤵
PID:904

C:\Windows\SysWOW64\sc.exe
sc stop HidServ
4⤵
- Launches sc.exe
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c sc delete HidServ
3⤵
PID:1728

C:\Windows\SysWOW64\sc.exe
sc delete HidServ
4⤵
- Launches sc.exe
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
3⤵
PID:1092

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
4⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
3⤵
PID:1848

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
4⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe"
2⤵
PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe

Filesize
4.0MB

MD5
bc0d0ff15cec70aff63910382a4dc359

SHA1
031794fd0b126e602770a5b3149cff34d57b5c66

SHA256
8aaeace4314b159bcea655bb0080007f8b68c896a48661dc26f04c5b607eb147

SHA512
b17f5adf4de9b5415ff28f860eb44c9d6d0143dc3e5819e09f976d01a562d730a17cd9705fc34d5522c8406f3cedc8d5344dd92bac9221bf44556434c6ed3477

Download Submit
C:\Program Files (x86)\EHO.hta

Filesize
785B

MD5
74ccbce1e5800180a01fb299767e310c

SHA1
5eee44303a3800e0ac31a103538dccfe4ffa57b2

SHA256
7c800551aa79c34f689c2d87e3b24c2bfaca0d2815538650abe445c3cb3a77ec

SHA512
581385678a72de017f99b41d565d5acd8b2ffa322e20ae9489803b6043fe6696ccab38c43ae5583afda73cb3f33b4fa33813c543ffb4e34b17394d1ec6fae6c8

Download Submit
\Program Files (x86)\Common Files\sfbsbvy\coiome.exe

Filesize
4.0MB

MD5
bc0d0ff15cec70aff63910382a4dc359

SHA1
031794fd0b126e602770a5b3149cff34d57b5c66

SHA256
8aaeace4314b159bcea655bb0080007f8b68c896a48661dc26f04c5b607eb147

SHA512
b17f5adf4de9b5415ff28f860eb44c9d6d0143dc3e5819e09f976d01a562d730a17cd9705fc34d5522c8406f3cedc8d5344dd92bac9221bf44556434c6ed3477

Download Submit
\Program Files (x86)\Common Files\sfbsbvy\coiome.exe

Filesize
4.0MB

MD5
bc0d0ff15cec70aff63910382a4dc359

SHA1
031794fd0b126e602770a5b3149cff34d57b5c66

SHA256
8aaeace4314b159bcea655bb0080007f8b68c896a48661dc26f04c5b607eb147

SHA512
b17f5adf4de9b5415ff28f860eb44c9d6d0143dc3e5819e09f976d01a562d730a17cd9705fc34d5522c8406f3cedc8d5344dd92bac9221bf44556434c6ed3477

Download Submit
memory/240-82-0x0000000000000000-mapping.dmp

Download
memory/280-72-0x0000000000000000-mapping.dmp

Download
memory/576-80-0x0000000000000000-mapping.dmp

Download
memory/756-55-0x0000000000000000-mapping.dmp

Download
memory/796-95-0x0000000000000000-mapping.dmp

Download
memory/832-59-0x0000000000000000-mapping.dmp

Download
memory/860-83-0x0000000000000000-mapping.dmp

Download
memory/904-90-0x0000000000000000-mapping.dmp

Download
memory/940-79-0x0000000000000000-mapping.dmp

Download
memory/1040-89-0x0000000000000000-mapping.dmp

Download
memory/1048-70-0x0000000000000000-mapping.dmp

Download
memory/1052-85-0x0000000000000000-mapping.dmp

Download
memory/1068-67-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/1068-69-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/1068-64-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/1068-54-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

Filesize
8KB

Download
memory/1068-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1092-94-0x0000000000000000-mapping.dmp

Download
memory/1320-71-0x0000000000000000-mapping.dmp

Download
memory/1432-88-0x0000000000000000-mapping.dmp

Download
memory/1484-86-0x0000000000000000-mapping.dmp

Download
memory/1492-97-0x0000000000000000-mapping.dmp

Download
memory/1588-73-0x0000000000000000-mapping.dmp

Download
memory/1596-81-0x0000000000000000-mapping.dmp

Download
memory/1600-93-0x0000000000000000-mapping.dmp

Download
memory/1600-75-0x0000000000000000-mapping.dmp

Download
memory/1668-60-0x0000000000000000-mapping.dmp

Download
memory/1684-87-0x0000000000000000-mapping.dmp

Download
memory/1728-92-0x0000000000000000-mapping.dmp

Download
memory/1784-91-0x0000000000000000-mapping.dmp

Download
memory/1792-77-0x0000000000000000-mapping.dmp

Download
memory/1800-78-0x0000000000000000-mapping.dmp

Download
memory/1804-84-0x0000000000000000-mapping.dmp

Download
memory/1812-76-0x0000000000000000-mapping.dmp

Download
memory/1848-96-0x0000000000000000-mapping.dmp

Download
memory/1880-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1880-63-0x0000000000000000-mapping.dmp

Download
memory/1880-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads