darkcomet | c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59

General

Target

c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe
Size

449KB
MD5

e10ca314d5cc8d7643aff2acd14b8696
SHA1

ff0e4023caa46ba078be0645c132b072a945d4f3
SHA256

c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59
SHA512

6b0777d52ea3f4e96185ec826d4637fd4f32ae604eec05ee2a6e83ac28b85bbb7a1ecb1ed9d0eb5b2996243b6317c39ee995f5539ba06551e119dea7c163414b
SSDEEP

6144:59ts21gkJMMMyMEv1Goh7TJTX9sIsQkiFIk6/mFDe9Sqhq7nj/I0JIY7+qga:LtsiX2MFNgoRT1XasIk6CCVqA0Jd+q

Score

10^/10

darkcomet modiloader tell persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

tell

C2

ddos.duia.ro:443

Mutex

DCMIN_MUTEX-E61LPZQ

Attributes

InstallPath
notepad.exe
gencode
STE5MstR9N7H
install
true
offline_keylogger
true
persistence
false
reg_key
Host process

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

FB_CBA2.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\STE5MstR9N7H\\notepad.exe"	FB_CBA2.tmp.exe

ModiLoader Second Stage 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3616-136-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral2/memory/3616-138-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral2/memory/3616-139-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\FB_CE81.tmp.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\FB_CE81.tmp.exe	modiloader_stage2
C:\Users\Admin\AppData\Roaming\upfile.exe	modiloader_stage2
C:\Users\Admin\AppData\Roaming\upfile.exe	modiloader_stage2

Executes dropped EXE 4 IoCs

Processes:

FB_CBA2.tmp.exeFB_CE81.tmp.exeupfile.exenotepad.exe

pid process

1008 FB_CBA2.tmp.exe
1700 FB_CE81.tmp.exe
2356 upfile.exe
2392 notepad.exe

pid	process
1008	FB_CBA2.tmp.exe
1700	FB_CE81.tmp.exe
2356	upfile.exe
2392	notepad.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FB_CBA2.tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\FB_CBA2.tmp.exe	upx
C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe	upx
C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe	upx
behavioral2/memory/2392-152-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1008-153-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2392-155-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exeFB_CE81.tmp.exeFB_CBA2.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FB_CE81.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FB_CBA2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FB_CBA2.tmp.exeupfile.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host process = "C:\\Windows\\system32\\STE5MstR9N7H\\notepad.exe"	FB_CBA2.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upfile = "C:\\Users\\Admin\\AppData\\Roaming\\upfile.exe"	upfile.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sakura = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winog.exe"	reg.exe

Drops file in System32 directory 3 IoCs

Processes:

FB_CBA2.tmp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\notepad.exe	FB_CBA2.tmp.exe
File created	C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe	FB_CBA2.tmp.exe
File opened for modification	C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe	FB_CBA2.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe

description	pid	process	target process
PID 5060 set thread context of 3616	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

FB_CBA2.tmp.exenotepad.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1008	FB_CBA2.tmp.exe
Token: SeSecurityPrivilege	1008	FB_CBA2.tmp.exe
Token: SeTakeOwnershipPrivilege	1008	FB_CBA2.tmp.exe
Token: SeLoadDriverPrivilege	1008	FB_CBA2.tmp.exe
Token: SeSystemProfilePrivilege	1008	FB_CBA2.tmp.exe
Token: SeSystemtimePrivilege	1008	FB_CBA2.tmp.exe
Token: SeProfSingleProcessPrivilege	1008	FB_CBA2.tmp.exe
Token: SeIncBasePriorityPrivilege	1008	FB_CBA2.tmp.exe
Token: SeCreatePagefilePrivilege	1008	FB_CBA2.tmp.exe
Token: SeBackupPrivilege	1008	FB_CBA2.tmp.exe
Token: SeRestorePrivilege	1008	FB_CBA2.tmp.exe
Token: SeShutdownPrivilege	1008	FB_CBA2.tmp.exe
Token: SeDebugPrivilege	1008	FB_CBA2.tmp.exe
Token: SeSystemEnvironmentPrivilege	1008	FB_CBA2.tmp.exe
Token: SeChangeNotifyPrivilege	1008	FB_CBA2.tmp.exe
Token: SeRemoteShutdownPrivilege	1008	FB_CBA2.tmp.exe
Token: SeUndockPrivilege	1008	FB_CBA2.tmp.exe
Token: SeManageVolumePrivilege	1008	FB_CBA2.tmp.exe
Token: SeImpersonatePrivilege	1008	FB_CBA2.tmp.exe
Token: SeCreateGlobalPrivilege	1008	FB_CBA2.tmp.exe
Token: 33	1008	FB_CBA2.tmp.exe
Token: 34	1008	FB_CBA2.tmp.exe
Token: 35	1008	FB_CBA2.tmp.exe
Token: 36	1008	FB_CBA2.tmp.exe
Token: SeIncreaseQuotaPrivilege	2392	notepad.exe
Token: SeSecurityPrivilege	2392	notepad.exe
Token: SeTakeOwnershipPrivilege	2392	notepad.exe
Token: SeLoadDriverPrivilege	2392	notepad.exe
Token: SeSystemProfilePrivilege	2392	notepad.exe
Token: SeSystemtimePrivilege	2392	notepad.exe
Token: SeProfSingleProcessPrivilege	2392	notepad.exe
Token: SeIncBasePriorityPrivilege	2392	notepad.exe
Token: SeCreatePagefilePrivilege	2392	notepad.exe
Token: SeBackupPrivilege	2392	notepad.exe
Token: SeRestorePrivilege	2392	notepad.exe
Token: SeShutdownPrivilege	2392	notepad.exe
Token: SeDebugPrivilege	2392	notepad.exe
Token: SeSystemEnvironmentPrivilege	2392	notepad.exe
Token: SeChangeNotifyPrivilege	2392	notepad.exe
Token: SeRemoteShutdownPrivilege	2392	notepad.exe
Token: SeUndockPrivilege	2392	notepad.exe
Token: SeManageVolumePrivilege	2392	notepad.exe
Token: SeImpersonatePrivilege	2392	notepad.exe
Token: SeCreateGlobalPrivilege	2392	notepad.exe
Token: 33	2392	notepad.exe
Token: 34	2392	notepad.exe
Token: 35	2392	notepad.exe
Token: 36	2392	notepad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

notepad.exe

pid process

2392 notepad.exe

pid	process
2392	notepad.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.execmd.exevbc.exeFB_CE81.tmp.exeFB_CBA2.tmp.exe

description	pid	process	target process
PID 5060 wrote to memory of 2820	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	cmd.exe
PID 5060 wrote to memory of 2820	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	cmd.exe
PID 5060 wrote to memory of 2820	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	cmd.exe
PID 2820 wrote to memory of 4592	2820	cmd.exe	reg.exe
PID 2820 wrote to memory of 4592	2820	cmd.exe	reg.exe
PID 2820 wrote to memory of 4592	2820	cmd.exe	reg.exe
PID 5060 wrote to memory of 3616	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	vbc.exe
PID 5060 wrote to memory of 3616	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	vbc.exe
PID 5060 wrote to memory of 3616	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	vbc.exe
PID 5060 wrote to memory of 3616	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	vbc.exe
PID 5060 wrote to memory of 3616	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	vbc.exe
PID 5060 wrote to memory of 3616	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	vbc.exe
PID 5060 wrote to memory of 3616	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	vbc.exe
PID 5060 wrote to memory of 3616	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	vbc.exe
PID 5060 wrote to memory of 3616	5060	c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe	vbc.exe
PID 3616 wrote to memory of 1008	3616	vbc.exe	FB_CBA2.tmp.exe
PID 3616 wrote to memory of 1008	3616	vbc.exe	FB_CBA2.tmp.exe
PID 3616 wrote to memory of 1008	3616	vbc.exe	FB_CBA2.tmp.exe
PID 3616 wrote to memory of 1700	3616	vbc.exe	FB_CE81.tmp.exe
PID 3616 wrote to memory of 1700	3616	vbc.exe	FB_CE81.tmp.exe
PID 3616 wrote to memory of 1700	3616	vbc.exe	FB_CE81.tmp.exe
PID 1700 wrote to memory of 2356	1700	FB_CE81.tmp.exe	upfile.exe
PID 1700 wrote to memory of 2356	1700	FB_CE81.tmp.exe	upfile.exe
PID 1700 wrote to memory of 2356	1700	FB_CE81.tmp.exe	upfile.exe
PID 1008 wrote to memory of 2392	1008	FB_CBA2.tmp.exe	notepad.exe
PID 1008 wrote to memory of 2392	1008	FB_CBA2.tmp.exe	notepad.exe
PID 1008 wrote to memory of 2392	1008	FB_CBA2.tmp.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe
"C:\Users\Admin\AppData\Local\Temp\c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Sakura" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\winog.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Sakura" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\winog.exe
3⤵
- Adds Run key to start application
PID:4592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\FB_CBA2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_CBA2.tmp.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe
"C:\Windows\system32\STE5MstR9N7H\notepad.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Users\Admin\AppData\Local\Temp\FB_CE81.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_CE81.tmp.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\upfile.exe
"C:\Users\Admin\AppData\Roaming\upfile.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_CBA2.tmp.exe
Filesize
232KB

MD5
3a708b5ecb675e5a90647ef477ea63b9

SHA1
35179515c96d64212fdc2e5e6d441fbe4eba5318

SHA256
7b6bf118dd160e3704100d26229dd0cc8bce0ed8ec95006a1c559ef6d836ccd4

SHA512
44dd1d4bd9eb2b255575c3999682200e180a04c1e8b8612279fee362305b398dd320641d0c0ed3787e779b4a456357940eea66bdad54ebadd222be601a3ee68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_CBA2.tmp.exe
Filesize
232KB

MD5
3a708b5ecb675e5a90647ef477ea63b9

SHA1
35179515c96d64212fdc2e5e6d441fbe4eba5318

SHA256
7b6bf118dd160e3704100d26229dd0cc8bce0ed8ec95006a1c559ef6d836ccd4

SHA512
44dd1d4bd9eb2b255575c3999682200e180a04c1e8b8612279fee362305b398dd320641d0c0ed3787e779b4a456357940eea66bdad54ebadd222be601a3ee68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_CE81.tmp.exe
Filesize
36KB

MD5
262d01e26ca4cc3c1892f412fdabdb2f

SHA1
30afa5bbafb1b789afe155fd609febfaa1df8881

SHA256
15f411580e38c2cec70dc7fea580322cfd4ac60cb5db1a95d3c1ab0cfbb627be

SHA512
d2e951e3a4b481f718b1e0e63d9530005bf8651f8991b3e4177ec84f25b4012928992f5b6fa4ad6da3922eea296b5db3c8b075b884889f91d2eb31b3e37a85e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_CE81.tmp.exe
Filesize
36KB

MD5
262d01e26ca4cc3c1892f412fdabdb2f

SHA1
30afa5bbafb1b789afe155fd609febfaa1df8881

SHA256
15f411580e38c2cec70dc7fea580322cfd4ac60cb5db1a95d3c1ab0cfbb627be

SHA512
d2e951e3a4b481f718b1e0e63d9530005bf8651f8991b3e4177ec84f25b4012928992f5b6fa4ad6da3922eea296b5db3c8b075b884889f91d2eb31b3e37a85e7

Download Submit
C:\Users\Admin\AppData\Roaming\upfile.exe
Filesize
36KB

MD5
262d01e26ca4cc3c1892f412fdabdb2f

SHA1
30afa5bbafb1b789afe155fd609febfaa1df8881

SHA256
15f411580e38c2cec70dc7fea580322cfd4ac60cb5db1a95d3c1ab0cfbb627be

SHA512
d2e951e3a4b481f718b1e0e63d9530005bf8651f8991b3e4177ec84f25b4012928992f5b6fa4ad6da3922eea296b5db3c8b075b884889f91d2eb31b3e37a85e7

Download Submit
C:\Users\Admin\AppData\Roaming\upfile.exe
Filesize
36KB

MD5
262d01e26ca4cc3c1892f412fdabdb2f

SHA1
30afa5bbafb1b789afe155fd609febfaa1df8881

SHA256
15f411580e38c2cec70dc7fea580322cfd4ac60cb5db1a95d3c1ab0cfbb627be

SHA512
d2e951e3a4b481f718b1e0e63d9530005bf8651f8991b3e4177ec84f25b4012928992f5b6fa4ad6da3922eea296b5db3c8b075b884889f91d2eb31b3e37a85e7

Download Submit
C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe
Filesize
232KB

MD5
3a708b5ecb675e5a90647ef477ea63b9

SHA1
35179515c96d64212fdc2e5e6d441fbe4eba5318

SHA256
7b6bf118dd160e3704100d26229dd0cc8bce0ed8ec95006a1c559ef6d836ccd4

SHA512
44dd1d4bd9eb2b255575c3999682200e180a04c1e8b8612279fee362305b398dd320641d0c0ed3787e779b4a456357940eea66bdad54ebadd222be601a3ee68b

Download Submit
C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe
Filesize
232KB

MD5
3a708b5ecb675e5a90647ef477ea63b9

SHA1
35179515c96d64212fdc2e5e6d441fbe4eba5318

SHA256
7b6bf118dd160e3704100d26229dd0cc8bce0ed8ec95006a1c559ef6d836ccd4

SHA512
44dd1d4bd9eb2b255575c3999682200e180a04c1e8b8612279fee362305b398dd320641d0c0ed3787e779b4a456357940eea66bdad54ebadd222be601a3ee68b

Download Submit
memory/1008-153-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1008-140-0x0000000000000000-mapping.dmp

Download
memory/1700-143-0x0000000000000000-mapping.dmp

Download
memory/2356-146-0x0000000000000000-mapping.dmp

Download
memory/2392-149-0x0000000000000000-mapping.dmp

Download
memory/2392-152-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2392-155-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2820-133-0x0000000000000000-mapping.dmp

Download
memory/3616-139-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3616-138-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3616-136-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3616-135-0x0000000000000000-mapping.dmp

Download
memory/4592-134-0x0000000000000000-mapping.dmp

Download
memory/5060-132-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/5060-154-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads