formbook | 72a32e559653c3ef0b9f2c2065707850b24225f77dd9ec4dd3ebfffed43002fb

General

Target

Signed PI % Payment Order Order.exe
Size

1.1MB
MD5

ce8dfa3ab6e40ef88605b208e48fdfa9
SHA1

120c14d5da5c24721edd92f140b8a6de180679d7
SHA256

72a32e559653c3ef0b9f2c2065707850b24225f77dd9ec4dd3ebfffed43002fb
SHA512

27dd308465ff5ef1ad5b5bf2f6d433430b1b094b22d52ec13629b8c318cb2eb7de834d189c538057ccfb1e124744c64947aa46dd8c7133156eb89189124d95a7
SSDEEP

24576:ygaIphuOCwQSQ8eD0nzOt1ytFvDgIFoc5:y2B2DmzOt1ytFvDpFoc

Score

10^/10

formbook modiloader n7ak nvp4 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nvp4

Decoy

EiywrQNofDNveWY1IESoBA==

yqEWFGRfErX7ICQCwyQ+YeLXtaA=

Ers0rc50nbjso0jbdZTmBw==

XQxVP45+F5OZn3ZBTC7MLe1OF3G5c5uK9A==

RHh4uwtsttjzlxy+eW3+

W+xQshfnvmF5n5x2d+cEVdBNIkQRHRE=

FwlyiuXNX0+Trw==

euLn91on/7DeDe++zbQ4YeLXtaA=

td4cO8m3HDRWtl8p7Q==

ZrlyAAPqc3GXI5k=

OM0IisKOI78FJC/IuIxxAu5nRg==

d6A0QJ6PV+AOpyK+eW3+

+EgxFWUu3Ulatl8p7Q==

GC/stck1ILXn+cWZx7w8W6rPFmO6c5uK9A==

hhIiK4+CKEOfB4tr

mA1pyQ85ye8N

4xgWYcEpEoidv8eXKNncAQ==

L+hOVbe+IWyc8oVUclc=

J7EGaJ+L+wKLXUYg7w==

L5R/nfdgQdMHD+TUKw1Zo3Hb

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

wise-transfer.info

jam-nins.com

thebestsocialcrm.com

majomeow222.com

ancientshadowguilt.space

gentleman-china.com

parquemermoz.store

taxuw.com

sharqiyapaints.com

libraryofkath.com

1949wan.com

synqr.net

bitchessgirls.com

btonu.cfd

coding-bootcamps-16314.com

leadership22-tdh.site

maximsboutique.com

irishsummertruffles.com

sdnaqianchuan.com

uyews.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1432-164-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/2348-166-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/2704-172-0x0000000000C80000-0x0000000000CAF000-memory.dmp	formbook

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2720-132-0x00000000040E0000-0x000000000410C000-memory.dmp	modiloader_stage2
behavioral2/memory/1432-156-0x0000000002AB0000-0x0000000002ADF000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

kzqlhzo.exe

pid process

1432 kzqlhzo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1432	kzqlhzo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Signed PI % Payment Order Order.exekzqlhzo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kvkdyihh = "C:\\Users\\Public\\Libraries\\hhiydkvK.url"	Signed PI % Payment Order Order.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgpvztlr = "C:\\Users\\Public\\Libraries\\rltzvpgT.url"	kzqlhzo.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

colorcpl.exeipconfig.exeiexpress.execontrol.exe

description	pid	process	target process
PID 4820 set thread context of 2480	4820	colorcpl.exe	Explorer.EXE
PID 1724 set thread context of 2480	1724	ipconfig.exe	Explorer.EXE
PID 2348 set thread context of 2480	2348	iexpress.exe	Explorer.EXE
PID 2704 set thread context of 2480	2704	control.exe	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1724 ipconfig.exe

pid	process
1724	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.execontrol.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe
Key created	\Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Signed PI % Payment Order Order.execolorcpl.exeipconfig.exekzqlhzo.exeiexpress.execontrol.exe

pid	process
2720	Signed PI % Payment Order Order.exe
2720	Signed PI % Payment Order Order.exe
4820	colorcpl.exe
4820	colorcpl.exe
4820	colorcpl.exe
4820	colorcpl.exe
4820	colorcpl.exe
4820	colorcpl.exe
4820	colorcpl.exe
4820	colorcpl.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1432	kzqlhzo.exe
1432	kzqlhzo.exe
2348	iexpress.exe
2348	iexpress.exe
2348	iexpress.exe
2348	iexpress.exe
1724	ipconfig.exe
1724	ipconfig.exe
2704	control.exe
2704	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2480 Explorer.EXE

pid	process
2480	Explorer.EXE

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

colorcpl.exeipconfig.exeiexpress.execontrol.exe

pid	process
4820	colorcpl.exe
4820	colorcpl.exe
4820	colorcpl.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
1724	ipconfig.exe
2348	iexpress.exe
2348	iexpress.exe
2348	iexpress.exe
2704	control.exe
2704	control.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

colorcpl.exeExplorer.EXEipconfig.exeiexpress.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	4820	colorcpl.exe
Token: SeShutdownPrivilege	2480	Explorer.EXE
Token: SeCreatePagefilePrivilege	2480	Explorer.EXE
Token: SeShutdownPrivilege	2480	Explorer.EXE
Token: SeCreatePagefilePrivilege	2480	Explorer.EXE
Token: SeDebugPrivilege	1724	ipconfig.exe
Token: SeShutdownPrivilege	2480	Explorer.EXE
Token: SeCreatePagefilePrivilege	2480	Explorer.EXE
Token: SeShutdownPrivilege	2480	Explorer.EXE
Token: SeCreatePagefilePrivilege	2480	Explorer.EXE
Token: SeDebugPrivilege	2348	iexpress.exe
Token: SeShutdownPrivilege	2480	Explorer.EXE
Token: SeCreatePagefilePrivilege	2480	Explorer.EXE
Token: SeShutdownPrivilege	2480	Explorer.EXE
Token: SeCreatePagefilePrivilege	2480	Explorer.EXE
Token: SeDebugPrivilege	2704	control.exe
Token: SeShutdownPrivilege	2480	Explorer.EXE
Token: SeCreatePagefilePrivilege	2480	Explorer.EXE
Token: SeShutdownPrivilege	2480	Explorer.EXE
Token: SeCreatePagefilePrivilege	2480	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Signed PI % Payment Order Order.exeExplorer.EXEipconfig.exekzqlhzo.execontrol.exe

description	pid	process	target process
PID 2720 wrote to memory of 4820	2720	Signed PI % Payment Order Order.exe	colorcpl.exe
PID 2720 wrote to memory of 4820	2720	Signed PI % Payment Order Order.exe	colorcpl.exe
PID 2720 wrote to memory of 4820	2720	Signed PI % Payment Order Order.exe	colorcpl.exe
PID 2720 wrote to memory of 4820	2720	Signed PI % Payment Order Order.exe	colorcpl.exe
PID 2720 wrote to memory of 4820	2720	Signed PI % Payment Order Order.exe	colorcpl.exe
PID 2720 wrote to memory of 4820	2720	Signed PI % Payment Order Order.exe	colorcpl.exe
PID 2480 wrote to memory of 1724	2480	Explorer.EXE	ipconfig.exe
PID 2480 wrote to memory of 1724	2480	Explorer.EXE	ipconfig.exe
PID 2480 wrote to memory of 1724	2480	Explorer.EXE	ipconfig.exe
PID 1724 wrote to memory of 2264	1724	ipconfig.exe	Firefox.exe
PID 1724 wrote to memory of 2264	1724	ipconfig.exe	Firefox.exe
PID 1724 wrote to memory of 2264	1724	ipconfig.exe	Firefox.exe
PID 1724 wrote to memory of 1432	1724	ipconfig.exe	kzqlhzo.exe
PID 1724 wrote to memory of 1432	1724	ipconfig.exe	kzqlhzo.exe
PID 1724 wrote to memory of 1432	1724	ipconfig.exe	kzqlhzo.exe
PID 1432 wrote to memory of 2348	1432	kzqlhzo.exe	iexpress.exe
PID 1432 wrote to memory of 2348	1432	kzqlhzo.exe	iexpress.exe
PID 1432 wrote to memory of 2348	1432	kzqlhzo.exe	iexpress.exe
PID 1432 wrote to memory of 2348	1432	kzqlhzo.exe	iexpress.exe
PID 1432 wrote to memory of 2348	1432	kzqlhzo.exe	iexpress.exe
PID 1432 wrote to memory of 2348	1432	kzqlhzo.exe	iexpress.exe
PID 2480 wrote to memory of 2704	2480	Explorer.EXE	control.exe
PID 2480 wrote to memory of 2704	2480	Explorer.EXE	control.exe
PID 2480 wrote to memory of 2704	2480	Explorer.EXE	control.exe
PID 2704 wrote to memory of 1772	2704	control.exe	cmd.exe
PID 2704 wrote to memory of 1772	2704	control.exe	cmd.exe
PID 2704 wrote to memory of 1772	2704	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\Signed PI % Payment Order Order.exe
"C:\Users\Admin\AppData\Local\Temp\Signed PI % Payment Order Order.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\kzqlhzo.exe
"C:\Users\Admin\AppData\Local\Temp\kzqlhzo.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\iexpress.exe
C:\Windows\System32\iexpress.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
05e0fa39bab6b25f876280dbd070d7c6

SHA1
f7705a543aba81271727fc76a805992451bb41cf

SHA256
d926f9f74cfb54322ea59589f6b45e01d3503d03786440cf65545dbaad256445

SHA512
84b2f611f83f412b963edaf9ac9e2d0facd7f7ee3b97ec7d0221c16b2fc44012c0e7322260ca21a51fa78844e98d7fd0ab80874f388d62f7a005467f6baacca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
1646532f99b1b2b4f86254d1defaf717

SHA1
b983e07f7db93f4e1c4b8255a2cdb68dfd5a8144

SHA256
2c6cef6ea5d413b276f6e6a424fd54c60861a0098a03020fa1592f3d5546072f

SHA512
ccf84656056918dea6398ff47e94cf9cb4ce376348ad309a87c689906f05ff69577079504715535b14f23ee387a88350ac80c6311eec0559fd5ba28a7886cc07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
412B

MD5
ca0556be185760f46ae31fa602a01e9f

SHA1
b552bc85ba0cf9eaf36c403fa8a30e33d8c4d0bb

SHA256
891dce1b1c038ca0327bf8ae1e6e70d50342fcd76adbd342069d7823ce99aff9

SHA512
37c07bdfb7b61e517d46ea037334b3408f9d72865b7b11ecfcb9fb00b1a4acaffeca5b68c1ec3a8d1225ea08a7d02177b9d053d4abeaa17a80cc4cfe5f802653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
bbfb36db22e0fc17f076b61785f077c8

SHA1
bd1e043d329405b8e90fd6333d62e20b89f923d4

SHA256
22ccc40e54c441ba5b2b59f83b46b92ef75efbd4c8d50316e74bf6e5b4b5371a

SHA512
142d145de4f40a48706922d1e874a02098729277ab0fb353ca07ba28b8efc1412e04d8635d11784ce065efd1c6aa7b58bd77a85c83e508eb8d7c630b2d0adb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzqlhzo.exe
Filesize
813KB

MD5
64d2846157591b66f661d92828378740

SHA1
d0518b9a33520f734c18f9899f12f4dc174bb4d5

SHA256
88acaeea01d4d295442dce0a661af093c36ba08c69c2aa943a3d8d8c55688058

SHA512
a35f6f804356358b5cc1f10a9a99816c4897c61d93289237e9c95e0bc0109a6a6664d88edfe9fe1d185f0ec57a50dcf090d28356f1e4e020e6598382aa56ccb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzqlhzo.exe
Filesize
813KB

MD5
64d2846157591b66f661d92828378740

SHA1
d0518b9a33520f734c18f9899f12f4dc174bb4d5

SHA256
88acaeea01d4d295442dce0a661af093c36ba08c69c2aa943a3d8d8c55688058

SHA512
a35f6f804356358b5cc1f10a9a99816c4897c61d93289237e9c95e0bc0109a6a6664d88edfe9fe1d185f0ec57a50dcf090d28356f1e4e020e6598382aa56ccb7

Download Submit
memory/1432-163-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1432-153-0x0000000000000000-mapping.dmp

Download
memory/1432-156-0x0000000002AB0000-0x0000000002ADF000-memory.dmp

Filesize
188KB

Download
memory/1432-164-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1724-145-0x0000000000000000-mapping.dmp

Download
memory/1724-146-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/1724-147-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/1724-148-0x0000000000FE0000-0x000000000132A000-memory.dmp

Filesize
3.3MB

Download
memory/1724-150-0x0000000000D30000-0x0000000000DBF000-memory.dmp

Filesize
572KB

Download
memory/1724-149-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/1772-174-0x0000000000000000-mapping.dmp

Download
memory/2348-166-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/2348-162-0x0000000000000000-mapping.dmp

Download
memory/2348-167-0x00000000042E0000-0x000000000462A000-memory.dmp

Filesize
3.3MB

Download
memory/2348-168-0x0000000004240000-0x0000000004254000-memory.dmp

Filesize
80KB

Download
memory/2480-151-0x0000000008550000-0x0000000008696000-memory.dmp

Filesize
1.3MB

Download
memory/2480-177-0x00000000086A0000-0x00000000087C3000-memory.dmp

Filesize
1.1MB

Download
memory/2480-144-0x0000000008020000-0x000000000810B000-memory.dmp

Filesize
940KB

Download
memory/2480-169-0x00000000083A0000-0x00000000084DA000-memory.dmp

Filesize
1.2MB

Download
memory/2480-152-0x0000000008550000-0x0000000008696000-memory.dmp

Filesize
1.3MB

Download
memory/2704-171-0x0000000000950000-0x0000000000977000-memory.dmp

Filesize
156KB

Download
memory/2704-170-0x0000000000000000-mapping.dmp

Download
memory/2704-172-0x0000000000C80000-0x0000000000CAF000-memory.dmp

Filesize
188KB

Download
memory/2704-173-0x0000000002BB0000-0x0000000002EFA000-memory.dmp

Filesize
3.3MB

Download
memory/2704-176-0x00000000029F0000-0x0000000002A83000-memory.dmp

Filesize
588KB

Download
memory/2720-136-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/2720-132-0x00000000040E0000-0x000000000410C000-memory.dmp

Filesize
176KB

Download
memory/2720-135-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4820-138-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4820-139-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4820-141-0x0000000004D10000-0x000000000505A000-memory.dmp

Filesize
3.3MB

Download
memory/4820-143-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4820-134-0x0000000000000000-mapping.dmp

Download
memory/4820-142-0x0000000010432000-0x0000000010434000-memory.dmp

Filesize
8KB

Download
memory/4820-140-0x0000000010411000-0x000000001043F000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads