darkcomet | 1111f013a010a57a6739a8d4d0891728547cbbf80e45e77369a05d3423a28915

General

Target

NanoCore.exe
Size

1.1MB
MD5

e4aeb7b31d677a5a9a58a4762fab1321
SHA1

a5e7279b6d59236296031ff87976e33fbd8cf34d
SHA256

1111f013a010a57a6739a8d4d0891728547cbbf80e45e77369a05d3423a28915
SHA512

964dda5030a54493aeebb8b478a76ccd98456184224332e66d5b693d311c83da11c360355c8d73e539ebc7b6ed0d0d2e78f65eef0f75d48c64a63cf10411e1fa
SSDEEP

24576:sdZ1xuVVjfFoynPaVBUR8f+kN10EBIQXiClSI5tIkjh:snQDgok30Edb

Score

10^/10

darkcomet nanocore idman evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

IDMAN

C2

arrivals.ddns.net:2323

Mutex

DC_MUTEX-391X2ZJ

Attributes

InstallPath
MSDCSC\IDMAN.exe
gencode
CUWbhGwmWBMb
install
true
offline_keylogger
true
persistence
true
reg_key
IDMAN

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

CRACKED.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\IDMAN.exe"	CRACKED.EXE

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

IDMAN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	IDMAN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	IDMAN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	IDMAN.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 3 IoCs

Processes:

CRACKED.EXENANOCORE.EXEIDMAN.exe

pid process

2960 CRACKED.EXE
4068 NANOCORE.EXE
4120 IDMAN.exe

pid	process
2960	CRACKED.EXE
4068	NANOCORE.EXE
4120	IDMAN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CRACKED.EXEIDMAN.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMAN = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\IDMAN.exe"	CRACKED.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMAN = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\IDMAN.exe"	IDMAN.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

taskmgr.exedw20.exe

pid	process
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
1488	dw20.exe
1488	dw20.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IDMAN.exe

pid process

4120 IDMAN.exe

pid	process
4120	IDMAN.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

CRACKED.EXEIDMAN.exetaskmgr.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2960	CRACKED.EXE
Token: SeSecurityPrivilege	2960	CRACKED.EXE
Token: SeTakeOwnershipPrivilege	2960	CRACKED.EXE
Token: SeLoadDriverPrivilege	2960	CRACKED.EXE
Token: SeSystemProfilePrivilege	2960	CRACKED.EXE
Token: SeSystemtimePrivilege	2960	CRACKED.EXE
Token: SeProfSingleProcessPrivilege	2960	CRACKED.EXE
Token: SeIncBasePriorityPrivilege	2960	CRACKED.EXE
Token: SeCreatePagefilePrivilege	2960	CRACKED.EXE
Token: SeBackupPrivilege	2960	CRACKED.EXE
Token: SeRestorePrivilege	2960	CRACKED.EXE
Token: SeShutdownPrivilege	2960	CRACKED.EXE
Token: SeDebugPrivilege	2960	CRACKED.EXE
Token: SeSystemEnvironmentPrivilege	2960	CRACKED.EXE
Token: SeChangeNotifyPrivilege	2960	CRACKED.EXE
Token: SeRemoteShutdownPrivilege	2960	CRACKED.EXE
Token: SeUndockPrivilege	2960	CRACKED.EXE
Token: SeManageVolumePrivilege	2960	CRACKED.EXE
Token: SeImpersonatePrivilege	2960	CRACKED.EXE
Token: SeCreateGlobalPrivilege	2960	CRACKED.EXE
Token: 33	2960	CRACKED.EXE
Token: 34	2960	CRACKED.EXE
Token: 35	2960	CRACKED.EXE
Token: 36	2960	CRACKED.EXE
Token: SeIncreaseQuotaPrivilege	4120	IDMAN.exe
Token: SeSecurityPrivilege	4120	IDMAN.exe
Token: SeTakeOwnershipPrivilege	4120	IDMAN.exe
Token: SeLoadDriverPrivilege	4120	IDMAN.exe
Token: SeSystemProfilePrivilege	4120	IDMAN.exe
Token: SeSystemtimePrivilege	4120	IDMAN.exe
Token: SeProfSingleProcessPrivilege	4120	IDMAN.exe
Token: SeIncBasePriorityPrivilege	4120	IDMAN.exe
Token: SeCreatePagefilePrivilege	4120	IDMAN.exe
Token: SeBackupPrivilege	4120	IDMAN.exe
Token: SeRestorePrivilege	4120	IDMAN.exe
Token: SeShutdownPrivilege	4120	IDMAN.exe
Token: SeDebugPrivilege	4120	IDMAN.exe
Token: SeSystemEnvironmentPrivilege	4120	IDMAN.exe
Token: SeChangeNotifyPrivilege	4120	IDMAN.exe
Token: SeRemoteShutdownPrivilege	4120	IDMAN.exe
Token: SeUndockPrivilege	4120	IDMAN.exe
Token: SeManageVolumePrivilege	4120	IDMAN.exe
Token: SeImpersonatePrivilege	4120	IDMAN.exe
Token: SeCreateGlobalPrivilege	4120	IDMAN.exe
Token: 33	4120	IDMAN.exe
Token: 34	4120	IDMAN.exe
Token: 35	4120	IDMAN.exe
Token: 36	4120	IDMAN.exe
Token: SeDebugPrivilege	3516	taskmgr.exe
Token: SeSystemProfilePrivilege	3516	taskmgr.exe
Token: SeCreateGlobalPrivilege	3516	taskmgr.exe
Token: 33	3516	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3516	taskmgr.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

taskmgr.exedw20.exe

pid	process
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
1488	dw20.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe

Suspicious use of SendNotifyMessage 42 IoCs

Processes:

taskmgr.exe

pid	process
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe
3516	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IDMAN.exe

pid process

4120 IDMAN.exe

pid	process
4120	IDMAN.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

NanoCore.exeCRACKED.EXEIDMAN.exeNANOCORE.EXE

description	pid	process	target process
PID 2464 wrote to memory of 2960	2464	NanoCore.exe	CRACKED.EXE
PID 2464 wrote to memory of 2960	2464	NanoCore.exe	CRACKED.EXE
PID 2464 wrote to memory of 2960	2464	NanoCore.exe	CRACKED.EXE
PID 2464 wrote to memory of 4068	2464	NanoCore.exe	NANOCORE.EXE
PID 2464 wrote to memory of 4068	2464	NanoCore.exe	NANOCORE.EXE
PID 2960 wrote to memory of 4120	2960	CRACKED.EXE	IDMAN.exe
PID 2960 wrote to memory of 4120	2960	CRACKED.EXE	IDMAN.exe
PID 2960 wrote to memory of 4120	2960	CRACKED.EXE	IDMAN.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4120 wrote to memory of 3060	4120	IDMAN.exe	notepad.exe
PID 4068 wrote to memory of 1488	4068	NANOCORE.EXE	dw20.exe
PID 4068 wrote to memory of 1488	4068	NANOCORE.EXE	dw20.exe

C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
"C:\Users\Admin\AppData\Local\Temp\NanoCore.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Roaming\CRACKED.EXE
"C:\Users\Admin\AppData\Roaming\CRACKED.EXE"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:3060

C:\Users\Admin\AppData\Roaming\NANOCORE.EXE
"C:\Users\Admin\AppData\Roaming\NANOCORE.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1036
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CRACKED.EXE
Filesize
659KB

MD5
94c5b3199414b8fca9f134724acdd88e

SHA1
6c95291364476fc10c4e343120225dae72d11233

SHA256
dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536

SHA512
5fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1

Download Submit
C:\Users\Admin\AppData\Roaming\CRACKED.EXE
Filesize
659KB

MD5
94c5b3199414b8fca9f134724acdd88e

SHA1
6c95291364476fc10c4e343120225dae72d11233

SHA256
dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536

SHA512
5fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe
Filesize
659KB

MD5
94c5b3199414b8fca9f134724acdd88e

SHA1
6c95291364476fc10c4e343120225dae72d11233

SHA256
dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536

SHA512
5fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe
Filesize
659KB

MD5
94c5b3199414b8fca9f134724acdd88e

SHA1
6c95291364476fc10c4e343120225dae72d11233

SHA256
dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536

SHA512
5fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe
Filesize
659KB

MD5
94c5b3199414b8fca9f134724acdd88e

SHA1
6c95291364476fc10c4e343120225dae72d11233

SHA256
dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536

SHA512
5fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1

Download Submit
C:\Users\Admin\AppData\Roaming\NANOCORE.EXE
Filesize
403KB

MD5
d902fb22b92a7455eeac95712e9c2179

SHA1
8e4e0d0965055517c1ddef8442cf74c4f3d700af

SHA256
58f962401b52e043325cec66d88ad73032165cd0b8c3de1ec95292d83416b81f

SHA512
d097b22e30c20322c30f464dabf5bffeedc3e3728b82911db5f3ba79735915a3bb0fbc4bce65a153f665dc5e04ba93b6000d4230f8610bd17dbe3d625dff4269

Download Submit
C:\Users\Admin\AppData\Roaming\NANOCORE.EXE
Filesize
403KB

MD5
d902fb22b92a7455eeac95712e9c2179

SHA1
8e4e0d0965055517c1ddef8442cf74c4f3d700af

SHA256
58f962401b52e043325cec66d88ad73032165cd0b8c3de1ec95292d83416b81f

SHA512
d097b22e30c20322c30f464dabf5bffeedc3e3728b82911db5f3ba79735915a3bb0fbc4bce65a153f665dc5e04ba93b6000d4230f8610bd17dbe3d625dff4269

Download Submit
memory/2960-139-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2960-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3060-142-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/4068-143-0x000000001BBF0000-0x000000001C0BE000-memory.dmp

Filesize
4.8MB

Download
memory/4068-159-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/4068-140-0x000000001B670000-0x000000001B716000-memory.dmp

Filesize
664KB

Download
memory/4068-144-0x000000001C160000-0x000000001C1FC000-memory.dmp

Filesize
624KB

Download
memory/4068-135-0x00000000006E0000-0x000000000074C000-memory.dmp

Filesize
432KB

Download
memory/4068-141-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/4068-149-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/4068-151-0x000000001C380000-0x000000001C3CC000-memory.dmp

Filesize
304KB

Download
memory/4120-146-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4120-158-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4120-162-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4120-163-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4120-164-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4120-165-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4120-166-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4120-167-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4120-168-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads