ardamax | 2fc377e680565a454d7dc0e04c042dccc2a6306f4368d93de59d69821842457d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe
Size

813KB
MD5

e2ebdccb8a3e4244261ca5ebb3d0f8a6
SHA1

c70105a7b64287c4e53548b54be6fe9f242f95f0
SHA256

2fc377e680565a454d7dc0e04c042dccc2a6306f4368d93de59d69821842457d
SHA512

208aa92a162e231b59730d1c4636ea2826920c5ecf94cc062640c1bfe792e6db5091653add3628c0d624185fa0e4a2384825dd1422aa4406ade0ed13cca148cd
SSDEEP

12288:+ctGE+lDwn8cUwp9MCEAjW7cp8V+6RG7io6ezCjnG3yWoI1UWQB:0EwDPcLjDEAjGU8V+x7QeezlhB

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023472-22.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	alalal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	HAWF.exe

Executes dropped EXE 2 IoCs

pid	Process
2264	alalal.exe
2084	HAWF.exe

Loads dropped DLL 6 IoCs

pid	Process
2264	alalal.exe
2084	HAWF.exe
2084	HAWF.exe
2084	HAWF.exe
4812	NOTEPAD.EXE
3208	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HAWF Agent = "C:\\Windows\\SysWOW64\\28463\\HAWF.exe"	HAWF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\HAWF.exe	alalal.exe
File created	C:\Windows\SysWOW64\28463\key.bin	alalal.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	alalal.exe
File opened for modification	C:\Windows\SysWOW64\28463	HAWF.exe
File created	C:\Windows\SysWOW64\28463\HAWF.001	alalal.exe
File created	C:\Windows\SysWOW64\28463\HAWF.006	alalal.exe
File created	C:\Windows\SysWOW64\28463\HAWF.007	alalal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3208	2084	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alalal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HAWF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\0\	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\MiscStatus\ = "2228625"	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\InProcServer32	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\ProgID	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\0	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\HELPDIR	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\DefaultIcon	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\0\win32\	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\TypeLib\	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\ProgID\	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\InProcServer32\ = "C:\\Windows\\SysWOW64\\mshtml.dll"	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\MiscStatus	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\ = "Adobe Acrobat 7.0 Browser Control Type Library 1.0"	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\FLAGS\	HAWF.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,-19"	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll"	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\FLAGS	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\BrowseInPlace	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\BrowseInPlace\	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\Version\	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\ = "Eneveqo.Fehoda"	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\MiscStatus\	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\0\win32	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\HELPDIR\	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\TypeLib	HAWF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\Version	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\DefaultIcon\	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\ProgID\ = "svgfile"	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\FLAGS\ = "0"	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\"	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\TypeLib\ = "{FAE9CE64-B9CA-32B2-11C8-8AA94B8FB95A}"	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\Version\ = "1.0"	HAWF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEBAE830-F14B-4FDB-469A-87E27E943C26}\InProcServer32\	HAWF.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4812	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2084	HAWF.exe
Token: SeIncBasePriorityPrivilege	2084	HAWF.exe
Token: SeIncBasePriorityPrivilege	2084	HAWF.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2084	HAWF.exe
2084	HAWF.exe
2084	HAWF.exe
2084	HAWF.exe
2084	HAWF.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2264	388	e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe	83
PID 388 wrote to memory of 2264	388	e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe	83
PID 388 wrote to memory of 2264	388	e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe	83
PID 388 wrote to memory of 4812	388	e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe	84
PID 388 wrote to memory of 4812	388	e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe	84
PID 388 wrote to memory of 4812	388	e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe	84
PID 2264 wrote to memory of 2084	2264	alalal.exe	85
PID 2264 wrote to memory of 2084	2264	alalal.exe	85
PID 2264 wrote to memory of 2084	2264	alalal.exe	85
PID 2084 wrote to memory of 2284	2084	HAWF.exe	98
PID 2084 wrote to memory of 2284	2084	HAWF.exe	98
PID 2084 wrote to memory of 2284	2084	HAWF.exe	98

C:\Users\Admin\AppData\Local\Temp\e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2ebdccb8a3e4244261ca5ebb3d0f8a6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\alalal.exe
  "C:\Users\Admin\AppData\Local\Temp\alalal.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\28463\HAWF.exe
    "C:\Windows\system32\28463\HAWF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1088
      4⤵
      Loads dropped DLL
      Program crash
      PID:3208
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\HAWF.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2284
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\hello.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2084 -ip 2084
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@97CB.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\alalal.exe

Filesize
783KB

MD5
d8e63038cd315c939bceb4333959c8ff

SHA1
2bc6b710064dfa44f13dec3b0631c9203b5a484f

SHA256
5bb8b60c931e2dc1b3080471ffc9b0612d1b5d9055a63feb07fb3db5d8f4d6cf

SHA512
54f8a2403496097b30bb8cf444dec7b3868dc57b80d8d96b385d406eb5a2482711cb2ec8bdfcb8b49e63784973513dee5187996af996379a416fbd8602b2ba5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello.txt

Filesize
40B

MD5
0818a2155823f8c4d1e6b2a24d4b86ac

SHA1
3764085a15922b359b0d4a714c10dbd020f23f36

SHA256
a49cafc9b464f56a529f917851d7f292969f157dffcc2392006bbe15811b489a

SHA512
be3de98b5e25cccf6e50c6d78bae9fa00af54482d25e2caf1995f3808d4247d8f5251d535e08ee84c5d9b22e9bdad5d4765ba5ca8fdeaf672cda42eb7ded571d

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\HAWF.001

Filesize
446B

MD5
12f3f808506762ba31b6ab8ae9bef99c

SHA1
4aae9bef8ddd534e11a87f1be45a9be7cad3c4a4

SHA256
7b76928bbb5948e2fb83915515b9d5ad0c596d5f5b2d46d2dc300089759f6be0

SHA512
dc0465a96d52bfc52cc3a6182dfb9200f6a7b1b42a0d21f824089dc517376575e16117ebe38020df695d66a57580fd81de9929a3aa4b4575d580a33303cf616c

Download Submit
C:\Windows\SysWOW64\28463\HAWF.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
C:\Windows\SysWOW64\28463\HAWF.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\HAWF.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
a7803747d88ef30694f734728947208f

SHA1
66d940969be262153388f57209f60b4840f78fa5

SHA256
5a155301048acd3ee2e64682ca9ea92fed5a5821515ad1b94f0f9555f9198de4

SHA512
7bc14fdc47f372bfa00d627afd3bbd76f4efdad86727b198ba85c151a5b6d25466836ac4f87a228128eb0d16254449b9e26e731ce781b6003a83892dabb4c185

Download Submit
memory/2084-29-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2084-42-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2084-45-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2084-50-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads