remcos | c09cb187ead292e38f9552449115d0e8ad5211f65cd6cc2ad2a2e8249d7481ec

General

Target

414f4a3b05028be19e006ae2ba9182b6.exe
Size

595KB
MD5

414f4a3b05028be19e006ae2ba9182b6
SHA1

2a66efff8a0dfcf8d0ac247940b8f790c3c9d377
SHA256

c09cb187ead292e38f9552449115d0e8ad5211f65cd6cc2ad2a2e8249d7481ec
SHA512

82491b4e7876aa3d4306f1fdde6838e93fa123e0b66df8e262275be3fc5b80565475651bcc39765240467b209ca099522afa602ec414ebd9ee5bcaa8dc8a9a44
SSDEEP

12288:Ongh/PsZ1DX/VDJ8rrvE4kynl6i6rJ49j9qkaxv:Ongh/PVU4kYqJK9qkC

Score

10^/10

remcos nov 24th evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Nov 24th

C2

gcrozona.duckdns.org:6062

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Microsoft Intel Audios.exe
copy_folder
Audio Microsoft File
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Window Security Check
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

Processes:

Microsoft Intel Audios.exeMicrosoft Intel Audios.exe

pid process

1084 Microsoft Intel Audios.exe
1964 Microsoft Intel Audios.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1576 cmd.exe
1576 cmd.exe

pid	process
1084	Microsoft Intel Audios.exe
1964	Microsoft Intel Audios.exe

pid	process
1576	cmd.exe
1576	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Microsoft Intel Audios.exe414f4a3b05028be19e006ae2ba9182b6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window Security Check = "\"C:\\Windows\\Audio Microsoft File\\Microsoft Intel Audios.exe\""	Microsoft Intel Audios.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	414f4a3b05028be19e006ae2ba9182b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window Security Check = "\"C:\\Windows\\Audio Microsoft File\\Microsoft Intel Audios.exe\""	414f4a3b05028be19e006ae2ba9182b6.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Microsoft Intel Audios.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

414f4a3b05028be19e006ae2ba9182b6.exeMicrosoft Intel Audios.exe

description	pid	process	target process
PID 1396 set thread context of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1084 set thread context of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe

Drops file in Windows directory 5 IoCs

Processes:

Microsoft Intel Audios.exe414f4a3b05028be19e006ae2ba9182b6.exe

description	ioc	process
File opened for modification	C:\Windows\Windows Display\logs.dat	Microsoft Intel Audios.exe
File created	C:\Windows\Windows Display\logs.dat	Microsoft Intel Audios.exe
File created	C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe	414f4a3b05028be19e006ae2ba9182b6.exe
File opened for modification	C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe	414f4a3b05028be19e006ae2ba9182b6.exe
File opened for modification	C:\Windows\Audio Microsoft File	414f4a3b05028be19e006ae2ba9182b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1432 reg.exe
892 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1692 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

414f4a3b05028be19e006ae2ba9182b6.exe

pid process

1396 414f4a3b05028be19e006ae2ba9182b6.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

414f4a3b05028be19e006ae2ba9182b6.exe

description pid process

Token: SeDebugPrivilege 1396 414f4a3b05028be19e006ae2ba9182b6.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft Intel Audios.exe

pid process

1964 Microsoft Intel Audios.exe

pid	process
1432	reg.exe
892	reg.exe

pid	process
1692	PING.EXE

pid	process
1396	414f4a3b05028be19e006ae2ba9182b6.exe

description	pid	process
Token: SeDebugPrivilege	1396	414f4a3b05028be19e006ae2ba9182b6.exe

pid	process
1964	Microsoft Intel Audios.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

414f4a3b05028be19e006ae2ba9182b6.exe414f4a3b05028be19e006ae2ba9182b6.execmd.execmd.exeMicrosoft Intel Audios.exeMicrosoft Intel Audios.execmd.exe

description	pid	process	target process
PID 1396 wrote to memory of 596	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 596	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 596	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 596	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 1396 wrote to memory of 676	1396	414f4a3b05028be19e006ae2ba9182b6.exe	414f4a3b05028be19e006ae2ba9182b6.exe
PID 676 wrote to memory of 1832	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 676 wrote to memory of 1832	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 676 wrote to memory of 1832	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 676 wrote to memory of 1832	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 1832 wrote to memory of 1432	1832	cmd.exe	reg.exe
PID 1832 wrote to memory of 1432	1832	cmd.exe	reg.exe
PID 1832 wrote to memory of 1432	1832	cmd.exe	reg.exe
PID 1832 wrote to memory of 1432	1832	cmd.exe	reg.exe
PID 676 wrote to memory of 1576	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 676 wrote to memory of 1576	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 676 wrote to memory of 1576	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 676 wrote to memory of 1576	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 676 wrote to memory of 1576	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 676 wrote to memory of 1576	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 676 wrote to memory of 1576	676	414f4a3b05028be19e006ae2ba9182b6.exe	cmd.exe
PID 1576 wrote to memory of 1692	1576	cmd.exe	PING.EXE
PID 1576 wrote to memory of 1692	1576	cmd.exe	PING.EXE
PID 1576 wrote to memory of 1692	1576	cmd.exe	PING.EXE
PID 1576 wrote to memory of 1692	1576	cmd.exe	PING.EXE
PID 1576 wrote to memory of 1084	1576	cmd.exe	Microsoft Intel Audios.exe
PID 1576 wrote to memory of 1084	1576	cmd.exe	Microsoft Intel Audios.exe
PID 1576 wrote to memory of 1084	1576	cmd.exe	Microsoft Intel Audios.exe
PID 1576 wrote to memory of 1084	1576	cmd.exe	Microsoft Intel Audios.exe
PID 1084 wrote to memory of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1084 wrote to memory of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1084 wrote to memory of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1084 wrote to memory of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1084 wrote to memory of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1084 wrote to memory of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1084 wrote to memory of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1084 wrote to memory of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1084 wrote to memory of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1084 wrote to memory of 1964	1084	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1964 wrote to memory of 988	1964	Microsoft Intel Audios.exe	cmd.exe
PID 1964 wrote to memory of 988	1964	Microsoft Intel Audios.exe	cmd.exe
PID 1964 wrote to memory of 988	1964	Microsoft Intel Audios.exe	cmd.exe
PID 1964 wrote to memory of 988	1964	Microsoft Intel Audios.exe	cmd.exe
PID 988 wrote to memory of 892	988	cmd.exe	reg.exe
PID 988 wrote to memory of 892	988	cmd.exe	reg.exe
PID 988 wrote to memory of 892	988	cmd.exe	reg.exe
PID 988 wrote to memory of 892	988	cmd.exe	reg.exe
PID 1964 wrote to memory of 1900	1964	Microsoft Intel Audios.exe	iexplore.exe
PID 1964 wrote to memory of 1900	1964	Microsoft Intel Audios.exe	iexplore.exe
PID 1964 wrote to memory of 1900	1964	Microsoft Intel Audios.exe	iexplore.exe
PID 1964 wrote to memory of 1900	1964	Microsoft Intel Audios.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\414f4a3b05028be19e006ae2ba9182b6.exe
"C:\Users\Admin\AppData\Local\Temp\414f4a3b05028be19e006ae2ba9182b6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\414f4a3b05028be19e006ae2ba9182b6.exe
  "C:\Users\Admin\AppData\Local\Temp\414f4a3b05028be19e006ae2ba9182b6.exe"
  2⤵
  PID:596
- C:\Users\Admin\AppData\Local\Temp\414f4a3b05028be19e006ae2ba9182b6.exe
  "C:\Users\Admin\AppData\Local\Temp\414f4a3b05028be19e006ae2ba9182b6.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:1692
  - - C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe
      "C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe
        
        "C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:892
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
109B

MD5
8ddcdd0ab01b0740982e7b78b1591015

SHA1
acbb9c4bb32822a164f200f8b77eda0ce7bd758d

SHA256
7c1abbf1a20f581d2db76d769cc14cf753a412cf92e383a36ffbf0c962eaf678

SHA512
ef43e3cb89c800529530183d4315782a864281ef8a0e6443a54ccc4f1837fcbfe43027b399bb43ea114fab70416d49b3cb2539cf8bf658b4b447c4e8597959dc

Download Submit
C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe

Filesize
595KB

MD5
414f4a3b05028be19e006ae2ba9182b6

SHA1
2a66efff8a0dfcf8d0ac247940b8f790c3c9d377

SHA256
c09cb187ead292e38f9552449115d0e8ad5211f65cd6cc2ad2a2e8249d7481ec

SHA512
82491b4e7876aa3d4306f1fdde6838e93fa123e0b66df8e262275be3fc5b80565475651bcc39765240467b209ca099522afa602ec414ebd9ee5bcaa8dc8a9a44

Download Submit
C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe

Filesize
595KB

MD5
414f4a3b05028be19e006ae2ba9182b6

SHA1
2a66efff8a0dfcf8d0ac247940b8f790c3c9d377

SHA256
c09cb187ead292e38f9552449115d0e8ad5211f65cd6cc2ad2a2e8249d7481ec

SHA512
82491b4e7876aa3d4306f1fdde6838e93fa123e0b66df8e262275be3fc5b80565475651bcc39765240467b209ca099522afa602ec414ebd9ee5bcaa8dc8a9a44

Download Submit
C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe

Filesize
595KB

MD5
414f4a3b05028be19e006ae2ba9182b6

SHA1
2a66efff8a0dfcf8d0ac247940b8f790c3c9d377

SHA256
c09cb187ead292e38f9552449115d0e8ad5211f65cd6cc2ad2a2e8249d7481ec

SHA512
82491b4e7876aa3d4306f1fdde6838e93fa123e0b66df8e262275be3fc5b80565475651bcc39765240467b209ca099522afa602ec414ebd9ee5bcaa8dc8a9a44

Download Submit
\Windows\Audio Microsoft File\Microsoft Intel Audios.exe

Filesize
595KB

MD5
414f4a3b05028be19e006ae2ba9182b6

SHA1
2a66efff8a0dfcf8d0ac247940b8f790c3c9d377

SHA256
c09cb187ead292e38f9552449115d0e8ad5211f65cd6cc2ad2a2e8249d7481ec

SHA512
82491b4e7876aa3d4306f1fdde6838e93fa123e0b66df8e262275be3fc5b80565475651bcc39765240467b209ca099522afa602ec414ebd9ee5bcaa8dc8a9a44

Download Submit
\Windows\Audio Microsoft File\Microsoft Intel Audios.exe

Filesize
595KB

MD5
414f4a3b05028be19e006ae2ba9182b6

SHA1
2a66efff8a0dfcf8d0ac247940b8f790c3c9d377

SHA256
c09cb187ead292e38f9552449115d0e8ad5211f65cd6cc2ad2a2e8249d7481ec

SHA512
82491b4e7876aa3d4306f1fdde6838e93fa123e0b66df8e262275be3fc5b80565475651bcc39765240467b209ca099522afa602ec414ebd9ee5bcaa8dc8a9a44

Download Submit
memory/676-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-68-0x000000000040FD88-mapping.dmp

Download
memory/676-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-76-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/676-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/892-100-0x0000000000000000-mapping.dmp

Download
memory/988-99-0x0000000000000000-mapping.dmp

Download
memory/1084-82-0x0000000000000000-mapping.dmp

Download
memory/1084-84-0x0000000001310000-0x00000000013AC000-memory.dmp

Filesize
624KB

Download
memory/1396-55-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1396-59-0x0000000001ED0000-0x0000000001EEE000-memory.dmp

Filesize
120KB

Download
memory/1396-58-0x0000000004EE0000-0x0000000004F38000-memory.dmp

Filesize
352KB

Download
memory/1396-57-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/1396-56-0x0000000000350000-0x0000000000368000-memory.dmp

Filesize
96KB

Download
memory/1396-54-0x00000000000F0000-0x000000000018C000-memory.dmp

Filesize
624KB

Download
memory/1432-74-0x0000000000000000-mapping.dmp

Download
memory/1576-75-0x0000000000000000-mapping.dmp

Download
memory/1692-78-0x0000000000000000-mapping.dmp

Download
memory/1832-72-0x0000000000000000-mapping.dmp

Download
memory/1964-98-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1964-94-0x000000000040FD88-mapping.dmp

Download
memory/1964-101-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1964-102-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads