orcus | 12b479aa48b2ee353262197143a55251d0b329927113b10bf928d3f96ff183c6

General

Target

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
Size

1.1MB
MD5

0093cdaf6010d872fd69b5f554bad42f
SHA1

64bc03d0e253e776447e1de1286332af4bd322e0
SHA256

12b479aa48b2ee353262197143a55251d0b329927113b10bf928d3f96ff183c6
SHA512

a7a5fb737751e58ff751e44150c9805e8927a4a1b79b81ac5c4765c0c7c5b787798a483262a787281073d9be7450cc2eed03c1d6912d88d9adabac4154f8eac8
SSDEEP

24576:BCUjgfYTaCCcpcup6GMZNiZNfE2xUj8jTkZAoRsw8UGJNCxioH:BCUjgfYIcpjTM63wsw8UG3

Score

10^/10

orcus rock discovery evasion rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

rock

C2

23.227.201.233:10134

Mutex

288c4a8c96e6445cb50953f3403b6f6f

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

Orcurs Rat Executable 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2884-24-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus
behavioral1/memory/2884-22-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus
behavioral1/memory/2884-20-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus
behavioral1/memory/2884-16-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus
behavioral1/memory/2884-14-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools 0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

WindowsInput.exeWindowsInput.exe

pid process

2932 WindowsInput.exe
1524 WindowsInput.exe
Loads dropped DLL 1 IoCs

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

pid process

2884 0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

pid	process
2932	WindowsInput.exe
1524	WindowsInput.exe

pid	process
2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

description	pid	process	target process
PID 3040 set thread context of 2884	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\debug\WIA\aIQzlZ.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
File opened for modification	C:\Windows\debug\WIA\aIQzlZ.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exeschtasks.exe0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.execsc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2304 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

pid process

3040 0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
3040 0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

pid	process
2304	schtasks.exe

pid	process
3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
Token: SeDebugPrivilege	2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

pid process

2884 0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

pid	process
2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 3040 wrote to memory of 2304	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	schtasks.exe
PID 3040 wrote to memory of 2304	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	schtasks.exe
PID 3040 wrote to memory of 2304	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	schtasks.exe
PID 3040 wrote to memory of 2304	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	schtasks.exe
PID 3040 wrote to memory of 2884	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
PID 3040 wrote to memory of 2884	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
PID 3040 wrote to memory of 2884	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
PID 3040 wrote to memory of 2884	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
PID 3040 wrote to memory of 2884	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
PID 3040 wrote to memory of 2884	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
PID 3040 wrote to memory of 2884	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
PID 3040 wrote to memory of 2884	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
PID 3040 wrote to memory of 2884	3040	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
PID 2884 wrote to memory of 2656	2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	csc.exe
PID 2884 wrote to memory of 2656	2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	csc.exe
PID 2884 wrote to memory of 2656	2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	csc.exe
PID 2884 wrote to memory of 2656	2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	csc.exe
PID 2656 wrote to memory of 2376	2656	csc.exe	cvtres.exe
PID 2656 wrote to memory of 2376	2656	csc.exe	cvtres.exe
PID 2656 wrote to memory of 2376	2656	csc.exe	cvtres.exe
PID 2656 wrote to memory of 2376	2656	csc.exe	cvtres.exe
PID 2884 wrote to memory of 2932	2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	WindowsInput.exe
PID 2884 wrote to memory of 2932	2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	WindowsInput.exe
PID 2884 wrote to memory of 2932	2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	WindowsInput.exe
PID 2884 wrote to memory of 2932	2884	0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe	WindowsInput.exe

C:\Users\Admin\AppData\Local\Temp\0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aIQzlZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp429C.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ktof2mux.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49AE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC49AD.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2376
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2932

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES49AE.tmp

Filesize
1KB

MD5
1ba1b6d9e3a7481787a275ff7a5be017

SHA1
793e97447311286de89cd30983c1af3ebf8ad195

SHA256
72fb9b8f7ad8b45c98c202641dac7f5d27d412d6b3a07a1738465941a9175e1c

SHA512
b9f3ca5e4cca7e8e930eac9695ffecebe5bd87cde23905a3d3dab0920f2dfa75d753fa47fb32da04e2ba954d3f30ab598d0990ee6c5529e6ad05b6e52586f633

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktof2mux.dll

Filesize
76KB

MD5
5068881f5f33e991c2863cc63b4578b5

SHA1
52e1e5db2f9ff876770158099c00f8ff1f8414a4

SHA256
46d70c35047d75c949f6ddc023c69dd80da06adf80f6d5d4e03955a137d2e50d

SHA512
7dfbc2dda0da6809420a20fe902edee5c15e08180c2caac1b7ff93e66a398aa51a274e8b8d4d35d739c17bef4fcbf952fafdca8f97119376875c71575c0f3810

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp429C.tmp

Filesize
1KB

MD5
8c59f0c492e88226ee10a2d37743c335

SHA1
8925dcc99def08242f96cead7fac3b0e2c9753da

SHA256
2191da62b8d7f253f3c7a281ad5e5a470f1feae86cdcfecda931df7b4d275e76

SHA512
518b89f8f0df05cdf32d05b5367ca5a36017f4712aa429bf08fc1f0d0fa342c404960a76bb9c21591eb5b3588708b4ebb845f68b25bea739f356af107831391f

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC49AD.tmp

Filesize
676B

MD5
17fa403d519cca900b2bd669186b95ab

SHA1
9d3132a7292b8bd65861491ab17a9ba6f08ca113

SHA256
3b3d1f8ca6b650c781f988bf056357c10c0997ab4eeab2ea4cb28b1dddfe4b55

SHA512
ea384b1d4a798107f9944f928a8750d3f0cfbd0cb3f614c3dd1ca52e9a0d64bf83ce21ac7210963c57a8ca1491f96c635423a64426a9d87a6597392079bd17ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ktof2mux.0.cs

Filesize
208KB

MD5
2b27db7bf877c069718ee2f1fa7b8761

SHA1
36e538d654d1ebda49834492a5295de0d213817d

SHA256
c333148a5c83946f861763f955b237f75680eb20d79872d2f29a4bc94674993c

SHA512
9ea3cec5d22a1a8ca7773f8b3f995f18cd5a05df1c2cd09189a698aeef0ac21455377b2e2476bf0f755dc5b6eb7c3ba37f86200823cef7cd824f31861d6f8926

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ktof2mux.cmdline

Filesize
347B

MD5
f9021442c8fcd7a64f3137dbed4325de

SHA1
e2179d9b3018f4760adf673a9c2dfe6f26b568a1

SHA256
718e6c53f44b3457891b2cee7b0f47ac7098158e762c538bca10c042fa129d89

SHA512
588c30e1ba47b0511252522592a2aa733dee600267cb296b2b706fb31cc6c4a1f3b339ef4598048681bd9264d811f19be2eb570c473b6c917e346c67866a9e54

Download Submit
\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
memory/1524-54-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/2884-24-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2884-20-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2884-25-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-16-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2884-28-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-27-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-55-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-14-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2884-12-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2884-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-22-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2884-11-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2932-50-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/3040-0-0x0000000074DD1000-0x0000000074DD2000-memory.dmp

Filesize
4KB

Download
memory/3040-4-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-3-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-1-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-2-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-26-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads