Hide Navigation Hide TOC

QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)

QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past. QUASARRAT is a publicly available Windows backdoor. It may visit a website, download, upload, and execute files. QUASARRAT may acquire system information, act as a remote desktop or shell, or remotely activate the webcam. The backdoor may also log keystrokes and steal passwords from commonly used browsers and FTP clients. QUASARRAT was originally named xRAT before it was renamed by the developers in August 2015. Availability: Public

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa)	Malpedia	QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)	Tool	1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)	Tool	Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d)	RAT	1
APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)	Tool	1
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)	Tool	1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)	Tool	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	1
Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa)	Malpedia	Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d)	RAT	2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d)	RAT	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d)	RAT	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32)	Tool	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32)	Malpedia	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8)	RAT	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838)	Malpedia	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e)	Banker	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	XRat (d650da35-7ad7-417a-902a-16ea55bd1126)	Ransomware	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa)	Malpedia	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Emerald Sleet (44be06b1-e17a-5ea6-a0a2-067933a7af77)	Microsoft Activity Group actor	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Kimsuky (860643d6-5693-4e4e-ad1f-56c49faa10a7)	Malpedia	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Ruby Sleet (03ff54cf-f7d4-4606-a531-2ca6d4fa6a54)	Threat Actor	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Kimsuky - APT-C-55 (84e18657-3995-5837-88f1-f823520382a8)	360.net Threat Actors	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37)	Malpedia	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	RDP Wrapper (bea5f660-a106-4983-a11a-0e0b6ce348d2)	Tool	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Opal Sleet (5f71a9ea-511d-4fdd-9807-271ef613f488)	Threat Actor	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	TightVNC (e596e014-c0b7-491a-afee-3588fbfc61c1)	Tool	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	RevClient (cdd432b0-8899-4e7d-ad4a-b18741ade11d)	Tool	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32)	Tool	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Chrome Remote Desktop (6583d982-a5cb-47e0-a3b0-bc18cadaeb53)	RAT	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32)	Tool	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	3
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32)	Tool	BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37)	Malpedia	3
XRat (d650da35-7ad7-417a-902a-16ea55bd1126)	Ransomware	xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8)	RAT	3
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32)	Malpedia	xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8)	RAT	3
xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32)	Tool	xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8)	RAT	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e)	Banker	3
Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387)	Malpedia	TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e)	Banker	3
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838)	Malpedia	TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e)	Banker	3
XRat (d650da35-7ad7-417a-902a-16ea55bd1126)	Ransomware	xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32)	Tool	3
XRat (d650da35-7ad7-417a-902a-16ea55bd1126)	Ransomware	XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32)	Malpedia	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	3
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	3
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04)	mitre-tool	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	3
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	3
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032)	Attack Pattern	3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	3
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23)	Attack Pattern	3
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	3
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	3
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	3
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Delay Execution - T1678 (a1df809c-7d0e-459f-8fe5-25474bab770b)	Attack Pattern	3
Query Public AI Services - T1682 (143122a8-fcda-4dd7-aded-5b9387d9c2d6)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	3
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39)	Malware	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452)	Attack Pattern	3
Search Open Technical Databases - T1596 (55fc4df0-b42c-479a-b860-7a6761bcaad0)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	3
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Impersonation - T1684.001 (cd92d2b8-ce43-4666-9472-f1b4b9f4f8be)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49)	Attack Pattern	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf)	Attack Pattern	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	3
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	3
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	3
Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636)	Attack Pattern	3
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32)	Malpedia	xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32)	Tool	3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	3
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	4
Data Encrypted for Impact - T1471 (d9e88203-2b5d-405f-a406-2933b1e3d7e4)	Attack Pattern	Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	Endpoint Denial of Service - T1642 (eb6cf439-1bcb-4d10-bc68-1eed844ed7b3)	Attack Pattern	4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512)	Attack Pattern	4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387)	Malpedia	4
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838)	Malpedia	4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	4
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	4
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	4
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	4
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	4
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a)	Attack Pattern	Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b)	Attack Pattern	4
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262)	Attack Pattern	Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4)	Attack Pattern	4
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	4
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367)	Tool	4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	4
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04)	mitre-tool	4
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	4
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	4
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	4
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	4
Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156)	Attack Pattern	Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4)	Attack Pattern	4
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230)	Attack Pattern	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a)	Attack Pattern	Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0)	Attack Pattern	4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	4
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	4
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc)	Attack Pattern	4
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	4
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	4
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	4
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	4
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	4
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d)	Attack Pattern	Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	4
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff)	Attack Pattern	4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	4
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101)	Attack Pattern	TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	4
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47)	Attack Pattern	TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	4
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101)	Attack Pattern	Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8)	Attack Pattern	4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15)	Attack Pattern	4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	4
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	4
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	4
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	4
Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39)	Malware	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39)	Malware	4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39)	Malware	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	4
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba)	Attack Pattern	4
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	4
Social Engineering - T1684 (41e4d77a-6275-4976-9e35-785985598519)	Attack Pattern	Impersonation - T1684.001 (cd92d2b8-ce43-4666-9472-f1b4b9f4f8be)	Attack Pattern	4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	4
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf)	Attack Pattern	4
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	4
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968)	Attack Pattern	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	4
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c)	Attack Pattern	4
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	4
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	4
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	4
Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	4
Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f)	Tool	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	4
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636)	Attack Pattern	4
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512)	Attack Pattern	5
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	5
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	5
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	5
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	5
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3)	Attack Pattern	5
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	5
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	5
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	5
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	5
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	5
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	5
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c)	Attack Pattern	5
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	5
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	5
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	5
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	5
MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b)	Malpedia	Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	5
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	5
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	5
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	5
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	5
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	5
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	5
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0)	Attack Pattern	Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	5