phobos | c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256

Analysis

max time kernel
28s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 01:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
Size

56KB
MD5

03ff3bba0065b0b29723f59c41890e45
SHA1

37bcd0bdcf97e436b54440627bee368800f4188e
SHA256

c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256
SHA512

d28e52a5b1883aeb9863b21fa7a84aaa5731cff08c33b019e398d76a98a905eb6797eb92ff05445d20715f7f4d7273e1f55d86278e176c1d0722f40c37e0c1b2
SSDEEP

1536:CUNeRBl5PT/rx1mzwRMSTdLpJasHSW7E7oq5Mq:BQRrmzwR5J9HTeoqOq

Score

10^/10

phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2484	bcdedit.exe
4656	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2356	wbadmin.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1012	netsh.exe
3240	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256 = "C:\\Users\\Admin\\AppData\\Local\\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe"	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256 = "C:\\Users\\Admin\\AppData\\Local\\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe"	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7zCon.sfx.id[59F5F7FE-3352].[rec0verydata@tuta.io].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7zG.exe.id[59F5F7FE-3352].[rec0verydata@tuta.io].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7-zip.dll.id[59F5F7FE-3352].[rec0verydata@tuta.io].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.id[59F5F7FE-3352].[rec0verydata@tuta.io].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7z.exe.id[59F5F7FE-3352].[rec0verydata@tuta.io].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7zFM.exe.id[59F5F7FE-3352].[rec0verydata@tuta.io].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7-zip.chm.id[59F5F7FE-3352].[rec0verydata@tuta.io].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.id[59F5F7FE-3352].[rec0verydata@tuta.io].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File created	C:\Program Files\7-Zip\7z.sfx.id[59F5F7FE-3352].[rec0verydata@tuta.io].LIZARD	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1568	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1296	1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe	93
PID 1904 wrote to memory of 1572	1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe	92
PID 1904 wrote to memory of 1572	1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe	92
PID 1904 wrote to memory of 1296	1904	c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe	93
PID 1296 wrote to memory of 1012	1296	cmd.exe	96
PID 1296 wrote to memory of 1012	1296	cmd.exe	96
PID 1572 wrote to memory of 1568	1572	cmd.exe	97
PID 1572 wrote to memory of 1568	1572	cmd.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
"C:\Users\Admin\AppData\Local\Temp\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe
  "C:\Users\Admin\AppData\Local\Temp\c70ced34e4c01df4344e9ee4b2a42190f25ed6ac7543ee9c9579cb0ca8658256.exe"
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1568
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:920
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2484
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4656
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2356
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1012
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:3240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1900

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3536 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:2276

Network

DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

107.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.12.20.2.in-addr.arpa

IN PTR

Response

107.12.20.2.in-addr.arpa

IN PTR

a2-20-12-107deploystaticakamaitechnologiescom
DNS

164.189.21.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

164.189.21.2.in-addr.arpa

IN PTR

Response

164.189.21.2.in-addr.arpa

IN PTR

a2-21-189-164deploystaticakamaitechnologiescom
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

82.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.90.14.23.in-addr.arpa

IN PTR

Response

82.90.14.23.in-addr.arpa

IN PTR

a23-14-90-82deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

27.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

27.173.189.20.in-addr.arpa

IN PTR

Response

96.16.110.114:80

260 B
5
13.107.253.64:443

46 B
40 B
1
1
172.217.169.74:443

46 B
40 B
1
1

8.8.8.8:53

79.121.231.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

79.121.231.20.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

64.159.190.20.in-addr.arpa

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

146 B
144 B
2
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

107.12.20.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

107.12.20.2.in-addr.arpa
8.8.8.8:53

164.189.21.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

164.189.21.2.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

82.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

82.90.14.23.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

27.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

27.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
65KB

MD5
e5f729728ef63949ee08cdb344e199a0

SHA1
39869fb44914a7aa172a48342d39dbdfbda4d65c

SHA256
ce89fdff60df750b5f78ae42df37b822cd79add907d2c2e604fd906bb5f85bd2

SHA512
5fe6ac63731b9ad38f2b23c3e9ec7a89f8624a24056cb251ce7e08d18687cdd23f17818892b4e1234121001689da2864a61fb239b1e40d0252554c3048f0d9a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.