phobos | a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2022 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

phobos.exe
Size

71KB
MD5

e59ffeaf7acb0c326e452fa30bb71a36
SHA1

c88fad293256bfead6962124394de4f8b97765aa
SHA256

a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2
SHA512

737937ac074b1754878f9548be0fae43a18b88ed669a5626468763577d254ef4cd833686d3b9ed5a3169eb8dd1593ca03a74f5ba4664ccc1446d9b85d2f316b3

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 04AF3D1F-1096 If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Jabber client installation instructions: Download the jabber (Pidgin) client from https://pidgin.im/download/windows/ After installation, the Pidgin client will prompt you to create a new account. Click "Add" In the "Protocol" field, select XMPP In "Username" - come up with any name In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im Create a password At the bottom, put a tick "Create account" Click add If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data: User password You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

URLs

https://pidgin.im/download/windows/

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 5052 created 4716 5052 svchost.exe phobos.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

224 bcdedit.exe
4780 bcdedit.exe
2636 bcdedit.exe
320 bcdedit.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1472 netsh.exe
3632 netsh.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

phobos.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\AddPublish.tiff phobos.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

phobos.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation phobos.exe

description	pid	process	target process
PID 5052 created 4716	5052	svchost.exe	phobos.exe

pid	process
224	bcdedit.exe
4780	bcdedit.exe
2636	bcdedit.exe
320	bcdedit.exe

pid	process
1472	netsh.exe
3632	netsh.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\AddPublish.tiff	phobos.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	phobos.exe

Drops startup file 4 IoCs

Processes:

phobos.exetaskmgr.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\phobos.exe	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	phobos.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.id[04af3d1f-1096].[[email protected]].acute	taskmgr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

phobos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phobos = "C:\\Users\\Admin\\AppData\\Local\\phobos.exe"	phobos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phobos = "C:\\Users\\Admin\\AppData\\Local\\phobos.exe"	phobos.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

phobos.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	phobos.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	phobos.exe
File opened for modification	C:\Program Files\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	phobos.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	phobos.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	phobos.exe

Drops file in Program Files directory 64 IoCs

Processes:

phobos.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml	phobos.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	phobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio_Model_CX.winmd	phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-explorer.xml	phobos.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\orb.idl	phobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\office32ww.msi.16.x-none.vreg.dat.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-unplated_contrast-white.png	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32_altform-unplated.png	phobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\nub.png.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png	phobos.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_en-GB.dll.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SplashScreen.scale-125.png	phobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-100.png	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-129.png	phobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-200.png	phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\ui-strings.js	phobos.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYML.TTF.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Edge.dat	phobos.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-63.png	phobos.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	phobos.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.MsoInterop.dll.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui	phobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\28.png	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-48_altform-lightunplated.png	phobos.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	phobos.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png	phobos.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll	phobos.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	phobos.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-200.png	phobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms	phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png	phobos.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui	phobos.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-200.png	phobos.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo	phobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30_altform-lightunplated.png	phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lv.pak	phobos.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare.png.id[04AF3D1F-1096].[[email protected]].acute	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\MyOffice.BackgroundTasks.winmd	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl.winmd	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-400_contrast-white.png	phobos.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll	phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png	phobos.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js	phobos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2184 696 WerFault.exe

pid	pid_target	process	target process
2184	696	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2792 vssadmin.exe
3980 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

phobos.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings phobos.exe

pid	process
2792	vssadmin.exe
3980	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	phobos.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

phobos.exe

pid	process
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe
4716	phobos.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exevssvc.exeWMIC.exetaskmgr.exeWMIC.exe

description	pid	process
Token: SeTcbPrivilege	5052	svchost.exe
Token: SeTcbPrivilege	5052	svchost.exe
Token: SeBackupPrivilege	1068	vssvc.exe
Token: SeRestorePrivilege	1068	vssvc.exe
Token: SeAuditPrivilege	1068	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4092	WMIC.exe
Token: SeSecurityPrivilege	4092	WMIC.exe
Token: SeTakeOwnershipPrivilege	4092	WMIC.exe
Token: SeLoadDriverPrivilege	4092	WMIC.exe
Token: SeSystemProfilePrivilege	4092	WMIC.exe
Token: SeSystemtimePrivilege	4092	WMIC.exe
Token: SeProfSingleProcessPrivilege	4092	WMIC.exe
Token: SeIncBasePriorityPrivilege	4092	WMIC.exe
Token: SeCreatePagefilePrivilege	4092	WMIC.exe
Token: SeBackupPrivilege	4092	WMIC.exe
Token: SeRestorePrivilege	4092	WMIC.exe
Token: SeShutdownPrivilege	4092	WMIC.exe
Token: SeDebugPrivilege	4092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4092	WMIC.exe
Token: SeRemoteShutdownPrivilege	4092	WMIC.exe
Token: SeUndockPrivilege	4092	WMIC.exe
Token: SeManageVolumePrivilege	4092	WMIC.exe
Token: 33	4092	WMIC.exe
Token: 34	4092	WMIC.exe
Token: 35	4092	WMIC.exe
Token: 36	4092	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4092	WMIC.exe
Token: SeSecurityPrivilege	4092	WMIC.exe
Token: SeTakeOwnershipPrivilege	4092	WMIC.exe
Token: SeLoadDriverPrivilege	4092	WMIC.exe
Token: SeSystemProfilePrivilege	4092	WMIC.exe
Token: SeSystemtimePrivilege	4092	WMIC.exe
Token: SeProfSingleProcessPrivilege	4092	WMIC.exe
Token: SeIncBasePriorityPrivilege	4092	WMIC.exe
Token: SeCreatePagefilePrivilege	4092	WMIC.exe
Token: SeBackupPrivilege	4092	WMIC.exe
Token: SeRestorePrivilege	4092	WMIC.exe
Token: SeShutdownPrivilege	4092	WMIC.exe
Token: SeDebugPrivilege	4092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4092	WMIC.exe
Token: SeRemoteShutdownPrivilege	4092	WMIC.exe
Token: SeUndockPrivilege	4092	WMIC.exe
Token: SeManageVolumePrivilege	4092	WMIC.exe
Token: 33	4092	WMIC.exe
Token: 34	4092	WMIC.exe
Token: 35	4092	WMIC.exe
Token: 36	4092	WMIC.exe
Token: SeDebugPrivilege	2504	taskmgr.exe
Token: SeSystemProfilePrivilege	2504	taskmgr.exe
Token: SeCreateGlobalPrivilege	2504	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	1004	WMIC.exe
Token: SeSecurityPrivilege	1004	WMIC.exe
Token: SeTakeOwnershipPrivilege	1004	WMIC.exe
Token: SeLoadDriverPrivilege	1004	WMIC.exe
Token: SeSystemProfilePrivilege	1004	WMIC.exe
Token: SeSystemtimePrivilege	1004	WMIC.exe
Token: SeProfSingleProcessPrivilege	1004	WMIC.exe
Token: SeIncBasePriorityPrivilege	1004	WMIC.exe
Token: SeCreatePagefilePrivilege	1004	WMIC.exe
Token: SeBackupPrivilege	1004	WMIC.exe
Token: SeRestorePrivilege	1004	WMIC.exe
Token: SeShutdownPrivilege	1004	WMIC.exe
Token: SeDebugPrivilege	1004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1004	WMIC.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

taskmgr.exe

pid	process
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

Processes:

taskmgr.exe

pid	process
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

svchost.exephobos.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5052 wrote to memory of 5028	5052	svchost.exe	phobos.exe
PID 5052 wrote to memory of 5028	5052	svchost.exe	phobos.exe
PID 5052 wrote to memory of 5028	5052	svchost.exe	phobos.exe
PID 4716 wrote to memory of 312	4716	phobos.exe	cmd.exe
PID 4716 wrote to memory of 312	4716	phobos.exe	cmd.exe
PID 4716 wrote to memory of 1412	4716	phobos.exe	cmd.exe
PID 4716 wrote to memory of 1412	4716	phobos.exe	cmd.exe
PID 1412 wrote to memory of 2792	1412	cmd.exe	vssadmin.exe
PID 1412 wrote to memory of 2792	1412	cmd.exe	vssadmin.exe
PID 312 wrote to memory of 1472	312	cmd.exe	netsh.exe
PID 312 wrote to memory of 1472	312	cmd.exe	netsh.exe
PID 1412 wrote to memory of 4092	1412	cmd.exe	WMIC.exe
PID 1412 wrote to memory of 4092	1412	cmd.exe	WMIC.exe
PID 312 wrote to memory of 3632	312	cmd.exe	netsh.exe
PID 312 wrote to memory of 3632	312	cmd.exe	netsh.exe
PID 1412 wrote to memory of 224	1412	cmd.exe	bcdedit.exe
PID 1412 wrote to memory of 224	1412	cmd.exe	bcdedit.exe
PID 1412 wrote to memory of 4780	1412	cmd.exe	bcdedit.exe
PID 1412 wrote to memory of 4780	1412	cmd.exe	bcdedit.exe
PID 4716 wrote to memory of 512	4716	phobos.exe	mshta.exe
PID 4716 wrote to memory of 512	4716	phobos.exe	mshta.exe
PID 4716 wrote to memory of 512	4716	phobos.exe	mshta.exe
PID 4716 wrote to memory of 5012	4716	phobos.exe	mshta.exe
PID 4716 wrote to memory of 5012	4716	phobos.exe	mshta.exe
PID 4716 wrote to memory of 5012	4716	phobos.exe	mshta.exe
PID 4716 wrote to memory of 2308	4716	phobos.exe	mshta.exe
PID 4716 wrote to memory of 2308	4716	phobos.exe	mshta.exe
PID 4716 wrote to memory of 2308	4716	phobos.exe	mshta.exe
PID 4716 wrote to memory of 3868	4716	phobos.exe	cmd.exe
PID 4716 wrote to memory of 3868	4716	phobos.exe	cmd.exe
PID 3868 wrote to memory of 3980	3868	cmd.exe	vssadmin.exe
PID 3868 wrote to memory of 3980	3868	cmd.exe	vssadmin.exe
PID 3868 wrote to memory of 1004	3868	cmd.exe	WMIC.exe
PID 3868 wrote to memory of 1004	3868	cmd.exe	WMIC.exe
PID 3868 wrote to memory of 2636	3868	cmd.exe	bcdedit.exe
PID 3868 wrote to memory of 2636	3868	cmd.exe	bcdedit.exe
PID 3868 wrote to memory of 320	3868	cmd.exe	bcdedit.exe
PID 3868 wrote to memory of 320	3868	cmd.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\phobos.exe
"C:\Users\Admin\AppData\Local\Temp\phobos.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\phobos.exe
  "C:\Users\Admin\AppData\Local\Temp\phobos.exe"
  2⤵
  PID:5028
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2792
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:224
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4780
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1472
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:3632
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:512
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:5012
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:2308
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2636
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 696 -ip 696
1⤵
PID:1424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 696 -s 836
1⤵
- Program crash
PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[04AF3D1F-1096].[[email protected]].acute

Filesize
418B

MD5
10dcc2e8511d2fa66096030cf90c9056

SHA1
bca7f17929f0b0bcd2073d694a07d164fea7577a

SHA256
34448e04c40e3356741205d9edbdeb180571d3267fed0fa067aff5c9c2db7a47

SHA512
b75d8b945f8546a7b7a8243a8a8ec2560a185fa6a866d74bb55b4fddf40b6d0bda94bcbee1cfbf193cb708b2247602aaa5404c61f1b18642030afd71ba9f9dc3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\phobos.exe

Filesize
71KB

MD5
e59ffeaf7acb0c326e452fa30bb71a36

SHA1
c88fad293256bfead6962124394de4f8b97765aa

SHA256
a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2

SHA512
737937ac074b1754878f9548be0fae43a18b88ed669a5626468763577d254ef4cd833686d3b9ed5a3169eb8dd1593ca03a74f5ba4664ccc1446d9b85d2f316b3

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\phobos.exe

Filesize
71KB

MD5
e59ffeaf7acb0c326e452fa30bb71a36

SHA1
c88fad293256bfead6962124394de4f8b97765aa

SHA256
a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2

SHA512
737937ac074b1754878f9548be0fae43a18b88ed669a5626468763577d254ef4cd833686d3b9ed5a3169eb8dd1593ca03a74f5ba4664ccc1446d9b85d2f316b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[04AF3D1F-1096].[[email protected]].acute

Filesize
418B

MD5
f42da0d6e4dc9c9d4156a0fa2dc310e9

SHA1
e4e477621203cbc161cbd694c52522329ee69159

SHA256
007644af8ea5177772e00ebb4ddb44e8064c97e50d389f780e43a394724e0fb6

SHA512
322169cb8ed01817b912096a5b3f09ac07267b417478209b5a781be7a9a08e2aaaea399cf8a2e896b08ebf75200603ec3dd76fb0cf25299d956667fa6e1a9e2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phobos.exe

Filesize
71KB

MD5
e59ffeaf7acb0c326e452fa30bb71a36

SHA1
c88fad293256bfead6962124394de4f8b97765aa

SHA256
a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2

SHA512
737937ac074b1754878f9548be0fae43a18b88ed669a5626468763577d254ef4cd833686d3b9ed5a3169eb8dd1593ca03a74f5ba4664ccc1446d9b85d2f316b3

Download Submit
C:\Users\Admin\Desktop\info.hta

Filesize
6KB

MD5
a00141858dd45364c19325e191eb4489

SHA1
186dc8cad290d520fb66e1525d2223dadf0f694d

SHA256
533d1b3797533c273f61338d56e2b527d4ac5c3b1790573ea9d0b94ee08c7036

SHA512
288b2cc2dd77e38fb08ed7953b7b923c4490996c9a4f7d53165257a0032727208b946e83b92701814221cdf2e16e7e4ad5e9130cf30edd18270b529595d6818f

Download Submit
C:\info.hta

Filesize
6KB

MD5
a00141858dd45364c19325e191eb4489

SHA1
186dc8cad290d520fb66e1525d2223dadf0f694d

SHA256
533d1b3797533c273f61338d56e2b527d4ac5c3b1790573ea9d0b94ee08c7036

SHA512
288b2cc2dd77e38fb08ed7953b7b923c4490996c9a4f7d53165257a0032727208b946e83b92701814221cdf2e16e7e4ad5e9130cf30edd18270b529595d6818f

Download Submit
C:\users\public\desktop\info.hta

Filesize
6KB

MD5
a00141858dd45364c19325e191eb4489

SHA1
186dc8cad290d520fb66e1525d2223dadf0f694d

SHA256
533d1b3797533c273f61338d56e2b527d4ac5c3b1790573ea9d0b94ee08c7036

SHA512
288b2cc2dd77e38fb08ed7953b7b923c4490996c9a4f7d53165257a0032727208b946e83b92701814221cdf2e16e7e4ad5e9130cf30edd18270b529595d6818f

Download Submit
memory/224-139-0x0000000000000000-mapping.dmp

Download
memory/312-133-0x0000000000000000-mapping.dmp

Download
memory/320-159-0x0000000000000000-mapping.dmp

Download
memory/512-149-0x0000000000000000-mapping.dmp

Download
memory/1004-157-0x0000000000000000-mapping.dmp

Download
memory/1412-134-0x0000000000000000-mapping.dmp

Download
memory/1472-136-0x0000000000000000-mapping.dmp

Download
memory/2308-151-0x0000000000000000-mapping.dmp

Download
memory/2636-158-0x0000000000000000-mapping.dmp

Download
memory/2792-135-0x0000000000000000-mapping.dmp

Download
memory/3632-138-0x0000000000000000-mapping.dmp

Download
memory/3868-152-0x0000000000000000-mapping.dmp

Download
memory/3980-156-0x0000000000000000-mapping.dmp

Download
memory/4092-137-0x0000000000000000-mapping.dmp

Download
memory/4780-140-0x0000000000000000-mapping.dmp

Download
memory/5012-150-0x0000000000000000-mapping.dmp

Download
memory/5028-132-0x0000000000000000-mapping.dmp

Download