Malware Analysis Report

2024-09-11 01:44

Sample ID 240507-adv16acd78
Target 2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos
SHA256 ed9a2b4e0a7e81b8b671a797dc499d8eb112bf42500551607a5d454056e1cdd2
Tags
phobos defense_evasion evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed9a2b4e0a7e81b8b671a797dc499d8eb112bf42500551607a5d454056e1cdd2

Threat Level: Known bad

The file 2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos was found to be: Known bad.

Malicious Activity Summary

phobos defense_evasion evasion execution impact persistence ransomware spyware stealer

Phobos

Deletes shadow copies

Renames multiple (520) files with added filename extension

Renames multiple (315) files with added filename extension

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Deletes backup catalog

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Modifies registry class

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-07 00:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 00:06

Reported

2024-05-07 00:08

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (520) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[8F45EA37-3540].[[email protected]].faust | C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe | N/A
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe" | C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe" | C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe | N/A
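The two tables above are the sample's persistence: a copy of itself dropped into the per-user Startup folder, and HKLM and HKU Run values that point at a copy under AppData\Local rather than at the Temp path the detonation started from. The Python below is an added example, not part of the sandbox report or its tooling: it parses indicator lines in the report's own row format, picks out Run-key writes and Startup-folder file creations, and flags the ones that would actually execute at logon. The input lines are copied from the tables above, except that the masked contact e-mail in the encrypted desktop.ini name is replaced by a constructed placeholder address and the final line is a constructed benign control.

```python
import re
from typing import List, NamedTuple

# Lines in the report's "Description Indicator Process Target" row format.
# The first four are taken from this report (placeholder e-mail substituted
# for the masked one); the last is a constructed benign Run entry.
REPORT_LINES = [
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[8F45EA37-3540].[ops@example.invalid].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A',
    r'File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\updater.exe" C:\Windows\System32\msiexec.exe N/A',
]

# Row parsers. The process column never contains spaces in this report, so the
# indicator (which does) is matched non-greedily up to the final path token.
SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+) N/A$')
FILE_EVENT = re.compile(r'^File (?P<action>created|opened for modification) (?P<path>.+?) (?P<proc>\S+) N/A$')

RUN_KEY = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\', re.IGNORECASE)
STARTUP_DIR = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.IGNORECASE)
USER_WRITABLE = re.compile(r'\\(AppData|Users\\Public|ProgramData|Temp)\\', re.IGNORECASE)
EXEC_EXT = {"exe", "dll", "scr", "com", "bat", "cmd", "vbs", "js", "ps1", "lnk", "hta"}


class Finding(NamedTuple):
    technique: str
    location: str      # registry value path or file path
    payload: str       # what would run at logon
    process: str       # process that wrote it
    suspicious: bool
    reason: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(lines: List[str]) -> List[Finding]:
    """Classify each row as a Run-key or Startup-folder persistence finding."""
    findings: List[Finding] = []
    for line in lines:
        m = SET_VALUE.match(line)
        if m:
            if not RUN_KEY.search(m["key"]):
                continue
            payload = m["data"].replace("\\\\", "\\")      # undo the report's escaping
            hive = "HKLM" if m["key"].upper().startswith(r"\REGISTRY\MACHINE") else "HKU"
            bad = bool(USER_WRITABLE.search(payload))
            findings.append(Finding(
                "Registry Run key", f"{hive}: {m['key']}", payload, m["proc"], bad,
                "autostart target lives in a user-writable directory" if bad
                else "autostart target under a protected program directory"))
            continue
        m = FILE_EVENT.match(line)
        if m and m["action"] == "created" and STARTUP_DIR.search(m["path"]):
            path = m["path"]
            if path.startswith("\\??\\"):                    # strip NT object-manager prefix
                path = path[4:]
            ext = _basename(path).rsplit(".", 1)[-1].lower()
            bad = ext in EXEC_EXT
            findings.append(Finding(
                "Startup folder", path, path, m["proc"], bad,
                "executable dropped into the Startup folder" if bad
                else "non-executable file (encrypted artifact), nothing runs at logon"))
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        flag = "!!" if f.suspicious else "  "
        print(f"{flag} {f.technique:17} {f.payload}\n     {f.reason}")
```

Only three of the five rows represent real autostart: the executable copied into Startup and the two Run values, all pointing into AppData. The encrypted desktop.ini in Startup is collateral from the file-encryption pass, not persistence, which is why the extension check matters when this pattern is turned into a detection.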

Drops desktop.ini file(s)

Description | Indicator | Process | Target
(Process for every row below: C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe; Target: N/A)
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification | C:\Users\Public\Music\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
File opened for modification | C:\Users\Admin\Videos\desktop.ini
File opened for modification | C:\Users\Public\Pictures\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification | C:\Program Files (x86)\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini
File opened for modification | C:\Users\Public\Downloads\desktop.ini
File opened for modification | C:\Users\Public\Libraries\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification | C:\Program Files\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
File opened for modification | C:\Users\Admin\Music\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\desktop.ini
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
File opened for modification | C:\Users\Admin\Downloads\desktop.ini
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
File opened for modification | C:\Users\Admin\Favorites\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini
File opened for modification | C:\Users\Public\Desktop\desktop.ini
File opened for modification | C:\Users\Admin\Links\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
File opened for modification | C:\Users\Admin\Contacts\desktop.ini
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2860750803-256193626-1801997576-1000\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification | C:\Users\Public\desktop.ini
File opened for modification | C:\Users\Public\Documents\desktop.ini
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2860750803-256193626-1801997576-1000\desktop.ini
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification | C:\Users\Admin\Desktop\desktop.ini
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
File opened for modification | C:\Users\Public\Videos\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini

Drops file in Program Files directory

Description | Indicator | Process | Target
(Process for every row below: C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe; Target: N/A)
File opened for modification | C:\Program Files\Windows Media Player\de-DE\WMPMediaSharing.dll.mui
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\resources.pri
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Record.m4a
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info.png
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.f74ef681.pri
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview.png
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.106\dxil.dll.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Paint_PDP.xml
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\appstore.png.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-down_32.svg.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe
File created | C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\main.css
File created | C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reject_18.svg.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Confirmation.png.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Analytics.DATA
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCacheMini.scale-150.png
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-400.png
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-time-l1-1-0.dll.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\PlayStore_icon.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\ui-strings.js
File created | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_altform-lightunplated.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-100.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_hover.png.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\TinyTile.scale-200_contrast-white.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close.svg.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WideTile.scale-100_contrast-black.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\it-it\ui-strings.js
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Wordcnvpxy.cnv
File created | C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-20.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-disabled_32.svg.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js.id[8F45EA37-3540].[[email protected]].faust
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js.id[8F45EA37-3540].[[email protected]].faust
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll

Enumerates physical storage devices

Checks SCSI registry key(s)

The process in these rows is vds.exe (the Virtual Disk Service, loaded through the vdsldr.exe -Embedding entry that follows wbadmin.exe and wbengine.exe in the process list), not the sample itself; the Ven_DADY and Ven_QEMU vendor strings are the analysis VM's virtual disk and DVD devices. Read these rows as a side effect of the backup-catalog and shadow-copy deletion rather than as device enumeration performed by the sample's own code.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
(this identical row was recorded 64 times by the sandbox; the repeats are collapsed here)

Suspicious use of AdjustPrivilegeToken

Only the first row is the sample's own doing (it enables SeDebugPrivilege in its token). The vssvc.exe, WMIC.exe and wbengine.exe rows are privileges those Windows components (the VSS service, WMIC, the Windows Backup engine) enable for their own operation while the shadow-copy and backup-catalog deletions run; the sandbox attributes them to the process that made the call. Tokens shown only as 33, 34, 35 and 36 are privilege LUIDs the sandbox did not resolve to a name (SeIncreaseWorkingSet, SeTimeZone, SeCreateSymbolicLink and SeDelegateSessionUserImpersonate).
Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseWorkingSetPrivilege (reported as LUID 33) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTimeZonePrivilege (reported as LUID 34) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreateSymbolicLinkPrivilege (reported as LUID 35) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDelegateSessionUserImpersonatePrivilege (reported as LUID 36) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseWorkingSetPrivilege (reported as LUID 33) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTimeZonePrivilege (reported as LUID 34) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreateSymbolicLinkPrivilege (reported as LUID 35) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDelegateSessionUserImpersonatePrivilege (reported as LUID 36) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\system32\cmd.exe
PID 3432 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3432 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3436 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3436 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3436 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3436 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3432 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3432 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3432 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3432 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3432 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3432 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3432 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3432 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1492 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\system32\cmd.exe
PID 1080 wrote to memory of 756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1080 wrote to memory of 756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1080 wrote to memory of 1248 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1080 wrote to memory of 1248 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1080 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1080 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1080 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1080 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1080 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1080 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
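The process list above is the Phobos recovery-inhibition chain: the sample spawns cmd.exe, which runs vssadmin and wmic to delete shadow copies, bcdedit to switch off Windows recovery, and wbadmin to delete the backup catalog, while a second cmd.exe disables the firewall and mshta.exe displays info.hta. The Python below is an added detection example, not part of this report or of the sandbox, that rebuilds the parent chain from PID/PPID pairs and attributes every hit to the ancestor the whole set traces back to. The event list is constructed from the report's Processes and WriteProcessMemory tables; pairing each command line with a specific PID is an assumption (the report lists them separately), and the benign control row is invented. ATT&CK IDs used: T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall, T1218.005 Mshta.

```python
"""Flag the Phobos recovery-inhibition chain in process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's Processes list and WriteProcessMemory table; which command line
belongs to which PID is an assumption (the report lists them separately), and
the last row is a constructed benign control.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe"
CMD = r"C:\Windows\system32\cmd.exe"

EVENTS = [
    ProcEvent(1492, 1, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(3432, 1492, CMD, '"' + CMD + '"'),
    ProcEvent(3436, 1492, CMD, '"' + CMD + '"'),
    ProcEvent(2812, 3432, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(2284, 3436, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    ProcEvent(1616, 3436, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    ProcEvent(1072, 3432, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(4520, 3432, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(2168, 3432, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(4516, 3432, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(4380, 1492, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    # Constructed benign control: an administrator listing shadow copies.
    ProcEvent(9001, 9000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

# Command-line patterns, keyed by ATT&CK technique.
RULES = {
    "T1490": [  # Inhibit System Recovery
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
        re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    ],
    "T1562.004": [  # Disable or Modify System Firewall
        re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
        re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b", re.I),
    ],
    "T1218.005": [  # Mshta launching an .hta file (the ransom note here)
        re.compile(r"\bmshta\.exe\b.*\.hta\b", re.I),
    ],
}


def root_ancestor(by_pid, pid):
    """Follow ppid links up to the highest process we have an event for."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def detect(events):
    """Group rule hits by their root process and score each root."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(lambda: defaultdict(set))
    for e in events:
        for technique, patterns in RULES.items():
            if any(p.search(e.cmdline) for p in patterns):
                hits[root_ancestor(by_pid, e.pid)][technique].add(e.cmdline)
    findings = []
    for root, techs in hits.items():
        # One shadow-copy deletion has legitimate uses; Phobos runs the whole set
        # from one ancestor, so severity keys on the count of distinct T1490 commands.
        inhibit = len(techs.get("T1490", ()))
        if inhibit >= 3:
            severity = "high"
        elif inhibit or "T1562.004" in techs:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "root_pid": root,
            "root_image": by_pid[root].image,
            "techniques": sorted(techs),
            "inhibit_count": inhibit,
            "severity": severity,
        })
    return sorted(findings, key=lambda f: f["root_pid"])


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

A lone vssadmin delete shadows can be backup rotation, so the severity rule counts how many distinct recovery-inhibiting commands share one root process instead of alerting on any single command; run against the constructed events it reports one high-severity finding rooted at PID 1492 with all three techniques, and nothing for the control row.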

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[8F45EA37-3540].[[email protected]].faust

MD5 2f95f2b0c3af85ca0ab6a554f388ed60
SHA1 da8b578d5c66eadecd839422b4f66c8a840c8b0a
SHA256 c8a60fd2e85206a5bad74b2a4245e07bd4f26ec89fd21e44d8ba0777696e3000
SHA512 1b873a22870703457812caddc518260d3c50a7be2c80ee73fa8e498980e295a0ab88d91fd4a1d9ef2b7c87a2a2f37db755d5a066c1294b69c5f98afb098ceb6f

C:\info.hta

MD5 81e15f4bfaba8522336d77f33ede096d
SHA1 453ed863618b453d7e77607a2717bfb7264c1fe8
SHA256 99ace72b7388c7b5fd88761da076c01a041482525b83166107484c71aadfe3a1
SHA512 db756bcf77b472462d24225aefe72bfde7aab06ffe5a90258ad34fb5ce2f5a21260697096352c9b31fa93f06d3941869404b031ce649b2e0b6776f04fd196f25

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 00:06

Reported

2024-05-07 00:08

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (315) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
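Both detonations rename files to the form original-name.id[8 hex chars-4 digits].[mailbox].faust; the first ID segment differs between the two runs (8F45EA37 in behavioral2, 940A5AE6 here) while the second segment, 3540, and the .faust extension are the same in both. The mailbox is visible on this page only as the placeholder [email protected]. The Python below is an added triage helper, not part of the report, that parses that naming pattern, recovers the original path, and summarises an affected-file listing by victim ID; the sample paths are taken from the report's file tables, with two untouched paths included as controls.

```python
"""Triage helper for the Phobos filename pattern seen in this report.

Added example, not part of the report. Pattern observed on this page:
    <original name>.id[<8 hex chars>-<4 digits>].[<mailbox>].<extension>
On this page the mailbox is visible only as the placeholder "[email protected]",
so the parser accepts any bracketed token there. PATHS is constructed from the
report's file tables plus two untouched paths used as controls.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<mailbox>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

PATHS = [
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[8F45EA37-3540].[[email protected]].faust",
    r"C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.id[8F45EA37-3540].[[email protected]].faust",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[940A5AE6-3540].[[email protected]].faust",
    r"C:\Users\Admin\Desktop\info.hta",  # ransom note, dropped rather than encrypted
    r"C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll",  # opened, not renamed
]


class Encrypted(NamedTuple):
    path: str
    original_path: str
    original: str
    victim_id: str
    mailbox: str
    ext: str


def parse(path: str) -> Optional[Encrypted]:
    """Return the decomposed name for a Phobos-renamed file, or None."""
    p = PureWindowsPath(path)
    m = PHOBOS_NAME.match(p.name)
    if m is None:
        return None
    return Encrypted(
        path=path,
        original_path=str(p.with_name(m["original"])),
        original=m["original"],
        victim_id=m["victim_id"],
        mailbox=m["mailbox"],
        ext=m["ext"],
    )


def triage(paths):
    """Summarise a file listing: what was renamed, under which IDs, from what."""
    parsed = [parse(p) for p in paths]
    enc = [e for e in parsed if e is not None]
    return {
        "encrypted": len(enc),
        "untouched": len(parsed) - len(enc),
        "by_victim_id": dict(Counter(e.victim_id for e in enc)),
        # First ID segment varies per host on this page; the second does not.
        "id_suffixes": sorted({e.victim_id.split("-")[1] for e in enc}),
        "extensions": sorted({e.ext for e in enc}),
        "mailboxes": sorted({e.mailbox for e in enc}),
        "originals": [e.original_path for e in enc],
    }


if __name__ == "__main__":
    for k, v in triage(PATHS).items():
        print(k, v)
```

The mailbox group is matched lazily so the nested brackets of the placeholder survive; on a real listing the same regex yields the actual contact address, and grouping by the constant second ID segment separates files touched by this build from those of a different Phobos campaign sharing a share.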

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LS99WIMF\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\266EQP1S\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WZPJ6IGS\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BB0Z8TKM\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JP38OXIN\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1OEGTYQG\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\plugin.jar.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageSlice.gif C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jli.dll C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02451_.WMF C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14829_.GIF C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0215086.WMF C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STRBRST.POC.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_choosefont.gif C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00646_.WMF.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\WMPDMC.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01548_.WMF C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107188.WMF.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198712.WMF.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libedgedetection_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.DPV C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\System\en-US\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTITS.ICO.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Menominee.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ts_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSTYLE.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOUTL.OLB C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3A.BDR C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ado\msado20.tlb C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105520.WMF.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Asuncion C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Qatar.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\EST C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLVBS.DLL C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00538_.WMF.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.id[940A5AE6-3540].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0187423.WMF C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\system32\cmd.exe
PID 1532 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2536 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2536 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2896 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2896 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2896 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2896 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1532 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1532 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1532 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1532 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1532 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe C:\Windows\system32\cmd.exe
PID 2256 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2256 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2256 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2256 wrote to memory of 792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2256 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-06_b9901d7f5cba3befab569d78accba5dc_phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\info.hta

MD5 646069663b48ed1bed665182b913e934
SHA1 529fac78821a51bd5c73e5082eb2a69b8c9381b6
SHA256 f2ff7cfb992a7507a4e7c8d20d168242e17d37e02fc49bb0dd084e78bc3d1882
SHA512 37c10238eb24ef0f7e227a5650aa3c07893c8a829dd307cdb842cd006caec430d001f581fb3ff0d97a450e8acf94d06aa979e3d8005be1bbac24ac28367560ae