Malware Analysis Report

2024-09-11 00:57

Sample ID 240620-x6bjjstfla
Target 2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos
SHA256 844afe9491b526a0a7fe3ad39386082353a1944873b92fcd1aa5ff1f0cf4fec9
Tags
phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

844afe9491b526a0a7fe3ad39386082353a1944873b92fcd1aa5ff1f0cf4fec9

Threat Level: Known bad

The file 2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos was found to be: Known bad.

Malicious Activity Summary

Phobos

Deletes shadow copies

Renames multiple (527) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (324) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Modifies registry class

Checks SCSI registry key(s)

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 19:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:30

Platform

win7-20240419-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (324) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[8DC4A3DA-3538].[[email protected]].faust | C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe | N/A

Drops desktop.ini file(s)


Drops file in Program Files directory


Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege, shown by the sandbox as the raw privilege LUID) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2912 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 2612 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2776 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2912 wrote to memory of 2652 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2612 wrote to memory of 2880 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2912 wrote to memory of 2696 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2912 wrote to memory of 2988 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2912 wrote to memory of 2624 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2912 wrote to memory of 2572 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2976 wrote to memory of 2852 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2976 wrote to memory of 2752 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2976 wrote to memory of 1152 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2976 wrote to memory of 2812 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2976 wrote to memory of 2900 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 1600 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2900 wrote to memory of 288 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2900 wrote to memory of 1676 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2900 wrote to memory of 2332 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2900 wrote to memory of 2068 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
Each parent/child pair above is one process launch (the writes are the parent populating the new child's address space), so this table doubles as the process tree: the sample (2976) spawns three cmd.exe shells (2912, 2612, 2900) that run the recovery-inhibition and firewall commands, and four mshta.exe instances that display the info.hta ransom note.

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
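The Processes list above is the whole recovery-inhibition chain in the clear: shadow copies deleted twice over (vssadmin and WMIC), the backup catalog removed, Windows recovery and boot-failure handling switched off with bcdedit, the firewall disabled through both the old and new netsh syntax, and mshta.exe launched on info.hta. The following is an added example (not part of the sandbox report) of detection logic a SOC would run over process-creation telemetry (Sysmon Event ID 1 or Security 4688 shaped records): it classifies each command line against the commands seen here and then aggregates hits per process tree, so that the five distinct T1490 commands spawned from one root are scored together rather than as unrelated alerts. The sample events are constructed from the PIDs and command lines in this report's Processes and WriteProcessMemory sections (image names shortened to basenames); the explorer.exe/"vssadmin list shadows" records are constructed benign activity added to show the rules do not fire on a read-only query. The rule names, verdict labels and the event dict layout are this example's own.

```python
import re

# Command-line rules for the chain seen in the report. ATT&CK: T1490 Inhibit
# System Recovery, T1562.004 Disable or Modify System Firewall,
# T1218.005 System Binary Proxy Execution: Mshta. Rules run on normalised
# (lower-cased, whitespace-collapsed) command lines.
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete shadows\b")),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy delete\b")),
    ("wbadmin_delete_catalog", "T1490",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete catalog\b")),
    ("bcdedit_recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled no\b")),
    ("bcdedit_ignore_boot_failures", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy ignoreallfailures\b")),
    ("netsh_firewall_off", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\b.*(?:\bstate off\b|\bopmode mode=disable\b)")),
    ("mshta_local_hta", "T1218.005",
     re.compile(r"\bmshta(?:\.exe)?\b.*\.hta\b")),
]


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so quoting/casing variants hit the same rule."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def classify(cmdline: str):
    """Return [(rule_name, technique_id), ...] matching one process command line."""
    text = normalise(cmdline)
    return [(name, tid) for name, tid, rx in RULES if rx.search(text)]


def score_process_trees(events):
    """Group process-creation events by their root ancestor and score each tree.

    events: iterable of dicts with keys pid, ppid, image, cmdline.
    Returns {root_pid: {"image", "processes", "rules", "techniques", "verdict"}}.
    """
    by_pid = {e["pid"]: e for e in events}

    def root_of(pid):
        seen = set()  # guards against PID reuse producing a cycle
        while pid not in seen and by_pid[pid]["ppid"] in by_pid:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
        return pid

    trees = {}
    for e in events:
        root = root_of(e["pid"])
        t = trees.setdefault(root, {"image": by_pid[root]["image"], "processes": 0,
                                    "rules": set(), "techniques": set()})
        t["processes"] += 1
        for name, tid in classify(e["cmdline"]):
            t["rules"].add(name)
            t["techniques"].add(tid)

    for t in trees.values():
        # Two or more distinct recovery-inhibition commands under one root is the
        # ransomware pattern; a single hit is worth a look but is not conclusive.
        inhibit = sum(1 for name, tid, _ in RULES if tid == "T1490" and name in t["rules"])
        if inhibit >= 2:
            t["verdict"] = "ransomware_recovery_inhibition"
        elif t["rules"]:
            t["verdict"] = "suspicious"
        else:
            t["verdict"] = "clean"
        t["rules"] = sorted(t["rules"])
        t["techniques"] = sorted(t["techniques"])
    return trees


# Constructed from the report's process list; PIDs are those in the
# WriteProcessMemory table. The parent of 2976 is not in the report (1000 is a stand-in).
SAMPLE_EVENTS = [
    {"pid": 2976, "ppid": 1000, "image": "2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe"'},
    {"pid": 2912, "ppid": 2976, "image": "cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2612, "ppid": 2976, "image": "cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2776, "ppid": 2612, "image": "netsh.exe", "cmdline": "netsh advfirewall set currentprofile state off"},
    {"pid": 2880, "ppid": 2612, "image": "netsh.exe", "cmdline": "netsh firewall set opmode mode=disable"},
    {"pid": 2652, "ppid": 2912, "image": "vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 2696, "ppid": 2912, "image": "WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 2988, "ppid": 2912, "image": "bcdedit.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 2624, "ppid": 2912, "image": "bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 2572, "ppid": 2912, "image": "wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 2852, "ppid": 2976, "image": "mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'},
    # Constructed benign activity: an administrator listing shadow copies.
    {"pid": 4100, "ppid": 900, "image": "explorer.exe", "cmdline": r'"C:\Windows\explorer.exe"'},
    {"pid": 4200, "ppid": 4100, "image": "cmd.exe", "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for root, t in score_process_trees(SAMPLE_EVENTS).items():
        print(root, t["image"], t["verdict"], ", ".join(t["rules"]))
```

Scoring per tree rather than per event is the point: any one of these commands has legitimate administrative uses, but the sample's root process accumulates all five T1490 rules plus the firewall and mshta hits within seconds, which is the signal worth paging on. Feeding real telemetry only requires mapping your log fields onto pid/ppid/cmdline.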

Network

N/A

Files

C:\info.hta

MD5 9ea91d950e9c36d2a9e8f9b30ead5259
SHA1 96d440aae564e77b8f2e59897c3e69b00e8b48bc
SHA256 aef5f5f296997bb1751a666850087bbc5647d461f71e3f0174cd06c8c23b6d8c
SHA512 241b67d6e4947d572d945f280bcdb3f95d64b8e048d79c85832ff18d9ee0542adb74b923bcbaba04c3cadd9528eea5588a0adb068178a9f45fbda32eaeadd46d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 19:27

Reported

2024-06-20 19:30

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (527) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
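Both the file-rename signatures and the rows above show the Phobos naming scheme: the original name (including its extension) is kept and `.id[<8 hex id>-<4 digits>].[<contact>].faust` is appended, where the first part of the id differs between the two detonations (8DC4A3DA vs 2C52DD15, i.e. it is machine-specific) and the `-3538` part is constant. The following is an added example (not part of the sandbox report) of a parser for that scheme, used to inventory a hit host: it recovers the original filename, extracts the victim id, contact and extension as IOCs, and counts the ransom notes. The directory listing is constructed from paths in this report; because the report redacts the contact address, the sample uses the placeholder `ransom@example.com`, and the listing deliberately mixes the ids of both detonations (a real host would show one).

```python
import re
from collections import Counter

# Suffix appended to every encrypted file:
#   <original>.id[<8 hex machine id>-<4 digit variant id>].[<contact>].<ext>
PHOBOS_SUFFIX = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<machine_id>[0-9A-Fa-f]{8})-(?P<variant_id>\d{4})\]"
    r"\.\[(?P<contact>[^\[\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]{2,16})$"
)

RANSOM_NOTE = "info.hta"  # dropped to C:\, the desktops and every mapped drive root


def basename(path: str) -> str:
    """Last component of a Windows path (also accepts a bare filename)."""
    return path.rsplit("\\", 1)[-1]


def parse_phobos_name(path: str):
    """Split an encrypted filename into its parts; None if it is not Phobos-styled."""
    m = PHOBOS_SUFFIX.match(basename(path))
    if not m:
        return None
    parts = m.groupdict()
    parts["machine_id"] = parts["machine_id"].upper()
    return parts


def original_name(path: str) -> str:
    """Recover the pre-encryption filename (untouched files come back unchanged)."""
    parts = parse_phobos_name(path)
    return parts["original"] if parts else basename(path)


def original_type(original: str) -> str:
    """Extension of the original file, lower-cased, '' if it had none."""
    return original.rsplit(".", 1)[-1].lower() if "." in original else ""


def summarize(paths):
    """Aggregate IOCs and impact counts from a file listing of a suspected host."""
    parsed = [p for p in map(parse_phobos_name, paths) if p]
    notes = [p for p in paths if basename(p).lower() == RANSOM_NOTE]
    return {
        "encrypted_files": len(parsed),
        "victim_ids": sorted({f"{p['machine_id']}-{p['variant_id']}" for p in parsed}),
        "contacts": sorted({p["contact"] for p in parsed}),
        "extensions": sorted({p["ext"] for p in parsed}),
        "original_types": Counter(original_type(p["original"]) for p in parsed),
        "ransom_notes": notes,
    }


# Constructed listing: paths from this report, contact address is a placeholder.
SAMPLE_LISTING = [
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02270_.WMF.id[8DC4A3DA-3538].[ransom@example.com].faust",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[2C52DD15-3538].[ransom@example.com].faust",
    r"C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.XML",
    r"C:\info.hta",
    r"C:\Users\Admin\Desktop\info.hta",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

The victim id and contact string are what you would pivot on across hosts: the same contact with different machine ids points to one campaign, and the variant id is worth recording alongside the hash of info.hta given in the Files section. Note that the Startup folder row above shows the sample also copies itself there unencrypted, so an inventory should flag any executable in that folder in addition to the `.faust` files.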

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\policytool.exe.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\ui-strings.js.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\MSFT_PackageManagement.strings.psd1 C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_filter_18.svg.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ADO210.CHM.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7734_36x36x32.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.gpd.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Silhouette.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nl_135x40.svg C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Extensions.dll C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\xbox_live_logo_black.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\ui-strings.js.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\flags.png.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\13.jpg C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dll.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\en-us\office_strings.js C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\de\Microsoft.PowerShell.PSReadline.Resources.dll.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FFFFFF-0.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.id[2C52DD15-3538].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
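
Every "File created" row in the table above ends in the same suffix, `.id[2C52DD15-3538].[<contact>].faust`: the Phobos naming scheme of original name, bracketed victim ID (eight hex characters, a dash, four digits), bracketed attacker contact address and campaign extension. In this report the contact address survives only as the literal placeholder `[email protected]`, so it has to be treated as opaque. The parser below is an added example for pulling the victim ID, extension and affected products out of such rows; it is not code from the report or from the sandbox vendor, and `SAMPLE_ROWS` is a constructed subset of the rows above (process and target columns kept as printed). The regex accepts any Phobos-style suffix, not only `.faust`.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Phobos-style encrypted name: <original>.id[<8 hex>-<4 digits>].[<contact>].<ext>
# The contact field is matched lazily because this report renders it as the
# literal placeholder "[email protected]", which itself contains brackets.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# One sandbox file-event row: "<action> <path> <process image> <target>".
# The path may contain spaces, so it is matched lazily up to the process
# column, which is a space-free path ending in .exe followed by the target.
ROW = re.compile(
    r"^(?P<action>File created|File opened for modification)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+(?P<process>\S+?\.exe)\s+(?P<target>\S+)$"
)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe"

# Constructed subset of the "Drops file in Program Files directory" rows above.
SAMPLE_ROWS = [
    rf"File created C:\Program Files\Java\jdk-1.8\bin\policytool.exe.id[2C52DD15-3538].[[email protected]].faust {SAMPLE_EXE} N/A",
    rf"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll {SAMPLE_EXE} N/A",
    rf"File created C:\Program Files\7-Zip\Lang\ku.txt.id[2C52DD15-3538].[[email protected]].faust {SAMPLE_EXE} N/A",
    rf"File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ADO210.CHM.id[2C52DD15-3538].[[email protected]].faust {SAMPLE_EXE} N/A",
    rf"File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe {SAMPLE_EXE} N/A",
]


def parse_encrypted_name(name):
    """Split a Phobos-style encrypted file name; None for an unencrypted name."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def parse_rows(rows):
    """Yield (action, PureWindowsPath) for each row that parses."""
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            yield m["action"], PureWindowsPath(m["path"])


def summarize(rows):
    """Collect victim IDs, extensions and per-product counts of encrypted outputs."""
    victim_ids, extensions, contacts = set(), set(), set()
    encrypted = plain = 0
    by_product = Counter()
    for _action, path in parse_rows(rows):
        parsed = parse_encrypted_name(path.name)
        if parsed is None:
            plain += 1  # original file touched but no encrypted twin in this row
            continue
        encrypted += 1
        victim_ids.add(parsed["victim_id"].upper())
        extensions.add(parsed["ext"].lower())
        contacts.add(parsed["contact"])
        # parts[0] is the drive, parts[1] "Program Files", parts[2] the product dir
        by_product[path.parts[2] if len(path.parts) > 2 else path.parts[-1]] += 1
    return {
        "victim_ids": victim_ids,
        "extensions": extensions,
        "contacts": contacts,
        "encrypted": encrypted,
        "plain": plain,
        "by_product": dict(by_product),
    }


def hunt_regex(victim_id, ext):
    """Regex for finding this campaign's outputs in other file listings."""
    return re.compile(rf"\.id\[{re.escape(victim_id)}\]\.\[.+?\]\.{re.escape(ext)}$")


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The victim ID and extension together identify the campaign across hosts, which is why `hunt_regex` keys on those two fields and leaves the contact field free; a file listing from a second machine in the same incident should match the same ID.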

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Note: every row here is netsh.exe itself reading HKLM\SOFTWARE\Microsoft\NetSh, which it does on each invocation to load its helper DLLs; no write to that key by the sample is recorded. The two read sequences match the two netsh.exe children of cmd.exe under "Suspicious use of WriteProcessMemory" (PIDs 3472 and 4556) and the "Modifies Windows Firewall" summary, so treat this as the firewall change rather than a new helper registration, which would show a value being set under that key by a process other than netsh.exe.
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A

Suspicious use of AdjustPrivilegeToken

Note: only the first row is the sample's own doing (SeDebugPrivilege). The repeated WMIC.exe block is wmic enabling every privilege present in its token at start-up and appears for any wmic invocation; the unnamed LUIDs 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege in winnt.h order. The vssvc.exe and wbengine.exe rows are the Volume Shadow Copy and Block Level Backup Engine services enabling backup, restore and audit privileges while servicing the shadow-copy and backup-catalog deletions.
Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 728 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\system32\cmd.exe
PID 728 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\system32\cmd.exe
PID 728 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\system32\cmd.exe
PID 728 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\system32\cmd.exe
PID 3964 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3964 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3212 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3212 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3212 wrote to memory of 4556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3212 wrote to memory of 4556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3964 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3964 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3964 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3964 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3964 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3964 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3964 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3964 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 728 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 728 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\system32\cmd.exe
PID 728 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe C:\Windows\system32\cmd.exe
PID 2780 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2780 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2780 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2780 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2780 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2780 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2780 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2780 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2780 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2780 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_e0ca8aab0fb03f86b47664271cf17e1d_phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[2C52DD15-3538].[[email protected]].faust

MD5 90c857f8df67d12af4ee06eff535fc9f
SHA1 c49d406f3d007ab7629b357c0bdd1792ce08294e
SHA256 40c689a2206d496336de3588902c53169a5c10033fd1f33d2a73e5acf7a5cd91
SHA512 4680b42269238311731011cb80b7f095af52c1f18f0bf6326ad3445a960ed7ae6224dfe7ba25158237d9c4c9690d360d352b26ab90ba5e29cbaf5ea4c46c79fe

C:\info.hta

MD5 eab35645e2648e4f9e94c9b8a0e07210
SHA1 4dbfb72adfa2a11283fdc39f2c51da8c578f0647
SHA256 1e78933f5c71908176d3d196f37ae38511ce8d8766b2607288ccccf95bef6b62
SHA512 50df9d80ce1c850174e9ed82ea7653ab89344400e3bfeee1f6d7d1242596c34b547297ed0c6739fbf838f16a927cd2d4c2359af362138449961c763b5c8f93f3