Malware Analysis Report

2024-09-11 00:57

Sample ID 240704-g8yh4aydmj
Target 2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos
SHA256 419e2c52b87ba2817d5001a4581b909adc557a9661184c55e40fc9ebc2a5f8e7
Tags
phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

419e2c52b87ba2817d5001a4581b909adc557a9661184c55e40fc9ebc2a5f8e7

Threat Level: Known bad

The file 2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos was found to be: Known bad.

Malicious Activity Summary

Phobos

Deletes shadow copies

Renames multiple (633) files with added filename extension

Renames multiple (311) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-04 06:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 06:29

Reported

2024-07-04 06:31

Platform

win7-20240220-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (311) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5VY10BSW\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KEQD8ZAD\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NNULH633\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HL1JTUOY\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OQAMAYIL\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\66RFTKYZ\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M221U1AY\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\RequestComplete.wm C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\background.gif C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunmscapi.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\IRIS.ELM C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\VSTARemotingServer.dll.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\7-Zip\7z.exe.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7 C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.ELM.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01394_.WMF.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\WMPDMC.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\7-Zip\Lang\pt.txt.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\IPDSINTL.DLL.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVHM.POC.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_ON.GIF.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\desktop.ini.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Windows Journal\NBMapTIP.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\builtincontrolsschema.xsd.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_CN.properties C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Mozilla Firefox\default-browser-agent.exe.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabfind.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_te.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00057_.WMF.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34F.GIF.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.INF.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02122_.WMF C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\FeedSync.dll.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\library.js C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\EST5EDT C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Java\jre7\bin\dt_shmem.dll.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_01.MID.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0214948.WMF C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR10F.GIF C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Java\jre7\lib\ext\sunec.jar.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODTXT.DLL C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ro.dll.id[6212CE02-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 3016 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3016 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3016 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2540 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2540 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2540 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3016 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3016 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3016 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2540 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2540 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2540 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2540 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2540 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2540 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2540 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2540 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2540 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2540 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2540 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2540 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2368 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2368 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 2776 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2776 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2776 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2776 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2776 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2776 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2776 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2776 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2776 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2776 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2776 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2776 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2776 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2776 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2776 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\info.hta

MD5 1c7eccb6a3b78910c4176efabf8d48c2
SHA1 85cba75183758afdd1fe8f12ec2100a5173247cd
SHA256 9059d1e090167b03be8a89b4e0206c64d53775e37e7722c7801064bcff27ad42
SHA512 2682572c3667b7058081019393432e76acfee2271f63334c6368676360d01cfa0f60410c19dda032028197eb3e0bc2d576cbdd34cf106f8ede63a3c033b2fcbe

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 06:29

Reported

2024-07-04 06:31

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (633) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msowerrelief.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Context.ps1 C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\Microsoft.PowerShell.PSReadline.Resources.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons.png.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\README.html C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeNullOrEmpty.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Mozilla Firefox\freebl3.dll.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fi_get.svg.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\content-types.properties C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\MoviesAnywhereLogo.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\ui-strings.js.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.js C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\BuildInfo.xml C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\nub.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-localization-l1-2-0.dll.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\ui-strings.js.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\BuildInfo.xml C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\identity_proxy\resources.pri.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msolap_xl.dll.id[463D0814-2837].[[email protected]].eject C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3456 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 3456 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 3456 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 3456 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 4112 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4112 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2436 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2436 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4112 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4112 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2436 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2436 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2436 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2436 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2436 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WaaSMedicAgent.exe
PID 2436 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WaaSMedicAgent.exe
PID 2436 wrote to memory of 1204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2436 wrote to memory of 1204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3456 wrote to memory of 5840 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5840 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5840 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5768 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5768 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5768 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3456 wrote to memory of 5908 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 3456 wrote to memory of 5908 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe C:\Windows\system32\cmd.exe
PID 5908 wrote to memory of 6032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5908 wrote to memory of 6032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5908 wrote to memory of 6112 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5908 wrote to memory of 6112 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5908 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5908 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5908 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5908 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5908 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 5908 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-07-04_f5e6debd7ae08b93c1bcd40f6873a991_phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1300,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:8

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe f9bafac88159f26902bd0dc203cd5827 NAdYBFQ3X0qZ6JRS3Kw8Mg.0.1.0.0.0

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[463D0814-2837].[[email protected]].eject

C:\info.hta
