Malware Analysis Report

2024-09-11 00:59

Sample ID 240704-lb8d9awerh
Target 202407035ec053bc341fb1b3504bd95b1bba7d71phobos
SHA256 8f8d76d157e5e4dbd7210cb19ce27b3734147c430a534143c97b90c1f5e35249
Tags phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 8f8d76d157e5e4dbd7210cb19ce27b3734147c430a534143c97b90c1f5e35249

Threat Level: Known bad

The file 202407035ec053bc341fb1b3504bd95b1bba7d71phobos was found to be: Known bad.

Malicious Activity Summary

phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer

Phobos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (312) files with added filename extension

Renames multiple (631) files with added filename extension

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-04 09:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-04 09:22
Reported: 2024-07-04 09:25
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (312) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
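The four signatures above (shadow copies, bcdedit, backup catalog, firewall) are the recovery-inhibition chain Phobos runs before encrypting, and the report records the child process images but not their arguments. The following detection logic is an added example, not part of this report or of any sandbox's rule set: it classifies process-creation events by command line and correlates them by parent process, so a single legitimate `wbadmin delete catalog` from a backup job does not fire on its own. The command lines in the constructed sample events are the ones publicly documented for Phobos, not strings taken from this page; the timestamps, PIDs and benign negative events are invented for the example.

```python
import re
from collections import defaultdict

# Patterns for the recovery-inhibition commands publicly documented for Phobos.
# The report above shows bcdedit, wbadmin, vssadmin and netsh launches without
# arguments, so these are based on published analyses, not on this page.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("boot_recovery_disable",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("firewall_disable",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\b(?:advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)\b", re.I)),
]


def classify(command_line: str) -> set:
    """Return the set of technique labels whose pattern matches the command line."""
    return {label for label, pattern in RULES if pattern.search(command_line)}


def find_inhibit_recovery_chains(events, window_s=120, min_techniques=2):
    """Flag parent processes that launched at least `min_techniques` distinct
    recovery-inhibition techniques within `window_s` seconds of the first one.
    Each event is a dict with ts (epoch seconds), pid, ppid, image and cmd,
    i.e. the fields of a Sysmon Event ID 1 / Security 4688 record."""
    images = {ev["pid"]: ev["image"] for ev in events}
    hits = defaultdict(list)
    for ev in events:
        for label in classify(ev["cmd"]):
            hits[ev["ppid"]].append((ev["ts"], label, ev["cmd"]))
    findings = []
    for ppid, matched in hits.items():
        matched.sort()
        start = matched[0][0]
        in_window = [m for m in matched if m[0] - start <= window_s]
        techniques = sorted({label for _, label, _ in in_window})
        if len(techniques) >= min_techniques:
            findings.append({
                "ppid": ppid,
                "parent_image": images.get(ppid, "<not in event set>"),
                "techniques": techniques,
                "commands": [cmd for _, _, cmd in in_window],
                "first_ts": start,
            })
    return findings


# Constructed sample events (not from the report): the sample's own process,
# the documented Phobos child commands, and two benign negatives from an admin.
MALWARE = r"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"
SAMPLE_EVENTS = [
    {"ts": 1720084900, "pid": 1337, "ppid": 1000, "image": MALWARE, "cmd": f'"{MALWARE}"'},
    {"ts": 1720084905, "pid": 1401, "ppid": 1337, "image": r"C:\Windows\system32\vssadmin.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": 1720084905, "pid": 1402, "ppid": 1337, "image": r"C:\Windows\system32\wbem\WMIC.exe", "cmd": "wmic shadowcopy delete"},
    {"ts": 1720084906, "pid": 1403, "ppid": 1337, "image": r"C:\Windows\system32\bcdedit.exe", "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": 1720084906, "pid": 1404, "ppid": 1337, "image": r"C:\Windows\system32\bcdedit.exe", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"ts": 1720084907, "pid": 1405, "ppid": 1337, "image": r"C:\Windows\system32\wbadmin.exe", "cmd": "wbadmin delete catalog -quiet"},
    {"ts": 1720084908, "pid": 1406, "ppid": 1337, "image": r"C:\Windows\system32\netsh.exe", "cmd": "netsh advfirewall set currentprofile state off"},
    {"ts": 1720084908, "pid": 1407, "ppid": 1337, "image": r"C:\Windows\system32\netsh.exe", "cmd": "netsh firewall set opmode mode=disable"},
    # Benign: an admin listing shadow copies, and one catalog deletion by a backup job.
    {"ts": 1720085000, "pid": 2001, "ppid": 1500, "image": r"C:\Windows\system32\vssadmin.exe", "cmd": "vssadmin list shadows"},
    {"ts": 1720085001, "pid": 2002, "ppid": 1500, "image": r"C:\Windows\system32\wbadmin.exe", "cmd": "wbadmin delete catalog -quiet"},
]

if __name__ == "__main__":
    for f in find_inhibit_recovery_chains(SAMPLE_EVENTS):
        print(f"parent {f['ppid']} ({f['parent_image']}): {', '.join(f['techniques'])}")
        for c in f["commands"]:
            print("   ", c)
```

Two caveats grounded in this report: the summary also lists "Uses Volume Shadow Copy service COM API", and a deletion through the COM interface produces no vssadmin command line at all, so a command-line rule must be paired with the VSS service's own deletion events. And the "Event Triggered Execution: Netsh Helper DLL" entries further down are netsh.exe opening, querying and enumerating HKLM\SOFTWARE\Microsoft\NetSh, which every netsh launch does to load its helpers; the report shows reads only, no value written, so they are a side effect of the firewall commands, not evidence of a helper DLL being installed.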

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
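The renamed files in this and the later tables follow the Phobos naming scheme `<original>.id[<8 hex>-<4 digits>].[<contact>].<ext>`, here `.id[91A2998C-3333].[[email protected]].faust` (the mailbox text is reproduced exactly as it appears in the captured report, so the parser accepts it as-is). The parser below is an added example and not part of the report: it recovers the original file name, extracts the ID and extension markers, and summarizes a list of paths so a scan of an affected host shows whether one marker was used throughout. The sample paths are taken from this report's tables; the field names `victim_id` and `campaign_id` are this example's labels for the two halves of the bracketed ID, and `scan_tree` is for a mounted image and is not exercised on the sample.

```python
import os
import re
from collections import Counter

# Phobos file-name scheme as seen in the report:
#   <original>.id[<8 hex>-<4 digits>].[<contact>].<extension>
# The contact group is matched lazily so the bracket-wrapped mailbox string as
# it appears in the captured page parses the same way as a plain address.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<campaign_id>\d{4})\]"   # labels are this example's
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_phobos_name(filename: str):
    """Return the components of a Phobos-encrypted file name, or None."""
    m = PHOBOS_NAME.match(filename)
    return m.groupdict() if m else None


def split_path(path: str):
    """Split a Windows or POSIX path into (directory including separator, basename)."""
    idx = max(path.rfind("\\"), path.rfind("/"))
    return (path[: idx + 1], path[idx + 1:]) if idx >= 0 else ("", path)


def original_path(path: str):
    """Path the file had before encryption, or None if the name is not Phobos-style."""
    directory, name = split_path(path)
    parsed = parse_phobos_name(name)
    return directory + parsed["original"] if parsed else None


def summarize(paths):
    """Count encrypted files per (victim_id, campaign_id, contact, ext) and the
    number of names that did not parse, so a host scan shows whether a single
    marker was applied everywhere and how much was left untouched."""
    by_marker = Counter()
    unparsed = 0
    for p in paths:
        parsed = parse_phobos_name(split_path(p)[1])
        if parsed:
            key = (parsed["victim_id"], parsed["campaign_id"], parsed["contact"], parsed["ext"])
            by_marker[key] += 1
        else:
            unparsed += 1
    return {"markers": dict(by_marker), "unparsed": unparsed}


def scan_tree(root):
    """Walk a directory tree (e.g. a mounted forensic image) and summarize it."""
    paths = []
    for dirpath, _, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return summarize(paths)


# Sample paths copied from the report's tables; the last one was opened for
# modification but is not shown renamed, so it is the negative case.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[91A2998C-3333].[[email protected]].faust",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau.id[91A2998C-3333].[[email protected]].faust",
    r"C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE.id[91A2998C-3333].[[email protected]].faust",
    r"C:\Program Files\7-Zip\Lang\uk.txt",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(original_path(p) or f"(not encrypted) {p}")
    print(summarize(SAMPLE_PATHS))
```

The `.faust` extension and the bracketed ID are the quickest way to tie files on different hosts to the same intrusion: the same `(victim_id, campaign_id, contact, ext)` tuple across machines means one run of one build, while a different 4-digit number or contact means a second affiliate or a second campaign that needs separate handling.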

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\202407035ec053bc341fb1b3504bd95b1bba7d71phobos = "C:\\Users\\Admin\\AppData\\Local\\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe" C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\202407035ec053bc341fb1b3504bd95b1bba7d71phobos = "C:\\Users\\Admin\\AppData\\Local\\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe" C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\87XXOISN\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HKGE1S7K\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6QIBR00Y\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O29M4VT2\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXU0E4DR\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQ9N4B3U\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00289_.WMF.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uk.txt C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02451_.WMF.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCD98SP.POC C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185828.WMF C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Thatch.eftx.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\penkor.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0215086.WMF.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_disabled.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Mozilla Firefox\firefox.cfg.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00184_.WMF C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Formal.dotx C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\7-Zip\Lang\co.txt.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsharpen_plugin.dll.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0287005.WMF.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\MIMEDIR.DLL.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199036.WMF C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_F_COL.HXK.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\7-Zip\Lang\lt.txt.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Resources.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01875_.WMF C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OneNoteSyncPCIntl.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll.id[91A2998C-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A (this row is repeated 64 times in the source report) N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 2960 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\system32\cmd.exe
PID 1660 wrote to memory of 2628 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\system32\cmd.exe
PID 2960 wrote to memory of 2736 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2628 wrote to memory of 2456 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2960 wrote to memory of 2368 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2628 wrote to memory of 2128 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2628 wrote to memory of 2968 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 856 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2628 wrote to memory of 284 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1660 wrote to memory of 312 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1660 wrote to memory of 2608 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1660 wrote to memory of 2128 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1660 wrote to memory of 1600 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1660 wrote to memory of 1628 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 552 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1628 wrote to memory of 2344 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1628 wrote to memory of 2748 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1628 wrote to memory of 3056 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1628 wrote to memory of 384 (3 identical rows) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe

"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"

C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe

"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
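
Added example (not part of the sandbox report): the process list above is the classic Phobos recovery-inhibition chain, and every step is visible in process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line logging enabled). The script below runs the command lines from this report through a small rule set, groups hits by the root of the process tree (walking the PPID chain) and raises an alert only when one tree shows several distinct inhibit-recovery or firewall-disable commands, so a lone admin running vssadmin list shadows does not fire. The events are constructed from this page (the sample is called sample.exe here and the PIDs are illustrative); the ATT&CK mappings are T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall and T1218.005 Mshta.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 shape)
# built from the command lines listed in this report. PIDs are illustrative and
# the sample is called sample.exe here; the last two events are a benign control.
EVENTS = [
    {"pid": 1660, "ppid": 1000, "cmd": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 2960, "ppid": 1660, "cmd": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2736, "ppid": 2960, "cmd": "netsh advfirewall set currentprofile state off"},
    {"pid": 2368, "ppid": 2960, "cmd": "netsh firewall set opmode mode=disable"},
    {"pid": 2628, "ppid": 1660, "cmd": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2456, "ppid": 2628, "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 2128, "ppid": 2628, "cmd": "wmic shadowcopy delete"},
    {"pid": 2968, "ppid": 2628, "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 856,  "ppid": 2628, "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 284,  "ppid": 2628, "cmd": "wbadmin delete catalog -quiet"},
    {"pid": 312,  "ppid": 1660, "cmd": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'},
    {"pid": 4100, "ppid": 4000, "cmd": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 4102, "ppid": 4100, "cmd": "vssadmin list shadows"},
]

# (ATT&CK technique, rule name, command-line pattern)
RULES = [
    ("T1490", "vssadmin delete shadows", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("T1490", "wmic shadowcopy delete", r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("T1490", "bcdedit recoveryenabled no", r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b"),
    ("T1490", "bcdedit bootstatuspolicy ignoreallfailures", r"\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("T1490", "wbadmin delete catalog", r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("T1562.004", "netsh advfirewall state off", r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b"),
    ("T1562.004", "netsh firewall opmode disable", r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\b.*\bdisable\b"),
    ("T1218.005", "mshta launching .hta", r"\bmshta\.exe\b.*\.hta\b"),
]
RULES = [(tech, name, re.compile(pat, re.I)) for tech, name, pat in RULES]


def match_rules(cmd):
    """Return (technique, rule name) pairs whose pattern matches one command line."""
    return [(tech, name) for tech, name, rx in RULES if rx.search(cmd)]


def root_pid(pid, parents):
    """Walk the PPID chain up to the topmost process we hold an event for."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events, min_distinct=3):
    """Group rule hits by root ancestor; alert when one process tree shows at
    least min_distinct distinct recovery-inhibition / evasion commands."""
    parents = {e["pid"]: e["ppid"] for e in events}
    hits = defaultdict(list)
    for e in events:
        for tech, name in match_rules(e["cmd"]):
            hits[root_pid(e["pid"], parents)].append((tech, name, e["pid"]))
    alerts = {}
    for root, rows in hits.items():
        names = sorted({n for _, n, _ in rows})
        if len(names) >= min_distinct:
            alerts[root] = {
                "techniques": sorted({t for t, _, _ in rows}),
                "rules": names,
                "pids": sorted({p for _, _, p in rows}),
            }
    return alerts


if __name__ == "__main__":
    for root, a in correlate(EVENTS).items():
        print(f"root pid {root}: {a['techniques']} via {len(a['rules'])} distinct commands, pids {a['pids']}")
```

Key the detection on command lines and tree structure rather than on the AdjustPrivilegeToken rows: the long privilege lists attributed to WMIC.exe, vssvc.exe and wbengine.exe are those binaries enabling privileges in their own tokens once launched, while the sample itself only takes SeDebugPrivilege. Note also that the same chain runs twice here (PIDs 2628 and 1628), so a production rule should de-duplicate by root PID as this one does rather than alert per command.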

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id[91A2998C-3333].[[email protected]].faust

MD5 f17327cd87f0e22af1d7b953b3896744
SHA1 722a11ff79e421697ee4a97243c8a1c63df2d8e4
SHA256 feffd27d0e1fc456dc2847b7ad67b2e983d247200f9687e92c6814b0d39b116e
SHA512 abc224ec295cc39ddba6f84956a63d46d46870f09b1b5d3d00007192e2122d4264ae086127d12694a489b62afcb910ed5895d59ee4aafc2a497895edb093ddef

C:\Users\Public\Desktop\info.hta

MD5 41ae04bcdddd2e64098f1b9846ca7aa5
SHA1 b038e5ce049c234b40c74602244365ba69983ff3
SHA256 2d4c1f0a587e44698a88c172c4a3b012b8a9406321ce1bbcff34707a7a7819fc
SHA512 383e16168eb6dc2dc37f3bdcf9372fc11fbd607cf582c3cbc1f3049ba69fd729cdbe52d6ea1fada22b03b9def7b30de51f1a9e089679cfb705e99590f88b91e6

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 09:22

Reported

2024-07-04 09:25

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (631) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
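
Added example (not part of the sandbox report): the encrypted names in this report, here and in the behavioral1 Files section, follow one scheme, original name, then .id[<8 hex victim id>-<4 digits>], then a bracketed contact field, then the .faust extension. The victim id differs between the two detonations (91A2998C in behavioral1, D79933EB in behavioral2) while the 4-digit tag (3333) and the extension are the same; the contact field appears on this page only as the redacted token [email protected], so the parser below treats it as opaque text. The listing is constructed from paths on this page plus one untouched document and one more encrypted file in the same scheme; it is not output from the sample.

```python
import re
from collections import Counter

# Filename pattern observed in this report:
#   <original name>.id[<8 hex victim id>-<4 digits>].[<contact>].<extension>
# The contact field is opaque here: on this page it is the redacted token
# "[email protected]", not a real address.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<tag>\d{4})\]"
    r"\.\[(?P<contact>.+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_phobos_name(filename):
    """Return the parsed fields for a Phobos-style encrypted filename, else None."""
    m = PHOBOS_NAME.match(filename)
    return m.groupdict() if m else None


# Constructed listing: two encrypted names and the note path from this report
# (their victim ids come from different detonations), plus an untouched
# document and one more encrypted file in the same naming scheme.
SAMPLE_LISTING = [
    r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id[91A2998C-3333].[[email protected]].faust",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[D79933EB-3333].[[email protected]].faust",
    r"C:\Users\Admin\Documents\archive.tar.id[D79933EB-3333].[[email protected]].faust",
    r"C:\Users\Admin\Documents\report.docx",
    r"C:\Users\Public\Desktop\info.hta",
]


def triage_listing(paths):
    """Split a listing into encrypted files, ransom notes and untouched files,
    and summarise the victim ids, tags, contact fields and extensions seen."""
    encrypted, notes, untouched = [], [], []
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        info = parse_phobos_name(name)
        if info:
            info["path"] = path
            encrypted.append(info)
        elif name.lower() == "info.hta":   # note name used by this sample
            notes.append(path)
        else:
            untouched.append(path)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "untouched": untouched,
        "victim_ids": dict(Counter(e["victim_id"].upper() for e in encrypted)),
        "tags": sorted({e["tag"] for e in encrypted}),
        "contacts": sorted({e["contact"] for e in encrypted}),
        "extensions": sorted({e["ext"].lower() for e in encrypted}),
    }


if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    print(f"{len(summary['encrypted'])} encrypted, {len(summary['notes'])} notes, "
          f"victim ids {summary['victim_ids']}, extensions {summary['extensions']}")
    for e in summary["encrypted"]:
        print(f"  {e['original']} -> id {e['victim_id']} tag {e['tag']} ext {e['ext']}")
```

Run it over a real listing (for example the output of dir /s /b from a rescued volume) and the victim id count tells you whether one or several infections touched the share, while the contacts and extension are what to quote in the incident record; the original name is what to restore from backup once the shadow copies are gone, as they are after the commands in this report.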

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\202407035ec053bc341fb1b3504bd95b1bba7d71phobos = "C:\\Users\\Admin\\AppData\\Local\\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe" C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\202407035ec053bc341fb1b3504bd95b1bba7d71phobos = "C:\\Users\\Admin\\AppData\\Local\\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe" C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Xml.XmlSerializer.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-20.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\msedgeupdateres_cs.dll.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\skin_beeps.lua C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\msedgeupdateres_am.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-60_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eyebrow.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\MSFT_PackageManagementSource.strings.psd1 C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kk.txt C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\identity_proxy\win11\identity_helper.Sparse.Dev.msix.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-32.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reminders_18.svg.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\ui-strings.js C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LargeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-36.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8FR.LEX.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_Package.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\BreakAndContinue.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\ui-strings.js.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_18.svg C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-tool-view.js.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.ps1 C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\ui-strings.js.id[D79933EB-3333].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
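
Both the desktop.ini table and the Program Files table above mix two kinds of rows: "File opened for modification" on an original file, and "File created" (or a later open) on the encrypted output, whose name follows the Phobos convention <original>.id[<victim id>-<4 digits>].[<contact>].<extension>. The script below is an added triage helper, not part of the sandbox report: it parses rows in the flattened "Description Indicator Process Target" form, recognises the Phobos naming pattern, recovers the original path from each encrypted name, and tallies victim IDs, contact fields and extensions. It assumes the process column carries no spaces (true for every row above) and accepts any bracketed contact string because the report shows that field as "[email protected]". The sample rows are copied from the tables above.

```python
import re
from collections import Counter

# Phobos output name: <original name>.id[<8 hex>-<4 digits>].[<contact>].<ext>
# The contact field is matched loosely because the report shows it as
# "[email protected]" rather than a real address.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[^.\]]+)$"
)

# One flattened "Description Indicator Process Target" row. The indicator path
# may contain spaces; the process path is assumed not to (holds for all rows above).
EVENT_ROW = re.compile(
    r"^(?P<op>File created|File opened for modification) "
    r"(?P<path>.+?) (?P<process>\S+) N/A$"
)

PHOBOS_EXE = r"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"

# Constructed sample: five rows copied from the tables above.
SAMPLE_ROWS = [
    rf"File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.id[D79933EB-3333].[[email protected]].faust {PHOBOS_EXE} N/A",
    rf"File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.id[D79933EB-3333].[[email protected]].faust {PHOBOS_EXE} N/A",
    rf"File opened for modification C:\Program Files\7-Zip\Lang\kk.txt {PHOBOS_EXE} N/A",
    rf"File created C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo.id[D79933EB-3333].[[email protected]].faust {PHOBOS_EXE} N/A",
    rf"File opened for modification C:\Users\Admin\Pictures\desktop.ini {PHOBOS_EXE} N/A",
]


def parse_phobos_name(name):
    """Split an encrypted file name into its parts, or return None if it is not one."""
    m = PHOBOS_NAME.match(name)
    return m.groupdict() if m else None


def parse_event_row(row):
    """Parse one table row; attach the decoded Phobos name and the pre-encryption path."""
    m = EVENT_ROW.match(row.strip())
    if not m:
        return None
    ev = m.groupdict()
    name = ev["path"].rsplit("\\", 1)[-1]
    ev["encrypted"] = parse_phobos_name(name)
    # Original path = directory part + name before the appended suffix.
    ev["original_path"] = (
        ev["path"][: -len(name)] + ev["encrypted"]["original"] if ev["encrypted"] else None
    )
    return ev


def summarize(rows):
    """Tally victim IDs, contacts, extensions and recovered original paths over the rows."""
    events = [e for e in map(parse_event_row, rows) if e]
    victims, contacts, exts = set(), set(), Counter()
    originals, plain = [], []
    for ev in events:
        enc = ev["encrypted"]
        if enc:
            victims.add(enc["victim"])
            contacts.add(enc["contact"])
            exts[enc["ext"]] += 1
            originals.append(ev["original_path"])
        else:
            plain.append(ev["path"])
    return {
        "rows": len(events),
        "encrypted_outputs": len(originals),
        "victim_ids": sorted(victims),
        "contacts": sorted(contacts),
        "extensions": dict(exts),
        "originals": originals,
        "plain_paths": plain,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

On a real host the same parser can be pointed at a directory walk instead of report rows: a single victim ID across thousands of files is the normal Phobos picture, and the recovered original paths give the list to restore from backup.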

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Note: every row below is netsh.exe reading HKLM\SOFTWARE\Microsoft\NetSh, the key where netsh helper DLLs are registered; netsh enumerates that key on every start, and no row records a value being written. The rows therefore reflect the netsh invocations spawned through cmd.exe for the firewall changes (see the WriteProcessMemory rows), not a helper DLL being added for persistence. To confirm, compare the values under that key against a known-good host.
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
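
The privilege table above and the "Suspicious use of WriteProcessMemory" rows that follow it are both flat lists keyed by process, and the sandbox logs each parent/child pair two or three times. The script below is an added analysis helper, not part of the report: it deduplicates the WriteProcessMemory rows into a process tree rooted at the sample, resolves the privileges the sandbox reports only by LUID (33 through 36 are the well-known values for SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege), attaches each image's enabled privileges to its node, and flags the built-in recovery and firewall utilities the chain spawns. It assumes image paths carry no spaces, which holds for every row in this report; the sample rows are constructed from the two tables.

```python
import re
from collections import defaultdict

# Row shapes as they appear in the two tables (whitespace-flattened):
#   "PID <parent> wrote to memory of <child> N/A <parent image> <child image>"
#   "Token: <privilege or LUID> N/A <image> N/A"
# Assumes image paths carry no spaces, true for every row in this report.
WPM_ROW = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<parent_image>\S+) (?P<child_image>\S+)$"
)
PRIV_ROW = re.compile(r"^Token: (?P<priv>\S+) N/A (?P<image>\S+) N/A$")

# Privileges the sandbox reports only by LUID (well-known constant values).
LUID_NAMES = {
    "33": "SeIncreaseWorkingSetPrivilege",
    "34": "SeTimeZonePrivilege",
    "35": "SeCreateSymbolicLinkPrivilege",
    "36": "SeDelegateSessionUserImpersonatePrivilege",
}

# Built-in tools ransomware chains spawn to inhibit recovery or change the host firewall.
RECOVERY_TOOLS = {"vssadmin.exe", "wmic.exe", "bcdedit.exe", "wbadmin.exe", "netsh.exe"}

PHOBOS = r"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"
CMD = r"C:\Windows\system32\cmd.exe"

# Constructed sample: the distinct pairs from the WriteProcessMemory table,
# with two of the duplicate rows the sandbox logs kept in to show deduplication.
WPM_ROWS = [
    f"PID 3156 wrote to memory of 216 N/A {PHOBOS} {CMD}",
    f"PID 3156 wrote to memory of 216 N/A {PHOBOS} {CMD}",
    f"PID 3156 wrote to memory of 4512 N/A {PHOBOS} {CMD}",
    rf"PID 216 wrote to memory of 3520 N/A {CMD} C:\Windows\system32\vssadmin.exe",
    rf"PID 4512 wrote to memory of 1256 N/A {CMD} C:\Windows\system32\netsh.exe",
    rf"PID 4512 wrote to memory of 4476 N/A {CMD} C:\Windows\system32\netsh.exe",
    rf"PID 216 wrote to memory of 2796 N/A {CMD} C:\Windows\System32\Wbem\WMIC.exe",
    rf"PID 216 wrote to memory of 520 N/A {CMD} C:\Windows\system32\bcdedit.exe",
    rf"PID 216 wrote to memory of 3900 N/A {CMD} C:\Windows\system32\bcdedit.exe",
    rf"PID 216 wrote to memory of 2524 N/A {CMD} C:\Windows\system32\wbadmin.exe",
    rf"PID 3156 wrote to memory of 6108 N/A {PHOBOS} C:\Windows\SysWOW64\mshta.exe",
    rf"PID 3156 wrote to memory of 6108 N/A {PHOBOS} C:\Windows\SysWOW64\mshta.exe",
    rf"PID 3156 wrote to memory of 3032 N/A {PHOBOS} C:\Windows\SysWOW64\mshta.exe",
    rf"PID 3156 wrote to memory of 4684 N/A {PHOBOS} C:\Windows\SysWOW64\mshta.exe",
]

# Constructed sample: a subset of the AdjustPrivilegeToken rows above.
PRIV_ROWS = [
    f"Token: SeDebugPrivilege N/A {PHOBOS} N/A",
    r"Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A",
    r"Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A",
    r"Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
    r"Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
    r"Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A",
]


def parse_edges(rows):
    """Distinct (parent pid, child pid) -> (parent image, child image), first-seen order."""
    edges = {}
    for row in rows:
        m = WPM_ROW.match(row.strip())
        if m:
            edges.setdefault((int(m["parent"]), int(m["child"])),
                             (m["parent_image"], m["child_image"]))
    return edges


def parse_privileges(rows):
    """Privileges enabled per image, LUIDs resolved to names, duplicates dropped."""
    privs = defaultdict(list)
    for row in rows:
        m = PRIV_ROW.match(row.strip())
        if m:
            name = LUID_NAMES.get(m["priv"], m["priv"])
            if name not in privs[m["image"]]:
                privs[m["image"]].append(name)
    return dict(privs)


def build_tree(edges):
    """Children per pid, image per pid, and the roots (parents that are nobody's child)."""
    children, image = defaultdict(list), {}
    for (parent, child), (pimg, cimg) in edges.items():
        children[parent].append(child)
        image.setdefault(parent, pimg)
        image[child] = cimg
    spawned = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in spawned]
    return {"children": dict(children), "image": image, "roots": roots}


def recovery_tools_spawned(tree):
    """Basenames of recovery/firewall utilities anywhere in the tree, sorted."""
    bases = {img.rsplit("\\", 1)[-1].lower() for img in tree["image"].values()}
    return sorted(bases & RECOVERY_TOOLS)


def render(tree, privs, pid=None, depth=0):
    """Indented text tree; each node shows pid, image basename, flag and privileges."""
    if pid is None:
        return "\n".join(render(tree, privs, r) for r in tree["roots"])
    img = tree["image"][pid]
    base = img.rsplit("\\", 1)[-1]
    flag = "  <-- recovery/firewall tool" if base.lower() in RECOVERY_TOOLS else ""
    held = privs.get(img)
    detail = f"  [{', '.join(held)}]" if held else ""
    lines = [f"{'    ' * depth}{pid}  {base}{flag}{detail}"]
    for child in tree["children"].get(pid, []):
        lines.append(render(tree, privs, child, depth + 1))
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_tree(parse_edges(WPM_ROWS))
    print(render(tree, parse_privileges(PRIV_ROWS)))
    print("recovery tools spawned:", recovery_tools_spawned(tree))
```

The tree makes the two-stage structure visible at a glance: one cmd.exe child carries the shadow-copy, WMIC, bcdedit and wbadmin chain, a second cmd.exe carries the netsh calls, and mshta.exe is launched directly by the sample. The privilege annotation shows why the long WMIC list is not itself suspicious: WMIC enables every privilege its token holds, in LUID order, whereas the sample enabling SeDebugPrivilege is the row worth a closer look.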

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3156 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\system32\cmd.exe
PID 216 wrote to memory of 3520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 216 wrote to memory of 3520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4512 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4512 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4512 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4512 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 216 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 216 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 216 wrote to memory of 520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 216 wrote to memory of 520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 216 wrote to memory of 3900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 216 wrote to memory of 3900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 216 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 216 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3156 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 3156 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe C:\Windows\system32\cmd.exe
PID 2988 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2988 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2988 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2988 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2988 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2988 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2988 wrote to memory of 460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2988 wrote to memory of 460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2988 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2988 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe

"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"

C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe

"C:\Users\Admin\AppData\Local\Temp\202407035ec053bc341fb1b3504bd95b1bba7d71phobos.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4308,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=3768 /prefetch:8

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id[D79933EB-3333].[[email protected]].faust

MD5 01a753be96412d9521b1dfd563335e22
SHA1 20aeba8bb43c3d0c3c6d8bc53f47c9f27ee62d62
SHA256 1fa2a8f572a4bc81aeda44dc070ae65448e7cdb258cbeff2984d573e08532739
SHA512 b26575c6ada2df06a96e32f8f7e51fa7ac1c2ae081ace34051c10d62c559e28f30ad016bed24e5b789c833c894547fcb58e70ce4810fd04f69d814862e877582

C:\info.hta

MD5 aa95657edeb8de7458bef0b491b2ebca
SHA1 ed8838422c3f9a69b3c7834cdcd25e95e4b38955
SHA256 32920b48ce336ca221d04de03ae6ec1ec43cb2d7c8011bdd23a1dfcb999b4cff
SHA512 3ba3884df426b1648482a1aeb29f347d4dbdcbc3e839f9b12a671adc32087b5f88130c04417e3c56139f2a0a53c752e9d58568af71d548717c9dc742788576a9