Malware Analysis Report

2024-09-11 01:03

Sample ID 240725-l5cvfasekn
Target 2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi
SHA256 f604723783fbd9d194418ff08b5b30a120bc69ba91c3d74ca7ee6be20cb28800
Tags
phobos aspackv2 credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 f604723783fbd9d194418ff08b5b30a120bc69ba91c3d74ca7ee6be20cb28800

Threat Level: Known bad

The file 2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi was found to be: Known bad.

Malicious Activity Summary

phobos aspackv2 credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer

Phobos

Renames multiple (522) files with added filename extension

Credentials from Password Stores: Credentials from Web Browsers

Renames multiple (317) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Deletes backup catalog

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

ASPack v2.12-2.42

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Modifies Internet Explorer settings

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-25 10:06

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 10:06

Reported

2024-07-25 10:09

Platform

win7-20240704-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe"

Signatures

Phobos

ransomware phobos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (317) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

ASPack v2.12-2.42

aspackv2

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[ACA5FF97-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi = "C:\\Users\\Admin\\AppData\\Local\\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe" C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi = "C:\\Users\\Admin\\AppData\\Local\\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe" C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A

Drops desktop.ini file(s)


Drops file in Program Files directory


Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zGrw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Users\Admin\AppData\Local\Temp\zGrw.exe
PID 1180 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\system32\cmd.exe
PID 2408 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2436 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2436 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2408 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2408 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2408 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2408 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1488 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 1488 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 1488 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 1488 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 1488 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\system32\cmd.exe
PID 2192 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2192 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2192 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe

"C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe"

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe

"C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\45b05c8d.bat" "

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

MD5 f7d21de5c4e81341eccd280c11ddcc9a
SHA1 d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA256 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512 e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

memory/1180-11-0x0000000000070000-0x0000000000079000-memory.dmp

memory/1488-10-0x0000000000120000-0x0000000000129000-memory.dmp

memory/1488-3-0x0000000000120000-0x0000000000129000-memory.dmp

memory/1488-2-0x0000000000B30000-0x0000000000B49000-memory.dmp

memory/2716-15-0x0000000000B30000-0x0000000000B49000-memory.dmp

memory/2716-14-0x0000000000B30000-0x0000000000B49000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\69P6875H\k2[1].rar

MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

C:\Users\Admin\AppData\Local\Temp\3C2D75FB.exe

MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

C:\Users\Admin\AppData\Local\Temp\45b05c8d.bat

MD5 6662631741b054ec71a47e8685a93da5
SHA1 3f55a181de674d41c479d79a57cb13758bb99d54
SHA256 5dbcf59bdc8a32a568804c4d5d4016981c0e6726f991fedb5c46c18d9a749c97
SHA512 dc8271b2c94b807023b2307dede49df1738946f0e77b8b36390ba2f1c2613d6d267807f9345d44f7267117c2fe82df053577757805995cad754a370dd971f4bc

memory/1180-55-0x0000000000070000-0x0000000000079000-memory.dmp

C:\Program Files\7-Zip\Uninstall.exe

MD5 e39fccc34b4d07ee06d3b2bef886f24f
SHA1 563d2b0e7588accdb6aacc688febbccaa53e8605
SHA256 ab0da26b87819e97f45cea22d9d439392f24186b1b5a260ad91581ddd234de7c
SHA512 6f73998ffae9fe7242f4b8e49ad1eef45b4b6dc409177691be957e61cb61cf2a7314826abcc5783d9b2ccdabeb97170ae2f9890025858d687f830215de8bf1d2

memory/1488-3575-0x0000000000B30000-0x0000000000B49000-memory.dmp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe

MD5 038fbd60fd3d1a73bb75a0b8a2b19dde
SHA1 f38d028ca60ab29337649abd0e4b64be9b5476b8
SHA256 ad5ed6487c3fb85f42d694027f573774bb9c9bdd70f32cbbc73f766a46e5d1fe
SHA512 a2d32a42dbfa1fe91c4ffe7daa5224fc7cf8da1f354f3cf355e09d5e8cdf4e817c88a5c26ee3a744ba3514b3a1fd78fee99f09f9886d323afcc46d6bbb2eb8da

C:\info.hta

MD5 a298e8ac90f213d0e2a7e9250cd46c67
SHA1 a1904cf3cf0fbfd390406f7da5cc9957eae441d1
SHA256 633d152a3a91a924a59f2376ceb0addc5669d0ee1f33ba39dc12f9608d4b7d3a
SHA512 b4d7a3f650543718aa999c1cb50dc20d40aedb05c634f7e0111bd88d8676b37ac8ef20fecbde42008a192840c7f6c8a0291ec52f54c1eec6ab31fa91f568a47f

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 10:06

Reported

2024-07-25 10:09

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe"

Signatures

Phobos

ransomware phobos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (522) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zGrw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi = "C:\\Users\\Admin\\AppData\\Local\\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe" C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi = "C:\\Users\\Admin\\AppData\\Local\\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe" C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\Microsoft.PackageManagement.resources.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msador28.tlb C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\tokens_enGB.xml C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_bn-IN.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Timer.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\EssentialLetter.dotx.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\75.jpg C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h2x.png.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PEOPLEDATAHANDLER.DLL.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-selector.js.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_gu.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_es_135x40.svg.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\7-Zip\descript.ion C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libgain_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-60_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\ui-strings.js.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\ui-strings.js.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Analytics.DATA.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CursorResourceBuilder.dll C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_dark_18.svg.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main.css.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_mk.dll C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_lv.json C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_checkbox_selected_18.svg.id[372BB73F-3542].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zGrw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Users\Admin\AppData\Local\Temp\zGrw.exe
PID 4780 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Users\Admin\AppData\Local\Temp\zGrw.exe
PID 4780 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Users\Admin\AppData\Local\Temp\zGrw.exe
PID 2352 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\zGrw.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\system32\cmd.exe
PID 4780 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\system32\cmd.exe
PID 4780 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\system32\cmd.exe
PID 4780 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\system32\cmd.exe
PID 1072 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1072 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2592 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2592 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1072 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1072 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2592 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2592 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2592 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2592 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2592 wrote to memory of 272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2592 wrote to memory of 272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2592 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2592 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4780 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\SysWOW64\mshta.exe
PID 4780 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\system32\cmd.exe
PID 4780 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2808 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2808 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2808 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2808 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2808 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2808 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2808 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2808 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2808 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe

"C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe"

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe

"C:\Users\Admin\AppData\Local\Temp\2024-07-25_d347769098a8697660804d68eaac0622_phobos_wapomi.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63eb72a0.bat" "

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4780-0-0x00000000006D0000-0x00000000006E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zGrw.exe

MD5 f7d21de5c4e81341eccd280c11ddcc9a
SHA1 d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA256 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512 e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

memory/2352-5-0x0000000000290000-0x0000000000299000-memory.dmp

memory/1804-7-0x00000000006D0000-0x00000000006E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46011D82.exe

MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AF6HG05X\k2[1].rar

MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

memory/2352-46-0x0000000000290000-0x0000000000299000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\63eb72a0.bat

MD5 638a9f491ca04d977cb2691a95fe6001
SHA1 29bcf6f2e8f67b2c699f62a5dbb380c24c734dbf
SHA256 ae050808f0abcde9e5b7383054040f3d071c3496a219937409af7e3c0fa0d2d6
SHA512 1994a53a76472183146026a855846d30dd6fdc7eec82a2fbef71c3c4595a78728b17f0aaa106799420588a10eb83701df746b71ae77fae0528a5f1ffb66c6242

C:\Program Files\7-Zip\Uninstall.exe

MD5 8fd53ac834f4db9629b8fcf2e4133692
SHA1 1fbf94914de35ab6b258b8b9dfe4e4a27a8fee3e
SHA256 c815791a75b0b9ec9f49241ebe279988bcc742a51c57b69d859aa91ea147a6f1
SHA512 178a7d8a257895826a90ce61fd93c85517b07a5f5afef2be041461592690239c55d37a3e36d41deec5c0cdbd1ca5c53aa59c8ef51bcb2ff22b93534b8a465351

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[372BB73F-3542].[[email protected]].faust

MD5 75d17f98c857f4f1e3b6c65172b4b64b
SHA1 78be74b67d3b5633e67aaf95942a96f4b13fd124
SHA256 767525b498042bb21146b0a981a286756e89d5a3e70227d863342ccd24e39084
SHA512 1507a86fa4ce4c1dbfa0c28152881e48fb018ec8231ce37dbf07caeb74eb793c1ad5cdfeab40e0acb3051f5a4c6a276007a86174b66e59577ab2aa4744e0312d

memory/4780-6485-0x00000000006D0000-0x00000000006E9000-memory.dmp

C:\info.hta

MD5 b077b9461b3f90a22120367b960beb23
SHA1 ce281b6481e7a4055ff97bcb060ac22124b9c046
SHA256 64a955bdde7c20368cea9d93c895ffb8b7969f9ff197b454cc12b3b3d06f609c
SHA512 760ef844af61db5526a743d525b63797a10ae1bcfafacd4dcd621ce60049dc2479143e8f9d0eb8ef45a26ae4eaccef4b53c087c4921007343dbe34f4968d64f6