Malware Analysis Report

2024-11-16 12:14

Sample ID: 241107-h9an4a1jhr
Target: 2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos
SHA256: fadc9d5be208e7b040940ffc19c780819d93bc0850f6d3bb14ae7c2ccabe60aa
Tags: phobos credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: fadc9d5be208e7b040940ffc19c780819d93bc0850f6d3bb14ae7c2ccabe60aa

Threat Level: Known bad

The file 2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos was found to be: Known bad.

Malicious Activity Summary

phobos credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer

Phobos family

Phobos

Every file the sample encrypts is renamed with the Phobos suffix .id[<victim id>].[<contact address>].<extension>. In this detonation the suffix is .id[B8A4F8FA-2803].[<contact address>].eight; the contact address is not recoverable from this copy of the report, where it appears only as the placeholder [email protected].

Renames multiple files with added filename extension (514 in one detonation, 309 in behavioral1)

Deletes shadow copies

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Deletes backup catalog

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Modifies registry class

Interacts with shadow copies

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-07 07:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 07:25
Reported: 2024-11-07 07:28
Platform: win7-20240729-en
Max time kernel: 150s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe"

Signatures

Phobos

ransomware phobos

Phobos family

phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (309) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

No indicator rows are attached to this signature. It is triggered by access to the Credential Manager files under the user profile, which an encryptor touches while sweeping user data; the Phobos encryptor itself carries no credential-theft or exfiltration component, so the stealer tag is a by-product of encryption rather than evidence of credential theft.

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[B8A4F8FA-2803].[[email protected]].eight | C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe | N/A

Reads user/profile data of web browsers

spyware stealer

As with the Credential Manager signature, this fires on file access inside browser profile directories during the encryption sweep (the Temporary Internet Files and Feeds Cache desktop.ini rows further down are the same sweep); it is not evidence of a browser-data stealer.

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe" | C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe | N/A

Both Run values reference C:\Users\Admin\AppData\Local\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe rather than the ...\Local\Temp\ path the sample ran from, so persistence is through a copy of the binary, not the original file, and it is registered in both the machine hive and the current user's hive. With the Startup-folder drop recorded above, that is three autostart entries (HKLM Run, HKCU Run, Startup folder) to remove during cleanup.
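The Startup-folder and Run-key rows above show the two persistence mechanisms and the first encrypted-file name on the page. The following Python is an added example, not code from this report or from the sandbox that produced it: it parses the Phobos file-name suffix and checks persistence entries for the self-copy pattern (a Run value or Startup-folder file that carries the acting process's own file name in a different directory). The sample input is constructed from rows on this page; the victim id B8A4F8FA-2803 and the extension "eight" come from the page, while the contact address is available only as the placeholder "[email protected]", which the regex tolerates.

```python
import ntpath
import re
from collections import defaultdict

# Phobos renames every file it encrypts to
#   <original name>.id[<victim id>].[<contact address>].<extension>
# The contact address in this copy of the report survives only as the
# placeholder "[email protected]" (it contains brackets itself), so the
# contact group is matched non-greedily up to the "].<ext>" tail.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-F]{8}-\d{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def parse_encrypted_name(path):
    """Split a Phobos-style name into its parts; None if the name does not fit."""
    m = PHOBOS_NAME.match(path)
    return m.groupdict() if m else None


def summarize_encrypted(paths):
    """Group encrypted files by victim id and collect the extensions in use."""
    by_victim = defaultdict(list)
    extensions = set()
    for p in paths:
        info = parse_encrypted_name(p)
        if info is None:
            continue
        by_victim[info["victim_id"].upper()].append(info["original"])
        extensions.add(info["ext"].lower())
    return {"victims": dict(by_victim), "extensions": sorted(extensions)}


def _same_name_other_dir(a, b):
    """True when two paths carry the same file name in different directories.
    Registry data on the page is shown with doubled backslashes; collapse them."""
    a, b = a.replace("\\\\", "\\"), b.replace("\\\\", "\\")
    return (ntpath.basename(a).lower() == ntpath.basename(b).lower()
            and ntpath.dirname(a).lower() != ntpath.dirname(b).lower())


def persistence_findings(events):
    """Flag Run-key values and Startup-folder drops that name a copy of the
    acting process placed in another directory (self-copy persistence)."""
    findings = []
    for ev in events:
        if ev["kind"] == "reg_set" and RUN_KEY.search(ev["key"]):
            target = ev["value"].strip('"')
            if _same_name_other_dir(target, ev["process"]):
                findings.append(("run_key_self_copy", ev["key"], target))
        elif ev["kind"] == "file_create" and STARTUP_DIR.search(ev["path"]):
            if _same_name_other_dir(ev["path"], ev["process"]):
                findings.append(("startup_self_copy", ev["path"], ev["process"]))
    return findings


# Sample input constructed from rows in this report (not a live capture).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe"
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[B8A4F8FA-2803].[[email protected]].eight",
    r"C:\Program Files\Mozilla Firefox\ucrtbase.dll.id[B8A4F8FA-2803].[[email protected]].eight",
    r"C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau.id[B8A4F8FA-2803].[[email protected]].eight",
    r"C:\Program Files\Java\jre7\lib\calendars.properties",  # opened, not yet renamed
]
SAMPLE_EVENTS = [
    {"kind": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos",
     "value": r'"C:\\Users\\Admin\\AppData\\Local\\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe"',
     "process": SAMPLE_EXE},
    {"kind": "file_create",
     "path": r"\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe",
     "process": SAMPLE_EXE},
    {"kind": "file_create", "path": SAMPLE_PATHS[0], "process": SAMPLE_EXE},
]

if __name__ == "__main__":
    print(summarize_encrypted(SAMPLE_PATHS))
    for finding in persistence_findings(SAMPLE_EVENTS):
        print(*finding)
```

The victim id is the value to pivot on: Phobos derives it per machine, so files from one infected host share it, and the same id appearing on two hosts means the same run reached both over shares. The self-copy check deliberately ignores the file name itself, since operators rename the dropper freely; what stays constant is that the autostart target is a copy in a different directory from the process that registered it.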

Drops desktop.ini file(s)

Description (every row): File opened for modification
Process (every row): C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe
Target (every row): N/A

Indicator
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B329PW0O\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Program Files\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\386UAANV\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3K0NZPWJ\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

Drops file in Program Files directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe
Target (every row): N/A

Description | Indicator
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RES98.POC
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251301.WMF
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15171_.GIF.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\SUMIPNTG.INF.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01242_.WMF
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107134.WMF.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00423_.WMF.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL
File opened for modification | C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233665.WMF.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek
File created | C:\Program Files\Mozilla Firefox\ucrtbase.dll.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0228823.WMF.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18236_.WMF.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\OMSINTL.DLL.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\AUTHOR.XSL.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_rtp_plugin.dll.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\ACCOLK.DLL
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2A.BDR
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files\Java\jre7\lib\calendars.properties
File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WCOMP98.POC.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui
File created | C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\hxdsui.dll.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98.POC.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Complete.xsn
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02270_.WMF.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\FiveRules.potx.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02088_.WMF.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00100_.WMF
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.id[B8A4F8FA-2803].[[email protected]].eight
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml.id[B8A4F8FA-2803].[[email protected]].eight
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml
File opened for modification | C:\Program Files\Windows Media Player\de-DE\WMPDMC.exe.mui

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Every row here is netsh.exe reading HKLM\SOFTWARE\Microsoft\NetSh, which netsh does at every start to locate its registered helper DLLs; nothing in this report writes to that key. The rows are a side effect of the two netsh executions recorded under "Modifies Windows Firewall", not a helper DLL being registered for persistence, so the persistence and privilege_escalation tags on this signature should not be acted on.

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A

Reading NLS\Language is routine for Windows processes, and four of the five rows come from mshta.exe rather than from the sample, so this signature carries little weight on its own.

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 2052 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2052 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2052 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2796 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2796 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2796 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2796 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2796 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2796 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2052 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2052 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2052 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2052 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2052 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2052 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2052 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2052 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2052 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2052 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2052 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2052 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1732 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 1732 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2260 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2260 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2260 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2260 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2260 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2260 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2260 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2260 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2260 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2260 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2260 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2260 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2260 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2260 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\info.hta

MD5 7133cf4c985c4b64092d2454d283c7b7
SHA1 e412c0d6cf11711a187cbc43a81238950cca9409
SHA256 f0b462b46d9d1d6c5e0be564ef6482f93ccc745ac43f6ce3708630d4db398017
SHA512 c16c50cc4bf7dc5130b70f715829fef0d7d899adb0fa721e338bd91270d8205fd531386911be811b16fc754eb136a11388ab313d596493ca93fb55ed1c3a659a

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 07:25

Reported

2024-11-07 07:28

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe"

Signatures

Phobos

ransomware phobos

Phobos family

phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (514) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.INF C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\New-Fixture.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_et.json C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected][FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close.png.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MediumTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\ui-strings.js.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fa.pak.DATA.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\XboxResourceDictionary.xaml C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\joni.md C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\kinit.exe.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kk.pak.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Net.Resources.dll C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\avatar_128x.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\5.jpg C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\PlayStore_icon.svg.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libadf_plugin.dll C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_dummy_plugin.dll.id[FA542019-2803].[[email protected]].eight C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.5eee580c.pri C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
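The six rows above record netsh.exe opening, querying and enumerating HKLM\SOFTWARE\Microsoft\NetSh, which is how netsh locates its helper DLLs on every invocation; none of them is a write, so this table on its own does not show a helper being registered. The Python below is an added example, not the sandbox's signature logic: it separates reads from writes on that key in the report rows, and then goes beyond the page with the host-side check a responder would run, parsing `reg query` output for the key and flagging helper values that are path-qualified or absent from a known-good snapshot. The `reg query` text, the rogue `updater` entry and the `KNOWN_GOOD` set are constructed for the example.

```python
"""Netsh helper DLL audit: report rows plus a host-side registry check.

Added example for this report, not the sandbox's signature logic. REPORT_ROWS
are copied from the table above. REG_QUERY_OUTPUT is constructed: the first
three entries imitate stock helper registrations (bare DLL names resolved from
System32); the last is an invented rogue entry in a user-writable directory.
KNOWN_GOOD stands in for a snapshot of the same key from a trusted host.
"""
import re
from collections import Counter

NETSH_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh"

# Row layout: "<Operation> <Indicator> <Process> <Target>"; the process
# column starts with a drive letter and ends in ".exe", anchoring the split.
ROW_RE = re.compile(
    r"^(?P<op>Key value enumerated|Key value queried|Key value set|"
    r"Key opened|Key queried|Key created)\s+(?P<key>.+?)\s+"
    r"(?P<process>[A-Za-z]:\\\S+?\.exe)\s+(?P<target>\S+)$"
)
# Operation names treated as writes (assumed; only reads occur in this report).
WRITE_OPS = {"Key created", "Key value set"}

REPORT_ROWS = r"""
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
"""

# Constructed `reg query HKLM\SOFTWARE\Microsoft\NetSh` output (not from the sandbox).
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh
    ifmon       REG_SZ    ifmon.dll
    rasmontr    REG_SZ    rasmontr.dll
    fwcfg       REG_SZ    fwcfg.dll
    updater     REG_SZ    C:\Users\Public\updater.dll
"""
KNOWN_GOOD = {"ifmon.dll", "rasmontr.dll", "fwcfg.dll"}  # trusted-host snapshot (constructed)

VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def netsh_key_activity(rows_text):
    """Count operations on the NetSh key per process, split into reads and
    writes. A persistence hit needs a write; reads are netsh loading helpers."""
    reads, writes = Counter(), Counter()
    for line in rows_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or not m["key"].startswith(NETSH_KEY):
            continue
        bucket = writes if m["op"] in WRITE_OPS else reads
        bucket[m["process"]] += 1
    return {"reads": reads, "writes": writes}


def audit_netsh_helpers(reg_text, known_good):
    """Flag helper values that are paths (stock helpers are bare DLL names
    resolved from System32) or bare names missing from the snapshot."""
    findings = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        data = m["data"]
        if "\\" in data or "/" in data:
            findings.append((m["name"], data, "path-qualified helper"))
        elif data.lower() not in known_good:
            findings.append((m["name"], data, "helper not in known-good snapshot"))
    return findings


if __name__ == "__main__":
    activity = netsh_key_activity(REPORT_ROWS)
    print("NetSh key reads:", sum(activity["reads"].values()),
          "writes:", sum(activity["writes"].values()))
    for name, data, why in audit_netsh_helpers(REG_QUERY_OUTPUT, KNOWN_GOOD):
        print(f"suspicious helper {name} -> {data}: {why}")
```

On a live host the registry side is `reg query HKLM\SOFTWARE\Microsoft\NetSh` piped into `audit_netsh_helpers`; the snapshot should come from a machine of the same Windows build, since the stock helper set differs between releases.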

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 2160 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 2160 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 2160 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1892 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2612 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2612 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2612 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2612 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1892 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1892 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1892 wrote to memory of 916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1892 wrote to memory of 916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1892 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1892 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1892 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1892 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2160 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\SysWOW64\mshta.exe
PID 2160 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 2160 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe C:\Windows\system32\cmd.exe
PID 4380 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4380 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4380 wrote to memory of 1184 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4380 wrote to memory of 1184 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4380 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4380 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4380 wrote to memory of 4048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4380 wrote to memory of 4048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4380 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4380 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-07_d752846960ac3072760aa64b4fb61dac_phobos.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[FA542019-2803].[[email protected]].eight

MD5 34863162475b4c4d6d83e57dabf1e3a6
SHA1 275d8f9c010ee854c35eff0d8d29ed3f571cfc05
SHA256 8362a268cec8ebdd842a51d9997b752e361372408c7b41194a8efac0b766b5d9
SHA512 36faa231e4cc83acfceb8a49f5651c8b4b0645c3b85a86841eb039a7cafdb599f19d99ceeea192d02b226117f0cef39c34b2ba8fc2b997c2f753d6ab59f1aeab

C:\info.hta

MD5 46c676f5e88aa86b96b5eff5326a87ab
SHA1 69e51fa02a53c5f8405db2096d1a55e6375b1a5f
SHA256 98c4c210e9fa038723706d8cfbac076fb771fafa36799af96d211fad98bfb44a
SHA512 3b963913d2f9ac85df1f334e052b8119fb4f17ae36dee236254bd9b5a0b8b1bc1d33a610d44361c5d05e642e6fa4a1647545efd78e106e1889f982142682bb47