phobos | 27aebbda43b8e6e72b1f305b912ca4a506401d9462baf60bc30ce35852984f70

Analysis

max time kernel
101s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2025, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.7z
Size

35KB
MD5

8e6f83b06c6c010293b8b798102bed1f
SHA1

1c84da8f9bd35cc60bb0e826cf312ba9c7c372b4
SHA256

27aebbda43b8e6e72b1f305b912ca4a506401d9462baf60bc30ce35852984f70
SHA512

9aae2d3e1f54add6bda63828dfbc48d6ad85f0e31345e3638d47715dab9b84df4b4f6e187f8578d40c6af78738db37857bf15ffbe7c7895d2cac1aae028f9f25
SSDEEP

768:1Upgmy0MS3BZYdStnK6gBZ918LXT9spwzcwR2NcmbFimd9SLFYnbzkgwKU5dIBHx:1UimBuu/gB0JsBzNcOj9SLF1f1St

Score

10^/10

phobos credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>7B1DB1F7-2930</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div class='bold'>Our online operator is available in the messenger Telegram: <span class='mark'><a href='https://t.me/Resp0nse'>@Resp0nse</a></span> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Phobos family
phobos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3320	bcdedit.exe
1988	bcdedit.exe
4024	bcdedit.exe
5812	bcdedit.exe

Renames multiple (785) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
684	wbadmin.exe
4452	wbadmin.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1500	netsh.exe
6016	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

Executes dropped EXE 2 IoCs

pid	Process
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4996	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1 = "C:\\Users\\Admin\\AppData\\Local\\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe"	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1 = "C:\\Users\\Admin\\AppData\\Local\\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe"	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3975168204-1612096350-4002976354-1000\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3975168204-1612096350-4002976354-1000\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Public\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Collections.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Trust Protection Lists\Mu\Advertising.DATA	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_contrast-white.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Cloud.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-100.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\edge_game_assist\EdgeGameAssist.msix.DATA.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\D3DCompiler_47_cor3.dll.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-100_contrast-white.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-125.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-125.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\pa.pak.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\v8_context_snapshot.bin	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-200.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_gd.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\OSFINTL.DLL.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-150.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-80_contrast-black.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\ta.pak	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\sk_get.svg.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MetaProvider.PowerShell.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll.id[7B1DB1F7-2930].[[email protected]].eking	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerBackgroundTasks.winmd	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2628	vssadmin.exe
3820	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2348	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4872	taskmgr.exe
4872	taskmgr.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4872	taskmgr.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4872	taskmgr.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4872	taskmgr.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4872	taskmgr.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4872	taskmgr.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4872	taskmgr.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2340	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2340	7zFM.exe
Token: 35	2340	7zFM.exe
Token: SeSecurityPrivilege	2340	7zFM.exe
Token: SeDebugPrivilege	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
Token: SeBackupPrivilege	5724	vssvc.exe
Token: SeRestorePrivilege	5724	vssvc.exe
Token: SeAuditPrivilege	5724	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4112	WMIC.exe
Token: SeSecurityPrivilege	4112	WMIC.exe
Token: SeTakeOwnershipPrivilege	4112	WMIC.exe
Token: SeLoadDriverPrivilege	4112	WMIC.exe
Token: SeSystemProfilePrivilege	4112	WMIC.exe
Token: SeSystemtimePrivilege	4112	WMIC.exe
Token: SeProfSingleProcessPrivilege	4112	WMIC.exe
Token: SeIncBasePriorityPrivilege	4112	WMIC.exe
Token: SeCreatePagefilePrivilege	4112	WMIC.exe
Token: SeBackupPrivilege	4112	WMIC.exe
Token: SeRestorePrivilege	4112	WMIC.exe
Token: SeShutdownPrivilege	4112	WMIC.exe
Token: SeDebugPrivilege	4112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4112	WMIC.exe
Token: SeRemoteShutdownPrivilege	4112	WMIC.exe
Token: SeUndockPrivilege	4112	WMIC.exe
Token: SeManageVolumePrivilege	4112	WMIC.exe
Token: 33	4112	WMIC.exe
Token: 34	4112	WMIC.exe
Token: 35	4112	WMIC.exe
Token: 36	4112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4112	WMIC.exe
Token: SeSecurityPrivilege	4112	WMIC.exe
Token: SeTakeOwnershipPrivilege	4112	WMIC.exe
Token: SeLoadDriverPrivilege	4112	WMIC.exe
Token: SeSystemProfilePrivilege	4112	WMIC.exe
Token: SeSystemtimePrivilege	4112	WMIC.exe
Token: SeProfSingleProcessPrivilege	4112	WMIC.exe
Token: SeIncBasePriorityPrivilege	4112	WMIC.exe
Token: SeCreatePagefilePrivilege	4112	WMIC.exe
Token: SeBackupPrivilege	4112	WMIC.exe
Token: SeRestorePrivilege	4112	WMIC.exe
Token: SeShutdownPrivilege	4112	WMIC.exe
Token: SeDebugPrivilege	4112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4112	WMIC.exe
Token: SeRemoteShutdownPrivilege	4112	WMIC.exe
Token: SeUndockPrivilege	4112	WMIC.exe
Token: SeManageVolumePrivilege	4112	WMIC.exe
Token: 33	4112	WMIC.exe
Token: 34	4112	WMIC.exe
Token: 35	4112	WMIC.exe
Token: 36	4112	WMIC.exe
Token: SeBackupPrivilege	5244	wbengine.exe
Token: SeRestorePrivilege	5244	wbengine.exe
Token: SeSecurityPrivilege	5244	wbengine.exe
Token: SeDebugPrivilege	4872	taskmgr.exe
Token: SeSystemProfilePrivilege	4872	taskmgr.exe
Token: SeCreateGlobalPrivilege	4872	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	5476	WMIC.exe
Token: SeSecurityPrivilege	5476	WMIC.exe
Token: SeTakeOwnershipPrivilege	5476	WMIC.exe
Token: SeLoadDriverPrivilege	5476	WMIC.exe
Token: SeSystemProfilePrivilege	5476	WMIC.exe
Token: SeSystemtimePrivilege	5476	WMIC.exe
Token: SeProfSingleProcessPrivilege	5476	WMIC.exe
Token: SeIncBasePriorityPrivilege	5476	WMIC.exe
Token: SeCreatePagefilePrivilege	5476	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2340	7zFM.exe
2340	7zFM.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe
4872	taskmgr.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 5924	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	95
PID 4640 wrote to memory of 5924	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	95
PID 4640 wrote to memory of 1496	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	94
PID 4640 wrote to memory of 1496	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	94
PID 5924 wrote to memory of 1500	5924	cmd.exe	98
PID 5924 wrote to memory of 1500	5924	cmd.exe	98
PID 1496 wrote to memory of 2628	1496	cmd.exe	99
PID 1496 wrote to memory of 2628	1496	cmd.exe	99
PID 5924 wrote to memory of 6016	5924	cmd.exe	103
PID 5924 wrote to memory of 6016	5924	cmd.exe	103
PID 1496 wrote to memory of 4112	1496	cmd.exe	104
PID 1496 wrote to memory of 4112	1496	cmd.exe	104
PID 1496 wrote to memory of 3320	1496	cmd.exe	106
PID 1496 wrote to memory of 3320	1496	cmd.exe	106
PID 1496 wrote to memory of 1988	1496	cmd.exe	107
PID 1496 wrote to memory of 1988	1496	cmd.exe	107
PID 1496 wrote to memory of 684	1496	cmd.exe	108
PID 1496 wrote to memory of 684	1496	cmd.exe	108
PID 4640 wrote to memory of 2820	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	117
PID 4640 wrote to memory of 2820	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	117
PID 4640 wrote to memory of 2820	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	117
PID 4640 wrote to memory of 2064	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	118
PID 4640 wrote to memory of 2064	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	118
PID 4640 wrote to memory of 2064	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	118
PID 4640 wrote to memory of 5948	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	119
PID 4640 wrote to memory of 5948	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	119
PID 4640 wrote to memory of 5948	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	119
PID 4640 wrote to memory of 1988	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	120
PID 4640 wrote to memory of 1988	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	120
PID 4640 wrote to memory of 1988	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	120
PID 4640 wrote to memory of 3244	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	121
PID 4640 wrote to memory of 3244	4640	HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe	121
PID 3244 wrote to memory of 3820	3244	cmd.exe	123
PID 3244 wrote to memory of 3820	3244	cmd.exe	123
PID 3244 wrote to memory of 5476	3244	cmd.exe	124
PID 3244 wrote to memory of 5476	3244	cmd.exe	124
PID 3244 wrote to memory of 4024	3244	cmd.exe	125
PID 3244 wrote to memory of 4024	3244	cmd.exe	125
PID 3244 wrote to memory of 5812	3244	cmd.exe	126
PID 3244 wrote to memory of 5812	3244	cmd.exe	126
PID 3244 wrote to memory of 4452	3244	cmd.exe	127
PID 3244 wrote to memory of 4452	3244	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2340

C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
"C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe"
1⤵
- Checks computer location settings
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe
  "C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe"
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2628
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3320
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1988
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:684
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5924
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1500
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6016
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5948
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1988
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3820
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5476
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4024
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5812
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:4452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5244

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4952

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4872

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[7B1DB1F7-2930].[[email protected]].eking

Filesize
2.7MB

MD5
bb03cfbdebabd4a4d6a3877b8d804667

SHA1
cc69eb5064258d85730c203fe16894eb88a43590

SHA256
6b73c5e9c3ba3a29dd5013c1d7e32a28b9f78c61290496aaf68d6bc1007672b7

SHA512
2036f2f0e2759a21c909d084549867cbd6529735724ef28388c29057b16c1582a8f8d0c65aa424190bcc9bf600270f28928ff5f2f34f462311f54bd9291c987a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Phobos.vho-a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1.exe

Filesize
55KB

MD5
3ada72cac8ab9b5578ae56fce08aac52

SHA1
175d036720d40787c9d3614623f2f88381396a71

SHA256
a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1

SHA512
6551387585f3e7904e6a062123edb7b628bb7996ccb6c129c275728ec9ff76bce1287abe4b6f49d89d4f640f75251af0b7ca443cface087bb34f96203cd6e955

Download Submit
C:\Users\Public\Desktop\info.txt

Filesize
268B

MD5
59103d781c92b08e00d9eacf5e381e23

SHA1
dc254f359ef3b42c5617368323d2bfbf79c72f35

SHA256
cbb2f848dee8d94628743e5758232ce2500274423cf699532d5918665db10099

SHA512
8be870bf04abdd872d12a9d8c1f6eb6fcef97f4f5e81b05c83ae78107c54242e55d88b878f799fc849e7cf22ec92a40ee16b2d9ab95cd6c9baaa423274e87fe5

Download Submit
C:\info.hta

Filesize
5KB

MD5
e0cc46e125ebaf2dc2c0ab07086be03c

SHA1
2e997e4d0fd915a86b39c3f3873a74f6b06d2e29

SHA256
b7b20db038561830766b67da924beb6af4366402a462fbc7f1f80f50776e81a8

SHA512
0d7c2c9d50d383b40d65761b12db992d74f4fd41dba76e19259e0799c483345a8d70bfc71cb99cbbe730128f107dfdb1035cf9b33f9d9f3e5b90a1b6a25f28e7

Download Submit
memory/4872-4672-0x0000020052D00000-0x0000020052D01000-memory.dmp

Filesize
4KB

Download
memory/4872-4694-0x0000020052D00000-0x0000020052D01000-memory.dmp

Filesize
4KB

Download
memory/4872-4693-0x0000020052D00000-0x0000020052D01000-memory.dmp

Filesize
4KB

Download
memory/4872-4692-0x0000020052D00000-0x0000020052D01000-memory.dmp

Filesize
4KB

Download
memory/4872-4691-0x0000020052D00000-0x0000020052D01000-memory.dmp

Filesize
4KB

Download
memory/4872-4695-0x0000020052D00000-0x0000020052D01000-memory.dmp

Filesize
4KB

Download
memory/4872-4696-0x0000020052D00000-0x0000020052D01000-memory.dmp

Filesize
4KB

Download
memory/4872-4697-0x0000020052D00000-0x0000020052D01000-memory.dmp

Filesize
4KB

Download
memory/4872-4673-0x0000020052D00000-0x0000020052D01000-memory.dmp

Filesize
4KB

Download
memory/4872-4674-0x0000020052D00000-0x0000020052D01000-memory.dmp

Filesize
4KB

Download