Analysis
-
max time kernel
148s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
14-11-2024 02:03
Static task
static1
Behavioral task
behavioral1
Sample
Phantom2 - Copy_obf.bat
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
Phantom2 - Copy_obf.bat
Resource
win10v2004-20241007-en
General
-
Target
Phantom2 - Copy_obf.bat
-
Size
16.2MB
-
MD5
bda2645938c8be959860b1636addf5cf
-
SHA1
d490d062605c3d1dd8936786a7a8b45ea3de7de6
-
SHA256
ebad20cc8d48bd94efb0d4a01850cc14c9618a1a01b28cb4e88fd889161d2de8
-
SHA512
adf974710718263917622b56a8c96e0faed3798aca4102fcaf0dc0c16a7ac6d27ca132852fe4f90f4f50b9053033cf7f295a4119dfddf98e08eb9c1117d0fcde
-
SSDEEP
49152:R106pFHVz+jRObrFKnAEjhZgsCR22zEc8g+oOgsRa9y8NaivevRnQblTJ2lrGM6X:HJktN6JB
Malware Config
Signatures
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 19 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid Process 1808 powershell.exe 2996 powershell.exe 2440 powershell.exe 2364 powershell.exe 2800 powershell.exe 2440 powershell.exe 2808 powershell.exe 2068 powershell.exe 2316 powershell.exe 2300 powershell.exe 1200 powershell.exe 2304 powershell.exe 2328 powershell.exe 2848 powershell.exe 2080 powershell.exe 2196 powershell.exe 1752 powershell.exe 1908 powershell.exe 1704 powershell.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid Process 1256 powershell.exe 2976 powershell.exe 780 powershell.exe 868 powershell.exe 496 powershell.exe 2780 powershell.exe 1572 powershell.exe 2216 powershell.exe 1720 powershell.exe 2820 powershell.exe 2576 powershell.exe 1992 powershell.exe 3016 powershell.exe 1948 powershell.exe 2504 powershell.exe 2056 powershell.exe 2476 powershell.exe 1824 powershell.exe 1964 powershell.exe 2768 powershell.exe 1616 powershell.exe 3004 powershell.exe 3008 powershell.exe 1324 powershell.exe 680 powershell.exe 1540 powershell.exe 2288 powershell.exe -
Delays execution with timeout.exe 6 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid Process 2160 timeout.exe 2536 timeout.exe 2332 timeout.exe 2420 timeout.exe 1696 timeout.exe 2968 timeout.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 63 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid Process 2388 powershell.exe 2304 powershell.exe 3004 powershell.exe 3008 powershell.exe 2068 powershell.exe 1620 powershell.exe 2216 powershell.exe 2316 powershell.exe 1752 powershell.exe 2848 powershell.exe 2520 powershell.exe 1720 powershell.exe 1324 powershell.exe 1704 powershell.exe 1808 powershell.exe 2576 powershell.exe 868 powershell.exe 1256 powershell.exe 1964 powershell.exe 2300 powershell.exe 2968 powershell.exe 2728 powershell.exe 1492 powershell.exe 2996 powershell.exe 2080 powershell.exe 2068 powershell.exe 1616 powershell.exe 2820 powershell.exe 2976 powershell.exe 2428 powershell.exe 2768 powershell.exe 1948 powershell.exe 3048 powershell.exe 700 powershell.exe 780 powershell.exe 568 powershell.exe 2504 powershell.exe 2780 powershell.exe 2440 powershell.exe 2364 powershell.exe 2196 powershell.exe 2056 powershell.exe 680 powershell.exe 1992 powershell.exe 2376 powershell.exe 1752 powershell.exe 2704 powershell.exe 1540 powershell.exe 2800 powershell.exe 1824 powershell.exe 2440 powershell.exe 2328 powershell.exe 2288 powershell.exe 1200 powershell.exe 1572 powershell.exe 2808 powershell.exe 496 powershell.exe 2160 powershell.exe 2768 powershell.exe 2132 powershell.exe 1504 powershell.exe 3016 powershell.exe 548 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exeWMIC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exedescription pid Process Token: SeDebugPrivilege 2388 powershell.exe Token: SeIncreaseQuotaPrivilege 2480 WMIC.exe Token: SeSecurityPrivilege 2480 WMIC.exe Token: SeTakeOwnershipPrivilege 2480 WMIC.exe Token: SeLoadDriverPrivilege 2480 WMIC.exe Token: SeSystemProfilePrivilege 2480 WMIC.exe Token: SeSystemtimePrivilege 2480 WMIC.exe Token: SeProfSingleProcessPrivilege 2480 WMIC.exe Token: SeIncBasePriorityPrivilege 2480 WMIC.exe Token: SeCreatePagefilePrivilege 2480 WMIC.exe Token: SeBackupPrivilege 2480 WMIC.exe Token: SeRestorePrivilege 2480 WMIC.exe Token: SeShutdownPrivilege 2480 WMIC.exe Token: SeDebugPrivilege 2480 WMIC.exe Token: SeSystemEnvironmentPrivilege 2480 WMIC.exe Token: SeRemoteShutdownPrivilege 2480 WMIC.exe Token: SeUndockPrivilege 2480 WMIC.exe Token: SeManageVolumePrivilege 2480 WMIC.exe Token: 33 2480 WMIC.exe Token: 34 2480 WMIC.exe Token: 35 2480 WMIC.exe Token: SeIncreaseQuotaPrivilege 2480 WMIC.exe Token: SeSecurityPrivilege 2480 WMIC.exe Token: SeTakeOwnershipPrivilege 2480 WMIC.exe Token: SeLoadDriverPrivilege 2480 WMIC.exe Token: SeSystemProfilePrivilege 2480 WMIC.exe Token: SeSystemtimePrivilege 2480 WMIC.exe Token: SeProfSingleProcessPrivilege 2480 WMIC.exe Token: SeIncBasePriorityPrivilege 2480 WMIC.exe Token: SeCreatePagefilePrivilege 2480 WMIC.exe Token: SeBackupPrivilege 2480 WMIC.exe Token: SeRestorePrivilege 2480 WMIC.exe Token: SeShutdownPrivilege 2480 WMIC.exe Token: SeDebugPrivilege 2480 WMIC.exe Token: SeSystemEnvironmentPrivilege 2480 WMIC.exe Token: SeRemoteShutdownPrivilege 2480 WMIC.exe Token: SeUndockPrivilege 2480 WMIC.exe Token: SeManageVolumePrivilege 2480 WMIC.exe Token: 33 2480 WMIC.exe Token: 34 2480 WMIC.exe Token: 35 2480 WMIC.exe Token: SeDebugPrivilege 2304 powershell.exe Token: SeDebugPrivilege 3004 powershell.exe Token: SeDebugPrivilege 3008 powershell.exe Token: SeDebugPrivilege 2068 powershell.exe Token: SeDebugPrivilege 1620 powershell.exe Token: SeDebugPrivilege 2216 powershell.exe Token: SeDebugPrivilege 2316 powershell.exe Token: SeIncreaseQuotaPrivilege 2344 WMIC.exe Token: SeSecurityPrivilege 2344 WMIC.exe Token: SeTakeOwnershipPrivilege 2344 WMIC.exe Token: SeLoadDriverPrivilege 2344 WMIC.exe Token: SeSystemProfilePrivilege 2344 WMIC.exe Token: SeSystemtimePrivilege 2344 WMIC.exe Token: SeProfSingleProcessPrivilege 2344 WMIC.exe Token: SeIncBasePriorityPrivilege 2344 WMIC.exe Token: SeCreatePagefilePrivilege 2344 WMIC.exe Token: SeBackupPrivilege 2344 WMIC.exe Token: SeRestorePrivilege 2344 WMIC.exe Token: SeShutdownPrivilege 2344 WMIC.exe Token: SeDebugPrivilege 2344 WMIC.exe Token: SeSystemEnvironmentPrivilege 2344 WMIC.exe Token: SeRemoteShutdownPrivilege 2344 WMIC.exe Token: SeUndockPrivilege 2344 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exedescription pid Process procid_target PID 2492 wrote to memory of 2112 2492 cmd.exe 31 PID 2492 wrote to memory of 2112 2492 cmd.exe 31 PID 2492 wrote to memory of 2112 2492 cmd.exe 31 PID 2492 wrote to memory of 2388 2492 cmd.exe 32 PID 2492 wrote to memory of 2388 2492 cmd.exe 32 PID 2492 wrote to memory of 2388 2492 cmd.exe 32 PID 2388 wrote to memory of 2480 2388 powershell.exe 33 PID 2388 wrote to memory of 2480 2388 powershell.exe 33 PID 2388 wrote to memory of 2480 2388 powershell.exe 33 PID 2492 wrote to memory of 2840 2492 cmd.exe 35 PID 2492 wrote to memory of 2840 2492 cmd.exe 35 PID 2492 wrote to memory of 2840 2492 cmd.exe 35 PID 2492 wrote to memory of 2304 2492 cmd.exe 36 PID 2492 wrote to memory of 2304 2492 cmd.exe 36 PID 2492 wrote to memory of 2304 2492 cmd.exe 36 PID 2492 wrote to memory of 2744 2492 cmd.exe 37 PID 2492 wrote to memory of 2744 2492 cmd.exe 37 PID 2492 wrote to memory of 2744 2492 cmd.exe 37 PID 2492 wrote to memory of 1296 2492 cmd.exe 38 PID 2492 wrote to memory of 1296 2492 cmd.exe 38 PID 2492 wrote to memory of 1296 2492 cmd.exe 38 PID 2492 wrote to memory of 2532 2492 cmd.exe 39 PID 2492 wrote to memory of 2532 2492 cmd.exe 39 PID 2492 wrote to memory of 2532 2492 cmd.exe 39 PID 2492 wrote to memory of 1980 2492 cmd.exe 41 PID 2492 wrote to memory of 1980 2492 cmd.exe 41 PID 2492 wrote to memory of 1980 2492 cmd.exe 41 PID 2492 wrote to memory of 2964 2492 cmd.exe 42 PID 2492 wrote to memory of 2964 2492 cmd.exe 42 PID 2492 wrote to memory of 2964 2492 cmd.exe 42 PID 2492 wrote to memory of 1500 2492 cmd.exe 43 PID 2492 wrote to memory of 1500 2492 cmd.exe 43 PID 2492 wrote to memory of 1500 2492 cmd.exe 43 PID 2492 wrote to memory of 2160 2492 cmd.exe 44 PID 2492 wrote to memory of 2160 2492 cmd.exe 44 PID 2492 wrote to memory of 2160 2492 cmd.exe 44 PID 2492 wrote to memory of 1248 2492 cmd.exe 45 PID 2492 wrote to memory of 1248 2492 cmd.exe 45 PID 2492 wrote to memory of 1248 2492 cmd.exe 45 PID 2492 wrote to memory of 3004 2492 cmd.exe 46 PID 2492 wrote to memory of 3004 2492 cmd.exe 46 PID 2492 wrote to memory of 3004 2492 cmd.exe 46 PID 2492 wrote to memory of 3060 2492 cmd.exe 47 PID 2492 wrote to memory of 3060 2492 cmd.exe 47 PID 2492 wrote to memory of 3060 2492 cmd.exe 47 PID 2492 wrote to memory of 3044 2492 cmd.exe 48 PID 2492 wrote to memory of 3044 2492 cmd.exe 48 PID 2492 wrote to memory of 3044 2492 cmd.exe 48 PID 2492 wrote to memory of 3008 2492 cmd.exe 49 PID 2492 wrote to memory of 3008 2492 cmd.exe 49 PID 2492 wrote to memory of 3008 2492 cmd.exe 49 PID 2492 wrote to memory of 2136 2492 cmd.exe 50 PID 2492 wrote to memory of 2136 2492 cmd.exe 50 PID 2492 wrote to memory of 2136 2492 cmd.exe 50 PID 2492 wrote to memory of 2196 2492 cmd.exe 51 PID 2492 wrote to memory of 2196 2492 cmd.exe 51 PID 2492 wrote to memory of 2196 2492 cmd.exe 51 PID 2492 wrote to memory of 2500 2492 cmd.exe 52 PID 2492 wrote to memory of 2500 2492 cmd.exe 52 PID 2492 wrote to memory of 2500 2492 cmd.exe 52 PID 2492 wrote to memory of 2540 2492 cmd.exe 53 PID 2492 wrote to memory of 2540 2492 cmd.exe 53 PID 2492 wrote to memory of 2540 2492 cmd.exe 53 PID 2492 wrote to memory of 1832 2492 cmd.exe 54
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2744
-
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:1296
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2532
-
-
C:\Windows\system32\mshta.exemshta2⤵PID:1980
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2964
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1500
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2160
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
C:\Windows\system32\mshta.exemshta2⤵PID:3060
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:3044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008
-
-
C:\Windows\system32\doskey.exedoskey GRAFTABL=BCDBOOT2⤵PID:2136
-
-
C:\Windows\system32\doskey.exedoskey GRAFTABL=START2⤵PID:2196
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:2500
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:2540
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:1832
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:1860
-
-
C:\Windows\system32\net.exenet file2⤵PID:2072
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file3⤵PID:2088
-
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
C:\Windows\system32\mshta.exemshta2⤵PID:972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:1908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2256
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1172
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1512
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2120
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1752
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2832
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2912
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2944
-
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2848
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:1664
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2964
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1324
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1160
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1704
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:700
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:2232
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:1132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1808
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1256
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1924
-
-
C:\Windows\system32\doskey.exedoskey COMP=SYSTEMINFO2⤵PID:1944
-
-
C:\Windows\system32\doskey.exedoskey CHKNTFS=CONVERT2⤵PID:2004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1964
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2300
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2268
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2728
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:2712
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2508
-
-
C:\Windows\system32\doskey.exedoskey MORE=REM2⤵PID:2192
-
-
C:\Windows\system32\timeout.exetimeout 02⤵
- Delays execution with timeout.exe
PID:2420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1492
-
-
C:\Windows\system32\doskey.exedoskey DIR=TITLE2⤵PID:340
-
-
C:\Windows\system32\timeout.exetimeout 02⤵
- Delays execution with timeout.exe
PID:1696
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:2124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2964
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:1664
-
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2996
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2044
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:3016
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2080
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1688
-
-
C:\Windows\system32\doskey.exedoskey FSUTIL=MOVE2⤵PID:408
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2068
-
-
C:\Windows\system32\doskey.exedoskey SORT=SCHTASKS2⤵PID:808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1616
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:1816
-
-
C:\Windows\system32\doskey.exedoskey /listsize=02⤵PID:2128
-
-
C:\Windows\system32\doskey.exedoskey SCHTASKS=ICACLS2⤵PID:2576
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2748
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:344
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2272
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:1976
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2260
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵PID:2476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2616
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:1628
-
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2820
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2832
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2896
-
-
C:\Windows\system32\timeout.exetimeout 02⤵
- Delays execution with timeout.exe
PID:2968
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:1724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2976
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:2512
-
-
C:\Windows\system32\doskey.exedoskey /listsize=02⤵PID:2776
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:2800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:356
-
-
C:\Windows\system32\doskey.exedoskey GOTO=FTYPE2⤵PID:1696
-
-
C:\Windows\system32\mshta.exemshta2⤵PID:2124
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1948
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2248
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:3008
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:3028
-
-
C:\Windows\system32\doskey.exedoskey BCDBOOT=SYSTEMINFO2⤵PID:2720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3048
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:1860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:700
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:1620
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2252
-
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2128
-
-
C:\Windows\system32\doskey.exedoskey MORE=DATE2⤵PID:2424
-
-
C:\Windows\system32\doskey.exedoskey GPRESULT=ICACLS2⤵PID:332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:780
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1200
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2544
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:1960
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1976
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2592
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:1600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:888
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:1404
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2808
-
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2912
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2556
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2896
-
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1772
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1296
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:952
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2588
-
-
-
C:\Windows\system32\timeout.exetimeout 02⤵
- Delays execution with timeout.exe
PID:2160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2780
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:1052
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:1764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:3052
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2564
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2196
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:2552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:680
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1992
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1932
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2256
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:1200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2376
-
-
C:\Windows\system32\mshta.exemshta2⤵PID:1728
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2052
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:2464
-
-
C:\Windows\system32\timeout.exetimeout 02⤵
- Delays execution with timeout.exe
PID:2536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
PID:2476
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:2940
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2860
-
-
C:\Windows\system32\doskey.exedoskey CHKDSK=SETLOCAL2⤵PID:2808
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:1404
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:2788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1752
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2832
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2912
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:1284
-
-
C:\Windows\system32\doskey.exedoskey /listsize=02⤵PID:2852
-
-
C:\Windows\system32\doskey.exedoskey /listsize=02⤵PID:2960
-
-
C:\Windows\system32\doskey.exedoskey RMDIR=TYPE2⤵PID:2708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2712
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2676
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2800
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1824
-
-
C:\Windows\system32\mshta.exemshta2⤵PID:1196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2440
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:2364
-
-
C:\Windows\system32\mshta.exemshta2⤵PID:3004
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2080
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:408
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2288
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2576
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2384
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2548
-
-
C:\Windows\system32\timeout.exetimeout 02⤵
- Delays execution with timeout.exe
PID:2332
-
-
C:\Windows\system32\mshta.exemshta2⤵PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1200
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2004
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:1628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:1048
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:2416
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2808
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2640
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:1244
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2716
-
-
C:\Windows\system32\doskey.exedoskey POPD=MD2⤵PID:2912
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2708
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:2732
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"2⤵PID:936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:496
-
-
C:\Windows\system32\doskey.exedoskey /listsize=02⤵PID:356
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2160
-
-
C:\Windows\system32\wscript.exewscript /b2⤵PID:2356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:548
-
-
C:\Windows\system32\doskey.exedoskey VOL=DRIVERQUERY2⤵PID:1132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵PID:2056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
PID:1908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value2⤵PID:2868
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get manufacturer /value3⤵PID:1536
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -nop -c "Write-Host -NoNewLine $null"2⤵PID:956
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
186B
MD5f375cca76665b4940a23022a0e8fd7e8
SHA1bb9aeb111e067904c48a2b82b8f5482eaf290b8f
SHA25699c7b4b4733744862f445ea9a4737abef02aff1d5d9ad5cafdbd1a9965b21348
SHA512d76d78abdc2931083dce35471c4a23cbd88f47bbb4e5f69975e921de4cb0f64f1ff16c2fe4261407ce3ef6b7caa5fb5382841360bfb4827651be43816950c022
-
Filesize
13B
MD5337065424ed27284c55b80741f912713
SHA10e99e1b388ae66a51a8ffeee3448c3509a694db8
SHA2564ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b
SHA512d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a
-
Filesize
95B
MD5f5a71fdb6b1326188878f569079e6d7b
SHA164536a07da7123953acc29f084560fcabbb1d021
SHA2568be55d45bdd197eea902588aae2b92c6da33257a9b35778c2456883dd8e441f1
SHA51268c01c9ef6169bf56800df80695394959056ed0c3b6382ed9c3f2936082a79baba5c8287990662386f8ce0bd12006bc17cf4a6f9c99c4a92d82ba13faa7cfa8f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5d46607893f2ad5bbc69187a8827f86ac
SHA1a886dc984c2773ec495e2e545db208b9a08470fb
SHA256136c507359e5f3af9a8abb7d2f959ad25a419e534720efdc52c6529d98e0f853
SHA512ed7621628731ecc58a89a37110e8b0b012b65141627e64feb9ab5944d901a5f0afa77939642404fd4fc4c3d8b69d72a941e8030d1f2629a9d617b80657d9dd2d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e