Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20241023-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    14-11-2024 02:03

General

  • Target

    Phantom2 - Copy_obf.bat

  • Size

    16.2MB

  • MD5

    bda2645938c8be959860b1636addf5cf

  • SHA1

    d490d062605c3d1dd8936786a7a8b45ea3de7de6

  • SHA256

    ebad20cc8d48bd94efb0d4a01850cc14c9618a1a01b28cb4e88fd889161d2de8

  • SHA512

    adf974710718263917622b56a8c96e0faed3798aca4102fcaf0dc0c16a7ac6d27ca132852fe4f90f4f50b9053033cf7f295a4119dfddf98e08eb9c1117d0fcde

  • SSDEEP

    49152:R106pFHVz+jRObrFKnAEjhZgsCR22zEc8g+oOgsRa9y8NaivevRnQblTJ2lrGM6X:HJktN6JB

Malware Config

Signatures

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 19 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 27 IoCs

    Using powershell.exe command.

  • Delays execution with timeout.exe 6 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2480
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2744
    • C:\Windows\system32\chcp.com
      chcp 65001
      2⤵
      PID:1296
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2532
    • C:\Windows\system32\mshta.exe
      mshta
      2⤵
      PID:1980
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2964
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1500
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2160
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\system32\mshta.exe
      mshta
      2⤵
      PID:3060
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Windows\system32\doskey.exe
      doskey GRAFTABL=BCDBOOT
      2⤵
      PID:2136
    • C:\Windows\system32\doskey.exe
      doskey GRAFTABL=START
      2⤵
      PID:2196
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:2500
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:2540
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:1832
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:1860
    • C:\Windows\system32\net.exe
      net file
      2⤵
      PID:2072
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
        PID:2088
    • C:\Windows\system32\wscript.exe
      wscript /b
      2⤵
      PID:456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
    • C:\Windows\system32\mshta.exe
      mshta
      2⤵
      PID:972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:1908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:2256
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2344
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1172
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1512
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2120
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1752
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1884
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:2832
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        PID:2392
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:2912
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        PID:2944
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:2848
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2520
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:1664
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        PID:2964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1324
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1160
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:3028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:1704
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:700
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:2232
    • C:\Windows\system32\wscript.exe
      wscript /b
      2⤵
      PID:1132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:1808
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1256
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1924
    • C:\Windows\system32\doskey.exe
      doskey COMP=SYSTEMINFO
      2⤵
      PID:1944
    • C:\Windows\system32\doskey.exe
      doskey CHKNTFS=CONVERT
      2⤵
      PID:2004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1964
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:2300
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2268
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2728
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:2712
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2508
                                                                                                          • C:\Windows\system32\doskey.exe
                                                                                                            doskey MORE=REM
                                                                                                            2⤵
                                                                                                              PID:2192
                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                              timeout 0
                                                                                                              2⤵
                                                                                                              • Delays execution with timeout.exe
                                                                                                              PID:2420
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                                                                                              2⤵
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              PID:1492
                                                                                                            • C:\Windows\system32\doskey.exe
                                                                                                              doskey DIR=TITLE
                                                                                                              2⤵
                                                                                                                PID:340
                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                timeout 0
                                                                                                                2⤵
                                                                                                                • Delays execution with timeout.exe
                                                                                                                PID:1696
                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                rundll32
                                                                                                                2⤵
                                                                                                                  PID:2124
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
                                                                                                                  2⤵
                                                                                                                    PID:2964
                                                                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                      wmic computersystem get manufacturer /value
                                                                                                                      3⤵
                                                                                                                        PID:1664
                                                                                                                    • C:\Windows\system32\findstr.exe
                                                                                                                      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                      2⤵
                                                                                                                        PID:1648
                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                                                                                                                        2⤵
                                                                                                                        • Hide Artifacts: Ignore Process Interrupts
                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                        PID:2996
                                                                                                                      • C:\Windows\system32\findstr.exe
                                                                                                                        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                        2⤵
                                                                                                                          PID:1640
                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
                                                                                                                          2⤵
                                                                                                                            PID:2044
                                                                                                                            • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                              wmic computersystem get manufacturer /value
                                                                                                                              3⤵
                                                                                                                                PID:3016
                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                                                                                                                              2⤵
                                                                                                                              • Hide Artifacts: Ignore Process Interrupts
                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                              PID:2080
                                                                                                                            • C:\Windows\system32\findstr.exe
                                                                                                                              findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                              2⤵
                                                                                                                                PID:1688
                                                                                                                              • C:\Windows\system32\doskey.exe
                                                                                                                                doskey FSUTIL=MOVE
                                                                                                                                2⤵
                                                                                                                                  PID:408
                                                                                                                                • C:\Windows\system32\findstr.exe
                                                                                                                                  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                  2⤵
                                                                                                                                    PID:1632
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                                                                                                                    2⤵
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    PID:2068
                                                                                                                                  • C:\Windows\system32\doskey.exe
                                                                                                                                    doskey SORT=SCHTASKS
                                                                                                                                    2⤵
                                                                                                                                      PID:808
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
                                                                                                                                      2⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      PID:1616
                                                                                                                                    • C:\Windows\system32\wscript.exe
                                                                                                                                      wscript /b
                                                                                                                                      2⤵
                                                                                                                                        PID:1816
                                                                                                                                      • C:\Windows\system32\doskey.exe
                                                                                                                                        doskey /listsize=0
                                                                                                                                        2⤵
                                                                                                                                          PID:2128
                                                                                                                                        • C:\Windows\system32\doskey.exe
                                                                                                                                          doskey SCHTASKS=ICACLS
                                                                                                                                          2⤵
                                                                                                                                            PID:2576
                                                                                                                                          • C:\Windows\system32\findstr.exe
                                                                                                                                            findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                            2⤵
                                                                                                                                              PID:2748
                                                                                                                                            • C:\Windows\system32\findstr.exe
                                                                                                                                              findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                              2⤵
                                                                                                                                                PID:344
                                                                                                                                              • C:\Windows\system32\findstr.exe
                                                                                                                                                findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                2⤵
                                                                                                                                                  PID:2272
                                                                                                                                                • C:\Windows\system32\findstr.exe
                                                                                                                                                  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                  2⤵
                                                                                                                                                    PID:1956
                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
                                                                                                                                                    2⤵
                                                                                                                                                      PID:1976
                                                                                                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                        wmic computersystem get manufacturer /value
                                                                                                                                                        3⤵
                                                                                                                                                          PID:2260
                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                                                                                                                                        2⤵
                                                                                                                                                          PID:2476
                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
                                                                                                                                                          2⤵
                                                                                                                                                            PID:2616
                                                                                                                                                            • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                              wmic computersystem get manufacturer /value
                                                                                                                                                              3⤵
                                                                                                                                                                PID:1628
                                                                                                                                                            • C:\Windows\system32\findstr.exe
                                                                                                                                                              findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                              2⤵
                                                                                                                                                                PID:2940
                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
                                                                                                                                                                2⤵
                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                PID:2820
                                                                                                                                                              • C:\Windows\system32\findstr.exe
                                                                                                                                                                findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:2832
                                                                                                                                                                • C:\Windows\system32\findstr.exe
                                                                                                                                                                  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:2896
                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                    timeout 0
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                    PID:2968
                                                                                                                                                                  • C:\Windows\system32\wscript.exe
                                                                                                                                                                    wscript /b
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:1724
                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2976
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:2512
    • C:\Windows\system32\doskey.exe
      doskey /listsize=0
      2⤵
      PID:2776
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:2800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2428
    • C:\Windows\system32\wscript.exe
      wscript /b
      2⤵
      PID:356
    • C:\Windows\system32\doskey.exe
      doskey GOTO=FTYPE
      2⤵
      PID:1696
    • C:\Windows\system32\mshta.exe
      mshta
      2⤵
      PID:2124
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1948
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2248
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:3008
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:3028
    • C:\Windows\system32\doskey.exe
      doskey BCDBOOT=SYSTEMINFO
      2⤵
      PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3048
    • C:\Windows\system32\wscript.exe
      wscript /b
      2⤵
      PID:1860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:700
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1656
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:1620
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        PID:2252
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2128
    • C:\Windows\system32\doskey.exe
      doskey MORE=DATE
      2⤵
      PID:2424
    • C:\Windows\system32\doskey.exe
      doskey GPRESULT=ICACLS
      2⤵
      PID:332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:780
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1200
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:2544
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:1960
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1976
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1736
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:2592
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        PID:1600
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:888
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        PID:2824
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:1404
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        PID:2808
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
      PID:1448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:568
                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:2912
                                                                                                                                                                                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                      wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:2716
                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:2556
                                                                                                                                                                                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                          wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:2896
                                                                                                                                                                                                                                        • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                          findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:1772
                                                                                                                                                                                                                                          • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                            findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:1296
                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                              PID:2504
                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:952
                                                                                                                                                                                                                                                • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                  wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:2588
                                                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                  timeout 0
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                                                                                  PID:2160
                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                  PID:2780
                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                  rundll32
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:1052
                                                                                                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                    rundll32
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:1764
                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                      • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                      PID:2440
                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                      • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                      PID:2364
                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:3052
                                                                                                                                                                                                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                          wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:2564
                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                          • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                          PID:2196
                                                                                                                                                                                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                          rundll32
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:2552
                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                            powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                            PID:2056
                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                            powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                            PID:680
                                                                                                                                                                                                                                                          • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                            findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:2252
                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                              powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                              PID:1992
                                                                                                                                                                                                                                                            • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                              findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:1932
                                                                                                                                                                                                                                                              • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:2256
                                                                                                                                                                                                                                                                • C:\Windows\system32\wscript.exe
                                                                                                                                                                                                                                                                  wscript /b
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:1200
                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                    powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                    PID:2376
                                                                                                                                                                                                                                                                  • C:\Windows\system32\mshta.exe
                                                                                                                                                                                                                                                                    mshta
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:1728
                                                                                                                                                                                                                                                                    • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:2052
                                                                                                                                                                                                                                                                      • C:\Windows\system32\wscript.exe
                                                                                                                                                                                                                                                                        wscript /b
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                          PID:2464
                                                                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                          timeout 0
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                          PID:2536
                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                          powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                          PID:2476
                                                                                                                                                                                                                                                                        • C:\Windows\system32\wscript.exe
                                                                                                                                                                                                                                                                          wscript /b
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:2940
                                                                                                                                                                                                                                                                          • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                            findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:2860
                                                                                                                                                                                                                                                                            • C:\Windows\system32\doskey.exe
                                                                                                                                                                                                                                                                              doskey CHKDSK=SETLOCAL
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                PID:2808
                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                rundll32
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:1404
                                                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                  rundll32
                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                    PID:2788
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                    powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                    • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                    PID:1752
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                                    findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                      PID:2832
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                                      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:2912
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\wscript.exe
                                                                                                                                                                                                                                                                                        wscript /b
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                          PID:1284
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\doskey.exe
                                                                                                                                                                                                                                                                                          doskey /listsize=0
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:2852
                                                                                                                                                                                                                                                                                          • C:\Windows\system32\doskey.exe
                                                                                                                                                                                                                                                                                            doskey /listsize=0
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:2960
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\doskey.exe
                                                                                                                                                                                                                                                                                              doskey RMDIR=TYPE
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:2708
                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                PID:2704
                                                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:2712
                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                    wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                      PID:2676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:2800
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
        PID:2356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1824
    • C:\Windows\system32\mshta.exe
      mshta
      2⤵
        PID:1196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:2440
    • C:\Windows\system32\wscript.exe
      wscript /b
      2⤵
        PID:2364
    • C:\Windows\system32\mshta.exe
      mshta
      2⤵
        PID:3004
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
        PID:2080
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
        PID:408
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
        PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:2328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2288
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
        PID:2576
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
        PID:2384
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
        PID:2548
    • C:\Windows\system32\timeout.exe
      timeout 0
      2⤵
      • Delays execution with timeout.exe
      PID:2332
    • C:\Windows\system32\mshta.exe
      mshta
      2⤵
        PID:2344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:1200
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
        PID:2004
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
        PID:1628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1572
    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:1048
                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                  wmic computersystem get manufacturer /value
                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                    PID:2416
                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                  • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                  PID:2808
                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                                                                                  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                    PID:2640
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\wscript.exe
                                                                                                                                                                                                                                                                                                                                    wscript /b
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                      PID:1244
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                                                                                      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                        PID:2716
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\doskey.exe
                                                                                                                                                                                                                                                                                                                                        doskey POPD=MD
                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                          PID:2912
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                                                                                          findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                            PID:2708
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                                                                                            findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                              PID:2732
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\findstr.exe
                                                                                                                                                                                                                                                                                                                                              findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                PID:936
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                PID:496
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\doskey.exe
                                                                                                                                                                                                                                                                                                                                                doskey /listsize=0
                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                  PID:356
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\wscript.exe
                                                                                                                                                                                                                                                                                                                                                  wscript /b
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                    PID:340
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                    powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                    PID:2160
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\wscript.exe
                                                                                                                                                                                                                                                                                                                                                    wscript /b
                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                      PID:2356
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                      powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                      PID:2768
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                      powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                      PID:2132
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1504
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:548
    • C:\Windows\system32\doskey.exe
      doskey VOL=DRIVERQUERY
      2⤵
      PID:1132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      PID:2088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      PID:2056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      PID:1908
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:2868
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic computersystem get manufacturer /value
          3⤵
          PID:1536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nop -c "Write-Host -NoNewLine $null"
      2⤵
      PID:956

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Users\Admin\AppData\Local\Temp\kdotRfBxts.bat
  Filesize: 186B
  MD5:      f375cca76665b4940a23022a0e8fd7e8
  SHA1:     bb9aeb111e067904c48a2b82b8f5482eaf290b8f
  SHA256:   99c7b4b4733744862f445ea9a4737abef02aff1d5d9ad5cafdbd1a9965b21348
  SHA512:   d76d78abdc2931083dce35471c4a23cbd88f47bbb4e5f69975e921de4cb0f64f1ff16c2fe4261407ce3ef6b7caa5fb5382841360bfb4827651be43816950c022

• C:\Users\Admin\AppData\Local\Temp\kdotjdyEW.bat
  Filesize: 13B
  MD5:      337065424ed27284c55b80741f912713
  SHA1:     0e99e1b388ae66a51a8ffeee3448c3509a694db8
  SHA256:   4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b
  SHA512:   d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a

• C:\Users\Admin\AppData\Local\Temp\kdotjdyEW.bat
  Filesize: 95B
  MD5:      f5a71fdb6b1326188878f569079e6d7b
  SHA1:     64536a07da7123953acc29f084560fcabbb1d021
  SHA256:   8be55d45bdd197eea902588aae2b92c6da33257a9b35778c2456883dd8e441f1
  SHA512:   68c01c9ef6169bf56800df80695394959056ed0c3b6382ed9c3f2936082a79baba5c8287990662386f8ce0bd12006bc17cf4a6f9c99c4a92d82ba13faa7cfa8f

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5:      d46607893f2ad5bbc69187a8827f86ac
  SHA1:     a886dc984c2773ec495e2e545db208b9a08470fb
  SHA256:   136c507359e5f3af9a8abb7d2f959ad25a419e534720efdc52c6529d98e0f853
  SHA512:   ed7621628731ecc58a89a37110e8b0b012b65141627e64feb9ab5944d901a5f0afa77939642404fd4fc4c3d8b69d72a941e8030d1f2629a9d617b80657d9dd2d

• \??\PIPE\srvsvc
  MD5:      d41d8cd98f00b204e9800998ecf8427e
  SHA1

                                                                                                                                                                                                                                                                                                                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                                                                                                                                                              • memory/2304-39-0x0000000002340000-0x0000000002348000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                32KB

                                                                                                                                                                                                                                                                                                                                                              • memory/2304-38-0x000000001B690000-0x000000001B972000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                2.9MB

                                                                                                                                                                                                                                                                                                                                                              • memory/2388-17-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                32KB

                                                                                                                                                                                                                                                                                                                                                              • memory/2388-21-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                9.6MB

                                                                                                                                                                                                                                                                                                                                                              • memory/2388-20-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                9.6MB

                                                                                                                                                                                                                                                                                                                                                              • memory/2388-19-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                9.6MB

                                                                                                                                                                                                                                                                                                                                                              • memory/2388-18-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                9.6MB

                                                                                                                                                                                                                                                                                                                                                              • memory/2388-16-0x000000001B700000-0x000000001B9E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                2.9MB

                                                                                                                                                                                                                                                                                                                                                              • memory/2388-15-0x000007FEF623E000-0x000007FEF623F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                4KB