Malware Analysis Report

2024-12-07 16:36

Sample ID: 241114-cgppnawpap
Target: Phantom2 - Copy_obf.bat
SHA256: ebad20cc8d48bd94efb0d4a01850cc14c9618a1a01b28cb4e88fd889161d2de8
Tags: defense_evasion, execution
Score: 4/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

Score: 4/10
SHA256: ebad20cc8d48bd94efb0d4a01850cc14c9618a1a01b28cb4e88fd889161d2de8

Threat Level: Likely benign (sandbox verdict)

The sandbox classified Phantom2 - Copy_obf.bat as Likely benign. Treat that as a statement about this detonation, not about the file. Every PowerShell command recorded in behavioral1 is either a virtualisation check that force-terminates cmd.exe (a disk model containing "ADY HARDDISK" or "EMU HARDDISK", less than 4 GB of physical memory, or a Win32_ComputerSystem model matching "Virtual") or a no-op (Write-Host -NoNewLine $null), and the batch additionally queries the computer-system manufacturer through wmic. The remaining processes carry no payload in this run: findstr reading the batch file itself, doskey macro definitions (cmd.exe does not expand doskey macros inside a batch file, so they do nothing here), chcp 65001, timeout 0, net file, and mshta, rundll32 and wscript /b launched without arguments. A script whose visible logic is built around killing itself inside a VM has not shown that it is harmless; it has shown that it checks where it is running, so the 4/10 score should not be used to clear the file.

Malicious Activity Summary

defense_evasion execution

Hide Artifacts: Ignore Process Interrupts

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-14 02:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-14 02:03
Reported: 2024-11-14 02:06
Platform: win7-20241023-en
Max time kernel: 148s
Max time network: 121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (27 identical rows)

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A (6 identical rows)

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (63 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (8 rows: 1 before the first WMIC.exe batch, 7 between the second and third)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A (one row per privilege, in this order; two complete batches of 20 rows, then a third batch that the table cuts off after SeUndockPrivilege)

Reading note: "Token: 33", "34" and "35" are privilege LUIDs the sandbox left unresolved; on Windows they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. A WMIC.exe instance enabling every privilege present in its token is that binary's normal start-up behaviour and is not an indicator by itself; the signature fires repeatedly here because the sample launches wmic repeatedly. The PowerShell instances enable only SeDebugPrivilege, recorded alongside their process enumeration (the EnumeratesProcesses hits above).

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows
PID 2492 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe 3
PID 2492 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2388 wrote to memory of 2480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe 3
PID 2492 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe 3
PID 2492 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2492 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe 3
PID 2492 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 2492 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe 3
PID 2492 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe 3
PID 2492 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe 3
PID 2492 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe 3
PID 2492 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe 3
PID 2492 wrote to memory of 1248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe 3
PID 2492 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2492 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe 3
PID 2492 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe 3
PID 2492 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2492 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\doskey.exe 3
PID 2492 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\doskey.exe 3
PID 2492 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe 3
PID 2492 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe 3
PID 2492 wrote to memory of 1832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe 1 (table cut off here)

Reading note: the Rows column counts the identical rows the sandbox emitted for each parent/child pair; every completed spawn in this table appears as exactly three writes. All writes originate from the batch's own cmd.exe (PID 2492) into the children it launches, plus one powershell.exe (2388) into the WMIC.exe (2480) it starts for the disk-model query. That is the memory-write pattern of a parent creating a child process, not of injection into a pre-existing process.
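The parent/child pairs in this table can be rebuilt into a process tree mechanically. The following is an added Python helper, not part of the sandbox report or of the sample: it parses the signature rows in the sandbox's per-write form (each completed spawn recorded as three identical rows), collapses them into one edge per pid pair, keeps the write count so that a truncated spawn stands out, and renders the tree. The embedded rows are a constructed subset of this table, and the row grammar is assumed from the rows shown.

```python
"""Rebuild the process tree from flattened 'wrote to memory of' signature rows
(added example; not part of the sandbox report or of the sample)."""
import ntpath
import re
from collections import Counter, defaultdict

# Constructed subset of the rows in this table, kept in the sandbox's
# per-write form: a completed spawn appears as three identical rows, and the
# final row reproduces the single write left when the table is cut off.
WPM_ROWS = r'''
PID 2492 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2492 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2492 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2492 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2492 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 2480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2388 wrote to memory of 2480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2388 wrote to memory of 2480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2492 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2492 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2492 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2492 wrote to memory of 1832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
'''

# Row grammar assumed from the rows above; the image paths contain no spaces.
ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_image) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m[1]), int(m[2]), m[3], m[4]))
    return rows


def process_tree(rows):
    """Collapse repeated rows into one edge per (parent, child) pid pair.
    Returns pid->image, parent->ordered child pids, (parent, child)->write count."""
    image, children, writes = {}, defaultdict(list), Counter()
    for ppid, cpid, pimg, cimg in rows:
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
        writes[(ppid, cpid)] += 1
    return image, dict(children), writes


def roots(children):
    """Pids that spawn others but were not spawned by any row (the batch's cmd.exe here)."""
    spawned = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in spawned]


def incomplete_spawns(writes, expected=3):
    """(parent, child) pairs with fewer writes than a completed spawn shows."""
    return [pair for pair, n in writes.items() if n < expected]


def render(image, children, writes, pid, depth=0):
    """Indented text tree; each child line carries its write count."""
    lines = [f"{'  ' * depth}{pid} {ntpath.basename(image[pid])}"]
    for child in children.get(pid, []):
        sub = render(image, children, writes, child, depth + 1)
        sub[0] += f"  [{writes[(pid, child)]} writes]"
        lines.extend(sub)
    return lines


if __name__ == '__main__':
    image, children, writes = process_tree(parse_rows(WPM_ROWS))
    for root in roots(children):
        print('\n'.join(render(image, children, writes, root)))
    print('truncated or partial spawns:', incomplete_spawns(writes))
```

Run against the full table, the tree has a single root (cmd.exe 2492) with one second-level branch (powershell.exe 2388 spawning WMIC.exe 2480), and the only pair below three writes is the last row, which is where the table is cut off rather than a genuinely different spawn.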

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"

C:\Windows\System32\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\mshta.exe

mshta

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\mshta.exe

mshta

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\doskey.exe

doskey GRAFTABL=BCDBOOT

C:\Windows\system32\doskey.exe

doskey GRAFTABL=START

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\net.exe

net file

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 file

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\mshta.exe

mshta

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\doskey.exe

doskey COMP=SYSTEMINFO

C:\Windows\system32\doskey.exe

doskey CHKNTFS=CONVERT

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\doskey.exe

doskey MORE=REM

C:\Windows\system32\timeout.exe

timeout 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\doskey.exe

doskey DIR=TITLE

C:\Windows\system32\timeout.exe

timeout 0

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\doskey.exe

doskey FSUTIL=MOVE

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\doskey.exe

doskey SORT=SCHTASKS

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\system32\doskey.exe

doskey /listsize=0

C:\Windows\system32\doskey.exe

doskey SCHTASKS=ICACLS

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\timeout.exe

timeout 0

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\doskey.exe

doskey /listsize=0

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\system32\doskey.exe

doskey GOTO=FTYPE

C:\Windows\system32\mshta.exe

mshta

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\doskey.exe

doskey BCDBOOT=SYSTEMINFO

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\doskey.exe

doskey MORE=DATE

C:\Windows\system32\doskey.exe

doskey GPRESULT=ICACLS

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\system32\timeout.exe

timeout 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\mshta.exe

mshta

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\system32\timeout.exe

timeout 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\doskey.exe

doskey CHKDSK=SETLOCAL

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\system32\rundll32.exe

rundll32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\system32\doskey.exe

doskey /listsize=0

C:\Windows\system32\doskey.exe

doskey /listsize=0

C:\Windows\system32\doskey.exe

doskey RMDIR=TYPE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\mshta.exe

mshta

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\system32\mshta.exe

mshta

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\timeout.exe

timeout 0

C:\Windows\system32\mshta.exe

mshta

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\doskey.exe

doskey POPD=MD

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\system32\doskey.exe

doskey /listsize=0

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\wscript.exe

wscript /b

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\system32\doskey.exe

doskey VOL=DRIVERQUERY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get manufacturer /value

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -c "Write-Host -NoNewLine $null"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\kdotRfBxts.bat

MD5 f375cca76665b4940a23022a0e8fd7e8
SHA1 bb9aeb111e067904c48a2b82b8f5482eaf290b8f
SHA256 99c7b4b4733744862f445ea9a4737abef02aff1d5d9ad5cafdbd1a9965b21348
SHA512 d76d78abdc2931083dce35471c4a23cbd88f47bbb4e5f69975e921de4cb0f64f1ff16c2fe4261407ce3ef6b7caa5fb5382841360bfb4827651be43816950c022

memory/2388-15-0x000007FEF623E000-0x000007FEF623F000-memory.dmp

memory/2388-16-0x000000001B700000-0x000000001B9E2000-memory.dmp

memory/2388-17-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

memory/2388-18-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

memory/2388-19-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

memory/2388-20-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

memory/2388-21-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d46607893f2ad5bbc69187a8827f86ac
SHA1 a886dc984c2773ec495e2e545db208b9a08470fb
SHA256 136c507359e5f3af9a8abb7d2f959ad25a419e534720efdc52c6529d98e0f853
SHA512 ed7621628731ecc58a89a37110e8b0b012b65141627e64feb9ab5944d901a5f0afa77939642404fd4fc4c3d8b69d72a941e8030d1f2629a9d617b80657d9dd2d

memory/2304-38-0x000000001B690000-0x000000001B972000-memory.dmp

memory/2304-39-0x0000000002340000-0x0000000002348000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kdotjdyEW.bat

MD5 337065424ed27284c55b80741f912713
SHA1 0e99e1b388ae66a51a8ffeee3448c3509a694db8
SHA256 4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b
SHA512 d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a

C:\Users\Admin\AppData\Local\Temp\kdotjdyEW.bat

MD5 f5a71fdb6b1326188878f569079e6d7b
SHA1 64536a07da7123953acc29f084560fcabbb1d021
SHA256 8be55d45bdd197eea902588aae2b92c6da33257a9b35778c2456883dd8e441f1
SHA512 68c01c9ef6169bf56800df80695394959056ed0c3b6382ed9c3f2936082a79baba5c8287990662386f8ce0bd12006bc17cf4a6f9c99c4a92d82ba13faa7cfa8f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 02:03

Reported

2024-11-14 02:06

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

154s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

Signatures

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"

C:\Windows\System32\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model

C:\Windows\system32\findstr.exe

findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\kdotRfBxts.bat

MD5 f375cca76665b4940a23022a0e8fd7e8
SHA1 bb9aeb111e067904c48a2b82b8f5482eaf290b8f
SHA256 99c7b4b4733744862f445ea9a4737abef02aff1d5d9ad5cafdbd1a9965b21348
SHA512 d76d78abdc2931083dce35471c4a23cbd88f47bbb4e5f69975e921de4cb0f64f1ff16c2fe4261407ce3ef6b7caa5fb5382841360bfb4827651be43816950c022

memory/2656-11-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zxbzpgqo.lyb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2656-12-0x000001F05B510000-0x000001F05B532000-memory.dmp

memory/2656-22-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

memory/2656-23-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

memory/2656-26-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 158a72355ea99a8bc04d0b6a380cc97c
SHA1 750fff9e378ca754a4534371e54624f7e90b796f
SHA256 c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c
SHA512 0f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545

memory/3364-49-0x000001C0F84B0000-0x000001C0F84DA000-memory.dmp

memory/3364-50-0x000001C0F84B0000-0x000001C0F84D4000-memory.dmp