33c21bf2e0c7f058fc2d76c9fa41e7fa203b1793b45ea61fec551186998f709a | Triage

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2022 14:33

Sharing

Report Analysis Logs

General

Target

ChrisTitusTech_debloatWin10_elQueAnda/cttscript/Individual Scripts/robocopy.ps1
Size

161B
MD5

e07e4d18c1e182d942be4c38cc3d5eca
SHA1

05e11619920174a97aa5ca42d4fc3b7807f64ad9
SHA256

4258b0781b453981346ba07316886f4f2b990420608b97e84ae3c446d797c8eb
SHA512

26c772fb1ca6b936ffa4a3715e72732620961e5cf62ff69f1cbc423ed341cecec714f7d5060602b5aa883337cad24eefa19f44cf0fb1436e7ef4b2a975c02b7d

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	powershell.exe
1524	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\ChrisTitusTech_debloatWin10_elQueAnda\cttscript\Individual Scripts\robocopy.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-132-0x0000021A56F10000-0x0000021A56F32000-memory.dmp

Filesize
136KB

Download
memory/1524-133-0x00007FFF257C0000-0x00007FFF26281000-memory.dmp

Filesize
10.8MB

Download
memory/1524-134-0x00007FFF257C0000-0x00007FFF26281000-memory.dmp

Filesize
10.8MB

Download