af345cbcd20d7ae664d369ca78acb95f0768b4b5c5c036a6a4a55ae09059ea79

Analysis

max time kernel
130s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 14:20

Target

tqtc-qt5-everywhere-src-5.15.5/coin/pre-provisioning/qtci-windows-10-x86/disable-windows-file-protector.ps1
Size

289B
MD5

235b2291aa55cdc0d3d5dbca73d86581
SHA1

c20abe7c86d1f99cb08c486d468735a9bb711494
SHA256

7bb5aedc6c632de0ea6a7c632c22bc7e467d06edf9d90e37624b45e1aa38c370
SHA512

57dbe5cd267477ebdfb3cfb5d5fbc25da7cda5ae767b0bb19000f0e667983b80a5216fcabd0dac8aabc2f709bb61bdd5314c5038397e4372408171f3e15799d4

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2936	powershell.exe
2936	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 3560	2936	powershell.exe	90
PID 2936 wrote to memory of 3560	2936	powershell.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\tqtc-qt5-everywhere-src-5.15.5\coin\pre-provisioning\qtci-windows-10-x86\disable-windows-file-protector.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V SFCDisable /T REG_dWORD /D 0xffffff9d /F
  2⤵
  PID:3560

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gtca3k5o.ypj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2936-9-0x00000211A5DC0000-0x00000211A5DE2000-memory.dmp

Filesize
136KB

Download
memory/2936-12-0x00007FFBD65B0000-0x00007FFBD7071000-memory.dmp

Filesize
10.8MB

Download
memory/2936-13-0x00007FFBD65B0000-0x00007FFBD7071000-memory.dmp

Filesize
10.8MB

Download