BTLO – Investigation: Crypto


After a number of Windows servers saw a large CPU spike, can you identify what’s happened based on a suspicious PowerShell script found on each system?

You have been provided with the script, a PCAP from one of the affected servers, and a memory dump.

The Volatility profile needed is win10x64_17134.

Scenario Description
Restricted Content
This investigation is currently active on Blue Team Labs Online, and is therefore required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

