b895f0b4930c131fc92942de00d891ceaf782402e5215e2afeaf95b22137f353

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 21:30

Target

fix/speculating.ps1
Size

371B
MD5

bb7793ce425db431b720fb50f391cb97
SHA1

fb517ddb22d112606ce8e37f7f104446b37559d8
SHA256

c6ddc6d154447b822a719e91342e9d0f3e6254fccd733b847fd77c43d73927cd
SHA512

caa200cd88a2a3b64079aa189c4d0d3275181bff20b907ab9802f0ca130937fb083a6701d4b939008b5bf74f5be4e81d975bff3822dee36f16d86d38977397c6

Score

1^/10

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1652 powershell.exe
1652 powershell.exe
1652 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1652 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1652	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1652 wrote to memory of 1672	1652	powershell.exe	rundll32.exe
PID 1652 wrote to memory of 1672	1652	powershell.exe	rundll32.exe
PID 1652 wrote to memory of 1672	1652	powershell.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\users\public\flapjacksXxi.jpg DrawThemeIcon
2⤵
PID:1672

memory/1652-54-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp

Filesize
8KB

Download
memory/1652-55-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1652-56-0x000007FEF3390000-0x000007FEF3EED000-memory.dmp

Filesize
11.4MB

Download
memory/1652-57-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1652-59-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1652-60-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1672-58-0x0000000000000000-mapping.dmp

Download