Malware Analysis Report

2025-08-11 06:35

Sample ID 241016-adzdkstdla
Target 見積依頼.zip
SHA256 28c5f7a70f7b7cbd238467322531d8f7bbca1731389dca610711ed17397ea924
Tags
snakekeylogger collection discovery execution keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

28c5f7a70f7b7cbd238467322531d8f7bbca1731389dca610711ed17397ea924

Threat Level: Known bad

The file 見積依頼.zip was found to be: Known bad.

Malicious Activity Summary

snakekeylogger collection discovery execution keylogger spyware stealer

Snake Keylogger

Snake Keylogger payload

Command and Scripting Interpreter: PowerShell

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 00:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 00:06

Reported

2024-10-16 00:09

Platform

win10-20240404-ja

Max time kernel

149s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\見積依頼.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\taskschd.msc | C:\Windows\system32\mmc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mmc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mmc.exe | N/A
N/A | N/A | C:\Windows\system32\mmc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3232 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 192 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 192 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 192 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3232 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 3232 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 3232 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 3232 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 3232 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 3232 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 3232 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 3232 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 2316 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 2316 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 2316 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 2316 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 2316 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 2316 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 2316 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 2316 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 4248 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4248 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4248 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4248 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4248 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4248 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4248 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4248 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4248 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4248 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 4248 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 4248 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 4248 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 4248 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 4248 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 4248 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe
PID 4248 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\見積依頼.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\見積依頼.exe

"C:\Users\Admin\AppData\Local\Temp\見積依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\見積依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TpQmYD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TpQmYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAE4.tmp"

C:\Users\Admin\AppData\Local\Temp\見積依頼.exe

"C:\Users\Admin\AppData\Local\Temp\見積依頼.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\IME\SHARED\imebroker.exe

C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\見積依頼.exe

"C:\Users\Admin\AppData\Local\Temp\見積依頼.exe"

C:\Users\Admin\AppData\Local\Temp\見積依頼.exe

"C:\Users\Admin\AppData\Local\Temp\見積依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\見積依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TpQmYD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TpQmYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC704.tmp"

C:\Users\Admin\AppData\Local\Temp\見積依頼.exe

"C:\Users\Admin\AppData\Local\Temp\見積依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\見積依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TpQmYD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TpQmYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD5B.tmp"

C:\Users\Admin\AppData\Local\Temp\見積依頼.exe

"C:\Users\Admin\AppData\Local\Temp\見積依頼.exe"

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\System32\taskschd.msc"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | 169.8.226.132.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp

Files

memory/3232-0-0x000000007397E000-0x000000007397F000-memory.dmp

memory/3232-1-0x0000000000040000-0x00000000000E0000-memory.dmp

memory/3232-2-0x0000000004F10000-0x000000000540E000-memory.dmp

memory/3232-3-0x0000000004900000-0x0000000004992000-memory.dmp

memory/3232-4-0x00000000049C0000-0x00000000049CA000-memory.dmp

memory/3232-5-0x0000000073970000-0x000000007405E000-memory.dmp

memory/3232-6-0x0000000004BB0000-0x0000000004C4C000-memory.dmp

memory/3232-7-0x00000000060D0000-0x00000000060EA000-memory.dmp

memory/3232-8-0x000000007397E000-0x000000007397F000-memory.dmp

memory/3232-9-0x0000000073970000-0x000000007405E000-memory.dmp

memory/3232-10-0x0000000007270000-0x00000000072D8000-memory.dmp

memory/3232-11-0x0000000009EC0000-0x0000000009FCE000-memory.dmp

memory/4576-18-0x0000000004A60000-0x0000000004A96000-memory.dmp

memory/4576-21-0x0000000073970000-0x000000007405E000-memory.dmp

memory/192-22-0x00000000075D0000-0x0000000007BF8000-memory.dmp

memory/4576-23-0x0000000073970000-0x000000007405E000-memory.dmp

memory/192-24-0x0000000073970000-0x000000007405E000-memory.dmp

memory/4576-25-0x00000000072F0000-0x0000000007382000-memory.dmp

memory/4576-27-0x0000000007BD0000-0x0000000007BF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBAE4.tmp

MD5 70237ab982a2fb4da5fd9315ead93b87
SHA1 da28835ac58379123c69ea9bc8f21b51fbf7ee99
SHA256 746c051d3826bb4421269fecdd3a946cfbb37e9a67b58df4a6b3cdfb5391d10a
SHA512 80471c6c75743c4838111f39294ef51546e3c26dff609b83ac790721348a047a5be1eccabbc0d5e3e68ea86fd174f5f0e461bd3714709b62d1c513ebb39aff91

memory/192-29-0x0000000007EF0000-0x0000000007F56000-memory.dmp

memory/192-30-0x0000000007380000-0x0000000007390000-memory.dmp

memory/4876-31-0x0000000000400000-0x0000000000426000-memory.dmp

memory/192-28-0x0000000007CB0000-0x0000000007D16000-memory.dmp

memory/192-33-0x0000000008000000-0x0000000008350000-memory.dmp

memory/3232-34-0x0000000073970000-0x000000007405E000-memory.dmp

memory/192-35-0x0000000007F60000-0x0000000007F7C000-memory.dmp

memory/192-36-0x0000000008570000-0x00000000085BB000-memory.dmp

memory/4576-37-0x00000000087B0000-0x0000000008826000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pj1ewxlf.4yd.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4576-73-0x00000000708F0000-0x000000007093B000-memory.dmp

memory/192-72-0x00000000098C0000-0x00000000098DE000-memory.dmp

memory/192-71-0x00000000708F0000-0x000000007093B000-memory.dmp

memory/192-70-0x00000000098E0000-0x0000000009913000-memory.dmp

memory/192-82-0x00000000099C0000-0x0000000009A65000-memory.dmp

memory/4576-83-0x0000000009AA0000-0x0000000009AF0000-memory.dmp

memory/4576-84-0x0000000009B90000-0x0000000009C24000-memory.dmp

memory/192-468-0x0000000009BA0000-0x0000000009BBA000-memory.dmp

memory/4576-477-0x0000000009A90000-0x0000000009A98000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

memory/192-510-0x0000000073970000-0x000000007405E000-memory.dmp

memory/4576-509-0x0000000073970000-0x000000007405E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6562f8e861f3d925d2d96d5d728b33bf
SHA1 149ed444dd5d84cbef85b89e5cb0eaafcdfa1f7a
SHA256 6197f4829f606c96b010be830f21988ca453d7a5bf511d42258ec7b5d85e7540
SHA512 961d7c149001de9c0c0c86478b8c90708a2a8e61a298ef828d386d55683a60cc8b728d50efdc09118494a2f176f208aad3775b0581b46d8f8d7d790cea136ab9

memory/4876-511-0x0000000005450000-0x0000000005464000-memory.dmp

memory/4876-512-0x00000000065B0000-0x0000000006772000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\見積依頼.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

memory/3892-520-0x0000000007B80000-0x0000000007ED0000-memory.dmp

memory/3892-523-0x0000000008840000-0x000000000888B000-memory.dmp

memory/3892-552-0x0000000070060000-0x00000000700AB000-memory.dmp

memory/3892-559-0x0000000009840000-0x00000000098E5000-memory.dmp

memory/2580-562-0x0000000070060000-0x00000000700AB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 04561b176faa8523aa07fa4bb2969861
SHA1 4aecba39382a84d00c036ae622649650740d38e0
SHA256 c8acaeb6a1bf5aa29950b92a465f0cdf3ee983b32206255ec5ae4d84e312892f
SHA512 e1b90a44ead304e8a1db297444d3f7be580b87e347008ab52fc59f4621903098416e17541e19506685495ac4fdbcd60ede8082d8eacc9e5b73c3573191ab6cc4

memory/5080-995-0x0000000007830000-0x0000000007B80000-memory.dmp

memory/5080-997-0x0000000007E10000-0x0000000007E5B000-memory.dmp

memory/5080-1026-0x00000000703A0000-0x00000000703EB000-memory.dmp

memory/5080-1033-0x00000000092F0000-0x0000000009395000-memory.dmp

memory/2244-1036-0x00000000703A0000-0x00000000703EB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 75820be786f94d56d69c78a65397bec2
SHA1 018150e98208af3ac8188c25aa4176fd1661f3a6
SHA256 fc5d8c2d3735989f5529735bed061e565da2b7cb3dfd31ec6b1b79f8b7638a71
SHA512 0f7c9b473f3a0e84f1e3fb3b271a2e4dc7ee9187697e352cb363fc33a41a05aa42e8b7cd5e262ed5191b43c140571e424ac9f708f3552dcbe0f7839a5dec9f73

memory/1872-1478-0x000000001DE70000-0x000000001DF7E000-memory.dmp

memory/1872-1493-0x000000001CDB0000-0x000000001CDBE000-memory.dmp

memory/1872-1507-0x000000001E4B0000-0x000000001E656000-memory.dmp

memory/1872-1512-0x000000001E2B0000-0x000000001E2D2000-memory.dmp