Malware Analysis Report

2025-08-11 06:36

Sample ID 241016-alv15atela
Target お見積り依頼.zip
SHA256 1e2c7f25f9388d47be1f318cdf74b95b9d971a12d23c6eb4c78707301126acfe
Tags
snakekeylogger collection discovery execution keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1e2c7f25f9388d47be1f318cdf74b95b9d971a12d23c6eb4c78707301126acfe

Threat Level: Known bad

The file お見積り依頼.zip was found to be: Known bad.

Malicious Activity Summary

snakekeylogger collection discovery execution keylogger spyware stealer

Snake Keylogger payload

Snake Keylogger

Command and Scripting Interpreter: PowerShell

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Uses Task Scheduler COM API

outlook_office_path

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 00:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 00:18

Reported

2024-10-16 00:23

Platform

win10-20240611-ja

Max time kernel

225s

Max time network

264s

Command Line

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A
N/A | checkip.dyndns.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\taskschd.msc | C:\Windows\system32\mmc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mmc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mmc.exe | N/A
N/A | N/A | C:\Windows\system32\mmc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3492 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 3492 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 3492 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 3492 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 3492 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 3492 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 3492 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 3492 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 4776 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 4776 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 4776 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 4776 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 4776 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 4776 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 4776 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 4776 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 1764 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 1764 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 1764 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 1764 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 1764 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 1764 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 1764 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 1764 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 2880 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 2880 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 2880 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 2880 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 2880 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 2880 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 2880 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
PID 2880 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\System32\IME\SHARED\imebroker.exe

C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\System32\taskschd.msc"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 193.122.130.0:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 193.122.130.0:80 | checkip.dyndns.org | tcp
US | 193.122.130.0:80 | checkip.dyndns.org | tcp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 193.122.130.0:80 | checkip.dyndns.org | tcp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qf1dp22r.itd.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\お見積り依頼.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 829b53d10878b7d6ef5e9a938b3606f4
SHA1 f80f522a8b96776f2be40034550c90e871903a91
SHA256 dc3ed824cd84454db6d71bde7b721e4a39de3136081722cba8e3e9d28d2ec853
SHA512 0af81087355b4ffd1fb3546a9d8e595919ca70908801123872c51ad9ac8a4be0a0cbe59ab68f5367839ccb82eaad48e77484dc580be74b2ff473ea6494796576

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d9b58651487a76e40b99b0d031c612d4
SHA1 3d9ced656904ad9814dd4b1e22f4197c9e7abee2
SHA256 9b73ff6ea0941d1126341827a0520e646d068ba5144e6db973a29b90097af5f2
SHA512 c6a0b4461020b72f11f7ca96b2523a40be9e60d69d433fab82fef3e74c957e6d14df45278fb211fcdc4495820b64f325fa55a4f01759c9a5d0e3f30febbf4c65


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 00:18

Reported

2024-10-16 00:22

Platform

win10v2004-20241007-ja

Max time kernel

209s

Max time network

212s

Command Line

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A
N/A | checkip.dyndns.org | N/A | N/A
N/A | checkip.dyndns.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\taskschd.msc | C:\Windows\system32\mmc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Events
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe N/A 2
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\mmc.exe N/A 31
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A 30

Privilege value 33 is SeIncreaseWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE in winnt.h). The mmc.exe rows belong to the Task Scheduler console launched during the run (see Processes); the SeDebugPrivilege requests come from the sample itself and its PowerShell child.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2552 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2552 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe 3
PID 2552 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe 8
PID 904 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 904 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe 3
PID 904 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe 8
PID 3988 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3988 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe 8
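The sandbox records one row per WriteProcessMemory call, which hides the shape of the injection. The script below is an added example, not part of the sandbox output: it rebuilds the 14 events recorded for parent PID 2552 as constructed input (three writes into the powershell.exe child 4724, three into child 1496, eight into child 4776; parents 904 and 3988 show the same 3/3/8 pattern), collapses them into parent -> child edges, and flags the edges that fit process hollowing, that is a self-image target with more writes than process creation alone accounts for. The three-write baseline and the image-path constants are assumptions read off this trace, not Windows constants, and the SetThreadContext signature listed in the summary supplies the thread-redirect step that write counts cannot show.

```python
import ntpath
import re
from collections import Counter

# Image paths exactly as the report prints them (the sample runs under its
# original Japanese file name; no renamed or dropped copy appears on the page).
EXE = r"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def _row(src, dst, target):
    """One event line in the sandbox's column layout: description, indicator, source image, target image."""
    return f"PID {src} wrote to memory of {dst} N/A {EXE} {target}"


# Constructed input: the 14 events recorded for parent PID 2552, rebuilt in the
# one-row-per-event layout. Parents 904 and 3988 repeat the same 3 / 3 / 8 pattern.
SAMPLE_LOG = "\n".join(
    [_row(2552, 4724, PS)] * 3
    + [_row(2552, 1496, EXE)] * 3
    + [_row(2552, 4776, EXE)] * 8
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(log):
    """Collapse the event rows into {(src_pid, dst_pid, src_image, dst_image): write_count}."""
    edges = Counter()
    for line in log.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst), src_img, dst_img)] += 1
    return edges


def hollowing_candidates(edges, baseline_writes=3):
    """Return [(src_pid, dst_pid, writes)] for edges that fit the hollowing pattern.

    Two tests, both read off the trace rather than assumed to be universal:
      * self-image edge: the parent wrote into a new instance of its own binary;
      * more writes than process creation alone produces. In this trace every
        spawned child, powershell.exe included, shows exactly three writes, so
        three is used as the CreateProcess baseline (an assumption about this
        sandbox's tracing, not a Windows constant).
    The thread redirect (SetThreadContext) is reported as a separate signature;
    it is what turns "wrote into a new copy of itself" into hollowing.
    """
    found = []
    for (src, dst, src_img, dst_img), n in sorted(edges.items()):
        if src_img == dst_img and n > baseline_writes:
            found.append((src, dst, n))
    return found


def summarize(edges):
    """One readable line per parent -> child pair."""
    lines = []
    for (src, dst, src_img, dst_img), n in sorted(edges.items()):
        kind = "self-image" if src_img == dst_img else "cross-image"
        lines.append(f"{src} -> {dst} ({ntpath.basename(dst_img)}): {n} writes, {kind}")
    return lines


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_LOG)
    print("\n".join(summarize(edges)))
    print("hollowing candidates:", hollowing_candidates(edges))
```

Cross-check the result against the Files section: child 4776 has memory dumps beginning with the region 0x400000-0x426000, while child 1496 (three writes only) has none, which is consistent with the first self-image child never receiving a payload.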

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"
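The process list repeats the same three-step pattern three times (one run per parent PID in the WriteProcessMemory table): the sample starts, spawns PowerShell to add itself to the Defender exclusion list, then starts a copy of itself. Two details are worth a detection rule. First, Add-MpPreference -ExclusionPath pointing at a file under the user's Temp directory is an "exclude myself" evasion, not an administrative change. Second, the command line names C:\Windows\System32\...\powershell.exe but the image that ran is under SysWOW64: file-system redirection does that only for a 32-bit parent. The script below is an added example that is not part of the report; it parses the page's path/command-line layout (constructed from the first run) and emits both findings. The switch names, the user-writable path fragments and the field names are assumptions chosen for this example.

```python
import ntpath
import re

# Constructed input in the report's Processes layout: the image path on one line,
# the command line on the next, entries separated by blank lines. The three
# entries are copied from the first run on the page.
SAMPLE_PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe

"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
"""

# Assumptions (not from the report): the exclusion switches Add-/Set-MpPreference
# accept, and path fragments treated as user-writable.
EXCLUSION_SWITCHES = ("-exclusionpath", "-exclusionprocess", "-exclusionextension")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# Value after the switch, quoted (may contain spaces) or bare.
TARGET_RE = re.compile(r'-exclusion\w+\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_processes(text):
    """Return [(image_path, command_line)] from the path / command-line pairs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines) - 1, 2)]


def defender_exclusion_findings(procs):
    """Flag PowerShell processes that add a Defender exclusion from the command line.

    Also records the WoW64 tell: the command line names System32 but the image
    that actually ran lives under SysWOW64, which file-system redirection does
    only when the parent is a 32-bit process.
    """
    findings = []
    for image, cmdline in procs:
        low = cmdline.lower()
        if not ntpath.basename(image).lower().startswith("powershell"):
            continue
        if "add-mppreference" not in low and "set-mppreference" not in low:
            continue
        switches = [s for s in EXCLUSION_SWITCHES if s in low]
        if not switches:
            continue
        m = TARGET_RE.search(cmdline)
        target = (m.group(1) or m.group(2)) if m else ""
        findings.append({
            "image": image,
            "switches": switches,
            "target": target,
            # An exclusion pointing into a user-writable location is the
            # self-exclusion pattern rather than an administrator's change.
            "user_writable_target": any(s in target.lower() for s in USER_WRITABLE),
            "wow64_redirected": "\\syswow64\\" in image.lower() and "\\system32\\" in low,
        })
    return findings


if __name__ == "__main__":
    for finding in defender_exclusion_findings(parse_processes(SAMPLE_PROCESSES)):
        print(finding)
```

On a production host the same check runs over process-creation telemetry (Security 4688 with command-line auditing, or Sysmon event 1). Add-MpPreference needs an elevated context; the sandbox runs the sample as Admin, and on a standard-user desktop the cmdlet fails, but the process start is logged either way. A host that has already been hit can be checked with Get-MpPreference (the ExclusionPath property) and with the Defender operational log's configuration-change events.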

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 168.6.122.193.in-addr.arpa udp
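Most of the Network table is noise: the in-addr.arpa rows are the resolver reverse-looking-up the peers it just saw, and tse1.mm.bing.net is Windows background traffic. What the sample itself does is query checkip.dyndns.org (plain HTTP, port 80) and reallyfreegeoip.org (HTTPS), the external-IP and geolocation lookups behind the "Looks up external IP address via web service" signature, once per run. No other outbound destination appears, so only the reconnaissance step, not an exfiltration channel, was captured. Note too that checkip.dyndns.org resolved to three different hosts across the three runs, so the address is a poor indicator and the name is the one to alert on. The script below is an added example that is not part of the report; it parses rows constructed from the table, separates the classes above, and produces domain-level indicators with an IP-stability flag. The background and recon domain sets are assumptions for this example.

```python
import re

# Constructed input: rows copied from the report's Network table, one of each
# kind it contains (column order Country Destination Domain Proto). The three
# checkip.dyndns.org connections come from the three separate runs on the page.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 104.21.67.152:443 reallyfreegeoip.org tcp
DE 193.122.6.168:80 checkip.dyndns.org tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")

# Assumptions, not taken from the report: Windows background hosts to ignore,
# and the external-IP / geolocation services behind the report's
# "Looks up external IP address via web service" signature.
BACKGROUND = {"tse1.mm.bing.net"}
RECON_SERVICES = {"checkip.dyndns.org", "reallyfreegeoip.org"}


def parse_rows(text):
    """Return [(country, ip, port, domain, proto)] for well-formed rows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append((country, ip, int(port), domain, proto))
    return rows


def triage(rows):
    """Group by domain and label each: reverse-dns, background, recon, or review."""
    out = {}
    for country, ip, port, domain, proto in rows:
        if domain.endswith(".in-addr.arpa"):
            label = "reverse-dns"  # the resolver looking up the peers it saw
        elif domain in BACKGROUND:
            label = "background"
        elif domain in RECON_SERVICES:
            label = "recon"
        else:
            label = "review"
        info = out.setdefault(domain, {"label": label, "ips": set(), "ports": set(), "countries": set()})
        # DNS query rows (port 53) carry the resolver's address, not the service's,
        # so only the actual connection rows contribute endpoint data.
        if port != 53:
            info["ips"].add(ip)
            info["ports"].add(port)
            info["countries"].add(country)
    return out


def indicators(triaged):
    """Domain-level indicators for the recon label, with a note on IP stability.

    ip_stable is False when the same name resolved to different hosts across
    runs: alert on the name (DNS, TLS SNI, HTTP Host), not on the address.
    """
    iocs = []
    for domain, info in sorted(triaged.items()):
        if info["label"] != "recon":
            continue
        iocs.append({
            "domain": domain,
            "ips": sorted(info["ips"]),
            "ports": sorted(info["ports"]),
            "ip_stable": len(info["ips"]) == 1,
        })
    return iocs


if __name__ == "__main__":
    for ioc in indicators(triage(parse_rows(SAMPLE_NETWORK))):
        print(ioc)
```

Anything that lands in the "review" bucket on a real capture is where an exfiltration endpoint would show up; on this page that bucket is empty.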

Files

memory/2552-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

memory/2552-1-0x0000000000010000-0x0000000000092000-memory.dmp

memory/2552-2-0x0000000004FC0000-0x0000000005564000-memory.dmp

memory/2552-3-0x0000000004AB0000-0x0000000004B42000-memory.dmp

memory/2552-4-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/2552-5-0x0000000004A90000-0x0000000004A9A000-memory.dmp

memory/2552-6-0x0000000004D00000-0x0000000004D9C000-memory.dmp

memory/2552-7-0x0000000004E50000-0x0000000004E62000-memory.dmp

memory/2552-8-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

memory/2552-9-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/2552-10-0x0000000005FD0000-0x0000000006038000-memory.dmp

memory/2552-11-0x0000000008B60000-0x0000000008C6E000-memory.dmp

memory/4776-12-0x0000000000400000-0x0000000000426000-memory.dmp

memory/4776-15-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/2552-14-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/4724-16-0x0000000005050000-0x0000000005086000-memory.dmp

memory/4724-17-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/4724-18-0x00000000056C0000-0x0000000005CE8000-memory.dmp

memory/4724-19-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/4776-20-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/4724-21-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/4724-22-0x0000000005520000-0x00000000055B2000-memory.dmp

memory/4724-23-0x0000000005CF0000-0x0000000005D12000-memory.dmp

memory/4724-25-0x0000000005F00000-0x0000000005F66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_muprm0d4.chx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4724-24-0x0000000005E90000-0x0000000005EF6000-memory.dmp

memory/4724-32-0x0000000006030000-0x0000000006384000-memory.dmp

memory/4724-36-0x0000000005E80000-0x0000000005E90000-memory.dmp

memory/4724-37-0x0000000006790000-0x00000000067AE000-memory.dmp

memory/4724-38-0x00000000067D0000-0x000000000681C000-memory.dmp

memory/4724-39-0x00000000077C0000-0x00000000077F2000-memory.dmp

memory/4724-40-0x0000000070510000-0x000000007055C000-memory.dmp

memory/4724-50-0x0000000007780000-0x000000000779E000-memory.dmp

memory/4724-51-0x0000000007A00000-0x0000000007AA3000-memory.dmp

memory/4724-52-0x0000000008160000-0x00000000087DA000-memory.dmp

memory/4724-53-0x0000000007B10000-0x0000000007B2A000-memory.dmp

memory/4724-54-0x0000000007B80000-0x0000000007B8A000-memory.dmp

memory/4724-55-0x0000000007CC0000-0x0000000007D10000-memory.dmp

memory/4724-56-0x0000000007DB0000-0x0000000007E46000-memory.dmp

memory/4724-57-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

memory/4724-58-0x0000000007D20000-0x0000000007D2E000-memory.dmp

memory/4724-59-0x0000000007D30000-0x0000000007D44000-memory.dmp

memory/4724-60-0x0000000007D80000-0x0000000007D9A000-memory.dmp

memory/4724-61-0x0000000007D70000-0x0000000007D78000-memory.dmp

memory/4724-64-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/4776-65-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/4776-66-0x00000000067B0000-0x00000000067C4000-memory.dmp

memory/4776-67-0x0000000006BA0000-0x0000000006D62000-memory.dmp

memory/1992-68-0x000000001D310000-0x000000001D41E000-memory.dmp

memory/1992-69-0x0000000004F30000-0x0000000004F3E000-memory.dmp

memory/1992-70-0x000000001D970000-0x000000001DB16000-memory.dmp

memory/1992-71-0x000000001D560000-0x000000001D582000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\お見積り依頼.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/904-73-0x00000000059D0000-0x00000000059E2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1652-76-0x0000000005B70000-0x0000000005EC4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7dd63c9468b9599fbefc382c05aca017
SHA1 5db3f8234c8e7eb3c6a95edea9839565b017d5e4
SHA256 e7dabab09e415635f40d7da3a5155c8dcceea6e69d62370443366e946fa3af98
SHA512 03b05ba7ddc80a78ebd3b716f88e56943a116bfb5b5d57de689df8a535112b8c92b5aae645cd88ca76a1ec2c3ffd57407f2afb5bb3ec19ab1b2e53d61845e023

memory/1652-87-0x0000000006430000-0x000000000647C000-memory.dmp

memory/1652-88-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/1652-98-0x0000000007640000-0x00000000076E3000-memory.dmp

memory/1652-99-0x00000000078E0000-0x00000000078F1000-memory.dmp

memory/1652-100-0x0000000007980000-0x0000000007994000-memory.dmp

memory/3692-112-0x0000000005C80000-0x0000000005FD4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5c5252b072dcbe22812589cba933f29f
SHA1 cc3ede2404cfb15798b65e25d505558518ed8979
SHA256 8dbc305474bf98ba7c2bb86ddc5b600db0838a22c7fb672c5f4373eaf71734eb
SHA512 f4d82158537c6bb77607dd7da18d77d7fff6873f208ead3b208c55b5b4cef48ba3be24ecf467f86bfde378c038df3b0ff6baebe9712de6e19af5a5e23112a65f

memory/3692-114-0x0000000006310000-0x000000000635C000-memory.dmp

memory/3692-115-0x00000000708C0000-0x000000007090C000-memory.dmp

memory/3692-125-0x0000000007540000-0x00000000075E3000-memory.dmp

memory/3692-126-0x0000000007790000-0x00000000077A1000-memory.dmp

memory/3692-127-0x0000000007830000-0x0000000007844000-memory.dmp