Malware Analysis Report

2024-11-30 15:02

Sample ID 241031-qvyfls1jcl
Target Product Inquiry-002.gz
SHA256 63c2e0330762479ef2c7d87ff691af7b867275f60a2544de3ce51643b2c5c55d
Tags
vipkeylogger collection discovery execution keylogger spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 63c2e0330762479ef2c7d87ff691af7b867275f60a2544de3ce51643b2c5c55d

Threat Level: Known bad

The file Product Inquiry-002.gz was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

VIPKeylogger

Vipkeylogger family

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

outlook_win_path

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-31 13:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-31 13:35
Reported: 2024-10-31 13:39
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1304 set thread context of 2844 N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 2820 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 3004 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 2800 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe C:\Windows\SysWOW64\schtasks.exe
PID 1304 wrote to memory of 2844 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe

"C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KrNxPXjrA.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrNxPXjrA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp23E5.tmp"

C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe

"C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0BFDGF2P7HRZ4OUMKPFN.temp

MD5 43c585cdc02e42f5a4260fe6984cf4b5
SHA1 a55718112f84b3b1e59f0d7c17ccacd10169b5c8
SHA256 db26e5c07728e5074d4b4ce921a9b1df791e6cd53434f14adea5af0ce9e0891d
SHA512 a7721a004ef183a67d3886e984d51fdd8d878e6c8357e86e8c1d30769d603da9f050fe2782806d0bd0da94b159ae627e1a5e45098c30b7901929a521a46e1a3a

C:\Users\Admin\AppData\Local\Temp\tmp23E5.tmp

MD5 a96824c81909a2c5e416e70714c5b749
SHA1 417dfc1bb8219b5b868176302e04cafd27408918
SHA256 899327909e22c3e3c1e3ef180aefec104bcc1313ca04af1cbac0b8c2df89d5b9
SHA512 9be9234180fbd387bd52c64b256226234ee98c67c0c03a48b54bca1d5fd0baaebcdf08d70e1b43420a3814359fe43c2d892d988cda6e20e62d1f22cc1664af52

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-31 13:35
Reported: 2024-10-31 13:38
Platform: win10v2004-20241007-en
Max time kernel: 135s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4448 set thread context of 4084 N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4448 wrote to memory of 1308 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 3920 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 3180 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe C:\Windows\SysWOW64\schtasks.exe
PID 4448 wrote to memory of 4084 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe

"C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KrNxPXjrA.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrNxPXjrA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA52.tmp"

C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe

"C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 168.6.122.193.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp (5 connections)

Files

C:\Users\Admin\AppData\Local\Temp\tmpDA52.tmp

MD5 0c61e142d5c063f6219c751d876e35b7
SHA1 606911d6adb6d4249b5c9d9289a7361ef2c26fa8
SHA256 5a39f37ff0792469dfe1f6c80fa1f642b2677c0280676f7f29de29f98e1021ad
SHA512 d6b312777748f191f3c4a8a024ac9f1e3fcf901bfa8d2d8d4c9e6de083b093dea37d3f0fbca7b07f405578f4075163af2626e6268e6ff44114b05f68b52bc3e2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1w0m3eew.wvd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 70f4957652a42b6b95fe708059bc400b
SHA1 b03086af375704eaa6f911f31824797f466978e4
SHA256 cdd644dc46e4128d2fac9fbae3ee7e84f14a9ea915772199d7a29aee4f3880b6
SHA512 f7374261803c7a27cb877f5e381efb51de08c19875195f7c974cc408205ddb2a4e9feba02c4df333705710d451e3c714892114aa68e91f96014a651b68788a56
