Malware Analysis Report

2025-01-03 05:22

Sample ID 230216-ntewrshd37
Target Portail commercial.exe
SHA256 1b1b465907d70a5be723778e15933b70e5ba1154f0f5e4c023194065c8baeb7f
Tags
bitrat nanocore evasion keylogger persistence spyware stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

1b1b465907d70a5be723778e15933b70e5ba1154f0f5e4c023194065c8baeb7f

Threat Level: Known bad

The file Portail commercial.exe was found to be: Known bad.

Malicious Activity Summary

bitrat nanocore evasion keylogger persistence spyware stealer trojan upx

NanoCore

BitRAT

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2023-02-16 11:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-16 11:41

Reported

2023-02-16 11:43

Platform

win7-20220901-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"

Signatures

BitRAT

trojan bitrat

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxtensionsx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Net\\sxtensionsx.exe\"" C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Extensionsx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensionsx.exe\"" C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1228 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1228 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1228 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1228 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1228 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 1228 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 1228 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 1228 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 1228 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 1228 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 1228 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 1228 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 1228 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 1744 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1744 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1744 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1744 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1744 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1744 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1744 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 1744 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe

"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

"C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe"

C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe

"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 hamzzagolozar.loseyourip.com udp
NL 212.193.30.230:14981 hamzzagolozar.loseyourip.com tcp
US 8.8.8.8:53 bitratluckshinjisix130.freeddns.org udp
NL 212.193.30.230:7011 bitratluckshinjisix130.freeddns.org tcp

Files

\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

MD5 c067642ee75a78d31964d7951c0673ee
SHA1 6eda0e0896e1517e10dd8a4e4202704860b0514a
SHA256 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad
SHA512 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1a0fb999923f6524b68d37d5a397263b
SHA1 a0ac0cf47437aee417bb1d55b0a0ab99187199fb
SHA256 529c2bcdeb7f9e3a4e05b205b3753d2c87e060591acaec6138c117dd73c3bf71
SHA512 c3079ca13b3b8240bf809c51f079bfd1c37d3af9a122cf4bffcfb6fda5e66392c297672075a17468e544e1398701b19cf23945f479787918f8ab37321584ab0c

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-16 11:41

Reported

2023-02-16 11:43

Platform

win10v2004-20221111-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"

Signatures

BitRAT

trojan bitrat

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxtensionsx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Net\\sxtensionsx.exe\"" C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Extensionsx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensionsx.exe\"" C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 2768 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 2768 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 2768 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 2768 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 2768 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 2768 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 2768 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 2768 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 2768 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 2768 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
PID 3972 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3972 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3972 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3972 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 3972 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 3972 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 3972 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 3972 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 3972 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 3972 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 3972 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 3972 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
PID 3972 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe

"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

"C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe"

C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe

"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 hamzzagolozar.loseyourip.com udp
NL 212.193.30.230:14981 hamzzagolozar.loseyourip.com tcp
US 34.160.46.54:443 tcp
US 35.201.103.21:443 tcp
US 34.98.75.36:443 tcp
US 35.241.9.150:443 tcp
US 34.160.144.191:443 tcp
US 13.89.178.26:443 tcp
NL 104.80.225.205:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 bitratluckshinjisix130.freeddns.org udp
NL 212.193.30.230:7011 bitratluckshinjisix130.freeddns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe

MD5 c067642ee75a78d31964d7951c0673ee
SHA1 6eda0e0896e1517e10dd8a4e4202704860b0514a
SHA256 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad
SHA512 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5c8d7c04811896849480954782534fe4
SHA1 64ce416250e4f2ff8661b9357adeb65626f28391
SHA256 b5c7a064d1425080c6434a5c5014305084e504dfae72752d1fe17a697f75cf39
SHA512 45b1161ef0df82642ec2130c2f20ed70c03de4678c99c5edb247d37215f21641e2b6d5849a338f1f1b0dbbc04b13cd2c59816bebbbd73f4e088702d93c769c71

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92