Analysis Overview
SHA256
1b1b465907d70a5be723778e15933b70e5ba1154f0f5e4c023194065c8baeb7f
Threat Level: Known bad
The file Portail commercial.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
BitRAT
Checks computer location settings
Executes dropped EXE
UPX packed file
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-16 11:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-16 11:43
Reported
2023-02-16 11:45
Platform
win7-20221111-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
BitRAT
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxtensionsx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Net\\sxtensionsx.exe\"" | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Extensionsx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensionsx.exe\"" | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1588 set thread context of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe |
| PID 1688 set thread context of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
"C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe"
C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hamzzagolozar.loseyourip.com | udp |
| NL | 212.193.30.230:14981 | hamzzagolozar.loseyourip.com | tcp |
| US | 8.8.8.8:53 | bitratluckshinjisix130.freeddns.org | udp |
| NL | 212.193.30.230:7011 | bitratluckshinjisix130.freeddns.org | tcp |
Files
memory/1588-54-0x00000000011C0000-0x0000000001432000-memory.dmp
memory/1588-55-0x0000000004C20000-0x0000000004EAE000-memory.dmp
memory/1588-56-0x00000000052D0000-0x00000000054C6000-memory.dmp
memory/1588-57-0x0000000075BE1000-0x0000000075BE3000-memory.dmp
memory/584-58-0x0000000000000000-mapping.dmp
memory/584-60-0x000000006F900000-0x000000006FEAB000-memory.dmp
memory/584-61-0x000000006F900000-0x000000006FEAB000-memory.dmp
memory/584-62-0x000000006F900000-0x000000006FEAB000-memory.dmp
memory/1688-64-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
| MD5 | c067642ee75a78d31964d7951c0673ee |
| SHA1 | 6eda0e0896e1517e10dd8a4e4202704860b0514a |
| SHA256 | 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad |
| SHA512 | 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0 |
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
| MD5 | c067642ee75a78d31964d7951c0673ee |
| SHA1 | 6eda0e0896e1517e10dd8a4e4202704860b0514a |
| SHA256 | 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad |
| SHA512 | 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0 |
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
| MD5 | c067642ee75a78d31964d7951c0673ee |
| SHA1 | 6eda0e0896e1517e10dd8a4e4202704860b0514a |
| SHA256 | 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad |
| SHA512 | 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0 |
memory/1688-67-0x0000000000970000-0x0000000000B64000-memory.dmp
memory/1688-68-0x0000000004C30000-0x0000000004E40000-memory.dmp
memory/876-69-0x0000000000400000-0x0000000000438000-memory.dmp
memory/876-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/876-73-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1688-72-0x0000000005120000-0x0000000005296000-memory.dmp
memory/876-74-0x0000000000400000-0x0000000000438000-memory.dmp
memory/876-76-0x0000000000400000-0x0000000000438000-memory.dmp
memory/876-77-0x000000000041E792-mapping.dmp
memory/876-79-0x0000000000400000-0x0000000000438000-memory.dmp
memory/876-82-0x0000000000400000-0x0000000000438000-memory.dmp
memory/900-83-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | b3645b074e484ec0f4238ceaefe09c13 |
| SHA1 | 446e7154df5cd640e7f9e7e80503b8b725496cfe |
| SHA256 | 810cbacbba0659e4356856f34e363631aa009f9913d989b3add4b9a3f8e01c4f |
| SHA512 | 8bc4c183d8d84797cc6125db28175e48e126c4cca81b8e603be5b0ea7c98b24a59cf307c570cd9c3160acc1d56cdf1f749f7af3ceceabf404a3b16b1a57de8fc |
memory/876-87-0x00000000003A0000-0x00000000003AA000-memory.dmp
memory/876-88-0x0000000000440000-0x000000000045E000-memory.dmp
memory/876-89-0x00000000003B0000-0x00000000003BA000-memory.dmp
memory/900-90-0x000000006E660000-0x000000006EC0B000-memory.dmp
memory/876-91-0x0000000000480000-0x0000000000492000-memory.dmp
memory/876-92-0x0000000000630000-0x000000000064A000-memory.dmp
memory/876-93-0x0000000000760000-0x000000000076E000-memory.dmp
memory/876-94-0x0000000000880000-0x0000000000892000-memory.dmp
memory/876-95-0x0000000000890000-0x000000000089E000-memory.dmp
memory/876-96-0x0000000000A40000-0x0000000000A4C000-memory.dmp
memory/876-97-0x0000000000A50000-0x0000000000A64000-memory.dmp
memory/876-98-0x0000000000C30000-0x0000000000C40000-memory.dmp
memory/876-99-0x0000000000D80000-0x0000000000D94000-memory.dmp
memory/876-100-0x0000000001180000-0x000000000118E000-memory.dmp
memory/876-101-0x0000000004840000-0x000000000486E000-memory.dmp
memory/876-102-0x00000000011A0000-0x00000000011B4000-memory.dmp
memory/900-103-0x000000006E660000-0x000000006EC0B000-memory.dmp
memory/900-104-0x000000006E660000-0x000000006EC0B000-memory.dmp
\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
| MD5 | c067642ee75a78d31964d7951c0673ee |
| SHA1 | 6eda0e0896e1517e10dd8a4e4202704860b0514a |
| SHA256 | 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad |
| SHA512 | 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0 |
memory/2032-106-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/2032-107-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/2032-109-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/2032-110-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/2032-111-0x00000000007E2760-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
| MD5 | c067642ee75a78d31964d7951c0673ee |
| SHA1 | 6eda0e0896e1517e10dd8a4e4202704860b0514a |
| SHA256 | 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad |
| SHA512 | 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0 |
memory/2032-113-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/2032-114-0x0000000000100000-0x000000000010A000-memory.dmp
memory/2032-115-0x0000000000100000-0x000000000010A000-memory.dmp
memory/2032-116-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/2032-117-0x0000000000100000-0x000000000010A000-memory.dmp
memory/2032-118-0x0000000000100000-0x000000000010A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-16 11:43
Reported
2023-02-16 11:45
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
BitRAT
NanoCore
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxtensionsx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Net\\sxtensionsx.exe\"" | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Extensionsx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensionsx.exe\"" | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1476 set thread context of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe |
| PID 4800 set thread context of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
"C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe"
C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"
C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe
"C:\Users\Admin\AppData\Local\Temp\Portail commercial.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hamzzagolozar.loseyourip.com | udp |
| NL | 212.193.30.230:14981 | hamzzagolozar.loseyourip.com | tcp |
| US | 20.189.173.10:443 | tcp | |
| US | 8.8.8.8:53 | bitratluckshinjisix130.freeddns.org | udp |
| NL | 212.193.30.230:7011 | bitratluckshinjisix130.freeddns.org | tcp |
| NL | 8.253.208.113:80 | tcp | |
| NL | 8.253.208.113:80 | tcp | |
| US | 209.197.3.8:80 | tcp |
Files
memory/1476-132-0x0000000000FF0000-0x0000000001262000-memory.dmp
memory/1476-133-0x0000000007440000-0x0000000007462000-memory.dmp
memory/2992-134-0x0000000000000000-mapping.dmp
memory/2992-135-0x0000000002DF0000-0x0000000002E26000-memory.dmp
memory/2992-136-0x0000000005AE0000-0x0000000006108000-memory.dmp
memory/2992-137-0x00000000059E0000-0x0000000005A46000-memory.dmp
memory/2992-138-0x0000000006110000-0x0000000006176000-memory.dmp
memory/2992-139-0x0000000006710000-0x000000000672E000-memory.dmp
memory/2992-140-0x0000000007D90000-0x000000000840A000-memory.dmp
memory/2992-141-0x0000000006C00000-0x0000000006C1A000-memory.dmp
memory/4800-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
| MD5 | c067642ee75a78d31964d7951c0673ee |
| SHA1 | 6eda0e0896e1517e10dd8a4e4202704860b0514a |
| SHA256 | 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad |
| SHA512 | 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0 |
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
| MD5 | c067642ee75a78d31964d7951c0673ee |
| SHA1 | 6eda0e0896e1517e10dd8a4e4202704860b0514a |
| SHA256 | 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad |
| SHA512 | 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0 |
memory/2908-145-0x0000000000000000-mapping.dmp
memory/4800-146-0x0000000000F20000-0x0000000001114000-memory.dmp
memory/1104-147-0x0000000000000000-mapping.dmp
memory/1104-148-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1104-149-0x0000000005E30000-0x00000000063D4000-memory.dmp
memory/1104-150-0x0000000003180000-0x0000000003212000-memory.dmp
memory/1104-151-0x0000000005880000-0x000000000591C000-memory.dmp
memory/2592-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 6195a91754effb4df74dbc72cdf4f7a6 |
| SHA1 | aba262f5726c6d77659fe0d3195e36a85046b427 |
| SHA256 | 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5 |
| SHA512 | ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89 |
memory/1104-153-0x0000000003230000-0x000000000323A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 29e5a11a403b7d04fbc31a248bab201a |
| SHA1 | e900f4b99e516c966b2a89fdb18aad60bbbddf8a |
| SHA256 | 371000c1140caf2edd3de7d1c8226e221e5459926d87eb0500e06da2c8796b44 |
| SHA512 | 05463952bebc2efec11355cc81f3e9f31aa624de147a1697d291895a51dd032c7215d7d820ea236adbd1fc10a9b9f36d94ef53f76513878cd555f74154c4e344 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
memory/2208-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
| MD5 | c067642ee75a78d31964d7951c0673ee |
| SHA1 | 6eda0e0896e1517e10dd8a4e4202704860b0514a |
| SHA256 | 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad |
| SHA512 | 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0 |
memory/5100-159-0x0000000000000000-mapping.dmp
memory/5100-160-0x0000000000400000-0x00000000007E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ldfyngljpaccess.exe
| MD5 | c067642ee75a78d31964d7951c0673ee |
| SHA1 | 6eda0e0896e1517e10dd8a4e4202704860b0514a |
| SHA256 | 4824cf3c52d037cccdaf9d7422b393a7e0a769b27b92c899484048cef7876bad |
| SHA512 | 3ae2af350df6806ed7127fe2ff843c08429d4a38755899425e49e1019beab0af765766a668884673819768a21a5b01caa0498f4875997a6d08b47048038cbcc0 |
memory/5100-163-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/5100-162-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/5100-165-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/5100-164-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/5100-166-0x0000000074F20000-0x0000000074F59000-memory.dmp
memory/5100-167-0x00000000713C0000-0x00000000713F9000-memory.dmp
memory/5100-168-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/5100-169-0x0000000074F20000-0x0000000074F59000-memory.dmp