Malware Analysis Report

2025-01-03 05:01

Sample ID 240104-wywzvahbb5
Target 41965fc5d071ce4b42bba9b7c486f784
SHA256 e386c831df697e516fedcab1ad8a879ae057a5f4f321a873dcd31e9c6760009e
Tags
bitrat zgrat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e386c831df697e516fedcab1ad8a879ae057a5f4f321a873dcd31e9c6760009e

Threat Level: Known bad

The file 41965fc5d071ce4b42bba9b7c486f784 was found to be: Known bad.

Malicious Activity Summary

bitrat zgrat rat trojan

ZGRat

Detect ZGRat V1

BitRAT

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-04 18:20

Signatures

Unsigned PE

Description Indicator Process Target
(signature matched; no indicator, process or target details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-04 18:20

Reported

2024-01-04 18:23

Platform

win7-20231215-en

Max time kernel

169s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe"

Signatures

BitRAT

trojan bitrat

Detect ZGRat V1

Description Indicator Process Target
(34 matches; no indicator, process or target details recorded for any of them)

ZGRat

rat zgrat

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A 4

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2732 set thread context of 2276 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2368 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif 4
PID 2368 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe 4
PID 2732 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif C:\Windows\SysWOW64\WScript.exe 4
PID 1948 wrote to memory of 1816 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 2732 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif C:\Users\Admin\AppData\Local\Temp\RegAsm.exe 15

Processes

C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe

"C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Nakikvvyglg.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
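The WriteProcessMemory and SetThreadContext rows above, read together with the Processes list, are enough to reconstruct the injection chain without re-detonating the sample. The script below is an added example (not sandbox tooling and not part of this report): it rebuilds parent/child edges from the rows, flags the System.pif to RegAsm.exe pair as process hollowing (memory written and a thread context set in a child whose image is a .NET framework utility copied into %TEMP%), and parses the Set-MpPreference command line to show that the first exclusion covers the whole C: drive. The pairing of command lines with PIDs and the list of .NET host binaries are assumptions; the report prints PIDs only in the signature rows.

```python
"""Rebuild the behavioral1 injection chain from the report's signature rows and
flag process hollowing plus Defender exclusion tampering. Added example."""
import re
from collections import Counter, defaultdict

DROP = r"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Transcribed from "Suspicious use of WriteProcessMemory" (behavioral1):
# (parent pid, child pid, parent image, child image, number of identical rows).
WRITE_EVENTS = [
    (2368, 2732, TEMP + r"\41965fc5d071ce4b42bba9b7c486f784.exe", DROP + r"\System.pif", 4),
    (2368, 1544, TEMP + r"\41965fc5d071ce4b42bba9b7c486f784.exe", DROP + r"\BF1PureCracker0.exe", 4),
    (2732, 1948, DROP + r"\System.pif", r"C:\Windows\SysWOW64\WScript.exe", 4),
    (1948, 1816, r"C:\Windows\SysWOW64\WScript.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 4),
    (2732, 2276, DROP + r"\System.pif", TEMP + r"\RegAsm.exe", 15),
]
# Transcribed from "Suspicious use of SetThreadContext": (parent pid, child pid).
SETCONTEXT_EVENTS = [(2732, 2276)]

# Command lines from the Processes section. The report prints no PIDs there;
# pairing each line with the PID whose image matches is an assumption.
COMMAND_LINES = {
    1948: r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Nakikvvyglg.vbs"',
    1816: r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath '
          r"C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'",
}

# .NET utilities that ship under C:\Windows\Microsoft.NET\ and are common
# hollowing hosts (assumed list). A copy under a user profile is not an install.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}


def build_tree(events):
    """children[parent] -> [child pids], image[pid] -> path, writes[(p, c)] -> rows."""
    children, image, writes = defaultdict(list), {}, Counter()
    for parent, child, parent_img, child_img, n in events:
        image.setdefault(parent, parent_img)
        image.setdefault(child, child_img)
        if child not in children[parent]:
            children[parent].append(child)
        writes[(parent, child)] += n
    return children, image, writes


def lineage(children, pid):
    """Root-to-pid chain, e.g. dropper -> System.pif -> WScript -> powershell."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[0] in parent_of:
        chain.insert(0, parent_of[chain[0]])
    return chain


def find_hollowing(events, setcontext, image):
    """(parent, child, image) where the parent both wrote the child's memory and set
    a thread context in it, and the child is a .NET host running from a user dir."""
    wrote = {(p, c) for p, c, *_ in events}
    hits = []
    for parent, child in setcontext:
        img = image.get(child, "")
        name = img.rsplit("\\", 1)[-1].lower()
        if (parent, child) in wrote and name in DOTNET_HOSTS and img.lower().startswith("c:\\users\\"):
            hits.append((parent, child, img))
    return hits


def defender_exclusions(cmdline):
    """Paths handed to Set-MpPreference -ExclusionPath (quoted or bare, comma separated)."""
    m = re.search(r"Set-MpPreference\s+-ExclusionPath\s+(.+)", cmdline, re.IGNORECASE)
    if not m:
        return []
    found = re.findall(r"'([^']*)'|\"([^\"]*)\"|([^,\s]+)", m.group(1))
    return [next((s for s in groups if s), "") for groups in found if any(groups)]


def whole_drive_exclusions(paths):
    """Exclusions that switch scanning off for an entire volume, such as C:\\ here."""
    return [p for p in paths if re.fullmatch(r"[A-Za-z]:\\?", p)]


def triage():
    children, image, writes = build_tree(WRITE_EVENTS)
    excl = {pid: defender_exclusions(cl) for pid, cl in COMMAND_LINES.items()}
    excl = {pid: e for pid, e in excl.items() if e}
    return {
        "hollowing": find_hollowing(WRITE_EVENTS, SETCONTEXT_EVENTS, image),
        "powershell_lineage": lineage(children, 1816),
        "exclusions": excl,
        "whole_drive": {pid: whole_drive_exclusions(e) for pid, e in excl.items()},
        "writes": dict(writes),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Two details worth carrying into a detection rule. The WScript and PowerShell command lines name System32 while the recorded image paths are under SysWOW64: the 32-bit System.pif launched them, so WOW64 file-system redirection mapped System32 to SysWOW64, and a rule keyed on the System32 path alone misses this chain. The second exclusion names nvcontainer.exe under the Start Menu NVIDIA folder, but no write to that path appears in the Files section, so treat it as an intended persistence location rather than an observed one.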

Network

Country Destination Domain Proto
US 8.8.8.8:53 firewall.publicvm.com udp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp

Files

\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

MD5 34807e27e2772be32b3cca23495aedc2
SHA1 549a963b15808ca697ee578a975baec7ddd8c524
SHA256 8bcaf77aea4c579780773ef789db6f4ec703f9b66ceddaf12bffb74e044022e8
SHA512 6622d7e420ade554f4768154d795a866fc79f564576e9154e8cce3e8084a4d617dc75cb9b9ae6c7593a9fa92c0b58aac46e56d6652b4343d68e10c8b0482bfb3

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

MD5 62bb6c387e0ac09f6499abc72a8436a5
SHA1 86e01467113a2d745fccfaed3cf420f032b48cd6
SHA256 788bc3d291971d53f05dcc60792aa8ba57fbaa8b7f13b2b52528cf305f28af52
SHA512 8591f1effcd0ecd913fc892d9eb2b4305c19d9a3998d54b8a403f7ddc25520d1d53f9751d2669a425e33cc0cba5689b09a76adb7ec69a6b6c84c4bfd3a835417

\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

MD5 be6cd2e92a9c8b06752bb131f020890f
SHA1 6b678e0f873a30bf46215f971f472ba2f5bb8f28
SHA256 112d16bd2c8cd5bd937ab608bd239b83c6c7822e3f1f61ecfb332d3150601ec4
SHA512 9bd49f9cdfb0ba69c87c4f814103e487f53be93ba013c40a82e5676fda587dfa1cf62b2076fd9297818e4b1e6e2991b2c22ae06e6e4e915d309edea9bbe6d720

\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

MD5 eeb48cb7a10641d9d9d744b15bf3adf8
SHA1 6f5754ba9a786b400cd7c40ec8384fb2de72ce9d
SHA256 0d79df0cddb7d24aa18e5b4ec3fe8cec70e0e45b14b7eca85c8d07738ce1fe73
SHA512 0c69d31bb1cc2af6cff28399b8085ecf52c2112063f479b563e2d3e0f89f054fb3084ef44928ebde2647b84b91a8061ac3b0ae8669f7c5fb3b0db181c33ca715

\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

MD5 af9fb2f0dc26092eaa1f1e129786b082
SHA1 7e8c6fd7e44f3332406533da22431aea397f331f
SHA256 2cd28d2f85702ee3b813a91590556ab4fcd67f86d16271d6c3d065aafddec30f
SHA512 c9aa4a7a35699a8c196028f0d8cd064daaea7d08ff7f9333fa12fe333b1e1cedbb691c17c6294babc6d00d422bbf35df043c16aaf8164d726a56c9631010e419

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

MD5 d1c3ccd35b91c88221dacaf2df2463af
SHA1 7bee8b1a95aad5117edef7f17ba6a8c4ceab2527
SHA256 dd2f579cf95e2676523efa017e8dc365fa4b5196e408796163d4fc08009426f1
SHA512 a35a0b064016c1e7764c8e789518c0422cf3a0038f269df43195169d13760dc0417e7208d7cac5b98d2f6763da655c07939777e7dd005bf7936313709098398d

\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 19e71eea8c9f80af54b82693902fe801
SHA1 6a8940596e96dfc47618713feec2d061ccd76264
SHA256 948be482d66cf8cbf326c6103098a9d6b120222577c4f207d63bccbcda3f9205
SHA512 06fb1403be185aa523a4f4acd758d1871074fa9d7e53fb13e16ff038b138e8541540e689efcf936a6369382f850bfabc398c50ebdbc95d0638669b1567f9388f

\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 d3231d3a03fa7633e1e875529e31bcc7
SHA1 4f04645533e6bfa9104b3583c5b7b24a256b1d45
SHA256 af223e24bf154b92777073ecf0d735dbc348dc1654bbe6ec6ff4943944b84ab5
SHA512 cf94db8ef529415957e5f9f2a67104f4465dd767f3652ac1bbb94472493c53762de0821e819f24d18a4f273d2837f34a3def29a3db1cdf3f7de1cc30e44582f6

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

MD5 897e81d74f49a79b49db5ec4c0258f78
SHA1 53889d25040b1793ba3b7cc50a8cd5979f6c8b27
SHA256 afb54cbd186f57d6db76edb0e4d1ac80b1f878986645c0e1ebc9b0c6cd372c44
SHA512 108c3dc6dedc64eddf85b629d19014415f67e6645243f69b77e0538276862ad7277a55d69594adf7df5b0ddedd101a8f05b97464cb6eef29c3844591626df4f8

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 4a4a0b2f651ac53e57a3e526a1e5b85c
SHA1 b2e6e8d03514d6556789cfad8ea578ff310cb7d0
SHA256 27d8452541ef131e6dd87cfe7e8befe1703db4f3b6c655d61c751a1c118144ed
SHA512 038bc14e09eb3cf4a0c2bc7042898837ca59bf7590a245dc222e6dfd0bd3530e0a395e9e0073fcaa6852dfac9a540d638016dd31456da2d10a700c02f9a75021

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 1dbed07932a92fe69594072cef433423
SHA1 0c5a7b72be30165e5282c9b23f2c39ce6c565200
SHA256 dce38eae8e6a921e1831c18a1907fa1969230c35ccedfa73c4aac162872fd928
SHA512 a7c19b373efdccab6c454a82f4f418e93ed6c0421cc1679b61e583451b9d7688fded2efc1133b62d88f8215fc43abec53a4c7b1b9b1aeceb064524d2426524a9

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 4f79e3432971d12ecdb7505fedbf687d
SHA1 a17abfc16d91abee714d77cc8b37fb236d2e5b4d
SHA256 d623666826aac49a94b3bde97dffbc5c015661a8ac5059bd379bfd37fe0326f8
SHA512 ba36bbc8fe8b012aab9343c390439f2911b0140ed9bbcf7ca7c0b221da874e7aab0775651288cbc6aaeb8eb95e11d8bab7377faaeb8682bcb8a6de6456b0e550

memory/2732-38-0x0000000073B90000-0x000000007427E000-memory.dmp

memory/1544-39-0x000000013F500000-0x000000013F566000-memory.dmp

memory/2732-37-0x0000000000180000-0x000000000046C000-memory.dmp

memory/1544-41-0x0000000000160000-0x0000000000178000-memory.dmp

memory/1544-40-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

memory/1544-42-0x000000001BB50000-0x000000001BBD0000-memory.dmp

memory/2732-43-0x0000000004650000-0x0000000004690000-memory.dmp

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Direct2D1.dll

MD5 19f8591a6baa83af46de41f20224b6f1
SHA1 c736799e1936cec37acbf66fdf1df96f4679562f
SHA256 a94e2f3c206351503f6c4002585af270880854b4b97b730ea51764ef23b5ba79
SHA512 db4798af16452ce7c0e47f59692e1643d2639b0744075b78bb9dc33dbf7de78392bb21f28529b091d54ed0a2185add12f38c256bcb3ba97d34a050e29a19617e

memory/1544-46-0x0000000000180000-0x000000000018A000-memory.dmp

memory/1544-48-0x000000001AB80000-0x000000001ABC8000-memory.dmp

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.dll

MD5 6fabeaa1c8ea15e787f2e3b487ab434d
SHA1 c2091f69192903676ed6b181bbf8346b819c43a2
SHA256 28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909
SHA512 076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739

memory/1544-45-0x0000000002100000-0x000000000217C000-memory.dmp

memory/1544-50-0x000000001AAC0000-0x000000001AAFC000-memory.dmp

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Mathematics.dll

MD5 d30f6fb490a820dcdd9c7da971036393
SHA1 177b1b912fb09efacce8bae24fca35ea514f131b
SHA256 be2fe214f8a1515824b523ac85f25c8856370d4ffd90cd22dd78c079f5ea803b
SHA512 332508c32d6c5baf16da59c619fb4b55dfdfccea667582d02ccf72e88d0ddc0acaa2df97adba038bbada9d839145a6cd76c4a7ced5346256d868b3bd548d82e2

memory/2732-51-0x0000000073B90000-0x000000007427E000-memory.dmp

memory/1544-52-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

memory/1544-53-0x000000001BB50000-0x000000001BBD0000-memory.dmp

memory/2732-55-0x0000000004650000-0x0000000004690000-memory.dmp

memory/2732-54-0x0000000004650000-0x0000000004690000-memory.dmp

memory/2732-56-0x0000000005E30000-0x000000000603A000-memory.dmp

memory/2732-57-0x0000000002000000-0x000000000206C000-memory.dmp

memory/2732-N-0x0000000002000000-0x0000000002066000-memory.dmp (33 dumps of the same region; N = 58, 59 and every odd value from 61 to 121)

C:\Users\Admin\AppData\Local\Temp\_Nakikvvyglg.vbs

MD5 0d6555dc02c45b1e49ac39075c65cebe
SHA1 2fb0e4464b16db957a06353e14345e0f5a5ba4be
SHA256 368760bf74c0fc525b30d96118bef07fe2cdd1a20373e04151be5a95e6afbe8f
SHA512 775cf89738b1ad02a1aefad53a632e576f9037c3da7adab83c63474716ad4352fc100f85c6045fe725ed04eb003a3afc52b4f809f30e6efe6c31bd59a1b77cd9

\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 6bb2db270a32b1a9ce30bdda9f7dc8a6
SHA1 b013fb715436b117588c6515826f6ced5829d4d4
SHA256 304e5bc6a31e8db2c4e82c94e08c351dcdf19d02a4b0c275204a884527dae56f
SHA512 84cf07e22f0fcf6d8c179d15d6e8b3105999a25c1fa3d50963879e89b17e7743611b95c19435cc113a38a8e1991229ed5df0bd98fe306a09c3d4205dfac082dd

memory/2732-2016-0x0000000073B90000-0x000000007427E000-memory.dmp

memory/1816-2018-0x000000006F640000-0x000000006FBEB000-memory.dmp

memory/1816-2021-0x0000000002140000-0x0000000002180000-memory.dmp

memory/1816-2020-0x0000000002140000-0x0000000002180000-memory.dmp

memory/1816-2019-0x000000006F640000-0x000000006FBEB000-memory.dmp

memory/1816-2023-0x0000000002140000-0x0000000002180000-memory.dmp

memory/2276-2022-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1816-2024-0x000000006F640000-0x000000006FBEB000-memory.dmp

memory/2276-2033-0x0000000000400000-0x00000000007CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-04 18:20

Reported

2024-01-04 18:23

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
(34 matches; no indicator, process or target details recorded for any of them)

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A 4

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4120 set thread context of 4848 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 4480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif 3
PID 4480 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe 2
PID 4120 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif C:\Windows\SysWOW64\WScript.exe 3
PID 4120 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif C:\Users\Admin\AppData\Local\Temp\RegAsm.exe 11
PID 1876 wrote to memory of 1804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe

"C:\Users\Admin\AppData\Local\Temp\41965fc5d071ce4b42bba9b7c486f784.exe"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Nakikvvyglg.vbs"

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 firewall.publicvm.com udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 201.135.221.88.in-addr.arpa udp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 firewall.publicvm.com udp
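The two network tables (behavioral1 above under the win7 run, and this one) show the same channel under very different amounts of noise: the Windows 10 image adds reverse lookups of Microsoft ranges and Bing endpoints that the sample never asked for. The script below is an added example, not sandbox vendor tooling: it parses the rows as printed, drops the image's own traffic, keeps the repeated TCP connections to a non-web port on a dynamic-DNS hostname as the C2 candidate, and emits a Suricata drop rule for it. The background suffix list and the dynamic-DNS parent list are assumptions, and the behavioral2 rows are a representative subset of the table. Note that these tables do not say which process opened each socket.

```python
"""Separate the C2 channel from sandbox background traffic in both runs'
network tables and turn it into a blocking rule. Added example."""
import re
from collections import Counter

# Rows transcribed from the report's "Country Destination Domain Proto" tables.
# behavioral1 is complete; behavioral2 is a representative subset of its rows.
BEHAVIORAL1_ROWS = """
US 8.8.8.8:53 firewall.publicvm.com udp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
"""
BEHAVIORAL2_ROWS = """
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 firewall.publicvm.com udp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
US 8.8.8.8:53 firewall.publicvm.com udp
"""

# Assumption: names the Windows 10 image resolves on its own (reverse lookups,
# Bing endpoints); none of them appears in the win7 run.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
# Assumption: free dynamic-DNS parents commonly used for RAT C2 hostnames.
DYNDNS_PARENTS = ("publicvm.com", "duckdns.org", "no-ip.org", "ddns.net")

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
                 r"(?P<domain>\S+) (?P<proto>tcp|udp)$")


def parse_rows(text):
    """One dict per row; a malformed row raises rather than silently vanishing."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed network row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def classify(row):
    domain = row["domain"].lower()
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns"            # the lookup that precedes the C2 connect
    if row["proto"] == "tcp" and row["port"] not in (80, 443):
        return "c2-candidate"   # non-web port, outside the image's own traffic
    return "other"


def is_dyndns(domain):
    domain = domain.lower()
    return any(domain == p or domain.endswith("." + p) for p in DYNDNS_PARENTS)


def triage(*row_sets):
    """Per-class counts and C2 candidates keyed (domain, ip, port) across all runs."""
    classes, candidates = Counter(), Counter()
    for rows in row_sets:
        for row in rows:
            kind = classify(row)
            classes[kind] += 1
            if kind == "c2-candidate":
                candidates[(row["domain"].lower(), row["ip"], row["port"])] += 1
    return classes, candidates


def suricata_rule(domain, ip, port, sid):
    """Drop rule for the C2 socket; the message notes when the host is dynamic DNS."""
    tag = " dyndns" if is_dyndns(domain) else ""
    return (f"drop tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"BitRAT C2 {domain}{tag}"; flow:to_server; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    classes, candidates = triage(parse_rows(BEHAVIORAL1_ROWS), parse_rows(BEHAVIORAL2_ROWS))
    print(dict(classes))
    for (domain, ip, port), n in candidates.items():
        print(f"{n} connections: {domain} {ip}:{port}")
        print(suricata_rule(domain, ip, port, sid=1000001))
```

Because firewall.publicvm.com is a dynamic-DNS name, the 139.99.66.103 address in the rule is only as durable as the operator's current record; block or sinkhole the hostname as well and keep the IP rule for hosts that resolve it elsewhere.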

Files

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

MD5 74ff1365744d94e18eac9294de845798
SHA1 1839dee90d909dda325e14b5d9eb85cb4e8f537f
SHA256 6e0ab157f3969069ce7425f0f192077b6ebd354bbdfc5bfc3aabb18bd35aa7ac
SHA512 52507fb4c49c442328efed9c5bcc7780a802de22b06d2766ef9fc10c9abf0e8ba0db779062305ff548f477c8b419521320c41206aae717642ece5dc568e5bdd2

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 c2a78b5610d2abd529688c420bde478e
SHA1 7a6b9c6f66f7df7540ecfd633f9735c4828f9b3a
SHA256 36c76fcef546a898a0c6f4d811b9106574ac5e82f5354569871be9679091871c
SHA512 b000464af649879dc724a9d805601ba9f627e03f28a65bc2a13a946f840d70bd8e6835511701657c795b96fd4521c7f23826b168a0bf2429e9d36bb596797aa2

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\System.pif

MD5 16f856d08fc8d9b8b356eb77b028ad1b
SHA1 12d15256b94b037094d4ffac6ef0b9651ded7de3
SHA256 c182c1abe045779bfbebcfa7640cec521fe9dd1a29fe562bcaf613f48060f470
SHA512 f81fcf04b47d70c8a6bd33ed7a481d178adbbd3f043d4b0e768dc4a410f4268d69be89f0660e9608c28570d951e25a5da8dea0973d125ae44814349e0e94ac80

memory/608-30-0x00000245B44C0000-0x00000245B4526000-memory.dmp

memory/608-31-0x00000245B48D0000-0x00000245B48E8000-memory.dmp

memory/4120-32-0x0000000000F60000-0x000000000124C000-memory.dmp

memory/608-33-0x00007FFE35C60000-0x00007FFE36721000-memory.dmp

memory/608-35-0x00000245B6390000-0x00000245B640C000-memory.dmp

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Direct2D1.dll

MD5 1204ab09202811083417dcc5728ace36
SHA1 4ac4ca5e6c330cb17fbf8d1bd34b46ebe7ac86f7
SHA256 46a751d7c3e087fbea754749bc437dcaa5536a0b233f2fcf28a89b70140adfd5
SHA512 d9fc5b6691f86bdc0bc77caec6a7fe7a2f44f9690bf05948d4e22bdee0823acc70c6e051220af99f0b2c9a02eefcd9551aee5c64b5408d156c5e0afb60cbfd75

memory/608-36-0x00000245B4900000-0x00000245B490A000-memory.dmp

memory/608-38-0x00000245B62C0000-0x00000245B6308000-memory.dmp

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.dll

MD5 6fabeaa1c8ea15e787f2e3b487ab434d
SHA1 c2091f69192903676ed6b181bbf8346b819c43a2
SHA256 28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909
SHA512 076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739

memory/4120-41-0x0000000006340000-0x00000000068E4000-memory.dmp

memory/608-42-0x00000245B62B0000-0x00000245B62C0000-memory.dmp

memory/608-43-0x00000245B6240000-0x00000245B627C000-memory.dmp

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Mathematics.dll

MD5 d30f6fb490a820dcdd9c7da971036393
SHA1 177b1b912fb09efacce8bae24fca35ea514f131b
SHA256 be2fe214f8a1515824b523ac85f25c8856370d4ffd90cd22dd78c079f5ea803b
SHA512 332508c32d6c5baf16da59c619fb4b55dfdfccea667582d02ccf72e88d0ddc0acaa2df97adba038bbada9d839145a6cd76c4a7ced5346256d868b3bd548d82e2

memory/4120-40-0x0000000072BC0000-0x0000000073370000-memory.dmp

memory/4120-44-0x0000000005C60000-0x0000000005CF2000-memory.dmp

memory/4120-45-0x0000000005F30000-0x0000000005F40000-memory.dmp

memory/4120-46-0x0000000005C40000-0x0000000005C4A000-memory.dmp

memory/4120-47-0x0000000072BC0000-0x0000000073370000-memory.dmp

memory/608-48-0x00007FFE35C60000-0x00007FFE36721000-memory.dmp

memory/608-49-0x00000245B62B0000-0x00000245B62C0000-memory.dmp

memory/4120-50-0x0000000005F30000-0x0000000005F40000-memory.dmp

memory/4120-51-0x0000000005F30000-0x0000000005F40000-memory.dmp

memory/4120-52-0x0000000007370000-0x000000000757A000-memory.dmp

memory/4120-53-0x0000000008070000-0x00000000080DC000-memory.dmp

memory/4120-54-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-55-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-57-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-59-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-61-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-65-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-63-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-69-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-71-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-73-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-67-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-81-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-79-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-85-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-93-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-97-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-103-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-101-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-115-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-117-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-113-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-111-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-109-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-107-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-105-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-99-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-95-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-91-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-89-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-87-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-83-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-77-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4120-75-0x0000000008070000-0x00000000080D6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe

MD5 9fd1f52d41b0b6b9f4441b215f4e86c3
SHA1 54110e365dfca0db91c49013504a728abf202666
SHA256 75ea1039db1ca61e21610977cb3570684ee256b43b0416ad6b2ce1d947201219
SHA512 bedb8ba5cdf40e845af81ff57db126c62c14deeb514cc80db09c56c206a2cf1783f2913483068bf90497400af274b154cb564535e23e6cdbc59837b7158ac970

C:\Users\Admin\AppData\Local\Temp\_Nakikvvyglg.vbs

MD5 0d6555dc02c45b1e49ac39075c65cebe
SHA1 2fb0e4464b16db957a06353e14345e0f5a5ba4be
SHA256 368760bf74c0fc525b30d96118bef07fe2cdd1a20373e04151be5a95e6afbe8f
SHA512 775cf89738b1ad02a1aefad53a632e576f9037c3da7adab83c63474716ad4352fc100f85c6045fe725ed04eb003a3afc52b4f809f30e6efe6c31bd59a1b77cd9

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/4120-1995-0x0000000072BC0000-0x0000000073370000-memory.dmp

memory/1804-1998-0x0000000002410000-0x0000000002446000-memory.dmp

memory/1804-2000-0x00000000025A0000-0x00000000025B0000-memory.dmp

memory/1804-1999-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/1804-2001-0x00000000025A0000-0x00000000025B0000-memory.dmp

memory/1804-2002-0x0000000004F60000-0x0000000005588000-memory.dmp

memory/4848-2004-0x00000000717B0000-0x00000000717E9000-memory.dmp

memory/1804-2005-0x0000000004D80000-0x0000000004DA2000-memory.dmp

memory/1804-2006-0x0000000004EE0000-0x0000000004F46000-memory.dmp

memory/1804-2007-0x0000000005700000-0x0000000005766000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgspl442.4ys.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1804-2017-0x0000000005870000-0x0000000005BC4000-memory.dmp

memory/1804-2018-0x0000000005D30000-0x0000000005D4E000-memory.dmp

memory/1804-2019-0x0000000005D70000-0x0000000005DBC000-memory.dmp

memory/4848-2027-0x0000000070130000-0x0000000070169000-memory.dmp

memory/1804-2028-0x00000000025A0000-0x00000000025B0000-memory.dmp

memory/1804-2029-0x0000000006EF0000-0x0000000006F22000-memory.dmp

memory/1804-2030-0x0000000070450000-0x000000007049C000-memory.dmp

memory/1804-2040-0x00000000062F0000-0x000000000630E000-memory.dmp

memory/1804-2041-0x0000000006F30000-0x0000000006FD3000-memory.dmp

memory/1804-2042-0x0000000007690000-0x0000000007D0A000-memory.dmp

memory/1804-2043-0x0000000007040000-0x000000000705A000-memory.dmp

memory/1804-2044-0x00000000070B0000-0x00000000070BA000-memory.dmp

memory/1804-2045-0x00000000072C0000-0x0000000007356000-memory.dmp

memory/1804-2046-0x0000000007240000-0x0000000007251000-memory.dmp

memory/1804-2047-0x00000000072A0000-0x00000000072AE000-memory.dmp

memory/1804-2048-0x0000000007360000-0x0000000007374000-memory.dmp

memory/1804-2049-0x00000000073A0000-0x00000000073BA000-memory.dmp

memory/1804-2050-0x0000000007380000-0x0000000007388000-memory.dmp

memory/1804-2053-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/4848-2056-0x0000000075330000-0x0000000075369000-memory.dmp

memory/4848-2059-0x0000000075330000-0x0000000075369000-memory.dmp
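The listing above is the part of the report a responder actually reuses: the dropped-file paths and digests become hunt IOCs, and the memory artefact names tell you which process regions the sandbox captured and how often. The following Python is an added example, not part of the sandbox report or its tooling. It parses the plain-text layout used above (a path line followed by MD5/SHA1/SHA256/SHA512 lines) into a digest index, checks digest lengths so a truncated copy-paste hash is rejected instead of silently never matching, and decodes the dump names assuming the convention `memory/<pid>-<seq>-<start>-<end>-memory.dmp` (that decoding is an assumption about the naming scheme). The sample text is a constructed excerpt of entries copied from the listing above.

```python
"""Turn the dropped-file and memory-dump listing above into machine-usable IOCs.

Added example, not part of the sandbox report. Assumes the plain-text layout used
above (a path line, then MD5/SHA1/SHA256/SHA512 lines) and that dumps are named
memory/<pid>-<seq>-<start>-<end>-memory.dmp; that decoding is an assumption."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed excerpt: a handful of entries copied from the listing above.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe

MD5 9fd1f52d41b0b6b9f4441b215f4e86c3
SHA1 54110e365dfca0db91c49013504a728abf202666
SHA256 75ea1039db1ca61e21610977cb3570684ee256b43b0416ad6b2ce1d947201219
SHA512 bedb8ba5cdf40e845af81ff57db126c62c14deeb514cc80db09c56c206a2cf1783f2913483068bf90497400af274b154cb564535e23e6cdbc59837b7158ac970

C:\Users\Admin\AppData\Local\Temp\_Nakikvvyglg.vbs

MD5 0d6555dc02c45b1e49ac39075c65cebe
SHA1 2fb0e4464b16db957a06353e14345e0f5a5ba4be
SHA256 368760bf74c0fc525b30d96118bef07fe2cdd1a20373e04151be5a95e6afbe8f
SHA512 775cf89738b1ad02a1aefad53a632e576f9037c3da7adab83c63474716ad4352fc100f85c6045fe725ed04eb003a3afc52b4f809f30e6efe6c31bd59a1b77cd9

memory/4120-32-0x0000000000F60000-0x000000000124C000-memory.dmp
memory/608-33-0x00007FFE35C60000-0x00007FFE36721000-memory.dmp
memory/4120-53-0x0000000008070000-0x00000000080DC000-memory.dmp
memory/4120-54-0x0000000008070000-0x00000000080D6000-memory.dmp
memory/4120-55-0x0000000008070000-0x00000000080D6000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest

@dataclass
class MemoryDump:
    name: str
    pid: int
    seq: int
    start: int
    end: int

    @property
    def wide_address(self) -> bool:
        """True when the region lies above 4 GiB, which only a 64-bit process can map."""
        return self.end > 0xFFFFFFFF

def parse_report(text: str):
    """Return (dropped files, memory dumps). Digest lengths are checked so a truncated
    copy-paste hash fails loudly instead of silently never matching anything."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current.path} has {len(digest)} hex chars")
            current.hashes[algo] = digest
        elif m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(line, int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
        else:  # any other non-blank line is a path that starts a new file entry
            current = DroppedFile(line)
            files.append(current)
    return files, dumps

def hash_index(files):
    """Map (algorithm, digest) -> report path for every digest in the listing."""
    return {(a, d): f.path for f in files for a, d in f.hashes.items()}

def match_digest(digest: str, index):
    """Look up a digest of any supported algorithm, inferring the algorithm from its length."""
    digest = digest.strip().lower()
    algo = {n: a for a, n in HASH_LEN.items()}.get(len(digest))
    return index.get((algo, digest))

def match_bytes(data: bytes, index):
    """Hash a candidate file's contents; return (algorithm, report path) on a hit, else None."""
    for algo, fn in (("MD5", hashlib.md5), ("SHA1", hashlib.sha1),
                     ("SHA256", hashlib.sha256), ("SHA512", hashlib.sha512)):
        path = index.get((algo, fn(data).hexdigest()))
        if path:
            return algo, path
    return None

def repeated_regions(dumps):
    """Count captures per (pid, start, end). A region dumped repeatedly over the run,
    like 4120's 0x08070000-0x080D6000 above, is the first one to carve for the payload."""
    counts = {}
    for d in dumps:
        counts[(d.pid, d.start, d.end)] = counts.get((d.pid, d.start, d.end), 0) + 1
    return counts
```

Run `parse_report` over the full Files section rather than the excerpt to get every digest; `match_bytes` is the call to wrap in a filesystem walk when sweeping endpoints, and `repeated_regions` separates the one-off captures from the region the sandbox kept re-dumping, which is where an unpacked RAT body or its configuration is most likely to sit. Note that the 608 dumps decode to addresses above 4 GiB while the 4120 dumps do not, so the two processes are of different bitness and need different tooling when carved.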