Analysis Overview
SHA256
a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09
Threat Level: Known bad
The file 496d5fc129c98a075ea39863bd8938a2.exe was found to be: Known bad.
Malicious Activity Summary
BitRAT
ZGRat
Detect ZGRat V1
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 19:46
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 19:46
Reported
2024-01-07 19:48
Platform
win7-20231215-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Detect ZGRat V1
ZGRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe
"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'
C:\Users\Admin\AppData\Local\Temp\Sys.pif
C:\Users\Admin\AppData\Local\Temp\Sys.pif
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
Files
\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
| MD5 | 76555816c73f34e86608807c7737a593 |
| SHA1 | 3c38473581f2c602a25707ee9000634f4b4d033a |
| SHA256 | 64299aa25ed5fae3be2ac53c376875280bb624a555674bc89f43e58cf06fde6d |
| SHA512 | a2a28ef202a332d002cf831c8fb94ef67dc392e543748c8b819fae191829fce038211a905ee08836556a73f9bc4918313c4be6ab9e7ef068503054eedfd3f22b |
\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
| MD5 | c2a78b5610d2abd529688c420bde478e |
| SHA1 | 7a6b9c6f66f7df7540ecfd633f9735c4828f9b3a |
| SHA256 | 36c76fcef546a898a0c6f4d811b9106574ac5e82f5354569871be9679091871c |
| SHA512 | b000464af649879dc724a9d805601ba9f627e03f28a65bc2a13a946f840d70bd8e6835511701657c795b96fd4521c7f23826b168a0bf2429e9d36bb596797aa2 |
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Direct2D1.dll
| MD5 | 19f8591a6baa83af46de41f20224b6f1 |
| SHA1 | c736799e1936cec37acbf66fdf1df96f4679562f |
| SHA256 | a94e2f3c206351503f6c4002585af270880854b4b97b730ea51764ef23b5ba79 |
| SHA512 | db4798af16452ce7c0e47f59692e1643d2639b0744075b78bb9dc33dbf7de78392bb21f28529b091d54ed0a2185add12f38c256bcb3ba97d34a050e29a19617e |
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.dll
| MD5 | 6fabeaa1c8ea15e787f2e3b487ab434d |
| SHA1 | c2091f69192903676ed6b181bbf8346b819c43a2 |
| SHA256 | 28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909 |
| SHA512 | 076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739 |
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Mathematics.dll
| MD5 | d30f6fb490a820dcdd9c7da971036393 |
| SHA1 | 177b1b912fb09efacce8bae24fca35ea514f131b |
| SHA256 | be2fe214f8a1515824b523ac85f25c8856370d4ffd90cd22dd78c079f5ea803b |
| SHA512 | 332508c32d6c5baf16da59c619fb4b55dfdfccea667582d02ccf72e88d0ddc0acaa2df97adba038bbada9d839145a6cd76c4a7ced5346256d868b3bd548d82e2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 9c274a21fccd0a0f34d9adbf1b5f46ec |
| SHA1 | 07879555b26f54f6adc4906bdc99c0f5cadd086e |
| SHA256 | 1ee4e70bd05228608e93b53228db1e35a3f8c8c5b987c3087af44d57c482abb0 |
| SHA512 | d49e1e79b22f3634c71546a88f52ae0ddde4949003687d2dcc3193c23a6963fa238ab8256504024bedc779b2c42b2f9431807aa094a1c19188a4a8669b524dec |
C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs
| MD5 | 0d6555dc02c45b1e49ac39075c65cebe |
| SHA1 | 2fb0e4464b16db957a06353e14345e0f5a5ba4be |
| SHA256 | 368760bf74c0fc525b30d96118bef07fe2cdd1a20373e04151be5a95e6afbe8f |
| SHA512 | 775cf89738b1ad02a1aefad53a632e576f9037c3da7adab83c63474716ad4352fc100f85c6045fe725ed04eb003a3afc52b4f809f30e6efe6c31bd59a1b77cd9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 19:46
Reported
2024-01-07 19:48
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
150s
Command Line
Signatures
BitRAT
Detect ZGRat V1
ZGRat
Processes
C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe
"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Users\Admin\AppData\Local\Temp\Sys.pif
C:\Users\Admin\AppData\Local\Temp\Sys.pif
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| SG | 139.99.66.103:25874 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
| MD5 | 7c6ae5039d34ef48cb0ba0fdc51f8488 |
| SHA1 | 81078d459d6f1c6dd69564f0d3c1731bf4a2128a |
| SHA256 | a02b1cb427385a59c2afc7cd7d0301836bd3e2118cfa58f3a80660e55c82521b |
| SHA512 | 9c458bf95d94a370877be8cb73768d19ee20b4f1cb1e90283cbc95c066f68e30bdaeb35516160e3728c930ad73dbbe5ace076cf9e51924a627a83a20a780e6bc |
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
| MD5 | db839c59eee092b7aadaf7c429e45c32 |
| SHA1 | e8be58417dfd4ed4dd110776de843084302f43df |
| SHA256 | e495c5fc9eb8073157995929503522403f160fcf4f3519770185539784bd3684 |
| SHA512 | 64242febb1bc8941ef4b2fdced4bfa914c06fc7ab96b9e9ffce9aa1913404380999e20f8b0eca3320feecbb9eb37e040339a832915ffa195beb5de9e65b4a56f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 0774a05ce5ee4c1af7097353c9296c62 |
| SHA1 | 658ff96b111c21c39d7ad5f510fb72f9762114bb |
| SHA256 | d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4 |
| SHA512 | 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3208d49ba6636842bd1fbf160895f03a |
| SHA1 | 0b467dba6f9c2d4ba92b8316305c268f66091542 |
| SHA256 | 42be444d765ccf981588d0178c87e27f6e4779159c2801ac5686273f5b9fb32b |
| SHA512 | fc0701993fb6670fe548fae0d079213c32adfa0012106a9606bab10895ad25c5e67faf26fdd55a07a12ab3d53155169c8a8b6cbf7ec1a269ed97be8eceba1182 |