Malware Analysis Report

2024-10-10 12:04

Sample ID 240613-sdqesatdqb
Target minecraft.ZERO.hile.exe
SHA256 fb581a2cc898f1130a283f27f7969aad7aa67ea39aa05fdf989bb814a7b89f06
Tags discovery
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fb581a2cc898f1130a283f27f7969aad7aa67ea39aa05fdf989bb814a7b89f06

Threat Level: Shows suspicious behavior

The file minecraft.ZERO.hile.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Modifies file permissions

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Enumerates processes with tasklist

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 15:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 15:00

Reported

2024-06-13 15:04

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 2712 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 2508 wrote to memory of 4000 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 2508 wrote to memory of 4000 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 2508 wrote to memory of 4508 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\tasklist.exe
PID 2508 wrote to memory of 4508 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\tasklist.exe
PID 2508 wrote to memory of 612 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 612 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4448 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4448 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4532 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4532 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4536 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4536 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5128 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5128 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 3332 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 3332 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 1320 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 1320 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4892 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4892 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 2620 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 2620 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4492 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4492 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 2548 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 2548 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5896 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5896 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5852 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5852 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5124 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5124 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 2828 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2508 wrote to memory of 2828 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2508 wrote to memory of 2160 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2508 wrote to memory of 2160 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2508 wrote to memory of 5256 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2508 wrote to memory of 5256 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2508 wrote to memory of 5768 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5768 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4068 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4068 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4572 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4572 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4428 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4428 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 2712 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 2712 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 3104 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 3104 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4844 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4844 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4740 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 4740 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5644 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5644 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 2288 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 2288 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2508 wrote to memory of 5380 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2508 wrote to memory of 5380 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2508 wrote to memory of 1340 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2508 wrote to memory of 1340 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe

"C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\tasklist.exe

tasklist

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\System32\Wbem\wmic.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get name

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption /value

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\System32\Wbem\wmic.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get name

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption /value

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 ptb.discord.com udp
US 162.159.137.232:443 ptb.discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 89.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/2712-0-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2508-3-0x0000027F14190000-0x0000027F14400000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 7330624f97bdbe320508e5bc444aa96b
SHA1 af1c8278bdefa7d8224a03899b3452f6cdf2c8e1
SHA256 178447750a504c892d2e2637f54e499cf01b96e9ee48e6000412a49956e36e6b
SHA512 fb07881da366fd9a283e9058036f281f6677030f79be4e7bae375d92677aadf830648ca86f2d6e61c53271c3d5d18a47ccf85840b3e0b9abeeffac24389185d7

memory/2508-13-0x0000027F14170000-0x0000027F14171000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna7022119757418952327.dll

MD5 719d6ba1946c25aa61ce82f90d77ffd5
SHA1 94d2191378cac5719daecc826fc116816284c406
SHA256 69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512 119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b

C:\Users\Admin\AppData\Local\Temp\sqlite-3.20.1-f7d69257-67f5-4659-8544-a3d6b55abb91-sqlitejdbc.dll

MD5 dfeb9c87f051ca41d1070a0b8e3c805b
SHA1 bab606fb299b220d979e338c938bb3c871eeb3e6
SHA256 32e1a9209fc62b815be176718638a1c764745ba2de60295d7d287b95dd773071
SHA512 0369d025f65f384135227e253a56f53d8b4c63773c441036571499173b6aa6d0cef9208d548bd6e427977f1c2b2ec6e2f289a4d32831167a9bb0b2e3e79726c4

memory/2508-28-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-30-0x0000027F14400000-0x0000027F14410000-memory.dmp

memory/2508-32-0x0000027F14410000-0x0000027F14420000-memory.dmp

memory/2508-34-0x0000027F14420000-0x0000027F14430000-memory.dmp

memory/2508-37-0x0000027F14430000-0x0000027F14440000-memory.dmp

memory/2508-38-0x0000027F14440000-0x0000027F14450000-memory.dmp

memory/2508-41-0x0000027F14450000-0x0000027F14460000-memory.dmp

memory/2508-42-0x0000027F14460000-0x0000027F14470000-memory.dmp

memory/2508-44-0x0000027F14470000-0x0000027F14480000-memory.dmp

memory/2508-53-0x0000027F14490000-0x0000027F144A0000-memory.dmp

memory/2508-52-0x0000027F144B0000-0x0000027F144C0000-memory.dmp

memory/2508-51-0x0000027F144A0000-0x0000027F144B0000-memory.dmp

memory/2508-57-0x0000027F144C0000-0x0000027F144D0000-memory.dmp

memory/2508-56-0x0000027F14400000-0x0000027F14410000-memory.dmp

memory/2508-50-0x0000027F14480000-0x0000027F14490000-memory.dmp

memory/2508-49-0x0000027F14190000-0x0000027F14400000-memory.dmp

memory/2508-61-0x0000027F144E0000-0x0000027F144F0000-memory.dmp

memory/2508-60-0x0000027F144D0000-0x0000027F144E0000-memory.dmp

memory/2508-59-0x0000027F14410000-0x0000027F14420000-memory.dmp

memory/2508-66-0x0000027F14500000-0x0000027F14510000-memory.dmp

memory/2508-65-0x0000027F144F0000-0x0000027F14500000-memory.dmp

memory/2508-64-0x0000027F14420000-0x0000027F14430000-memory.dmp

memory/2508-69-0x0000027F14510000-0x0000027F14520000-memory.dmp

memory/2508-68-0x0000027F14430000-0x0000027F14440000-memory.dmp

memory/2508-72-0x0000027F14450000-0x0000027F14460000-memory.dmp

memory/2508-73-0x0000027F14520000-0x0000027F14530000-memory.dmp

memory/2508-71-0x0000027F14440000-0x0000027F14450000-memory.dmp

memory/2508-76-0x0000027F14530000-0x0000027F14540000-memory.dmp

memory/2508-77-0x0000027F14540000-0x0000027F14550000-memory.dmp

memory/2508-83-0x0000027F14550000-0x0000027F14560000-memory.dmp

memory/2508-82-0x0000027F14460000-0x0000027F14470000-memory.dmp

memory/2508-104-0x0000027F14560000-0x0000027F14570000-memory.dmp

memory/2508-103-0x0000027F14470000-0x0000027F14480000-memory.dmp

memory/2508-112-0x0000027F14570000-0x0000027F14580000-memory.dmp

memory/2508-110-0x0000027F144B0000-0x0000027F144C0000-memory.dmp

memory/2508-109-0x0000027F144A0000-0x0000027F144B0000-memory.dmp

memory/2508-108-0x0000027F14480000-0x0000027F14490000-memory.dmp

memory/2508-113-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-116-0x0000027F14490000-0x0000027F144A0000-memory.dmp

memory/2508-117-0x0000027F14580000-0x0000027F14590000-memory.dmp

memory/2508-121-0x0000027F14590000-0x0000027F145A0000-memory.dmp

memory/2508-120-0x0000027F144C0000-0x0000027F144D0000-memory.dmp

memory/2508-126-0x0000027F145B0000-0x0000027F145C0000-memory.dmp

memory/2508-125-0x0000027F145A0000-0x0000027F145B0000-memory.dmp

memory/2508-124-0x0000027F144E0000-0x0000027F144F0000-memory.dmp

memory/2508-123-0x0000027F144D0000-0x0000027F144E0000-memory.dmp

memory/2508-130-0x0000027F145C0000-0x0000027F145D0000-memory.dmp

memory/2508-129-0x0000027F14500000-0x0000027F14510000-memory.dmp

memory/2508-128-0x0000027F144F0000-0x0000027F14500000-memory.dmp

memory/2508-171-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-173-0x0000027F14510000-0x0000027F14520000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Pvwynmdt\Game\sonoyuncu.txt

MD5 c4e084cd947c96a0b82b02c634540789
SHA1 de91618baf7eccbad86a0610176b6be79e16a094
SHA256 c926a5b9148deecb9084d03187b9297b501296de20f87db2b689066c3fbb34d2
SHA512 c2d288b2ee229c8edd1250284322a118b06a847ad05e076f4f028acd5a060864a4f6dbe77c091707aff49663e3a6d7c8e173ddc83220c44df6468c02e7eb7e85

C:\Users\Admin\AppData\Local\Microsoft\Pvwynmdt\Browsers\Chrome\Default\cookie.txt

MD5 e626fb9444522a4f6394a8a102a6c289
SHA1 125f3fa1601103ae9b3ecfeef19bcba928d4b0fd
SHA256 6f4d38fb9af15a15fa880a2bfec2f2a9c7a595ce1994ca78109d7ee4aa30f72e
SHA512 d1e914b16fed816baa0ac1095410aa66affe56d97ee9ed5590ea77c65bfb9bee37d4ab1ff47e68df757f445d65ed2e8c9d4977b8aeae201dab3e355b842449a2

memory/2508-178-0x0000027F14520000-0x0000027F14530000-memory.dmp

memory/2508-185-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-213-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-215-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-223-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-225-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-229-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-235-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-236-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-237-0x0000027F14530000-0x0000027F14540000-memory.dmp

memory/2508-238-0x0000027F14540000-0x0000027F14550000-memory.dmp

memory/2508-243-0x0000027F14550000-0x0000027F14560000-memory.dmp

memory/2508-242-0x000000006ADC0000-0x000000006AEB2000-memory.dmp

memory/2508-246-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-247-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-249-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-250-0x0000027F14170000-0x0000027F14171000-memory.dmp

memory/2508-287-0x0000027F14490000-0x0000027F144A0000-memory.dmp

memory/2508-286-0x0000027F14430000-0x0000027F14440000-memory.dmp

memory/2508-285-0x0000027F14420000-0x0000027F14430000-memory.dmp

memory/2508-284-0x0000027F14410000-0x0000027F14420000-memory.dmp

memory/2508-283-0x0000027F14400000-0x0000027F14410000-memory.dmp

memory/2508-282-0x0000027F14440000-0x0000027F14450000-memory.dmp

memory/2508-293-0x0000027F144B0000-0x0000027F144C0000-memory.dmp

memory/2508-298-0x0000027F144F0000-0x0000027F14500000-memory.dmp

memory/2508-310-0x0000027F145C0000-0x0000027F145D0000-memory.dmp

memory/2508-309-0x0000027F145B0000-0x0000027F145C0000-memory.dmp

memory/2508-308-0x0000027F145A0000-0x0000027F145B0000-memory.dmp

memory/2508-307-0x0000027F14590000-0x0000027F145A0000-memory.dmp

memory/2508-306-0x0000027F14580000-0x0000027F14590000-memory.dmp

memory/2508-296-0x0000027F144D0000-0x0000027F144E0000-memory.dmp

memory/2508-305-0x0000027F14570000-0x0000027F14580000-memory.dmp

memory/2508-304-0x0000027F14560000-0x0000027F14570000-memory.dmp

memory/2508-303-0x0000027F14540000-0x0000027F14550000-memory.dmp

memory/2508-302-0x0000027F14530000-0x0000027F14540000-memory.dmp

memory/2508-301-0x0000027F14520000-0x0000027F14530000-memory.dmp

memory/2508-300-0x0000027F14510000-0x0000027F14520000-memory.dmp

memory/2508-299-0x0000027F14500000-0x0000027F14510000-memory.dmp

memory/2508-297-0x0000027F144E0000-0x0000027F144F0000-memory.dmp

memory/2508-295-0x0000027F144C0000-0x0000027F144D0000-memory.dmp

memory/2508-294-0x0000027F14190000-0x0000027F14400000-memory.dmp

memory/2508-292-0x0000027F144A0000-0x0000027F144B0000-memory.dmp

memory/2508-291-0x0000027F14480000-0x0000027F14490000-memory.dmp

memory/2508-290-0x0000027F14470000-0x0000027F14480000-memory.dmp

memory/2508-289-0x0000027F14450000-0x0000027F14460000-memory.dmp

memory/2508-288-0x0000027F14460000-0x0000027F14470000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 15:00

Reported

2024-06-13 15:04

Platform

win11-20240611-en

Max time kernel

133s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 2440 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 2388 wrote to memory of 3408 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 2388 wrote to memory of 3408 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 2388 wrote to memory of 3764 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\tasklist.exe
PID 2388 wrote to memory of 3764 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\tasklist.exe
PID 2388 wrote to memory of 8 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 8 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 5040 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 5040 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 1824 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 1824 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2740 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2740 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2680 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2680 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3892 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3892 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3040 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3040 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4856 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4856 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2612 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2612 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3852 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3852 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4688 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4688 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 240 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 240 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3420 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3420 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2816 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2816 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4124 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2388 wrote to memory of 4124 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2388 wrote to memory of 2052 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2388 wrote to memory of 2052 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2388 wrote to memory of 3956 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2388 wrote to memory of 3956 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2388 wrote to memory of 1004 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 1004 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3296 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3296 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4928 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4928 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2240 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2240 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2304 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 2304 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3924 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3924 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4108 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4108 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3176 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 3176 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4580 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4580 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4052 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 4052 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\hostname.exe
PID 2388 wrote to memory of 1668 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2388 wrote to memory of 1668 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2388 wrote to memory of 1508 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe
PID 2388 wrote to memory of 1508 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe

"C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\tasklist.exe

tasklist

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\System32\Wbem\wmic.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get name

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption /value

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\System32\Wbem\wmic.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get name

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption /value

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
GB 88.221.135.27:443 tcp
BE 88.221.83.224:443 r.bing.com tcp
BE 88.221.83.224:443 r.bing.com tcp
BE 88.221.83.224:443 r.bing.com tcp
BE 88.221.83.224:443 r.bing.com tcp
BE 88.221.83.224:443 r.bing.com tcp
BE 88.221.83.224:443 r.bing.com tcp
US 20.42.65.85:443 browser.pipe.aria.microsoft.com tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/2440-0-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2388-3-0x000001C4D8310000-0x000001C4D8580000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 8c108747ed69366d07462965e4f400ac
SHA1 cc3684055ad5922f23a8f44be7ab3f8685cb1803
SHA256 7ed393add1a454d07cf046da17d35212106251cc82817a706799f9b4208149e4
SHA512 c928c2293269a8cb941ef37a3018b437bdf5cff06983b7ab2d169ddf52b89d2d23113c2f2102ce9659f4c9bc60ff85da54457c3fcff2e6b46e77283e49846f8a

memory/2388-13-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna5879801517958746416.dll

MD5 719d6ba1946c25aa61ce82f90d77ffd5
SHA1 94d2191378cac5719daecc826fc116816284c406
SHA256 69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512 119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b

C:\Users\Admin\AppData\Local\Temp\sqlite-3.20.1-2f579953-1332-491e-9981-d24c56650fbc-sqlitejdbc.dll

MD5 dfeb9c87f051ca41d1070a0b8e3c805b
SHA1 bab606fb299b220d979e338c938bb3c871eeb3e6
SHA256 32e1a9209fc62b815be176718638a1c764745ba2de60295d7d287b95dd773071
SHA512 0369d025f65f384135227e253a56f53d8b4c63773c441036571499173b6aa6d0cef9208d548bd6e427977f1c2b2ec6e2f289a4d32831167a9bb0b2e3e79726c4

memory/2388-30-0x000001C4D8580000-0x000001C4D8590000-memory.dmp

memory/2388-32-0x000001C4D8590000-0x000001C4D85A0000-memory.dmp

memory/2388-34-0x000001C4D85A0000-0x000001C4D85B0000-memory.dmp

memory/2388-37-0x000001C4D85B0000-0x000001C4D85C0000-memory.dmp

memory/2388-38-0x000001C4D85C0000-0x000001C4D85D0000-memory.dmp

memory/2388-41-0x000001C4D85D0000-0x000001C4D85E0000-memory.dmp

memory/2388-42-0x000001C4D85E0000-0x000001C4D85F0000-memory.dmp

memory/2388-44-0x000001C4D85F0000-0x000001C4D8600000-memory.dmp

memory/2388-46-0x000001C4D8600000-0x000001C4D8610000-memory.dmp

memory/2388-49-0x000001C4D8610000-0x000001C4D8620000-memory.dmp

memory/2388-54-0x000001C4D8580000-0x000001C4D8590000-memory.dmp

memory/2388-53-0x000001C4D8630000-0x000001C4D8640000-memory.dmp

memory/2388-52-0x000001C4D8620000-0x000001C4D8630000-memory.dmp

memory/2388-51-0x000001C4D8310000-0x000001C4D8580000-memory.dmp

memory/2388-57-0x000001C4D8640000-0x000001C4D8650000-memory.dmp

memory/2388-56-0x000001C4D8590000-0x000001C4D85A0000-memory.dmp

memory/2388-59-0x000001C4D85A0000-0x000001C4D85B0000-memory.dmp

memory/2388-60-0x000001C4D85B0000-0x000001C4D85C0000-memory.dmp

memory/2388-61-0x000001C4D8650000-0x000001C4D8660000-memory.dmp

memory/2388-65-0x000001C4D8660000-0x000001C4D8670000-memory.dmp

memory/2388-67-0x000001C4D8680000-0x000001C4D8690000-memory.dmp

memory/2388-66-0x000001C4D8670000-0x000001C4D8680000-memory.dmp

memory/2388-71-0x000001C4D8690000-0x000001C4D86A0000-memory.dmp

memory/2388-72-0x000001C4D86A0000-0x000001C4D86B0000-memory.dmp

memory/2388-70-0x000001C4D85C0000-0x000001C4D85D0000-memory.dmp

memory/2388-76-0x000001C4D86B0000-0x000001C4D86C0000-memory.dmp

memory/2388-75-0x000001C4D85E0000-0x000001C4D85F0000-memory.dmp

memory/2388-74-0x000001C4D85D0000-0x000001C4D85E0000-memory.dmp

memory/2388-86-0x000001C4D86E0000-0x000001C4D86F0000-memory.dmp

memory/2388-85-0x000001C4D86D0000-0x000001C4D86E0000-memory.dmp

memory/2388-84-0x000001C4D86C0000-0x000001C4D86D0000-memory.dmp

memory/2388-83-0x000001C4D85F0000-0x000001C4D8600000-memory.dmp

memory/2388-106-0x000001C4D8600000-0x000001C4D8610000-memory.dmp

memory/2388-107-0x000001C4D8610000-0x000001C4D8620000-memory.dmp

memory/2388-108-0x000001C4D86F0000-0x000001C4D8700000-memory.dmp

memory/2388-112-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-114-0x000001C4D8700000-0x000001C4D8710000-memory.dmp

memory/2388-118-0x000001C4D8710000-0x000001C4D8720000-memory.dmp

memory/2388-117-0x000001C4D8620000-0x000001C4D8630000-memory.dmp

memory/2388-122-0x000001C4D8720000-0x000001C4D8730000-memory.dmp

memory/2388-121-0x000001C4D8630000-0x000001C4D8640000-memory.dmp

memory/2388-124-0x000001C4D8730000-0x000001C4D8740000-memory.dmp

memory/2388-123-0x000001C4D8640000-0x000001C4D8650000-memory.dmp

memory/2388-127-0x000001C4D8740000-0x000001C4D8750000-memory.dmp

memory/2388-126-0x000001C4D8650000-0x000001C4D8660000-memory.dmp

memory/2388-133-0x000001C4D8660000-0x000001C4D8670000-memory.dmp

memory/2388-136-0x000001C4D8750000-0x000001C4D8760000-memory.dmp

memory/2388-134-0x000001C4D8670000-0x000001C4D8680000-memory.dmp

memory/2388-135-0x000001C4D8680000-0x000001C4D8690000-memory.dmp

memory/2388-166-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-173-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-174-0x000001C4D8690000-0x000001C4D86A0000-memory.dmp

memory/2388-175-0x000001C4D86A0000-0x000001C4D86B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Tlawpkpz\Game\sonoyuncu.txt

MD5 c4e084cd947c96a0b82b02c634540789
SHA1 de91618baf7eccbad86a0610176b6be79e16a094
SHA256 c926a5b9148deecb9084d03187b9297b501296de20f87db2b689066c3fbb34d2
SHA512 c2d288b2ee229c8edd1250284322a118b06a847ad05e076f4f028acd5a060864a4f6dbe77c091707aff49663e3a6d7c8e173ddc83220c44df6468c02e7eb7e85

C:\Users\Admin\AppData\Local\Microsoft\Tlawpkpz\Browsers\Chrome\Default\cookie.txt

MD5 62c0ac2afb97ecc5c5a3c2cce6d6315e
SHA1 3c98b7ff8b9d7c35a4208df9cdea28d8d7b959d5
SHA256 350eed026d30826a00f1185cebe2a17a2c0f96dea785fc75ef675ed4080f24c6
SHA512 3d80a83ed6c934de6129c1a7a7a272f7f0dbe1be0c6b8911dea2122acd425c1ad0e0d266dfd0f73e6143bca6d7b74bdbab1c71e68f029696af36a176b21aa387

memory/2388-179-0x000001C4D86B0000-0x000001C4D86C0000-memory.dmp

memory/2388-180-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-186-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-189-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-219-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-217-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-221-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-220-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-223-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-238-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-239-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-240-0x000001C4D86C0000-0x000001C4D86D0000-memory.dmp

memory/2388-241-0x000001C4D86D0000-0x000001C4D86E0000-memory.dmp

memory/2388-242-0x000001C4D86E0000-0x000001C4D86F0000-memory.dmp

memory/2388-247-0x000001C4D86F0000-0x000001C4D8700000-memory.dmp

memory/2388-246-0x000000006ADC0000-0x000000006AEB2000-memory.dmp

memory/2388-252-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp

memory/2388-291-0x000001C4D85B0000-0x000001C4D85C0000-memory.dmp

memory/2388-295-0x000001C4D8600000-0x000001C4D8610000-memory.dmp

memory/2388-297-0x000001C4D8610000-0x000001C4D8620000-memory.dmp

memory/2388-315-0x000001C4D8750000-0x000001C4D8760000-memory.dmp

memory/2388-314-0x000001C4D8740000-0x000001C4D8750000-memory.dmp

memory/2388-313-0x000001C4D8730000-0x000001C4D8740000-memory.dmp

memory/2388-312-0x000001C4D8720000-0x000001C4D8730000-memory.dmp

memory/2388-311-0x000001C4D8710000-0x000001C4D8720000-memory.dmp

memory/2388-310-0x000001C4D8700000-0x000001C4D8710000-memory.dmp

memory/2388-309-0x000001C4D86E0000-0x000001C4D86F0000-memory.dmp

memory/2388-308-0x000001C4D86D0000-0x000001C4D86E0000-memory.dmp

memory/2388-307-0x000001C4D86C0000-0x000001C4D86D0000-memory.dmp

memory/2388-306-0x000001C4D86B0000-0x000001C4D86C0000-memory.dmp

memory/2388-305-0x000001C4D86A0000-0x000001C4D86B0000-memory.dmp

memory/2388-304-0x000001C4D8690000-0x000001C4D86A0000-memory.dmp

memory/2388-303-0x000001C4D8680000-0x000001C4D8690000-memory.dmp

memory/2388-302-0x000001C4D8670000-0x000001C4D8680000-memory.dmp

memory/2388-301-0x000001C4D8660000-0x000001C4D8670000-memory.dmp

memory/2388-300-0x000001C4D8650000-0x000001C4D8660000-memory.dmp

memory/2388-299-0x000001C4D8640000-0x000001C4D8650000-memory.dmp

memory/2388-298-0x000001C4D8310000-0x000001C4D8580000-memory.dmp

memory/2388-296-0x000001C4D8620000-0x000001C4D8630000-memory.dmp

memory/2388-294-0x000001C4D85F0000-0x000001C4D8600000-memory.dmp

memory/2388-293-0x000001C4D85E0000-0x000001C4D85F0000-memory.dmp

memory/2388-292-0x000001C4D85D0000-0x000001C4D85E0000-memory.dmp

memory/2388-290-0x000001C4D85C0000-0x000001C4D85D0000-memory.dmp

memory/2388-289-0x000001C4D85A0000-0x000001C4D85B0000-memory.dmp

memory/2388-288-0x000001C4D8590000-0x000001C4D85A0000-memory.dmp

memory/2388-287-0x000001C4D8580000-0x000001C4D8590000-memory.dmp

memory/2388-286-0x000001C4D8630000-0x000001C4D8640000-memory.dmp