Analysis Overview
SHA256
fb581a2cc898f1130a283f27f7969aad7aa67ea39aa05fdf989bb814a7b89f06
Threat Level: Shows suspicious behavior
The file minecraft.ZERO.hile.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Modifies file permissions
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Detects videocard installed
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Enumerates processes with tasklist
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 15:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 15:00
Reported
2024-06-13 15:04
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe
"C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\SYSTEM32\tasklist.exe
tasklist
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get name
C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption /value
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get name
C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption /value
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 33.66.178.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ptb.discord.com | udp |
| US | 162.159.137.232:443 | ptb.discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/2712-0-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2508-3-0x0000027F14190000-0x0000027F14400000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 7330624f97bdbe320508e5bc444aa96b |
| SHA1 | af1c8278bdefa7d8224a03899b3452f6cdf2c8e1 |
| SHA256 | 178447750a504c892d2e2637f54e499cf01b96e9ee48e6000412a49956e36e6b |
| SHA512 | fb07881da366fd9a283e9058036f281f6677030f79be4e7bae375d92677aadf830648ca86f2d6e61c53271c3d5d18a47ccf85840b3e0b9abeeffac24389185d7 |
memory/2508-13-0x0000027F14170000-0x0000027F14171000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna7022119757418952327.dll
| MD5 | 719d6ba1946c25aa61ce82f90d77ffd5 |
| SHA1 | 94d2191378cac5719daecc826fc116816284c406 |
| SHA256 | 69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44 |
| SHA512 | 119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b |
C:\Users\Admin\AppData\Local\Temp\sqlite-3.20.1-f7d69257-67f5-4659-8544-a3d6b55abb91-sqlitejdbc.dll
| MD5 | dfeb9c87f051ca41d1070a0b8e3c805b |
| SHA1 | bab606fb299b220d979e338c938bb3c871eeb3e6 |
| SHA256 | 32e1a9209fc62b815be176718638a1c764745ba2de60295d7d287b95dd773071 |
| SHA512 | 0369d025f65f384135227e253a56f53d8b4c63773c441036571499173b6aa6d0cef9208d548bd6e427977f1c2b2ec6e2f289a4d32831167a9bb0b2e3e79726c4 |
memory/2508-28-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-30-0x0000027F14400000-0x0000027F14410000-memory.dmp
memory/2508-32-0x0000027F14410000-0x0000027F14420000-memory.dmp
memory/2508-34-0x0000027F14420000-0x0000027F14430000-memory.dmp
memory/2508-37-0x0000027F14430000-0x0000027F14440000-memory.dmp
memory/2508-38-0x0000027F14440000-0x0000027F14450000-memory.dmp
memory/2508-41-0x0000027F14450000-0x0000027F14460000-memory.dmp
memory/2508-42-0x0000027F14460000-0x0000027F14470000-memory.dmp
memory/2508-44-0x0000027F14470000-0x0000027F14480000-memory.dmp
memory/2508-53-0x0000027F14490000-0x0000027F144A0000-memory.dmp
memory/2508-52-0x0000027F144B0000-0x0000027F144C0000-memory.dmp
memory/2508-51-0x0000027F144A0000-0x0000027F144B0000-memory.dmp
memory/2508-57-0x0000027F144C0000-0x0000027F144D0000-memory.dmp
memory/2508-56-0x0000027F14400000-0x0000027F14410000-memory.dmp
memory/2508-50-0x0000027F14480000-0x0000027F14490000-memory.dmp
memory/2508-49-0x0000027F14190000-0x0000027F14400000-memory.dmp
memory/2508-61-0x0000027F144E0000-0x0000027F144F0000-memory.dmp
memory/2508-60-0x0000027F144D0000-0x0000027F144E0000-memory.dmp
memory/2508-59-0x0000027F14410000-0x0000027F14420000-memory.dmp
memory/2508-66-0x0000027F14500000-0x0000027F14510000-memory.dmp
memory/2508-65-0x0000027F144F0000-0x0000027F14500000-memory.dmp
memory/2508-64-0x0000027F14420000-0x0000027F14430000-memory.dmp
memory/2508-69-0x0000027F14510000-0x0000027F14520000-memory.dmp
memory/2508-68-0x0000027F14430000-0x0000027F14440000-memory.dmp
memory/2508-72-0x0000027F14450000-0x0000027F14460000-memory.dmp
memory/2508-73-0x0000027F14520000-0x0000027F14530000-memory.dmp
memory/2508-71-0x0000027F14440000-0x0000027F14450000-memory.dmp
memory/2508-76-0x0000027F14530000-0x0000027F14540000-memory.dmp
memory/2508-77-0x0000027F14540000-0x0000027F14550000-memory.dmp
memory/2508-83-0x0000027F14550000-0x0000027F14560000-memory.dmp
memory/2508-82-0x0000027F14460000-0x0000027F14470000-memory.dmp
memory/2508-104-0x0000027F14560000-0x0000027F14570000-memory.dmp
memory/2508-103-0x0000027F14470000-0x0000027F14480000-memory.dmp
memory/2508-112-0x0000027F14570000-0x0000027F14580000-memory.dmp
memory/2508-110-0x0000027F144B0000-0x0000027F144C0000-memory.dmp
memory/2508-109-0x0000027F144A0000-0x0000027F144B0000-memory.dmp
memory/2508-108-0x0000027F14480000-0x0000027F14490000-memory.dmp
memory/2508-113-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-116-0x0000027F14490000-0x0000027F144A0000-memory.dmp
memory/2508-117-0x0000027F14580000-0x0000027F14590000-memory.dmp
memory/2508-121-0x0000027F14590000-0x0000027F145A0000-memory.dmp
memory/2508-120-0x0000027F144C0000-0x0000027F144D0000-memory.dmp
memory/2508-126-0x0000027F145B0000-0x0000027F145C0000-memory.dmp
memory/2508-125-0x0000027F145A0000-0x0000027F145B0000-memory.dmp
memory/2508-124-0x0000027F144E0000-0x0000027F144F0000-memory.dmp
memory/2508-123-0x0000027F144D0000-0x0000027F144E0000-memory.dmp
memory/2508-130-0x0000027F145C0000-0x0000027F145D0000-memory.dmp
memory/2508-129-0x0000027F14500000-0x0000027F14510000-memory.dmp
memory/2508-128-0x0000027F144F0000-0x0000027F14500000-memory.dmp
memory/2508-171-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-173-0x0000027F14510000-0x0000027F14520000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Pvwynmdt\Game\sonoyuncu.txt
| MD5 | c4e084cd947c96a0b82b02c634540789 |
| SHA1 | de91618baf7eccbad86a0610176b6be79e16a094 |
| SHA256 | c926a5b9148deecb9084d03187b9297b501296de20f87db2b689066c3fbb34d2 |
| SHA512 | c2d288b2ee229c8edd1250284322a118b06a847ad05e076f4f028acd5a060864a4f6dbe77c091707aff49663e3a6d7c8e173ddc83220c44df6468c02e7eb7e85 |
C:\Users\Admin\AppData\Local\Microsoft\Pvwynmdt\Browsers\Chrome\Default\cookie.txt
| MD5 | e626fb9444522a4f6394a8a102a6c289 |
| SHA1 | 125f3fa1601103ae9b3ecfeef19bcba928d4b0fd |
| SHA256 | 6f4d38fb9af15a15fa880a2bfec2f2a9c7a595ce1994ca78109d7ee4aa30f72e |
| SHA512 | d1e914b16fed816baa0ac1095410aa66affe56d97ee9ed5590ea77c65bfb9bee37d4ab1ff47e68df757f445d65ed2e8c9d4977b8aeae201dab3e355b842449a2 |
memory/2508-178-0x0000027F14520000-0x0000027F14530000-memory.dmp
memory/2508-185-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-213-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-215-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-223-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-225-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-229-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-235-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-236-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-237-0x0000027F14530000-0x0000027F14540000-memory.dmp
memory/2508-238-0x0000027F14540000-0x0000027F14550000-memory.dmp
memory/2508-243-0x0000027F14550000-0x0000027F14560000-memory.dmp
memory/2508-242-0x000000006ADC0000-0x000000006AEB2000-memory.dmp
memory/2508-246-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-247-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-249-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-250-0x0000027F14170000-0x0000027F14171000-memory.dmp
memory/2508-287-0x0000027F14490000-0x0000027F144A0000-memory.dmp
memory/2508-286-0x0000027F14430000-0x0000027F14440000-memory.dmp
memory/2508-285-0x0000027F14420000-0x0000027F14430000-memory.dmp
memory/2508-284-0x0000027F14410000-0x0000027F14420000-memory.dmp
memory/2508-283-0x0000027F14400000-0x0000027F14410000-memory.dmp
memory/2508-282-0x0000027F14440000-0x0000027F14450000-memory.dmp
memory/2508-293-0x0000027F144B0000-0x0000027F144C0000-memory.dmp
memory/2508-298-0x0000027F144F0000-0x0000027F14500000-memory.dmp
memory/2508-310-0x0000027F145C0000-0x0000027F145D0000-memory.dmp
memory/2508-309-0x0000027F145B0000-0x0000027F145C0000-memory.dmp
memory/2508-308-0x0000027F145A0000-0x0000027F145B0000-memory.dmp
memory/2508-307-0x0000027F14590000-0x0000027F145A0000-memory.dmp
memory/2508-306-0x0000027F14580000-0x0000027F14590000-memory.dmp
memory/2508-296-0x0000027F144D0000-0x0000027F144E0000-memory.dmp
memory/2508-305-0x0000027F14570000-0x0000027F14580000-memory.dmp
memory/2508-304-0x0000027F14560000-0x0000027F14570000-memory.dmp
memory/2508-303-0x0000027F14540000-0x0000027F14550000-memory.dmp
memory/2508-302-0x0000027F14530000-0x0000027F14540000-memory.dmp
memory/2508-301-0x0000027F14520000-0x0000027F14530000-memory.dmp
memory/2508-300-0x0000027F14510000-0x0000027F14520000-memory.dmp
memory/2508-299-0x0000027F14500000-0x0000027F14510000-memory.dmp
memory/2508-297-0x0000027F144E0000-0x0000027F144F0000-memory.dmp
memory/2508-295-0x0000027F144C0000-0x0000027F144D0000-memory.dmp
memory/2508-294-0x0000027F14190000-0x0000027F14400000-memory.dmp
memory/2508-292-0x0000027F144A0000-0x0000027F144B0000-memory.dmp
memory/2508-291-0x0000027F14480000-0x0000027F14490000-memory.dmp
memory/2508-290-0x0000027F14470000-0x0000027F14480000-memory.dmp
memory/2508-289-0x0000027F14450000-0x0000027F14460000-memory.dmp
memory/2508-288-0x0000027F14460000-0x0000027F14470000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 15:00
Reported
2024-06-13 15:04
Platform
win11-20240611-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe
"C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\minecraft.ZERO.hile.exe"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\SYSTEM32\tasklist.exe
tasklist
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get name
C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption /value
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get name
C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption /value
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\SYSTEM32\hostname.exe
hostname
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 33.66.178.51.in-addr.arpa | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| GB | 88.221.135.27:443 | N/A | tcp |
| BE | 88.221.83.224:443 | r.bing.com | tcp |
| BE | 88.221.83.224:443 | r.bing.com | tcp |
| BE | 88.221.83.224:443 | r.bing.com | tcp |
| BE | 88.221.83.224:443 | r.bing.com | tcp |
| BE | 88.221.83.224:443 | r.bing.com | tcp |
| BE | 88.221.83.224:443 | r.bing.com | tcp |
| US | 20.42.65.85:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/2440-0-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2388-3-0x000001C4D8310000-0x000001C4D8580000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 8c108747ed69366d07462965e4f400ac |
| SHA1 | cc3684055ad5922f23a8f44be7ab3f8685cb1803 |
| SHA256 | 7ed393add1a454d07cf046da17d35212106251cc82817a706799f9b4208149e4 |
| SHA512 | c928c2293269a8cb941ef37a3018b437bdf5cff06983b7ab2d169ddf52b89d2d23113c2f2102ce9659f4c9bc60ff85da54457c3fcff2e6b46e77283e49846f8a |
memory/2388-13-0x000001C4D6AC0000-0x000001C4D6AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna5879801517958746416.dll
| MD5 | 719d6ba1946c25aa61ce82f90d77ffd5 |
| SHA1 | 94d2191378cac5719daecc826fc116816284c406 |
| SHA256 | 69c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44 |
| SHA512 | 119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b |
C:\Users\Admin\AppData\Local\Temp\sqlite-3.20.1-2f579953-1332-491e-9981-d24c56650fbc-sqlitejdbc.dll
| MD5 | dfeb9c87f051ca41d1070a0b8e3c805b |
| SHA1 | bab606fb299b220d979e338c938bb3c871eeb3e6 |
| SHA256 | 32e1a9209fc62b815be176718638a1c764745ba2de60295d7d287b95dd773071 |
| SHA512 | 0369d025f65f384135227e253a56f53d8b4c63773c441036571499173b6aa6d0cef9208d548bd6e427977f1c2b2ec6e2f289a4d32831167a9bb0b2e3e79726c4 |
memory/2388-30-0x000001C4D8580000-0x000001C4D8590000-memory.dmp
memory/2388-32-0x000001C4D8590000-0x000001C4D85A0000-memory.dmp
memory/2388-34-0x000001C4D85A0000-0x000001C4D85B0000-memory.dmp
memory/2388-37-0x000001C4D85B0000-0x000001C4D85C0000-memory.dmp
memory/2388-38-0x000001C4D85C0000-0x000001C4D85D0000-memory.dmp
memory/2388-41-0x000001C4D85D0000-0x000001C4D85E0000-memory.dmp
memory/2388-42-0x000001C4D85E0000-0x000001C4D85F0000-memory.dmp
memory/2388-44-0x000001C4D85F0000-0x000001C4D8600000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Tlawpkpz\Game\sonoyuncu.txt
| MD5 | c4e084cd947c96a0b82b02c634540789 |
| SHA1 | de91618baf7eccbad86a0610176b6be79e16a094 |
| SHA256 | c926a5b9148deecb9084d03187b9297b501296de20f87db2b689066c3fbb34d2 |
| SHA512 | c2d288b2ee229c8edd1250284322a118b06a847ad05e076f4f028acd5a060864a4f6dbe77c091707aff49663e3a6d7c8e173ddc83220c44df6468c02e7eb7e85 |
C:\Users\Admin\AppData\Local\Microsoft\Tlawpkpz\Browsers\Chrome\Default\cookie.txt
| MD5 | 62c0ac2afb97ecc5c5a3c2cce6d6315e |
| SHA1 | 3c98b7ff8b9d7c35a4208df9cdea28d8d7b959d5 |
| SHA256 | 350eed026d30826a00f1185cebe2a17a2c0f96dea785fc75ef675ed4080f24c6 |
| SHA512 | 3d80a83ed6c934de6129c1a7a7a272f7f0dbe1be0c6b8911dea2122acd425c1ad0e0d266dfd0f73e6143bca6d7b74bdbab1c71e68f029696af36a176b21aa387 |