xenorat | hxxps://github[.]com/moom825/xeno-rat/releases/download/1[.]8[.]7/Release[.]zip

Analysis

max time kernel
85s
max time network
54s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-11-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/xeno-rat/releases/download/1.8.7/Release.zip

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000300000002a847-115.dat	family_xenorat
behavioral1/memory/748-117-0x0000000000E40000-0x0000000000E52000-memory.dmp	family_xenorat
behavioral1/memory/748-159-0x0000000006420000-0x000000000642A000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 1 IoCs

pid	Process
748	fdwqfqwfwq.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdwqfqwfwq.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772734179890060"	chrome.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\MRUListEx = ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1 = 7e003100000000004759bc6511004465736b746f7000680009000400efbe4759e5607c59226a2e0000002c5702000000010000000000000000003e00000000000a119a004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\NodeSlot = "3"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	xeno rat server.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Release.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe
748	fdwqfqwfwq.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
784	xeno rat server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
784	xeno rat server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 3736	4092	chrome.exe	79
PID 4092 wrote to memory of 3736	4092	chrome.exe	79
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 2688	4092	chrome.exe	80
PID 4092 wrote to memory of 5060	4092	chrome.exe	81
PID 4092 wrote to memory of 5060	4092	chrome.exe	81
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82
PID 4092 wrote to memory of 332	4092	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/moom825/xeno-rat/releases/download/1.8.7/Release.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6879cc40,0x7ffc6879cc4c,0x7ffc6879cc58
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,5295844150455558205,17714964737455737359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1744,i,5295844150455558205,17714964737455737359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2020,i,5295844150455558205,17714964737455737359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,5295844150455558205,17714964737455737359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,5295844150455558205,17714964737455737359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4700,i,5295844150455558205,17714964737455737359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3564,i,5295844150455558205,17714964737455737359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4124

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1276

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:784

C:\Users\Admin\Downloads\fdwqfqwfwq.exe
"C:\Users\Admin\Downloads\fdwqfqwfwq.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c417076eccdc7ffe98533e49545d628b

SHA1
18eb4a11ec367438a6a32c557acba12d5b480fe1

SHA256
3bd7261bbd896ea80f9dcec95d10d3707830c6b55c53c493f9db9c961b7d90e7

SHA512
4339499632ff6a27ac4982ec689928b359c9bf796e0888c0fda5c74c07f48f0c6d703d44ad4323bca166639040ddeae8d1f20952ba70b2e8c675d213781e5e3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\312502ed-d8e9-4f12-be64-689e1e8e459b.tmp

Filesize
523B

MD5
2452a0f47e7956c426347aef92d7703c

SHA1
7d5738416be9b8e9b0c6a84f48d145cd53db58e6

SHA256
9a95dc02ee615e869e39398cf7f30fe8929ccb137392c0b2ca08359f6bd099d2

SHA512
a6c5e99b5c1c98e727108bf89e35dd46ba3b0bcc37861f7a89e3d8c121227e33fc6f4b219d912523916a6ec1ff9349413b68bb6ffe8bf1ade36f357c0147f2ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
63573063b5c0683752cc65fc2987dbc4

SHA1
7d20d8a1b63e6c501e0106d26ede847920e22242

SHA256
13c29592b1d2a261b7f5370a7174d0cb712f9b99cf1b9cae6b852c3bfc19887c

SHA512
92168c8e7810e2f68aff24c58faedab73c73738c1950c9e27089e7ca2a62e9f251885e28b9ba794ee4cea5438a0222940486a7a7bec5cef2bf3a24adb886cb43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4121c967c5513f0751794909d556adfb

SHA1
b8eae2a41731cb8028b8dfd71919855032c50208

SHA256
4475ace81c05a41e2d52964a670584a19354cc761e4342198e6ceab95dcdbff5

SHA512
b790da3afd9573b36b9eba5dc7f0f826f9debb68e84853a21a61513cb4828768c6fdc24a423327de56d620a0060611a4756674fa4f261f4ac725f156595bbfbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
547943a14fde0a7664b0f79f6e697702

SHA1
9daeb4abd1559e67561c95dfec8725b2ba790a54

SHA256
87d0db294a538bebbe9d4b746c530d01d9e72585425e108f94ce6f5a3f045978

SHA512
bb0f27f39d65eaab996e7e75edade957d86e247ab11cd283d45a31540e2d6cc421b4633248ab9c2f38d53b8e4d38a9aefd6f68d4123efd152c7157c0c62eddc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f3827468a71d919c70f4c080941feb5

SHA1
e38079ea15dfaa676d2c13bca0d603a3be5b0e18

SHA256
b9d099611593e3d22c84ecbfa4b2eb146e449bd99518a79397352d35ea9d9f93

SHA512
3c08340cf1b8fd398d26711bc210c8addb360af8de09ba262b89590d13da8f152578d4a4769183b9854ff9119f631d57b6fd26ab77eb2358c2a5869325f9fe66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed92bc32be6f0ad27c62c582630fef30

SHA1
88b7b8d5c2cf67478578097d9b8051acd4c9f2dc

SHA256
3a2d05e356fb7356101e184595b8e519c5415d015dae6be2642db44a183028c6

SHA512
6d3a0b5957e413354f69a4fd8fd024cc54fffb9cb3d29194bea589b9089c1a459f11d0c5ab853b51cde9097dd146718bd01af2fda6e0e5a5abb699e88eaf5a68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc7934f3236440206951dd6e81d3d2fe

SHA1
548402179a08d612201f7e16650526d11da4d7fb

SHA256
ac1cfdb67a9a49d3cf296ef7fb3f1ecf26d93fac6923f4f2fe60dada302da106

SHA512
534b4afa10cfe64c0d4bce599b92c790082ce60cfa9dbf830f5849252d9867affebe75e7a21e726759d776d6312c0983c02fd4fd8d71ef90384ba1179c91ad29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6ed9240d247df64dc710a7e3ca74a80b

SHA1
a1628ceb3affe4b0ade57b07a4404f10408ae6a9

SHA256
0666c5ec58d368dc1766523128f9acb937163ebd2cfa7892f36abafc28c002db

SHA512
44a7b69481153824d6e7e2808a184d2fa7d75d5b6102de8057981744b6c55d8663988a5ee6b47eeb1644fb2f1360a092ce116c3b344954b62c397e7b77957815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e72c6c7b-8618-4bc0-8321-839827d80bb4.tmp

Filesize
9KB

MD5
e277ff4226940c7f7c16c68dce3d831f

SHA1
017ad43e416bf0ce3b98a2c40fc6fc528c383a90

SHA256
6daab8aae8c6cc4bce1445ce50ffb6537b7622180e45577ddd2cd0f1b6305367

SHA512
4eb7770364b8fbea880bec8d832960d7cb009ccb9ae5440767ff1674ca3c322c52d08a1a122b46f9745545a1aa1fe2584d02e7611397da52ae412584339921ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
19e3c9a55c59731b1c0415b4198a08bd

SHA1
a9f9fb1a1bcf64c397738fa1f92a4a203cdbdb98

SHA256
59a5d89824e1fe9bd0728a7cc479b804434abf3e70d6551f5eb7368eea7846e5

SHA512
5fdfbb5cd40b5cb6aaec5c7df9a2f56775d67f98daf263a74cf6a7d9861485cb7a764ab3ff355632d4010df911de168cfcd5ecd00e1cbff62023f31d709bbb92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
aea67603c909bcb13dd04971b5f1ba05

SHA1
a1d5a9cec095298fe4b746b280e039e9b7edab7c

SHA256
1c9e4bc9335b43c730f891bc3cd510aef8a47138c800e8cb64589b8bc46b35d8

SHA512
8115f65629f281a8ad28c22396a0aec0e493f518b2e21a516331ab4b64f79b5cf74b2ebad9100eb131f3ba977fa44f332bcf6c3b18810ea32e133af5a690031e

Download Submit
C:\Users\Admin\Downloads\Release.zip.crdownload

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
C:\Users\Admin\Downloads\Release.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\fdwqfqwfwq.exe

Filesize
45KB

MD5
e069304f72f1993e3a4227b5fb5337a1

SHA1
131c2b3eb9afb6a806610567fe846a09d60b5115

SHA256
5d00cfc66ae11f68bae4ac8e5a0f07158dae6bfd4ea34035b8c7c4e3be70f2c5

SHA512
26f18e40b1d4d97d997815fe3921af11f8e75e99a9386bbe39fb8820af1cbe4e9f41d3328b6a051f1d63a4dfff5b674a0abafae975f848df4272aa036771e2e9

Download Submit
memory/748-138-0x0000000006430000-0x0000000006496000-memory.dmp

Filesize
408KB

Download
memory/748-159-0x0000000006420000-0x000000000642A000-memory.dmp

Filesize
40KB

Download
memory/748-117-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/784-66-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/784-81-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/784-82-0x0000000008150000-0x0000000008274000-memory.dmp

Filesize
1.1MB

Download
memory/784-83-0x0000000008270000-0x000000000828A000-memory.dmp

Filesize
104KB

Download
memory/784-84-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/784-85-0x000000000CE60000-0x000000000CF12000-memory.dmp

Filesize
712KB

Download
memory/784-86-0x000000000CF30000-0x000000000D287000-memory.dmp

Filesize
3.3MB

Download
memory/784-88-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/784-65-0x0000000009FC0000-0x0000000009FE2000-memory.dmp

Filesize
136KB

Download
memory/784-63-0x00000000080B0000-0x00000000080CA000-memory.dmp

Filesize
104KB

Download
memory/784-64-0x00000000080A0000-0x00000000080B2000-memory.dmp

Filesize
72KB

Download
memory/784-62-0x0000000005D10000-0x0000000005D24000-memory.dmp

Filesize
80KB

Download
memory/784-61-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/784-60-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/784-59-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/784-139-0x0000000009610000-0x0000000009622000-memory.dmp

Filesize
72KB

Download
memory/784-58-0x0000000005D50000-0x00000000062F6000-memory.dmp

Filesize
5.6MB

Download
memory/784-57-0x00000000009C0000-0x0000000000BC2000-memory.dmp

Filesize
2.0MB

Download
memory/784-56-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download