xenorat | c1660f29a63ef53452026f41494cfef417c10354ba6218d2105ec7d7aef87ec6

Analysis

max time kernel
48s
max time network
108s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PENTESTING.exe
Size

45KB
MD5

16956f8d3753f83bf7e896c77a5d57c0
SHA1

fd61d797498534ff0a3f9c99f9d92439df912001
SHA256

c1660f29a63ef53452026f41494cfef417c10354ba6218d2105ec7d7aef87ec6
SHA512

e49384fe9d9e23e2f40a3703cce2c4f7f9a54ed1ca66f9ffddd8d64eb18f15bbbec76c6db977f8716aeadeec4cc52158fd9e59db56f1b4961f7084422b893851
SSDEEP

768:ldhO/poiiUcjlJInAqH9Xqk5nWEZ5SbTDa3WI7CPW50:7w+jjgnrH9XqcnW85SbTuWIM

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

PENTESTING

Attributes

delay
5000
install_path
temp
port
4444
startup_name
Windows Servieces for Defender

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2396-1-0x0000000000120000-0x0000000000132000-memory.dmp	family_xenorat
behavioral1/files/0x00100000000162e9-4.dat	family_xenorat
behavioral1/memory/644-9-0x00000000013B0000-0x00000000013C2000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 1 IoCs

pid	Process
644	PENTESTING.exe

Loads dropped DLL 1 IoCs

pid	Process
2396	PENTESTING.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PENTESTING.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PENTESTING.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2956	chrome.exe
2956	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: 33	2756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2756	AUDIODG.EXE
Token: 33	2756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2756	AUDIODG.EXE
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 644	2396	PENTESTING.exe	29
PID 2396 wrote to memory of 644	2396	PENTESTING.exe	29
PID 2396 wrote to memory of 644	2396	PENTESTING.exe	29
PID 2396 wrote to memory of 644	2396	PENTESTING.exe	29
PID 644 wrote to memory of 2288	644	PENTESTING.exe	30
PID 644 wrote to memory of 2288	644	PENTESTING.exe	30
PID 644 wrote to memory of 2288	644	PENTESTING.exe	30
PID 644 wrote to memory of 2288	644	PENTESTING.exe	30
PID 2956 wrote to memory of 2964	2956	chrome.exe	37
PID 2956 wrote to memory of 2964	2956	chrome.exe	37
PID 2956 wrote to memory of 2964	2956	chrome.exe	37
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 1280	2956	chrome.exe	39
PID 2956 wrote to memory of 780	2956	chrome.exe	40
PID 2956 wrote to memory of 780	2956	chrome.exe	40
PID 2956 wrote to memory of 780	2956	chrome.exe	40
PID 2956 wrote to memory of 1300	2956	chrome.exe	41
PID 2956 wrote to memory of 1300	2956	chrome.exe	41
PID 2956 wrote to memory of 1300	2956	chrome.exe	41
PID 2956 wrote to memory of 1300	2956	chrome.exe	41
PID 2956 wrote to memory of 1300	2956	chrome.exe	41
PID 2956 wrote to memory of 1300	2956	chrome.exe	41
PID 2956 wrote to memory of 1300	2956	chrome.exe	41
PID 2956 wrote to memory of 1300	2956	chrome.exe	41
PID 2956 wrote to memory of 1300	2956	chrome.exe	41
PID 2956 wrote to memory of 1300	2956	chrome.exe	41
PID 2956 wrote to memory of 1300	2956	chrome.exe	41

C:\Users\Admin\AppData\Local\Temp\PENTESTING.exe
"C:\Users\Admin\AppData\Local\Temp\PENTESTING.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\XenoManager\PENTESTING.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\PENTESTING.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Windows Servieces for Defender" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9FA9.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2288

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x45c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5869758,0x7fef5869768,0x7fef5869778
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1360,i,8299879746686589788,9560405918090882504,131072 /prefetch:2
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1360,i,8299879746686589788,9560405918090882504,131072 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1360,i,8299879746686589788,9560405918090882504,131072 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2236 --field-trial-handle=1360,i,8299879746686589788,9560405918090882504,131072 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2244 --field-trial-handle=1360,i,8299879746686589788,9560405918090882504,131072 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1360,i,8299879746686589788,9560405918090882504,131072 /prefetch:2
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2192 --field-trial-handle=1360,i,8299879746686589788,9560405918090882504,131072 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3484 --field-trial-handle=1360,i,8299879746686589788,9560405918090882504,131072 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3500 --field-trial-handle=1360,i,8299879746686589788,9560405918090882504,131072 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 --field-trial-handle=1360,i,8299879746686589788,9560405918090882504,131072 /prefetch:8
  2⤵
  PID:2780

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
98644285b0df151e3471b2e015ec6f53

SHA1
3fd3148c47aa075c9087d0cb5deffeae28fa10a6

SHA256
3c3e45e4e97d7b12153f3d6d51f4c7c6f763605ebf016fb251b0ddcb2078dc88

SHA512
da83d869a5a490102c0eea75e494749ec6d7c1c56d1170ba5433db0992b5448dc17814bcb5f253df67fbd1e591bb3ae25769f682f55ad984f2ce76a60da17d3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9FA9.tmp

Filesize
1KB

MD5
a247ebed4d178c3d18cde61319da03f8

SHA1
4db31b193d264643419f986324ed99d29fd49471

SHA256
7bf644501f2b4d8cb0b0460a86fb35cb9ab604a49f8b3861583eb421fe9dc936

SHA512
c71a9b8ba6b903ee5a914d9f4e46aaa931c4f0f13b0e36bd4041ba486b049b39153aab0509ea126601e846f19a41fb6c4ba53513c0585ff5a696019b30f29114

Download Submit
\Users\Admin\AppData\Local\Temp\XenoManager\PENTESTING.exe

Filesize
45KB

MD5
16956f8d3753f83bf7e896c77a5d57c0

SHA1
fd61d797498534ff0a3f9c99f9d92439df912001

SHA256
c1660f29a63ef53452026f41494cfef417c10354ba6218d2105ec7d7aef87ec6

SHA512
e49384fe9d9e23e2f40a3703cce2c4f7f9a54ed1ca66f9ffddd8d64eb18f15bbbec76c6db977f8716aeadeec4cc52158fd9e59db56f1b4961f7084422b893851

Download Submit
memory/644-9-0x00000000013B0000-0x00000000013C2000-memory.dmp

Filesize
72KB

Download
memory/644-14-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/644-15-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/644-13-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/644-10-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/2396-1-0x0000000000120000-0x0000000000132000-memory.dmp

Filesize
72KB

Download