outsteel | 0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
Size

779KB
MD5

bf54e0c0740b6f0baf357153ab96d965
SHA1

6f53badd55841d225d6c6235aa45134a48e70954
SHA256

0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e
SHA512

f3be135f9682774a8e7d0c788b22bc2a3a57281c9b46c9d26083425575db33a1888673b78a13b07beed6c5645c54c7f2067c2483ec622339f048f4d46b4c726c
SSDEEP

12288:hdH3aW/CKuDuoEdv40VtsFfN0p8JTkn3JNFr5beFbWz4OK:hF3aDAvFsFfNpWn3J5eFbWzBK

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe

description	ioc	Process
File opened (read-only)	\??\e:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\l:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\m:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\o:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\z:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\b:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\j:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\k:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\p:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\w:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\x:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\a:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\g:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\i:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\r:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\u:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\y:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\h:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\n:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\q:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\s:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\t:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
File opened (read-only)	\??\v:	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/820-2-0x0000000002220000-0x00000000022FD000-memory.dmp	autoit_exe
behavioral2/memory/820-3-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-4-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-6-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-7-0x0000000002220000-0x00000000022FD000-memory.dmp	autoit_exe
behavioral2/memory/820-8-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-9-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-10-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-11-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-12-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-13-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-14-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-16-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-18-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral2/memory/820-20-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1560	820	WerFault.exe	84
5096	820	WerFault.exe	84
212	820	WerFault.exe	84
684	820	WerFault.exe	84
3668	820	WerFault.exe	84
3404	820	WerFault.exe	84
1824	820	WerFault.exe	84
4504	820	WerFault.exe	84
4328	820	WerFault.exe	84
4732	820	WerFault.exe	84
2672	820	WerFault.exe	84
2140	820	WerFault.exe	84
1016	820	WerFault.exe	84
4232	820	WerFault.exe	84
4512	820	WerFault.exe	84
4124	820	WerFault.exe	84
3632	820	WerFault.exe	84
1268	820	WerFault.exe	84
4688	820	WerFault.exe	84
4144	820	WerFault.exe	84
1148	820	WerFault.exe	84
3660	820	WerFault.exe	84
3864	820	WerFault.exe	84
4996	820	WerFault.exe	84
3108	820	WerFault.exe	84
928	820	WerFault.exe	84
3876	820	WerFault.exe	84
4828	820	WerFault.exe	84
4436	820	WerFault.exe	84
3616	820	WerFault.exe	84
5000	820	WerFault.exe	84
4492	820	WerFault.exe	84
3180	820	WerFault.exe	84
4988	820	WerFault.exe	84
4896	820	WerFault.exe	84
2728	820	WerFault.exe	84
1060	820	WerFault.exe	84
3424	820	WerFault.exe	84
4852	820	WerFault.exe	84
3828	820	WerFault.exe	84
4516	820	WerFault.exe	84
2984	820	WerFault.exe	84
1476	820	WerFault.exe	84
2568	820	WerFault.exe	84
2080	820	WerFault.exe	84
3416	820	WerFault.exe	84
3436	820	WerFault.exe	84
1340	820	WerFault.exe	84
3120	820	WerFault.exe	84
4276	820	WerFault.exe	84
4976	820	WerFault.exe	84
4912	820	WerFault.exe	84
1128	820	WerFault.exe	84
1748	820	WerFault.exe	84
2912	820	WerFault.exe	84
3432	820	WerFault.exe	84
2384	820	WerFault.exe	84
5056	820	WerFault.exe	84
1124	820	WerFault.exe	84
4636	820	WerFault.exe	84
5072	820	WerFault.exe	84
3592	820	WerFault.exe	84
2956	820	WerFault.exe	84
2108	820	WerFault.exe	84

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe

description	pid	Process	procid_target
PID 820 wrote to memory of 1748	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	88
PID 820 wrote to memory of 1748	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	88
PID 820 wrote to memory of 1748	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	88
PID 820 wrote to memory of 1072	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	93
PID 820 wrote to memory of 1072	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	93
PID 820 wrote to memory of 1072	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	93
PID 820 wrote to memory of 1476	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	106
PID 820 wrote to memory of 1476	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	106
PID 820 wrote to memory of 1476	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	106
PID 820 wrote to memory of 3764	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	117
PID 820 wrote to memory of 3764	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	117
PID 820 wrote to memory of 3764	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	117
PID 820 wrote to memory of 924	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	130
PID 820 wrote to memory of 924	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	130
PID 820 wrote to memory of 924	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	130
PID 820 wrote to memory of 4656	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	141
PID 820 wrote to memory of 4656	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	141
PID 820 wrote to memory of 4656	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	141
PID 820 wrote to memory of 2392	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	152
PID 820 wrote to memory of 2392	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	152
PID 820 wrote to memory of 2392	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	152
PID 820 wrote to memory of 4648	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	161
PID 820 wrote to memory of 4648	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	161
PID 820 wrote to memory of 4648	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	161
PID 820 wrote to memory of 2140	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	171
PID 820 wrote to memory of 2140	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	171
PID 820 wrote to memory of 2140	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	171
PID 820 wrote to memory of 2480	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	182
PID 820 wrote to memory of 2480	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	182
PID 820 wrote to memory of 2480	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	182
PID 820 wrote to memory of 2032	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	192
PID 820 wrote to memory of 2032	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	192
PID 820 wrote to memory of 2032	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	192
PID 820 wrote to memory of 3820	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	201
PID 820 wrote to memory of 3820	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	201
PID 820 wrote to memory of 3820	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	201
PID 820 wrote to memory of 2840	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	212
PID 820 wrote to memory of 2840	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	212
PID 820 wrote to memory of 2840	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	212
PID 820 wrote to memory of 4504	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	221
PID 820 wrote to memory of 4504	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	221
PID 820 wrote to memory of 4504	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	221
PID 820 wrote to memory of 1528	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	231
PID 820 wrote to memory of 1528	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	231
PID 820 wrote to memory of 1528	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	231
PID 820 wrote to memory of 1008	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	241
PID 820 wrote to memory of 1008	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	241
PID 820 wrote to memory of 1008	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	241
PID 820 wrote to memory of 2300	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	251
PID 820 wrote to memory of 2300	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	251
PID 820 wrote to memory of 2300	820	0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe	251

C:\Users\Admin\AppData\Local\Temp\0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe
"C:\Users\Admin\AppData\Local\Temp\0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
  2⤵
  PID:1748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 608
  2⤵
  - Program crash
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
  2⤵
  PID:1072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 652
  2⤵
  - Program crash
  PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 672
  2⤵
  - Program crash
  PID:212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 684
  2⤵
  - Program crash
  PID:684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 616
  2⤵
  - Program crash
  PID:3668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
  2⤵
  PID:1476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 676
  2⤵
  - Program crash
  PID:3404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 700
  2⤵
  - Program crash
  PID:1824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 708
  2⤵
  - Program crash
  PID:4504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 664
  2⤵
  - Program crash
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:3764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 704
  2⤵
  - Program crash
  PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 708
  2⤵
  - Program crash
  PID:2672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 688
  2⤵
  - Program crash
  PID:2140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 680
  2⤵
  - Program crash
  PID:1016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
  2⤵
  PID:924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 700
  2⤵
  - Program crash
  PID:4232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 612
  2⤵
  - Program crash
  PID:4512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 728
  2⤵
  - Program crash
  PID:4124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 704
  2⤵
  - Program crash
  PID:3632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
  2⤵
  PID:4656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 732
  2⤵
  - Program crash
  PID:1268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 596
  2⤵
  - Program crash
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 760
  2⤵
  - Program crash
  PID:4144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 656
  2⤵
  - Program crash
  PID:1148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
  2⤵
  PID:2392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 772
  2⤵
  - Program crash
  PID:3660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 640
  2⤵
  - Program crash
  PID:3864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 656
  2⤵
  - Program crash
  PID:4996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 780
  2⤵
  - Program crash
  PID:3108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:4648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 788
  2⤵
  - Program crash
  PID:928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 732
  2⤵
  - Program crash
  PID:3876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 716
  2⤵
  - Program crash
  PID:4828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 780
  2⤵
  - Program crash
  PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
  2⤵
  PID:2140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 796
  2⤵
  - Program crash
  PID:3616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 640
  2⤵
  - Program crash
  PID:5000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 740
  2⤵
  - Program crash
  PID:4492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 716
  2⤵
  - Program crash
  PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
  2⤵
  PID:2480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 772
  2⤵
  - Program crash
  PID:4988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 688
  2⤵
  - Program crash
  PID:4896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 812
  2⤵
  - Program crash
  PID:2728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 824
  2⤵
  - Program crash
  PID:1060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
  2⤵
  PID:2032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 832
  2⤵
  - Program crash
  PID:3424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 700
  2⤵
  - Program crash
  PID:4852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 808
  2⤵
  - Program crash
  PID:3828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 760
  2⤵
  - Program crash
  PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
  2⤵
  PID:3820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 856
  2⤵
  - Program crash
  PID:2984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 836
  2⤵
  - Program crash
  PID:1476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 864
  2⤵
  - Program crash
  PID:2568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 760
  2⤵
  - Program crash
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
  2⤵
  PID:2840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 832
  2⤵
  - Program crash
  PID:3416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 772
  2⤵
  - Program crash
  PID:3436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 880
  2⤵
  - Program crash
  PID:1340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 900
  2⤵
  - Program crash
  PID:3120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
  2⤵
  PID:4504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 908
  2⤵
  - Program crash
  PID:4276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 876
  2⤵
  - Program crash
  PID:4976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 916
  2⤵
  - Program crash
  PID:4912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 908
  2⤵
  - Program crash
  PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
  2⤵
  PID:1528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 948
  2⤵
  - Program crash
  PID:1748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 984
  2⤵
  - Program crash
  PID:2912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1004
  2⤵
  - Program crash
  PID:3432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1012
  2⤵
  - Program crash
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
  2⤵
  PID:1008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 944
  2⤵
  - Program crash
  PID:5056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 984
  2⤵
  - Program crash
  PID:1124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1000
  2⤵
  - Program crash
  PID:4636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1012
  2⤵
  - Program crash
  PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
  2⤵
  PID:2300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 892
  2⤵
  - Program crash
  PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 984
  2⤵
  - Program crash
  PID:2956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1020
  2⤵
  - Program crash
  PID:2108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 888
  2⤵
  PID:4704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 892
  2⤵
  PID:1656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 892
  2⤵
  PID:3856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 984
  2⤵
  PID:2080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 792
  2⤵
  PID:3300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1044
  2⤵
  PID:5032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1112
  2⤵
  PID:4728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1236
  2⤵
  PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 820 -ip 820
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 820 -ip 820
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 820 -ip 820
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 820 -ip 820
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 820 -ip 820
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 820 -ip 820
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 820 -ip 820
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 820 -ip 820
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 820 -ip 820
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 820 -ip 820
1⤵
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 820 -ip 820
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 820 -ip 820
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 820 -ip 820
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 820 -ip 820
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 820 -ip 820
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 820 -ip 820
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 820 -ip 820
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 820 -ip 820
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 820 -ip 820
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 820 -ip 820
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 820 -ip 820
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 820 -ip 820
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 820 -ip 820
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 820 -ip 820
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 820 -ip 820
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 820 -ip 820
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 820 -ip 820
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 820 -ip 820
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 820 -ip 820
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 820 -ip 820
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 820 -ip 820
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 820 -ip 820
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 820 -ip 820
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 820 -ip 820
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 820 -ip 820
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 820 -ip 820
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 820 -ip 820
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 820 -ip 820
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 820 -ip 820
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 820 -ip 820
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 820 -ip 820
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 820 -ip 820
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 820 -ip 820
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 820 -ip 820
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 820 -ip 820
1⤵
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 820 -ip 820
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 820 -ip 820
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 820 -ip 820
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 820 -ip 820
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 820 -ip 820
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 820 -ip 820
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 820 -ip 820
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 820 -ip 820
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 820 -ip 820
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 820 -ip 820
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 820 -ip 820
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 820 -ip 820
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 820 -ip 820
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 820 -ip 820
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 820 -ip 820
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 820 -ip 820
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 820 -ip 820
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 820 -ip 820
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 820 -ip 820
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 820 -ip 820
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 820 -ip 820
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 820 -ip 820
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 820 -ip 820
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 820 -ip 820
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 820 -ip 820
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 820 -ip 820
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 820 -ip 820
1⤵
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/820-1-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/820-2-0x0000000002220000-0x00000000022FD000-memory.dmp

Filesize
884KB

Download
memory/820-3-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-4-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-5-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/820-6-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-7-0x0000000002220000-0x00000000022FD000-memory.dmp

Filesize
884KB

Download
memory/820-8-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-9-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-10-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-11-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-12-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-13-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-14-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-16-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-18-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/820-20-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download