guloader | 3b2c6392ce2ade6f3a5fd949df763736a273dd8daea8057869d692cb8242f066

Analysis

max time kernel
91s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-02-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpeau7xe1h.exe
Size

1.2MB
MD5

bdde3f2fca8eb09969b1dc90579a71e1
SHA1

0b259b48afbf21c5ea9c9ef52c16d15a0e52728f
SHA256

3b2c6392ce2ade6f3a5fd949df763736a273dd8daea8057869d692cb8242f066
SHA512

c6604ce727b9c84ede591c46c7831cdcf1f5df9ec70f45a9e9767901e972ec78e61a553468cd7f92bfbbd25709f4f34d946550df1709291235f8514c43abb1cf
SSDEEP

24576:9SOPcJoogMZ97gucAImvxrHeQywSoP663593VrS74Z/dT:XWoogMj9ImvnPSc/9FXZ1T

Score

10^/10

guloader collection downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1376-94-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1540-88-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1952-141-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1952-158-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1540-88-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1376-94-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1308-101-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2212-132-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1952-141-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1952-158-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Loads dropped DLL 1 IoCs

Processes:

tmpeau7xe1h.exe

pid process

2080 tmpeau7xe1h.exe

pid	process
2080	tmpeau7xe1h.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Distrix = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Mrkeblk\\Microcline.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
5 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2596 wab.exe
2596 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

tmpeau7xe1h.exewab.exe

pid process

2080 tmpeau7xe1h.exe
2596 wab.exe

flow	ioc
3	drive.google.com
5	drive.google.com

pid	process
2596	wab.exe
2596	wab.exe

pid	process
2080	tmpeau7xe1h.exe
2596	wab.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

tmpeau7xe1h.exewab.exe

description	pid	process	target process
PID 2080 set thread context of 2596	2080	tmpeau7xe1h.exe	wab.exe
PID 2596 set thread context of 1540	2596	wab.exe	wab.exe
PID 2596 set thread context of 1376	2596	wab.exe	wab.exe
PID 2596 set thread context of 1308	2596	wab.exe	wab.exe
PID 2596 set thread context of 1952	2596	wab.exe	wab.exe

Drops file in Windows directory 1 IoCs

Processes:

tmpeau7xe1h.exe

description ioc process

File created C:\Windows\resources\0409\feriegiros.lnk tmpeau7xe1h.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2816 2596 WerFault.exe wab.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

wab.exe

pid process

1540 wab.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

tmpeau7xe1h.exewab.exe

pid process

2080 tmpeau7xe1h.exe
2596 wab.exe
2596 wab.exe
2596 wab.exe
2596 wab.exe
2596 wab.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wab.exe

description pid process

Token: SeDebugPrivilege 1308 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

2596 wab.exe

description	ioc	process
File created	C:\Windows\resources\0409\feriegiros.lnk	tmpeau7xe1h.exe

pid	pid_target	process	target process
2816	2596	WerFault.exe	wab.exe

pid	process
1540	wab.exe

pid	process
2080	tmpeau7xe1h.exe
2596	wab.exe
2596	wab.exe
2596	wab.exe
2596	wab.exe
2596	wab.exe

description	pid	process
Token: SeDebugPrivilege	1308	wab.exe

pid	process
2596	wab.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

tmpeau7xe1h.exewab.exe

description	pid	process	target process
PID 2080 wrote to memory of 2596	2080	tmpeau7xe1h.exe	wab.exe
PID 2080 wrote to memory of 2596	2080	tmpeau7xe1h.exe	wab.exe
PID 2080 wrote to memory of 2596	2080	tmpeau7xe1h.exe	wab.exe
PID 2080 wrote to memory of 2596	2080	tmpeau7xe1h.exe	wab.exe
PID 2080 wrote to memory of 2596	2080	tmpeau7xe1h.exe	wab.exe
PID 2080 wrote to memory of 2596	2080	tmpeau7xe1h.exe	wab.exe
PID 2596 wrote to memory of 1540	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1540	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1540	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1540	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1540	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1376	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1376	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1376	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1376	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1376	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1308	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1308	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1308	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1308	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1308	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1952	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1952	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1952	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1952	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 1952	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 2180	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 2180	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 2180	2596	wab.exe	wab.exe
PID 2596 wrote to memory of 2180	2596	wab.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\tmpeau7xe1h.exe
"C:\Users\Admin\AppData\Local\Temp\tmpeau7xe1h.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2080

C:\Program Files (x86)\windows mail\wab.exe
"C:\Users\Admin\AppData\Local\Temp\tmpeau7xe1h.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dlnffmwpvrekbo"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ofsyxegrjzwpluldx"
3⤵
- Accesses Microsoft Outlook accounts
PID:1376

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qhgiyxrkxhouojahousev"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vqhsdowyhmkak"
3⤵
PID:1952

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fkmlwghrvucfmwov"
3⤵
PID:2180

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\inrexzsticujxckzres"
3⤵
PID:2212

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kurbwtdvifteisbcthnca"
3⤵
PID:1820

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\uowuxmoownlrkyxgcsaelock"
3⤵
PID:2164

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjbmyeyqkvdwvelstdufosxbgxf"
3⤵
PID:3048

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zqasxzksjybrgukooyhoglfikrmxd"
3⤵
PID:2396

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jkgdyrulxgteiayafjcqrqzrtxeyecvp"
3⤵
PID:2068

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mntv"
3⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 448
3⤵
- Program crash
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bhv8F6.tmp
Filesize
9.9MB

MD5
6d838479ef21b3885a90aabec2ad056a

SHA1
2682e79672865b11d90682cfeb021a7434745e9d

SHA256
4e42b0bfa16f98748ab75b1f7898c16a8218bfb8ad0b14b6a79b15cb09838253

SHA512
9263a0649737467804252091b0a9b7c20714e29e5224a6dfd8101c1590ff805ba68bfb4e87270b0c9c844993aba05ef73bbb502dd618ebd31153adda60059d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqasxzksjybrgukooyhoglfikrmxd
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4FF7.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
memory/1308-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1308-101-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1308-93-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1376-91-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1376-94-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1376-87-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1540-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1540-88-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1540-81-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1540-86-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1952-158-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1952-141-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1952-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2080-25-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2080-24-0x00000000775B0000-0x0000000077686000-memory.dmp

Filesize
856KB

Download
memory/2080-23-0x00000000773C0000-0x0000000077569000-memory.dmp

Filesize
1.7MB

Download
memory/2080-22-0x0000000003860000-0x0000000006B48000-memory.dmp

Filesize
50.9MB

Download
memory/2080-21-0x0000000003860000-0x0000000006B48000-memory.dmp

Filesize
50.9MB

Download
memory/2212-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2596-62-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-104-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-66-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-67-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-68-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-69-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-72-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-73-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-74-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-75-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-76-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-77-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-64-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-63-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-61-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-60-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-95-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-59-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-58-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-82-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-57-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-55-0x0000000001B20000-0x0000000004E08000-memory.dmp

Filesize
50.9MB

Download
memory/2596-96-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-98-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-56-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-100-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-102-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-54-0x00000000775B0000-0x0000000077686000-memory.dmp

Filesize
856KB

Download
memory/2596-103-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-65-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-105-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-106-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-107-0x00000000775B0000-0x0000000077686000-memory.dmp

Filesize
856KB

Download
memory/2596-53-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-112-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-116-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-127-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-128-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-129-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-130-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-131-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-31-0x0000000001B20000-0x0000000004E08000-memory.dmp

Filesize
50.9MB

Download
memory/2596-133-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-134-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-135-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-136-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-137-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-138-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-139-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-29-0x00000000775B0000-0x0000000077686000-memory.dmp

Filesize
856KB

Download
memory/2596-140-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-142-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-143-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-144-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-148-0x0000000000AB0000-0x0000000001B12000-memory.dmp

Filesize
16.4MB

Download
memory/2596-28-0x00000000775E6000-0x00000000775E7000-memory.dmp

Filesize
4KB

Download
memory/2596-27-0x00000000773C0000-0x0000000077569000-memory.dmp

Filesize
1.7MB

Download
memory/2596-26-0x0000000001B20000-0x0000000004E08000-memory.dmp

Filesize
50.9MB

Download