pony | de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-10-2022 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
Size

227KB
MD5

048a199311fab7f94c4875efa1dbd7ae
SHA1

c12904c11f04a09dea4fe96f4f7bfbab0fb69599
SHA256

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84
SHA512

7888f1b5d7a2fbcf61f1f0430f8420271d58327b92861a1ec01a86b57cec0f05fc81385d7a1998d93f780ace94f38ba3812e0faa88cdd2f215e9206b899ed7b9
SSDEEP

3072:ghMU1v4n8NTCNlMNG7rgRyD2TLimejD22u/lbtlRkE82hQP67V98KLd:ghMgt622ob6nuZ

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://www.frankyzulike.org.in/ambrose/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 3 IoCs

Processes:

smtphost.exentfsmon.exesmtphost.exe

pid process

1696 smtphost.exe
276 ntfsmon.exe
1320 smtphost.exe
Loads dropped DLL 3 IoCs

Processes:

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exesmtphost.exentfsmon.exe

pid process

968 de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
1696 smtphost.exe
276 ntfsmon.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1696	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exentfsmon.exe

description	pid	process	target process
PID 968 set thread context of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 276 set thread context of 1732	276	ntfsmon.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exesmtphost.exentfsmon.exesmtphost.exe

pid	process
968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
1696	smtphost.exe
968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
1696	smtphost.exe
968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
1696	smtphost.exe
968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
1696	smtphost.exe
968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
1696	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
276	ntfsmon.exe
1320	smtphost.exe
1320	smtphost.exe
276	ntfsmon.exe
276	ntfsmon.exe
1320	smtphost.exe
1320	smtphost.exe
1320	smtphost.exe
1320	smtphost.exe
276	ntfsmon.exe
276	ntfsmon.exe
1320	smtphost.exe
1320	smtphost.exe
276	ntfsmon.exe
276	ntfsmon.exe
1320	smtphost.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exesmtphost.exentfsmon.exesmtphost.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
Token: SeDebugPrivilege	1696	smtphost.exe
Token: SeDebugPrivilege	276	ntfsmon.exe
Token: SeDebugPrivilege	1320	smtphost.exe
Token: SeImpersonatePrivilege	1732	RegAsm.exe
Token: SeTcbPrivilege	1732	RegAsm.exe
Token: SeChangeNotifyPrivilege	1732	RegAsm.exe
Token: SeCreateTokenPrivilege	1732	RegAsm.exe
Token: SeBackupPrivilege	1732	RegAsm.exe
Token: SeRestorePrivilege	1732	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	1732	RegAsm.exe
Token: SeAssignPrimaryTokenPrivilege	1732	RegAsm.exe
Token: SeImpersonatePrivilege	1732	RegAsm.exe
Token: SeTcbPrivilege	1732	RegAsm.exe
Token: SeChangeNotifyPrivilege	1732	RegAsm.exe
Token: SeCreateTokenPrivilege	1732	RegAsm.exe
Token: SeBackupPrivilege	1732	RegAsm.exe
Token: SeRestorePrivilege	1732	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	1732	RegAsm.exe
Token: SeAssignPrimaryTokenPrivilege	1732	RegAsm.exe
Token: SeImpersonatePrivilege	1732	RegAsm.exe
Token: SeTcbPrivilege	1732	RegAsm.exe
Token: SeChangeNotifyPrivilege	1732	RegAsm.exe
Token: SeCreateTokenPrivilege	1732	RegAsm.exe
Token: SeBackupPrivilege	1732	RegAsm.exe
Token: SeRestorePrivilege	1732	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	1732	RegAsm.exe
Token: SeAssignPrimaryTokenPrivilege	1732	RegAsm.exe
Token: SeImpersonatePrivilege	1732	RegAsm.exe
Token: SeTcbPrivilege	1732	RegAsm.exe
Token: SeChangeNotifyPrivilege	1732	RegAsm.exe
Token: SeCreateTokenPrivilege	1732	RegAsm.exe
Token: SeBackupPrivilege	1732	RegAsm.exe
Token: SeRestorePrivilege	1732	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	1732	RegAsm.exe
Token: SeAssignPrimaryTokenPrivilege	1732	RegAsm.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exesmtphost.exentfsmon.exeRegAsm.exe

description	pid	process	target process
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1996	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	RegAsm.exe
PID 968 wrote to memory of 1696	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	smtphost.exe
PID 968 wrote to memory of 1696	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	smtphost.exe
PID 968 wrote to memory of 1696	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	smtphost.exe
PID 968 wrote to memory of 1696	968	de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe	smtphost.exe
PID 1696 wrote to memory of 276	1696	smtphost.exe	ntfsmon.exe
PID 1696 wrote to memory of 276	1696	smtphost.exe	ntfsmon.exe
PID 1696 wrote to memory of 276	1696	smtphost.exe	ntfsmon.exe
PID 1696 wrote to memory of 276	1696	smtphost.exe	ntfsmon.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1732	276	ntfsmon.exe	RegAsm.exe
PID 276 wrote to memory of 1320	276	ntfsmon.exe	smtphost.exe
PID 276 wrote to memory of 1320	276	ntfsmon.exe	smtphost.exe
PID 276 wrote to memory of 1320	276	ntfsmon.exe	smtphost.exe
PID 276 wrote to memory of 1320	276	ntfsmon.exe	smtphost.exe
PID 1732 wrote to memory of 1968	1732	RegAsm.exe	cmd.exe
PID 1732 wrote to memory of 1968	1732	RegAsm.exe	cmd.exe
PID 1732 wrote to memory of 1968	1732	RegAsm.exe	cmd.exe
PID 1732 wrote to memory of 1968	1732	RegAsm.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe
"C:\Users\Admin\AppData\Local\Temp\de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1996
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smtphost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smtphost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmon.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_win_path
      PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7109527.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "
        5⤵
        
        PID:1968
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smtphost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smtphost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7109527.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmon.exe

Filesize
227KB

MD5
048a199311fab7f94c4875efa1dbd7ae

SHA1
c12904c11f04a09dea4fe96f4f7bfbab0fb69599

SHA256
de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84

SHA512
7888f1b5d7a2fbcf61f1f0430f8420271d58327b92861a1ec01a86b57cec0f05fc81385d7a1998d93f780ace94f38ba3812e0faa88cdd2f215e9206b899ed7b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmon.exe

Filesize
227KB

MD5
048a199311fab7f94c4875efa1dbd7ae

SHA1
c12904c11f04a09dea4fe96f4f7bfbab0fb69599

SHA256
de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84

SHA512
7888f1b5d7a2fbcf61f1f0430f8420271d58327b92861a1ec01a86b57cec0f05fc81385d7a1998d93f780ace94f38ba3812e0faa88cdd2f215e9206b899ed7b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smtphost.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smtphost.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smtphost.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smtphost.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\ntfsmon.exe

Filesize
227KB

MD5
048a199311fab7f94c4875efa1dbd7ae

SHA1
c12904c11f04a09dea4fe96f4f7bfbab0fb69599

SHA256
de63f1e9ac97f6be5c9b02d80dc38665717d6483fdbd9778dfb3b4956683bc84

SHA512
7888f1b5d7a2fbcf61f1f0430f8420271d58327b92861a1ec01a86b57cec0f05fc81385d7a1998d93f780ace94f38ba3812e0faa88cdd2f215e9206b899ed7b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smtphost.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smtphost.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
memory/276-99-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/276-73-0x0000000000000000-mapping.dmp

Download
memory/276-77-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/968-81-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/968-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/968-55-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1320-103-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1320-90-0x0000000000000000-mapping.dmp

Download
memory/1320-96-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-67-0x0000000000000000-mapping.dmp

Download
memory/1696-78-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-76-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1732-98-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1732-94-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1732-87-0x0000000000410022-mapping.dmp

Download
memory/1732-101-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1968-100-0x0000000000000000-mapping.dmp

Download
memory/1996-57-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1996-56-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1996-59-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1996-60-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1996-63-0x0000000000410022-mapping.dmp

Download
memory/1996-64-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download