pony | daa8802270996f3d7b4835fd9fba42da054ad1a58403854c0f86b0666c631ac1

Analysis

max time kernel
174s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

110.exe
Size

242KB
MD5

c0224c4d9628b324db1af4d9007fa46c
SHA1

1d264386f3d36b28f78f3cba45c189e0c065ce16
SHA256

673a680f2bad58c131f64dcf538e9e4539ea5b5319020ce27d05baffe9ea0984
SHA512

339492a6de4aa920db03f8e4cff3e76052372096f068d4d5984ffc7fc93d15423ee4a35b24f583a2edb67658e7411d9789fe4024223c27015fe8f555407bbe03
SSDEEP

3072:5hmeYAv6OUGsjtZfSPAnk2eFkf2zXm5XHxXQ41lfmLjCsyQQHX0LTvNaJS7X9hkg:JYAUGs/fSPAkDFKXJHQgENaU7X9h

Score

10^/10

pony collection discovery persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://exportservices.co.in/david/Panel/gate.php

Attributes

payload_url
http://exportservices.co.in/david/Panel/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 3 IoCs

pid	Process
1476	AeLookupSvi.exe
428	ProfSvc.exe
556	ProfSvc.exe

Loads dropped DLL 2 IoCs

pid	Process
912	110.exe
1476	AeLookupSvi.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	takshost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	110.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	ProfSvc.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	110.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ProfSvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	takshost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application Experience = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AeLookupSvi.exe"	AeLookupSvi.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 912 set thread context of 1100	912	110.exe	28
PID 428 set thread context of 556	428	ProfSvc.exe	33
PID 1128 set thread context of 1616	1128	takshost.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
912	110.exe
1476	AeLookupSvi.exe
912	110.exe
1476	AeLookupSvi.exe
428	ProfSvc.exe
1476	AeLookupSvi.exe
1476	AeLookupSvi.exe
1476	AeLookupSvi.exe
428	ProfSvc.exe
1476	AeLookupSvi.exe
1128	takshost.exe
1128	takshost.exe
428	ProfSvc.exe
1128	takshost.exe
428	ProfSvc.exe
1476	AeLookupSvi.exe
1128	takshost.exe
428	ProfSvc.exe
1128	takshost.exe
428	ProfSvc.exe
1476	AeLookupSvi.exe
1128	takshost.exe
428	ProfSvc.exe
1128	takshost.exe
428	ProfSvc.exe
1476	AeLookupSvi.exe
1128	takshost.exe
428	ProfSvc.exe
1128	takshost.exe
428	ProfSvc.exe
1476	AeLookupSvi.exe
1128	takshost.exe
428	ProfSvc.exe
1128	takshost.exe
428	ProfSvc.exe
1476	AeLookupSvi.exe
1128	takshost.exe
428	ProfSvc.exe
1128	takshost.exe
428	ProfSvc.exe
1476	AeLookupSvi.exe
1128	takshost.exe
428	ProfSvc.exe
1128	takshost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
912	110.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	110.exe
Token: SeImpersonatePrivilege	1100	110.exe
Token: SeTcbPrivilege	1100	110.exe
Token: SeChangeNotifyPrivilege	1100	110.exe
Token: SeCreateTokenPrivilege	1100	110.exe
Token: SeBackupPrivilege	1100	110.exe
Token: SeRestorePrivilege	1100	110.exe
Token: SeIncreaseQuotaPrivilege	1100	110.exe
Token: SeAssignPrimaryTokenPrivilege	1100	110.exe
Token: SeDebugPrivilege	1476	AeLookupSvi.exe
Token: SeDebugPrivilege	428	ProfSvc.exe
Token: SeImpersonatePrivilege	1100	110.exe
Token: SeTcbPrivilege	1100	110.exe
Token: SeChangeNotifyPrivilege	1100	110.exe
Token: SeCreateTokenPrivilege	1100	110.exe
Token: SeBackupPrivilege	1100	110.exe
Token: SeRestorePrivilege	1100	110.exe
Token: SeIncreaseQuotaPrivilege	1100	110.exe
Token: SeAssignPrimaryTokenPrivilege	1100	110.exe
Token: SeDebugPrivilege	1128	takshost.exe
Token: SeImpersonatePrivilege	1100	110.exe
Token: SeTcbPrivilege	1100	110.exe
Token: SeChangeNotifyPrivilege	1100	110.exe
Token: SeCreateTokenPrivilege	1100	110.exe
Token: SeBackupPrivilege	1100	110.exe
Token: SeRestorePrivilege	1100	110.exe
Token: SeIncreaseQuotaPrivilege	1100	110.exe
Token: SeAssignPrimaryTokenPrivilege	1100	110.exe
Token: SeImpersonatePrivilege	1100	110.exe
Token: SeTcbPrivilege	1100	110.exe
Token: SeChangeNotifyPrivilege	1100	110.exe
Token: SeCreateTokenPrivilege	1100	110.exe
Token: SeBackupPrivilege	1100	110.exe
Token: SeRestorePrivilege	1100	110.exe
Token: SeIncreaseQuotaPrivilege	1100	110.exe
Token: SeAssignPrimaryTokenPrivilege	1100	110.exe
Token: SeImpersonatePrivilege	556	ProfSvc.exe
Token: SeTcbPrivilege	556	ProfSvc.exe
Token: SeChangeNotifyPrivilege	556	ProfSvc.exe
Token: SeCreateTokenPrivilege	556	ProfSvc.exe
Token: SeBackupPrivilege	556	ProfSvc.exe
Token: SeRestorePrivilege	556	ProfSvc.exe
Token: SeIncreaseQuotaPrivilege	556	ProfSvc.exe
Token: SeAssignPrimaryTokenPrivilege	556	ProfSvc.exe
Token: SeImpersonatePrivilege	1616	takshost.exe
Token: SeTcbPrivilege	1616	takshost.exe
Token: SeChangeNotifyPrivilege	1616	takshost.exe
Token: SeCreateTokenPrivilege	1616	takshost.exe
Token: SeBackupPrivilege	1616	takshost.exe
Token: SeRestorePrivilege	1616	takshost.exe
Token: SeIncreaseQuotaPrivilege	1616	takshost.exe
Token: SeAssignPrimaryTokenPrivilege	1616	takshost.exe
Token: SeImpersonatePrivilege	556	ProfSvc.exe
Token: SeTcbPrivilege	556	ProfSvc.exe
Token: SeChangeNotifyPrivilege	556	ProfSvc.exe
Token: SeCreateTokenPrivilege	556	ProfSvc.exe
Token: SeBackupPrivilege	556	ProfSvc.exe
Token: SeRestorePrivilege	556	ProfSvc.exe
Token: SeIncreaseQuotaPrivilege	556	ProfSvc.exe
Token: SeAssignPrimaryTokenPrivilege	556	ProfSvc.exe
Token: SeImpersonatePrivilege	556	ProfSvc.exe
Token: SeTcbPrivilege	556	ProfSvc.exe
Token: SeChangeNotifyPrivilege	556	ProfSvc.exe
Token: SeCreateTokenPrivilege	556	ProfSvc.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1100	912	110.exe	28
PID 912 wrote to memory of 1100	912	110.exe	28
PID 912 wrote to memory of 1100	912	110.exe	28
PID 912 wrote to memory of 1100	912	110.exe	28
PID 912 wrote to memory of 1100	912	110.exe	28
PID 912 wrote to memory of 1100	912	110.exe	28
PID 912 wrote to memory of 1100	912	110.exe	28
PID 912 wrote to memory of 1100	912	110.exe	28
PID 912 wrote to memory of 1100	912	110.exe	28
PID 912 wrote to memory of 1476	912	110.exe	29
PID 912 wrote to memory of 1476	912	110.exe	29
PID 912 wrote to memory of 1476	912	110.exe	29
PID 912 wrote to memory of 1476	912	110.exe	29
PID 1476 wrote to memory of 428	1476	AeLookupSvi.exe	31
PID 1476 wrote to memory of 428	1476	AeLookupSvi.exe	31
PID 1476 wrote to memory of 428	1476	AeLookupSvi.exe	31
PID 1476 wrote to memory of 428	1476	AeLookupSvi.exe	31
PID 912 wrote to memory of 1128	912	110.exe	32
PID 912 wrote to memory of 1128	912	110.exe	32
PID 912 wrote to memory of 1128	912	110.exe	32
PID 912 wrote to memory of 1128	912	110.exe	32
PID 428 wrote to memory of 556	428	ProfSvc.exe	33
PID 428 wrote to memory of 556	428	ProfSvc.exe	33
PID 428 wrote to memory of 556	428	ProfSvc.exe	33
PID 428 wrote to memory of 556	428	ProfSvc.exe	33
PID 428 wrote to memory of 556	428	ProfSvc.exe	33
PID 428 wrote to memory of 556	428	ProfSvc.exe	33
PID 428 wrote to memory of 556	428	ProfSvc.exe	33
PID 428 wrote to memory of 556	428	ProfSvc.exe	33
PID 428 wrote to memory of 556	428	ProfSvc.exe	33
PID 1128 wrote to memory of 1616	1128	takshost.exe	34
PID 1128 wrote to memory of 1616	1128	takshost.exe	34
PID 1128 wrote to memory of 1616	1128	takshost.exe	34
PID 1128 wrote to memory of 1616	1128	takshost.exe	34
PID 1128 wrote to memory of 1616	1128	takshost.exe	34
PID 1128 wrote to memory of 1616	1128	takshost.exe	34
PID 1128 wrote to memory of 1616	1128	takshost.exe	34
PID 1128 wrote to memory of 1616	1128	takshost.exe	34
PID 1128 wrote to memory of 1616	1128	takshost.exe	34
PID 1100 wrote to memory of 1588	1100	110.exe	35
PID 1100 wrote to memory of 1588	1100	110.exe	35
PID 1100 wrote to memory of 1588	1100	110.exe	35
PID 1100 wrote to memory of 1588	1100	110.exe	35
PID 556 wrote to memory of 1648	556	ProfSvc.exe	37
PID 556 wrote to memory of 1648	556	ProfSvc.exe	37
PID 556 wrote to memory of 1648	556	ProfSvc.exe	37
PID 556 wrote to memory of 1648	556	ProfSvc.exe	37
PID 1616 wrote to memory of 888	1616	takshost.exe	39
PID 1616 wrote to memory of 888	1616	takshost.exe	39
PID 1616 wrote to memory of 888	1616	takshost.exe	39
PID 1616 wrote to memory of 888	1616	takshost.exe	39

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	takshost.exe

C:\Users\Admin\AppData\Local\Temp\110.exe
"C:\Users\Admin\AppData\Local\Temp\110.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\110.exe
  "C:\Users\Admin\AppData\Local\Temp\110.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7125922.bat" "C:\Users\Admin\AppData\Local\Temp\110.exe" "
    3⤵
    PID:1588
- C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7138028.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe" "
        5⤵
        
        PID:1648
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    3⤵
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7139058.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe" "
      4⤵
      PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7125922.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7138028.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7139058.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

Filesize
8KB

MD5
0ad079e611cf1a31bc5b01ee17fe607d

SHA1
d769361e8d0289cfc79adb2b0a5e6f3b9af33c15

SHA256
8a0d39c067024add12353126cd79c6ceb8f1680895a0f81737aae070568e38f5

SHA512
f78ebeda9e01b6deab338a800be8b267e594845ee258c3e83e12f8c216a11599fe63c15147c26fbab2b4090d30739893299b506cbc28025154ea4ec0726e1f05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

Filesize
8KB

MD5
0ad079e611cf1a31bc5b01ee17fe607d

SHA1
d769361e8d0289cfc79adb2b0a5e6f3b9af33c15

SHA256
8a0d39c067024add12353126cd79c6ceb8f1680895a0f81737aae070568e38f5

SHA512
f78ebeda9e01b6deab338a800be8b267e594845ee258c3e83e12f8c216a11599fe63c15147c26fbab2b4090d30739893299b506cbc28025154ea4ec0726e1f05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

Filesize
242KB

MD5
c0224c4d9628b324db1af4d9007fa46c

SHA1
1d264386f3d36b28f78f3cba45c189e0c065ce16

SHA256
673a680f2bad58c131f64dcf538e9e4539ea5b5319020ce27d05baffe9ea0984

SHA512
339492a6de4aa920db03f8e4cff3e76052372096f068d4d5984ffc7fc93d15423ee4a35b24f583a2edb67658e7411d9789fe4024223c27015fe8f555407bbe03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

Filesize
242KB

MD5
c0224c4d9628b324db1af4d9007fa46c

SHA1
1d264386f3d36b28f78f3cba45c189e0c065ce16

SHA256
673a680f2bad58c131f64dcf538e9e4539ea5b5319020ce27d05baffe9ea0984

SHA512
339492a6de4aa920db03f8e4cff3e76052372096f068d4d5984ffc7fc93d15423ee4a35b24f583a2edb67658e7411d9789fe4024223c27015fe8f555407bbe03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

Filesize
242KB

MD5
c0224c4d9628b324db1af4d9007fa46c

SHA1
1d264386f3d36b28f78f3cba45c189e0c065ce16

SHA256
673a680f2bad58c131f64dcf538e9e4539ea5b5319020ce27d05baffe9ea0984

SHA512
339492a6de4aa920db03f8e4cff3e76052372096f068d4d5984ffc7fc93d15423ee4a35b24f583a2edb67658e7411d9789fe4024223c27015fe8f555407bbe03

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AeLookupSvi.exe

Filesize
8KB

MD5
0ad079e611cf1a31bc5b01ee17fe607d

SHA1
d769361e8d0289cfc79adb2b0a5e6f3b9af33c15

SHA256
8a0d39c067024add12353126cd79c6ceb8f1680895a0f81737aae070568e38f5

SHA512
f78ebeda9e01b6deab338a800be8b267e594845ee258c3e83e12f8c216a11599fe63c15147c26fbab2b4090d30739893299b506cbc28025154ea4ec0726e1f05

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\ProfSvc.exe

Filesize
242KB

MD5
c0224c4d9628b324db1af4d9007fa46c

SHA1
1d264386f3d36b28f78f3cba45c189e0c065ce16

SHA256
673a680f2bad58c131f64dcf538e9e4539ea5b5319020ce27d05baffe9ea0984

SHA512
339492a6de4aa920db03f8e4cff3e76052372096f068d4d5984ffc7fc93d15423ee4a35b24f583a2edb67658e7411d9789fe4024223c27015fe8f555407bbe03

Download Submit
memory/428-82-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/428-115-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/556-112-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/556-118-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/912-88-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/912-55-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/912-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/912-74-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-111-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1100-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1100-72-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1100-62-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1100-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1100-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1100-80-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1100-66-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1100-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1128-116-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1128-85-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-81-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-73-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-113-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1616-122-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download