pony | 115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

Analysis

max time kernel
48s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe
Size

136KB
MD5

3276ed4c930c7f3f20e6492199139ea9
SHA1

d0837fc9960823be07f44439aa439018d974454f
SHA256

115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304
SHA512

10018be30db6cacf6584eadcb8d0822a36b70356fc64a52c9243245ae7a15149dd9f7c65aac7c83d22a1102a62f8ae847d051966c31c85c2bf81c4af95109703
SSDEEP

3072:zstGUIKGNj4y6tgdYCVmRL4sjDfdTs3oRlqhdd:zstGyYsyTv8+s/fdTq

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://www.bigdaddygroup.in/wp-admin/images/panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 2 IoCs

Processes:

Pony.exeWindows.exe

pid process

1516 Pony.exe
1020 Windows.exe

pid	process
1516	Pony.exe
1020	Windows.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Pony.exe	upx
\Users\Admin\AppData\Roaming\Pony.exe	upx
C:\Users\Admin\AppData\Roaming\Pony.exe	upx
behavioral1/memory/1516-67-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1120-72-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1120-75-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1120-77-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1120-82-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1120-80-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1120-84-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1516-88-0x0000000000400000-0x000000000041D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Pony.exe	upx

Loads dropped DLL 4 IoCs

Processes:

115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe

pid	process
1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe
1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe
1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe
1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exePony.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Pony.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exePony.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Pony.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Windows.exe

description pid process target process

PID 1020 set thread context of 1120 1020 Windows.exe svchost.exe

description	pid	process	target process
PID 1020 set thread context of 1120	1020	Windows.exe	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows.exe	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe
File opened for modification	C:\Program Files (x86)\Windows.exe	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

580 schtasks.exe

pid	process
580	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Pony.exesvchost.exe

description	pid	process
Token: SeImpersonatePrivilege	1516	Pony.exe
Token: SeTcbPrivilege	1516	Pony.exe
Token: SeChangeNotifyPrivilege	1516	Pony.exe
Token: SeCreateTokenPrivilege	1516	Pony.exe
Token: SeBackupPrivilege	1516	Pony.exe
Token: SeRestorePrivilege	1516	Pony.exe
Token: SeIncreaseQuotaPrivilege	1516	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	1516	Pony.exe
Token: SeImpersonatePrivilege	1120	svchost.exe
Token: SeTcbPrivilege	1120	svchost.exe
Token: SeChangeNotifyPrivilege	1120	svchost.exe
Token: SeCreateTokenPrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeImpersonatePrivilege	1120	svchost.exe
Token: SeTcbPrivilege	1120	svchost.exe
Token: SeChangeNotifyPrivilege	1120	svchost.exe
Token: SeCreateTokenPrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeImpersonatePrivilege	1120	svchost.exe
Token: SeTcbPrivilege	1120	svchost.exe
Token: SeChangeNotifyPrivilege	1120	svchost.exe
Token: SeCreateTokenPrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeImpersonatePrivilege	1120	svchost.exe
Token: SeTcbPrivilege	1120	svchost.exe
Token: SeChangeNotifyPrivilege	1120	svchost.exe
Token: SeCreateTokenPrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeImpersonatePrivilege	1516	Pony.exe
Token: SeTcbPrivilege	1516	Pony.exe
Token: SeChangeNotifyPrivilege	1516	Pony.exe
Token: SeCreateTokenPrivilege	1516	Pony.exe
Token: SeBackupPrivilege	1516	Pony.exe
Token: SeRestorePrivilege	1516	Pony.exe
Token: SeIncreaseQuotaPrivilege	1516	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	1516	Pony.exe
Token: SeImpersonatePrivilege	1516	Pony.exe
Token: SeTcbPrivilege	1516	Pony.exe
Token: SeChangeNotifyPrivilege	1516	Pony.exe
Token: SeCreateTokenPrivilege	1516	Pony.exe
Token: SeBackupPrivilege	1516	Pony.exe
Token: SeRestorePrivilege	1516	Pony.exe
Token: SeIncreaseQuotaPrivilege	1516	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	1516	Pony.exe
Token: SeImpersonatePrivilege	1516	Pony.exe
Token: SeTcbPrivilege	1516	Pony.exe
Token: SeChangeNotifyPrivilege	1516	Pony.exe
Token: SeCreateTokenPrivilege	1516	Pony.exe
Token: SeBackupPrivilege	1516	Pony.exe
Token: SeRestorePrivilege	1516	Pony.exe
Token: SeIncreaseQuotaPrivilege	1516	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	1516	Pony.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exeWindows.exesvchost.exePony.exe

description	pid	process	target process
PID 1328 wrote to memory of 1516	1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Pony.exe
PID 1328 wrote to memory of 1516	1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Pony.exe
PID 1328 wrote to memory of 1516	1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Pony.exe
PID 1328 wrote to memory of 1516	1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Pony.exe
PID 1328 wrote to memory of 1020	1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Windows.exe
PID 1328 wrote to memory of 1020	1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Windows.exe
PID 1328 wrote to memory of 1020	1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Windows.exe
PID 1328 wrote to memory of 1020	1328	115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe	Windows.exe
PID 1020 wrote to memory of 580	1020	Windows.exe	schtasks.exe
PID 1020 wrote to memory of 580	1020	Windows.exe	schtasks.exe
PID 1020 wrote to memory of 580	1020	Windows.exe	schtasks.exe
PID 1020 wrote to memory of 580	1020	Windows.exe	schtasks.exe
PID 1020 wrote to memory of 1120	1020	Windows.exe	svchost.exe
PID 1020 wrote to memory of 1120	1020	Windows.exe	svchost.exe
PID 1020 wrote to memory of 1120	1020	Windows.exe	svchost.exe
PID 1020 wrote to memory of 1120	1020	Windows.exe	svchost.exe
PID 1020 wrote to memory of 1120	1020	Windows.exe	svchost.exe
PID 1020 wrote to memory of 1120	1020	Windows.exe	svchost.exe
PID 1020 wrote to memory of 1120	1020	Windows.exe	svchost.exe
PID 1020 wrote to memory of 1120	1020	Windows.exe	svchost.exe
PID 1120 wrote to memory of 680	1120	svchost.exe	cmd.exe
PID 1120 wrote to memory of 680	1120	svchost.exe	cmd.exe
PID 1120 wrote to memory of 680	1120	svchost.exe	cmd.exe
PID 1120 wrote to memory of 680	1120	svchost.exe	cmd.exe
PID 1516 wrote to memory of 1956	1516	Pony.exe	cmd.exe
PID 1516 wrote to memory of 1956	1516	Pony.exe	cmd.exe
PID 1516 wrote to memory of 1956	1516	Pony.exe	cmd.exe
PID 1516 wrote to memory of 1956	1516	Pony.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

Pony.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Pony.exe

C:\Users\Admin\AppData\Local\Temp\115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe
"C:\Users\Admin\AppData\Local\Temp\115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Roaming\Pony.exe
  "C:\Users\Admin\AppData\Roaming\Pony.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7093459.bat" "C:\Users\Admin\AppData\Roaming\Pony.exe" "
    3⤵
    PID:1956
- C:\Program Files (x86)\Windows.exe
  "C:\Program Files (x86)\Windows.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\98327065.xml"
    3⤵
    - Creates scheduled task(s)
    PID:580
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7090089.bat" "C:\Windows\SysWOW64\svchost.exe" "
      4⤵
      PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows.exe

Filesize
136KB

MD5
3276ed4c930c7f3f20e6492199139ea9

SHA1
d0837fc9960823be07f44439aa439018d974454f

SHA256
115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

SHA512
10018be30db6cacf6584eadcb8d0822a36b70356fc64a52c9243245ae7a15149dd9f7c65aac7c83d22a1102a62f8ae847d051966c31c85c2bf81c4af95109703

Download Submit
C:\Program Files (x86)\Windows.exe

Filesize
136KB

MD5
3276ed4c930c7f3f20e6492199139ea9

SHA1
d0837fc9960823be07f44439aa439018d974454f

SHA256
115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

SHA512
10018be30db6cacf6584eadcb8d0822a36b70356fc64a52c9243245ae7a15149dd9f7c65aac7c83d22a1102a62f8ae847d051966c31c85c2bf81c4af95109703

Download Submit
C:\Users\Admin\AppData\Local\Temp\7090089.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7093459.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\98327065.xml

Filesize
1KB

MD5
9b455e6c6de92de9fbca5bce1c74f0ba

SHA1
bacad1f2af2c72f1d9669928ec8b62499415b816

SHA256
6b7c5d35ba75727256db67a479d627b78e71cd32e4712a46190b92bba922556d

SHA512
f26d6e9c26e87201a248f925fc4b28961d7f96ae99b1d0de5d2754862043e537fb97e271eb9575ba3feb5025cfe82d7512154262419ee4a29cd1117f89876ddb

Download Submit
C:\Users\Admin\AppData\Roaming\Pony.exe

Filesize
34KB

MD5
ce17b05eeb7960d69b2169f62faad510

SHA1
8ba96e55cb0bcea218f05f4a063cd8c7a6e57d06

SHA256
cb6451851012e919e11960d96ecc1f45c0bbddb65e4b33ee0a40e5a934b9374f

SHA512
a4dd7a0edcc46f3a38675c036df1affaa042aea4ad5df94980efe2f15fa44a4c31af59bbbf8c2039f179a2ec3427f5bdddd397643de5c69e6c1aa0db43ef3c0d

Download Submit
C:\Users\Admin\AppData\Roaming\Pony.exe

Filesize
34KB

MD5
ce17b05eeb7960d69b2169f62faad510

SHA1
8ba96e55cb0bcea218f05f4a063cd8c7a6e57d06

SHA256
cb6451851012e919e11960d96ecc1f45c0bbddb65e4b33ee0a40e5a934b9374f

SHA512
a4dd7a0edcc46f3a38675c036df1affaa042aea4ad5df94980efe2f15fa44a4c31af59bbbf8c2039f179a2ec3427f5bdddd397643de5c69e6c1aa0db43ef3c0d

Download Submit
\Program Files (x86)\Windows.exe

Filesize
136KB

MD5
3276ed4c930c7f3f20e6492199139ea9

SHA1
d0837fc9960823be07f44439aa439018d974454f

SHA256
115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

SHA512
10018be30db6cacf6584eadcb8d0822a36b70356fc64a52c9243245ae7a15149dd9f7c65aac7c83d22a1102a62f8ae847d051966c31c85c2bf81c4af95109703

Download Submit
\Program Files (x86)\Windows.exe

Filesize
136KB

MD5
3276ed4c930c7f3f20e6492199139ea9

SHA1
d0837fc9960823be07f44439aa439018d974454f

SHA256
115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

SHA512
10018be30db6cacf6584eadcb8d0822a36b70356fc64a52c9243245ae7a15149dd9f7c65aac7c83d22a1102a62f8ae847d051966c31c85c2bf81c4af95109703

Download Submit
\Users\Admin\AppData\Roaming\Pony.exe

Filesize
34KB

MD5
ce17b05eeb7960d69b2169f62faad510

SHA1
8ba96e55cb0bcea218f05f4a063cd8c7a6e57d06

SHA256
cb6451851012e919e11960d96ecc1f45c0bbddb65e4b33ee0a40e5a934b9374f

SHA512
a4dd7a0edcc46f3a38675c036df1affaa042aea4ad5df94980efe2f15fa44a4c31af59bbbf8c2039f179a2ec3427f5bdddd397643de5c69e6c1aa0db43ef3c0d

Download Submit
\Users\Admin\AppData\Roaming\Pony.exe

Filesize
34KB

MD5
ce17b05eeb7960d69b2169f62faad510

SHA1
8ba96e55cb0bcea218f05f4a063cd8c7a6e57d06

SHA256
cb6451851012e919e11960d96ecc1f45c0bbddb65e4b33ee0a40e5a934b9374f

SHA512
a4dd7a0edcc46f3a38675c036df1affaa042aea4ad5df94980efe2f15fa44a4c31af59bbbf8c2039f179a2ec3427f5bdddd397643de5c69e6c1aa0db43ef3c0d

Download Submit
memory/580-69-0x0000000000000000-mapping.dmp

Download
memory/680-85-0x0000000000000000-mapping.dmp

Download
memory/1020-61-0x0000000000000000-mapping.dmp

Download
memory/1020-81-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1020-68-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-80-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1120-84-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1120-77-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1120-79-0x000000000041AF60-mapping.dmp

Download
memory/1120-72-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1120-82-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1120-71-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1120-75-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1328-66-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1516-67-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1516-88-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1516-57-0x0000000000000000-mapping.dmp

Download
memory/1956-87-0x0000000000000000-mapping.dmp

Download