Malware Analysis Report

2025-08-06 04:12

Sample ID 230802-krjkdseh3x
Target xveXYcYoRA9ESLn.exe
SHA256 afcf2d75de98e641cb9555de188660470893d84e4c22577cd56f947e5a54223a
Tags
snakekeylogger keylogger spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file xveXYcYoRA9ESLn.exe was found to be: Known bad.

Malicious Activity Summary

snakekeylogger keylogger spyware stealer

Snake Keylogger

Snake Keylogger payload

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2023-08-02 08:50

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-02 08:49

Reported

2023-08-02 08:52

Platform

win7-20230712-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2564 set thread context of 2752 N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2564 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2564 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe C:\Windows\SysWOW64\schtasks.exe
PID 2564 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe
PID 2564 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe
PID 2564 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe

"C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kmOptlGglTeN.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kmOptlGglTeN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C9C.tmp"

C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe

"C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe"

C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe

"C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe"

C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe

"C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp2C9C.tmp

MD5 cf86431a5b964926cfc91a4c7927f549
SHA1 34210690b2b942c08cd4123a75f2d7c91abe02d5
SHA256 cce2d0d8b58b56c0e17cd53471db4ee99c3daf0c7cf3a4361f3f92102bf5bb17
SHA512 f4556310afcd3586e98313fcd054a09d2b360385e5a24f92f5fd8442605e80535e8fa3b8b51b7a274a4fad6c3f8a9539347d438b1b7e2b7578b3c873232d4d45

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-02 08:49

Reported

2023-08-02 08:52

Platform

win10v2004-20230703-en

Max time kernel

117s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1500 set thread context of 4256 N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1500 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1500 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe C:\Windows\SysWOW64\schtasks.exe
PID 1500 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe

"C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kmOptlGglTeN.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kmOptlGglTeN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73B4.tmp"

C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe

"C:\Users\Admin\AppData\Local\Temp\xveXYcYoRA9ESLn.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp73B4.tmp

MD5 b7f1b436ad114aa2b333aa3ae4ffe82e
SHA1 cd442aef158ce6fd51239dba09a11d61090c9b55
SHA256 3f0c5c07a9ec8909463dd9802a7d9ce8759619ea88ec678a4e8d7e2a196db230
SHA512 dd98b127cecf55da41bb86d88ef77c9f6c4b3684041ea342fec36164df88e2c0be21fdafcb11121785133996e48416326ff3e6c1b6102aaf43c355f2a658b152

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfso5ddl.2jo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
