Malware Analysis Report

2025-01-02 07:25

Sample ID: 240913-z8g58azgld
Target: cb9dc4606ac85050ceec95e649100000N
SHA256: b1492690bba76715a0b60aacfe75bfb7876f3b7d8f03a5a32172b084be81ba7d
Tags: floxif xred backdoor discovery persistence trojan upx
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file cb9dc4606ac85050ceec95e649100000N was found to be: Known bad.

Malicious Activity Summary

floxif xred backdoor discovery persistence trojan upx

Floxif, Floodfix

Xred family

Floxif family

Xred

Detects Floxif payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Enumerates connected drives

Adds Run key to start application

UPX packed file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported: 2024-09-13 21:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-13 21:23
Reported: 2024-09-13 21:25
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Xred

backdoor xred

Xred family

xred

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\ProgramData\Synaptics\Synaptics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll C:\ProgramData\Synaptics\Synaptics.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll.tmp C:\ProgramData\Synaptics\Synaptics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll.dat C:\ProgramData\Synaptics\Synaptics.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\ProgramData\Synaptics\Synaptics.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Synaptics\Synaptics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe

"C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 www.aieov.com udp
US 72.14.185.43:80 www.aieov.com tcp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.238:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp

Files

\Program Files\Common Files\System\symsrv.dll
C:\ProgramData\Synaptics\Synaptics.exe
\Users\Admin\AppData\Local\Temp\A1D26E2\F5F3A8C94C.tmp
C:\Users\Admin\AppData\Local\Temp\2p3CUcNh.xlsm
\Program Files (x86)\Microsoft Office\Office14\gfx.dll.tmp
C:\Users\Admin\Documents\~$UsePush.xlsx
C:\Program Files\Common Files\System\symsrv.dll.000

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-13 21:23
Reported: 2024-09-13 21:25
Platform: win10v2004-20240802-en
Max time kernel: 111s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Xred

backdoor xred

Xred family

xred

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe

"C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.238:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\System\symsrv.dll
C:\Users\Admin\AppData\Local\Temp\A1D26E2\8A4E1701380.tmp
C:\Users\Admin\AppData\Local\Temp\Jg7aTbaM.xlsm