Analysis Overview
SHA256
b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7
Threat Level: Known bad
The file b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Blackmatter family
BlackMatter Ransomware
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Modifies extensions of user files
Sets service image path in registry
Enumerates connected drives
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies Control Panel
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-24 15:21
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-24 15:21
Reported
2021-10-24 15:24
Platform
win11
Max time kernel
147s
Max time network
135s
Command Line
Signatures
BlackMatter Ransomware
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Sets service image path in registry
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f5yX7OyXn.bmp" | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f5yX7OyXn.bmp" | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1496 wrote to memory of 1880 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\uus\AMD64\MoUsoCoreWorker.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
"C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe"
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b34634922f00db267e803f4858beb050 GEwTR/2hiEy0A5uai15Dxg.0.1.0.3.0
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b34634922f00db267e803f4858beb050 GEwTR/2hiEy0A5uai15Dxg.0.1.0.3.0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | slscr.update.microsoft.com | udp |
| US | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | fe3cr.delivery.mp.microsoft.com | udp |
| IE | 20.54.89.15:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| US | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| US | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| US | 52.152.110.14:443 | slscr.update.microsoft.com | tcp |
| NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| N/A | 127.0.0.1:5985 | | tcp |
| IE | 20.54.89.15:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| US | 52.152.110.14:443 | slscr.update.microsoft.com | tcp |
| US | 52.152.110.14:443 | slscr.update.microsoft.com | tcp |
| NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| US | 52.152.110.14:443 | slscr.update.microsoft.com | tcp |
| IE | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| NL | 20.86.173.234:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-24 15:21
Reported
2021-10-24 15:24
Platform
win10-en-20211014
Max time kernel
114s
Max time network
121s
Command Line
Signatures
BlackMatter Ransomware
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Modifies extensions of user files
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp" | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp" | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
"C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.19:443 | | tcp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
Files