Analysis
- max time kernel: 151s
- max time network: 134s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-12-2020 14:46

Static task: static1
Behavioral task behavioral1: sample 202010121236.scr, resource win7v20201028
Behavioral task behavioral2: sample 202010121236.scr, resource win10v20201028
(The results on this page are from behavioral1, the Windows 7 x64 run.)
General
- Target: 202010121236.scr
- Size: 449KB
- MD5: 574f031251f67bcc6ea9168364d2fbfd
- SHA1: f5d6140140829eaa550d2ef57b3ca8281b3d79bb
- SHA256: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
- SHA512: d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Malware Config
- Extracted from: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Contact e-mails in the note: wiruxa@airmail.cc, anygrishevich@yandex.ru
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  pid 1460 spoolsv.exe; pid 1580 spoolsv.exe
- Deletes itself (1 IoC)
  pid 1648 notepad.exe (spawned by the dropper, which writes into its memory seven times; see "Suspicious use of WriteProcessMemory" below)
- Loads dropped DLL (2 IoCs)
  pid 1368 202010121236.scr; pid 1460 spoolsv.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run (202010121236.scr)
  Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start" (202010121236.scr)
  The persisted binary borrows the name of the Windows print spooler but lives under the user's roaming profile, not System32.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  spoolsv.exe, File opened (read-only): \??\M: \??\H: \??\E: \??\X: \??\W: \??\V: \??\T: \??\B: \??\A: \??\Z: \??\U: \??\R: \??\P: \??\N: \??\L: \??\K: \??\G: \??\Y: \??\S: \??\Q: \??\O: \??\J: \??\I: \??\F: (every drive letter except C: and D:)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 6: geoiptool.com
- Drops file in Program Files directory (13760 IoCs, 64 listed)
  All entries below are by spoolsv.exe (the "-agent 0" instance in the process tree). Entries carrying the appended ".128-806-0EA" suffix are the renamed, encrypted files; the ransom note "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" is created in the directories it processes (one such creation appears in the excerpt).
  File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Maceio.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00564_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215718.WMF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\attention.gif.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL.128-806-0EA
  File opened for modification C:\Program Files\7-Zip\Lang\bg.txt.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR25F.GIF.128-806-0EA
  File opened for modification C:\Program Files\7-Zip\Lang\mng.txt
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Angles.eftx.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt.128-806-0EA
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02957_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00191_.WMF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01239_.GIF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG.128-806-0EA
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00146_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF.128-806-0EA
  File opened for modification C:\Program Files\7-Zip\Lang\cs.txt.128-806-0EA
  File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14831_.GIF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML
  File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml
  File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02386_.WMF
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107734.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG
  File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco.128-806-0EA
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml
  File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Bishkek
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107302.WMF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04323_.WMF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18231_.WMF.128-806-0EA
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar
  File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2String.XSL
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESPS.ICO
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition.fdt.128-806-0EA
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153047.WMF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187921.WMF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45B.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01839_.GIF.128-806-0EA
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif.128-806-0EA
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde.128-806-0EA
  File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Rome
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg.128-806-0EA
  File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Athens
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01461_.WMF.128-806-0EA
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 1148 vssadmin.exe; pid 1892 vssadmin.exe
- Modifies system certificate store
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (202010121236.scr)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e (202010121236.scr)
  Set value (data): same key, Blob = [repeated blob, elided] (202010121236.scr)
  Key created: same key (spoolsv.exe)
  Set value (data): same key, Blob = [repeated blob, elided] (spoolsv.exe)
  What was written: the Blob value is CryptoAPI's serialized certificate-property layout (repeated propid, reserved = 1, length, data). Property 0x20 carries the DER certificate, which decodes to the "AAA Certificate Services" root of Comodo CA Limited (Salford, Greater Manchester, GB; valid 2004-01-01 to 2028-12-31), and property 3 is its SHA-1 thumbprint D1EB23A4…E349, the same value as the key name. AuthRoot\Certificates is the store Windows fills in through automatic root-certificate update when a process validates a chain, and crypt32 does that inside the calling process, which is why the IoC is attributed to the sample and its dropped copy. Taken with the CryptnetUrlCache files under Downloads, this signature is a side effect of the run's network activity, not the sample installing a root of its own.
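The triage step behind that note is to parse the Blob value and see which certificate it carries. Here is a decoder for that layout as an added example (not part of the sandbox report and not tria.ge code). The property bytes for friendly name, enhanced key usage, signature hash and the propid 83 entry are copied from the Blob above; the 1078-byte DER certificate itself is replaced by a short constructed placeholder, with property 3 recomputed over it, so the example stays self-contained. The property-ID constants are the wincrypt.h values.

```python
"""Decode a CryptoAPI serialized certificate blob as stored under
SystemCertificates\\AuthRoot\\Certificates\\<thumbprint>\\Blob."""
import hashlib
import struct

# Property identifiers from wincrypt.h
CERT_SHA1_HASH_PROP_ID = 3
CERT_ENHKEY_USAGE_PROP_ID = 9
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_SIGNATURE_HASH_PROP_ID = 15
CERT_CERT_PROP_ID = 32


def parse_blob(blob: bytes) -> dict:
    """Split a Blob value into {propid: data}; each entry is
    propid:u32 LE, reserved:u32 (always 1), length:u32 LE, data."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property {prop_id} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_blob(props: dict) -> bytes:
    """Inverse of parse_blob; used here only to construct the sample."""
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in props.items())


def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_eku(data: bytes) -> list:
    """Walk a DER SEQUENCE OF OBJECT IDENTIFIER with short-form lengths,
    which is all an enhanced-key-usage list needs."""
    if data[0] != 0x30:
        raise ValueError("EKU property is not a SEQUENCE")
    oids, off = [], 2
    while off < 2 + data[1]:
        if data[off] != 0x06:
            raise ValueError("non-OID element in EKU list")
        n = data[off + 1]
        oids.append(decode_oid(data[off + 2:off + 2 + n]))
        off += 2 + n
    return oids


def summarize(blob: bytes) -> dict:
    """Friendly name, EKU OIDs and whether property 3 really is the SHA-1
    of the embedded certificate (the check a triage script should make)."""
    props = parse_blob(blob)
    stored = props[CERT_SHA1_HASH_PROP_ID].hex()
    return {
        "friendly_name": props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00"),
        "eku": decode_eku(props[CERT_ENHKEY_USAGE_PROP_ID]),
        "stored_sha1": stored,
        "sha1_matches_cert": hashlib.sha1(props[CERT_CERT_PROP_ID]).hexdigest() == stored,
    }


# First three properties (15, 9, 83) copied verbatim from the report's Blob.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286"
    "09000000010000003400000030320608" "2b06010505070301" "06082b06010505070302"
    "06082b06010505070304" "06082b06010505070303" "06082b06010505070308"
    "530000000100000026000000"
    "30243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0"
)
# Friendly-name property (propid 11) copied from the report: UTF-16LE "C·O·M·O·D·O".
FRIENDLY_NAME = bytes.fromhex("4300b7004f00b7004d00b7004f00b7004400b7004f000000")
# Constructed placeholder standing in for the real 1078-byte DER certificate.
PLACEHOLDER_CERT = b"\x30\x03\x02\x01\x01"
SAMPLE_BLOB = REPORT_BLOB_PREFIX + build_blob({
    CERT_FRIENDLY_NAME_PROP_ID: FRIENDLY_NAME,
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(PLACEHOLDER_CERT).digest(),
    CERT_CERT_PROP_ID: PLACEHOLDER_CERT,
})

if __name__ == "__main__":
    print(summarize(SAMPLE_BLOB))
```

Fed the real Blob value from the report, the same `summarize` call returns the thumbprint d1eb23a4… from property 3 and confirms it against the embedded certificate; the five EKU OIDs (1.3.6.1.5.5.7.3.1/2/4/3/8) are serverAuth, clientAuth, emailProtection, codeSigning and timeStamping.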
- Suspicious behavior: EnumeratesProcesses (1183 IoCs)
  pid 1460 spoolsv.exe (every listed entry is this one pid)
- Suspicious use of AdjustPrivilegeToken (85 IoCs, 64 listed)
  pid 1368 202010121236.scr: SeDebugPrivilege (twice)
  pid 588 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 828 WMIC.exe: the same twenty entries
  pid 956 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 828 WMIC.exe (second pass): SeIncreaseQuotaPrivilege through SeManageVolumePrivilege as above, then 33, 34
  Reading this: the numeric entries are privilege LUIDs without a resolved name (33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege). The WMIC.exe and vssvc.exe entries are what those Windows binaries always enable on start-up, so the signal is SeDebugPrivilege in the dropper and what wmic was told to do, not the privilege list itself.
- Suspicious use of WriteProcessMemory (55 IoCs)
  PID 1368 202010121236.scr wrote to memory of 1460 spoolsv.exe (4 entries)
  PID 1368 202010121236.scr wrote to memory of 1648 notepad.exe (7 entries)
  PID 1460 spoolsv.exe wrote to memory of 1700 cmd.exe (4 entries)
  PID 1460 spoolsv.exe wrote to memory of 1592 cmd.exe (4 entries)
  PID 1460 spoolsv.exe wrote to memory of 268 cmd.exe (4 entries)
  PID 1460 spoolsv.exe wrote to memory of 1636 cmd.exe (4 entries)
  PID 1460 spoolsv.exe wrote to memory of 1796 cmd.exe (4 entries)
  PID 1460 spoolsv.exe wrote to memory of 576 cmd.exe (4 entries)
  PID 1460 spoolsv.exe wrote to memory of 1580 spoolsv.exe (4 entries)
  PID 1796 cmd.exe wrote to memory of 1148 vssadmin.exe (4 entries)
  PID 1700 cmd.exe wrote to memory of 588 WMIC.exe (4 entries)
  PID 576 cmd.exe wrote to memory of 828 WMIC.exe (4 entries)
  PID 576 cmd.exe wrote to memory of 1892 vssadmin.exe (4 entries)
  Reading this: four writes per parent/child pair is the normal process-creation pattern on this platform and appears for every spawn here, including cmd.exe starting vssadmin.exe. The seven writes from the dropper into notepad.exe are the outlier and line up with the "Deletes itself" tag on that process.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\202010121236.scr
    "C:\Users\Admin\AppData\Local\Temp\202010121236.scr" /S
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
            - Executes dropped EXE
            - Drops file in Program Files directory
        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
    [2] C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        - Deletes itself
[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the bracketed numbers are the report's nesting depth. Image paths under SysWOW64 while the command lines say system32 mean the sample is a 32-bit binary running under WOW64 file-system redirection on the x64 guest. The sequence is: the .scr (launched with /S, the screensaver convention) writes a byte-identical copy of itself to C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe, registers it under the Run key and starts it with -start; that instance runs the recovery-inhibition commands (wmic shadowcopy delete, bcdedit recoveryenabled no and bootstatuspolicy ignoreallfailures, wbadmin delete catalog, vssadmin delete shadows, part of it via the dropped ~temp001.bat) and then launches itself once more with -agent 0, the instance that encrypts files under Program Files. vssvc.exe is the Volume Shadow Copy service woken by those deletions, not a sample process, and notepad.exe is the host the dropper uses to remove the original .scr.
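The tree above is the kind of telemetry a detection rule has to turn into one alert that names the dropper rather than nine separate cmd.exe hits. The following Python is an added example of that logic (my own, not a tria.ge signature and not part of the report). The event list is constructed from the report: pids and command lines as listed, parent pids from the nesting and from the WriteProcessMemory IoCs, with one labelled assumption: the report does not say which of cmd.exe pids 1592, 268 and 1636 ran which of the two bcdedit lines and the wbadmin line, so that mapping is illustrative. The system-binary name list and the rule patterns are mine; the ATT&CK IDs are the standard ones for these techniques.

```python
"""Rule pass over the process tree and Run-key IoC of this run:
T1490 (inhibit system recovery), T1036.005 (masquerading as a system
binary) and T1547.001 (Run-key persistence), rolled up to the root pid."""
import ntpath
import re
from dataclasses import dataclass

CMD = r"C:\Windows\SysWOW64\cmd.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\WMIC.exe"
VSSADMIN = r"C:\Windows\SysWOW64\vssadmin.exe"
SCR = r"C:\Users\Admin\AppData\Local\Temp\202010121236.scr"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. Assumption: which of cmd.exe
# pids 1592/268/1636 ran which bcdedit/wbadmin line is not stated there.
EVENTS = [
    ProcEvent(1368, 0, SCR, f'"{SCR}" /S'),
    ProcEvent(1460, 1368, DROPPED, f'"{DROPPED}" -start'),
    ProcEvent(1700, 1460, CMD, '"C:\\Windows\\system32\\cmd.exe" /C wmic shadowcopy delete'),
    ProcEvent(588, 1700, WMIC, "wmic shadowcopy delete"),
    ProcEvent(1592, 1460, CMD, '"C:\\Windows\\system32\\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    ProcEvent(268, 1460, CMD, '"C:\\Windows\\system32\\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcEvent(1636, 1460, CMD, '"C:\\Windows\\system32\\cmd.exe" /C wbadmin delete catalog -quiet'),
    ProcEvent(576, 1460, CMD, '"C:\\Windows\\system32\\cmd.exe" /C C:\\Users\\Admin\\AppData\\Local\\Temp\\~temp001.bat'),
    ProcEvent(828, 576, WMIC, "wmic shadowcopy delete"),
    ProcEvent(1892, 576, VSSADMIN, "vssadmin delete shadows /all /quiet"),
    ProcEvent(1580, 1460, DROPPED, f'"{DROPPED}" -agent 0'),
    ProcEvent(1796, 1460, CMD, '"C:\\Windows\\system32\\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    ProcEvent(1148, 1796, VSSADMIN, "vssadmin delete shadows /all /quiet"),
    ProcEvent(1648, 1368, r"C:\Windows\SysWOW64\notepad.exe", "notepad.exe"),
]

# Run-key value exactly as recorded in the report.
RUN_KEY_VALUE = r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start'

# T1490: the five command shapes seen in this run.
RECOVERY_INHIBIT = [re.compile(p, re.I) for p in (
    r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b",
    r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b",
    r"\bwbadmin(\.exe)?\s+delete\s+catalog\b",
)]

# Names that only legitimately run from the Windows directory (my list).
SYSTEM_BINARY_NAMES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(("c:\\windows\\", "\\systemroot\\"))


def recovery_inhibit_hits(events):
    """pids whose command line matches a recovery-inhibition pattern."""
    return [e.pid for e in events if any(p.search(e.cmdline) for p in RECOVERY_INHIBIT)]


def masquerade_hits(events):
    """pids whose image borrows a system-binary name but lives outside Windows."""
    return [e.pid for e in events
            if ntpath.basename(e.image).lower() in SYSTEM_BINARY_NAMES and not in_windows_dir(e.image)]


def run_key_suspicious(value: str) -> bool:
    """True when a Run-key target is a system-binary name under a user profile."""
    m = re.match(r'\s*"?([^"]+?\.exe)"?', value, re.I)
    if not m:
        return False
    target = m.group(1)
    return ntpath.basename(target).lower() in SYSTEM_BINARY_NAMES and "\\users\\" in target.lower()


def ancestry(events, pid):
    """pid chain from the given process up to the root of the tree."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def triage(events, run_key_value):
    """One summary per technique, plus the root pid(s) behind the
    recovery-inhibition commands so the alert names the dropper, not cmd.exe."""
    inhibit = recovery_inhibit_hits(events)
    return {
        "T1490": inhibit,
        "T1036.005": masquerade_hits(events),
        "T1547.001": run_key_suspicious(run_key_value),
        "root_pids": sorted({ancestry(events, p)[-1] for p in inhibit}),
    }


if __name__ == "__main__":
    for technique, hits in triage(EVENTS, RUN_KEY_VALUE).items():
        print(technique, hits)
```

The nine T1490 hits and the two masquerading instances all chase back to pid 1368, which is where a single alert should point; the cmd.exe that only runs ~temp001.bat is deliberately not matched on its own line, because the batch file's contents surface as the child WMIC.exe and vssadmin.exe events.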
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
CryptnetUrlCache is CryptoAPI's on-disk cache of fetched certificate-related objects, and Content.IE5 holds WinINet-cached HTTP responses, consistent with the geoiptool.com lookup; the substantive drops are ~temp001.bat and the copy of the sample installed as spoolsv.exe.
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: 85934f14cc9248f76c58dc21180b4f15
  SHA1: 5ae41d9bea1cd413260de621f2302febd1e00323
  SHA256: 0d0b47c2e46b455f2d5b2bc0893585790da8a86e36f4a45311bf0a579a5efe58
  SHA512: 8496972fcf149a5df72b1a9aef3865c27fe0b9cba9e3af03b0a562c8b64a89d8834a3c18008d1610fab0741decadfdb1c14f9c1b9d1307bbb23a0b6a148b5e88
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: 4bddfe3851f7aa064be1b88af5e4516d
  SHA1: 2619398420a8e45f8f68c7c02ff2fd8c5ae3f18a
  SHA256: 1427416bef65c2419a8fc224206c5131d6d7b391bc74faae87859640ce0fc3dc
  SHA512: 1874f93cc946fe5a1f1852f0bb740247cb8835993d7cd217e1347af794b6f606c9ad9c1b6b0604c229296d170961c88d0b31824b9f854d326fe8b10557e84040
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: a54e6020d8dade29e93e679d7d067676
  SHA1: 1ff53fa146566b3dc7a4dc43c91650a89b0bca5f
  SHA256: 3762d5141f299aa6d5bb5197aa8459d1741a4602c875a14531b77ebc861c7bbb
  SHA512: 87da29500b7ca80c15eea68253298c50073e2c643aae474b700ddd8117f7eac6bd53fc9a5358aa2bebe513e2041ca101337a13f21f0ef16450607ecc7f57b43d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: e701dced7f71531010737b88f0aae2ae
  SHA1: 2b681bc734b3b3fadb6bd72fdf358d710dffbd67
  SHA256: 661e189327784fc1cbbc426d063482ab68f7eaf4f01e4c34256d3d1df70ab2df
  SHA512: db233914794efe239b55c5f9005ca5e04410111fe4bbd76f8a45fed7d608310905c6646c689fa2603a48768df765fdc4152a5f7fd1b19daff89a1a7b2df6ebc1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: 0ab9b1924797144ddb10af6b1885a010
  SHA1: 351ff7400e78ff4a5b4345ec8648592b61477ee6
  SHA256: 3c0e5fedfa7fb056e5f9f99e6a768e9ca129638928f2f293071dd8a61f0dea12
  SHA512: 28a08537055ab9b30b1168171c845da4c3231254d1f1cbdc94dbc85f18226e3ecabf40e9d8dba70018000f607830f826110a97300d8f738b3c327e2e02665753
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 91236466d1cd77743c5ae5ab0510f08c
  SHA1: 65928c8697e72d0175d7c94981b835f083042a19
  SHA256: fedce7da5b18bc0bb1347c627064ad334952abdf35d1be18a7d2d357a1b802f7
  SHA512: f7f8e8a57336b593081297da88c938a10bcd9a0ca364e0a435e0defee00e943f56fd9823544cf80dcd26c57c9d5663f7d916583ad644db4c2b8f6aeefc1ed37f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 8c80560d5ee82439c063eae42f31984f
  SHA1: 93498285e878572647b471bb09988ef8c3e04b41
  SHA256: 34528b3d20c173076a1dd7ec5a0133e022f9866c15e22bd5813b0b0240818064
  SHA512: 770f1c7d4252b6be2e64fa15fe8a73c9d07d9166fd264fa5c57afc253a2c914851c3a023186769099e138645937075c672e7cb6521c28d7bc2d8f0f837b05359
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\QRJVIHYQ.htm
  MD5: 8615e70875c2cc0b9db16027b9adf11d
  SHA1: 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
  SHA256: da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
  SHA512: cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\E3M1F9WA.htm
  MD5: b1cd7c031debba3a5c77b39b6791c1a7
  SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
- C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
  SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
  SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
  SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe (recorded five times, three as C:\Users\... and two as \Users\...; byte-identical to the submitted sample)
  MD5: 574f031251f67bcc6ea9168364d2fbfd
  SHA1: f5d6140140829eaa550d2ef57b3ca8281b3d79bb
  SHA256: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
  SHA512: d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
- memory/268-19-0x0000000000000000-mapping.dmp
- memory/576-22-0x0000000000000000-mapping.dmp
- memory/588-28-0x0000000000000000-mapping.dmp
- memory/828-30-0x0000000000000000-mapping.dmp
- memory/1148-27-0x0000000000000000-mapping.dmp
- memory/1460-4-0x0000000000000000-mapping.dmp
- memory/1576-2-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp (2.5MB)
- memory/1580-25-0x0000000000000000-mapping.dmp
- memory/1592-18-0x0000000000000000-mapping.dmp
- memory/1636-20-0x0000000000000000-mapping.dmp
- memory/1648-6-0x00000000000E0000-0x00000000000E1000-memory.dmp (4KB)
- memory/1648-7-0x0000000000000000-mapping.dmp
- memory/1700-17-0x0000000000000000-mapping.dmp
- memory/1796-21-0x0000000000000000-mapping.dmp
- memory/1892-31-0x0000000000000000-mapping.dmp