Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 03-12-2021 14:47
Static task: static1
Behavioral task: behavioral1
Sample: 8184e6cb56376660cf0756a1adef0671.exe
Resource: win7-en-20211104
General
- Target: 8184e6cb56376660cf0756a1adef0671.exe
- Size: 5.3MB
- MD5: 8184e6cb56376660cf0756a1adef0671
- SHA1: 9bc48fddf1fe3eba10fb229723b256a350c66838
- SHA256: 96a780f5b7e0a8a780d93beaa88544f03daeb6626f9cd1cc785163120744ecb3
- SHA512: 4b7c7797702d46a825ad8eb27b9f1481b1940e7f9e57ceb687b165fc9b32a2a65f1c96a65b2e8591952ad231f71fbfaf56a22fab3cafe92bf87b8326f56d06a5
Malware Config
Extracted: danabot
- 142.11.244.223:443
- 23.106.122.139:443
- embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
- type: loader
Signatures
-
Danabot Loader Component 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\VLUORE~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\VLUORE~1.DLL | DanabotLoader2021
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 2832 created 4484 | 2832 | WerFault.exe | vluorevqevpc.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
30 | 364 | WScript.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
2424 | orchic.exe
3216 | quothavp.exe
4484 | vluorevqevpc.exe
3936 | DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | orchic.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | orchic.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | quothavp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | quothavp.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
4388 | 8184e6cb56376660cf0756a1adef0671.exe
1912 | rundll32.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe | themida
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
-
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | orchic.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | quothavp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
8 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid | process
2424 | orchic.exe
3216 | quothavp.exe
3936 | DpEditor.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | 8184e6cb56376660cf0756a1adef0671.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 8184e6cb56376660cf0756a1adef0671.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | 8184e6cb56376660cf0756a1adef0671.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2832 | 4484 | WerFault.exe | vluorevqevpc.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | quothavp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | quothavp.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | quothavp.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
3936 | DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
pid | process
3216 | quothavp.exe
2424 | orchic.exe
3936 | DpEditor.exe
2832 | WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 2832 | WerFault.exe
Token: SeBackupPrivilege | 2832 | WerFault.exe
Token: SeDebugPrivilege | 2832 | WerFault.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 4388 wrote to memory of 2424 | 4388 | 8184e6cb56376660cf0756a1adef0671.exe | orchic.exe
PID 4388 wrote to memory of 3216 | 4388 | 8184e6cb56376660cf0756a1adef0671.exe | quothavp.exe
PID 3216 wrote to memory of 4484 | 3216 | quothavp.exe | vluorevqevpc.exe
PID 3216 wrote to memory of 4452 | 3216 | quothavp.exe | WScript.exe
PID 2424 wrote to memory of 3936 | 2424 | orchic.exe | DpEditor.exe
PID 3216 wrote to memory of 364 | 3216 | quothavp.exe | WScript.exe
PID 4484 wrote to memory of 1912 | 4484 | vluorevqevpc.exe | rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8184e6cb56376660cf0756a1adef0671.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8184e6cb56376660cf0756a1adef0671.exe"
Tree depth: 1
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID: 4388
-
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe"
Tree depth: 2
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2424
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
Tree depth: 3
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID: 3936
-
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe"
Tree depth: 2
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3216
-
C:\Users\Admin\AppData\Local\Temp\vluorevqevpc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\vluorevqevpc.exe"
Tree depth: 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4484
-
C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\VLUORE~1.DLL,s C:\Users\Admin\AppData\Local\Temp\VLUORE~1.EXE
Tree depth: 4
- Loads dropped DLL
PID: 1912
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 504
Tree depth: 4
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2832
-
C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bajekldosfg.vbs"
Tree depth: 3
PID: 4452
-
C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lfigqaefvk.vbs"
Tree depth: 3
- Blocklisted process makes network request
PID: 364
Network
MITRE ATT&CK Enterprise v6
Downloads