Analysis Overview
SHA256
5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e
Threat Level: Known bad
The file 5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
UPX packed file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 21:44
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 21:44
Reported
2024-08-07 21:47
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
97s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\pyeqs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kyqoky.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pyeqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyqoky.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boufe.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pyeqs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyqoky.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\boufe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe
"C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe"
C:\Users\Admin\AppData\Local\Temp\pyeqs.exe
"C:\Users\Admin\AppData\Local\Temp\pyeqs.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\kyqoky.exe
"C:\Users\Admin\AppData\Local\Temp\kyqoky.exe" OK
C:\Users\Admin\AppData\Local\Temp\boufe.exe
"C:\Users\Admin\AppData\Local\Temp\boufe.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\pyeqs.exe
| MD5 | c4819d80f3e956bf84b346a540ff63ef |
| SHA1 | 0a2255c7b1da0f4c1ea82c260164f1813d87fa04 |
| SHA256 | 8c4dc416c07e0fad1d062cd8bfe7e1f7da445d47e95c105912ae28ae70d40399 |
| SHA512 | 76e1b0cc362a5424f74dcae024fb135b92a625ce21f46a368bd5184f9e98540c60f567bf379e736461fca89c8dea8a1035ca6b0abc891885b1125308acb4f61f |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | a372b778baecac45e4ad237d72914b23 |
| SHA1 | f865dd3a4c1ac1458e7a1ac4c2f125382c35face |
| SHA256 | 14617c5d5c0b16e1d8c845cbed998de813b2524a98d56dd6efadc7155fb54f56 |
| SHA512 | 48749be43a59dd9ed8cf5472c891f56037e30c3ba2383b789fc3bdcf79ae0a6cf21a728b0eea0c54af16a66549adc7d2b98ede89bcb11d74e1c9bb7d9b90e408 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8d0ae61ebb0a3b537e5a69739fbbcfed |
| SHA1 | be360f991ba1d88ea284ece09dcdbe41ee1db6c7 |
| SHA256 | 1fae80014ae2e4b6205a9a0abd7c379ac0813daff49b23dd392454146c172d82 |
| SHA512 | 884ae10250144b037ef76d5afb0692ad53311aceb6fb2324bd40d156b78d890de2fc9e21e34b57369f26b79f56e5a53d11d4eba52973bae3c7cde41f34a2554e |
C:\Users\Admin\AppData\Local\Temp\boufe.exe
| MD5 | 78a0b650b0a7c464b000cd64f8214dd9 |
| SHA1 | 823b930a88dee63d4d78d45592ab997a0e352be1 |
| SHA256 | b4a898d61e6ddbb61d73a348a44c3fda0ecefae39fabaffecbf54853a98e7339 |
| SHA512 | b10c38c2414a028444eba0c8c6460ae52b770a40abe5e02cc961b3a68cf858a6f19c609556d1c5a21c14b61f64e059ba01f70d24465ee2581d5fa19191cc9cf2 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | fbda5501e0cc5d81f18db3e932f5f92d |
| SHA1 | 561a1409b02236a4a3b8fce97cc4269bf722b5d9 |
| SHA256 | f583f215cc4b75178c1b05bed17694223aaa494b6298dc48d5971b2bcf5194ce |
| SHA512 | 932edd3e01e7b9576f1e3a1e94988cec2cef0775938d4a6ba02dbb2f48dd1d869225e5a8236c5ba4896ffd03db1cfcba7d26ae95824ae41aac1bc34f5a81019b |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 21:44
Reported
2024-08-07 21:47
Platform
win7-20240705-en
Max time kernel
147s
Max time network
120s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xuybx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mubedi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\voysh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xuybx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xuybx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mubedi.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xuybx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mubedi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\voysh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xuybx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mubedi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\voysh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe
"C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe"
C:\Users\Admin\AppData\Local\Temp\xuybx.exe
"C:\Users\Admin\AppData\Local\Temp\xuybx.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\mubedi.exe
"C:\Users\Admin\AppData\Local\Temp\mubedi.exe" OK
C:\Users\Admin\AppData\Local\Temp\voysh.exe
"C:\Users\Admin\AppData\Local\Temp\voysh.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\xuybx.exe
| MD5 | bb3bce9f6cd42c6039e5ab6690990fc0 |
| SHA1 | 90ac41d14ca0e45892dbac6a8932ee5ee132b383 |
| SHA256 | 2ec794b1309392dc217a575c4409753665e9ae5acbfc3a8d90b6a81559654d06 |
| SHA512 | d7c641239d8c6a0596e3f98dd9fadc730e36ea2771e238659639318ff4228cca8662fa2fe91e258efac4523633a72a2ffe1f423dc6dc93f394af76a2dfe9c3a2 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | a372b778baecac45e4ad237d72914b23 |
| SHA1 | f865dd3a4c1ac1458e7a1ac4c2f125382c35face |
| SHA256 | 14617c5d5c0b16e1d8c845cbed998de813b2524a98d56dd6efadc7155fb54f56 |
| SHA512 | 48749be43a59dd9ed8cf5472c891f56037e30c3ba2383b789fc3bdcf79ae0a6cf21a728b0eea0c54af16a66549adc7d2b98ede89bcb11d74e1c9bb7d9b90e408 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 4d9e93e01065463d6f6159c36ad6cbe2 |
| SHA1 | 590549488a4e5a3c16dbce84dcc25926486df38e |
| SHA256 | eed65654eb4872a16f60eebae4d40daf4a88a7b81b8963bbeb8b094dbd9f15b4 |
| SHA512 | 1a502d78d7fb475210d0856140961ed8ed9053fc6af84ed2d2f686cb18836d4393bc9390936f827566c549e45b9b489b964d0d3466649c6c0e20157680d9bb16 |
\Users\Admin\AppData\Local\Temp\voysh.exe
| MD5 | 8878641d16e55e942144d9d3af55f69e |
| SHA1 | cd13f24065dd8301612a43b8537471ab128279c7 |
| SHA256 | 8d991b6751877448a66854c2f37276b236b611d156e37025c262d8aeb9f7b606 |
| SHA512 | bd584e885fb1deabc27c5f88c670d84d315d05501211d1f85db96c3b0479af4c7eefc9ae8a3636eb95b30f72dd531d4b7b2df72ccbe2ab56feaef931b7d8af2c |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | ae79b104461bbc087a9a54ea31fe8dc8 |
| SHA1 | 1392ce4588f543fffa0931544ade647a3e876223 |
| SHA256 | 876e01574c57b8a58573a09a86290bcc315933abbcfaa15f497603cc7684acd2 |
| SHA512 | 02ad40260fa87a55dffc8a29bfacd11b9ba45336f8157f1ed0b9b9d2f479f6761eb0cd6e82d22d6b779f37014bb30e42fd5a11345bd358fdbc3613e351ec7370 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |