Analysis Overview
SHA256
06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a
Threat Level: Known bad
The file 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Amadey
Redline family
Detects Healer an antivirus disabler dropper
Amadey family
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:18
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:18
Reported
2024-11-09 19:21
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
147s
Signatures
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A |
RedLine
RedLine payload
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe
"C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345a.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2812 -ip 2812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1192
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5512 -ip 5512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 1220
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
| MD5 | 827ccbc4c11603646f8a3c69172e8a45 |
| SHA1 | 2017a8048034862c7e92e2d3ece454ed3e927779 |
| SHA256 | 525e8d353a3ec8dca403c848bb02e2f0f9cbbdc041f5ab6c7ff85aa2f14f0b67 |
| SHA512 | f32bf5eb824031eff1a497961cc6a3ad4de9eddab3944eadbefdd1d0e6f87f6a7abb4ab9794d96fc8f771ad60c9347cfe7ac3f44d74b04021ddcdaa5d28fa207 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
| MD5 | fbd51d7e7ef4b74311ada32235dad4a3 |
| SHA1 | cd77bc5d2d0c52f65ee8ca49e413fc04436a0951 |
| SHA256 | 18a2596e9e9421902f25d1f2ff4b591f1489d8a716842c295b18c4bc5342abe6 |
| SHA512 | 8aabcdbb6cfa9fd24c0f3dd92b48d6eaedbf5625dfc819d7d065db795e4104facaf2126401e39df235107c9ec697fdbf4895d50f8d7c8231ac4b514e4a50af95 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
| MD5 | f6d59c97a0ed988291f29786087dc183 |
| SHA1 | b441493c234cb87c634ba56b170372ab7c6ae6e3 |
| SHA256 | 8b77e63aa6736150639ebd0fd474f9c6fcf6cc7a4e6795e92e888b2ce52a14cb |
| SHA512 | 8ac6b127cec2616e637fef0bff71cc2360c48e3690958c66c9233844792276d912b8cfce0f63834b20d9a94fd2cadca9b0ced8846ec474686d91b3d402f21ea2 |
C:\Windows\Temp\1.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/324-2166-0x00000000003C0000-0x00000000003CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
| MD5 | cd22ce939659072b194a1fa34ad136e3 |
| SHA1 | e6fe1c548efc7fae64a6a6569ed4747df39999b8 |
| SHA256 | cb90776180a118ffd70a5e77dfcb25217e04ba16fc0813436d15b68dc1f63240 |
| SHA512 | 70a29db233981f5800c9130626371bfee55973175e25b86a9f74832d03a38d47ee0e7d58e63e13e8410010062442334649a5c7f23f8c7391a36d2d2ab0dbeeaf |
memory/2812-4298-0x0000000005740000-0x00000000057D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
| MD5 | c09473f87c87e6bd0ebab611067875bb |
| SHA1 | b42294e8ce5804dec65735d142a4a29e8a861cd6 |
| SHA256 | d7e3a6c78044fb393ebbc9d262dbe7609eb07acff787d6b43f96dc8107d287d1 |
| SHA512 | c3ddb62d12a1d0ee584815faecf616e8a3884d8b13ed9f832308fbf57ebb770c2b1dd7df38d32da4ee072eb8d61bfc9b37607cf37e1b52dccb1a986c247476a6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
| MD5 | 85648d9d3c25a9cae3d60bba38357e3e |
| SHA1 | f319e778b59b4b81158f6433a9d19d0145472217 |
| SHA256 | dd05dc35b6c6320abc834b7624bd557e4961aa1564de949f6bc0c386ff11f57f |
| SHA512 | cf8a4c68e50f17fd2000c11766656aa3a4162ea18a9cd51bb6027dae5604e3a48c1d555184cee656dc179a4a033fedcf78f04a5dff5fecadbf4ebd74e7341d15 |
memory/5512-4318-0x0000000002970000-0x00000000029D8000-memory.dmp
memory/5512-4319-0x0000000002B50000-0x0000000002BB6000-memory.dmp
memory/5512-6466-0x0000000005760000-0x0000000005792000-memory.dmp