Analysis

  • max time kernel
    141s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:33

General

  • Target

    JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe

  • Size

    1.3MB

  • MD5

    0e9b77d2adc68f1d8f3a104bb8db6d32

  • SHA1

    bf9714af5a5da7cd7cc0ae8a73a1a5010a27066c

  • SHA256

    f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c

  • SHA512

    1ddac7e2b3e3c3927f7c78a91ad77c2e162072fad149765e60ad683985179de247dffe50363f6bb80fc0971ded4ad5e944775ddb49f84c52ee3d11be32deb15c

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1824
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2308
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2508
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1724
          • C:\Users\Admin\Start Menu\services.exe
            "C:\Users\Admin\Start Menu\services.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1728
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2624
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1612
                • C:\Users\Admin\Start Menu\services.exe
                  "C:\Users\Admin\Start Menu\services.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2352
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1004
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1288
                      • C:\Users\Admin\Start Menu\services.exe
                        "C:\Users\Admin\Start Menu\services.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2404
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
                          10⤵
                            PID:1824
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:608
                              • C:\Users\Admin\Start Menu\services.exe
                                "C:\Users\Admin\Start Menu\services.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1000
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
                                  12⤵
                                    PID:2684
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:2568
                                      • C:\Users\Admin\Start Menu\services.exe
                                        "C:\Users\Admin\Start Menu\services.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3000
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
                                          14⤵
                                            PID:2208
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:1772
                                              • C:\Users\Admin\Start Menu\services.exe
                                                "C:\Users\Admin\Start Menu\services.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2328
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
                                                  16⤵
                                                    PID:1968
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:2812
                                                      • C:\Users\Admin\Start Menu\services.exe
                                                        "C:\Users\Admin\Start Menu\services.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2192
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
                                                          18⤵
                                                            PID:2364
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:1572
                                                              • C:\Users\Admin\Start Menu\services.exe
                                                                "C:\Users\Admin\Start Menu\services.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2616
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
                                                                  20⤵
                                                                    PID:1728
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:1736
                                                                      • C:\Users\Admin\Start Menu\services.exe
                                                                        "C:\Users\Admin\Start Menu\services.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1700
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
                                                                          22⤵
                                                                            PID:496
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:1676
                                                                              • C:\Users\Admin\Start Menu\services.exe
                                                                                "C:\Users\Admin\Start Menu\services.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:664
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
                                                                                  24⤵
                                                                                    PID:1744
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:2712
                                                                                      • C:\Users\Admin\Start Menu\services.exe
                                                                                        "C:\Users\Admin\Start Menu\services.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
                                        PID:1792
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1356
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:836
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2164
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1656
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2404
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1752
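
The schtasks lines above show the DCRat persistence pattern: each dropped copy is named after a Windows process (Idle, cmd, dwm, wininit, sppsvc) but lives in MSOCache, Recovery, a Google Update folder or C:\providercommon, and each copy is registered twice or three times, once under ONLOGON and again under a short MINUTE interval, with /rl HIGHEST and /f. As an added example that is not part of the sandbox report, the following Python parses schtasks /create command lines (as they appear in Sysmon Event ID 1 or Security 4688 logs) and flags that pattern. The allowlist of expected directories, the 15-minute threshold and the two-reason verdict are assumptions chosen for this example; the first four sample lines are copied from the process tree above, the fifth is a constructed benign task for contrast.

```python
"""Flag schtasks /create persistence of the kind shown in the process tree above."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed allowlist for this example: names DCRat borrows from Windows, and the only
# directory where a binary of that name legitimately lives.  None means the name is a
# pseudo-process (the System Idle Process) that never exists on disk at all.
EXPECTED_DIR: Dict[str, Optional[str]] = {
    "idle.exe": None,
    "cmd.exe": r"c:\windows\system32",
    "dwm.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "sppsvc.exe": r"c:\windows\system32",
}
VALUELESS = {"create", "delete", "change", "query", "f", "z"}  # schtasks switches without a value
MAX_MINUTES = 15  # assumed threshold; the sample re-launches its copies every 6-14 minutes


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace but keep double-quoted spans (quotes included) as one token."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the /option values of a schtasks /create line, or None if it is not one."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("/"):
            i += 1
            continue
        name = tok[1:].lower()
        if name in VALUELESS or i + 1 >= len(toks) or toks[i + 1].startswith("/"):
            opts[name] = ""
            i += 1
        else:
            opts[name] = toks[i + 1].strip('"')
            i += 2
    return opts if "create" in opts else None


def action_exe(tr: str) -> str:
    """Strip the quoting and any arguments from a /tr value, returning the lower-cased exe path."""
    m = re.match(r"""^['"]*(.*?\.exe)""", tr, re.IGNORECASE)
    return (m.group(1) if m else tr.strip("'\"")).lower()


def inspect_line(cmdline: str) -> Optional[dict]:
    """Per-line checks: name masquerading, run level, tight interval, /f, nested quoting."""
    opts = parse_schtasks(cmdline)
    if opts is None or "tr" not in opts:
        return None
    exe = action_exe(opts["tr"])
    folder, _, base = exe.rpartition("\\")
    reasons: List[str] = []
    if base in EXPECTED_DIR:
        expected = EXPECTED_DIR[base]
        if expected is None:
            reasons.append(f"{base} is not a real binary; name borrowed from a pseudo-process")
        elif folder != expected:
            reasons.append(f"{base} outside {expected}")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if opts.get("sc", "").upper() == "MINUTE":
        every = opts.get("mo", "1")
        if every.isdigit() and int(every) <= MAX_MINUTES:
            reasons.append(f"re-launches every {every} min")
    if "f" in opts:
        reasons.append("overwrites an existing task of the same name (/f)")
    if opts["tr"].startswith("'"):
        reasons.append("action path single-quoted inside double quotes")
    return {"task": opts.get("tn", ""), "exe": exe,
            "schedule": opts.get("sc", "").upper(), "reasons": reasons}


def analyze(cmdlines: List[str]) -> List[dict]:
    """Inspect every line, then correlate: one exe registered under both ONLOGON and
    MINUTE triggers is the DCRat pattern (one task per trigger type per dropped copy)."""
    records = [r for r in (inspect_line(c) for c in cmdlines) if r]
    triggers = defaultdict(set)
    for r in records:
        triggers[r["exe"]].add(r["schedule"])
    for r in records:
        if {"ONLOGON", "MINUTE"} <= triggers[r["exe"]]:
            r["reasons"].append("same exe registered under both ONLOGON and MINUTE triggers")
        r["suspicious"] = len(r["reasons"]) >= 2  # assumed verdict threshold
    return records


# Lines 1-4 are taken from the process tree above; line 5 is a constructed benign task.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\cmd.exe /c C:\Scripts\backup.cmd"''',
]

if __name__ == "__main__":
    for rec in analyze(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f'{flag:10} {rec["task"]:14} {rec["exe"]}')
        for reason in rec["reasons"]:
            print(f"{'':10}   - {reason}")
```

The per-line checks alone already flag every malicious task here; the ONLOGON/MINUTE correlation is what separates this family's habit of registering the same binary under several triggers from a single odd-looking admin task, so keep it even when the per-line score is enough.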

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        097614f5d2e9f5677591efa76c7d2950

                                        SHA1

                                        d05d16d7c486575a1f013c2363d49893a891b202

                                        SHA256

                                        3cfe05227482792c1b096971dda03e49513a33c7e1e75fedf192decc25301963

                                        SHA512

                                        fe5afb7841cba03fb3b4ffd7cd31796addfb8a49adbff1140c2d36e7d7f4e585c73a16a703e6685eff446f601770a2bad76ed9c0cd7b4279546845f52704c54e

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        480bf627e57f1717c91e94c448b7333f

                                        SHA1

                                        0f9d208a61fa2fb79d4fcdc2b73d42d8b26725b7

                                        SHA256

                                        48f9f622f57d92b9f8143475d0d94ecdc2320ea8f646f900689a5bb938da7bc0

                                        SHA512

                                        c065a3fb047434000946778ed116f37c309a5259765de6c30815a3cb2a1977271f22dbd7681e13ff3000539af1b06dc9a5473389699157eddd5c37a43f4da78b

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        e8223d4f44865923b6a738d841ac2e1c

                                        SHA1

                                        2a6a5281281d350b6d6f948ca4ffcf7c5e5b6a35

                                        SHA256

                                        1bd0583ba0ad113dae773b21a2f97cbce56b7e7c2fe19587e4ab4eeef052ef2d

                                        SHA512

                                        a3590b1ee0258806cda7f0e6f6ab0d6651f930ee7972f0e4c9c6aa7cad8506e86d58bed57331cb52e48dd2ea7fac6c47612af4a7b16c100ea72efedf61f8f5fd

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        26d57ce96c4a795768139797c0504d94

                                        SHA1

                                        eacbcf4e031990ee8499c3e0a2930193078e1164

                                        SHA256

                                        bd800a4e402a57c62197fb277a4f0d985aabe9b631352341fd086604efd03af8

                                        SHA512

                                        814c04f3f4be7841b7ddb969c272877ddd6c35ffcda57df5f4cea891e16fc81a6f69783cc47bae4af3c5ff0cb30e7f3d19c9bbe51ad002be396a811cf910f340

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        e6d8758a43d9f4cf3f1bdb158281725b

                                        SHA1

                                        8d050f5bfda7af46ffd1735a53b063784e539675

                                        SHA256

                                        04f4148f3897b9a8b5c3fc98ec90c4586061b42ecd50957e8860aafc0f921119

                                        SHA512

                                        a0320825ddce5e40b7f55b5881c3731a795dc4bf28cf932f62b51302d5cd253976848f52a6d775cc5fd51f5144a38f57299ce56e39245e58764cdf55ef62f675

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        6d9c1996ff316726ca90390d9d2a65a5

                                        SHA1

                                        b0e774d73f52ca887e77f14ee58eb83d252f45c6

                                        SHA256

                                        0f242349a221765a9f42de02478d5d898476e6b270ea4541ee3130061be88dc8

                                        SHA512

                                        8e4d1af81e759a05403622cec470ae0f9e98ce73751270d6cab56a64229de578ed95b66202dbe6bb9ab6d7b5ddca23a2781c6bfbfd9fe30cf230c660dc10ff42

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        dc38fe5a59f1eeb56de6f56c4983ec6f

                                        SHA1

                                        914b348b95c5e2172f7a2753bdae721e08c6d432

                                        SHA256

                                        b7fbabe5c9a5ee6214a8217dcbebe35ebda521381abf40f070f7aed8bb34aa9d

                                        SHA512

                                        7015125a1e757341390d2264361f747317590eb2cec71cdd342b3668457e1fabf214008dc9bb95633e40b95e9d2a96867749a164c96f6d9316e75ea745e2740c

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        9e7854057367fa0b3b4518f988b2c6e4

                                        SHA1

                                        af4376e03be9a3a9592ccec9b4afbd7321639f1e

                                        SHA256

                                        65fa4f66696587ce1dae5899cbb455c83811c33a6dea8efba37f11cf5f84adaa

                                        SHA512

                                        be420d345cab5a33b41f47c32d3de5ce6103c92ff0b18a91badb65220546a27e68a6817e6e8f92464a2dbad4f6d12828ac4e92cd574137ab197c5c8b6b05e83d

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        5fc5766c5e41ef63aa0ad6cd3e8c64a8

                                        SHA1

                                        038bfd7e11ab7990cedebcf19ce1b79f42969cd2

                                        SHA256

                                        906e52a78295e8efebe97d54931e36286a4485eb9ae193e8bb1a79dff51822c5

                                        SHA512

                                        74a911bcbe792ba6a517cd1f3faf926c647b267fa27cf15d2cb10e228f4d8c6e7488a1605946d2a1988c30e31db93aa077ae2a1418562052a7330e10495282dc

                                      • C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

                                        Filesize

                                        203B

                                        MD5

                                        b889ff166db2e92a9f7d15e00afc0c91

                                        SHA1

                                        6fd3d2c889f9fa16bcf73d7cc4e637c1111f591b

                                        SHA256

                                        2f17d51892a48689b68bb7eff8f69d45d88a223c1e4b2540916ec7ddd519d740

                                        SHA512

                                        255f6b151fb3ee0d4227445d8a3108ddfbac1ddf03d46f77cb085ee9e53ba194da59ec149122d71573195de0cc966bd6914357a12cddc52891efeb2390af7c46

                                      • C:\Users\Admin\AppData\Local\Temp\Cab476E.tmp

                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                      • C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

                                        Filesize

                                        203B

                                        MD5

                                        efa71234c1ab5a8bb5c6d1a84c249dae

                                        SHA1

                                        ddfa9d1a64043e38f9f47353fdda0a7cc621cfe2

                                        SHA256

                                        f7c3a29f0d82175e51278985635c00bfa5e57d951df9e102fd268c478dbd1c3d

                                        SHA512

                                        d42f9f9e0b784a24815f6e026d6ce8923ab83d8bd63b5f11922b8c268bbfeebe142c5001adce00abc90098a57cec7e4a77ef38140d04d3e40959ee3f462e0dc1

                                      • C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat

                                        Filesize

                                        203B

                                        MD5

                                        a15dbff7190e62407afb2da058e5efaf

                                        SHA1

                                        c6ee2ab5bf8a84f53e4a5bf97ed318f611a52541

                                        SHA256

                                        71037be349f0f8fc2475d01871a70268640f0b5d1582f6eb2ee54095eac4eef5

                                        SHA512

                                        d07a1441019c6f34302a4592cfd25a616f112a8f904ad3c1568ede26567cc77714d9dc02ae4e49353cd99ae01811547c62fb6856f916aeeb8a6bfc6cc004ed9c

                                      • C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

                                        Filesize

                                        203B

                                        MD5

                                        da47937af77e6d76141d22405ea9f29c

                                        SHA1

                                        c0aeb63d69872b35db4b15bd4929105fdedb07c2

                                        SHA256

                                        75dfcf258e4c980d6f958ce877cc839a55a0769e2ae4e4ecfd25968846dc1b8f

                                        SHA512

                                        d1ce3b3c8242eb3a3675f0f5cf73dc502488b8dd19cd8cdb8ab66ef3dd409ee25bb3e031b99ffaa7d9f5928085167ae5275efdab1a240a50f025fe57db2fbcdb

                                      • C:\Users\Admin\AppData\Local\Temp\Tar4771.tmp

                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                      • C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

                                        Filesize

                                        203B

                                        MD5

                                        49c37e460a60ef39a4c259181c9b0b53

                                        SHA1

                                        18b94771000ba48fd5c8dec166ebd765d0c3e29b

                                        SHA256

                                        ce48c5f5793f2b30e3468124acf6092af51e28de2b4a6549efca3cd4fa0e0292

                                        SHA512

                                        b7fb705bca55391c631ec4814b75e41c121e5ac54eb0fbba2e7cf0769d4370515f7c057e169bd5d2e28db5a1ba9285322a4be80e321c6b0b959fb27f65ffc88d

                                      • C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

                                        Filesize

                                        203B

                                        MD5

                                        558bcc199272863f52ac9f2e82bbe589

                                        SHA1

                                        edcc3924f2913146b5a24a4f33c11b62186ec6a4

                                        SHA256

                                        e598802badd14fe8bddd3bf3524efc17795b62d96805ae02b785f43284a142d7

                                        SHA512

                                        c9e240957f4c46cad8c48dde589aae163a832db8459ed9b660e5e984c247f6fe58ae1fb1be8d9e045e03af580a38053fa2c36411e9fba99d268a2204aea848e8

                                      • C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

                                        Filesize

                                        203B

                                        MD5

                                        b955f3522401f9b3e69d76caea2c646c

                                        SHA1

                                        67666a59733c2655f612a839b586f3be874f0aea

                                        SHA256

                                        56c1a962e833c63cbd6d522fef46770dca9a92424b34ff41c73e0c8a62154666

                                        SHA512

                                        f5c766275516083a162c9c6157e3c4f5cb7994f72feefbf131414ff47d32f749736d07ed910347cd365751df2a648dc0097cef0c239a62fc8f3db0d023660df9

                                      • C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat

                                        Filesize

                                        203B

                                        MD5

                                        565e82039b88dd560ae0e24ed81cf5ca

                                        SHA1

                                        6502965991b0db979a134be0a81003635e49ef9b

                                        SHA256

                                        7394d25b9905544a5c415a9b13a623bb15517f094fbee3881e485d9cd985b169

                                        SHA512

                                        075413a5911212e51e1407fbbd6c9760aad607678d7008f81820bf331a232a359c9239a6366cb3e6e421d0208725d28f4cd09911d4b8f9af8333a4c301766929

                                      • C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

                                        Filesize

                                        203B

                                        MD5

                                        1c9f8fed7da88d35c79a0395b2372f66

                                        SHA1

                                        69d2d2817f279284da4e2653d07e2ee1f671661a

                                        SHA256

                                        3bfe7f798590a095744e6ccbcf66ceca8ab4bd4b84583881707f60f2afd7041e

                                        SHA512

                                        c95a21d948317dddccd456fc72b05bc94a49c1be83ec889e1315b31e959e708553aaafd0314f0796854ee754bb9a56f533e184af7f7bcaa488263d8c1a649569

                                      • C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat

                                        Filesize

                                        203B

                                        MD5

                                        8db8dff4c9ac161374b0906436b1bb5b

                                        SHA1

                                        a3b0e817f4ee92b52da1c7c260739664af96da2b

                                        SHA256

                                        81d6f25a287902599d0bee0fadf281ef44039a5778a80fa2272bf21f305d7908

                                        SHA512

                                        8bef6c741b8e944fbd19a20c43ff7358a3f9c783623debd5327a192042a3f1dc216ef29b46aa2cc80b00d257f03a7e36007fdacea1e766efb9c91c2bfd6e86c1

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                        Filesize

                                        7KB

                                        MD5

                                        69920ed84b1d8608749d96e47b64d264

                                        SHA1

                                        0af420710ea2213292bc563bbafb6621d86f11e5

                                        SHA256

                                        9168b19a40c8a07eb1e346475709b96a27a91ae2e9fb2c400e214abcc80e8fee

                                        SHA512

                                        abb2a69f185583093710601cb8d0720eacee2246d5ed655c571b02f775c36b84987fd9df57333b07095041efa61e62e58ac95ecbb63890cd65bb56b9047f976b

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • memory/664-647-0x00000000012F0000-0x0000000001400000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1000-288-0x00000000008F0000-0x0000000000A00000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1000-289-0x0000000000400000-0x0000000000412000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1700-587-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1728-73-0x0000000000350000-0x0000000000362000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1728-50-0x0000000000070000-0x0000000000180000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1772-66-0x000000001B740000-0x000000001BA22000-memory.dmp

                                        Filesize

                                        2.9MB

                                      • memory/2192-468-0x00000000001D0000-0x00000000001E2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2352-168-0x0000000001380000-0x0000000001490000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2404-228-0x0000000000320000-0x0000000000430000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2508-67-0x00000000021F0000-0x00000000021F8000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/2688-17-0x0000000000360000-0x000000000036C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2688-16-0x0000000000260000-0x000000000026C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2688-15-0x0000000000250000-0x000000000025C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2688-14-0x0000000000240000-0x0000000000252000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2688-13-0x0000000000FE0000-0x00000000010F0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/3000-349-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

                                        Filesize

                                        1.1MB