dcrat | 3c5af308bf4ddad79422caea4295d14ae2e5628a600ac7ddcc2a77a0a070d207

General

Target

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
Size

3.0MB
MD5

2600cbb9ad38c10aca6ac4a91900cc84
SHA1

f670e02edea5048e57c089ae4042f1f00a5790f0
SHA256

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847
SHA512

06da17684e3d84105b9872d1b74af780d0ffcbf80c2e2aae08ecde9c7991372feb4498594ec62468049e739ec71c11ddc3bf3aa05ea1875178e235441819a00b
SSDEEP

49152:0f2OK9jJIoFe/S7zrfL3pmRk/5JaANZr/LHFTYUjy3/q3KgW:19jlw8rfjpmRc3/ZvlTtjVj

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3704	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2548-0-0x0000000000490000-0x0000000000718000-memory.dmp	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\RuntimeBroker.exe	dcrat
C:\Recovery\WindowsRE\msedge.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

Executes dropped EXE 1 IoCs

Processes:

msedge.exe

pid process

1676 msedge.exe

pid	process
1676	msedge.exe

Drops file in Program Files directory 13 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\VideoLAN\VLC\csrss.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\upfc.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\Registry.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\Common Files\Services\c5b4cb5e9653cc	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\Google\CrashReports\ee2ad38f3d4382	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\66fc9ff0ee96c2	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\VideoLAN\VLC\886983d96e3d3e	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\Common Files\Services\services.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\ea1d8f6d871115	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\Google\CrashReports\Registry.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\fontdrvhost.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\5b884080fd4f94	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

Drops file in Windows directory 6 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

description	ioc	process
File created	C:\Windows\Prefetch\ReadyBoot\SppExtComObj.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\Prefetch\ReadyBoot\e1ef82546f0b02	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\Logs\SettingSync\msedge.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\Logs\SettingSync\61a52ddc9dd915	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\ja-JP\winlogon.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\ja-JP\cc11b995f2a76d	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1092	schtasks.exe
2584	schtasks.exe
2928	schtasks.exe
1520	schtasks.exe
4708	schtasks.exe
3128	schtasks.exe
4404	schtasks.exe
2268	schtasks.exe
400	schtasks.exe
1884	schtasks.exe
1760	schtasks.exe
3504	schtasks.exe
4564	schtasks.exe
2352	schtasks.exe
4468	schtasks.exe
1540	schtasks.exe
1288	schtasks.exe
908	schtasks.exe
4664	schtasks.exe
5032	schtasks.exe
220	schtasks.exe
1420	schtasks.exe
2572	schtasks.exe
3120	schtasks.exe
4620	schtasks.exe
2376	schtasks.exe
3188	schtasks.exe
3412	schtasks.exe
4944	schtasks.exe
1256	schtasks.exe
4876	schtasks.exe
3880	schtasks.exe
2800	schtasks.exe
5108	schtasks.exe
1748	schtasks.exe
4104	schtasks.exe
4972	schtasks.exe
1732	schtasks.exe
2148	schtasks.exe
3264	schtasks.exe
3940	schtasks.exe
2652	schtasks.exe
3572	schtasks.exe
440	schtasks.exe
3196	schtasks.exe
3156	schtasks.exe
4808	schtasks.exe
3624	schtasks.exe
3996	schtasks.exe
1768	schtasks.exe
2084	schtasks.exe
5096	schtasks.exe
2184	schtasks.exe
3820	schtasks.exe
1212	schtasks.exe
3172	schtasks.exe
1900	schtasks.exe

Modifies registry class 1 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exemsedge.exe

pid	process
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe
1676	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exemsedge.exe

description	pid	process
Token: SeDebugPrivilege	2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
Token: SeDebugPrivilege	1676	msedge.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.execmd.exe

description	pid	process	target process
PID 2548 wrote to memory of 872	2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe	cmd.exe
PID 2548 wrote to memory of 872	2548	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe	cmd.exe
PID 872 wrote to memory of 2076	872	cmd.exe	w32tm.exe
PID 872 wrote to memory of 2076	872	cmd.exe	w32tm.exe
PID 872 wrote to memory of 1676	872	cmd.exe	msedge.exe
PID 872 wrote to memory of 1676	872	cmd.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
"C:\Users\Admin\AppData\Local\Temp\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5RmOGkisT.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2076

C:\Recovery\WindowsRE\msedge.exe
"C:\Recovery\WindowsRE\msedge.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\SettingSync\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\SettingSync\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\odt\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\en-US\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\en-US\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\msedge.exe
Filesize
2.1MB

MD5
1052e3834e4d66eed486452d1151b90c

SHA1
b73e621c2c286a9f203926cbd98896c9246b1d90

SHA256
1ba5a4bbf6118e1c09ae740fbcc3216644ad1d260f2b640a4fedb5fd9dbdd9f7

SHA512
7b768dfab7b2d03ac15472b99459075a2601f7bde70ea35a3a128f8497496aa124262fc4426c4e71c923e884e70b8f54dfaacbd1327c5fa1ffc129a148640629

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5RmOGkisT.bat
Filesize
197B

MD5
742d39a6fb81f75d03286dfa8236d253

SHA1
450731e6fb02e0033f5ae9f03498240983c0a5ef

SHA256
5588ab259aeff8adb043d040e63953c503b130cc12ce5193f1eaa6f638e69461

SHA512
694426c4496e154052626aa8b2ba99e42ce721df842e7cf0ffcdf82f54eed5b1e0ca83f2d3caf3cee3ce4e8f731433663f2a4e0a2e847e1731dbd9106b5a4a85

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\RuntimeBroker.exe
Filesize
3.0MB

MD5
2600cbb9ad38c10aca6ac4a91900cc84

SHA1
f670e02edea5048e57c089ae4042f1f00a5790f0

SHA256
e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847

SHA512
06da17684e3d84105b9872d1b74af780d0ffcbf80c2e2aae08ecde9c7991372feb4498594ec62468049e739ec71c11ddc3bf3aa05ea1875178e235441819a00b

Download Submit
memory/1676-71-0x00007FFFD66B0000-0x00007FFFD7171000-memory.dmp

Filesize
10.8MB

Download
memory/1676-69-0x000000001B050000-0x000000001B060000-memory.dmp

Filesize
64KB

Download
memory/1676-68-0x00007FFFD66B0000-0x00007FFFD7171000-memory.dmp

Filesize
10.8MB

Download
memory/1676-67-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/1676-66-0x000000001AFC0000-0x000000001B016000-memory.dmp

Filesize
344KB

Download
memory/1676-65-0x000000001B050000-0x000000001B060000-memory.dmp

Filesize
64KB

Download
memory/1676-64-0x00007FFFD66B0000-0x00007FFFD7171000-memory.dmp

Filesize
10.8MB

Download
memory/2548-4-0x00000000029D0000-0x0000000002A20000-memory.dmp

Filesize
320KB

Download
memory/2548-8-0x000000001C0C0000-0x000000001C5E8000-memory.dmp

Filesize
5.2MB

Download
memory/2548-15-0x0000000002B80000-0x0000000002B8C000-memory.dmp

Filesize
48KB

Download
memory/2548-14-0x0000000002B70000-0x0000000002B78000-memory.dmp

Filesize
32KB

Download
memory/2548-12-0x0000000002B50000-0x0000000002B58000-memory.dmp

Filesize
32KB

Download
memory/2548-11-0x0000000002A20000-0x0000000002A2E000-memory.dmp

Filesize
56KB

Download
memory/2548-10-0x0000000002970000-0x000000000297C000-memory.dmp

Filesize
48KB

Download
memory/2548-59-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

Filesize
10.8MB

Download
memory/2548-9-0x0000000002960000-0x000000000296C000-memory.dmp

Filesize
48KB

Download
memory/2548-13-0x0000000002B60000-0x0000000002B6C000-memory.dmp

Filesize
48KB

Download
memory/2548-7-0x0000000001080000-0x0000000001092000-memory.dmp

Filesize
72KB

Download
memory/2548-0-0x0000000000490000-0x0000000000718000-memory.dmp

Filesize
2.5MB

Download
memory/2548-6-0x0000000002980000-0x00000000029D6000-memory.dmp

Filesize
344KB

Download
memory/2548-5-0x0000000001060000-0x0000000001076000-memory.dmp

Filesize
88KB

Download
memory/2548-3-0x0000000001030000-0x000000000104C000-memory.dmp

Filesize
112KB

Download
memory/2548-2-0x000000001B580000-0x000000001B590000-memory.dmp

Filesize
64KB

Download
memory/2548-1-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads