8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3

Analysis

max time kernel
122s
max time network
138s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe
Size

938KB
MD5

ca086522c41a01059042774cee7635b1
SHA1

e5fc28a8c56cca5f50c7312f55f429d72bbede94
SHA256

8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3
SHA512

6d34519ef624e90e78eda3b28b35ceffe58c2a20b1d80b3060f485900971450df91d19b64b3ce3147aa68efe8fb93707c9efef6027cf4f09328230c43deba308
SSDEEP

24576:VyFtfh77VfEuFhBhjVxWcFwb27awxCIoTgQ:wHh77VfzzXaoawKT

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2768	x2619965.exe
2620	x3111465.exe
2640	x7286830.exe
2512	g4040312.exe

Loads dropped DLL 12 IoCs

pid	Process
2648	8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe
2768	x2619965.exe
2768	x2619965.exe
2620	x3111465.exe
2620	x3111465.exe
2640	x7286830.exe
2640	x7286830.exe
2512	g4040312.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2619965.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3111465.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7286830.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2624	2512	g4040312.exe	33

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2484	2512	WerFault.exe	32
2156	2624	WerFault.exe	33

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2768	2648	8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe	29
PID 2648 wrote to memory of 2768	2648	8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe	29
PID 2648 wrote to memory of 2768	2648	8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe	29
PID 2648 wrote to memory of 2768	2648	8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe	29
PID 2648 wrote to memory of 2768	2648	8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe	29
PID 2648 wrote to memory of 2768	2648	8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe	29
PID 2648 wrote to memory of 2768	2648	8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe	29
PID 2768 wrote to memory of 2620	2768	x2619965.exe	30
PID 2768 wrote to memory of 2620	2768	x2619965.exe	30
PID 2768 wrote to memory of 2620	2768	x2619965.exe	30
PID 2768 wrote to memory of 2620	2768	x2619965.exe	30
PID 2768 wrote to memory of 2620	2768	x2619965.exe	30
PID 2768 wrote to memory of 2620	2768	x2619965.exe	30
PID 2768 wrote to memory of 2620	2768	x2619965.exe	30
PID 2620 wrote to memory of 2640	2620	x3111465.exe	31
PID 2620 wrote to memory of 2640	2620	x3111465.exe	31
PID 2620 wrote to memory of 2640	2620	x3111465.exe	31
PID 2620 wrote to memory of 2640	2620	x3111465.exe	31
PID 2620 wrote to memory of 2640	2620	x3111465.exe	31
PID 2620 wrote to memory of 2640	2620	x3111465.exe	31
PID 2620 wrote to memory of 2640	2620	x3111465.exe	31
PID 2640 wrote to memory of 2512	2640	x7286830.exe	32
PID 2640 wrote to memory of 2512	2640	x7286830.exe	32
PID 2640 wrote to memory of 2512	2640	x7286830.exe	32
PID 2640 wrote to memory of 2512	2640	x7286830.exe	32
PID 2640 wrote to memory of 2512	2640	x7286830.exe	32
PID 2640 wrote to memory of 2512	2640	x7286830.exe	32
PID 2640 wrote to memory of 2512	2640	x7286830.exe	32
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2624	2512	g4040312.exe	33
PID 2512 wrote to memory of 2484	2512	g4040312.exe	34
PID 2512 wrote to memory of 2484	2512	g4040312.exe	34
PID 2512 wrote to memory of 2484	2512	g4040312.exe	34
PID 2512 wrote to memory of 2484	2512	g4040312.exe	34
PID 2512 wrote to memory of 2484	2512	g4040312.exe	34
PID 2512 wrote to memory of 2484	2512	g4040312.exe	34
PID 2512 wrote to memory of 2484	2512	g4040312.exe	34
PID 2624 wrote to memory of 2156	2624	AppLaunch.exe	35
PID 2624 wrote to memory of 2156	2624	AppLaunch.exe	35
PID 2624 wrote to memory of 2156	2624	AppLaunch.exe	35
PID 2624 wrote to memory of 2156	2624	AppLaunch.exe	35
PID 2624 wrote to memory of 2156	2624	AppLaunch.exe	35
PID 2624 wrote to memory of 2156	2624	AppLaunch.exe	35
PID 2624 wrote to memory of 2156	2624	AppLaunch.exe	35

C:\Users\Admin\AppData\Local\Temp\8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe
"C:\Users\Admin\AppData\Local\Temp\8009812292319d8757ae447fb672266d74248d88c7a10c5b1ec33691ba08c6d3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2619965.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2619965.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3111465.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3111465.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7286830.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7286830.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4040312.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4040312.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 268
        7⤵
        Program crash
        
        PID:2156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 272
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2619965.exe

Filesize
837KB

MD5
d714e1b95fa4310498395ad80a1aafc9

SHA1
a2d547961f6e2572ef79b1d5e1e19c52319e4c52

SHA256
96a2d961785b03be8e9ebfa221a38d2653a9e523b26546233e88659a75417df2

SHA512
6c3d774985ff8528b227690d4ad2b7aa75e6533e2c0fe6a3fe8f9d81ac8945676ae22bd6bdcafb6efa82e6fc4408109b533a53dcec79840cf9a3613089f02379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2619965.exe

Filesize
837KB

MD5
d714e1b95fa4310498395ad80a1aafc9

SHA1
a2d547961f6e2572ef79b1d5e1e19c52319e4c52

SHA256
96a2d961785b03be8e9ebfa221a38d2653a9e523b26546233e88659a75417df2

SHA512
6c3d774985ff8528b227690d4ad2b7aa75e6533e2c0fe6a3fe8f9d81ac8945676ae22bd6bdcafb6efa82e6fc4408109b533a53dcec79840cf9a3613089f02379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3111465.exe

Filesize
571KB

MD5
6d1a87bc623070f0e967d82b6bc84099

SHA1
7739414c4e5aab1f5231a7024ba3ea25f23be30e

SHA256
49972facb0b198f8da58450a540075966fd22da5e78cc1a1e9790afa5623ae82

SHA512
0eb27f1641c479eea50c9a3fd136532bed531595b2bc0ae2999ac42233fb057dd0f86a54120283ed2f54d0b8c52ccbf2c180e2784d986657db79abe070d60243

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3111465.exe

Filesize
571KB

MD5
6d1a87bc623070f0e967d82b6bc84099

SHA1
7739414c4e5aab1f5231a7024ba3ea25f23be30e

SHA256
49972facb0b198f8da58450a540075966fd22da5e78cc1a1e9790afa5623ae82

SHA512
0eb27f1641c479eea50c9a3fd136532bed531595b2bc0ae2999ac42233fb057dd0f86a54120283ed2f54d0b8c52ccbf2c180e2784d986657db79abe070d60243

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7286830.exe

Filesize
394KB

MD5
4afef9f4c0c679e3542f1c74cbe49318

SHA1
089220c2ce00c06b728fa9eb04970ae4da37b1bf

SHA256
3bda942bcf45d7e74f471700b36957beca10ecd5017086919fe9449695b48f6a

SHA512
b0eaeb6a7ea9ca24d623c7c096623d47e6ff502e2e27778a9707167ba6de639aa2c0d688abca12e9b60e43ca5547fef559531de564db21724452da276c9d79d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7286830.exe

Filesize
394KB

MD5
4afef9f4c0c679e3542f1c74cbe49318

SHA1
089220c2ce00c06b728fa9eb04970ae4da37b1bf

SHA256
3bda942bcf45d7e74f471700b36957beca10ecd5017086919fe9449695b48f6a

SHA512
b0eaeb6a7ea9ca24d623c7c096623d47e6ff502e2e27778a9707167ba6de639aa2c0d688abca12e9b60e43ca5547fef559531de564db21724452da276c9d79d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4040312.exe

Filesize
365KB

MD5
d2d35a9aec70a49e214687b3a4928976

SHA1
3753d9f415359409e2f5a2ab23c70c4a9722bfd8

SHA256
b01602fd83cb5f034fb3e392626147e9055ab138c1cad84b369885a668691c5b

SHA512
5b77f90ec2de93f87c07b226b32654044d16bdc109f06dda37c0600cb1cc911223333ed1a485d0009426ac10874c061935d86831a016b95e97b2bc9281e4149e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4040312.exe

Filesize
365KB

MD5
d2d35a9aec70a49e214687b3a4928976

SHA1
3753d9f415359409e2f5a2ab23c70c4a9722bfd8

SHA256
b01602fd83cb5f034fb3e392626147e9055ab138c1cad84b369885a668691c5b

SHA512
5b77f90ec2de93f87c07b226b32654044d16bdc109f06dda37c0600cb1cc911223333ed1a485d0009426ac10874c061935d86831a016b95e97b2bc9281e4149e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2619965.exe

Filesize
837KB

MD5
d714e1b95fa4310498395ad80a1aafc9

SHA1
a2d547961f6e2572ef79b1d5e1e19c52319e4c52

SHA256
96a2d961785b03be8e9ebfa221a38d2653a9e523b26546233e88659a75417df2

SHA512
6c3d774985ff8528b227690d4ad2b7aa75e6533e2c0fe6a3fe8f9d81ac8945676ae22bd6bdcafb6efa82e6fc4408109b533a53dcec79840cf9a3613089f02379

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2619965.exe

Filesize
837KB

MD5
d714e1b95fa4310498395ad80a1aafc9

SHA1
a2d547961f6e2572ef79b1d5e1e19c52319e4c52

SHA256
96a2d961785b03be8e9ebfa221a38d2653a9e523b26546233e88659a75417df2

SHA512
6c3d774985ff8528b227690d4ad2b7aa75e6533e2c0fe6a3fe8f9d81ac8945676ae22bd6bdcafb6efa82e6fc4408109b533a53dcec79840cf9a3613089f02379

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3111465.exe

Filesize
571KB

MD5
6d1a87bc623070f0e967d82b6bc84099

SHA1
7739414c4e5aab1f5231a7024ba3ea25f23be30e

SHA256
49972facb0b198f8da58450a540075966fd22da5e78cc1a1e9790afa5623ae82

SHA512
0eb27f1641c479eea50c9a3fd136532bed531595b2bc0ae2999ac42233fb057dd0f86a54120283ed2f54d0b8c52ccbf2c180e2784d986657db79abe070d60243

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3111465.exe

Filesize
571KB

MD5
6d1a87bc623070f0e967d82b6bc84099

SHA1
7739414c4e5aab1f5231a7024ba3ea25f23be30e

SHA256
49972facb0b198f8da58450a540075966fd22da5e78cc1a1e9790afa5623ae82

SHA512
0eb27f1641c479eea50c9a3fd136532bed531595b2bc0ae2999ac42233fb057dd0f86a54120283ed2f54d0b8c52ccbf2c180e2784d986657db79abe070d60243

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7286830.exe

Filesize
394KB

MD5
4afef9f4c0c679e3542f1c74cbe49318

SHA1
089220c2ce00c06b728fa9eb04970ae4da37b1bf

SHA256
3bda942bcf45d7e74f471700b36957beca10ecd5017086919fe9449695b48f6a

SHA512
b0eaeb6a7ea9ca24d623c7c096623d47e6ff502e2e27778a9707167ba6de639aa2c0d688abca12e9b60e43ca5547fef559531de564db21724452da276c9d79d2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7286830.exe

Filesize
394KB

MD5
4afef9f4c0c679e3542f1c74cbe49318

SHA1
089220c2ce00c06b728fa9eb04970ae4da37b1bf

SHA256
3bda942bcf45d7e74f471700b36957beca10ecd5017086919fe9449695b48f6a

SHA512
b0eaeb6a7ea9ca24d623c7c096623d47e6ff502e2e27778a9707167ba6de639aa2c0d688abca12e9b60e43ca5547fef559531de564db21724452da276c9d79d2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4040312.exe

Filesize
365KB

MD5
d2d35a9aec70a49e214687b3a4928976

SHA1
3753d9f415359409e2f5a2ab23c70c4a9722bfd8

SHA256
b01602fd83cb5f034fb3e392626147e9055ab138c1cad84b369885a668691c5b

SHA512
5b77f90ec2de93f87c07b226b32654044d16bdc109f06dda37c0600cb1cc911223333ed1a485d0009426ac10874c061935d86831a016b95e97b2bc9281e4149e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4040312.exe

Filesize
365KB

MD5
d2d35a9aec70a49e214687b3a4928976

SHA1
3753d9f415359409e2f5a2ab23c70c4a9722bfd8

SHA256
b01602fd83cb5f034fb3e392626147e9055ab138c1cad84b369885a668691c5b

SHA512
5b77f90ec2de93f87c07b226b32654044d16bdc109f06dda37c0600cb1cc911223333ed1a485d0009426ac10874c061935d86831a016b95e97b2bc9281e4149e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4040312.exe

Filesize
365KB

MD5
d2d35a9aec70a49e214687b3a4928976

SHA1
3753d9f415359409e2f5a2ab23c70c4a9722bfd8

SHA256
b01602fd83cb5f034fb3e392626147e9055ab138c1cad84b369885a668691c5b

SHA512
5b77f90ec2de93f87c07b226b32654044d16bdc109f06dda37c0600cb1cc911223333ed1a485d0009426ac10874c061935d86831a016b95e97b2bc9281e4149e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4040312.exe

Filesize
365KB

MD5
d2d35a9aec70a49e214687b3a4928976

SHA1
3753d9f415359409e2f5a2ab23c70c4a9722bfd8

SHA256
b01602fd83cb5f034fb3e392626147e9055ab138c1cad84b369885a668691c5b

SHA512
5b77f90ec2de93f87c07b226b32654044d16bdc109f06dda37c0600cb1cc911223333ed1a485d0009426ac10874c061935d86831a016b95e97b2bc9281e4149e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4040312.exe

Filesize
365KB

MD5
d2d35a9aec70a49e214687b3a4928976

SHA1
3753d9f415359409e2f5a2ab23c70c4a9722bfd8

SHA256
b01602fd83cb5f034fb3e392626147e9055ab138c1cad84b369885a668691c5b

SHA512
5b77f90ec2de93f87c07b226b32654044d16bdc109f06dda37c0600cb1cc911223333ed1a485d0009426ac10874c061935d86831a016b95e97b2bc9281e4149e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4040312.exe

Filesize
365KB

MD5
d2d35a9aec70a49e214687b3a4928976

SHA1
3753d9f415359409e2f5a2ab23c70c4a9722bfd8

SHA256
b01602fd83cb5f034fb3e392626147e9055ab138c1cad84b369885a668691c5b

SHA512
5b77f90ec2de93f87c07b226b32654044d16bdc109f06dda37c0600cb1cc911223333ed1a485d0009426ac10874c061935d86831a016b95e97b2bc9281e4149e

Download Submit
memory/2624-50-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-48-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-55-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-53-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-46-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-44-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-42-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2624-41-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads