b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034c

General

Target

b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
Size

304KB
MD5

dbc1b95fc203df887abd3ac7c836e280
SHA1

52694aefe466112c022877e27859d29ba9260382
SHA256

b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034c
SHA512

ff087958c6735b5e2af0e3b45760b4a9269e60bfbe47480e2f5f760279e60f333187907846bd248d6cd001d27a8810a3dfd596ad7f18a1a5049b29a0a4caae62
SSDEEP

6144:pq7n+STH0YoB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6MxE:y+SO6t3XGCByvNv54B9f01ZmHByvNE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe

Executes dropped EXE 6 IoCs

pid	Process
220	Delnin32.exe
1188	Ddonekbl.exe
4936	Deokon32.exe
3620	Dogogcpo.exe
1628	Dhocqigp.exe
4880	Dmllipeg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Ddonekbl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4692	4880	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 220	3152	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe	82
PID 3152 wrote to memory of 220	3152	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe	82
PID 3152 wrote to memory of 220	3152	b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe	82
PID 220 wrote to memory of 1188	220	Delnin32.exe	83
PID 220 wrote to memory of 1188	220	Delnin32.exe	83
PID 220 wrote to memory of 1188	220	Delnin32.exe	83
PID 1188 wrote to memory of 4936	1188	Ddonekbl.exe	84
PID 1188 wrote to memory of 4936	1188	Ddonekbl.exe	84
PID 1188 wrote to memory of 4936	1188	Ddonekbl.exe	84
PID 4936 wrote to memory of 3620	4936	Deokon32.exe	85
PID 4936 wrote to memory of 3620	4936	Deokon32.exe	85
PID 4936 wrote to memory of 3620	4936	Deokon32.exe	85
PID 3620 wrote to memory of 1628	3620	Dogogcpo.exe	86
PID 3620 wrote to memory of 1628	3620	Dogogcpo.exe	86
PID 3620 wrote to memory of 1628	3620	Dogogcpo.exe	86
PID 1628 wrote to memory of 4880	1628	Dhocqigp.exe	87
PID 1628 wrote to memory of 4880	1628	Dhocqigp.exe	87
PID 1628 wrote to memory of 4880	1628	Dhocqigp.exe	87

C:\Users\Admin\AppData\Local\Temp\b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe
"C:\Users\Admin\AppData\Local\Temp\b6fdc78bbf41c067aa271419d18c4643259143e33a1d546d4c47c8b8e807034cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\SysWOW64\Delnin32.exe
  C:\Windows\system32\Delnin32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\Ddonekbl.exe
    C:\Windows\system32\Ddonekbl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\SysWOW64\Deokon32.exe
      C:\Windows\system32\Deokon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
      - C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 408
        8⤵
        Program crash
        
        PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4880 -ip 4880
1⤵
PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
304KB

MD5
0fa3cfc896a774d56dd58278a2d16a51

SHA1
b679e8a511aa242b67d3e39343d4c9096cdb5ade

SHA256
b2b4edf2606c2ef0ccb69dda72ef386bd119d1a4784a7423036065c6f9346437

SHA512
3fc5297959367ac68ba5f1e96b1d12006c8b741a8865d41aae40e6dc70fd51637c8815e44be82d868ecce2a5495a1675799a1ae895bb93e913d3308674213083

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
304KB

MD5
da8b6b4ec6a3d8c7878360387db9a018

SHA1
05a4dd1b330673eb37f23e5b7d48c63bcfdb5d77

SHA256
dbe66ce7904ce80a297f8385753aebd9177b075129b060676a2ff5aafaa59fd6

SHA512
94081fd4c189819fffa31bec0aca2089a4c51e983d972264ef62abb902de0beb70710a2e4f9237383cb9591d3fb46102a19b38f6982fe55e2db607684fad66b7

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
304KB

MD5
0127c3a0bb75606be956b05f60b80c19

SHA1
aa13b435eb8a280541880c00e04dc6b757500fca

SHA256
9f1e9c28e53f14a43f95e483f4672be56ee37c49a3e6d5500b9aca27aa66f530

SHA512
dae56d5d328e721b3dcb6f0cceb88d2c564feb31f3c8472387dedc02b6a98ac4a5fa3b45356dd0929edd23154f66885a640a156e93d1cdad57fb3a2f30a2a6cc

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
304KB

MD5
26132065f75cb09b84ef343c5cf83684

SHA1
09eb54960cc53f5e26088a7c2e913358d4f18942

SHA256
3fab85e8ddc93c34ea1aed082f2c265cab8ead514bea2cb7193c74fcf7d525b1

SHA512
44bb3f8ad9d123c95077f3df4809c0f08022125ae014b467fc7075bd8dfbdc972feec9d4b2b4d2f6dc18bf87650bd7c6f76f8be1635685d266bafbf48a94cfbf

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
304KB

MD5
e53f6322558d9dd6d2eb7c795c332c7f

SHA1
83a07dd8850fd3e847d508d1a971428e097c45c8

SHA256
71548a8390b2ba47356051719e1d187ffdbe49df3d62a4eda455124beb5eb18f

SHA512
07dc553bd1a8bcba1ae4205c13f97395825993bf6bc55c2715f8fa22c134ff4082d013d6d4484431b1ee521e6c50f7578f0a054cd98e51550771351f1a77bb23

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
128KB

MD5
9d6d19010198483587e6bde30fcd2fcb

SHA1
2581274f4c6faed495cf059dbdc55f1ea4a32016

SHA256
a114626a5273f5f8ef03819fe72161e8ea5c235398a7e2ca2017aa040faf206c

SHA512
233495f63cbac11ffb258d8ed2fb15021be28ccc9522a7e891e687f75a9b17199525306f73c6802dfbd502801daa2dcb8580d31ce327177089b0e49739598bc3

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
304KB

MD5
dd1d891e779cd7cc6e961ec98c6e4a29

SHA1
979502fed7065b2ac8fca32b0edafa8f8f466480

SHA256
b3e245f29c854e5d017783cc89a21990db02991668390d81bc61cddf4c924278

SHA512
f27aa6f4ec127378478b27a59be4e17460406b7e8bec17ce15ec6b7a1385584d59fa0cec2c3ad153a47286ecdc3515dc538394f44be956c568ccfc3aa042ad60

Download Submit
C:\Windows\SysWOW64\Elkadb32.dll

Filesize
7KB

MD5
2080195a413315ec02db0512cb00a9b7

SHA1
0b367c92f321dec1a82f70397ddd6e79a524a58a

SHA256
66c43e218705b2e75d8460c87ef8e4964d99e456ea1c5d52be0f0683a4eb366b

SHA512
7465d01ae780c4e57d8efd714166349e93ed58a5cc8911929346531521661d8dab3513ec23f1c388edb3890425ed18b49b4cec18fa3f3c2b05090658866f9ddc

Download Submit
memory/220-54-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/220-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1188-53-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1188-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1628-50-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1628-39-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3152-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3152-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3620-31-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3620-51-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4880-47-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4880-49-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4936-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4936-52-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads