amadey | 71dce0a244a32bbf6b0724c4ea19e5e4cf99a34312d8153493d45ff828af0bf0

Analysis

max time kernel
2s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 02:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d4a553b6c7406ef85d0a8f14d63d755bb7015f441742b03e18e3865297279219.exe
Size

537KB
MD5

f16e3b152eccccc052822f31e5544c4b
SHA1

0dd1fc2d912b2f510f3466f657a61fbbb670c4a5
SHA256

d4a553b6c7406ef85d0a8f14d63d755bb7015f441742b03e18e3865297279219
SHA512

31ccd9830b65a66acee22963ebd96e089ee9907cdaa98446fec62a48b11f11673884223dba63fe73e4feb6d0da44df3ea0043b07ab63dfeeec5d23dd88def80b
SSDEEP

12288:g2eElvdNWyjjfO6PczwPUBZSGLCQrW6j7I7Dov:9e4WyHf7Uzw8GGLRr/A7Dov

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.14

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 38 IoCs

pid	pid_target	Process	procid_target
5040	3120	WerFault.exe	14
2928	3120	WerFault.exe	14
5068	3120	WerFault.exe	14
3504	3120	WerFault.exe	14
1072	3120	WerFault.exe	14
4784	3120	WerFault.exe	14
3988	3120	WerFault.exe	14
4136	3120	WerFault.exe	14
4840	3120	WerFault.exe	14
640	3120	WerFault.exe	14
3344	3120	WerFault.exe	14
4464	636	WerFault.exe	81
3992	636	WerFault.exe	81
3516	636	WerFault.exe	81
2700	636	WerFault.exe	81
868	636	WerFault.exe	81
2972	636	WerFault.exe	81
4976	636	WerFault.exe	81
1588	636	WerFault.exe	81
996	636	WerFault.exe	81
5104	636	WerFault.exe	81
5108	636	WerFault.exe	81
1600	636	WerFault.exe	81
4012	636	WerFault.exe	81
4852	636	WerFault.exe	81
4608	636	WerFault.exe	81
3564	636	WerFault.exe	81
2768	636	WerFault.exe	81
4040	636	WerFault.exe	81
3520	636	WerFault.exe	81
3584	64	WerFault.exe	162
3824	636	WerFault.exe	81
2280	3748	WerFault.exe	170
2196	636	WerFault.exe	81
3392	636	WerFault.exe	81
916	636	WerFault.exe	81
2132	636	WerFault.exe	81
4164	636	WerFault.exe	81

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2180	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3120	d4a553b6c7406ef85d0a8f14d63d755bb7015f441742b03e18e3865297279219.exe

C:\Users\Admin\AppData\Local\Temp\d4a553b6c7406ef85d0a8f14d63d755bb7015f441742b03e18e3865297279219.exe
"C:\Users\Admin\AppData\Local\Temp\d4a553b6c7406ef85d0a8f14d63d755bb7015f441742b03e18e3865297279219.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 580
  2⤵
  - Program crash
  PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 664
  2⤵
  - Program crash
  PID:2928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 740
  2⤵
  - Program crash
  PID:5068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 844
  2⤵
  - Program crash
  PID:3504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 752
  2⤵
  - Program crash
  PID:1072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 752
  2⤵
  - Program crash
  PID:4784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1104
  2⤵
  - Program crash
  PID:3988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1112
  2⤵
  - Program crash
  PID:4136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1216
  2⤵
  - Program crash
  PID:4840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1000
  2⤵
  - Program crash
  PID:640
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
  2⤵
  PID:636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 604
    3⤵
    - Program crash
    PID:4464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 740
    3⤵
    - Program crash
    PID:3992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 828
    3⤵
    - Program crash
    PID:3516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 972
    3⤵
    - Program crash
    PID:2700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 972
    3⤵
    - Program crash
    PID:868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 996
    3⤵
    - Program crash
    PID:2972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1048
    3⤵
    - Program crash
    PID:4976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 908
    3⤵
    - Program crash
    PID:1588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 668
    3⤵
    - Program crash
    PID:996
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 604
    3⤵
    - Program crash
    PID:5104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1228
    3⤵
    - Program crash
    PID:5108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1252
    3⤵
    - Program crash
    PID:1600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1272
    3⤵
    - Program crash
    PID:4012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1336
    3⤵
    - Program crash
    PID:4852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1336
    3⤵
    - Program crash
    PID:4608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1420
    3⤵
    - Program crash
    PID:3564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1480
    3⤵
    - Program crash
    PID:2768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1572
    3⤵
    - Program crash
    PID:4040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1528
    3⤵
    - Program crash
    PID:3520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1028
    3⤵
    - Program crash
    PID:3824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1704
    3⤵
    - Program crash
    PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1256
    3⤵
    - Program crash
    PID:3392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1488
    3⤵
    - Program crash
    PID:916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1700
    3⤵
    - Program crash
    PID:2132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1632
    3⤵
    - Program crash
    PID:4164
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
    3⤵
    PID:3644
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      4⤵
      PID:468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1264
  2⤵
  - Program crash
  PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3120 -ip 3120
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3120 -ip 3120
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3120 -ip 3120
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3120 -ip 3120
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3120 -ip 3120
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3120 -ip 3120
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3120 -ip 3120
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3120 -ip 3120
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3120 -ip 3120
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3120 -ip 3120
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3120 -ip 3120
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 636 -ip 636
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 636 -ip 636
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 636 -ip 636
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 636 -ip 636
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 636 -ip 636
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 636 -ip 636
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 636 -ip 636
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 636 -ip 636
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 636 -ip 636
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 636 -ip 636
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 636 -ip 636
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 636 -ip 636
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 636 -ip 636
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 636 -ip 636
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 636 -ip 636
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 636 -ip 636
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 636 -ip 636
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 636 -ip 636
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 636 -ip 636
1⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
1⤵
PID:64
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 436
  2⤵
  - Program crash
  PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 64 -ip 64
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 636 -ip 636
1⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
1⤵
PID:3748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 252
  2⤵
  - Program crash
  PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3748 -ip 3748
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 636 -ip 636
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 636 -ip 636
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 636 -ip 636
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 636 -ip 636
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 636 -ip 636
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\232405761120

Filesize
79KB

MD5
0ce74a6cec7731c2454d1ad1a8189e90

SHA1
1e4dd17e5746a60806687543037ba20d2152902e

SHA256
6689b0e7b736cda96a60d88607714ffb1e72b4102d14858cd2b5020e3f323157

SHA512
239013800d9bc3673ef3bfde9995b23d677337f1e0798d1b18a68dcfde332c0f2ff3307309e7fbebde08bb9c8786f8a9d9be1feff1a919c8fbadbb721be583e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Filesize
93KB

MD5
0f695e80592489a3844aa0279c8415be

SHA1
b0d95193e3229f3bcadbc0515ccf24608cc569df

SHA256
bc4321dd0b2e6edda112428292a9b77c0f16c779c7baec1449e55808990914c2

SHA512
8ee72e54c8b9e52949fdd9505295e60f21068c8b64cdd88a82fe093867f7782d4fddf4ef8ca3238d79e727b0241afe39373a1ff1c2b3202d123fc578a651fdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Filesize
65KB

MD5
f648eacb8e35ba3aae3f2efed47aff65

SHA1
a9058693396274264ddb2ee08c411764b08e7621

SHA256
c8039ffb2a17d1e8343a1f5161a1d0a9cdf8e856d745b6ebf1018aad6eb2b6ca

SHA512
af61bddbae7a36ada1f14485daec932fa120dc3323b0a3fe5ec52ce74f70cba14721eea58d44920c802da38fde14eb25f906da4af1e44939206286f9c185052c

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Filesize
92KB

MD5
c187bb3ada0f721c2bcaf68d7032c4cb

SHA1
55fb50de7210c98f6154b41bd62c50dda76b78d8

SHA256
45708f0332de98bdb919234ef55a4f6cfdb8e91e6998d5f02ba738fa38229de4

SHA512
91bc0f54666732cabfda52c21c23a70997fc5cfea1ad70385a5266e97be95eb695d3dd6e35eb7bb4a44b52d5fb3df7fcf70e39126365b1e07c859405b2af9b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Filesize
375KB

MD5
70ec66aacda01aa750fe689b64ccccc0

SHA1
7d1fe8c7d3e210c5875b637dfbd01e815ae77997

SHA256
3aa757dda592b80ffdb38d6af5c190cb93f015e29c63f5283cab14a067b31090

SHA512
05d18c12af9f4936f4df30534e9c35fb33fb7aa20f03106984a5a47e4fa5eccfccaaa8a230ff6d27028b37067cff804f47c13a7764d62c35ae0832bb8cc5476e

Download Submit
memory/64-44-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/64-43-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/636-32-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/636-18-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/636-26-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/636-19-0x0000000000750000-0x00000000007BF000-memory.dmp

Filesize
444KB

Download
memory/636-31-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/636-20-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/636-42-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3120-1-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/3120-2-0x0000000002290000-0x00000000022FF000-memory.dmp

Filesize
444KB

Download
memory/3120-21-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3120-3-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3748-54-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3748-53-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads