3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebff

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
Size

75KB
MD5

bcca47da54d142c7b9457c33a6ef6480
SHA1

3b878e2149febdb5b07ed2f0c0ea61817cc1830e
SHA256

3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebff
SHA512

8b639d4d1cc25f64b38c328736349db5f5fd4550928e561eabbec0432ab8abb1713c5d51eea81c75a9676f4a03f57fbebde4d33b79614d936d5b0f72c5c002d9
SSDEEP

1536:1x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3B:fOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPp

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000015fba-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2368	ctfmen.exe
2776	smnss.exe

Loads dropped DLL 6 IoCs

pid	Process
2508	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
2508	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
2508	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
2368	ctfmen.exe
2368	ctfmen.exe
2776	smnss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\T:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\G:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\W:	smnss.exe
File opened (read-only)	\??\X:	smnss.exe
File opened (read-only)	\??\L:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_locations.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssession_details.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.Wsman.Management.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_arrays.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_types.ps1xml.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_jobs.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_escape_characters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_prompts.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Reserved_Words.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW0460T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW1RC3L.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hptf735t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_environment_variables.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpb8500t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\KYW7QUR5.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO5600T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa620t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_jobs.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Arithmetic_Operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\System.Management.Automation.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Special_Characters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Signing.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\Amd64\EP0SBT00.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW9800T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\RICFG7.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WS-Management_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Special_Characters.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO6300T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8200T.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Redirection.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_profiles.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_modules.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4200t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky302.inf_amd64_ja-jp_dd74fe49601b74f6\Amd64\KYW7QURY.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa310t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\Microsoft.PowerShell.ConsoleHost.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_execution_policies.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Core_Commands.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_WS-Management_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500at.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\ipcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Quoting_Rules.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_requirements.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_methods.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_aliases.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_If.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_script_blocks.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_logical_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\fr-FR\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1400t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_preference_variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Special_Characters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_If.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4680t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Ref.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk8600t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Keywords.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Reserved_Words.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc8100t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Signing.help.txt	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.PH.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL106.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL002.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLINACC.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\TIME.XML	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html	smnss.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDIRM.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.UK.XML	smnss.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL082.XML	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	smnss.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL111.XML	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\PHONE.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.XML	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html	smnss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\diagnostics\index\NetworkDiagnostics_3_HomeGroup.xml	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1053\LocalizedData.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_remote_requirements.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-w..d-line-utility-base_31bf3856ad364e35_6.1.7600.16385_none_0da2254524b4bc0c\xsl-mappings.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Switch.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Throw.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd4300t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpl7600t.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.Network.xml	smnss.exe
File opened for modification	C:\Windows\servicing\Sessions\31129025_465135600.back.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-11.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_For.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-xpsreachviewer_31bf3856ad364e35_6.1.7600.16385_none_7110452767e88835\xpsrchvw.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_remote_FAQ.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-devices-dmrxml_31bf3856ad364e35_6.1.7600.16385_none_9d23d74d960a8256\MediaCenter.DigitalMediaRenderer.ConnectionManager.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\502.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_68bfa622c568dbc2\Report.System.Configuration.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_type_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\System.Management.Automation.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_do.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_pssessions.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ae1bce6b81c0916\flyout.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8700586a70797a4c\settings.html	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_remote_output.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..gadgetxml.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1cfa9fa3f3d7258b\gadget.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-18.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\Report.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8486739b50ee62de\gadget.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iesecuritydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_f28b13d21e65b224\IESecurityDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-netfx3-core_31bf3856ad364e35_6.1.7601.17514_none_c5c6d478f0c06fa1\FrameworkList.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4080c452718ce6e7\Report.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_script_blocks.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fd3784c9b57cdcbf\picturePuzzle.html	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\en-US\Report.System.Wireless.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-15.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_aliases.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Ref.help.txt	smnss.exe
File opened for modification	C:\Windows\ehome\en-US\epgtos.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\500-13.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_objects.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpc6200t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_debuggers.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_functions_advanced.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d1240af48795ef12\currency.html	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Summary.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.Wireless.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_functions_cmdletbindingattribute.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_remote_FAQ.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Core_Commands.help.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\Rules.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-14.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_pssessions.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_WS-Management_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..svc-extra.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_71715b0ed4b9200e\Report.System.Wireless.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_do.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_data_sections.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_type_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ThirdPartyNotices.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\en-US\Report.System.Memory.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\it-IT\Report.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_72fcae3cc365b3f2\Rules.System.NetTrace.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Continue.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_pssession_details.help.txt	smnss.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	smnss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2368	2508	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe	30
PID 2508 wrote to memory of 2368	2508	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe	30
PID 2508 wrote to memory of 2368	2508	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe	30
PID 2508 wrote to memory of 2368	2508	3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe	30
PID 2368 wrote to memory of 2776	2368	ctfmen.exe	31
PID 2368 wrote to memory of 2776	2368	ctfmen.exe	31
PID 2368 wrote to memory of 2776	2368	ctfmen.exe	31
PID 2368 wrote to memory of 2776	2368	ctfmen.exe	31

C:\Users\Admin\AppData\Local\Temp\3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe
"C:\Users\Admin\AppData\Local\Temp\3ab79ea70aeb605157c65bc5fc83cc803c8eb15e65780ba1d68807fdfc31ebffN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
23ee6572a8e1a2d3ed156f8da43276de

SHA1
6fb85c833369cc4f03615c9424a900d5508be10d

SHA256
0e5bef7d2a89114c4ff12d2c3e9af3f7a9763041269b1fa2781ce05b3532be9e

SHA512
e1cb7c0c3467cdf203318f5d86d9425b2ce99aedb30d45364341171ec265d62a8864dd6e4c020e2008ef15eef196c37ebc516013b75fa56503d4e316ca51af55

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
088fa6bee269ba0063ed207212e31377

SHA1
6b927117e1a04f28a35de85003ecd94c7230acff

SHA256
18f38b384b3767080d7943fe63cce7bd2f538a440b077297d4990b5dd81ffbd3

SHA512
39d0ded9127cbb712081af7a98f395675af39c5373ef8dabbbf7c5172af9ab027d532c04aa776119ee96f34359d61e2df09ed650d4aca45d36d7fee1ad36003e

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
a5f20701400c64425295efe014d3aec8

SHA1
442eb6d8f5adbc9eb929611c7adeabd7561895d6

SHA256
819c6d47da136266933ed14000b02d89a7f208fa8bd8856c94b07cc7282361e6

SHA512
706f201ac335d9f8fed1eb7e786a5456adc920b70e59bd25d6cda1d3a66a2d3f7449e1cedabea1fec01ada806e232cc54e8d8a2f1c64397fa773661cd7689d89

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
75KB

MD5
1a18b6bacc481d284bbfe215b935430f

SHA1
5fc78d90aad73d1e3f2c441281a33473fffa2fe3

SHA256
815c26b4bcefb500989bb81251d4d98ab905439b74c625b54cd1db8f169f0294

SHA512
d01437f0b8baf48c29e961641bbc7ef83974e2a7f8f61c3d2efa10abca4d2c50ac0db3bd178b9536a650f2df6b1fac6cd181e3f219371d4bc0eb9c270ab33043

Download Submit
memory/2368-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2368-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2508-11-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2508-18-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2508-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2508-23-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-40-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-41-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2776-42-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-46-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-48-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-50-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads