Analysis
-
max time kernel
136s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
12-07-2022 12:02
General
-
Target
4ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a.exe
-
Size
325KB
-
MD5
28215a5ed45d61536d22322602407aeb
-
SHA1
d4db7b54acd5a8f2f7022f3f947ad79e0226801a
-
SHA256
4ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a
-
SHA512
639ab48113f68f07e0573fcafac435aa5c41394572104a023f6c79ae33484a1b0c20765f7ffac2bf84e1ff715d0aacc08a927a24028d6863cdd0c31fad9896a5
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_RECoVERY_+nqtrx.txt
Family
teslacrypt
Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/9B1627686B7818F4
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4
http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4
Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/9B1627686B7818F4
URLs
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4
http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4
http://xlowfznrg4wf7dli.ONION/9B1627686B7818F4
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_RECoVERY_+nqtrx.html
Ransom Note
<html>
<style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }
.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center>
<div style="text-align:left; font-family:Arial; <!---4231213423142134231421342341234 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">
<b><font class="ttl"><center><b>NOT YOUR LANGUAGE? USE <a href="https://translate.google.com" target="_blank">Google Translate</a></b></center>
What<!------4231213423142134231421342341234 --> happened <!------4231213423142134231421342341234 --> to your<!------4231213423142134231421342341234 --> files?</b></font><br> <font style="font-size:13px;">All <!------4231213423142134231421342341234 -->of your files<!------4231213423142134231421342341234 --> were
<!------4231213423142134231421342341234 --> protected by a strong<!------4231213423142134231421342341234 --> encr<!---4231213423142134231421342341234 -->yption wi<!---4231213423142134231421342341234 -->th <!------4231213423142134231421342341234 -->RSA4096 <!------4231213423142134231421342341234 -->
<br> More <!------4231213423142134231421342341234 --> information about the <!------4231213423142134231421342341234 -->encryption RSA4096 can be<!------4231213423142134231421342341234 -->
fou<!---4231213423142134231421342341234 -->nd <a href= http://en.wikipedia.org/wiki/RSA_(cryptosystem) target="_blank"> htt<!--4231213423142134231421342341234 -->ps:<!--4231213423142134231421342341234 -->//en<!--4231213423142134231421342341234 -->.w<!--4231213423142134231421342341234 -->ikipedia<!--4231213423142134231421342341234 -->.<!--4231213423142134231421342341234 -->org/wiki/RSA_(cry<!--4231213423142134231421342341234 -->ptosystem) </a><br></font>
<br><b><font class="ttl">Wh<!--4231213423142134231421342341234 -->at <!------4231213423142134231421342341234 --> does th<!--4231213423142134231421342341234 -->is mean?</b></font><br><font style="font-size:13px;">
T<!--4231213423142134231421342341234 -->his<!------4231213423142134231421342341234 --> mea<!--4231213423142134231421342341234 -->ns that the <!------4231213423142134231421342341234 --> str<!--4231213423142134231421342341234 -->ucture and da<!--4231213423142134231421342341234 -->ta wi<!--4231213423142134231421342341234 -->thin your
<!------4231213423142134231421342341234 -->files ha<!--4231213423142134231421342341234 -->ve be<!--4231213423142134231421342341234 -->en<!------4231213423142134231421342341234 --> irre<!--4231213423142134231421342341234 -->voca<!--4231213423142134231421342341234 -->bly
changed, you will not be able work
wi<!--4231213423142134231421342341234 -->th
them, read<!------4231213423142134231421342341234 --> th<!--4231213423142134231421342341234 -->em or see them, <!------4231213423142134231421342341234 -->it is the s<!--4231213423142134231421342341234 -->ame thing
<!------4231213423142134231421342341234 -->as los<!--4231213423142134231421342341234 -->ing <!------4231213423142134231421342341234 -->them for<!--4231213423142134231421342341234 -->ever,
but with our he<!--4231213423142134231421342341234 -->lp, you <!------4231213423142134231421342341234 --> can re<!--4231213423142134231421342341234 -->st<!--4231213423142134231421342341234 -->ore t<!--4231213423142134231421342341234 -->hem
<br><br><b><font class="ttl"><!------4231213423142134231421342341234 -->Ho<!--4231213423142134231421342341234 -->w d<!--4231213423142134231421342341234 -->id th<!--4231213423142134231421342341234 -->is hap<!--4231213423142134231421342341234 -->pen?<!------4231213423142134231421342341234 --></b></font> <br> <!------4231213423142134231421342341234 -->
<font style="font-size:13px;"><!------4231213423142134231421342341234 --> Espec<!--4231213423142134231421342341234 -->ially for y<!--4231213423142134231421342341234 -->ou,<!------4231213423142134231421342341234 --> on our SER<!--4231213423142134231421342341234 -->VER <!------4231213423142134231421342341234 -->was gene<!--4231213423142134231421342341234 -->rated
<!------4231213423142134231421342341234 -->the sec<!--4231213423142134231421342341234 -->ret k<!--4231213423142134231421342341234 -->ey
<br>Al<!--4231213423142134231421342341234-->l y<!--4231213423142134231421342341234-->our <!------4231213423142134231421342341234 --> files w<!--4231213423142134231421342341234-->ere encry<!--4231213423142134231421342341234-->pted with the p<!--4231213423142134231421342341234-->ublic k<!--4231213423142134231421342341234-->ey,
<!------4231213423142134231421342341234 --> wh<!--4231213423142134231421342341234-->ich has b<!--4231213423142134231421342341234-->een <!------4231213423142134231421342341234 -->
trans<!--4231213423142134231421342341234-->ferred to <!------4231213423142134231421342341234 -->y<!--4231213423142134231421342341234-->our co<!--4231213423142134231421342341234-->mputer via <!------4231213423142134231421342341234 -->the Inter<!--4231213423142134231421342341234-->net.<!--4231213423142134231421342341234--><br>
<!------4231213423142134231421342341234 --> Decr<!--4231213423142134231421342341234-->ypting of <!------4231213423142134231421342341234 -->YO<!--4231213423142134231421342341234-->UR FI<!--4231213423142134231421342341234-->LES is
<!--4231213423142134231421342341234 -->on<!--4231213423142134231421342341234 -->ly p<!--4231213423142134231421342341234 -->oss<!--4231213423142134231421342341234-->ible <!--- -4231213423142134231421342341234 -->w<!--4231213423142134231421342341234 -->ith the he<!--4231213423142134231421342341234-->lp of t<!--4231213423142134231421342341234 -->he <!----4231213423142134231421342341234 -->pri<!--4231213423142134231421342341234-->va<!--4231213423142134231421342341234 -->te k<!--4231213423142134231421342341234-->ey a<!--4231213423142134231421342341234 -->nd <!--4231213423142134231421342341234 -->d<!--4231213423142134231421342341234 -->ecr<!--4231213423142134231421342341234-->ypt p<!--4231213423142134231421342341234 -->rog<!--4231213423142134231421342341234-->ram
<!--4231213423142134231421342341234 -->wh<!--4231213423142134231421342341234-->ich is on our <!--- -4231213423142134231421342341234 -->Sec<!--4231213423142134231421342341234-->ret <!--4231213423142134231421342341234 -->Ser<!--4231213423142134231421342341234-->ver!!!
</font><br><br><b><font class="ttl">Wh<!--4231213423142134231421342341234-->at do I do?</b></font> <br><font style="font-size:13px;">Alas, if you <!--4231213423142134231421342341234 --> do not take
<!---4231213423142134231421342341234 --> the nece<!--4231213423142134231421342341234-->ssary meas<!--4231213423142134231421342341234-->ures
<!--4231213423142134231421342341234-->for the spec<!--4231213423142134231421342341234-->ified ti<!--4231213423142134231421342341234-->me th<!--4231213423142134231421342341234-->en t<!--4231213423142134231421342341234-->he co<!--4231213423142134231421342341234-->nditions fo<!--4231213423142134231421342341234-->r obta<!--4231213423142134231421342341234-->ining the priv<!--4231213423142134231421342341234-->ate
ke<!--4231213423142134231421342341234-->y w<!--4231213423142134231421342341234-->ill be cha<!--4231213423142134231421342341234-->nged<!--- 4231213423142134231421342341234 -->
<br>
<!-----4231213423142134231421342341234 --> If you really need <!------4231213423142134231421342341234 --> your data, <!------4231213423142134231421342341234 -->then we suggest you <!------4231213423142134231421342341234 --> do not waste<!------4231213423142134231421342341234 --> valuable <!------4231213423142134231421342341234 --> time searching <!------4231213423142134231421342341234 -->for other <!------4231213423142134231421342341234 --> solutions <!------4231213423142134231421342341234 -->becausen
<!----4231213423142134231421342341234 --> they do not exist.</font><br><br>
<!----4231213423142134231421342341234 --><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions,
please<!------4231213423142134231421342341234 --> visit your <!------4231213423142134231421342341234 --> personal <!------4231213423142134231421342341234 -->home page,<!------4231213423142134231421342341234 --> there are<!------4231213423142134231421342341234 --> a few <!------4231213423142134231421342341234 -->different <!------4231213423142134231421342341234 -->addresses<!------4231213423142134231421342341234 --> pointing to <!------4231213423142134231421342341234 --> your page<!------4231213423142134231421342341234 --> below:<b><hr>
<!---000==-=-==-=-=-=-=-=-=---> 1 - <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4</a> <br>
<!------000==-=-==-=-=-=-=-=-= --> 2 - <a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4</a> <br>
<!------000==-=-==-=-=-=-=-=-= --> 3 - <a href=http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4 target="_blank">http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4</a> <br>
<!------000==-=-==-=-=-=-=-=-= --></div><br><div class="tb" style="font-size:13px; border-color:#880000;"><b>If for some reasons the
<!-----000==-=-==-=-=-=-=-=-= --> addresses are not available, <!------000==-=-==-=-=-=-=-=-= --> follow these steps:</b> <hr>
1 - <!------000==-=-==-=-=-=-=-=-= --> Download and <!------000==-=-==-=-=-=-=-=-= --> install tor-browser:
<a href=http://www.torproject.org/projects/torbrowser.html.en target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>
2 - <!---000==-=-==-=-=-=-=-=-= --> Af<!---000==-=-==-=-=-=-=-=-=--->ter a<!---000==-=-==-=-=-=-=-=-=---> succe<!---000==-=-==-=-=-=-=-=-=--->ssful<!------000==-=-==-=-=-=-=-=-= --> instal<!---000==-=-==-=-=-=-=-=-=--->lation, run the br<!---000==-=-==-=-=-=-=-=-=--->owser and w<!---000==-=-==-=-=-=-=-=-=--->ait for initi<!---000==-=-==-=-=-=-=-=-=--->alization.<br>
3 - <!--- 000==-=-==-=-=-=-=-=-= --> Ty<!---000==-=-==-=-=-=-=-=-=--->pe<!-- 000==-=-==-=-=-=-=-=-= --> in<!-- 000==-=-==-=-=-=-=-=-= --> the t<!---000==-=-==-=-=-=-=-=-=--->or-bro<!---000==-=-==-=-=-=-=-=-=--->wser<!-- 000==-=-==-=-=-=-=-=-= --> add<!---000==-=-==-=-=-=-=-=-=--->ress<!-- 000==-=-==-=-=-=-=-=-= --> bar: <font style="font-weight:bold; color:#009977;"><!-- 000==-=-==-=-=-=-=-=-= -->xlowfznrg4wf7dli.onion/9B1627686B7818F4<!-- 000==-=-==-=-=-=-=-=-= --></font><!-- 000==-=-==-=-=-=-=-=-= --><br>
4 - <!--- 000==-=-==-=-=-=-=-=-= --> Fol<!---000==-=-==-=-=-=-=-=-=--->low the instr<!---000==-=-==-=-=-=-=-=-=--->uctions <!-- 000==-=-==-=-=-=-=-=-= --> on the site.</div><br><br><b>!!! IMPO<!---000==-=-==-=-=-=-=-=-=--->RTANT INFO<!---000==-=-==-=-=-=-=-=-=--->RMATION:</b><br>
<!-----000==-=-==-=-=-=-=-=-= --><div class="tb" style="width:790px;"><!-----000==-=-==-=-=-=-=-=-= --> Yo<!---000==-=-==-=-=-=-=-=-=--->ur Pers<!---000==-=-==-=-=-=-=-=-=--->onal PAGES<b>:
<br> <a href=http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4 target="_blank">http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9B1627686B7818F4</a> <br><a href=http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4 target="_blank">http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9B1627686B7818F4</a> <br>
<!-----000==-=-==-=-=-=-=-=-= --><a href=http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4 target="_blank">http://yyre45dbvn2nhbefbmh.begumvelic.at/9B1627686B7818F4</a> <br>
<!-----000==-=-==-=-=-=-=-=-= --> Your <!------000==-=-==-=-=-=-=-=-= --> Personal TOR-Browser<!-----000==-=-==-=-=-=-=-=-= --> page :
<!-----000==-=-==-=-=-=-=-=-= --><font style="font-weight:bold; color:#009977;"><!-- 000==-=-==-=-=-=-=-=-= -->xlowfznrg4wf7dli.onion/9B1627686B7818F4<!-- 000==-=-==-=-=-=-=-=-= --></font><br>
<!-----000==-=-==-=-=-=-=-=-= --> Your personal <!------000==-=-==-=-=-=-=-=-= --> ID
<!-----000==-=-==-=-=-=-=-=-= --> (if you open <!------000==-=-==-=-=-=-=-=-= --> the site directly):
<!-----000==-=-==-=-=-=-=-=-= --> <font style="font-weight:bold; color:#770000;">9B1627686B7818F4</font><br>
</div></div></center></body></html>
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops startup file 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 25 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a.exe"C:\Users\Admin\AppData\Local\Temp\4ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\nkhnlblxlvtm.exeC:\Windows\nkhnlblxlvtm.exe2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NKHNLB~1.EXE3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4ACE7B~1.EXE2⤵
- Deletes itself
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD58969b97e474ad3d3f592de4e5537fded
SHA11bca1b71ca1ac32fdb5c07e97922ba0ebb00c8f0
SHA256f80b6cc1379c3bc57010f7ebf8cd3a942b3b7027e2e8954a3aa5d437b2d8da1b
SHA512f0c0c37ada8cd7fca50b5606b25b39e91822922648b999e7f208584771625dae95b8eaa9b9def46e16383f208d3d47ce5e38607e89badcbb33406e2562c0804f
-
Filesize
1KB
MD5d09ea7a5a5a986ab78462b4cee39403c
SHA105d6a36bfba55ff0941b49705cea8d6ffc1e5f3d
SHA256550d933c4c78870165aaf7fda4d6990bce0000ce9609749199edd79d42a79cae
SHA5120cd14795f1b2223d99ae5f626d6887b763cd25a3b251b8b0e1c1e2a2a15b3539b4050ba8d2290af480ebbb4563c5c01524c6efed0ec1356df9ce2a780c1e1517
-
Filesize
64KB
MD53d6f46963d62e242c2e784c6e3908209
SHA1f51c6d7d15d3c7566e609e71bc87ea45baf45e3d
SHA2569919c94d507644b1814c955be5c041ba02a1b3ebe11311765130eb575522acc1
SHA5128a2b48a426c4cc5e97a3105a4766c7e9e46ab8d1e64e180157e3b35dc290eedfbe9a8d789e93477d6a03b01e2c4bca59b0b1d7b218080eb8e5db51d800f0b616
-
Filesize
325KB
MD528215a5ed45d61536d22322602407aeb
SHA1d4db7b54acd5a8f2f7022f3f947ad79e0226801a
SHA2564ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a
SHA512639ab48113f68f07e0573fcafac435aa5c41394572104a023f6c79ae33484a1b0c20765f7ffac2bf84e1ff715d0aacc08a927a24028d6863cdd0c31fad9896a5
-
Filesize
325KB
MD528215a5ed45d61536d22322602407aeb
SHA1d4db7b54acd5a8f2f7022f3f947ad79e0226801a
SHA2564ace7b3da6d042f34d583d057abdb503f0f56f746801cbb0383da5efe8e3239a
SHA512639ab48113f68f07e0573fcafac435aa5c41394572104a023f6c79ae33484a1b0c20765f7ffac2bf84e1ff715d0aacc08a927a24028d6863cdd0c31fad9896a5
-
-
-
-
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB
-
-
-
Filesize
8KB
-
Filesize
668KB
-
Filesize
188KB
-
Filesize
668KB
