Resubmissions
31-07-2023 12:37
230731-ptx8safd79 1031-07-2023 12:37
230731-ptndksfd76 731-07-2023 11:43
230731-nvq1eseh69 10Analysis
-
max time kernel
71s -
max time network
146s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
-
submitted
31-07-2023 12:37
General
-
Target
yOMHr.exe
-
Size
170KB
-
MD5
31bd0f224e7e74eee2847f43aae23974
-
SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58
-
SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
-
SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249
-
SSDEEP
3072:2qeriftL/WSo1vDb53j/8WGUzaqVh4LI8zQpn:2trA/WSo1rl3ALrlHQpn
Malware Config
Extracted
F:\RyukReadMe.txt
ryuk
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
- Drops file in Program Files directory
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4064 -s 9602⤵
- Program crash
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\yOMHr.exe"C:\Users\Admin\AppData\Local\Temp\yOMHr.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\RyukReadMe.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff839b29758,0x7ff839b29768,0x7ff839b297782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2384 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2376 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1824 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5212 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5696 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3256 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5716 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3024 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5260 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
804B
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
Filesize
39KB
MD5500ecdda9ad3e919a1f41c1588266a1b
SHA1d5ddf92dc08284a48701a4d3555590bda05f77e0
SHA256caad3feace9086d27e006d538d2daf4dd50e2b33307232a7db6d5f8c48f73b37
SHA5125e47a0d0721ec0f9adb5a439ffc98c1b4da780e74270332313f8350f228bdb919d32c4812c6ede84ebae3ead1342c2eaf4c73f4dfca5a87e8887e1b5913c0d9f
-
Filesize
1KB
MD50f7ab306482e168df8ae4db0da366a23
SHA17cd96f1892eed08892bcad19b6dfd9f8e24b42d1
SHA256c2114f65f31ec1d737b02b0bf0545a5fd61799881b7bc80f3666beffe2cccf7d
SHA512a3fbe4a812ab9af1652e3624afd99c5e666edb055658d558857b0baa5a829355e01e4ded7f3ee0c60049ed6f1321aefd55b1517aceb53476ce7c63bf3ee74b8d
-
Filesize
2KB
MD5e0ded7013da949486d130e515084c36a
SHA1a31d47854c60b86e0e8d22881f55a7b775fbe0b2
SHA256b66ab473aa02d99bb588c521d3cad1d2c4c25fcacf258e650a0c0f456687966a
SHA5127f952c969a82c68f922d13c826b48dfba103f06ee3a3b0d2a570823fa154dc4e9397ed49ddf200e2dfdae84b80423b9c4f4c0076925fbe6f8c1e4993aa9b8384
-
Filesize
538B
MD52348a872c571314760d300439ac54144
SHA1004728f059eb518726a10121ce6866ad14760841
SHA25695ade341361b5c4ad2b4d09cbb4931656bbb1b950f1c7a7b8fcd0ea77e40c6be
SHA512dc82ad1d5cc7bb0b53432b9571941b4e6323c7144f5786f9c19ec44740571912b38d92cd4fc6f34bc2bc5c9f8a5e5671e15509b34f5d0412b890be6a83b74a3f
-
Filesize
1KB
MD5f3db0ba5dda88a664c85360265c0ffd6
SHA172e2e5410bedfe0f841e192b4d58e30db70e1020
SHA25604e744c66ad48ea9be9913cf2573fb48f8bfb4bcb777638b446394507924bb9a
SHA512c5fc70588fc8024e5940be082ef526c2f7317e7e590cf1902ea07ba9b6e2d0bf3a644f7643d4ccd787d73168a14bda199ecdc3f540a6a3782e30bc8dc3bde03e
-
Filesize
1KB
MD55bc1e603f027036ed4d968604c6e6472
SHA1aae53d491749db0f85872ff3c685ac084939bd7f
SHA256f31041aea77b80b25277cc8849a73f0b5df61121ac6ece43578d1e9a4771fb70
SHA51216007683aa8fd9c5d1b9ea52db0e1b0ed52fcd45ad811ae41d93318b5d09a2d5ac573159b4ca03623710853a56fe37152aa3af7b1e285fd7f9299a02a4e1a1eb
-
Filesize
2KB
MD514460e37f8af20e8e0de11e00515a578
SHA1684f3dc907c74f32cbdfaed7b1d943d3a3af195a
SHA256cb421e48e344c46d3c600d57a559d5e28d8ced6b2d625d1239c1614fdd6608ca
SHA5122f601156d2a750eaac72b728b65c6a2054670786ab0804dcfd9ce2aacb9032b160b486c9ca90c262bccd2ee9a26280534611195745403fcef6774beaedf3b849
-
Filesize
6KB
MD52a3924f10550b34cb768e1312043bcdc
SHA1f6fa158c1185d4c7f11ce779008e6d1e1aba757f
SHA256ae7927f2be212cdd19ca854ef363d2ac4b207c439c5e7dda837a8bccfd101295
SHA512baf385ce29304d74e89a2321e5e2a9488c8ba413d78813eb62a0e131d6e106a8726c08d1d353ac445d87545b5150b970b90af41198ea14b9a0b99a79f64f4b22
-
Filesize
6KB
MD5d83708351a1ad7b3499cc1500bcb923f
SHA1ca235c92cb7b1ff2f16975a7c8af3af03f0a9f03
SHA25609e05cbe3a375bdb2a4210f535d94bacb5a5da1ee72584f3a7ccfc0471e5a245
SHA512dee9dd2c63479967bdeff6330b40315ea3b1a7f493671909ad26b864c57761707932a4ebeed0680c763e88c4263d103a115ed777e88be0162e1e143f6793a5e4
-
Filesize
6KB
MD525fbf708901af6798b2c896d93540619
SHA10c07743a76a0a3a4a4c1b66ad1454ccef3206bee
SHA25621409ed7347572234ae5a428adfaa9342f2db359ce9f34544ce6c56634873964
SHA5123fdcc8675154f1327c07720cfa2cbcdd045aa80346772f3d094108977b598c320b11d06d14a2a033c11d60ab54efcdbaf46c016890a5baebbc5c598a13defbe0
-
Filesize
5KB
MD5ae3f57ed846101118b5b28552a0b3672
SHA184537ce42cbda6a3cdebe21171d1de0b3de3fe3c
SHA2566b9300ef48f080978921294b93361f777da588093acb6294c088ff2e8ff3b9e0
SHA512e0598225a600baac978d321b745c45be8c0268f84dddee98b612629fe6edc10c6e8a56c15a60acd9f77acb44ca967f04cda9c24daa36b9ecfe7156e6bd4fe430
-
Filesize
6KB
MD5fb312dc56b88c655e1ff2332af0d49b1
SHA1266138b8b4ff8edf697981d5c91aa4466acc386e
SHA256abe15fdd116632cc00e14b225d916e112934219cbf8d96259041928189ab1f10
SHA5128ef7ae513e24bff6f68acfa56c8a3bc88e0facc4e96044b4837a0560c77c04b096f605deb123b4b7d4a3d999feb8dd60650202c7456667e35dbd336fbf449271
-
Filesize
12KB
MD5da07b61ebeb3329d21696f259384ca70
SHA1740ebb0035c265217d898e6a7afc385fec08a166
SHA25614513d4c8b2c8b6df6731619f4975b2a44105aaa90c9c4c5b7ca6afdccd2d1bb
SHA512e9776cd42b7e58314725064446bdec11c43ba6c8f4da734c3b4f3ff4c1705fd169c9516c2a4e7cae445d7b4b1fd7229f9e3e0662becde733655029004d065424
-
Filesize
176KB
MD56e070fdcc8ea075d014ef24d2d8f5f09
SHA13acebf15e7b77838ed25053dc5ad15a155dac2a4
SHA256a65bc6faba0142d6ae1b370ef404c606e156b511160a794b2cd91fee02627c88
SHA5128555624af95c4814c92df3f70303166928ea4bfe5c0f2be3d2ec15f9c9011b5f5909ee442ae8992517b5654b584ab0f88fd4892ae2b69937c23280f7b325d182
-
Filesize
176KB
MD5b3c7a8087a5388cf30e569cc1900e228
SHA180ece602ae099e115363227648e238216c7b0468
SHA256762ed03ab14fcfd1350523c5c379e6609103dddb20a1742a7ed68386d6ca8f13
SHA5129f5ddf784850eae70fbb069e5ff87f8558916cd56850bb7d0efe5ee7f9beff0d3a439209ef2b0e4bf337ad791b8837ec0de30fff020dd4f115ffeaf02a3d7192
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
804B
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB