Resubmissions
18-04-2024 11:18
240418-ned1xsbd66 1018-04-2024 11:18
240418-nea92abd64 1018-04-2024 11:18
240418-neay9scf7z 1018-04-2024 11:18
240418-neacqscf7y 718-04-2024 11:18
240418-nd92zacf7x 718-04-2024 09:59
240418-lz5chaba8t 7Analysis
-
max time kernel
591s -
max time network
576s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
18-04-2024 11:18
General
-
Target
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
-
Size
371KB
-
MD5
eafe645b56c3f5cb746fb5f8504f6035
-
SHA1
f539987de9fe59bff20483ac7a124afafc27036b
-
SHA256
0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94
-
SHA512
61af2cfa960a72b66d54d0ee121acb5c54d455b05eb85fb2d7df2958d3134d348c87a5aef2aa46319532407f7ebf01eaedfb8dd889bb0f67ce5edc067445e806
-
SSDEEP
6144:hnzQnu/cmM1oSigOQT2F8U92Iu7DMVQZhWLv3RXdYX9ji+uhi2PsrhY:dzQnkM1oSiBGI8bxn5W6i+uo20tY
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bab02914-bb52-4f77-af9b-e8916c622388}\_DECRYPT_INFO_gbgpy.html
Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<!-- saved from url=(0014)about:internet -->
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8' />
<title>gbgpy decrypt</title>
<style type='text/css'>
<!--
html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;}
a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;}
td {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f0f0f0;
font-size: 14px;
}
.style1 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 48px;
}
.style3 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 60px;
}
.style4 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #28caf9;
font-size: 14px;
}
.style5 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 14px;
}
.style6 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 14px;
}
.style7 {
width:685px;
height:120px;
background-color:#393838;
border:1px solid #565656;
font-family: Courier New;
font-weight: bold;
color: #f0f0f0;
font-size: 13px;
}
.styled-select select {
background-color:#393838;
font-weight: bold;
color: #f0f0f0;
width: 178px;
padding: 5px;
font-size: 16px;
line-height: 1;
border: 0;
border-radius: 0;
height: 34px;
-webkit-appearance: none;
}
-->
</style>
<script type='text/javascript'>
function init()
{
var xtime;
document.getElementById('fe_text').innerHTML = '00:00:00';
var language = window.navigator.userLanguage || window.navigator.language;
if (language.indexOf('-') !== -1)
language = language.split('-')[0];
if (language.indexOf('_') !== -1)
language = language.split('_')[0];
change_lang(language);
var ua = window.navigator.userAgent;
var msie = ua.indexOf('MSIE ');
xtime = Math.floor( (1713439975+(12*60*60)) - (Date.now()/1000));
if (msie == 0)
window.setTimeout('update_timestamp('+xtime+')',1000);
else
update_timestamp(xtime);
}
function component(x, y, z)
{
var res
if (z == 1)
res = Math.floor(x / y);
else
res = Math.floor(x / y) % z;
if (res < 10)
res = '0'+res;
return res;
}
function update_timestamp(tstamp)
{
if (tstamp < 1)
{
document.getElementById('fe_text').innerHTML = '00:00:00';
}
else
{
var hours = component(tstamp, 60*60, 1),
minutes = component(tstamp, 60, 60),
seconds = component(tstamp, 1, 60);
document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds;
tstamp-=1;
window.setTimeout('update_timestamp('+tstamp+')',1000);
}
}
function change_lang(lang)
{
if (lang == "de")
show_de();
else if (lang == "es")
show_es();
else if (lang == "fr")
show_fr();
else if (lang == "it")
show_it();
else if (lang == "nl")
show_nl();
else
show_en();
}
function show_en()
{
document.getElementById('text_01').innerHTML = 'WARNING!';
document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.';
document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.';
document.getElementById('text_09').innerHTML = 'Download TOR Browser from';
document.getElementById('text_10').innerHTML = 'In the Tor Browser open the';
document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).';
document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:';
}
function show_de()
{
document.getElementById('text_01').innerHTML = 'WARNUNG!';
document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!';
document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.';
document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von';
document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie';
document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).';
document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:';
}
function show_es()
{
document.getElementById('text_01').innerHTML = '¡PELIGRO!';
document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!';
document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.';
document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde';
document.getElementById('text_10').innerHTML = 'En el navegador TOR abre';
document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).';
document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:';
}
function show_fr()
{
document.getElementById('text_01').innerHTML = 'ATTENTION!';
document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !';
document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.';
document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de';
document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez ';
document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).';
document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :';
}
function show_it()
{
document.getElementById('text_01').innerHTML = 'ATTENZIONE!';
document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!';
document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.';
document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da';
document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link';
document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).';
document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:';
}
function show_nl()
{
document.getElementById('text_01').innerHTML = 'WAARSCHUWING!';
document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!';
document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.';
document.getElementById('text_09').innerHTML = 'Download de TOR Browser van';
document.getElementById('text_10').innerHTML = 'In de Tor Browser, open';
document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).';
document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:';
}
//var language = window.navigator.userLanguage || window.navigator.language;
//alert(language);
</script>
</head>
<body onload='init();'>
<div align='center'>
<table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'>
<tr>
<td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/gbgpy.gif' width='225' height='221' /></td>
<td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br />
<div align='center' id='text_02'>Your personal files are encrypted.<br />
<br />
<br />
</div>
<div align='center' class='style3' id='fe_text'></div></p>
<div class="styled-select" align='center'>
<select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);">
<option selected disabled value="" style="display:none;">Select language</option>
<option value='en'> ENGLISH</option>
<option value='de'> GERMAN</option>
<option value='es'> SPANISH</option>
<option value='fr'> FRENCH</option>
<option value='it'> ITALIAN</option>
<option value='nl'> DUTCH</option>
</select>
</div>
</td>
</tr>
<tr>
<td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'>
<tr>
<td colspan='2' align='left'>
<br />
<div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br />
<br />
</td>
</tr>
<tr>
<td colspan='2' align='left'>
1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br />
2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubebz6z6cgtw.onion</span><br /><br />
<span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br />
<br />
<span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br />
<div align='center'><textarea class='style7'>
GYNFK-T3H7G-X7EMB-QUYUF-PDKQY-DN1HW-SQYSC-3HXF3-YQ0BY-FT5NK-6HF87-X0C8Q-WJQWP-SYV0V
QVWS0-YJU6K-DU0D2-S72MJ-4KBW6-MA4CJ-S8E4F-DZCKH-ZSUB1-MVFEB-T3WCG-UR1Y2-NR2ZA-GWMD2
26VPP-D1VQ8-SMT6X-6T83E-EW0JD-ZRYHQ-DFAF0-4XGUK-WV8AK-HHJBB-E7D3R-ZFV8A-JMBXM-FTHTY
VX7HB-N08TV-VEMV4-YYEF8-5U7K8-RK3TU-D7TCJ-NCG2C-KMCMH-GSZBA-UPV4V-PUE8U-G76ZH-DVX5W
A1DWT-0SME1-MFQ4G-576FU-BDBP0-8ED8Y-DRDCZ-0DS1X-KS1K7-ZS6MJ-CRPZZ-M6GMU-710KM-7JF1D
HSTYB-4VTEC-5YE5N-ZSF4D-Q3H5J-AW7VP-ZE6HJ-7WGFZ-K8B61-61TYR-X0BSG-ST7FZ
</textarea>
<br />
</div>
<br />
<br />
<br />
</div>
</td>
</tr>
</table></td>
</tr>
</table>
</div>
</body>
</html>
URLs
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
Path
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\IF5JRPH7\_DECRYPT_INFO_gbgpy.html
Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<!-- saved from url=(0014)about:internet -->
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8' />
<title>gbgpy decrypt</title>
<style type='text/css'>
<!--
html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;}
a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;}
td {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f0f0f0;
font-size: 14px;
}
.style1 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 48px;
}
.style3 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 60px;
}
.style4 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #28caf9;
font-size: 14px;
}
.style5 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 14px;
}
.style6 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 14px;
}
.style7 {
width:685px;
height:120px;
background-color:#393838;
border:1px solid #565656;
font-family: Courier New;
font-weight: bold;
color: #f0f0f0;
font-size: 13px;
}
.styled-select select {
background-color:#393838;
font-weight: bold;
color: #f0f0f0;
width: 178px;
padding: 5px;
font-size: 16px;
line-height: 1;
border: 0;
border-radius: 0;
height: 34px;
-webkit-appearance: none;
}
-->
</style>
<script type='text/javascript'>
function init()
{
var xtime;
document.getElementById('fe_text').innerHTML = '00:00:00';
var language = window.navigator.userLanguage || window.navigator.language;
if (language.indexOf('-') !== -1)
language = language.split('-')[0];
if (language.indexOf('_') !== -1)
language = language.split('_')[0];
change_lang(language);
var ua = window.navigator.userAgent;
var msie = ua.indexOf('MSIE ');
xtime = Math.floor( (1713439976+(12*60*60)) - (Date.now()/1000));
if (msie == 0)
window.setTimeout('update_timestamp('+xtime+')',1000);
else
update_timestamp(xtime);
}
function component(x, y, z)
{
var res
if (z == 1)
res = Math.floor(x / y);
else
res = Math.floor(x / y) % z;
if (res < 10)
res = '0'+res;
return res;
}
function update_timestamp(tstamp)
{
if (tstamp < 1)
{
document.getElementById('fe_text').innerHTML = '00:00:00';
}
else
{
var hours = component(tstamp, 60*60, 1),
minutes = component(tstamp, 60, 60),
seconds = component(tstamp, 1, 60);
document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds;
tstamp-=1;
window.setTimeout('update_timestamp('+tstamp+')',1000);
}
}
function change_lang(lang)
{
if (lang == "de")
show_de();
else if (lang == "es")
show_es();
else if (lang == "fr")
show_fr();
else if (lang == "it")
show_it();
else if (lang == "nl")
show_nl();
else
show_en();
}
function show_en()
{
document.getElementById('text_01').innerHTML = 'WARNING!';
document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.';
document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.';
document.getElementById('text_09').innerHTML = 'Download TOR Browser from';
document.getElementById('text_10').innerHTML = 'In the Tor Browser open the';
document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).';
document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:';
}
function show_de()
{
document.getElementById('text_01').innerHTML = 'WARNUNG!';
document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!';
document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.';
document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von';
document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie';
document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).';
document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:';
}
function show_es()
{
document.getElementById('text_01').innerHTML = '¡PELIGRO!';
document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!';
document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.';
document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde';
document.getElementById('text_10').innerHTML = 'En el navegador TOR abre';
document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).';
document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:';
}
function show_fr()
{
document.getElementById('text_01').innerHTML = 'ATTENTION!';
document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !';
document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.';
document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de';
document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez ';
document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).';
document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :';
}
function show_it()
{
document.getElementById('text_01').innerHTML = 'ATTENZIONE!';
document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!';
document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.';
document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da';
document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link';
document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).';
document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:';
}
function show_nl()
{
document.getElementById('text_01').innerHTML = 'WAARSCHUWING!';
document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!';
document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.';
document.getElementById('text_09').innerHTML = 'Download de TOR Browser van';
document.getElementById('text_10').innerHTML = 'In de Tor Browser, open';
document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).';
document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:';
}
//var language = window.navigator.userLanguage || window.navigator.language;
//alert(language);
</script>
</head>
<body onload='init();'>
<div align='center'>
<table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'>
<tr>
<td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/gbgpy.gif' width='225' height='221' /></td>
<td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br />
<div align='center' id='text_02'>Your personal files are encrypted.<br />
<br />
<br />
</div>
<div align='center' class='style3' id='fe_text'></div></p>
<div class="styled-select" align='center'>
<select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);">
<option selected disabled value="" style="display:none;">Select language</option>
<option value='en'> ENGLISH</option>
<option value='de'> GERMAN</option>
<option value='es'> SPANISH</option>
<option value='fr'> FRENCH</option>
<option value='it'> ITALIAN</option>
<option value='nl'> DUTCH</option>
</select>
</div>
</td>
</tr>
<tr>
<td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'>
<tr>
<td colspan='2' align='left'>
<br />
<div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br />
<br />
</td>
</tr>
<tr>
<td colspan='2' align='left'>
1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br />
2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubebz6z6cgtw.onion</span><br /><br />
<span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br />
<br />
<span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br />
<div align='center'><textarea class='style7'>
GYNFK-T3H7G-X7EMB-QUYUF-PDKQY-DN1HW-SQYSC-3HXF3-YQ0BY-FT5NK-6HF87-X0C8Q-WJQWP-SYV0V
QVWS0-YJU6K-DU0D2-S72MJ-4KBW6-MA4CJ-S8E4F-DZCKH-ZSUB1-MVFEB-T3WCG-UR1Y2-NR2ZA-GWMD2
26VPP-D1VQ8-SMT6X-6T83E-EW0JD-ZRYHQ-DFAF0-4XGUK-WV8AK-HHJBB-E7D3R-ZFV8A-JMBXM-FTHTY
VX7HB-N08TV-VEMV4-YYEF8-5U7K8-RK3TU-D7TCJ-NCG2C-KMCMH-GSZBA-UPV4V-PUE8U-G76ZH-DVX5W
A1DWT-0SME1-MFQ4G-576FU-BDBP0-8ED8Y-DRDCZ-0DS1X-KS1K7-ZS6MJ-CRPZZ-M6GMU-710KM-7JF1D
HSTYB-4VTEC-5YE5N-ZSF4D-Q3H5J-AW7VP-ZE6HJ-7WGFZ-K8B61-61TYR-X0BSG-ST7FZ
</textarea>
<br />
</div>
<br />
<br />
<br />
</div>
</td>
</tr>
</table></td>
</tr>
</table>
</div>
</body>
</html>
URLs
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
Path
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\_DECRYPT_INFO_gbgpy.html
Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<!-- saved from url=(0014)about:internet -->
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8' />
<title>gbgpy decrypt</title>
<style type='text/css'>
<!--
html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;}
a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;}
td {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f0f0f0;
font-size: 14px;
}
.style1 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 48px;
}
.style3 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 60px;
}
.style4 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #28caf9;
font-size: 14px;
}
.style5 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #f5e700;
font-size: 14px;
}
.style6 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #d7001e;
font-size: 14px;
}
.style7 {
width:685px;
height:120px;
background-color:#393838;
border:1px solid #565656;
font-family: Courier New;
font-weight: bold;
color: #f0f0f0;
font-size: 13px;
}
.styled-select select {
background-color:#393838;
font-weight: bold;
color: #f0f0f0;
width: 178px;
padding: 5px;
font-size: 16px;
line-height: 1;
border: 0;
border-radius: 0;
height: 34px;
-webkit-appearance: none;
}
-->
</style>
<script type='text/javascript'>
function init()
{
var xtime;
document.getElementById('fe_text').innerHTML = '00:00:00';
var language = window.navigator.userLanguage || window.navigator.language;
if (language.indexOf('-') !== -1)
language = language.split('-')[0];
if (language.indexOf('_') !== -1)
language = language.split('_')[0];
change_lang(language);
var ua = window.navigator.userAgent;
var msie = ua.indexOf('MSIE ');
xtime = Math.floor( (1713439982+(12*60*60)) - (Date.now()/1000));
if (msie == 0)
window.setTimeout('update_timestamp('+xtime+')',1000);
else
update_timestamp(xtime);
}
function component(x, y, z)
{
var res
if (z == 1)
res = Math.floor(x / y);
else
res = Math.floor(x / y) % z;
if (res < 10)
res = '0'+res;
return res;
}
function update_timestamp(tstamp)
{
if (tstamp < 1)
{
document.getElementById('fe_text').innerHTML = '00:00:00';
}
else
{
var hours = component(tstamp, 60*60, 1),
minutes = component(tstamp, 60, 60),
seconds = component(tstamp, 1, 60);
document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds;
tstamp-=1;
window.setTimeout('update_timestamp('+tstamp+')',1000);
}
}
function change_lang(lang)
{
if (lang == "de")
show_de();
else if (lang == "es")
show_es();
else if (lang == "fr")
show_fr();
else if (lang == "it")
show_it();
else if (lang == "nl")
show_nl();
else
show_en();
}
function show_en()
{
document.getElementById('text_01').innerHTML = 'WARNING!';
document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.';
document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.';
document.getElementById('text_09').innerHTML = 'Download TOR Browser from';
document.getElementById('text_10').innerHTML = 'In the Tor Browser open the';
document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).';
document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:';
}
function show_de()
{
document.getElementById('text_01').innerHTML = 'WARNUNG!';
document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!';
document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.';
document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von';
document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie';
document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).';
document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:';
}
function show_es()
{
document.getElementById('text_01').innerHTML = '¡PELIGRO!';
document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!';
document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.';
document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde';
document.getElementById('text_10').innerHTML = 'En el navegador TOR abre';
document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).';
document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:';
}
function show_fr()
{
document.getElementById('text_01').innerHTML = 'ATTENTION!';
document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !';
document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.';
document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de';
document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez ';
document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).';
document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :';
}
function show_it()
{
document.getElementById('text_01').innerHTML = 'ATTENZIONE!';
document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!';
document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.';
document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da';
document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link';
document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).';
document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:';
}
function show_nl()
{
document.getElementById('text_01').innerHTML = 'WAARSCHUWING!';
document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!';
document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.';
document.getElementById('text_09').innerHTML = 'Download de TOR Browser van';
document.getElementById('text_10').innerHTML = 'In de Tor Browser, open';
document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).';
document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:';
}
//var language = window.navigator.userLanguage || window.navigator.language;
//alert(language);
</script>
</head>
<body onload='init();'>
<div align='center'>
<table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'>
<tr>
<td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/gbgpy.gif' width='225' height='221' /></td>
<td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br />
<div align='center' id='text_02'>Your personal files are encrypted.<br />
<br />
<br />
</div>
<div align='center' class='style3' id='fe_text'></div></p>
<div class="styled-select" align='center'>
<select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);">
<option selected disabled value="" style="display:none;">Select language</option>
<option value='en'> ENGLISH</option>
<option value='de'> GERMAN</option>
<option value='es'> SPANISH</option>
<option value='fr'> FRENCH</option>
<option value='it'> ITALIAN</option>
<option value='nl'> DUTCH</option>
</select>
</div>
</td>
</tr>
<tr>
<td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'>
<tr>
<td colspan='2' align='left'>
<br />
<div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br />
<br />
</td>
</tr>
<tr>
<td colspan='2' align='left'>
1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br />
2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubebz6z6cgtw.onion</span><br /><br />
<span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br />
<br />
<span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br />
<div align='center'><textarea class='style7'>
GYNFK-T3H7G-X7EMB-QUYUF-PDKQY-DN1HW-SQYSC-3HXF3-YQ0BY-FT5NK-6HF87-X0C8Q-WJQWP-SYV0V
QVWS0-YJU6K-DU0D2-S72MJ-4KBW6-MA4CJ-S8E4F-DZCKH-ZSUB1-MVFEB-T3WCG-UR1Y2-NR2ZA-GWMD2
26VPP-D1VQ8-SMT6X-6T83E-EW0JD-ZRYHQ-DFAF0-4XGUK-WV8AK-HHJBB-E7D3R-ZFV8A-JMBXM-FTHTY
VX7HB-N08TV-VEMV4-YYEF8-5U7K8-RK3TU-D7TCJ-NCG2C-KMCMH-GSZBA-UPV4V-PUE8U-G76ZH-DVX5W
A1DWT-0SME1-MFQ4G-576FU-BDBP0-8ED8Y-DRDCZ-0DS1X-KS1K7-ZS6MJ-CRPZZ-M6GMU-710KM-7JF1D
HSTYB-4VTEC-5YE5N-ZSF4D-Q3H5J-AW7VP-ZE6HJ-7WGFZ-K8B61-61TYR-X0BSG-ST7FZ
</textarea>
<br />
</div>
<br />
<br />
<br />
</div>
</td>
</tr>
</table></td>
</tr>
</table>
</div>
</body>
</html>
URLs
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Signatures
-
Maktub Locker
Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
-
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe"C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.rtf" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD50fd1d2834f80e050c15e1fde0df2624b
SHA15193afa56d305a0e77cdad2f254ac762b9cc0285
SHA256d310667cf2355740c71156480ee5bdc4e0aab53162cb8316aaa1b0245a395fe6
SHA512b463296f90c5e70e077b8bc438a623f241a451664384684931dbf66d00d53671cc33e549f1210061a987828922397e464500988dd4c6ba4230742d110dfcf301
-
Filesize
12KB
MD5477c1281b479275b6bfd6a2ff1a9fdc4
SHA18defe06d012e35757d10223359b63eaa85577efd
SHA256d1469636b4bb53e7d78dbe2b6fd28dd2d697613abaf0bcbac395161e664da6e8
SHA512f9071549eb138b6ccffd85de811805aa240740a3d289d331c62833c8b976a505008f754a0b8f582679b7988c3423157ef71133a5af98c668c8cda9afd09419c4
-
Filesize
48B
MD5a8c5473545d2bb727cebb0055fb3e934
SHA15b7438bb3af2dd43cd0f190a79b921a422b0fe3e
SHA25696d0385a6b20a72f636c9b441ef5efe23edbfe68ed848d385a03c660b2230bcc
SHA512dec2efb206ac74d85ff6819f5a7c2f690b9489dbcfd05de39a49e342bda57690392d6646315a5b45d769fa201f4718a28ffb9b6ab14eda92a65a196ec4dc02e8
-
Filesize
48B
MD5f640cb8e16a3471d76e597754d9486f6
SHA1c874535b6c3022919b3e5c2b7df9839c940cbbab
SHA256e9adf74cabcbc5ec7e8cffd4cfe72fad1b696ce1612f2b65bd36812b6ff64237
SHA512ad2b7cb45c32de5320cc060054da18241d226cb00af2f04c2f737a7d7247dd8ab661d719bb108e6b41cd913fc1b38647aac4d91220d478f5c6fd3e943ade76aa
-
Filesize
12KB
MD54f4f63dcbd9a3c2a04119c82610ab4f1
SHA176eeadcf71e65cd391f5f072da5c1d859a0da9a0
SHA2560ab807d8374cae80d88914ef0925ba7ae578a8a9b3696bf17a36ea0079787cb0
SHA512b310b97ef78beafddd13f011c423a4d27a8ebe3d0da10cb34671eaf050fea5a7204fd4f1921cf78735901d9b81f2e0ce2acc2f033da7041838beec687715ef70
-
Filesize
4KB
MD52d5020c82de674b48cfd17cc20fcbba2
SHA14e317eaeebd839ee5f6eb3925a9fbee819c5349c
SHA256120becd55248f4a2ccbbc99ba9d3c2932223264a95cd72e9ae7568be61277e9a
SHA512ffbbdda009237d6825f6cd6f751a41f4f9d716186901ffdbeed56c2d1410245771decd07f591cf56cafdd4bbebd4e4c74f009ff15736d5321635e34ff17d0d8d
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
72KB
-
Filesize
388KB
-
Filesize
160KB
-
Filesize
388KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
388KB
-
Filesize
4KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
352KB