Characterization of the Group II Intron Gs. Int1 from the ...
Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore...
Transcript of Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore...
![Page 1: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/1.jpg)
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Aleksandr Matrosov
Eugene Rodionov
![Page 2: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/2.jpg)
Agenda
Evolution of payloads and rootkits
Bypassing code integrity checks
Attacking Windows Bootloader
Modern Bootkit details:
Win64/Olmarik
Win64/Rovnix
What Facilitates Bootkit Attack Vector
![Page 3: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/3.jpg)
Evolution of Rootkits
![Page 4: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/4.jpg)
Evolution of Rootkit Installation
Malicious
Web-site
Exploit
Vulnerability
Bypass
ASLR/DEP
Escape
Sandbox
Execute
Payload
Download
Rootkit Escalate
Local Privilege
Install Rootkit Kernel-Mode
Exploit
![Page 5: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/5.jpg)
Dropper
Evolution of Rootkit Features
bypassing HIPS/AV
x86
privilege escalation
installing rootkit
driver
Rootkit
self-defense
surviving reboot
injecting payload
User
mo
de
Ke
rne
l m
od
e
![Page 6: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/6.jpg)
Dropper
Evolution of Rootkit Features
bypassing HIPS/AV
x86 x64
privilege escalation
installing rootkit
driver
Rootkit
self-defense
surviving reboot
injecting payload
Rootkit
Rootkit
self-defense
surviving reboot
injecting payload
bypassing signature
check
bypassing
MS PatchGuard
User
mo
de
Ke
rne
l m
od
e
![Page 7: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/7.jpg)
o Kernel-Mode Code Signing Policy:
It is “difficult” to load unsigned kernel-mode driver
o Kernel-Mode Patch Protection (Patch Guard):
SSDT (System Service Dispatch Table)
IDT (Interrupt Descriptor Table)
GDT (Global Descriptor Table)
MSRs (Model Specific Registers)
Obstacles for 64-bit Rootkits
![Page 8: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/8.jpg)
Bypassing Code Integrity Checks
![Page 9: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/9.jpg)
Subverting KMCSP
o Abusing vulnerable, signed, legitimate kernel-mode
driver
o Switching off kernel-mode code signing checks by
altering BCD data:
abusing WinPE Mode
disabling signing check
enabling test signing
o Patching Bootmgr and OS loader
![Page 10: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/10.jpg)
Bypassing Integrity Checks
USER-MODE
Bypassing Integrity Check Techniques
KERNEL-MODE
TESTSIGNING ON
DISABLE INTEGRITY CHECKS
VBR(Volume Boot Record)
System Boot Modification
MBR(Master Boot Record)
![Page 11: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/11.jpg)
Attacking Windows Bootloader
![Page 12: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/12.jpg)
Boot Process
Full Kernel
Initialization MBR
First
User-Mode
Process
Kernel Services BIOS Services
BIOS
Initialization
Boot
Loader
Early Kernel
Initialization
Hardware
![Page 13: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/13.jpg)
Boot Process with Bootkit Infection
load malicious
MBR/VBR
NT kernel
modifications
load rootkit
driver
![Page 14: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/14.jpg)
Code Integrity Check
Bootmgr OS loader OS kernel
dependencies
OS kernel
Boot-start drivers
Non boot-start kernel-mode drivers
![Page 15: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/15.jpg)
Evolution of Bootkits
o Bootkit PoC evolution:
eEye Bootroot (2005)
Vbootkit (2007)
Vbootkit v2 (2009)
Stoned Bootkit (2009)
Evilcore x64 (2011)
o Bootkit Threats evolution:
Win32/Mebroot (2007)
Win32/Mebratix (2008)
Win32/Mebroot v2 (2009)
Win64/Olmarik (2010/11)
Win64/Rovnix (2011)
![Page 16: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/16.jpg)
Win64/Olmarik
![Page 17: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/17.jpg)
TDL4 Installation on x64
Write FS image,patch MBR and Adjust
SE_SHUTDOWN_PRIVILEGEfail success
Copy itself into%TMP% directory
ExploitationMS10-092
success
fail
Createmanifest requesting
admin privilege
CallZwRaiseHardError
to create BSOD
Prepare hidden FS image
Report to C&C
Restart Dropper
CallShellExecute
fail
success
![Page 18: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/18.jpg)
BCD Elements determining KMCSP (before KB2506014)
BCD option Description
BcdLibraryBoolean_DisableIntegrityCheck
(0x16000020)
disables kernel-mode code integrity
checks
BcdOSLoaderBoolean_WinPEMode
(0x26000022)
instructs kernel to be loaded in
preinstallation mode, disabling
kernel-mode code integrity checks
as a byproduct
BcdLibraryBoolean_AllowPrereleaseSignatures
(0x16000049)
enables test signing
![Page 19: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/19.jpg)
Abusing Win PE mode: TDL4 modules
Module name Description
mbr (infected) infected MBR loads ldr16 module and restores original
MBR in memory
ldr16 hooks 13h interrupt to disable KMCSP and substitute
kdcom.dll with ldr32 or ldr64
ldr32 reads TDL4’s kernel-mode driver from hidden file
system and maps it into kernel-mode address space
ldr64 implementation of ldr32 module functionality for 64-bit
OS
int 13h – service provided by BIOS to communicate with IDE HDD controller
![Page 20: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/20.jpg)
Load infected MBRInfected mbr is
loadedand executed
Load “ldr16” from hidden file system
Hook BIOS int 13h handler and
restore original MBR
“ldr16” is loaded
and executed
Load VBR
Original mbr isloaded
and executed
Load bootmgr
VBR is loaded and executed
read bcd
Bootmgr is loaded and executed
Load winload.exe
Substitute
EmsEnabled option with WinPe
Load ntoskrnl.exe, hal.dll,kdcom.dll,bootvid.dll ant etc
distrort /MININT option
Call KdDebuggerInitialize1 from loaded kdcom.dll
substitute kdcom.dll
with”ldr32” or “ldr64"
Continue kernel initialization
Load ”drv32” or “drv64"
Load bootmgr
Abusing Win PE mode: Workflow
![Page 21: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/21.jpg)
MS Patch (KB2506014)
o BcdOsLoaderBoolean_WinPEMode option no longer
influences kernel-mode code signing policy
o Size of the export directory of kdcom.dll has been
changed
![Page 22: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/22.jpg)
Win64/Rovnix
![Page 23: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/23.jpg)
Win64/Rovnix: Installation
Check if already infected
success
fail
Determine OSDigit Capacity
Check OSVersion
Install Corresponding Kernel-mode Driver
Initiate System Reboot
Overwrite Bootstrap Code of Active Partition
Vista/Win7
Check Admin Privileges
success
Windows 2000
Self Delete and Exit
Call ShellExecuteEx API with “runas”
fail
Windows XP
![Page 24: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/24.jpg)
Win64/Rovnix: Bootkit Overview
Load MBR
Load VBR
Load bootmgr
Load winload.exe or winresume.exe
real mode
real mode/protected mode
Load kernel and boot
start drivers
real mode/protected mode
Load bootstrap
code
real mode/protected mode
real mode
Target of Win64\Rovnix
![Page 25: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/25.jpg)
Win64/Rovnix: Infected Partition Layout
MBR VBR Bootstrap Code File System Data
VBRMalicious
CodeFile System Data
Bootstrap Code
MBR
NTFS bootstrap code(15 sectors)
Before Infecting
After Infecting
Malicious Unsigned
Driver
CompressedData
o Win64/Rovnix overwrites bootstrap code of the
active partition
o The malicious driver is written either: before active partition, in case there is enough space
to the end of the hard drive, otherwise
![Page 26: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/26.jpg)
Win64/Rovnix: Bootkit Details
Load MBRMBR is loaded
and executed
Load VBR
Patch bootmgr
VBR is loaded and executed
Read BCD
Restore bootmgr, hook int1 handler and
copy itself over IDT
Load winload.exe
Bootloader parametersare read from BCD
Load ntoskrnl.exe, hal.dll,kdcom.dll,bootvid.dll ant etc
Hook BlImgAllocateImageBuffer
Map malicious driver into kernel-mode address space
Continue kernel initialization
Load malicious bootstrap code
Malicious bootstrap code is
loaded and executed
Hook BIOS int 13h handler and
restore original bootstrap code
Original bootstrap code is restored
Load bootmgr
Bootmgr is loaded and receives control
![Page 27: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/27.jpg)
Win64/Rovnix: Loading Unsigned Driver
o Insert malicious driver in BootDriverList of
KeLoaderBlock structure
o When kernel receives control it calls entry point of
each module in the BootDriverList
KeLoaderBlock
Ntoskrnl.exe Malicious
Driver
![Page 28: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/28.jpg)
Win64/Rovnix: Abusing Debugging Facilities
Win64/Rovnix:
o hooks Int 1h
tracing
handles hardware breakpoints (DR0-DR7)
o overwrites the last half of IDT (Interrupt Descriptor Table)
is not used by OS
As a result the malware is able to:
set up hooks without patching bootloader components
retain control after switching into protected mode
![Page 29: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/29.jpg)
Win64/Rovnix: Abusing Debugging Facilities
Win64/Rovnix:
o hooks Int 1h
tracing
handles hardware breakpoints (DR0-DR7)
o overwrites the last half of IDT (Interrupt Descriptor Table)
is not used by OS
As a result the malware is able to:
set up hooks without patching bootloader components
retain control after switching into protected mode
![Page 30: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/30.jpg)
Olmarik vs Rovnix
Characteristics Win64/Olmarik Win64/Rovnix
Privilege escalation MS10-092 Reboot technique ZwRaiseHardError API ExitWindowsEx API
MBR/VBR infection MBR VBR (bootstrap code)
Loading driver ZwCreateDriver API Inserting into boot driver list
of KeLoaderBlock structure
Payload injection KeInitializeApc/
KeInstertQueueApc APIs
KeInitializeApc/
KeInstertQueueApc APIs
Self-defense Kernel-mode hooks,
MBR monitoring
Number of modules 10 2
Stability of code
Threat complexity
![Page 31: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/31.jpg)
Bootkit Attack Vector
![Page 32: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/32.jpg)
Modern Bootkits’ Approaches
o Hooking BIOS 13h Interrupt Handler
Win64/Olmarik
o Tracing Bootloader Components
Win64/Rovnix
“Deep Boot” (PoC)
o Stealing a Processor’s Core
“EvilCore” (PoC)
![Page 33: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/33.jpg)
Tracing Bootloader Components
o Microsoft Windows Bootloader Components:
o Surviving processor’s execution mode switching
Malware has to retain control after execution mode
switching
IDT and GDT are most frequently abused data
structures
Component Name Processor Execution Mode
Bootstrap code real mode
Bootmgr real mode/protected mode
Winload.exe/Winresume.exe protected mode
![Page 34: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/34.jpg)
What Facilitates the Attack Vector?
o Untrusted platform problem
BIOS controls boot process, but who controls it?
The trust of trust is below point of attack
Bootmgr OS loader OS kernel
dependencies
OS kernel
Boot-start drivers
Non boot-start kernel-mode drivers
Pre boot firmware
Point of Attack
The Root of Trust
![Page 35: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/35.jpg)
How to Defend Against the Attack?
oTo resist bootkit attacks we need the root of trust
be above point of attack:
TPM
UEFI Secure Boot
Bootmgr OS loader OS kernel
dependencies
OS kernel
Boot-start drivers
Non boot-start kernel-mode drivers
Pre boot firmware
Point of Attack
The Root of Trust
![Page 36: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/36.jpg)
Conclusion
Bootkits ability to bypass KMCSP
Return of old-school techniques MBR infections
Win64/Olmarik (TDL4) 1st widely spread Win64
rootkit
Win64/Rovnix debugging facilities to subvert
KMCSP
Untrusted platform facilitates bootkit techniques
![Page 37: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/37.jpg)
References
“The Evolution of TDL: Conquering x64”
http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf
“Defeating x64: The Evolution of the TDL Rootkit”
http://www.eset.com/us/resources/white-papers/TDL4-CONFidence-2011.pdf
“Hasta La Vista, Bootkit: Exploiting the VBR”
http://blog.eset.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr
Follow ESET Threat Blog http://blog.eset.com
![Page 38: Bypassing Kernel-Mode Signing Policy · Patch bootmgr VBR is loaded and executed Read BCD Restore bootmgr, hook int1 handler and copy itself over IDT Load winload.exe Bootloader parameters](https://reader034.fdocuments.in/reader034/viewer/2022052005/601888320e3dbd1ede32a9e8/html5/thumbnails/38.jpg)
Thank you for your attention ;)
Aleksandr Matrosov [email protected]
@matrosov
Eugene Rodionov [email protected]
@vxradius