Written by:
InfoSecKitten@gmail.com / @infoseckitten
hack3rsaurus@gmail.com / @magicked
ulilclown@gmail.com / @alwaysreit
First off, special shout out to @jackcr for creating the forensic challenge. If you didn’t catch it on twitter, it is available here: https://t.co/BF5csAws
In short, the challenge consisted of a memory dump with a handful of questions. We’ll answer the questions first and then move on to our solution.
What is the C2:
58.64.132.141
What tools were placed on the machine:
psexec was used on the system, creating residue
gsecdump and 6to4ex.dll were also dropped on the system
What type of backdoor:
gh0st
What was stolen:
Passwords and Windows Secrets were dumped
What was the name of the file that held the stolen data:
berry.gif
What process id was the backdoor running in:
1072 (svchost.exe was the parent process)
What was the name of the dropper:
C:\Documents and Settings\gdaniels\Desktop\Symantec-1.43-1.exe
Which looks like it was copied over using vboxshare
710728-C:\Documents and Settings\gdaniels\Desktop\Symantec-1.43-1.exe
710729:##vboxsrv#vboxshare
What is the name of the backdoor:
6to4ex.dll (located in the system32 folder)
Now for the explanation!
Basic Information
The majority of this challenge was solved using Volatility. Volatility exists here: http://code.google.com/p/volatility/
First things first, the imageinfo (dumped from volatility):
$ python vol.py -f memdump.bin imageinfo
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (memdump.bin)
PAE type : PAE
DTB : 0x311000L
KDBG : 0x80545ae0
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000
KUSER_SHARED_DATA : 0xffdf0000
Image date and time : 2012-11-17 18:49:50 UTC+0000
Image local date and time : 2012-11-17 13:49:50 -0500
Finding the C2
The C2 was discovered by first looking for the running processes. We looked at the standard pslist, but no processes seemed to stick out.
$ python vol.py -f memdump.bin pslist
Volatile Systems Volatility Framework 2.2
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x823c89c8 System 4 0 54 254 ------ 0
0x8219d020 smss.exe 368 4 3 19 ------ 0 2012-11-17 18:30:27
0x8228e020 csrss.exe 616 368 12 364 0 0 2012-11-17 18:30:28
0x822acc78 winlogon.exe 640 368 20 611 0 0 2012-11-17 18:30:28
0x82065020 services.exe 684 640 16 249 0 0 2012-11-17 18:30:28
0x821a4020 lsass.exe 696 640 24 395 0 0 2012-11-17 18:30:28
0x8215d230 VBoxService.exe 856 684 8 106 0 0 2012-11-17 18:30:28
0x8206c020 svchost.exe 900 684 18 167 0 0 2012-11-17 18:30:28
0x8216f558 svchost.exe 988 684 9 222 0 0 2012-11-17 18:30:29
0x8217d7e8 svchost.exe 1072 684 76 1406 0 0 2012-11-17 18:30:29
0x8203eda0 svchost.exe 1124 684 6 75 0 0 2012-11-17 18:30:29
0x822cf020 svchost.exe 1184 684 14 245 0 0 2012-11-17 18:30:29
0x820298b0 spoolsv.exe 1380 684 10 104 0 0 2012-11-17 18:30:29
0x821a8a78 alg.exe 1924 684 5 103 0 0 2012-11-17 18:30:37
0x822dba20 explorer.exe 320 248 15 474 0 0 2012-11-17 18:30:47
0x821d6da0 VBoxTray.exe 1024 320 7 57 0 0 2012-11-17 18:30:48
0x821d13c0 wuauclt.exe 1880 1072 3 133 0 0 2012-11-17 18:31:39
0x8202c538 cmd.exe 1324 1072 0 -------- 0 0 2012-11-17 18:33:30 2012-11-17 18:47:24
0x82155da0 PsExec.exe 1772 1324 1 44 0 0 2012-11-17 18:45:40
0x822d07e8 cmd.exe 1212 320 1 33 0 0 2012-11-17 18:49:01
0x82028ad8 mdd.exe 1584 1212 1 24 0 0 2012-11-17 18:49:50
Our next thought was that this was either a process just running in a funky directory (something like Windows\svchost.exe) or that this was a dll that was being launched under another process (rundll32, or svchost when used as a service launcher). We decided to look at network connections to see if anything interesting was listening as a backdoor.
Looking at connscan yielded the following information:
Volatile Systems Volatility Framework 2.2
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x021eb3c0 192.168.56.103:1084 192.168.56.10:389 320
0x021ecaa8 192.168.56.103:1076 58.64.132.141:80 1072
0x0224e8e8 192.168.56.103:1081 192.168.56.10:445 1184
0x023a12f8 192.168.56.103:1079 58.64.132.141:80 1072
We could also check Volatility’s connections plugin:
$ python vol.py -f memdump.bin connections
Volatile Systems Volatility Framework 2.2
Offset(V) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
0x821a12f8 192.168.56.103:1079 58.64.132.141:80 1072
0x81fecaa8 192.168.56.103:1076 58.64.132.141:80 1072
HAY THATS WEIRD! Once the 58.64.132.141 address was discovered, it was just a matter of pulling on strings to figure out which process it was tied back to. Both plugins revealed PID 1072 as the parent process. Luckily for us, a connection was still in memory when the dump was taken. In most cases we don't get that lucky.
Analyzing the Parent Process
When looking at this process we could see the C2 string existed under svchost.exe (1072). Unless it’s a total binary copy of svchost on the box, there is a good chance that the binary itself isn’t malicious (it’s probably a DLL or something loaded under the process). Using dlllist to display all of the loaded DLLs under this process yielded the following data:
$ python vol.py -f memdump.bin dlllist -p 1072
************************************************************************
svchost.exe pid: 1072
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Pack 3
Base Size Path
---------- ---------- ----
0x01000000 0x6000 C:\WINDOWS\System32\svchost.exe
0x7c900000 0xaf000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x92000 C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 0x11000 C:\WINDOWS\system32\Secur32.dll
...snip...
0x5cb70000 0x26000 C:\WINDOWS\System32\ShimEng.dl
0x10000000 0x1c000 c:\windows\system32\6to4ex.dll <- stuck out
0x73b80000 0x12000 c:\windows\system32\AVICAP32.dll
0x75a70000 0x21000 c:\windows\system32\MSVFW32.dll
0x73d30000 0x17000 C:\WINDOWS\System32\wbem\wbemcons.dll
In the above output, we confirmed our assumption that it was a hidden DLL launched under another process. We could have looked up every DLL in the above list, but experience gave us insight into 6to4ex.dll. It’s the odd man out. A quick way to do this is to compile a whitelist of known binaries and filter out legitimate DLLs by name. This isn’t guaranteed to work, as some backdoors will completely replace an existing binary, but it will often help weed out the non-malicious DLLs.
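The name-based filter described above, as an added example that is not part of the original write-up: it parses dlllist rows and reports modules a baseline cannot account for, going one step further than a name check by also comparing the load directory. The `BASELINE` table and the last sample row are assumptions constructed for illustration.

```python
import ntpath
import re

# Rows copied from the dlllist output above; the final row is constructed
# to show a trusted name loaded from an unexpected directory.
DLLLIST_OUTPUT = r"""
svchost.exe pid: 1072
Base Size Path
---------- ---------- ----
0x01000000 0x6000 C:\WINDOWS\System32\svchost.exe
0x7c900000 0xaf000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf6000 C:\WINDOWS\system32\kernel32.dll
0x10000000 0x1c000 c:\windows\system32\6to4ex.dll
0x73b80000 0x12000 c:\windows\system32\AVICAP32.dll
0x73d30000 0x17000 C:\WINDOWS\System32\wbem\wbemcons.dll
0x00400000 0x5000 C:\WINDOWS\Temp\kernel32.dll
"""

# Assumption: baseline exported from a clean build of the same OS image,
# mapping lowercase module name -> directories it may legitimately load from.
BASELINE = {
    "svchost.exe": {r"c:\windows\system32"},
    "ntdll.dll": {r"c:\windows\system32"},
    "kernel32.dll": {r"c:\windows\system32"},
    "avicap32.dll": {r"c:\windows\system32"},
    "wbemcons.dll": {r"c:\windows\system32\wbem"},
}

ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*)$")


def parse_dlllist(text):
    """Return (base, size, path) for every module row, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            base, size, path = m.groups()
            rows.append((int(base, 16), int(size, 16), path.strip()))
    return rows


def triage(rows, baseline):
    """Return (path, reason) for modules the baseline cannot account for."""
    findings = []
    for _base, _size, path in rows:
        directory, name = ntpath.split(path.lower())
        if name not in baseline:
            findings.append((path, "name not in baseline"))
        elif directory not in baseline[name]:
            findings.append((path, "known name, unexpected directory"))
    # A module replaced in place passes both checks; catching that needs a
    # hash comparison of the dlldump output against the baseline.
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_dlllist(DLLLIST_OUTPUT), BASELINE):
        print(f"{reason}: {path}")
```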
At this point, we had already answered 3 or so of the questions. There are several different directions to take at this point. We can try and chase down the DLL to get full functionality of the backdoor, or we can search memory for commands entered and executed from memory.
Extracting the Malicious DLL:
Let’s extract the malicious DLL. We know the malicious process and the suspected DLL. We can dump those out using volatility.
$ python vol.py -f memdump.bin dlldump -p 1072 --dump-dir dump/
Volatile Systems Volatility Framework 2.2
Process(V) Name Module Base Module Name Result
---------- -------------------- ----------- -------------------- ------
..snip...
0x8217d7e8 svchost.exe 0x010000000 6to4ex.dll OK: module.1072.237d7e8.10000000.dll
..snip...
This gives us the binary DLL which we can then analyze using normal RE methods. Part of our analysis might include strings, which gives us the following tidbit:
Gh0st Update
Global\Gh0st %d
This appears to be a variant of Gh0st.
Discovering what was Stolen:
One other thing of note is that psexec is also being used on this system. Typically psexec is hard to hunt as there is a TON of legitimate use for it on a network, so we wanted to see if we could find anything in memory that would be damning. There is residue of psexec running ipconfig against the domain controller. It was most likely given the accepteula arg to avoid popping a window on the remote system. This can either be found with strings and/or grep, or it can be pulled out with the consoles command from volatility.
$ python vol.py -f memdump.bin consoles
Volatile Systems Volatility Framework 2.2
**************************************************
ConsoleProcess: csrss.exe Pid: 616
Console: 0x4f2398 CommandHistorySize: 50
HistoryBufferCount: 4 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\svchost.exe
Title: C:\WINDOWS\System32\svchost.exe - PsExec.exe \\w2k3dc "cmd /c ipconfig" \accepteula
AttachedProcess: PsExec.exe Pid: 1772 Handle: 0x598
One of our favorite string dumps from this memory sample is the directory listing, where we can see 2 versions of one directory (as well as file sizes). We can derive that the xircom directory not only had psexec + gsecdump in it, but also berry.gif (4,947 bytes).
$ strings memory.bin | egrep -n20 -i -a "psexec"
...snip...
1581408-The command completed successfully.
1581409-C:\WINDOWS\system32\xircom>:
1581410-59Yh
1581411-8D*`3
1581412- Volume in drive C has no label.
1581413- Volume Serial Number is 3CD4-8C81
1581414- Directory of C:\WINDOWS\system32\xircom
1581415-11/17/2012 01:35 PM <DIR> .
1581416-11/17/2012 01:35 PM <DIR> ..
1581417:11/17/2012 01:35 PM 303,104 gsecdump.exe
1581418-11/17/2012 01:35 PM 381,816 PsExec.exe
1581419- 2 File(s) 684,920 bytes
1581420- 2 Dir(s) 5,849,026,560 bytes free
1581421-C:\WINDOWS\system32\xircom>
1581422- DxK-
1581423-eMmz
1581424- Volume in drive C has no label.
1581425- Volume Serial Number is 3CD4-8C81
1581426- Directory of C:\WINDOWS\system32\xircom
1581427-11/17/2012 01:37 PM <DIR> .
1581428-11/17/2012 01:37 PM <DIR> ..
1581429-11/17/2012 01:37 PM 4,947 berry.gif
1581430:11/17/2012 01:35 PM 303,104 gsecdump.exe
1581431-11/17/2012 01:35 PM 381,816 PsExec.exe
1581432- 3 File(s) 689,867 bytes
1581433- 2 Dir(s) 5,849,042,944 bytes free
1581434-C:\WINDOWS\system32\xircom>n
Also in the output above we see that our computer was talking to another computer at the time of this command being issued (GH0ST1). Interesting data, but nothing to act on at the moment.
1581406-\\2K3DC
1581407-\\GH0ST1
Pulling out the Passwords
We can discover password hashes by simply running grep. You just have to know the format to search:
$ egrep -i -a ":[a-z0-9]{32}:" memdump.bin
Hashes discovered in memory:
PETRO1-MARKET\gdaniels::0eabfd9afee0b99ed8ed90e37b677c5c:797ae920dbb4ddcb60f7d56db3cda7f3:::
PETRO1-MARKET\GH0ST1$::00000000000000000000000000000000:3737a005e082618387f7e78f1207b839:::
Administrator(current):500:a15153d335c2751f17306d272a9441bb:835fd21aac32076df24dc75e0c77144f:::
backup-svc(current):1004:aad3b435b51404eeaad3b435b51404ee:58084ba4f441deb663cf89894c6efdee:::
Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant(current):1000:73a6b58b54bc6c67698a385fbb9ff610:d9d5049db334e1bf20efada4be260c90:::
jack(current):1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0(current):1002:aad3b435b51404eeaad3b435b51404ee:8009c56ccf299e35ce02991ac58c00cc:::
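An added example (not from the original write-up) that tightens the egrep pattern above to the full pwdump line layout and sorts the results by exposure: which accounts still have an LM hash stored and which have a blank password. The sample buffer is constructed from three of the lines above, and treating an all-zero LM field as "not stored" is an assumption.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty string
# Assumption: an all-zero LM field is a placeholder for "no LM hash stored".
NO_LM = {EMPTY_LM, "0" * 32}

# name:rid:LM:NT::: with an optional rid; the name is printable ASCII
# without spaces or colons, so binary junk in the image ends a candidate.
PWDUMP = re.compile(
    rb"([\x21-\x39\x3b-\x7e]{1,64}):(\d*):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::"
)

# Constructed buffer: three lines from the grep output above, surrounded by
# arbitrary bytes the way they would sit in a raw memory image.
SAMPLE = (
    b"\x00\x17junk\xff"
    b"Administrator(current):500:a15153d335c2751f17306d272a9441bb:835fd21aac32076df24dc75e0c77144f:::\r\n"
    b"\x00\x00"
    b"jack(current):1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\r\n"
    b"backup-svc(current):1004:aad3b435b51404eeaad3b435b51404ee:58084ba4f441deb663cf89894c6efdee:::\r\n"
    b"\x90\x90"
    b"jack(current):1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\r\n"
)


def extract_pwdump(buf):
    """Return unique (name, rid, lm, nt) records found in a raw byte buffer."""
    seen, records = set(), []
    for m in PWDUMP.finditer(buf):
        name, rid, lm, nt = (g.decode("ascii") for g in m.groups())
        rec = (name, rid, lm.lower(), nt.lower())
        if rec not in seen:  # memory usually holds several copies of a line
            seen.add(rec)
            records.append(rec)
    return records


def classify(records):
    """Flag the exposures that drive the password-reset plan."""
    report = []
    for name, rid, lm, nt in records:
        report.append({
            "account": name,
            "rid": rid,
            "lm_stored": lm not in NO_LM,      # weak LM hash is present
            "blank_password": nt == EMPTY_NT,  # account has no password
        })
    return report


if __name__ == "__main__":
    for entry in classify(extract_pwdump(SAMPLE)):
        print(entry)
```

Accounts reported with `lm_stored` set are the ones to reset first, since the LM format is the weak one.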
Why stop here? We decided to crack the passwords in memory for the good old college try! (Helps that they were in LM.)
Feeding those to JTR led us to the following results:
Loaded 12 password hashes with no different salts (LM DES [64/64 BS])
(SUPPORT_388945a0(current))
(jack(current))
(Guest(current))
(backup-svc(current))
E (Administrator:2)
3AVE! (gdaniels:2)
2AWES0M (Administrator:1)
HT2JGMT (HelpAssistant:2)
U0&2HCS (HelpAssistant:1)
Unfortunately, at the time of writing JTR is still running, so we only have partial passwords at this point. We do have the admin password of “2AWESOME”, as well as some blank passwords. Administrator is a good account to have though. When JTR completes, we’ll update with the full results.
In addition to passwords being dumped, Windows secrets were also dumped and show up in memory. (Note: when we took the data below and saved it into a txt file, its size came very close to that of berry.gif. While this is not a smoking gun by any means, we can infer that the data inside berry.gif was most likely the output of gsecdump.)
1831158-$MACHINE.ACC
1831159- AD CC 55 00 D6 6F B6 19 26 F4 AA CF FC BE 45 0B ..U..o..&.....E. ?U?__??_
1831160- B6 86 1A 5B E7 31 B7 CD DF 77 45 34 ...[.1...wE4 ??_???
1831161-0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount
1831162- 55 00 30 00 26 00 32 00 48 00 63 00 73 00 48 00 U.0.&.2.H.c.s.H. U0&2HcsH
1831163- 54 00 32 00 4A 00 67 00 4D 00 54 00 00 00 T.2.J.g.M.T... T2JgMT_
1831164-0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
1831165- 01 05 00 00 00 00 00 05 15 00 00 00 85 E7 7E 2F ..............~/ ________
1831166- 8A A7 32 3F DB EB 0C 50 E8 03 00 00 ..2?...P.... _?_??_
1831167-20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT
1831168-DefaultPassword
1831169-DPAPI_SYSTEM
1831170- 01 00 00 00 29 32 BC 08 B0 EA 9E DC CB 5E 28 0D ....)2.......^(. ______??
1831171- 36 77 00 25 5E 79 54 76 AD 6A 6E A9 B2 37 F2 7F 6w.%^yTv.jn..7.. ?_???_??
1831172- CB FC A9 62 94 08 3C 0E C7 16 7D F0 ...b..<...}. ??__?_
1831173-G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}
1831174- 76 6B 61 99 4F 08 B8 46 91 21 C7 E1 D6 2D 78 F5 vka.O..F.!...-x. ??_?____
1831175-L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75
1831176- 52 53 41 32 48 00 00 00 00 02 00 00 3F 00 00 00 RSA2H.......?... ?_H_?_?_
1831177- 01 00 01 00 13 19 50 EA 2B AB 97 03 08 69 CA F4 ......P.+....i.. _____??_
1831178- 9C 06 12 79 A9 5A 2E 17 B3 A3 84 7A BC FF 69 5F ...y.Z.....z..i_ ???_????
1831179- A3 BE 00 1B 28 23 CC 49 30 AA 72 10 E1 1A 00 22 ....(#.I0.r...." ?__?____
1831180- 57 A8 C3 07 2B 0E A6 06 B3 A1 EB 79 37 73 C2 0E W...+......y7s.. __??????
1831181- 10 64 5F E0 00 00 00 00 00 00 00 00 FF 88 BF 57 .d_............W ?_____??
1831182- FA 23 F9 66 C1 5D AF 95 78 E9 EC 47 ED AE FD B9 .#.f.]..x..G.... _???_???
1831183- 2D 3B 6E 0B 97 D7 FD 42 4C ED D3 F1 00 00 00 00 -;n....BL....... ????____
1831184- ED BB 14 EF 8D A2 01 E8 9A DF 56 A5 88 40 D5 F0 ..........V..@.. ?_?___?_
1831185- 78 A8 97 88 CE 82 CE 34 B8 D1 6C AB 9C 96 85 ED x......4..l..... _????_?_
1831186- 00 00 00 00 77 34 E3 0B FF C9 12 12 8C 67 4A A5 ....w4.......gJ. __?_???_
1831187- D8 E8 A5 12 1E FD 95 26 93 18 FE B6 8A 32 26 01 .......&.....2&. _??_??_?
1831188- FA 7D 12 D0 00 00 00 00 5D 85 1E FD 30 C6 3A D2 .}......]...0.:. ??__????
1831189- F4 AB C0 16 74 4F 89 F5 67 8D DC EE AA 7E DD 06 ....tO..g....~.. _??_?_?_
1831190- 73 ED C5 65 2C 77 F4 51 00 00 00 00 B2 74 20 B9 s..e,w.Q.....t . _???__??
1831191- 4E 40 1D C5 48 9B 19 9C 37 3D EB 89 BD 7D BB 3D N@..H...7=...}.= ????????
1831192- 92 5C AB E3 96 98 29 F8 6D E3 AB 7A 00 00 00 00 .\....).m..z.... ?_?__?__
1831193- C1 8B 80 70 00 3A A1 F5 30 ED 79 14 1F 57 BE F0 ...p.:..0.y..W.. ???__??_
1831194- F2 0C D6 6B 25 D1 FD 61 F9 EE 1C 5E 3E 6F 5B F9 ...k%..a...^>o[. _???_???
1831195- 8E 32 18 D4 01 71 DD B6 7E 26 61 15 CC 28 DA EE .2...q..~&a..(.. _???_?__
1831196- 9B 63 36 88 81 A6 F5 C9 0E 80 07 B7 FD C0 1E 63 .c6............c ??_?????
1831197- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ________
1831198- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ________
1831199- 00 00 00 00 00 00 00 00 00 00 00 00 ............ ______
1831200-L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588
1831201- 00 40 3E 05 A8 1D CE 01 .@>..... ??_?
1831202-L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}
1831203- FF 62 37 13 60 13 02 E8 E4 8E DF 5E 71 3C B3 21 .b7.`......^q<.! ??__???_
1831204- ED 7F 4B 91 43 82 88 98 7E 30 4A 48 60 55 0F E1 ..K.C...~0JH`U.. ???????_
1831205- 90 80 98 5A 96 BD B1 82 AB D8 81 40 6C 80 D7 B0 ...Z.......@l... ????_???
1831206- C2 9B 9A 17 BA 3B CB A0 .....;.. ????
1831207-NL$KM
1831208- 1D CD 4D 34 A3 E4 40 6C F9 0C 4F D1 7B E4 D2 1F ..M4..@l..O.{... ??_?_?_?
1831209- E3 F0 2B 60 D1 1E C4 08 13 DA E6 D1 46 19 D9 83 ..+`........F... _??__?_?
1831210- 41 60 B3 43 71 6D 8E F1 F1 4A 68 80 35 FE 13 F5 A`.Cqm...Jh.5... ???_???_
1831211- 30 1C 9E DD F4 0F A5 7F D6 97 89 EC 8B 32 26 D2 0............2&. ___??__?
1831212- 02 00 00 00 .... __
1831213- 02 00 00 00 .... __
1831223-Microsoft wireless secrets:
1831224-No interfaces found
1831225-PETRO1-MARKET\gdaniels::0eabfd9afee0b99ed8ed90e37b677c5c:797ae920dbb4ddcb60f7d56db3cda7f3:::
1831226-PETRO1-MARKET\GH0ST1$::00000000000000000000000000000000:3737a005e082618387f7e78f1207b839:::
1831227-PETRO1-MARKET\GH0ST1$::00000000000000000000000000000000:3737a005e082618387f7e78f1207b839:::
1831228:Administrator(current):500:a15153d335c2751f17306d272a9441bb:835fd21aac32076df24dc75e0c77144f:::
1831229:backup-svc(current):1004:aad3b435b51404eeaad3b435b51404ee:58084ba4f441deb663cf89894c6efdee:::
1831230:Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
1831231:HelpAssistant(current):1000:73a6b58b54bc6c67698a385fbb9ff610:d9d5049db334e1bf20efada4be260c90:::
1831232:jack(current):1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
1831233:SUPPORT_388945a0(current):1002:aad3b435b51404eeaad3b435b51404ee:8009c56ccf299e35ce02991ac58c00cc:::
Additional Information:
Build string in memory: e:\gh0st\server\sys\i386\RESSDT.pdb
A strange mutant was found (still digging on that)
0x021d5708 2 1 0 0x821d8988 1072:1444 AAAAAAsqe9tbO9rrCxva6zrqmnr58=
Interesting strings from the malware are listed below only for reference. As a next step in our incident response process, we would build these into a yara rule (http://code.google.com/p/yara-project/) to scan the environment for more copies of this backdoor. We could also check proxies, weblogs, etc. (Note: With copies of Gh0st that we have dealt with before, strings are often unreliable and the binary would require further RE to build reliable signatures.)
!This program cannot be run in DOS mode.
Microsoft\Network\Connections\pbk\rasphone.pbk
\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
Documents and Settings\
ConvertSidToStringSidA
advapi32.dll
L$_RasDefaultCredentials#0
RasDialParams!%s#0
Device
PhoneNumber
DialParamsUID
WinSta0\Default
%1
%s\shell\open\command
%s\*.*
%s%s%s
%s%s*.*
SYSTEM\CurrentControlSet\Services\%s
InstallModule
RegSetValueEx(start)
SYSTEM\CurrentControlSet\Services\
RegQueryValueEx(Type)
\syslog.dat
Gh0st Update
Applications\iexplore.exe\shell\open\command
winlogon.exe
%d.bak
ex.dll
[%02d/%02d/%d %02d:%02d:%02d] (%s)
_kaspersky
REG_BINARY
%-24s %-15s
REG_MULTI_SZ
%-24s %-15s 0x%x(%d)
REG_DWORD
%-24s %-15s %s
REG_EXPAND_SZ
REG_SZ
[%s]
%d
\cmd.exe
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Mozilla/4.0 (compatible)
https://
http://
HARDWARE\DESCRIPTION\System\CentralProcessor\0
KeServiceDescriptorTable
ntdll.dll
NtQuerySystemInformation
\\.\RESSDTDOS
Global\Gh0st %d
winsta0
AAAAAA
SeShutdownPrivilege
explorer.exe
Winlogon
CVideoCap
#32770
1.1.4
58.64.132.141
C:\WINDOWS\system32\Drivers\beep.sys
!This program cannot be run in DOS mode.
$
.text
h.rdata
H.data
.reloc
\Device\RESSDT
\??\RESSDTDOS
e:\gh0st\server\sys\i386\RESSDT.pdb
ntoskrnl.exe
VS_VERSION_INFO
StringFileInfo
080404b0
Comments
CompanyName
Microsoft Corporation
FileDescription
Device Protect Application
FileVersion
3, 6, 0, 0
InternalName
Microsoft(R) Windows(R) Operating System
LegalCopyright
Copyright ? 2008
LegalTrademarks
OriginalFilename
svchost.dll
PrivateBuild
ProductName
Microsoft(R) Windows(R) Operating System
ProductVersion
3, 6, 0, 0
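As an added example, not part of the original write-up, the sketch below expresses in Python the kind of condition such a YARA rule would carry: match when at least N of the family-specific strings above appear, checked as both ASCII and UTF-16LE. The threshold and the two sample buffers are assumptions constructed for illustration.

```python
# Indicators taken from the strings listed above. Generic entries such as
# "ntdll.dll" or "REG_SZ" are left out: they occur in most Windows binaries.
INDICATORS = [
    "Gh0st Update",
    r"Global\Gh0st %d",
    r"e:\gh0st\server\sys\i386\RESSDT.pdb",
    r"\\.\RESSDTDOS",
    r"\Device\RESSDT",
    "58.64.132.141",
]

# Constructed buffers standing in for a dumped module and a clean binary.
SAMPLE_IMPLANT = (
    b"MZ\x90\x00"
    + b"Gh0st Update\x00"
    + INDICATORS[1].encode("utf-16-le") + b"\x00\x00"
    + b"58.64.132.141\x00"
)
SAMPLE_BENIGN = b"MZ\x90\x00ntdll.dll\x00Mozilla/4.0 (compatible)\x00"


def find_indicators(data, indicators=INDICATORS):
    """Return {indicator: [(encoding, offset), ...]} for every hit in data."""
    haystack = data.lower()  # bytes.lower() only changes ASCII letters
    hits = {}
    for text in indicators:
        for label, codec in (("ascii", "ascii"), ("wide", "utf-16-le")):
            needle = text.lower().encode(codec)
            pos = haystack.find(needle)
            while pos != -1:
                hits.setdefault(text, []).append((label, pos))
                pos = haystack.find(needle, pos + 1)
    return hits


def verdict(data, threshold=2):
    """Match when at least `threshold` distinct indicators are present.

    Assumption: 2 is an illustrative threshold. Requiring several strings
    keeps one coincidental hit (for example the IP address in a proxy log
    held in memory) from flagging an unrelated file.
    """
    hits = find_indicators(data)
    return len(hits) >= threshold, hits


if __name__ == "__main__":
    for label, blob in (("implant", SAMPLE_IMPLANT), ("benign", SAMPLE_BENIGN)):
        matched, hits = verdict(blob)
        print(label, matched, hits)
```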
