Introduction
Going by recent headlines, you could be forgiven for thinking all ransomware operators are raking in tens of millions of ill-gotten dollars every year from their nefarious activities.
Lurking in the shadows of every large-scale attack by organized gangs of cybercriminals, however, there can be found a multitude of smaller actors who do not have access to the latest ransomware samples, the ability to be affiliates in the post-DarkSide RaaS world or the financial clout to tool up at speed.
So what is a low-paid ransomware operator to do in such circumstances?
By getting creative and looking out for the latest malware and builder leaks they can be just as devastating to their victims and, in this blog, we will track the criminal career of one such actor as they evolve from homemade ransomware to utilizing major ransomware through the use of publicly leaked builders.
The Rich Get Richer
For years, the McAfee Enterprise Advanced Threat Research (ATR) team has observed the proliferation of ransomware and the birth and (apparent) death of large organized gangs of operators. The most notorious of these gangs have extorted huge sums of money from their victims, by charging for decryption of data or by holding the data itself to ransom against the threat of publication on their ‘leak’ websites.
With the income of such tactics often running into the tens of millions of dollars, such as with the Netwalker ransomware that generated 25 million USD between 1 March and 27 July 2020, we speculate that many of those ill-gotten funds are subsequently used to build and maintain arsenals of offensive cyber tools, allowing the most successful cybercriminals to stay one step ahead of the chasing pack.

Figure 1: Babuk group looking for a corporate VPN 0-Day
As seen in the image above, cybercriminals with access to underground forums and deep pockets have the means to pay top dollar for the tools they need to continually generate more income, with this particular Babuk operator offering up 50,000 USD for a 0-day targeting a corporate virtual private network (VPN) which would allow easy access to a new victim.
The Lowly-Paid Don’t Necessarily Stay That Way
For smaller ransomware operators, who do not have affiliation with a large group, the technical skills to create their own devastating malware or the financial muscle to buy what they need, the landscape looks rather different.
Unable to build equally effective attack chains, from initial access through to data exfiltration, their opportunities to make illegal profits are far slimmer in comparison to the behemoths of the ransomware market.
Away from the gaze of researchers who typically focus on the larger ransomware groups, many individuals and smaller groups are toiling in the background, attempting to evolve their own operations any way they can. One such method we have observed is through the use of leaks, such as the recent online posting of Babuk’s builder and source code.

Figure 2: Babuk builder public leak on Twitter

Figure 3: Babuk source code leak on underground forum
McAfee Enterprise ATR has seen two distinct types of cybercriminal taking advantage of leaks such as this. The first group, which we presume to be less tech-savvy, has merely copied and pasted the builder, substituting the Bitcoin address in the ransom note with their own. The second group has gone further, using the source material to iterate their own versions of Babuk, complete with additional features and new packers.
Thus, even those operators at the bottom of the ransomware food chain have the opportunity to build on others’ work, to stake their claim on a proportion of the money to be made from data exfiltration and extortion.
ATR’s Theory of Evolution
A Yara rule dedicated to Babuk ransomware triggered on a new sample uploaded to VirusTotal, which brings us to our ‘lowly-paid’ ransomware actor.
From a quick look at the sample we can deduce that it is a copied and pasted binary output from Babuk’s builder, with an edited ransom note naming the version “Delta Plus”, two recovery email addresses and a new Bitcoin address for payments:

Figure 4: Strings content of “Delta Plus” named version of Babuk
We’ve seen the two recovery email addresses before – they have been used to deliver random ransomware in the past and, by using them to pivot, we were able to delve into the actor’s resume:
The first email address, retrievedata300@gmail.com, has been used to drop a .NET ransomware mentioning “Delta Plus”:

Figure 5: Strings content of .NET ransomware related to previous Delta ransomware activities
| Filename | Setup.exe |
| Compiled Time | Tue Sep 7 17:58:34 2021 |
| FileType | Win32 EXE |
| FileSize | 22.50 KB |
| Sha256 | 94fe0825f26234511b19d6f68999d8598a9c21d3e14953731ea0b5ae4ab93c4d |
The ransomware is fairly simple to analyze; all mechanisms are declared, and command lines, registry modification, etc., are hardcoded in the binary.


Figure 6: .NET analysis with command line details
In fact, the actor’s own ransomware is so poorly developed (no packing, no obfuscation, command lines embedded in the binary and the fact that the .NET language is easy to analyze) that it is hardly surprising they started using the Babuk builder instead.
By way of contrast, their new project is well developed, easy to use and efficient, not to mention painful to analyze (as it is written in the Golang language) and provides executables for Windows, Linux and network attached storage (NAS) systems.
The second email address, deltapaymentbitcoin@gmail.com, has been used to drop an earlier version of the .NET ransomware:

Figure 7: Strings content from first version of .NET ransomware
| Filename | test2.exe |
| Compiled Time | Mon Aug 30 19:49:54 2021 |
| FileType | Win32 EXE |
| FileSize | 15.50 KB |
| Sha256 | e1c449aa607f70a9677fe23822204817d0ff41ed3047d951d4f34fc9c502f761 |
Tactics, Techniques and Procedures
By checking the relationships between “Delta ransomware”, the Babuk iteration and the domains contacted during process execution, we can observe some domains related to our sample:
| suporte01928492.redirectme.web |
| suporte20082021.sytes.web |
| 24.152.38.205 |
Due to a misconfiguration, files hosted on these two domains are accessible through Open Directory (OpenDir), which is a list of direct links to files stored on a server:


Figure 8: Open Directories website where samples are hosted
- bat.rar: A PowerShell script used to perform several operations:
  - Try to disable Windows Defender
  - Bypass User Account Control (UAC)
  - Get system rights via runasti

Figure 9: Privilege escalation to get system rights
- exe.rar: Delta Plus ransomware
- reg.rar: Registry values used to disable Windows Defender

Figure 10: Registry value modifications to disable Windows Defender
Other domains where files are hosted contain different tools used during attack operations:
- We’ve found two methods employed by the operator, which we assume to be used for initial access: first, a fake Flash Player installer and, secondly, a fake Anydesk remote tool installer used to drop the ransomware. Our theory about Flash Player initial access has been confirmed by checking the IP that hosts most of the domains:

Figure 11: Fake Flash website used to download fake Flash installer
When logging in, the website warns you that your Flash Player version is outdated and tries to download the fake Flash Player installer:

Figure 12: JavaScript variables used to drop fake Flash installer
A secondary site appears to have also been used in propagating the fake Flash Player, though it is currently offline:

Figure 13: JavaScript function to download the fake Flash installer from another website
- Portable Executable (PE) files used to launch PowerShell command lines to delete shadow copies, exclude Windows Defender and import registry keys from “Replace.reg.rar” to disable Windows Defender.
- A PE file used for several purposes: exfiltrating files from the victim, keylogging, checking if the system has already been held to ransom, getting system information, obtaining user information and creating and stopping processes.


Figure 14: Functions and C2 configuration from ransomware sample (host used for extraction)
- In addition to the above, we also found evidence that this actor tried to leverage another ransomware builder leak, Chaos ransomware.
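One way to hunt for the staging behaviours listed above (shadow copy deletion, Windows Defender exclusions and policy changes, registry file import) in process-creation logs. This is an added example, not code from the article or from McAfee; the command-line patterns, host names and log records are constructed assumptions, since the article does not reproduce the actor's exact command lines.

```python
import re
from collections import defaultdict

# Each rule: (ATT&CK ID taken from the article's table, behaviour, pattern).
# The command forms are common ones chosen for this example (assumptions).
RULES = [
    ("T1490", "shadow copy deletion", re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
        r"|win32_shadowcopy.*\bdelete\b", re.I)),
    ("T1112", "Windows Defender policy key modified", re.compile(
        r"\\software\\policies\\microsoft\\windows defender", re.I)),
    ("T1112", "registry file imported", re.compile(
        r"\b(reg(\.exe)?\s+import|regedit(\.exe)?\s+/s)\s.*\.reg\b", re.I)),
    ("T1059.001", "Windows Defender exclusion or real-time setting changed", re.compile(
        r"\b(add|set)-mppreference\b.*-(exclusion(path|extension|process)"
        r"|disablerealtimemonitoring)\b", re.I)),
]

# Constructed process-creation records (hosts, times and commands are made up).
SAMPLE_EVENTS = [
    {"time": "2021-10-04T09:12:01", "host": "WS-01",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"time": "2021-10-04T09:12:07", "host": "WS-01",
     "cmdline": r"reg.exe import C:\Users\Public\sample.reg"},
    {"time": "2021-10-04T09:12:30", "host": "WS-01",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2021-10-04T10:03:11", "host": "WS-02",
     "cmdline": "vssadmin.exe list shadows"},
    {"time": "2021-10-04T10:05:42", "host": "WS-02",
     "cmdline": 'powershell.exe -Command "Get-MpPreference"'},
    {"time": "2021-10-04T11:20:00", "host": "SRV-03",
     "cmdline": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
]


def scan(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for technique, behaviour, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "time": ev["time"],
                                 "technique": technique, "behaviour": behaviour})
    return findings


def escalate(findings, min_behaviours=2):
    """Hosts showing several distinct behaviours. A single hit can be routine
    administration; the combination matches the staging sequence in the article."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["behaviour"])
    return sorted(h for h, b in seen.items() if len(b) >= min_behaviours)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f["time"], f["host"], f["technique"], f["behaviour"])
    print("escalate:", escalate(hits))
```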
Infrastructure
The majority of domains used by this actor are hosted on the same IP: “24.152.38.205” (AS 270564 / MASTER DA WEB DATACENTER LTDA).
But as we saw by “analyzing” the extraction tool used by the actor, another IP is mentioned: “149.56.147.236” (AS 16276 / OVH SAS). On this IP, some ports are open, such as FTP (probably used to store exfiltrated data), SSH, etc.
By looking at this IP with Shodan, we can get a dedicated hash for the SSH service, plus fingerprints to use on this IP, and then find other IPs used by the actor during their operations.
By using this hash, we were able to map the infrastructure by looking for other IPs sharing the same SSH key and fingerprints.
At least 174 IPs are sharing the same SSH pattern (key, fingerprint, etc.); all findings are available in the IOCs section.
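The pivot described above, shown on constructed data: hosts are grouped by the SHA-256 fingerprint of their SSH host key, and everything sharing a key with a seed IP is returned. This is an added example, not the ATR team's tooling; the record layout, the documentation-range IPs and the generated keys are assumptions.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def constructed_key(seed: bytes) -> str:
    """Constructed test data: a well-formed ssh-ed25519 public key blob, base64-encoded."""
    material = hashlib.sha256(seed).digest()  # 32 bytes standing in for a real key
    parts = (b"ssh-ed25519", material)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(blob).decode()


KEY_A = constructed_key(b"image-a")
KEY_B = constructed_key(b"image-b")

# Constructed records in a shape a scan-data export could have (field names are assumptions).
SCAN = [
    {"ip": "192.0.2.10", "port": 22, "hostkey": KEY_A},
    {"ip": "198.51.100.23", "port": 22, "hostkey": KEY_A},
    {"ip": "203.0.113.77", "port": 2222, "hostkey": KEY_A},
    {"ip": "198.51.100.50", "port": 22, "hostkey": KEY_B},
    {"ip": "203.0.113.9", "port": 22, "hostkey": "not base64!!"},  # malformed on purpose
]


def fingerprint(hostkey_b64: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    blob = base64.b64decode(hostkey_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster(records):
    """Map fingerprint -> set of IPs presenting that host key; skip unparsable keys."""
    clusters = defaultdict(set)
    for rec in records:
        try:
            clusters[fingerprint(rec["hostkey"])].add(rec["ip"])
        except (KeyError, ValueError):  # binascii.Error is a ValueError subclass
            continue
    return dict(clusters)


def pivot(records, seed_ip):
    """Return every other IP that shares at least one host key with seed_ip."""
    related = set()
    for ips in cluster(records).values():
        if seed_ip in ips:
            related |= ips
    related.discard(seed_ip)
    return sorted(related)


if __name__ == "__main__":
    for fp, ips in cluster(SCAN).items():
        print(fp, sorted(ips))
    print("pivot:", pivot(SCAN, "192.0.2.10"))
```

A shared host key also appears when unrelated servers are cloned from one image, so matches are leads to corroborate with other indicators.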
Some IPs are hosting different file types, maybe related to previous campaigns:

Figure 15: Open Directory website probably used by the same actor for previous campaigns
Bitcoin Interests
Most of the ransomware samples used by the actor mention different Bitcoin (BTC) addresses, which we assume is an effort to obscure their activity.
By looking for transactions between these BTC addresses with CipherTrace, we can observe that all the addresses we extracted (see the circle highlighted with a yellow “1” below) from the samples we’ve found are related and eventually point to a single Bitcoin wallet, probably under control of the same threat actor.
From the three samples we researched, we were able to extract the following BTC addresses:
- 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
- 1Faiem4tYq7JQki1qeL1djjenSx3gCu1vk
- bc1q2n23xxx2u8hqsnvezl9rewh2t8myz4rqvmdzh2

Figure 16: Follow the money with CipherTrace
Ransomware Isn’t Just About Survival of the Fittest
As we have seen above, our example threat actor has evolved over time, moving from simplistic ransomware and demands in the hundreds of dollars, to toying with at least two builder leaks and ransom amounts in the thousands of dollars range.
While their activity to date suggests a low level of technical skill, the profits of their cybercrime may well prove large enough for them to make another level jump in the future.
Even if they stick with copy-pasting builders and crafting ‘stagers’, they will have the means at their disposal to create an efficient attack chain with which to compromise a company, extort money and improve their income to the point of becoming a bigger fish in a small pond, just like the larger RaaS crews.
In the meantime, such opportunistic actors will continue to bait their hooks and catch any fish they can as, unlike affiliated ransomware operators, they don’t have to follow any rules in return for support (pentest documentation, software, infrastructure, etc.) from the gang’s operators. Thus, they have a free hand to carry out their attacks and, if a victim wants to bite, they don’t care about ethics or who they target.
The good news for everyone else, however, is the fact that global law enforcement isn’t gonna need a bigger boat, as it already casts its nets far and wide.
Mitre Att&ck
| Technique ID | Technique Description | Observable |
| --- | --- | --- |
| T1189 | Drive By Compromise | The actor is using a fake Flash website to spread a fake Flash installer. |
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell is used to launch command lines (delete shadow copies, etc.). |
| T1059.007 | Command and Scripting Interpreter: JavaScript | JavaScript is used in the fake Flash website to download the fake Flash installer. |
| T1112 | Modify Registry | To disable Windows Defender, the actor modifies the registry: “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” and “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection”. |
| T1083 | File and Directory Discovery | The actor is listing files on the victim system. |
| T1057 | Process Discovery | The actor is listing running processes on the victim system. |
| T1012 | Query Registry | To perform some registry modifications, the actor is first querying the registry path. |
| T1082 | System Information Discovery | Before encrypting files, the actor is listing hard drives. |
| T1056.001 | Input Capture: Keylogging | The exfiltration tool has the capability to log user keystrokes. |
| T1005 | Data from Local System | |
| T1571 | Non-Standard Port | The actor is using port “1177” to exfiltrate data. |
| T1048 | Exfiltration Over Alternative Protocol | |
| T1486 | Data Encrypted for Impact | Data encrypted by ransomware. |
| T1490 | Inhibit System Recovery | Delete Shadow Copies. |
Detection Mechanisms
Sigma Rules
Yara Rules
Babuk Ransomware Windows
```yara
rule Ransom_Babuk {
    meta:
        description = "Rule to detect Babuk Locker"
        author = "TS @ McAfee Enterprise ATR"
        date = "2021-01-19"
        hash = "e10713a4a5f635767dcd54d609bed977"
        rule_version = "v2"
        malware_family = "Ransom:Win/Babuk"
        malware_type = "Ransom"
        mitre_attack = "T1027, T1083, T1057, T1082, T1129, T1490, T1543.003"

    strings:
        // UTF-16 "\How To Restore Your Files.txt"
        $s1 = {005C0048006F007700200054006F00200052006500730074006F0072006500200059006F00750072002000460069006C00650073002E007400780074}
        $s2 = "delete shadows /all /quiet" fullword wide

        // $pattern1, $pattern3 and $pattern4 are cut off on this page. They are
        // closed where the text ends; a dangling half byte is written with a
        // "?" nibble wildcard so the rule still compiles.
        $pattern1 = {006D656D74617300006D65706F63730000736F70686F730000766565616D0000006261636B7570000047785673730000004778426C7200}
        $pattern2 = {004163725363683253766300004163726F6E69734167656E74000000004341534144324457656253766300000043414152435570646174655376630000730071}
        $pattern3 = {FFB0154000C78584FDFFFFB8154000C78588FDFFFFC0154000C7858CFDFFFFC8154000C78590FDFFFFD0154000C78594FDFFFFD8154?}
        $pattern4 = {400010104000181040002010400028104000301040003810400040104000481040005010400058104000601040006C104000781040008?}

    condition:
        filesize >= 15KB and filesize <= 90KB and
        1 of ($s*) and 3 of ($pattern*)
}
```
Exfiltration Tool
```yara
rule CRIME_Exfiltration_Tool_Oct2021 {
    meta:
        description = "Rule to detect tool used to exfiltrate data from victim systems"
        author = "TS @ McAfee Enterprise ATR"
        date = "2021-10-04"
        hash = "ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd"

    strings:
        // All four patterns are cut off on this page; each is closed where the
        // text ends so the rule still compiles.
        $pattern1 = {79FA442F5FB140695D7ED6FC6A61F3D52F37F24B2F454960F5D4810C05D7A83D4DD8E6118ABDE2055E4D}
        $pattern2 = {B4A6D4DD1BBEA16473940FC2DA103CD64579DD1A7EBDF30638A59E547B136E5AD113835B8294F53B8C3A}
        $pattern3 = {262E476A45A14D4AFA448AF81894459F7296633644F5FD061A647C6EF1BA950FF1ED48436D1BD4976BF8}
        $pattern4 = {F2A113713CCB049AFE352DB8F99160855125E5A045C9F6AC0DCA0AB615BD34367F2CA5156DCE5CA286CC}

    condition:
        3 of ($pattern*)
}
```
IOCs
Infrastructure URLs
Infrastructure Domains
| services5500.sytes.web
atualziarsys.serveirc.com suporte01092021.myftp.biz suporte20082021.sytes.web suporte01928492.redirectme.web suportmicrowin.sytes.web appmonitorplugin.sytes.web |
Infrastructure IPs
Ransomware Hashes
Bitcoin Addresses
| 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
1Faiem4tYq7JQki1qeL1djjenSx3gCu1vk bc1q2n23xxx2u8hqsnvezl9rewh2t8myz4rqvmdzh2 |
PDB
| C:UsersworkdreamsDesktopTestesCrypt_FInalCrazy_CryptCrazyobjDebugAppMonitorPlugIn.pdb
C:UsersworkdreamsDesktoptestNopyfy-Ransomware-masterNopyfy-RansomwareNopyfy-RansomwareobjDebugNopyfy-Ransomware.pdb |
PowerShell Script
| a8d7b402e78721443d268b682f8c8313e69be945b12fd71e2f795ac0bcadb353 |
Exfiltration Tool
| ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd
c3323fbd0d075bc376869b0ee26be5c5f2cd4e53c5efca8ecb565afa8828fb53 |
Fake Flash Player installer
| d6c35e23b90a7720bbe9609fe3c42b67d198bf8426a247cd3bb41d22d2de6a1f |
Fake Anydesk Installer
| e911c5934288567b57a6aa4f9344ed0f618ffa4f7dd3ba1221e0c42f17dd1390 |

