revengerat | a315a5023f879208dca5f5f5486c8bfc23ed13e18bac83cef13579a123532dce

Analysis

max time kernel
122s
max time network
130s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19/09/2024, 00:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

setup_nt.exe
Size

78.3MB
MD5

53d9920e0bc746101dda3d70e1b7b3d1
SHA1

a2c8ca9bdd1398cd0b08dd4824fb8714acf3c072
SHA256

a315a5023f879208dca5f5f5486c8bfc23ed13e18bac83cef13579a123532dce
SHA512

660951b3bcfde545d4eff4da63eeb0d4201a9167dd954cf1ce42eb351d15d3ff21baba914254c1096488e34b57999008c23588227b840d3979608faf07aaebc6
SSDEEP

1572864:/WIPn5UPrh+YnUaMRAMShUDuO69p2Xzixl3cgD5LJIqi9pV:Dn5UThvnHMRAjyDur9pcUoqYpV

Score

10^/10

revengerat discovery persistence privilege_escalation stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000700000001abed-52.dat	revengerat

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	eowp.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 17 IoCs

pid	Process
4652	setup_nt.tmp
744	NinjaTok.exe
4540	NinjaTok.exe
3564	eowp.exe
5092	eowp.exe
2808	eowp.exe
4188	eowp.exe
880	eowp.exe
1332	eowp.exe
2932	eowp.exe
4192	eowp.exe
3084	eowp.exe
2960	eowp.exe
1240	eowp.exe
2776	eowp.exe
4952	eowp.exe
5220	eowp.exe

Loads dropped DLL 36 IoCs

pid	Process
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\NinjaTok\LiveCharts.dll	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\EO.WebEngine.dll	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-07AC4.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-V5BFT.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-E90OI.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-474MS.tmp	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\NinjaTok.exe	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-NCIIJ.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-JGFT8.tmp	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\System.Data.SQLite.dll	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\Nevron.System.dll	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-4FLNI.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-VFQUG.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-FOD4H.tmp	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\eowp.exe	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\EO.WebBrowser.dll	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\QlmControls.dll	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\LiveCharts.WinForms.dll	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-B63H0.tmp	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\unins000.dat	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\Gibraltar.Agent.dll	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\EO.Base.dll	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-ENACF.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-OHAAF.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-3CGIU.tmp	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\Nevron.Presentation.dll	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\QlmLicenseLib.dll	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-NAK3N.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-LM070.tmp	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\LiveCharts.Wpf.dll	setup_nt.tmp
File opened for modification	C:\Program Files (x86)\NinjaTok\Newtonsoft.Json.dll	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\unins000.dat	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-CQFPQ.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-HSGOT.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-SG3P7.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\is-2T2N2.tmp	setup_nt.tmp
File created	C:\Program Files (x86)\NinjaTok\unins000.msg	setup_nt.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_nt.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_nt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NinjaTok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NinjaTok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eowp.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}	NinjaTok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Elevation\ = "3Du+G8mlrvuFHN3YsyUOeKZeks6RaeZBDGYV7H0pyWLoo2AR3Of+bdTnywo3b4ZlQ30H94uvwwiutYQvT0pvQ6Yk79g0bxKvcqU+lUeTAwAPYKs42XPw7jZDa6brap8wfZbUedW4HSemRaZaSx43LHqprsOhgrSvhfQrBPxI5HzrPfauEYz7fCGqvwsN0UkOAKvtu5aVVHuqd+7aWWYmjcHzpdyYbaGLr4351RBuweaYyFRnjcvP2BAH03eV3okVHEjJM8zezXfEgiQNX6pK94iYF9NrlY6QiiIKxDWl6/k="	NinjaTok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Control\Control1 = "Ex\u0092\u009fyu\u0099x\u008fxxu\u008f\u0090z\u008b\u0092u\u008f\u0080\u0093\|\u0095ux\u0099y{\u009a\u0090{\u00a0\u008ety\u0081ux\u0081uzxz\|\u0083"	NinjaTok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NinjaTok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Elevation\ = "3Du+G8mlrvuFHN3YsyUOeKZeks6RaeZBDGYV7H0pyWLoo2AR3Of+bdTnywo3b4ZlQ30H94uvwwiutYQvT0pvQ6Yk79g0bxKvcqU+lUeTAwAPYKs42XPw7jZDa6brap8wfZbUedW4HSemRaZaSx43LHqprsOhgrSvhfQrBPxI5HzrPfauEYz7fCGqvwsN0UkOAKvtu5aVVHuqd+7aWWYmjcHzpdyYbaGLr4351RBuweaYyFRnjcvP2BAH03eV3okVHEjJM8zezXfEgiQNX6pK94iYF9NrlY6QiiIKxDWl6/k="	NinjaTok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Elevation	NinjaTok.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\InProcServer32	NinjaTok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NinjaTok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Elevation\ = "3Du+G8mlrvuFHN3YsyUOeKZeks6RaeZBDGYV7H0pyWLoo2AR3Of+bdTnywo3b4ZlQ30H94uvwwiutYQvT0pvQ6Yk79g0bxKvcqU+lUeTAwAPYKs42XPw7jZDa6brap8wfZbUedW4HSemRaZaSx43LHqprsOhgrSvhfQrBPxI5HzrPfauEYz7fCGqvwsN0UkOAKvtu5aVVHuqd+7aWWYmjcHzpdyYbaGLr4351RBuweaYyFRnjcvP2BAH03eV3okVHEjJM8zezXfEgiQNX6pK94iYF9NrlY6QiiIKxDWl6/k="	NinjaTok.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Elevation	NinjaTok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}	NinjaTok.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node	NinjaTok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\InProcServer32\ = "C:\\Windows\\SysWow64\\kernel32.dll"	NinjaTok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	NinjaTok.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}	NinjaTok.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Elevation	NinjaTok.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID	NinjaTok.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Control	NinjaTok.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Insertable	NinjaTok.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}	NinjaTok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Elevation	NinjaTok.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID	NinjaTok.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Elevation	NinjaTok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Elevation\ = "3Du+G8mlrvuFHN3YsyUOeKZeks6RaeZBDGYV7H0pyWLoo2AR3Of+bdTnywo3b4ZlQ30H94uvwwiutYQvT0pvQ6Yk79g0bxKvcqU+lUeTAwAPYKs42XPw7jZDa6brap8wfZbUedW4HSemRaZaSx43LHqprsOhgrSvhfQrBPxI5HzrPfauEYz7fCGqvwsN0UkOAKvtu5aVVHuqd+7aWWYmjcHzpdyYbaGLr4351RBuweaYyFRnjcvP2BAH03eV3okVHEjJM8zezXfEgiQNX6pK94iYF9NrlY6QiiIKxDWl6/k="	NinjaTok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Insertable\ = "1:7:C7<:<>"	NinjaTok.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{52865380-a8c0-4f8a-940b-0a336d90f33a}\Elevation	NinjaTok.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	NinjaTok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	NinjaTok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	NinjaTok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	NinjaTok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	NinjaTok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = 19000000010000001000000021d008b47b7a2a81c8435903ded424c903000000010000001400000047beabc922eae80e78783462a79f45c254fde68b1d000000010000001000000070253fbcbde32a014d38c1993098ad991400000001000000140000003a9a8507106728b6eff6bd05416e20c194da0fde62000000010000002000000045140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda53000000010000002500000030233021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200013202000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000003560e45b41e46b8f36537025d1d5bc02d9652a10645b0eff69e8b6a52191f3352000000001000000c9030000308203c5308202ada003020102020100300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bf716208f1fa5934f71bc918a3f7804958e9228313a6c52043013b84f1e685499f27eaf6841b4ea0b4db7098c73201b1053e074eeef4fa4f2f593022e7ab19566be28007fcf316758039517be5f935b6744ea98d8213e4b63fa90383faa2be8a156a7fde0bc3b6191405caeac3a804943b467c320df3006622c88d696d368c1118b7d3b21c60b438fa028cced3dd4607de0a3eeb5d7cc87cfbb02b53a4926269512505611a44818c2ca9439623dfac3a819a0e29c51ca9e95d1eb69e9e300a39cef18880fb4b5dcc32ec85624325340256270191b43b702a3f6eb1e89c88017d9fd4f9db536d609dbf2ce758abb85f46fccec41b033c09eb49315c6946b3e0470203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604143a9a8507106728b6eff6bd05416e20c194da0fde300d06092a864886f70d01010b0500038201010099db5d79d5f99759670361f17e3b0631752da1208e4f6587b4f7a69cbcd8e92fd0db5aeecf748c73b43842da057bf80275b8fda5b1d7aef6d7de13cb53107e8a46d197fab72e2b11ab90b02780f9e89f5ae9379fabe4df6cb385179d3dd9244f799135d65f04eb8083ab9a022db510f4d890c7047340ed7225a0a99fec9eab68129957c68f123a09a4bd44fd061537c19be432a3ed38e8d864f32c7e14fc02ea9fcdff076817db2290382d7a8dd154f169e35f33ca7a3d7b0ae3ca7f5f39e5e275bac5761833ce2cf02f4cadf7b1e7ce4fa8c49b4a5406c57f7dd5080fe21cfe7e17b8ac5ef6d416b243090c4df6a76bb4998465ca7a88e2e244be5cf7ea1cf5	eowp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	NinjaTok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	NinjaTok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B	eowp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	NinjaTok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	NinjaTok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	NinjaTok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = 0f00000001000000200000003560e45b41e46b8f36537025d1d5bc02d9652a10645b0eff69e8b6a52191f335090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000005200000047006f00200044006100640064007900200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020001320200047003200000053000000010000002500000030233021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c062000000010000002000000045140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda1400000001000000140000003a9a8507106728b6eff6bd05416e20c194da0fde1d000000010000001000000070253fbcbde32a014d38c1993098ad9903000000010000001400000047beabc922eae80e78783462a79f45c254fde68b2000000001000000c9030000308203c5308202ada003020102020100300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bf716208f1fa5934f71bc918a3f7804958e9228313a6c52043013b84f1e685499f27eaf6841b4ea0b4db7098c73201b1053e074eeef4fa4f2f593022e7ab19566be28007fcf316758039517be5f935b6744ea98d8213e4b63fa90383faa2be8a156a7fde0bc3b6191405caeac3a804943b467c320df3006622c88d696d368c1118b7d3b21c60b438fa028cced3dd4607de0a3eeb5d7cc87cfbb02b53a4926269512505611a44818c2ca9439623dfac3a819a0e29c51ca9e95d1eb69e9e300a39cef18880fb4b5dcc32ec85624325340256270191b43b702a3f6eb1e89c88017d9fd4f9db536d609dbf2ce758abb85f46fccec41b033c09eb49315c6946b3e0470203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604143a9a8507106728b6eff6bd05416e20c194da0fde300d06092a864886f70d01010b0500038201010099db5d79d5f99759670361f17e3b0631752da1208e4f6587b4f7a69cbcd8e92fd0db5aeecf748c73b43842da057bf80275b8fda5b1d7aef6d7de13cb53107e8a46d197fab72e2b11ab90b02780f9e89f5ae9379fabe4df6cb385179d3dd9244f799135d65f04eb8083ab9a022db510f4d890c7047340ed7225a0a99fec9eab68129957c68f123a09a4bd44fd061537c19be432a3ed38e8d864f32c7e14fc02ea9fcdff076817db2290382d7a8dd154f169e35f33ca7a3d7b0ae3ca7f5f39e5e275bac5761833ce2cf02f4cadf7b1e7ce4fa8c49b4a5406c57f7dd5080fe21cfe7e17b8ac5ef6d416b243090c4df6a76bb4998465ca7a88e2e244be5cf7ea1cf5	eowp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4652	setup_nt.tmp
4652	setup_nt.tmp
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
744	NinjaTok.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe
4540	NinjaTok.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	NinjaTok.exe
Token: SeDebugPrivilege	4540	NinjaTok.exe
Token: SeDebugPrivilege	3376	taskmgr.exe
Token: SeSystemProfilePrivilege	3376	taskmgr.exe
Token: SeCreateGlobalPrivilege	3376	taskmgr.exe
Token: 33	3376	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3376	taskmgr.exe
Token: SeDebugPrivilege	780	taskmgr.exe
Token: SeSystemProfilePrivilege	780	taskmgr.exe
Token: SeCreateGlobalPrivilege	780	taskmgr.exe
Token: 33	780	taskmgr.exe
Token: SeIncBasePriorityPrivilege	780	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
4652	setup_nt.tmp
744	NinjaTok.exe
744	NinjaTok.exe
4540	NinjaTok.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
4540	NinjaTok.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
744	NinjaTok.exe
744	NinjaTok.exe
4540	NinjaTok.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
4540	NinjaTok.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
3376	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe
780	taskmgr.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 4652	2132	setup_nt.exe	74
PID 2132 wrote to memory of 4652	2132	setup_nt.exe	74
PID 2132 wrote to memory of 4652	2132	setup_nt.exe	74
PID 4652 wrote to memory of 744	4652	setup_nt.tmp	76
PID 4652 wrote to memory of 744	4652	setup_nt.tmp	76
PID 4652 wrote to memory of 744	4652	setup_nt.tmp	76
PID 744 wrote to memory of 3564	744	NinjaTok.exe	88
PID 744 wrote to memory of 3564	744	NinjaTok.exe	88
PID 744 wrote to memory of 3564	744	NinjaTok.exe	88
PID 744 wrote to memory of 5092	744	NinjaTok.exe	90
PID 744 wrote to memory of 5092	744	NinjaTok.exe	90
PID 744 wrote to memory of 5092	744	NinjaTok.exe	90
PID 5092 wrote to memory of 2808	5092	eowp.exe	92
PID 5092 wrote to memory of 2808	5092	eowp.exe	92
PID 5092 wrote to memory of 2808	5092	eowp.exe	92
PID 5092 wrote to memory of 4188	5092	eowp.exe	93
PID 5092 wrote to memory of 4188	5092	eowp.exe	93
PID 5092 wrote to memory of 4188	5092	eowp.exe	93
PID 5092 wrote to memory of 880	5092	eowp.exe	94
PID 5092 wrote to memory of 880	5092	eowp.exe	94
PID 5092 wrote to memory of 880	5092	eowp.exe	94
PID 5092 wrote to memory of 1332	5092	eowp.exe	95
PID 5092 wrote to memory of 1332	5092	eowp.exe	95
PID 5092 wrote to memory of 1332	5092	eowp.exe	95
PID 5092 wrote to memory of 2932	5092	eowp.exe	96
PID 5092 wrote to memory of 2932	5092	eowp.exe	96
PID 5092 wrote to memory of 2932	5092	eowp.exe	96
PID 5092 wrote to memory of 4192	5092	eowp.exe	97
PID 5092 wrote to memory of 4192	5092	eowp.exe	97
PID 5092 wrote to memory of 4192	5092	eowp.exe	97
PID 5092 wrote to memory of 3084	5092	eowp.exe	98
PID 5092 wrote to memory of 3084	5092	eowp.exe	98
PID 5092 wrote to memory of 3084	5092	eowp.exe	98
PID 5092 wrote to memory of 2960	5092	eowp.exe	99
PID 5092 wrote to memory of 2960	5092	eowp.exe	99
PID 5092 wrote to memory of 2960	5092	eowp.exe	99
PID 5092 wrote to memory of 1240	5092	eowp.exe	100
PID 5092 wrote to memory of 1240	5092	eowp.exe	100
PID 5092 wrote to memory of 1240	5092	eowp.exe	100
PID 5092 wrote to memory of 2776	5092	eowp.exe	101
PID 5092 wrote to memory of 2776	5092	eowp.exe	101
PID 5092 wrote to memory of 2776	5092	eowp.exe	101
PID 5092 wrote to memory of 4952	5092	eowp.exe	102
PID 5092 wrote to memory of 4952	5092	eowp.exe	102
PID 5092 wrote to memory of 4952	5092	eowp.exe	102
PID 5092 wrote to memory of 5220	5092	eowp.exe	103
PID 5092 wrote to memory of 5220	5092	eowp.exe	103
PID 5092 wrote to memory of 5220	5092	eowp.exe	103

C:\Users\Admin\AppData\Local\Temp\setup_nt.exe
"C:\Users\Admin\AppData\Local\Temp\setup_nt.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\is-FTTH2.tmp\setup_nt.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FTTH2.tmp\setup_nt.tmp" /SL5="$80234,81231563,776192,C:\Users\Admin\AppData\Local\Temp\setup_nt.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Program Files (x86)\NinjaTok\NinjaTok.exe
    "C:\Program Files (x86)\NinjaTok\NinjaTok.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Program Files (x86)\NinjaTok\eowp.exe
      "C:\Program Files (x86)\NinjaTok\eowp.exe" --eoim --eo_init_data=eo.ipc.temp.21.2.99.0.744.1.2
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3564
  - - C:\Program Files (x86)\NinjaTok\eowp.exe
      "C:\Program Files (x86)\NinjaTok\eowp.exe" --enable-speech-input --allow-proprietary-media-formats --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --lang=en-US --enable-media-stream --no-sandbox --eo_init_data=eo.ipc.temp.21.2.99.0.744.1.5
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=gpu-process --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --lang=en-US --allow-proprietary-media-formats --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=1548 /prefetch:2 --eo_init_data=eo.temp.5092.1
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2808
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --lang=en-US --allow-proprietary-media-formats --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2292 /prefetch:8 --eo_init_data=eo.temp.5092.3
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:4188
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --enable-speech-input --allow-proprietary-media-formats --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=2388 /prefetch:1 --eo_init_data=eo.temp.5092.5
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:880
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --enable-speech-input --allow-proprietary-media-formats --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2500 /prefetch:1 --eo_init_data=eo.temp.5092.7
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --enable-speech-input --allow-proprietary-media-formats --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2504 /prefetch:1 --eo_init_data=eo.temp.5092.9
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2932
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --enable-speech-input --allow-proprietary-media-formats --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2524 /prefetch:1 --eo_init_data=eo.temp.5092.11
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4192
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --enable-speech-input --allow-proprietary-media-formats --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2540 /prefetch:1 --eo_init_data=eo.temp.5092.13
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3084
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --enable-speech-input --allow-proprietary-media-formats --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2548 /prefetch:1 --eo_init_data=eo.temp.5092.15
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --enable-speech-input --allow-proprietary-media-formats --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2560 /prefetch:1 --eo_init_data=eo.temp.5092.17
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --enable-speech-input --allow-proprietary-media-formats --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2572 /prefetch:1 --eo_init_data=eo.temp.5092.19
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --enable-speech-input --allow-proprietary-media-formats --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2584 /prefetch:1 --eo_init_data=eo.temp.5092.21
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4952
    - - C:\Program Files (x86)\NinjaTok\eowp.exe
        
        "C:\Program Files (x86)\NinjaTok\eowp.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=1540,3389061470519245630,17601246559458926381,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.44" --enable-speech-input --allow-proprietary-media-formats --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2600 /prefetch:1 --eo_init_data=eo.temp.5092.23
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5220

C:\Program Files (x86)\NinjaTok\NinjaTok.exe
"C:\Program Files (x86)\NinjaTok\NinjaTok.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4540

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3544

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4516

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\09d87f5b5b884a26afedf7226815462e /t 4080 /p 744
1⤵
PID:4476

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NinjaTok\Nevron.System.dll

Filesize
452KB

MD5
e8561b46f03835cc272445714f78d140

SHA1
6e24011c901e6d474b0a0134e1f1239f204f2e23

SHA256
3cd447f9bd1c5dfc7b070d483b451889372a069aa83977a82e3c05221cb3ad6b

SHA512
b308c6f6f28b80ef78185a5016ece6501e716bd88b52bf4da95ecbb29bd44c627b99dc9a1b68ddbb2617e331b72702ae05617f73755f8b85f38e765803037d6f

Download Submit
C:\Program Files (x86)\NinjaTok\NinjaTok.exe

Filesize
3.6MB

MD5
cda5912028959432a5d0af48c8867e88

SHA1
2cebec1a6c3e211d05484d211b0965a592426667

SHA256
c1a572faac4cd4f81d5030b14ea29791af40b24fcb940d7e909b6acb287b14e5

SHA512
629f2e498f3b05f10be813b018c2e3498d68d1a9960f46cacbf42127cb7b5b14c1c443240aae5e8989c48466ba3021b2e167d864e77210a7a3fd18d36bc132cc

Download Submit
C:\Program Files (x86)\NinjaTok\NinjaTok.exe.config

Filesize
29KB

MD5
9cb3daf23856b80102af5c9aa0701507

SHA1
6dc936ebf4a7fe0f6bee78324f2d02702edda7dd

SHA256
dc6cdc618301a8081b3bc332ec92aef4b80bc88bb56811dda796cbcd41e84358

SHA512
aa927d9f013bd20ca73d1ca1f15ba3bd789fb7770ff9768fe35aeb98d4807cc53bc6eb04637ecf377b5f78b85c76115c1c8e37071d0f2c0f8186bb454b569157

Download Submit
C:\Program Files (x86)\NinjaTok\QlmControls.dll

Filesize
2.0MB

MD5
6016e1ab0086ff7455c1a379504c88ea

SHA1
5a4b08961611d13aa997075b4318d2daee644a88

SHA256
6375cc413095c6ffebce2066f1f30c5e0aff2e5cfa514e392a353d6ecc2eab2f

SHA512
1d54dcb30c6d47d6fcbfe6a58162c91adf24262e4816ed727ae33bf7cd35e35074134c81c07862f8d448c32d1023df9b92f0d5c7a60b4435ebc072a00d4f3c17

Download Submit
C:\Program Files (x86)\NinjaTok\QlmLicenseLib.dll

Filesize
1.0MB

MD5
5eab86cc148bd1480db39061afd5434b

SHA1
de5e8991397007e1c8453feba222a056dac93c93

SHA256
454c0556059f4bc5c25695669936f68095d83afe0df894ae573f4954fdb7d4d8

SHA512
895bde5cdd3c6995b3ba838794db1324f3b68daa0f881f0ef9caa030a9b92d826bd3c7ae810ce5da7ceaed6fc05c949727db769892c3d06aa1ac5d773cfa5212

Download Submit
C:\ProgramData\Gibraltar\Local Logs\5ad42df7-fe16-4d5c-af9c-d0ab5742d25e.txt

Filesize
84B

MD5
72a24628d02ec9de61bb86345e39fff0

SHA1
c9c778a69d6b919d1fe7639fc17f2c2c0c19b0f2

SHA256
87de391726514b9b731923cc76ecc9a11fc413af2e117aa346595b903b99c7e6

SHA512
8e3d3813b15a592b56a2fd36a91e402f184d093061b3caa0e7797dfe005eddbfc92e47ded477808a800ac261e4835f56a140520d2937304223bea5acb8dc63be

Download Submit
C:\ProgramData\Gibraltar\Local Logs\Index.vdb3

Filesize
1.8MB

MD5
ac8470eb88bd1ae60779317610b28da8

SHA1
7295ebb8726247e8d0a9e9789bbc67c733427ad9

SHA256
3f806a8aa188ba04cce86cfb6bc6f42943d7e1da89cdfbc48bb460b7c18a93dd

SHA512
5b8d10ec2d9a0c8602c6e377a9f7bf04501b9e8eb737047fcb1792668f35db4749b15134ce303dba4ca8ba7bd55568bd54fb9fb247cba38c96d6c46ee04c55b6

Download Submit
C:\ProgramData\Gibraltar\Local Logs\Index.vdb3

Filesize
1.9MB

MD5
c1748b4f2eef9bcf5affebbb2b67b718

SHA1
8fd22cc9a5f3d6f3e71f13ecc06bf04c99a1f9f7

SHA256
cffcdf3e01b9d808e3def85ced25075525705b3dbbbcba6a937c0f8807a3ac30

SHA512
e0a860ab2edf2c63c4671f8c4230ecc4affe5619eb535f5d7a3156513d59a7c903b5712ac06807fdefac9b0f609ca36d244b274b554b4e2b29b4b90b6f507b2b

Download Submit
C:\ProgramData\Gibraltar\Local Logs\Index.vdb3

Filesize
1.9MB

MD5
34973fa69286c47da707299cb82b042b

SHA1
3ff15cf7a953c32bd887cca8fc336fc6b3db6e08

SHA256
ca3d37347c145ffbbe55e6ab3c16af6cad7513b637c6bf4c8fb58d0cd3ebf3cc

SHA512
53c65e3d9745e44462f4c1a45ddf48d7cc7cc9bd8041be7498c555327a1f5fb99d0e4b0754674b5fc7d56aa2306d685c1d250e4f1c98774ec5d110ccd77e330a

Download Submit
C:\ProgramData\Gibraltar\Local Logs\Index.vdb3

Filesize
1.9MB

MD5
db82211de6dcf1120e77399c622cbda9

SHA1
0fe6903bd70e91506977b743e891b9a89abd0780

SHA256
7acf025ed959988720e5916c99decb3976e0a7cf333b85f84a21e46b32aa9faa

SHA512
3a85f8a98c7937d646200a66a4f1ec32f339856aa1d0b0824e2c7228a7a003d55a33786cd06a1b7474b1887a57dffe03b02b5d4361aed035f5849d9fc48188ed

Download Submit
C:\ProgramData\Gibraltar\Local Logs\fafbb2d4-5d4b-4cb5-b103-f6d45056629a.hdr

Filesize
642B

MD5
7e6bcf299eb91946c6e790e529a73a32

SHA1
d31433b4dfcb60391532f6f1ac7342003ba80b1f

SHA256
07787bf7afabf76ae73423c418372e584fc5a1df336d837f4f10a333698c06a5

SHA512
1ae44c72c8382fdfb7838ece7ee4ed870b2f145d8d478088a23f8210f890095e270e7ce9e34de167de203067d31ce87f230b32a11ea458fa50bfbc48f098c6c2

Download Submit
C:\ProgramData\IsolatedStorage\nd5p5yyu.qes\ogpktuyv.gzq\StrongName.eqtxup5a0qal3oexw2jfyahqzm0cap2a\identity.dat

Filesize
520B

MD5
ca2b60516d59ab14dbf3e628aa53629a

SHA1
9d733c8b7954f46f70adc79b72e4fedfc6093ef5

SHA256
32fd0a98d30bcd00c601b1bc40ac92f3daa72d8ca848dfeb10f1d226131c43cb

SHA512
14f6aafc68536d7e4079df116f4d684479921b66ae48cdccc6137e26d87465d2642852787ba1385c269771eef6beafb6dc1dd15582f1861b17d22726d11bd641

Download Submit
C:\ProgramData\NinjaTok\database.db3

Filesize
20KB

MD5
1ec784e5c82d81a69428a27bd657a34a

SHA1
192cab8916982ccfe426ed073ab6e59ccbe1367b

SHA256
c7557a3b29c0048bc236440eb18f0539601000df415e5b9e9efd1228dc3d92cb

SHA512
4dad6ae653217c032b372002e6a51bb1522b8a1f7f77e60c691c7b4c0fd6c0253b9ba5c4de94a9d54e300fa4a78fd5070cc8f27e12046ed1e45f56e137136665

Download Submit
C:\ProgramData\NinjaTok\database.db3

Filesize
22KB

MD5
39dbbe71b12afca49261e12c09e6de03

SHA1
e8e28afe43de0205e9d0cb3d8fa28cc344ff6f0c

SHA256
276a153a0f4ae226085446c14f301d68205bd942e7ae1ac7b8d921b0f73d1878

SHA512
59ccf3d213fb69620c180c7cf3cd27faa1f7d398613a082f589806fd4ea048b6a13de39a632432624afa5910f3667e16c476bc0502b301bd44079d17741ea1e6

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000001

Filesize
23KB

MD5
3eae2883f19ee60a8843a57c80ee5f3e

SHA1
a888abe9190672ab85bbbdf5a8463fcb4cabbe37

SHA256
994366078aabafe05cc2c3349d4a506513cc6549f64b6beb9d3f285d1e9a18e2

SHA512
8a47af1dc75b5db02b9947b9a9b4247c8df1ebcf81cba371ef6540fa4d6fd926ac4df7ae9273ec0832714432765d0622108b9e83dc6176cacaa951cd5fae873e

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000002

Filesize
53KB

MD5
5e9dcd406e8c6cb15a6dc26060c819f8

SHA1
bfe54e16d0f11613a086582b49c95955f61db887

SHA256
42e0e221367a32410643e4ca3d8b8932f1e28b4fff6cd8753b0f48938440b8bd

SHA512
f02a38a52c09cca5bec26a6ad73c7d7acb3e15db538b4587d7f38d44b78d1bf21f49efe4411070464bcacc4935eab809b0f8e75b727dfdac323c618cb184ddf8

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000003

Filesize
53KB

MD5
b90eec94846876fd9a383146c8f7f6ba

SHA1
50edbe9304c41e45d7e5aba8e481723a43462e8c

SHA256
489e0b2669df5d5b22387a4c6d06fbecbb39c91cf34ef20c492bd202f55b9457

SHA512
f267fbf43ea3066409d6200b54f90bcd36a3c2cb4b703e54cad177d884cdd38618f2a92a1e1700acfd6267f85253366b8e9fd84576a7f577175a9026d6dbc5fa

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000004

Filesize
37KB

MD5
f62982e38e5bd718d7710462bc7d63fe

SHA1
38cdcb292702238ec8a2c84980a71a2ca9ee6e8c

SHA256
33ba6632bf9f85defbaea1f447221f782dbd87e09793115283902fc129c4569a

SHA512
3c4d2edd05d82788ce71a593a054bf460e5e713b4628747322abe079e84099b485c16fd0c473c9c57b10b74949d3217dbccacb4c941062fc40b44ad7e33ec5c6

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000005

Filesize
19KB

MD5
74257d866ae0680140c174767cc89b57

SHA1
07bee5a89721024c9d35bba5178f497d277894c1

SHA256
2a6b962a2eebdf5fbca2ab10e3e03821149a98d1f26da0f830daecc5c146a635

SHA512
653e4c54a1bd5d606d2690881c813496e52e8c229725ecd341920a81e466cfa3a3a55a4631b774b10122d9eaffeb84471c287d0cc5a41c4c3c765c6912433caf

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000006

Filesize
161KB

MD5
edf38781b509d641b35d6de0d072b025

SHA1
f4b02c604520ebb4c9df287bae079e81c86c9eef

SHA256
e8155167d681925b99fbadef4d8005ee86cdab4d92d48e978220b86d0da70edb

SHA512
96d62d8b3248164111e9955ed4fe4f2701aa1f375a82b9c7e7c6b5eb650f4513c9d3c71ae2bea73790c423ec9c44f6d7332973438e50c520010fbb3e44ecdbe6

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000007

Filesize
244KB

MD5
677b8c822be7d922ebdd8d56156cdb30

SHA1
3b73539c25a6a67f87c8b4d18d2abd67adf9c866

SHA256
a5f49a2e981023d40400b7587245b0414ae675d0122512317a4a61ca7fcff694

SHA512
34a106546b28da735b202d80209fabe334ade103fbb8563dcb7463aa065a8252ee9be81696e9c2c16923a67ec404454a8ae1df5da214b1193729c8108613d959

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000008

Filesize
27KB

MD5
d67adb1656e91545b2a434f0eaae77c9

SHA1
1b051aa44f20c60fee8db2aa306c0f7b742aca7e

SHA256
109d5bd9f226a7878f13a3784073dc4109550552f4af97432ab37f1beef1ce96

SHA512
5620f6aa53052257b3ef223b6729353deccf88f2dca21132d9499d395469935917879d94122bb01d8f2185a7104ae6cf7e92bd78d05da9e415f96bc1f7b713ac

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000009

Filesize
219KB

MD5
0befbfa08027391b2130c3efe5b5bb1e

SHA1
b90ea8cea108c4b8b7b53441f4ede05664790181

SHA256
749bba06a14d899c3a1a404464a97c29c4778e6ada378376670976e660a89213

SHA512
2d2bf0378a8676226bc8be04d4d8b025d42d33404f4ebff4bf0d8f24977bbd1b7583dcc5b142b6b07d0561144c049c405c6d787daaaf09aadcc62c5c278b15f6

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_00000a

Filesize
329KB

MD5
d8df8ba4659aee084b66b97b9f6f9585

SHA1
5effdd4919553879f423d14348ef94fc5bd00fb8

SHA256
554b8de428398c870db56ecc4a1f16e939eb4712f924a8878a71febe52c3bf49

SHA512
c047fde1cad6728fe7369858552e14c5462902f834b9f77f95dc9cf069d9eb815cb9f7273b479e8ad7ba932f235ae80fcc75d76641d895fe04b6bbf1ced9883d

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_00000b

Filesize
23KB

MD5
28f17983f6fb5b06cb30fc3b9e061d78

SHA1
b41fe9ef22e10357aa6e2713d8a275f54181cb06

SHA256
e13e9dfeb8d1d4a6ced794402438931d9d96093f8e9904922a30c4fe91598269

SHA512
23330e337b990ea7b478b93b7823675398ef6fb88538860a38d70d03d259aafb9338fa36b20c55d63d1e79b05f0fafbd1d94904999cb220ffd2633c70d30ea17

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_00000c

Filesize
17KB

MD5
c2027dbcf23c9281ba4660cbc4ec4957

SHA1
0fb7ee29b803e80100749085d3497327e1bf9938

SHA256
e5b3dea5b1c6e78dea60e918bd791daa896dcf61da631061b8d61bbf025c7aab

SHA512
1cca9c12d1afff93b898dd507778ebe4c771a9bcff17cabdc2ac99bf6bb7751ec4428e6eb53d8b0554e54495b8c37d1b7eab2192e4468f01da6dd9c4bc4fb667

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_00000d

Filesize
77KB

MD5
dcde9427e72c84f0a27c084027e12ae7

SHA1
f87ff585caf7f7a21ad7148d893c79b1323916f6

SHA256
68b5349c945ad0901267737e5ad0b37060b1d28c392b891bc0787b85549fc0af

SHA512
f08e5aa41a5b6da797fd8c3db37b3da4950f08df1f685c8fa35fdf6b673d240dd48e49c98aef50232e98058a2e7cc44edab200b8c8aed0ea7da44d345b3ec749

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_00000e

Filesize
71KB

MD5
48ac484228afa728cfd8b062749e5be9

SHA1
9bc9e6bb7d33c581ad739eb01fae4f560b64f6f2

SHA256
0b3380e67ec57d8fd0b954843b7c0412688ac22d1237be9f1df9a957b61af164

SHA512
d1ed3f17ce51b44212899c51228ccde712061b430d1a5c6c194d316ebdc0a5cc5f1aaca571cea675dd5d80297790a79daee294cb55863027bd8a0d80638e4bb3

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_00000f

Filesize
46KB

MD5
3458ddbcbe51f615716b0635a56cb3ae

SHA1
87bfa95c27506403265385b359c8536498ae4e96

SHA256
509ba56a64ed57f2661c26ae2151f676efe600be98b1623edb141d9966c26a0b

SHA512
584dbb2dc4387aa464265029f6c6f61f4e72e00620a2ff0185fd54fe37ba0e3cf10151372dc6dc0655cdbf853cadaeea7cf773f3642bfbd34735d5ffa72eeb52

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000011

Filesize
33KB

MD5
febfdde857688bdae52619e33a103907

SHA1
b09d93a75637c3e009609da5814a7aedb0c110c1

SHA256
50441fd5067c9d3e9885772ff4a15d583240e95a6f952e436fd4b3e469d322e3

SHA512
65d811b83b1c9098db4a75a0feb441af42cf90f2f9a2b45ff90ecfb30f1fe9b65a68bd8cb1666e058ab0965dde7245b9ad30613425489b09b8f554855e9baf6f

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_000012

Filesize
24KB

MD5
78bd45264f9657b935e24821d344b0ba

SHA1
63e11b3ef3231b4b1cc596e90fabbac2551dcaf9

SHA256
ecfa576c26e9933814f89cedc781f676b797968131d14a683ab2c5f5392c9c13

SHA512
f7a8f47768591a8ad925939f5f62ec111126a2a65c56d3819a51ba8de7084be64246b559ee3e9abc1af1e0ebeeb48e4a63c473204658987c9a79790c81f2f1ad

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_00001b

Filesize
42KB

MD5
8238aa59b6f4fa05f9db6f529878a7ff

SHA1
8f31bf2b0e7a5f72ed29e0e29c0694d521df96b8

SHA256
e1f11bbd7a0801772f179cd41094e8849ba467fc99dc98c1a032a77f839c1c03

SHA512
2106b66ecbcb3ff38368e7af8aea5e8f492c824cb6196355da6e2806ec014b46eca7490884d4998346b75e4eadd19f23f424ab6d09cc7c226ca91fceafc31ac1

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Cache\f_00001c

Filesize
40KB

MD5
0636c91e8dd0837af87a453afd3b84a4

SHA1
1ce0c7ee09f83bb24052938a51bf2d546c0a1099

SHA256
ebaa7b2271447f780d324573dc292d2a5c6d7741956f57bcedda35f753a62a26

SHA512
4361a7cb2143d454098f8a3d341970ea77dbb1ac35df1681db6cf3bafd5d50043f162cea84367321353f64bc4e56b094e07395da9cd242b6fb009295a78bd41d

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3b848b78b42a0718fd645d62c7594b96

SHA1
05740050162f8fe1d7c04c5dbb0b11c7c39d0c8b

SHA256
59236eb38bba6a386abc7fede32e30d41a975b59bc72465aeff57c54b7b73c0f

SHA512
ddd8f41aa5976ac45d5c7d7b6705b740f9a4e274e859786f120c5d14f0fbec2c01a1ff7739bc2a7c9ea5462471aee24ef744baf653cb5a2deb8b96e57e25d478

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
8559c9669ee39455c970905a689c04f2

SHA1
1f50c7ae3dc01ce2e4c23de70274e8b7a9499180

SHA256
99fb737d0f5cfca9d43def3bef4562c6fd63fb23d2d6cad2888b745f1f9f23e1

SHA512
cecf8ba7e737ff8051f519f51cad9fcfcc7caf86d9b7ebc2b5a6bf950baf79e847ce19156381a446380950d3ce52dff02154778ed9cfd31fbd7cb0ff75e1caec

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\7551d789-b65e-4fe2-b02d-4ffe6eb2cf2e\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\7551d789-b65e-4fe2-b02d-4ffe6eb2cf2e\index-dir\the-real-index

Filesize
72B

MD5
e7b797b43c29722a6c8ea0114258ca33

SHA1
9deee839dd5eaf8a88837737fcb25f99d43fec3d

SHA256
cf0ab9be031ed2c8679c8013ea6b694e6d3ae1a93e05a1960f9c083dc2fe43b9

SHA512
a3c8fbad07c49711463918df1c4f89003a69267685148ff901b15cb5ad387f37070d4164d3de572f7dace020ca0ae678ce0c6436c728464004d8034550107069

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\7551d789-b65e-4fe2-b02d-4ffe6eb2cf2e\index-dir\the-real-index~RFe58d491.TMP

Filesize
48B

MD5
963eb8a068c09c975474ff14096f9d9f

SHA1
b204344b0b935c3390b33a5b4abcca69dd836d60

SHA256
a9184c3f5653f7dc03cb41237ccef4ba6e7444bf6e4d60704552c4597d82fa29

SHA512
5a2f9e1f99df1e4f72b2ea4b85aca65b51b7639403835a9840a943a128c42cfd627a422c8964e974027921957b4b8c69ca7566369953fc047e3b33246c833bea

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\bbcf1577-002f-45bb-8e1c-c4f2c2caa031\index-dir\the-real-index

Filesize
456B

MD5
3e3de3c8f8b90c7b57fc1c49e28106b2

SHA1
6912b5c4326217ed562f8030c57990553b556b66

SHA256
ff23c0e362572b85985c83544ba5e2a097f095a2892a43cb3d1685d04b4dffe7

SHA512
4d66ff81aa94134a47ef8190c54b495e962f0cf94546725306edbf603e8df2f814ac2dd32f4820b36d1a0d73adbada3ccc3a7019f3bdd27f6e51cf9585d206a0

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\bbcf1577-002f-45bb-8e1c-c4f2c2caa031\index-dir\the-real-index~RFe58d721.TMP

Filesize
48B

MD5
58a69b0e064069447a46a2042901c340

SHA1
68b0f499f8dac0a8ddca218520f77dc8c2cca815

SHA256
142ac34cb5cf7ccf62971924a658f877dcbe02e6be09b7cab0aaea54473144c4

SHA512
1c66d72713ec56b8f34e5a1c8243072c197bd648d36f9f45e28e6fcc2be2436a8130125b8cb28d772191f83d5810b9de623f1f246876546279003af300d68361

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\c45e6be6-1dbc-4193-ac45-cac516f221c2\9e1e2f85382039d6_0

Filesize
6KB

MD5
db9531704a7c440c9d4e2d0d59567b70

SHA1
3f7a1c66afa3c5fe7b967e6981e1d39be13872bc

SHA256
63e17ea9073302071f61c4874535e90759a27a718c8008a53d1e631847714da9

SHA512
8057e51bdebbe5aa72e239397a2716743ab5b75800b25a0c936ed56b43b188efa58b329f8c7fe2a16786e5dcc1edf79dc979f327ac095c95cac8f9bb410035cd

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\c45e6be6-1dbc-4193-ac45-cac516f221c2\index-dir\the-real-index

Filesize
72B

MD5
d6c5e868743dc3a902b3da1f95967db6

SHA1
b732eb31855f70fef0a11c85ecc11b6cf2e044e2

SHA256
4210b9b329808d6fac26bb71c0ffb7c5b2a11ddaeee79f007134af90f6c6da23

SHA512
c2a198aab69b8b2e0c11f966e45c41879c7b8adb5744409fbd345335c4c839640b3eb17de789f56311921dc2b7a931bcb4f25971b62a4a444ea5d9730d7d366e

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\c45e6be6-1dbc-4193-ac45-cac516f221c2\index-dir\the-real-index~RFe58dda9.TMP

Filesize
48B

MD5
5e7f3f6bb76ab2925b77eac26336f54c

SHA1
19df111f0606045411d8b036aada6412e6ef5b39

SHA256
14f039e1b0833eeeaead20e26e0485fbad60fa0a2ed0865c7a1a9ac5f36a0ab0

SHA512
0eee36377fdf98ae3307ea1bb99a7dd5915d964bfecf1971fac62b0b3caff7adc9d62bad81b5ce048db39f5af79288b845509a2e1b7150a0d3fbc2f37a29c1e7

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt

Filesize
288B

MD5
8b6bd97e2ef57dfadff84e084e2bedda

SHA1
37abf44e65f175f8f913dca7b4501ff857c0cd38

SHA256
27131b894ee791792bfd1c4c0b7c070572eed95c83a2341811d22248fdf340af

SHA512
ea80657c1dcd63c12ca6f6f40ad32fa45f6a3ba6d5313105bcb915968f19436440af5090588238929b05debd94838d2c71b1e920fb2235c1cbf1dd9d079ab41f

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt

Filesize
204B

MD5
af7f952be06bc6d0d5e52df224254d50

SHA1
21c6df7e63078366ba00ad348f6418b948111ae6

SHA256
26f2a0779060b5b72c84ba2c03240ec9d36910aead4d7bcb819c29daf06278af

SHA512
757b2d17c1ddb6a759f5250723da995b0bac50d6dba92a85fd7794204bf88bb33feba312e82238a42e53f3e7d8c1d407b1c285311b260d740bb516e082b03a12

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt

Filesize
294B

MD5
644ba3b7094431af8ecaed84c81956fb

SHA1
a4312f5e4728cc1fc8b3653d6570736b2eccaca7

SHA256
ca76fe8ff589c44ce75d10dac18508291676b2bb0851cdd4dcfb1658ce4703ef

SHA512
8552c62b7af7ddebb632b30b73d3cb5108f9b04979bdddf5f2fdfaaf9f31846af2fe7ec38a301d5c393d7eb6d50f6094288a64f3f560a31f1f12222096a301eb

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt~RFe588661.TMP

Filesize
120B

MD5
288d49e68a74fb8131784cbb15272a18

SHA1
b48e61783db5dff8b4ae2e732e7e3a2265e53d64

SHA256
3fffbc747612ea9b6a17e78e8fc451b94b8338e19aa26ef4aaa9889c7b4c17d5

SHA512
ea2e7588eb109be0cab8bcf3742aebbd66d48ca4ef9a0f30b681ab93729a660bfe0c3f3ee225235cf4b589dc721b4361aeb4b1613c1018805c3bd505d0b0d2a0

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
264B

MD5
80da21f5395b675f2b6d888d4306b489

SHA1
5ad5e7f1d401fb247407d907057ef1ea2ef9341c

SHA256
923828072425903c9d8182ad743b2cd0bd3d463a613fdeb619baa1156b06b4ab

SHA512
493ee14d635b4fd5013b42a39805d542564811cfd828958afcdedf69ee74ebe5c0af7e8ffe4128aff25a90827bc3faed14336f6b0342b21851921c92ea64de2e

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Service Worker\ScriptCache\index-dir\the-real-index~RFe58d452.TMP

Filesize
48B

MD5
94a4e547105082709a3c2f01cb22ebc6

SHA1
51957ec2d7f87b0f16d2824edb125a0a5c24ffce

SHA256
ae06b28e92d24ea27984f45aa5dcf63f3e1a4b6cf7a4e830a88549531de5c6bc

SHA512
313b3047c9a849b33490db73f009b269f1367130e699f54a6da82018804c4cae887976382dddee60aa8c1fe7e7458bf1d938250b967b21bbead48229cd621f30

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\TransportSecurity

Filesize
871B

MD5
6667458172d408e9eca12783cea35146

SHA1
4de320919f1302bd828f64916707cbef8c6ddbf2

SHA256
ad686d94b6a876b5d38b0ea5e1ce5e44cfebf5ab441c9f62fb0c9cea65419ac2

SHA512
bdd2c02c3171d3768e4c0579bbe25bdc7737e3e5dbb98b44ffd68c9ee6923636da43be32b3ea9c6fbe833bd008f12511af9fb18e23e884a32a51e304f5f2bf3b

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\TransportSecurity

Filesize
871B

MD5
79a3f8f76001f9ef0c12ab9986a940b6

SHA1
7e7ff0fe45d9c0054c068eef8158298d671df258

SHA256
9843a957d4df981902084ba75bce81a54ef580113dd41aac6a81280693639d6a

SHA512
3a3026592eb3ddf51dacc9826e9f5b817f1a1a1d3131f8a73cc877ff1a61e2782f9d8ee5a8c0a1f571651b68b61da8fe0f7969df678cae7245cfc1fda2b89134

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\TransportSecurity

Filesize
871B

MD5
7c40159ca5e42b1b6c6829a3d3198b51

SHA1
7710a357dcb904d2f48413d788b5901c025fa703

SHA256
ad11d13cec43796bb720e816c400b4204b1673b3410361abdb3c110badfc63f3

SHA512
bec71930273156cf4b3c528e768ec13ae2435307c4a9232ee8968ceb6e98fc09a062205a0bfed6785d33137b8c733994bc19d86d3a2862d868ddd09145e422e0

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\TransportSecurity

Filesize
863B

MD5
c1498338ae07e2b5d7a77d5a0b10e242

SHA1
7c75649d7c0b350569217c3e50173076e3313396

SHA256
32169264ba0333e5c1ddbc96a86a7bae8dc30a8a2541fac4cc469918a7382a8a

SHA512
7082409b2ec394e260ae71c046c68e4931fef8eb19b419b7dd77c74911aeab26b85928613caeac560be20c7e3a945b2823c62de936df564b737bcb69a03aa03e

Download Submit
C:\ProgramData\NinjaTok\eocache_paura.cc\TransportSecurity~RFe58d4c0.TMP

Filesize
871B

MD5
30a3fa20a5a55daf98482e269e4a5346

SHA1
77ed4ef66b32039ea5843ecd47799fd61871e82e

SHA256
65e794e05350e39ee0bc060aba269a6634fba0d237254ed5bcac6bbd59dcbb28

SHA512
29891cdd09e211dfd15ea61aea00ccb295d664f792fc5c69725f20fd4fc5a7a2263fd1685f377826ca8013c76d32408fdec4a5ceb50d4f857583e4bbc343c99e

Download Submit
C:\ProgramData\NinjaTok\errors\log.txt

Filesize
31B

MD5
06df5ff19c6383f09233bc59537fa084

SHA1
df5b2d9a374f4fe2570de25c6ef9a5a0d6918bce

SHA256
e8034f6bab4777fe2295808351c896d94190d5e25a4a124ce7f050c4b1612695

SHA512
25d9f0afc3b441b93a4d2dd1417301012a02a6b00bf20f22d40187cf83e253bf77e9ba7332b926fb0a2e881ca1752f9839ac86a4e1457a1d62c41bdb084bc4b5

Download Submit
C:\ProgramData\NinjaTok\errors\log.txt

Filesize
95B

MD5
167634bb49b97ec782ec6aaa41aaf1ce

SHA1
dd8dcb1c02ffdd7e1d483d6bd4381934829b7795

SHA256
9a158f634cc25c80e203fac37946c9c1897a81c8787e22d0100ba4b28c173a33

SHA512
e28da6166f255940b01220599603a903269479d403818ccb235335233f6a19aeb2fde26f5a8d520afd6f9a9be1af8d7cad233064f109cbeec4813da7c69d0250

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8F46CEA70F8548E8E6B7FFCDB32F7867_BFBEFDF116E4E63D160F46FE1FB00BF5

Filesize
353B

MD5
fbe2cf77fc7e9ee2b139f99e01bc77f7

SHA1
316746fa3da7ed2da2ddc40b5fc64addd8ada3ad

SHA256
76653e4ea66a083e3dab5abe8d8a4ddfa7f0234fea2f78c1ee3941bb4d538a5b

SHA512
5a1e078f2c9b262813c0e864d3bc5949068a795631c1a7e6319269889a4fc193f7b224df19a08cfd1ec166b091825bad4c3cb668088fb8756fba7ba72b8dcab2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_A26948B0BE9F5B34017BEF1D993C7F3E

Filesize
1KB

MD5
02c8102cd9b3f61d2da503810d56cb39

SHA1
08e1325c257e4b8a6f5e8c34ac75f19b53b11129

SHA256
ffcf0909f31de26d6669e4b666db6704c8228afc7a80ff046a3cd57942f46503

SHA512
4330c97e87481f231532200ea4b97cae064d8c891f6df6deaad7001a7d39ab39a35109b667569ea510b2b5fec357080b5d03372f160aab341ecc22603cb6f32c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0FA874C7EA676FCDEF73FF57D785986_46DDA2B567BFC9913B98771BB68F4518

Filesize
321B

MD5
84ac785ab458b3a09fdd6a3b01fa73e9

SHA1
411a3c1bbd2ba85cc2c7cc67c31b8aae245736a1

SHA256
b849206c86e00eadf987218372fd4bfc8f5d8d5f90f64231a4fa242a798d6f1d

SHA512
cdc0a7af70c75dbf8dc34431b47c65f86831ffc9de86a7db33408bb654acea48aaef267ec6369343903b377146195fcda27e1b460d1d695b90bbe6e16c3c54b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8F46CEA70F8548E8E6B7FFCDB32F7867_BFBEFDF116E4E63D160F46FE1FB00BF5

Filesize
492B

MD5
943872fb88ca568a1f6c0d9450b40ad3

SHA1
26d52cb1391d673b0afd74073652fba2dbed9392

SHA256
2b9d9162b2fbbf2e65604c379098d9bdcc700c3313b26beb3549b370e2335cbb

SHA512
82fd34ca10cf7562c838823668e0cabadf05d91e199b3580b9d0a027d44fd86e63b9da1ab576a5bfba3e5944f7b208cc368e49c4b8f5dcdc2c5f9ebc11d490fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_A26948B0BE9F5B34017BEF1D993C7F3E

Filesize
478B

MD5
ad2b8bd8537de8be24497f66d463eb12

SHA1
044631fd5b01acfc55488b647fcea7093b97d322

SHA256
b5ce38ebc5af0f6f744d324b49a470724bc3f4cc23b92c8e53e0e2c3f5bbec98

SHA512
5f9582441b72a7740403707a0ecc1501edfe50c55d23ae407a12850ee90a7606ccda92b3665463ce19b08f87f52466880a084daea281799a2d607eef2762be09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0FA874C7EA676FCDEF73FF57D785986_46DDA2B567BFC9913B98771BB68F4518

Filesize
496B

MD5
a50d0f78e1eac4c19d59ba2344421e75

SHA1
ef85b2e3ae1934eb084d4daa12b46c2c0718b511

SHA256
eaea93b2d0a075fc95520ac829b2eb00e40826b14cdecedce54c63ce5669e21e

SHA512
0e8a4fefff51719951fb1f56f693c592305a9af8af40d3aeed4928270c54a4aa6d9fcacee3584eacb9248dc8f4795287a36d7e396d45ee180a22fe1f0620cc11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
d25830f9df4eefe9bfbe869d043aea48

SHA1
37a15fdea4b0cff08e80ab2cc265ea4d37f34196

SHA256
f5498ccfa8aef64f525fd79771d8234c601f1654fbcf6fe100fbf15f66c22e2d

SHA512
987f6b096af6b4302aafb78bd52d93528d13718920e17c94a6b7540f0a7bfeafd732c750d910e0001350b9528e97bb6065e851dbc2d6762295b70313a2b5f857

Download Submit
C:\Users\Admin\AppData\Local\NinjaTok\NinjaTok.exe_Url_wuitswdmggttjp5jmszsy0gjuewu5ixs\1.7.0.0\hlgsehzb.newcfg

Filesize
729B

MD5
e8e4b6a84a35b43f673152f570127d83

SHA1
2041d40b09e0063845d5d6dff6fb0d97b86cc273

SHA256
37a874cc3ccadf4b14132ec4208b5bf5c4b1e6da68f51ee4ec5b63f3d687030e

SHA512
173e21be63e5838f437295d0c2bae8594efcfe201648efb34dc1215cb354df17a0750f643d35b082da061dc7991a92abd09ec9e1dfc8cf42c7e8809657f2f37a

Download Submit
C:\Users\Admin\AppData\Local\NinjaTok\NinjaTok.exe_Url_wuitswdmggttjp5jmszsy0gjuewu5ixs\1.7.0.0\lg5iu2qh.newcfg

Filesize
1KB

MD5
875d922fbd660b15bf96bef4805ff5f8

SHA1
4ef3b32d5f73408f3286dfe7d741b48e89e9a49e

SHA256
45c16e81391a8cbf20f8a7746aca67fcf84f803ee323182c2de83cfb98d5b5e5

SHA512
c27108294079dafc5f18d93f0667694b4258a5b590843748a7e0df3f6e402737277b6c22627305b461b8907b1f29bb69135380348c9f65ba3db0ae7766f78398

Download Submit
C:\Users\Admin\AppData\Local\NinjaTok\NinjaTok.exe_Url_wuitswdmggttjp5jmszsy0gjuewu5ixs\1.7.0.0\r5nrqwyj.newcfg

Filesize
1KB

MD5
88e8b3809110eee15fe38b81721f52f2

SHA1
e37fcfd66e37a6706535e7e0bbcb9326a06e9138

SHA256
86118399dc6b4fa1e7ae5894f33c75691461c3b2b2e9b9aa1a2382b11d3f9d97

SHA512
25cf464cabf1cc3c6a564f0acbf40e8d2c694c38be3f90c78f6c7dd1c110db02f1c38f4c668dff44e8d685cd2cb14d3a19ea6e44f04cfeb4cb7ab0c866552ffc

Download Submit
C:\Users\Admin\AppData\Local\NinjaTok\NinjaTok.exe_Url_wuitswdmggttjp5jmszsy0gjuewu5ixs\1.7.0.0\user.config

Filesize
307B

MD5
8e36ab8e6b34727e26c51b77199c6116

SHA1
88f2b4bfbd6a5f36394826babfff8dd4b8fd8ae6

SHA256
1e650496b40c5ab62e86a1ed68f94486eb10d9baf3b6e06ff91df19a0dc01025

SHA512
b8ceb463b28b192a9554bf5549e1e9d1bdd830cfbe4d176dae06a62c1d0f397eaef01dbf14e7634e94422d0fc35bba6f2e0c55a6bc0c524c85f4f25b73f01b9e

Download Submit
C:\Users\Admin\AppData\Local\NinjaTok\NinjaTok.exe_Url_wuitswdmggttjp5jmszsy0gjuewu5ixs\1.7.0.0\zbwlh5de.newcfg

Filesize
585B

MD5
4a6aa94dcfe6453b744bf1fe9bb7c71d

SHA1
b7920b4b260b523397a5b44b3985414ea4a8da2e

SHA256
8f7c7163d67d80b94b6b289dd5b40b4d324a1582c25dfae01c595c58d333c421

SHA512
e8f4abe7bd3026712f55b91a4c9053a875334b8f20543f3aa682ad5155051e6e8aecbb42455e59e108a7df28aaec69de08ee2cb51fbcb72c7dbe7d424328a0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FTTH2.tmp\setup_nt.tmp

Filesize
3.0MB

MD5
11acff3664f703cb72bd32f9fe46ba9f

SHA1
687437cce4ea06c047006caf5721bbd2af5cf032

SHA256
e5eb875fc090a86828a69068ae069bb967d9ed7500a43974dae2af9750f8c8b9

SHA512
d0f18e78488aa5915211e20c093939774dd8244cdb40863b78b02bc8df765aac0198dc165aecbed488f8c40dac37b122681d6c3701ea2ce2fe2f64e41b13eac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vezkhdfz.x0m\5rsxzitw.yz3

Filesize
22KB

MD5
a5b19a9424f541482fd15a70235842e1

SHA1
323f23fccd57f58c9c98ceed126f2fc7b540c6dd

SHA256
63a61c5c337439e39b773347dc6de1ce8b0b913bc51a5309f5a4969a2da10f8d

SHA512
c3156f90d7284c2054c7b7056dfa2f2b6e2608917c2b017838cfdba4f5ab8a80ff72cc5cab56f25ada5a9c4a09f6ccecef633a766995f1ba21ac4efd7e368b14

Download Submit
\Program Files (x86)\NinjaTok\EO.Base.dll

Filesize
3.4MB

MD5
4b1fc6b62c324c7db6838635acd11508

SHA1
49ec253c5f9633e390ab4e9a2b7400c9514e546b

SHA256
ef76cdda9326536b424aacc89e9f376515b1f8a633e6d9fe46f68bc3be9a8714

SHA512
44013e145e20ebb8592c8d03c62aa98ab1d08f9f0ad0d21701bef9dea9a0de715bdee408206bf4c3f11777831d6d5c4daf8dae8b6bd239bc6f0e78729f169bf4

Download Submit
\Program Files (x86)\NinjaTok\EO.WebBrowser.dll

Filesize
224KB

MD5
c5cf1eac645e71093f7701e244f6ec8f

SHA1
686c3016b5603b416fd122b86b535e7bda144587

SHA256
564061f4b4346e6805384610cdad8664a07fae5c58d40d5ed92a35e68bf725c7

SHA512
4acd28231c165d6900ef68c48b918add37bb834f7b869af454f1be3abf116940d45f162eca8d4d65ac35f9064d3a0a8d51459911385e7df3a0a516957ee818b6

Download Submit
\Program Files (x86)\NinjaTok\Gibraltar.Agent.dll

Filesize
3.4MB

MD5
e587d98467d6b5c7d9f3a39e0e00c708

SHA1
a5ad7dc2fbdcb75b17dfd6354fb6922fd8f009bb

SHA256
b7603ddfc09fb49d18a177af34a7781a09a5756114a5f3bf9536d1834d01ef98

SHA512
1307922516c0411b03cd6f7eb096112b4ee7fc5a77522031859f278a8c7d7f6a8ba7b0b0f0a5456f383e9c39e980d58f08c49fca12156e47aa4cf6b26e0880fa

Download Submit
\Program Files (x86)\NinjaTok\Nevron.Presentation.dll

Filesize
4.6MB

MD5
0ff88424da16ca7847cca1d7b4c90455

SHA1
96b29f8f21197e58944fcdc07013ab5b1b941dc3

SHA256
90f850a1a1eca8a8bb5c485385544e7d6cea7c0540972563eccbef5209d02c10

SHA512
c0e0a23aa865731f8870116da10c7e9f0ef05651c3fc5015dfba14f56e1107d2c5571c5e0244029048a1aaf41f4fbc11d21ff68cb16cda4ea46b9aa61166376b

Download Submit
\Program Files (x86)\NinjaTok\System.Data.SQLite.dll

Filesize
883KB

MD5
80725a732aba27911402f9ca09fede23

SHA1
1051744f654a6d20590970f9335e1ef246f0fa67

SHA256
49261be7f20c9d9dfd1ff35d71e9f3b1b7de17f65581c67beed43d933f1eb85c

SHA512
b24c5e5e55751b46af7fefec92552e04ddb6051e81174c1cae2d80ed1eb8b2c355c7a1eea93074abaeadfddf30e17a7425f14716cd4f2dfc50048b7fbfba6b49

Download Submit
memory/744-97-0x0000000006DF0000-0x0000000006E64000-memory.dmp

Filesize
464KB

Download
memory/744-146-0x000000000B8C0000-0x000000000B8FC000-memory.dmp

Filesize
240KB

Download
memory/744-67-0x0000000000B10000-0x0000000000EB6000-memory.dmp

Filesize
3.6MB

Download
memory/744-68-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/744-69-0x0000000005CF0000-0x00000000061EE000-memory.dmp

Filesize
5.0MB

Download
memory/744-70-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/744-71-0x00000000056F0000-0x00000000056FA000-memory.dmp

Filesize
40KB

Download
memory/744-72-0x00000000059C0000-0x0000000005A16000-memory.dmp

Filesize
344KB

Download
memory/744-93-0x0000000006C30000-0x0000000006C6C000-memory.dmp

Filesize
240KB

Download
memory/744-101-0x0000000007320000-0x00000000077C4000-memory.dmp

Filesize
4.6MB

Download
memory/744-105-0x0000000009DE0000-0x0000000009EF2000-memory.dmp

Filesize
1.1MB

Download
memory/744-113-0x0000000009F10000-0x0000000009FF3000-memory.dmp

Filesize
908KB

Download
memory/744-109-0x000000000A270000-0x000000000A5E0000-memory.dmp

Filesize
3.4MB

Download
memory/744-115-0x000000000A5E0000-0x000000000A930000-memory.dmp

Filesize
3.3MB

Download
memory/744-116-0x000000000A050000-0x000000000A09B000-memory.dmp

Filesize
300KB

Download
memory/744-120-0x000000000ACA0000-0x000000000B006000-memory.dmp

Filesize
3.4MB

Download
memory/744-124-0x00000000100F0000-0x000000001473C000-memory.dmp

Filesize
70.3MB

Download
memory/744-442-0x000000000D160000-0x000000000D22E000-memory.dmp

Filesize
824KB

Download
memory/744-441-0x0000000014740000-0x0000000014D46000-memory.dmp

Filesize
6.0MB

Download
memory/744-415-0x000000000C460000-0x000000000C570000-memory.dmp

Filesize
1.1MB

Download
memory/744-414-0x000000000C060000-0x000000000C09C000-memory.dmp

Filesize
240KB

Download
memory/744-413-0x000000000C260000-0x000000000C460000-memory.dmp

Filesize
2.0MB

Download
memory/744-125-0x000000000A190000-0x000000000A1F6000-memory.dmp

Filesize
408KB

Download
memory/744-147-0x000000000B790000-0x000000000B7B0000-memory.dmp

Filesize
128KB

Download
memory/2132-80-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2132-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2132-60-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2132-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2808-539-0x00000000027D0000-0x00000000027ED000-memory.dmp

Filesize
116KB

Download
memory/2808-521-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2808-523-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2808-524-0x0000000002060000-0x0000000002065000-memory.dmp

Filesize
20KB

Download
memory/2808-526-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2808-527-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2808-525-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/3564-498-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3564-484-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/3564-491-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/3564-497-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/4188-551-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/4188-548-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4188-547-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4188-549-0x0000000002160000-0x0000000002165000-memory.dmp

Filesize
20KB

Download
memory/4188-553-0x0000000002830000-0x000000000284D000-memory.dmp

Filesize
116KB

Download
memory/4188-552-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/4188-550-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/4540-326-0x000000000C2F0000-0x000000000C312000-memory.dmp

Filesize
136KB

Download
memory/4652-6-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/4652-79-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/4652-62-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/4652-61-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/5092-509-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/5092-511-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/5092-508-0x0000000002130000-0x0000000002135000-memory.dmp

Filesize
20KB

Download
memory/5092-512-0x0000000003110000-0x000000000312D000-memory.dmp

Filesize
116KB

Download
memory/5092-507-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/5092-506-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5092-510-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download