Dimnie: Hiding in Plain Sight



Category: Unit 42

A note to readers: The code samples included within this blog post may trigger alerts from your security software. Please note that this does not indicate an infection or an attack; rather, it is a notification that the code could be malicious if it were live.

Introduction

In mid-January of 2017 Unit 42 researchers became aware of reports of open-source developers receiving malicious emails. Multiple owners of Github repositories received phishing emails like the one below:

Though there were multiple waves of messages following a similar tactic, each one carried the same malicious .doc file as an attachment (SHA256: 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e). This file contained embedded macro code that executed a commonly observed PowerShell command to download and execute a file.

dimme_1_1

Figure 1. The attackers used  a common technique to try to avoid static detection by introducing characters which the Windows shell will ignore but static engines will typically see as part of the string.

A more readable version of the PowerShell code is shown below:

On initial inspection, everything appears to follow the same formula as many “traditional” malware campaigns: e-mail lure, malicious attachment, macro, PowerShell downloader, and finally a binary payload (SHA256: 3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22). Examining the payload’s communications caused us to raise our eyebrows.

Dimnie, the commonly agreed upon name for the binary dropped by the PowerShell script above, has been around for several years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control mechanisms. The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign.

Hidden Requests

Let us dive right in and have a look at a typical HTTP request from Dimnie to its command and control infrastructure.

dimme_1

Figure 2. Initial HTTP GET request from the compromised client and the server’s reply. The HTTP payload is truncated in this image.

Does this malware use a (now-defunct) Google service to aid its initial phone home? Not quite. Examining the HTTP request, this appears to be an HTTP Proxy request, as described by RFC2616:

The absoluteURI form is REQUIRED when the request is being made to a proxy. The proxy is requested to forward the request or service it from a valid cache, and return the response. Note that the proxy MAY forward the request on to another proxy or directly to the serverspecified by the absoluteURI. In order to avoid request loops, a proxy MUST be able to recognize all of its server names, including any aliases, local variations, and the numeric IP address. An example Request-Line would be:GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1To allow for transition to absoluteURIs in all requests in future versions of HTTP, all HTTP/1.1 servers MUST accept the absoluteURI form in requests, even though HTTP/1.1 clients will only generate them in requests to proxies.

Dimnie uses this feature to create a supposedly legit HTTP proxy request to a Google service. However, the Google PageRank service (toolbarqueries.google.com) has been slowly phased out since 2013 and as of 2016 is no longer open to the public. Therefore, the absolute URI in the HTTP request is for a non-existent service and the server is not acting as a proxy. This seemingly RFC compliant request is merely camouflage.

We know what it isn’t, so we will dive deeper to figure out what is happening underneath the camouflage layer. Start by having a look at the DNS request that immediately preceded this HTTP GET request.

dimme_2

Figure 3. DNS request issued prior to the HTTP request above.

It looks pretty normal, but we can see an authoritative nameserver returning an IP address, 176.9.81[.]4, which is highlighted in the image below.

picture3

Figure 4. Nameserver responds to a Type A query with a valid response.

While it may not seem so at first glance, this DNS query is related to the initial GET request to Google. Below is the raw hex of the IP header of the HTTP request above:

dimme_4

Figure 5. Raw Hex of the IP Header from the HTTP GET request for Dimnie’s initial phone home.

The answer (176.9.81[.]4) from the initial DNS request for onechat[.]pw is used as the destination IP for the follow up HTTP request that appears to connect to toolbarqueries.google.com. Sending the request to an entirely different server is not complicated to achieve, but how many analysts would simply see a DNS request with no [apparent] related subsequent traffic? That is precisely what Dimnie is relying upon to evade detections.

What the GET?

Since we have established the HTTP GET request to be largely falsified for camouflage purposes, we can now proceed to pick apart the initial outbound HTTP traffic. The contents of the HTTP GET parameter are reproduced below:

This GET request contains a single piece of data used by the malware: the contents of the “ch” parameter which is base64 encoded.

Decoding the “ch” parameter yields us a AES key which Dimnie uses to decrypt payloads. The attacker uses AES 256 in ECB mode to encrypt payloads which are push to a compromised host and decrypted.

The code below illustrates, in Python, the method we used to derive this key.

Besides the HTTP payload, which is an AES 256 ECB encrypted PE file (after decrypting, SHA256: 6173d2f1d7bdea5f6fe199d39bbefa575230c5a6c52b08925ff4693106518adf), the server reply contains only one other HTTP header that seems to be used by the malware; the Cookie value sent back from the C2 server. This Cookie is a 48 byte, base64 encoded, AES 256 ECB encrypted series of UINT32 values pertaining to the payload (when requested) or outbound data (HTTP POSTs, see next section) as can be seen below (comments appended after //.)

Here is a list of possible types which may be found at offset 0x24:

Value Description
0x00000000 Main PE module received.
0x00000001 16 byte information sent to C2, probably PING/PONG.
0x00000002 PE Module received.
0x000003a4 Get module.
0x000003a6 Get main module.
0x00002000 Running process.
0x00003000 PC Information (Computer name, language, network card, …)
0x00038000 Keylogger data
0x00058000 Screenshots in PNG.
0x00018000 Unknown.
0x00098000 Unknown.
0x00418000 Unknown.
0x00118000 Unknown.
0x00218000 Unknown.
0x00818000 Unknown.
0x02000000 Unknown.

The values contain a preset, defined size for the payload as well as an expected CRC32 value. Effectively, the Cookie parameter is used to verify the payload’s integrity during the module downloader portion of the malware’s lifecycle. When the Cookie value is included in later C2 traffic, it is primarily used to identify the type of data being sent back to the server and the reporting module.

More Camouflage

Data exfiltration by the associated modules is performed using HTTP POST requests to another Google domain, gmail[.]com. However, just like the module downloader portion of the malware, these HTTP requests are hardcoded to be sent to an attacker controlled server. Again, Dimnie attempts to blend in by looking at least somewhat legitimate, although the data exfiltration traffic is far less convincing than that of the module downloads.

dimme_5

Figure 6. HTTP POST request with encrypted data.

Once again, the data is appended to an image header and encrypted using AES 256 in ECB mode. The Cookie value follows the same structure provided in the previous section. This initial push contains system information as can be seen in the decrypted output below (data enclosed in brackets has been edited):

During our analysis, we identified follow on POST requests containing screenshots of the compromised desktop and process activity lists which were encrypted and appended to a false JPEG header as described previously.

dimme_6

Figure 7. Process activity list, post-decryption.

Decoding the Traffic

Now that we understand how Dimnie retrieves its modules and how it protects them, we can use the derived AES key to decode the observed payloads from our PCAP data. The payloads themselves are never written to disk as they are downloaded and subsequently injected directly into memory. The module ID is stored at offset 0x2C as a 32 byte value in the Cookie field, however to calculate the “true” module ID we must use the following formula using the key found at offset 0x04 in the cookie: uModuleID = uID – uKey. Below is a table of observed module IDs, their functions, and type of information as referenced by the Cookie Header (at offset 0x24):

Module ID Function Information Value
0x20001 Main module: downloads other modules and injects them into memory. N/A
0x20002 DLL module which exports SvcMain and is injected into another process. N/A
0x20003 Contains 58 bytes in front of the DOS header. Purpose unknown. Appears to be a copy of the main module. N/A
0x20004 Extracts PC information and sends it back to C2. 0x03000
0x20005 Enumerates running processes and sends the list back to the C2. 0x2000
0x20006 Module that can logkey strokes, take screenshots, interact with smartcards and more. Uses RegisterRawInputDevices/GetRawInputData for logging keys.  0x38000, 0x418000, 0x818000, 0x98000, 0x118000, 0x218000, 0x58000
0x20007 Keylogger module which has two PE files appended. Both PE files contain the same functionality but are different architecture (x86 and x64). It sends back the logged keys and clipboard data to the C2 0x38000
0x20008 Module that can take screenshots and send them back to the C2. 0x58000
0x20009 Self-destruct module which deletes all files on the C:\ Drive. 0x02000000

The self-destruct module, 0x20009, drops and executes the following batch script:

The primary purpose of the modules we’ve observed observed is information stealing and reconnaissance. It should be noted that Dimnie’s modular framework allows for a variety of capabilities to be accessed by its operators, thus the modules observed during the analyzed campaign may not encompass all available functionality.

Conclusion

The global reach of the January 2017 campaign which we analyzed in this post is a marked departure from previous Dimnie targeting tactics. Multiple factors have contributed to Dimnie’s relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown.

Customers are protected by IPS, Dimnie is detected as malware by Wildfire, and Autofocus customers can see related samples using the Dimnie tag.

We are also including IOCs for this malware family dating back to 2014 which include domains from DNS lookups (Appendix A) and dropper hashes (Appendix B). IOCs specifically mentioned in this post are included in the next section.

IOCs Mentioned in this Report

We’ve purposefully omitted legitimate domains and IPs from this listing.

Initial Phishing Email: b70a17d21ec6552e884f01db47b4e0aa08776a6542883d144b9836d5c9912065

Malicious .doc file: 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e,

Dimnie loader: 3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22,

Sample decrypted main module:  6173d2f1d7bdea5f6fe199d39bbefa575230c5a6c52b08925ff4693106518adf

Appendix A: Associated SHA256 Hashes

15895f99011f466f2ddfa8345478b2387762d98eecf2ada51ad7f70618406ba1

7d8ec31d9d98802e9b1ebc49c4b300fa901934b3d2d602fa36cc5d7c5d24b3bc

046bc7347a66c977a89ba693307f881b0c3568314bb7ffd952c8705a2ff9bf9d

1b5e57fa264b2ce145b39f9fc2279b21f6b212aeca8eaa27f68cdcdbdef1900f

4b10cc374ed9e2c69231fcfa1b1d96496785ecf148f9445192f24385068e7b0c

e47ce23ec14114d3abeba090baa77b9bec876f947df67076dddb9087387735c7

d99c699e399afcd9e5abcff8c9b4a40af3e428f0c452c646653c79ec1a623bba

b6dc94f75ea4d2b46cf41079b1ac4cf48fe7786019396f379822fe6e21c9929d

a4df4a25e847d95a86a257bef7d2b349e9908bec37f0199f9f217d9cc0e28564

caba117fdf3ca61b1b17121adb4546e829df5426ab8944e5c4672f4a8619d0fe

3ffec5efb775c7d977f1e0ad1e8a51a111394e0ed113f58809fc8441b2c0f731

3d94881f0125093576dd01cd54cfd937cdca2b3050ad9aa4c5db2514d9aa686c

1d06464bafd24c228fd66df9cbf8feceda1346cef8648c2cd87cf617547bbe1e

9c403782571042fe2e3efb3acc35a26867956235a2a9472798bd664b65698c3a

d0eaec396ae11110dc4f51f3340d4735790876510de438f8a161577c7aa72d1e

222beafedbb604d200099cee657505f1d11b371403c7c9c12103adf28a561289

0f76bcda668095a8d2fe7a1282d463dcf04201e1c5a35856f117703bcd9428ef

c4bc691d7b8a16ff68ed338878451d1ba681aa181922cabd0b999b935ded673e

67a1dead18afc43c69a97de3e39bd84dec91df751a45bbda7ac5874f746c147c

7c4c2c898f611fd12a244822f5a2080da51126713d4ed1b3c950aa0ba6f92d93

67df79166bb258e77959c326c21563ea41f3f119d8e8486043efb83c868e636f

5661e7c23ed6058157b39ed29fa37690148d377b1faa7c7b89024daf0ef7e904

bbe7abc992928a45b618fbd7fbdd472ec3e4a47126f21ec38ad8257afe0c091f

05e30073cbd18b0ff2cfeab307e2e8cd2226d921a1872f17fcc312fc601fa93e

4a25bf18783ad32e08aaff0707d8fdae88647da4e0bfd22d83850e0dfa4ab148

3109724914f0eec8ee5167b15e43fc71e58106983ad0d2137c96239d5b25ad7c

c333173687879f3a6387f5afd915d9a4f042ffeb96f4cdf4514a5433de558f6f

071d91e67c42811d96d15a4a6dff740cc5d704ca352d9bc03778a2a6abd552f4

d884ae7b4f88973d2fb763b00c41171353310696e66dcde5733558ca68cd68d5

3944c7586e17399051785e1ae0311f4b98e74825291249a784428a64a80240e5

f76fe0b83e45a77ebc36ab12a27a5cf49be74fb154c51cb793e946c45bc4e12f

9f2367e31987327ef5710f7dcbfa089382c1967247c5ac1e2342e1e10e495fb5

5f45450f3342fd4f7f08651d58f775d47a25a44758039a577811eed6c094dfa7

824b93c4662cdc072488cf82d34569dd27d6f1fced5cb83f045825ed2e4b463c

441b1db0595565ac059552790e96524851843b22787238291f286b16c9c951d4

ba6022401ed257f82b7107319a7ec928044acd3dcb60dfab1ac7df2823ffef25

0a5c9818aa579082af224abc02dad60d77f4ded6533d143100b7744b58e289a2

871cefc4f9faf8658804dbe8332e3b511172ea29545e13c303ae1809edf8a0f6

bf3869e420ac8686b9ae3b14d679f45b34909ff998887f9fd0c8126853d6a4ed

8eef688751eed591bedd2fcc18d32bb84df11fdda62a16c963561aeeae56f6f4

c18775abf5c992cbd9b3b0c401fb0ee66bbe092e44b0b1b3cdd17fdc353d825e

ea6a8a46b61e2a8813c4146461e4c961dfb2cbcf277d8bb9edfc14be73f9f073

119972c1029267df7c5a8e607a2f034e7f8a3396ea49c67430842e0ff2de70eb

488c93d2e5413b974f489030c1f7484d2a6610cda0dd5a389b6a30371817d108

4ebb33fcf64afcd534ac83e72e49a4392b586bd31ef20b7bea2717cb9cde4928

a8779654e5abf142aaaca29b1abc0cbf1f5430e8a8fe7d955ae3ba6f1a9a3747

445e1aaa68169f30efa3d7d04f378c646abbbb3515430005b66d9e9ac182006c

417d6ec4701da0396bdffb8da0d582dabde35dedf9d468bcbe36f94df6dcf8e3

8a4748311e74cbf4f66a55ee4561728d0542929e9c260eda6d30bbde054fa53c

6a71582fb919a1300b98b035eb154602bf5452ff80d364a1f6603240cdbd8293

b01756a3f4b8d687a9fce4301f5f56b4dfb7befe29550096b262935f63f02cc4

b91fbf574bf080af82cd24977d00205dc0860ad7afb01f8f4a0ce0f910f9de6e

829797843357a5417f4de7b7f8f970ccfaccf30ecc80ed9c15e796897012d3e5

b10a1189aeb784c899bb5eb46b6cf1528b2ef6e3c0673159db4438e7aa39f6d7

2ba2491ce6a1814206dfe2aa9b1129f6085f1a18fd9b8c831caad286b095ee90

78961c49fa961bac01ebc8ef62077bc8fc8a3389f39fd7ee9d655447f0282fe2

aaa1511a156a11cff7e09367184972c067b65cae6573a8b4844dbe0a01894118

e64678633c8e876fc9313bfe5a8401953eaefdd8e7e006221cd5009f471fc389

2cedcdaa116feed52819914db3f19edf58c004a4a28c62f556d2ce3ced84b0f6

417addbd5817cc9dcf4f77f6240a56cd11a94c9a89e646d589e5ed26710cbcac

ff19d4f2c6527b2d4ecf65fa85115fddaec5420ef4346e1b6a21b28ccc5604b5

6e676f6be660799fbb4037c0c1ad39f9933b3e84cba0642fb7b892465b87325b

f9531a1ca3ee933812b709cc07a7d6ab6f8ee9900eee64ad97e936a68c5847e5

df56d66b8d9a16258a0b449084e3d82f8e338f0d0ff140bbcec1848357107dda

81ff2560c2f999d51f45b62110a5d37921a94d1af47f694780f9df8ed6c932ca

f9e6817f348cbfc4ca672ea275f3da390c31b45266e57b1f0f13f7c7ca37a3eb

eda0dfc38e7f32efe209902e653553a231de906b3a8894d31c3e39bd3a7e3a99

567cce05449594ed622160b443e81fb9e38989d830749d9e8bb5853f73226d11

62b8b1c425bce735789ab19b7e520304d85005df418221eb0f9b242d9e671a45

03766d99a1d7551ac4056c121c017ae70443d50c152ec1b06249c891baed435a

1d0a9d2e3c08f54b95575e4341f1d9699eb29ddbcf45757b1814ceabc9418a03

7dcda64fdfb2069f3b5f5047cfac6f2abfb6a2fb7591f974e5c0348ae86b6909

913589ca3fa86f9de6582204040753c779dd830e33876de338683587d7498766

590a4dedb34956e454d384e882440e731d50a83a819cfef000596d165a7d32c5

d0b44b803893fc08c08c653b2e0ca2ca2e2f52ef8cd49f0ac145337af5b2175f

cc74ef19129d061ba97801839ff04c00df07f684ff62df89061d7694c3a9c244

302b0b3731f86facb6be3fbe8eadf18d00d696175fc1590fc012b9c90fd60de6

bf4b6f9f28166c0c6916548694a09f98ab5e4e9c3012323b3a5fb3e6a6b33d9e

b857f5244e18fa9efc9b820dc70b827674f28bcea9ab7ef666e2271f0de4c9ef

0a46ce6d1d54fed2b200622ad0d5977e00e7865fe26c4cc69efa573e1ae542ad

10b8eaae1e00dfb40186a1d32f0c3cc10a47b9258afbbbdd81569b96b2c79a07

7b23f7c1ca90affc891ac89d6c9b592e0c47f1a539b9e8a87f6431fc0158404f

cc8585b57a9a371fb6d7250395bdcddca07150a7dd97c3a9dd67e408812feb8e

35074e717332d8fe3336448c8cf065bab56b978819b4685e618b094674be06df

a60c52336dc58251b28fba6345f75236bd7cf82c19702fa777fc926f04a5f75f

0bf94cbf7120ba5810c24772ba9752d22a31129cbed2009ebbed5bce18c916d5

052e93c7733e1a1fc5094682ab3cc3324b838d5260a1bed899ff93ef0966608c

3a9ec7a665475ca2f8e4eb314a3b845a727b3a99a818263284604b76b1857960

30d40c80ead9fd48b39aeee9c6f9d38951470d16bbe2bac09107d66f197cf012

e91c5056fc764bea87cc5a265a18c93140420ac15b030fa061f4e54e453d6c1e

5893e01e6ac20cfa75f184d1f6d708e3ccb3ff6da9f5183da415e3126e4d84b7

2d9b959ad8e19d2dd1d60e1bcbcfb014fcd9d671316b310d864fb2d881c16462

770c79684d74bdf8fb6d0d7cf138ddd06fdf7506e91eab09d79ded677f04ab98

98bbf1b17196a525e810689833dae910b144daf8ce85f31c73b9d0ca2dbdc426

0c760dc72a02073921d696840c31a372648a9f964be0afc0bd14554cb3a6be61

66f3b47798a56b74517094038862ce1a4555e5c975427db3b00835377cc26725

21e406638bffc35ad1929c5b03a0bbd42d1a39fb481d1954e0c15135e01e3c6e

01431670bfa2a14419323ba4731e2b9f03d9bc7362ae78b06792eb605249ff0f

517db060d4b0d8ae3a22d37f67311d9f5e2bf93d07424a4b9be5fefe84c571e6

3eb15bd22b9c70cfaa57a08eccb60de60e6bdaba00489ad0c61139504ec1b274

cc7b1846fa441c13cc03a8089013c55fd8c7bbabde049cf578df2633afebabff

eb47d187d81488b11690ac3191ad8e17774d8a11e559d692fcc344a905c34183

7f8c517b0873991b320d3f94e76f639afadf1481550c8931bae2b46afe204aa9

414475578f2d5642be77f2ea18df1f3ea97fc78a5b985944076c41f8b6e3fa54

a9fc88b00fe9ba84397aa7eba29a3dcc34da69a2eb89d9135cbfc04725605703

d390f1198f1b0c2307859b523a8fca918994c48cc630bff60f1b1fe159f974cb

fa56be12aec3eae896d372839d20bb02f45a8f167cfb44ca9b9e517f8bf454c5

8f0cf083af5412a8c228fe8d7755c2dd186248bf73de5db693019a0435de7dad

e593d990025104eeacc1bf48c3cf02a9f4503b056e6f17806dbc82e66f1878cc

6764806968caeec57f239584098f45eb4cdf1c1610d1a85b5c065bd4a3682fd9

63aa7d6759523c216de2bc85621f34d2a08f6c3c9dea8f4d3e0d1eae28afecdb

4a8336797a98e2f74062a477cf88a1c6be603102a3ead70d69823c5d3306536a

0595605bb8b6f4369e04be003c8de77d60d51c676bf463452758f0441c3dddac

611f0f92151aef878550ca0cbfb98433180607f374f5b68b72393a3d43f65381

7e275e43f70ac7962e5f4b503521af1862ac86ac8952aad52f7ff8452463b6d4

fd7f3195d0b9530131c5860e5db4755f9bf95c5cdc2b1c5563be5f49b0d35857

2fee7fbabcf1b4381ec3c8ef951bcdf9e204b9d8418815cc84efdd909a882413

f423bf186440e7ac1924a75bf3c532d61d62592d664e7bb004c10881fda3bade

3e21da2bfb27dc428214f94f6424b3d745e5590df45f333ad1f20552afbd410a

7ccdecd7997e78e766e2eddc1dd0d5b2a0ff8d601a7acaddf024c0fc2f4204dc

fc9b309039e083e390627f8203b6428a51ab570b3839a1e1efcc4b2855803fab

a1ca4464b092f361ae6c0bf60867c93fb507ca3f9c6de045979d708997539a7f

8e6d0b88a84ce804938ea9b5c41b0ed497ce00b070ce0b596913b4dc65501352

2aefd28e364b92ea42573d5f937ec53bd864e73cd8b7d40da27cbda2c6f9592a

86bd7d9187a273a9b0082ca84fcfec05d7f7ad5fe03360533004eadd64a86017

20b1853bec49af02aff6cd22b2c25e41a48df7a2cfbff785f6a110eff8742f6b

beb5a1afc328ab2f34f56a65ff4161d37be91adecfceaa83a2bc20b63fd35eed

3998a7feb58bc3f4741b9585ecdad04b1d16026ba116630c0d7b69f2651a9ec8

82fc70f991759e53daa66f2cc4f0873426049215b073973365341b000fa26585

2acff0e4efcf15d9b21f15869b955cfafa8f188d7e38de52c729c260d3cffc4c

9aa03d7f128678225dcdde8b8f8a792b7d56c768afde401a7ee779469a469271

03262308f43830db8fa4c3568aee387df5de96743c287bc6b49bea309b2dc373

95637e684a42583be98f3c1d2567cb5bdc3e7fcb875f054b58b1036f32834ada

f3ac0db23744528e8169c1bc58c844b0fdfa4129c5e8700b4bffb07daa75d1e4

e38804084d5cb0e7e80fd9144ed012dc92e89b68586dc2611ee90392d2fe46f7

6a1999cd18373653766b9385c3e60a3f21ffa040180172eb206142f601384d76

85176e6b449dc548af04c29fe13e8622c275c84691d449d6392607013f6fce07

d653637357b94b8547f5d81e78248c5f7dec8f64a3f7918563c1b5fa9086b3e8

97ee5dc97b2d21d299034cb02cc814a63494a31689afa3be9e47015b40b8b308

b1f47264a60d732ad917770406badcfaa3b845d85841c46b27ea758ee82f18c2

201480d3fe6598cb7557c4940e5db96e71de9a15364b19865ee61c11658e2b5b

ed9f3dba0c9a987094d1921e5316398aea169bf907ce848d6518ea40db15c46d

c2ba05bbebb35e99780c87e23a3d6f7b05ffcb17b21ee27f05fb62ec13e25b0e

abc4b46a96f432605336dbe376a92feeb77d768c473d52b725a853a3abeae92c

b2eae31ae2fecf69a5940e5e7d3ec90b241bd1223a4af25204676b67a176c88c

2d2c65e64f18e38991c609ca7d16cafb928c5c96132fe8f361dc3f31473b93f7

5750fcf5b4e31fcab9e81f154e1ec04105dd909f46ffdb9bcb986d7da9e6c22b

8ab4e92cd37cda1273f2359ec8d2c4b9cc4cf02faa199f8fe71f4f200a3ab31d

c693c3983f3c6e2e20d338ba240ff7411121a674b267ff86914156f9a91d5be4

cc05d4bffba7464194bf25ef5f8dfe9541048404b29e31fa93392663b1873501

375005db3906b1aad931c0207932ccdc99a191e9ceb100ae364ee1f2ca15682d

f9b85d337aeba34d23cbe1340f596cc908f572cbeeb5fed4fb389d779c7d5004

941007ae7918e8eb1845598053cf7fc4b0c17d708c2dbd1d1b13d2dc12b138e1

6069b42bfdf59ce5ec95f068e871ee266fa7593457eb4b38dda113014be87ce6

d3f4e3459bbe753ea8c022eef425d5b098b0f32c0e4cc4f390442d9796ed4ee2

9dd9befeefdc13ae72bf90952892eb357bdff72083c282fb73dd3821afe43e72

eb1f746dbdc2598757423e4505ff898b8308282e638f9b940d84870e7a196fba

32b7a4f26eb3e2f44eeb82b95f9971572aeb82f1e218bbad39b2a8238d1448bd

e3e708a03186f373d002e6e84c649bbd95668c2c17dee9c7fb0143f3d675837c

b909e6e7f909abbb57af26b244b330f822ed552a3c4dadd028079d8070108c10

813fdde0b998bda3247eadab873677972681274b4a9905030bf8d76727d57a6c

0353e9168983735e8efd2d53b4c498b7810f49e67169e33eb42ed2ef8d3a13eb

49b2fae0ae4d9cf71c2766a0d965d8a50bacd8c522eb45656b8b5f6a1c7c8f51

54e54c459dbe3224d3f4947b30f20b365224552afac4bd45ddadfacee9a7cbe2

6b8b394add913d3c410787f0c711217fec60a917872465de04290a8003b73535

3977472c733eafb7e71f8fd6fece5d2cfc849ec88e9d6942082531f3f88818b2

b2faf0d9f8f436968f3851ae863f3b3d9190b1be5856f2bd044e6b04447efa2f

53e4330ba988627e5f1f5544f23fae1c66c0f2d714a922b1130a1c9dc2efeda5

2c5871fb46e6fbf95266830ba7b4923449d0bc99a4efd7586ff5556ca049ea1c

20b2c347268546d317711aa693d078c0dcac247e486e3b87e45b099fabdff607

c8dee4c2212c7bf8eb9cd7635ff42526b17340fb198a801cdaa8d4ef72a3c1db

c3511e8d5de1ab2146ddb8ecc735890ef5cec0b31d175fca2fb2b88d60ec3e43

947e55e3454031972cc3d11006a60091b2197cc9e241e562ed900b82e4f28bd9

ba03da023f13796dd6dd70db0234da5df33ddc18ba274cdc62c282d56c695ece

de3aa81710f2580d3ac690c1f6d087a4672f29ccaa36e3901e4904056f83a48d

b3f371cc899440583095bac2817fba2ae2c7c3cac9c121d0798e03730589ad33

daefdf3c053971d35eb4a7447cf74c0335066d557ddbe56f01611e8b9a38b512

0dac129154c01867ca391da20227fdf7d7e3a9dd4cf42eac76833a051153794f

dd3ada0bb17356592e13bae5961c0bb131e645d2c957f1f2047cc25528f60518

f94b5803298a18b6ddc5eab202db6ae4e7199adf298ce16698e8053a36d5f934

6e7cb2c05000d0e609cebdb7d598fffc48eb5e7d1d589fc0947e322cdcffa070

dfc6ff1c54d3b7c2d6aa3ab9573debfe83b2d9a82c20b765a852c77d792ab10e

a0af21826f06da5292dfea3574648137292e31df1cd70a8262f03354dabfb38b

788222fe51e7bc91ce229f67557843db34e1ad68296069ed3235b022407fa610

858dc8648024588c644466e0386e101a925295f4b8ba3e3b7235aab7eee2788c

25eb81fc61b60b1a01eafc040b292b8c206a883555d1db3b80103f6a09b92f7d

a0ee38e7edac534827a1501bcc535ab7f604abfe654eb34b330ececc544cb084

c870b4dffa82f8b60efaf7b98875e4f823a207dfb2f0023ca1700392ca91c5c0

cb677ce864730abb68cb007f5ce3cf067fa982d5ec5e79402f4dd28506f763c7

29c653c91fa209754ffdc7d5d450df1eacea065eb327943d613a5341d4d091b7

0919a323113724b2e8734a3178996cedee88f827f7706423acf8407568a93bce

4aceb41286ad09a78a31006e65c374fd82f3f0682592cfa1b06a390b4450404a

8a1d7fe6146ad99ee806586f217e067cd34d5bff7dd44d516e08576c22b1a382

6905b72571b27eb36191c5394fdb8aa91a25561e2f65bb7f6283cd67b8b42695

cd0fcb23fe5387245008d5aba8e9f937bae13da0f5319e4c0952a0e5f8715fca

927d28f4be7b208111298aede19ea6a33d69769081747504a2a6fc0e65596582

0f7810dddc7f204c7da31f6d599ddf7b671dc635aa1c415dd3f5a65ffa0d72e9

665079b17747eb20e80e97a8d8b432fd3760cbe72edba4bac5f3dc95e2576d57

d24c97b62ed06288d3887dd9b720da4900e8703360fe48d62899e6ee156eda20

1d130eee41544ea7389f90a1cc19d2535ab5236985912c3cc000e5a9d2416e81

485c8b3339b13cd8cbb52c03b1024665f9307490a107c0bd8205cebf76cdcd3b

fffef40864cecb56422bb793055749084ab1d756a35075d60cd547b2a7b074cd

444dfc3bbb7406135002e3b6a75e48cd4ac40bb3213f9ba4836ad202e5fcea4a

d13c9c157d9ef56620698b20e2ffca8d9dcac3dd3109382098f423ca9588031f

0f710fb601b78993e28808184c8e868a474dcb679d61bd80e01f215eecf22f83

4a9c473209596f2abb19c0a15b638458ef2c27a208053ec6f89b7b5e8efc882f

b36087991947633cfb1d758065323daf9e2179f668a31e6f639d85f946bef3cd

93ce0b122022fbd855b22e88b6598f705a319154cc3b6693f0a55fee8382fdbf

dc0bbbd2d6b7d37886059415d6cdcb4ac93b55ae06162670407b6aa0eaf44b63

ebfb311bf63b625ddf60d925669cf6b52a8980636a7b1536341cc78ac494eeb4

c7b07e16f61c792b8ccf5de098b0b291957b83184786b578bf87dcf3aba06d1e

550b73295af24954fba98ad5a86b2fb977d57e951c3b7f5deb10189bbb26a6fc

42c5651efc6ff62f6315f315f25c0407e773e702f43cca806ffb4c8ff899f524

69d69ef813c95e73881b8c0c567652f4c4c208d25ba778760f8becf79ac924e3

a1f766bbb2beae7a1211003e3b3e63f006ed28a1b7fb2e1549af1ffa2f0f477b

45c3824018e889e8fb006a83386a1e459b563cf9db1546f49c4bbc5faa9ea74e

e911e6e631d26b2f93779868d4b20224b2bfde798f2d42cb9870d951f4f10c53

f66536dff13b1ba415bd4c5fc172632465d33cc388899e976a49380da5620e45

f1af98d63fec8e0164aa6bac58c680c80075545aabdbdc49ef9cb45694d14642

e701fa1b68a80e77863e06de17a19a2f489aefe8af8b47bc0d908c726eb41053

03307e8bbbdceaa8393cdd13fd854d2705b5bfdf211b40a53113b915debbfc02

b5a785aa5284b96f08e9b191b3c1259d13e478523504486a24191b6e239b74e2

7c324b8b01db025d627df826283af003f54d2d5f20d6d52bee380a69a1fcd9d4

08cc9d83ae7f9805058555a43ec0f0daa73346feb38c2c244b3a4311f623d3b7

e73b2fdd33a250705dd044761a1890afe5ba0b1553b2c7ae5dbedd45e58c0a0a

e3d368a3e613f27cfd17db2ed439b6980f9bf0d10458d25066e316e4193c5d18

bfdad4010fb8104881c0392ff3d60e43e9eee73a7f8d00ab2097898dcfc14710

35f636b1876b17b923486924ebe629a98465b480f6635c9db09a16814a5eada3

320183fca03a973f746adba3e5bdac62be152bc4d32c6cf466383cd951ec2560

206c8c6f0bf5792631387b823cb4c1682041805b5c3241cd6d700c6e5475066b

b33e64b53c8f4af8e8cc75feb2de709da7614082ffd19f7a2110eb1b8b8ab546

31f6399b3423324eea084964bd979689bb367021b424e264f32c3787bfce85e7

4a1dcecd71ff7323eb3d0b1bcfc4d61b859e7734fcaa33b01bc3b727557b4d52

c2b5a2df6b792edac0d491a643cb525012f959934ba7a1846e14e51c810d8d42

ff5c86f1287d1b8ffc5822792ac00255176d706859749b7f2d4baef49f1f833a

dfa8a776451866e2773d57f79a839b2baddbf50792794993bdcefd0631c3f9b3

2977ecd28f44130c0afec70578b1c4fe240e39ad201d2ddd7fe1d9c2bd1330a2

5e0612a0124b15e193f630346800aee5307477110a5d4f8df23fc41d1d451387

b39ffb21bcba526d3ee503bcfdd18aee2a2bdec4b0798c6648fd3f25f3d78bb5

b86f42f252d586d032ee0e4022585c457f98f667bbe9f2f4ba4d53e6f34537fa

b30f53594e7e4b21a54c4011d67b2075185ca1b53084078b624341a8ab906702

7e83122da3f7152a5a03deca48dd600315b1c8c285c9e5922e7d691d6afe0f4f

271431e7eb1c89b52ffb154912925dcf9fc4210fa91a2b4c27f27037f1bc9e02

f98ac9b51c9395ed3d28dbfae6116b2f753dfec679223c6a4f9dac948a0e95a8

cc60033583227cda159007add0b3274f5752195bdae47495ee49d299b0a39ff4

0299289e2146e4655a8ba43191243dafab24023dafa857eaf82ed3ef423013a8

63f1f839dbac88b1ad4022e152379d3d909f30eaf34d08b3c459f16845082c94

b7bf2ad207ac67e422bc69ec0058fb21a8f52061b564e1ef565887eaf3dd1dca

d9c2be7b02dcf65889d764ba4ebf9908672c2a234cb4291d89826ff749909623

ca752bfec0b9f14a36c69e0c90edcc846f67923ae81ef5c5719480aecbbedff9

d23d4055c99b7bd3581a83443d934c95d2ec8dd9c690ba29b611e64587add39f

dd4d9ff987aaa9f2bdf526207a97d7182ef3be37fa08591a40e9bdcb8937c2d4

e3feff7f25d06c8e01d62d76a5f6272fa92f41ae05e0fbff51b67b9cc55cf452

00b3dcdeed117b8eaefff05246114c2ca49e88b3ccbac073c5cd87318e215f37

34084bc57ca269c05ef65720bc39d8bd284000316242721982f4538af351852a

df4e6982fe1977a49e37239b2d28a60b39317eb8dcb3e383c74b70fa62007b47

221302051095909ea47eac8ac8b9bcc82c51bab6946aca7c8822aee732fbee30

0205f46daf74ac9a66ac89dad04b805528656e482f452e616e9f260f1ec6f710

09cef29d19f76796b6effae5d6e193efc98c9e1e9e6523566ec995a78daf3dfc

ef704e0118c5935e0afd4632d10c1ef1e69ae026e73fcdc9d9b272db50a8aeba

126636a1fb2e955970051505d834d3d3571105cb82b28393c05222332e29e9c1

f9583642689abf8b472ebd1f67b7ef9b7728837452ac476e68c3f06d62447c6d

5050de5d74798d634d7639ef9638da8f9be63158bbcf2bbfb50038a7ee1e53ed

70871cb6d07a406f6b1748e5614e1ec33b879b159484a9f82354025a801cd1c3

26a93a22a3080545ab09ee93a7385cc0a85d9a75df8d0d88310d8bc639530714

abd5cf43abd878e8d7633e19bc309de840ec4e12624cabd99ac6152d9455d44f

b84328459e911de77827392db7967bb9ebefe90e365a8369ab8716a6b50aa5a2

dfdb3b363d82d552b8b1a1de116f6e68c2a055170a5c83f43575ad3ae9b90ddb

e5ef4e95831f24f345b4c00834b88b19098cada540da6aa60ba7ca861d20fd95

8e04108c5e164c1f077f0abeac10fdf295207e1f160350d999527ce23f078385

385b7126e4f3634ea1dda80d8bb4790e1b1a904d6232e51d0888ffd744b97dbf

3b12c8915af0cea47a7126b4a7f1ae788972dfac366d5573ef2681ff3d13ad41

05bb5e77bb934779bc7b6fff863bdc4f4db9759bf939c3cfff3ab0f75fcd13e7

e7ee85ec5a7c228be03b201502a1e74186f36c7611917bacd9fc67501df3606c

9f7e640951097f84b7ab42514ec2eae951b3c1b817c68efa9daae4345d2695b2

88e075627d93bbf43eabd699ca9afac0cceaf43f18f8c7ac43f2a7f93a247b55

06b8fa74196fa7edccb77a4bde000928a8ec15d56c5dd3c4af7237f876fc0991

c6db6e329d73616e6869bbb4f86fbdcab88c948176253df82729a2010493b09a

93867701be29f7154cf9f4bc72faad9e9859f4db3ed3030c04fcf03bab085b10

7f4fc4475cf86628ac5277c363fbe0bf47e87e726e4247eabe788e4440bf5bff

fd348ee3cc11647a87a7a065cc8dcc63cacad3349da567ce6cb5eb3f7d0a6ad1

fb6aa05b6c9a6d394d33f2a6cdd4a9c626eaf784990b69aab15e6ebc51908739

90aa424f52bd1f227ace86348c707ecc711c808526805915c50dfebf4bc49186

b131f561551cfe16804cffa4ed1651576ddb9e880913d245c23c7756311e474c

1d9ea027c8494e88148aa1b2d87bd13cf753902445423ac63257b89ccff1dd9e

88aafb45bb4e7d68b5476b4673fd38f49c233d42475f7460afae37610004b54a

40c4c891231a3932b5c15b42e1ff302f6fdf4776aab25a67f827333621795d9a

3191b3988616e9e834c883348ab635727d3d1b7e964226ee9488c1e7a482ce3f

f33d5ebb15bf924e590a2bea2c4cb914f1398b5694c2958b0c97c548327403ff

3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22

76c566798ffcede356a8ba95a56c0400d41c746ad1a0f8503b66c9ae3a9e28da

09e39c3598fc68bd8193e47bad89723a8a989fc439cd717bc6cbdc596b144305

6d97956e23d15262be7af32eceff949ee708904cf5dce9cb6f6d732c37fe0692

5994178fd21ef4fbcea34a27890e24d56e5ebd247d26b4219f4d5475e4e00a9c

b2484daed920e8065605675822eb3b0e66d947f024dbc8193f39988a6e37afd9

4f7a58f1809fd0685ec815d0f5c910d39ef27ed2c4576339b3477a44aa756bad

86debb3398b60748c2c1d0d88694c7308f2017c6737490e84fe688396a0c5aa4

f2693ac1f73aa32dc4682ca66918e3ed78ed490cabc942018a6eca8c4aed9630

810e765fc4b9f838ed619a777528b243573d79e93ab29d8e1e3071ea2619fe0f

18241e18bdb290aa026d87c6d3dfa780d76347e8e966f3956bdfe44f36325473

c88771c9a6adc3c8bd6bd2d173c82f0e1c1a5966cbb2f05c5471b978840c2223

5f2e9aa038862b16ab09e6960262a25993e715df786a339bea352411e5e8ab12

f0b5592de97e7e7193b76e073ee21b090884f503c85258ab0cc1d780ae4e41c4

f22ed39d51c61cae0e03b2be39e05d1bfef05e55320aace141332a4a8ed3bd2c

de77795f1344857af0b583e38939f1cbf789b0989b6c8dca4e8ea3a6f0e646a1

60c2d4a1a5f757f5c9d3686bf85a5529e040049723ca3988e1f9560ea93a386d

3c0f463ac70d2f2415fbdb0446ba0fad290fd93b3db9708ffc4a4bdca0b5d4f7

9bb12887255696617d3e6356fe9f343473f6805db7dfabc6585a2ecd3289bff7

2829d72b813345348681d402184d53ec74fa491a0f3c726aae6c39b901fac1e9

d95990b7b03d017a64b8aa9f6133416176902d4195af9917660088245f4ebe7a

e267f9233c885d662804197e153e69cb2f7704f14b5d082dce7fe3c2d581d4df

6886aa1e2760b874a4950cac08e76259ff476a1976a0aeca4d392f60eefca6cc

1773b425ac6c670cabfdfa300c0b0c2724bd0585b87218c3119af39c170d3074

12558c50b9b61d080aac7b0890f1b95142316ae0d4e78dfb98672571543ecf6e

05789b1487fa274943d967834ad530bc89d94aeed8c240f96d9922f05d6fb101

a797aff0ed250f1fffbc6a718796b63907a94ac21d6bb712a5e7786670a9d1fe

f842607898e226fb480979112b0d67e3266ed7abf55f854851db0686ef5e4987

5584a83d69a01b2a3402c21f78284f6de8ac0a7e5dd5b25b6b9b59eb95f4eeaf

86c2d111086dba6c114ed114b1392183c2be4283b1702d5970601d7a29201178

1583319eb9266680c0cdc81937c76242306f365b767abe4f85322bace65f9d3c

949ad75ea9292d2d85498dc3a9ee033d736e40deba1a19a44419d91cee218a58

9011510e459b324b98b45284fba36d92c3dcafb2c9dc7a8a29256b3439a1c526

de6134aec7b39d8f90dcaf1da03ad50ecbc8b48a6e62b6a67d0cec68e9968267

c373ad48e60fb8a396a80927546e9898760422447981238d91679e6ee8a09d6d

2663d24e63d15e6f247039f7d0fb51958eddb5ad7043a2d305e24f8db6477271

8ff4c76bc1bf9a10b17fdcfdd300b89df94be848ecb0af81f6aefba38ec5bfae

102602fd35bd0d00d28f4dfb1bc4eb2a207e4d8cb9f4311ac7b1133f9e43da26

5f860598d21cceeb7d67142b3a75f94cdee5a4bd7ab8718a35b04264154097e3

f3e45f9e4dbd773b64cfe164de9e42f250f996b58b619fc2f0773be7965d235d

6369d5d194bcc1db2ba8d85c3d15b031a1c2f12463a4259e7cd4686c598e436b

ad91716f7148e6f1ecb70184139e32dcf8f5e521cd3f039f5a44d39d9c3ce09b

a8ba70be73578d901c5e2427fd2f63e06801dcba8726a82f1875d84ba147aaa3

7647a422655510e1de02e3d43b176d5c26d1d621680db9a58c047c9bdb615402

3b9b73d3b6e3337974e2bb2d1d49227fe5611354ebf294df56a514a8abfb413a

1a32705bffda8774bf600c81d77a517e809ba9efd93a4fa8608ae9ee78968e3c

413d664b5a7c3e6dbb1f39a971e09aee66e509846604f99ecfdb2be744ab8056

780129565290dfbc00f9bd85c6c0c2a74c980d2baa3ce7f60c102441155d4b07

bfff5e3879908b721c1c9c78cb8162dde2c557c7d8b2e191d75e702c437a4662

3f6a79d68262bbd4401fb9e889ab93d863cde5f095f6bbf3da286f06e41fb39d

215e742c07a0675d309855caf0a5b0560ef679e12b9f15c8ab2a22706bd6353a

1123b618043e9578eb6a50a5ee41bae55c23126448a100cdcfdae255a4f7d408

69c22ca5a0814c285769a05f93235161b24360d02cf24c9527a0eef8becc3886

103e8aa2363344bdbda105d471a6086d2fd4ca87bd71509c0704a096c13da70c

78d88775a781cb31e00dba41d7bb1f67a0928b2dc1b4ab6a0d26f038f894f175

ec341985ced6f2a6001e8b17491682cb69fefc417a90ae2773bc2de4fd6b705c

d2b523a861ecaa02e3ea0ea542087a09ea640ed36bc2c9cba311e91c7b01ecd0

66cbe12b2b6e8869bc5399f96aa73ebc949de0530030f358cca48077aae0b294

d9ee7be833f760311805e92c7b9c448d2c609f258997038383cb337d8183fe71

14ff515a168fb6649f58c4a9d86531b151187df3bfdd1589cbc9804d3a1ec7c9

023f81fd3a34ef94c9fd6928304426929672d4c7e9c98e60b631cbd2e2a56731

cbb7c2fedc753f62fa1bf47f2e0c6aa487eecfd27d867789764dbde97a8b9449

93369c703becbc0bb9960fb55b7d61ae733638e1e6eab10336faf8ce877925f6

f3a1fb80a5c79d3735ddc4328b915a4b034526ae96345c9b2465c16582ab54be

3e30805f1de04950d50d08176c8ac3c2974b42b30913c9aa11693d1a0e34b98a

3cada2c960ec431d0f13edcbee4dcfef1dcbdce0538b511f110cbee2e6470722

cec7a9270993443ed9cd798a3ac64693195805a410f56468518fa48cf5923876

9003bfa0553e0e027105f822d08a82050854ecf6488db4d3c412d6996b1bf632

5e139ca25b1519cc28a8096cb28d2be69f57b1af037674a81902f9c605777543

f40f1dda30d5f959bc21b0049432c53bb06992c7c8fdd5e886a9b3a0fab06877

b2a2d63c68fce4d4bfddd4fd8584b6c638ee26664785df436c48ffa16e177893

fa91599afa18eff9735b0c0328c8cb0fc305f8d924ebb36a609e50e4a6ab256c

0a31bfdc22ff3cea5a160b2c32a98764027be7512ced50825d1be0b93a7e7aa4

6bd3c86cb1f04d08407fccda35b0dd2fc8bd83a3c10f913dded93b4bbba182c9

0909f8383cd77107234b5c1aa1c80a1f1bc2e8a2832284ff3de6636d5ed16b8a

9dde31f29d5180b26eb93dfe2fc07bae76f929b8d3add20fc577033ae234b437

28e888ec5247511d01df376f4be7e08c64841df37d9846580e87145c8efbbd10

5693592ed69ca1cf0a5f8dcf8f548c063da287ce3e164a89df720a39a290feea

1b6651a523be1c42f779877ad11f3b52130686aad4fd4ecdfbc15afbcea56aa2

6d99f010c237fec5ff022cdf2f0df8b26429c1d5f223ca4f1658fc833c9cef3e

46089e4e9aebf5fd5ad1ffaecb3bee5d7490f2cc53b5ed66b7509282ca29438b

998481fbb26e890b83e1738ee12281103ca77775a20c1c6f1705eb6552237e3b

4b373c2d50e600fdae5259bbd3e989d002a776c443869b92afeb5d53b73bd1c0

1f376d4c4febcafa6bdcf8877121c20697046c15f71983a9210762fbf3b5455e

0321f7948476480ab1875ccdeac46c37a58c2f60d63d2a787bdcf292ff2a5685

3bb134617af6f7b0f0c483b315f7ea45b2ed2c4a91005b453c9ec9e86ef0d70b

dad5e918c4ce849f682485bd79e097ac097b554daa897b12151b4595d67980aa

7b801c415f2fb9210c4d89e7d6332c1a812defe78b234d658b60f9337b8f4266

75285821f9997b304058e8bf76c7c3f9f4abcf47e0dffea73d6256f657b9e778

210024ece45a6935da89ab7c5ae3293616679414e96e2157e49f9f607c831bdc

97bbfb81f930d138ff47c3b899eee6917802385b8c8c1626a7679c5cab41c4a2

cbc9e5552cda22130cd7a84cd4b3c68e95eb3f8c2e83dd77253bd1822d1f840d

bf00cd1bc34ce457b0e4a99a8df5b7fda512496dc32f2762923254bc85261afb

9de260dcfe2f5a852c0cff238ffc3fe3fc93feff008463af49f68c9f5b5ebc9b

cadb1646563a317ac72579e8691c464bab439667811fb0d850bc2e950a3a332c

dd3d708ba8ce177fd1f756ac5eb3347a0ec7cf65706438ea5bbdfe9125b0dbe4

31df6ec1089e720c09e29f35ce33203359128c99cc0e4b03ec3e38237e8151ff

e349394a043e11410ed3e7c35c70d85dbb9c5e512b593e51e1acde3b404414a2

dddb5843c775ae47b37fd02c378699b4e250ac32739f30e0949bdaa28050a595

42da6fd7f6ba8b90ffd1298d068045c7928cef6506642e69859e0b962b5864a8

e6624eb4520d41516f64aa64a00ee224c8bf257403a12a9665d552348dad1bd5

79ca3b8afac2ca896d7db2110789a187ad75810e2d92aa6f0378f73c1f72006f

ad08a0e1dace8d5a443a4bd21ec8d935e267f364ae1b152edaccb0b1f82870d7

b87ada7c17cdb5b7c3cf1e6a0d35515c62112126f2f983c1190a6d9d1060b7db

2ec204d0f35404c2548ac3dbc7b02e5db7ba28d4bc5c701986f0bfcee2a5fa5a

77e1dfaeb73c4edf762f9503c428c1d92af6882b48305f5f5b070ec136575e43

610d37dfb3089b516e4bced89de0c5161614d50ca511853f7be81138dfc4e844

60ff74d053037b5ae70eeaf199a0acba35f58d275d12915ae8ed813dbf9a5b55

376943f886b264824f6063e7dfc54a1a2d5071a3d44dec05208596079d6cf276

89d4d851e6729a854fccb4d4f9277f9f545396714ff2b108d29c7ff418a501a3

18db52a63720187b2afd57667e9ebdcb0a50a8e99909340281dcd07e266d761f

bb05a0d905b915e2e84a8e69c2af438f72730131c5a1e3e1fe85df13c61182ac

187155b727346d63c1b1c8e4e3ae88aed89746a4a323b5170139fa5aa760b3a3

7451c813eebe45ee8c743abc5e75c9475cab427d44e9a255f89f73c4e7ca7106

44cd0fdb877838f559d60500cd08cee66d8a79005d7e86f81671c18ec7ab3cb5

810aed604e1ec5d5aec00c783bc44e5ca753c5c0f2dc64f431c8f8d48b6dbf41

Appendix B: Associated Domains

1c-host[.]host

1cpred[.]org

allforest[.]pw

antiprt[.]com

atonix[.]pw

babbabbab[.]ru

babbabbab2[.]ru

babbebbab[.]com

babbebbab2[.]com

babbibbab2[.]ua

babbihbab[.]host

babblabbab2[.]link

babblahbab[.]com

babblebbab[.]pw

babblebbab2[.]pw

babblehbab[.]top

babblibbab2[.]xyz

babblihbab[.]link

babblohbab[.]pw

babblulbab[.]pw

babbobbab[.]link

babbohbab[.]com

babbolbab[.]host

babbolbab[.]ru

babbrabbab2[.]xyz

babbrebbab[.]rocks

babbrebbab2[.]rocks

babbrehbab[.]pw

babbribbab2[.]space

babbrihbab[.]xyz

babbrohbab[.]rocks

babbrulbab[.]rocks

babbulbab[.]com

babchabbab[.]org

babchabbab2[.]org

babchebbab2[.]ru

babchehbab[.]in

babchibbab[.]com

babchihbab[.]org

babcholbab[.]org

babclabbab2[.]space

babclebbab[.]biz

babclebbab2[.]biz

babclehbab[.]rocks

babclibbab2[.]in

babclihbab[.]space

babclohbab[.]biz

babclulbab[.]biz

babcrabbab2[.]in

babcrambab[.]ru

babcrebbab[.]org

babcrebbab2[.]org

babcrehbab[.]biz

babcribbab[.]ru

babcrihbab[.]in

babcrohbab[.]org

babcruhbab[.]host

babcrulbab[.]org

babdabbab[.]ua

babdabbab2[.]ua

babdebbab[.]link

babdebbab2[.]link

babdibbab2[.]pw

babdihbab[.]top

babdobbab[.]xyz

babdohbab[.]link

babdolbab[.]top

babdrabbab2[.]ru

babdrambab[.]ua

babdrebbab[.]com

babdrebbab2[.]com

babdrehbab[.]org

babdribbab[.]ua

babdrihbab[.]host

babdrohbab[.]com

babdruhbab[.]top

babdrulbab[.]com

babdulbab[.]link

babfabbab[.]pw

babfabbab2[.]pw

babfebbab[.]top

babfebbab[.]xyz

babfebbab2[.]xyz

babfibbab2[.]rocks

babfihbab[.]pw

babflabbab2[.]ua

babflambab[.]pw

babflebbab[.]link

babflebbab2[.]link

babflehbab[.]com

babflibbab[.]pw

babflihbab[.]top

babflohbab[.]link

babfluhbab[.]pw

babflulbab[.]link

babfobbab[.]space

babfohbab[.]xyz

babfolbab[.]pw

babfrabbab2[.]pw

babfrebbab[.]xyz

babfrebbab2[.]xyz

babfrehbab[.]link

babfribbab[.]rocks

babfrihbab[.]pw

babfrohbab[.]xyz

babfrulbab[.]xyz

babfulbab[.]xyz

babgabbab2[.]rocks

babgebbab[.]space

babgebbab2[.]space

babgibbab2[.]biz

babgihbab[.]rocks

babglabbab2[.]rocks

babglebbab[.]space

babglebbab2[.]space

babglehbab[.]xyz

babglibbab[.]biz

babglihbab[.]rocks

babglohbab[.]space

babglulbab[.]space

babgobbab[.]in

babgofbab[.]biz

babgohbab[.]space

babgrabbab2[.]biz

babgrebbab[.]in

babgrebbab2[.]in

babgrehbab[.]space

babgribbab[.]org

babgrihbab[.]biz

babgrohbab[.]in

babgrulbab[.]in

babgulbab[.]space

babhabbab2[.]biz

babhebbab[.]in

babhebbab2[.]in

babhibbab2[.]org

babhihbab[.]biz

babhohbab[.]in

babhulbab[.]in

babjabbab2[.]org

babjebbab[.]ru

babjebbab2[.]ru

babjibbab2[.]com

babjihbab[.]org

babjohbab[.]host

babjulbab[.]host

babkabbab2[.]com

babkebbab[.]ua

babkebbab2[.]ua

babkehbab[.]host

babkibbab2[.]link

babkihbab[.]com

babkohbab[.]top

babkulbab[.]top

bablabbab2[.]link

bablebbab[.]pw

bablebbab2[.]pw

bablehbab[.]top

bablibbab2[.]xyz

bablihbab[.]link

bablohbab[.]pw

bablulbab[.]pw

babmabbab[.]xyz

babmabbab2[.]xyz

babmebbab[.]rocks

babmebbab2[.]rocks

babmehbab[.]pw

babmibbab2[.]space

babmihbab[.]xyz

babmilbab[.]pw

babmohbab[.]rocks

babmulbab[.]rocks

babnabbab2[.]space

babnebbab[.]biz

babnebbab2[.]biz

babnehbab[.]rocks

babnibbab2[.]in

babnihbab[.]space

babnohbab[.]biz

babnulbab[.]biz

babpabbab2[.]in

babpebbab[.]org

babpebbab2[.]org

babpehbab[.]biz

babpibbab2[.]ru

babpihbab[.]in

babplabbab2[.]org

babplebbab[.]ru

babplebbab2[.]ru

babplehbab[.]in

babplibbab[.]com

babplifbab[.]ru

babplihbab[.]org

babplohbab[.]host

babplulbab[.]host

babpohbab[.]org

babprabbab2[.]com

babprebbab[.]ua

babprebbab2[.]ua

babprehbab[.]host

babpribbab[.]link

babprihbab[.]com

babprulbab[.]top

babpulbab[.]org

babrabbab2[.]ru

babrebbab[.]com

babrebbab2[.]com

babrehbab[.]org

babribbab2[.]ua

babrihbab[.]host

babrohbab[.]com

babrulbab[.]com

babsabbab2[.]ua

babsahbab[.]host

babsebbab[.]link

babsebbab2[.]link

babsehbab[.]com

babsibbab2[.]pw

babsihbab[.]top

babskabbab2[.]link

babskebbab[.]pw

babskebbab2[.]pw

babskehbab[.]top

babskibbab[.]xyz

babskihbab[.]link

babslabbab2[.]xyz

babslebbab2[.]rocks

babslehbab[.]pw

babslibbab[.]space

babslihbab[.]xyz

babsmabbab2[.]space

babsmebbab2[.]biz

babsmehbab[.]rocks

babsmibbab[.]in

babsmihbab[.]space

babsnabbab2[.]in

babsnebbab2[.]org

babsnehbab[.]biz

babsnibbab[.]ru

babsnihbab[.]in

babsofbab[.]pw

babsohbab[.]link

babspabbab[.]ru

babspabbab2[.]ru

babspebbab2[.]com

babspefbab[.]ru

babspehbab[.]org

babspibbab[.]ua

babspihbab[.]host

babspolbab[.]host

babstabbab[.]ua

babstabbab2[.]ua

babstebbab2[.]link

babstefbab[.]com

babstehbab[.]com

babstibbab[.]pw

babstihbab[.]top

babstolbab[.]top

babstrabbab[.]pw

babstrabbab2[.]pw

babstrebbab2[.]xyz

babstrefbab[.]pw

babstrehbab[.]link

babstribbab[.]rocks

babstrihbab[.]pw

babstrolbab[.]pw

babsulbab[.]link

babswabbab[.]rocks

babswabbab2[.]rocks

babswebbab2[.]space

babswehbab[.]xyz

babswibbab[.]biz

babswihbab[.]rocks

babswolbab[.]rocks

babtabbab2[.]pw

babtahbab[.]top

babtebbab[.]xyz

babtebbab2[.]xyz

babtehbab[.]link

babtibbab2[.]rocks

babtihbab[.]pw

babtohbab[.]xyz

babtrabbab[.]biz

babtrabbab2[.]biz

babtrebbab2[.]in

babtrehbab[.]space

babtribbab[.]org

babtrihbab[.]biz

babtrolbab[.]biz

babtulbab[.]xyz

babvabbab2[.]rocks

babvahbab[.]pw

babvebbab[.]space

babvebbab2[.]space

babvehbab[.]xyz

babvibbab2[.]biz

babvihbab[.]rocks

babvohbab[.]space

babvulbab[.]space

babwabbab2[.]biz

babwahbab[.]rocks

babwebbab[.]in

babwebbab2[.]in

babwehbab[.]space

babwibbab2[.]org

babwihbab[.]biz

babwohbab[.]in

babwulbab[.]in

babyabbab2[.]org

babyahbab[.]biz

babyebbab[.]ru

babyebbab2[.]ru

babyehbab[.]in

babyibbab2[.]com

babyihbab[.]org

babyohbab[.]host

babyulbab[.]host

babzabbab2[.]com

babzahbab[.]org

babzebbab[.]ua

babzebbab2[.]ua

babzehbab[.]host

babzibbab2[.]link

babzihbab[.]com

babzohbab[.]top

babzulbab[.]top

bannarbor[.]pw

bisquitshore[.]xyz

bitrixon[.]biz

buhgalter[.]pw

buhgalter[.]rocks

buhgalters[.]xyz

businessolution[.]site

cheturion[.]org

chipacom[.]net

cloneduring[.]pw

companysafa[.]biz

corpofname[.]pw

datamining[.]press

dersteoyna[.]pw

dovnikus[.]su

efros[.]pw

flashclicks[.]info

forbusinessgo[.]xyz

fortificar[.]net

fracking[.]host

gateoflife[.]pw

gaz[.]rocks

gedealer[.]pw

globuspp[.]pw

grandvita[.]pw

greenlanterns[.]xyz

greenworldsun[.]xyz

guardomorph[.]com

guwang[.]pw

jobforreborn[.]xyz

kokinatsu[.]pw

kukuzaki[.]me

kupala[.]me

lastsnow[.]link

maradonianos[.]pw

mercurytod[.]pw

muxa[.]club

mycorpsafa[.]biz

n-nalog78[.]com

newsunconcept[.]in

newsupport[.]us

nothingmore[.]us

novayarabota[.]pw

nvpn[.]pw

odejda77[.]net

okvd[.]biz

olen[.]bid

onechat[.]pw

placetobuy[.]pw

platej[.]pw

poplata-da[.]org

portw[.]org

powersand[.]link

pricemeet[.]pw

puldisk[.]xyz

rabotadnya[.]pw

raintor[.]pw

ricarier[.]org

rosgaz[.]pw

rumoney[.]xyz

salesforlife[.]top

salesline[.]top

sam-sam[.]pw

sandstyle[.]biz

sandw[.]pw

santrimo[.]lol

seclist[.]site

seclist[.]top

selenaspace[.]space

sellgrax[.]club

semodo[.]pw

sensetunoespossible[.]cat

shortsell[.]trade

shortselling[.]club

sixgoats[.]pw

snp500[.]trade

solotender[.]pw

sslprivate[.]org

tapalulumba[.]com

taskhoper[.]com

titleworld[.]pw

torglend[.]com

tradertop[.]top

trendkop[.]pw

tyuocruz1312[.]net

uchet[.]pw

uchet[.]space

visitpalace[.]xyz

volumexp[.]xyz

vortexenism[.]biz

vpnserv[.]pw

vwv.flashclicks[.]info

winsocket[.]xyz

yearreviews[.]net

 

ignite17-social-cover-img-facebook-820x340

Ignite ’17 Security Conference: Vancouver, BC June 12–15, 2017

Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.

 

Updated 3/30/17: To remove unnecessary IPS Signature number.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS