{ "id": "c6989856-74d5-4536-a7e9-6df67899b867", "created_at": "2026-04-10T03:21:30.774736Z", "updated_at": "2026-04-10T13:12:47.801942Z", "deleted_at": null, "sha1_hash": "18cbccb4aebe6a2f09a48f8e984c0e414faa9a99", "title": "The new Bigviktor Botnet is Targeting DrayTek Vigor Router", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1521075, "plain_text": "The new Bigviktor Botnet is Targeting DrayTek Vigor Router\r\nBy Alex.Turing\r\nPublished: 2020-07-10 · Archived: 2026-04-10 03:17:50 UTC\r\nOverview\r\nOn June 17, 2020, 360Netlab Threat Detecting System flagged an interesting ELF sample\r\n( dd7c9d99d8f7b9975c29c803abdf1c33 ), further analysis shows that this is a DDos Bot program that propagates\r\nthrough the CVE-2020-8515 vulnerability which targets the DrayTek Vigor router device, and it uses DGA\r\n(Domain generation algorithm) to generate C2 domain names.\r\nThe program uses \"viktor\" as file name ( /tmp/viktor ) in the propagation process, also a special string\r\n0xB16B00B5 (big boobs) was used in the sample , we combined the two and named it Bigviktor.\r\nFrom the network’s perspective, Bigviktor’s DGA generates 1000 domain names every month, and traverses the\r\n1000 domain names by requesting RC4 encryption \u0026 ECSDA256 signed s.jpeg , When a live C2 responses the\r\nrequest, bot then takes the next step to request for image.jpeg from C2 to get more instructions.\r\nBigviktor supports 8 kinds of instructions, which can be divided into 2 major functions\r\n• DDoS attack\r\n• Self-renewal\r\nThe overall network structure is shown in the figure,\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 1 of 36\n\nBotnet scale\r\nDaily Active Bot\r\nDGA is a double-edged sword. While giving the author good chance to evade detection, it also gives security\r\nresearcher the opportunity to register domain names to hijack infected hosts of botnets.\r\nWe registered several domains names generated by Bigviktor in June and July ( workfrequentsentence.club ,\r\nwaitcornermountain.club ), so we were able to tap into it network to measure the scale of the Botnet. As of now\r\nwe only see about 900 active infected IPs. However, When taking a look at the requests of Bigviktor DGA domain\r\nname, we can see the trend is steadily going up. Its daily active Bot trend is shown in the figure below:\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 2 of 36\n\nBot geographic location\r\nThe IP area distribution of infected devices is as follows:\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 3 of 36\n\nThe main ASN distribution of these IPs is as follows:\r\n412 AS45899|VNPT_Corp\r\n194 AS7552|Viettel_Group\r\n190 AS18403|The_Corporation_for_Financing_\u0026_Promoting_Technology\r\n90 AS3462|Data_Communication_Business_Group\r\n82 AS15525|Servicos_De_Comunicacoes_E_Multimedia_S.A.\r\n66 AS8151|Uninet_S.A._de_C.V.\r\n52 AS45903|CMC_Telecom_Infrastructure_Company\r\n34 AS3352|Telefonica_De_Espana\r\n28 AS17552|True_Internet_Co.,Ltd.\r\n22 AS8881|1\u00261_Versatel_Deutschland_GmbH\r\nInfected device\r\nBy obtaining the title of the infected device's 80, 8080, and 443 port web pages, we know that the currently\r\ndistributed version of the infected DrayTek Vigor router is:\r\n269 Vigor 2960\r\n107 Vigor 3900\r\n87 Vigor 300B\r\nReverse analysis\r\nWe have captured a total of 2 versions. The first version of the bot program seems to have bugs and cannot run\r\nnormally. This article uses the latest version as an example for reverse analysis.\r\nMD5:dd7c9d99d8f7b9975c29c803abdf1c33\r\nELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped\r\nPacker: None\r\nGenerally speaking, the Bigviktor function is relatively simple. It binds a local port at runtime to implement a\r\nsingle instance, uses the RC4 algorithm to decrypt sensitive resources, including the strings to be used by DGA,\r\nand then uses DGA to generate 1000 C2 domain names based on these strings. Then the bot uses the libcurl library\r\nto send a request to the built-in legit websites to test network connectivity. If the network is up, it moves on to next\r\nstep to request the s.jpeg from the C2 domain to verify the legitimacy of C2; after passing the legality test, it goes\r\nto final step to request the male.jpeg and image.jpeg resources from the C2 domain to conduct DDos attack.\r\nWe can roughly divide the bot behaviors into two categories: auxiliary behavior and malicious behavior, let us\r\ntake a close look.\r\nAuxiliary behavior\r\n1: Use libcurl library to access network resources\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 4 of 36\n\nDNS Option:\r\n 1.1.1.1,8.8.8.8\r\nUser-Agent Option:\r\n Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/\r\nAccept Option:\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n2: Bind port 61322 to implement a single instance\r\n3: RC4 encrypts sensitive resources, the resources include the stings required by DGA, legit websites,\r\nupgrade file storage path, etc.\r\nThe RC4 key is\r\nDA B2 F1 F7 32 FD 03 BA 58 DB FF 53 8B F2 6F 01\r\n02 FF 00 01 03 05 00 DE 02 FF 00 01 7C DF 92 91\r\nTake the suffixes required by DGA to generate domain as an example, the ciphertext is as follows\r\n00000000 34 f5 96 77 11 66 35 4f 1d ae b6 04 57 77 79 9d |4õ.w.f5O.®¶.Wwy.|\r\n00000010 db 36 d4 a8 38 5a e2 9f 6a a2 79 bf 6a 6f bf 2f |Û6Ô¨8Zâ.j¢y¿jo¿/|\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 5 of 36\n\n00000020 cb 84 63 d4 70 c7 64 11 c6 d0 71 b3 f0 bb 54 c9 |Ë.cÔpÇd.ÆÐq³ð»TÉ|\r\n00000030 cc f7 50 60 e2 53 72 1a ae 87 61 17 88 b0 2a 04 |Ì÷P`âSr.®.a..°*.|\r\n00000040 71 ec f8 3d cc 42 8b 28 27 81 9b 4d 80 0c 50 3f |qìø=ÌB.('..M..P?|\r\n00000050 d5 01 4b 8d 62 48 7f 88 7f a0 09 b9 53 b0 a0 0d |Õ.K.bH....¹S°.|\r\n00000060 41 6c 59 cd 2a 42 36 f1 71 71 12 bf fd 59 66 52 |AlYÍ*B6ñqq.¿ýYfR|\r\n00000070 b2 ab c4 1e c5 30 14 19 c8 08 82 ee 29 8c 54 ab |²«Ä.Å0..È..î).T«|\r\n00000080 34 99 0e f1 15 c8 e6 69 5e 33 3c c7 c6 ee 44 8a |4..ñ.Èæi^3\u003cÇÆîD.|\r\n00000090 c2 b4 7c 76 fc 08 cf cd 0c db 34 82 e0 08 40 52 |´|vü.ÏÍ.Û4.à.@R|\r\n000000a0 07 ec d4 0e e9 57 ee 4f 2d 0b 7e 19 51 75 b4 10 |.ìÔ.éWîO-.~.Qu´.|\r\n000000b0 3b 97 d8 29 64 aa 4b 5c 67 77 16 b6 36 4b 6d c2 |;.Ø)dªK\\gw.¶6KmÂ|\r\n000000c0 47 09 bd b0 a7 d4 43 21 2c e5 af 41 8a ea 25 dc |G.½°§ÔC!,å¯A.ê%Ü|\r\n000000d0 fe d3 18 28 bc 19 07 19 cd f0 84 51 9e 6a 3e b1 |þÓ.(¼...Íð.Q.j\u003e±|\r\n000000e0 5f 2a e0 13 51 ba 62 46 26 83 86 63 0b ed ad be |_*à.QºbF\u0026..c.í.¾|\r\n000000f0 59 51 e7 0b cf a7 d0 1a 94 e8 ed c2 cc f2 21 17 |YQç.ϧÐ..èíÂÌò!.|\r\n00000100 e5 7a b5 6f 84 66 8a a1 c1 18 52 cb 50 38 6b ea |åzµo.f.¡Á.RËP8kê|\r\n00000110 4b 10 13 56 13 b4 9c b2 3b b4 3e 4c 3c cc 01 cc |K..V.´.²;´\u003eL\u003cÌ.Ì|\r\n00000120 81 ab 13 97 6c 49 e7 85 54 5f d0 92 3f 9b 7d a8 |.«..lIç.T_Ð.?.}¨|\r\n00000130 44 72 81 54 50 4f e1 7f b5 fd 1a 78 3b 14 e3 d4 |Dr.TPOá.µý.x;.ãÔ|\r\nAfter decryption\r\n00000000 61 72 74 00 00 00 00 00 00 00 00 00 00 00 00 00 |art.............|\r\n00000010 63 6c 69 63 6b 00 00 00 00 00 00 00 00 00 00 00 |click...........|\r\n00000020 63 6c 75 62 00 00 00 00 00 00 00 00 00 00 00 00 |club............|\r\n00000030 63 6f 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 |com.............|\r\n00000040 66 61 6e 73 00 00 00 00 00 00 00 00 00 00 00 00 |fans............|\r\n00000050 66 75 74 62 6f 6c 00 00 00 00 00 00 00 00 00 00 |futbol..........|\r\n00000060 69 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |in..............|\r\n00000070 69 6e 66 6f 00 00 00 00 00 00 00 00 00 00 00 00 |info............|\r\n00000080 6c 69 6e 6b 00 00 00 00 00 00 00 00 00 00 00 00 |link............|\r\n00000090 6e 65 74 00 00 00 00 00 00 00 00 00 00 00 00 00 |net.............|\r\n000000a0 6e 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |nl..............|\r\n000000b0 6f 62 73 65 72 76 65 72 00 00 00 00 00 00 00 00 |observer........|\r\n000000c0 6f 6e 65 00 00 00 00 00 00 00 00 00 00 00 00 00 |one.............|\r\n000000d0 6f 72 67 00 00 00 00 00 00 00 00 00 00 00 00 00 |org.............|\r\n000000e0 70 69 63 74 75 72 65 73 00 00 00 00 00 00 00 00 |pictures........|\r\n000000f0 72 65 61 6c 74 79 00 00 00 00 00 00 00 00 00 00 |realty..........|\r\n00000100 72 6f 63 6b 73 00 00 00 00 00 00 00 00 00 00 00 |rocks...........|\r\n00000110 74 65 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 |tel.............|\r\n00000120 74 6f 70 00 00 00 00 00 00 00 00 00 00 00 00 00 |top.............|\r\n00000130 78 79 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 |xyz.............|\r\n4: Access a legit website to test newtork connectivity and obtain the current date\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 6 of 36\n\nThe legit websites can be decrypted by RC4, and we got the following sites\r\njd.com  weibo.com vk.com\r\ncsdn.net okezone.com office.com\r\nxinhuanet.com babytree.com livejasmin.com\r\ntwitch.tv naver.com aliexpress.com\r\nstackoverflow.com tribunnews.com yandex.ru\r\nsoso.com        msn.com facebook.com\r\nyoutube.com      baidu.com en.wikipedia.org\r\ntwitter.com amazon.com imdb.com\r\nreddit.com pinterest.com ebay.com\r\ntripadvisor.com craigslist.org walmart.com\r\ninstagram.com google.com nytimes.com\r\napple.com linkedin.com indeed.com\r\nplay.google.com espn.com webmd.com\r\ncnn.com homedepot.com etsy.com\r\nnetflix.com quora.com microsoft.com\r\ntarget.com merriam-webster.com forbes.com\r\ntmall.com baidu.com qq.com\r\nsohu.com taobao.com 360.cn\r\ntianya.cn\r\nVisit one of these URLs to get the current date, which will be used in DGA.\r\nformat %a, %d %b %Y\r\nFri, 10 Jul 2020\r\nMalicious behavior\r\n1: Use the C2 domain name generated by DGA\r\nThe format of the domain name is [prefix.]verbe[-]adjective[-]noun.surfix , the content in [] indicates\r\noptional, theprefix has 40 words, the verbe has 100 words, the adjective has 525 words, noun has 1522 words, and\r\nsurfix has 20 words. The algorithm is implemented as follows\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 7 of 36\n\nvoid GenNewKey(uint32_t \u0026key)\r\n {\r\n uint32_t tmp = key ^ (key \u003c\u003c 13) ^ ((key ^ (uint32_t)(key \u003c\u003c 13)) \u003e\u003e 17);\r\n key = tmp ^ 32 * tmp;\r\n };\r\n string c2url;\r\n GenNewKey(seed);\r\n //1:prefix part\r\n if (seed % 5 == 0)\r\n {\r\n GenNewKey(seed);\r\n c2url += prefix[seed % 40];\r\n c2url += \".\";\r\n }\r\n //2:verbe part\r\n GenNewKey(seed);\r\n c2url += verbe[seed % 100];\r\n GenNewKey(seed);\r\n if (seed % 10 \u003c= 1)\r\n c2url += \"-\";\r\n //3:adj part\r\n GenNewKey(seed);\r\n c2url += adj[seed % 525];\r\n GenNewKey(seed);\r\n if (seed % 10 \u003c= 1)\r\n c2url += \"-\";\r\n //4:noun part\r\n GenNewKey(seed);\r\n c2url += noun[seed % 1522];\r\n c2url += \".\";\r\n //5:surfix part\r\n GenNewKey(seed);\r\n c2url += surfix[seed % 20];\r\nThe current date converts into a string with format %b %Y 00:00 and the initial key is the first 4 bytes of the\r\nSHA256 value of the string, for example\r\ncurrtent date: Fri, 10 Jul 2020\r\nformat ----\u003eJul 2020 00:00\r\nsha256 ----\u003e6ac0f83915ed5d7b9bb7055723084df001b16a552d758de3c415f083f931ab8c\r\nget first 4 bytes ----\u003e key=0x6ac0f839\r\nTherefore, the DGA doamin is different every month. Taking the July key (0x6ac0f839) as an example, the first 5\r\ndomains generated\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 8 of 36\n\nc2url: decidefresh-county.in\r\nc2url: payculturaltour.org\r\nc2url: standvisiblereach.rocks\r\nc2url: meanforwardcap.top\r\nc2url: raisefitsize.rocks\r\nWhen we observe the actual DNS data in packet, we can see the result matches.\r\nSee the end of the article for all DGA domains in July.\r\n2: Get the current effective C2\r\nTo connect to a vaild C2, Bigviktor start from a random position of the 1000 DGA domains. If there is no valid\r\nC2, it goes back to the first domain name and start over again.\r\nIn order to ensure that the network is completely controllable and not stolen by others, Bigviktor will verify the\r\nsignature of the s.jpeg file. Only after passing the signature verification, a C2 is deemed valid.\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 9 of 36\n\nThe real payload encryption is hidden in the jpeg ( s.jpeg;image.jpeg )file. The structure of jpeg is IMAGE\r\nDATA(16 BYTES): Half-RC4 KEY(16 BYTES): Ciphertext . Each sample integrates a Half-RC4 KEY(16\r\nBYTES),each payload integrates a Half-RC4 KEY(16 BYTES), two Half-RC4 keys are spelled into a complete\r\nRC4 key(32 BYTES); also a hard-coded ECDSA256 public key is used to verify the decrypted payload.\r\n Half-RC4 KEY:\r\n 82 BC 09 D5 47 A9 37 27 8F ED F1 7B 29 2A FA 67\r\n Pub KEY:\r\n 03 2F 37 51 43 1F A3 58 81 66 86 F7 BA 4C A2 30\r\n 45 2C 9B 9E 12 9A E9 97 CF 69 09 CF 7F 42 D4 97 88\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 10 of 36\n\nTake s.jpeg(md5:4c6d0bed21bc226dbaf4e6adc7402563) as an example\r\nSplice out the complete RC4 key\r\n Half RC4 KEY from s.jpeg + Half Rc4 from sample\r\n ------------------------------------------------------\r\n 46 00 B2 65 B0 3F 97 7F CF CB 65 31 1F D2 B3 A0\r\n 82 BC 09 D5 47 A9 37 27 8F ED F1 7B 29 2A FA 67\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 11 of 36\n\nDecrypt Ciphertext to get\r\nWhen the verification is successful, a valid C2 is obtained.The procedures of verification need to meet these\r\ncondition\r\nsignature verification\r\nPlaintext[2] ==\\x00,Plaintext[3] ==\\x09\r\nC2 in the plaintext is same as the Dga domain which responds to the s.jpeg request.\r\n3:Ask for specific tasks from C2\r\nAfter the Bot obtains a valid C2, it will request the image.jpeg resource from C2\r\nSimilarly, image.jpeg also needs to be decrypted and verified. After successful verification, the Bot will perform\r\nthe corresponding DDos attack or update according to the instructions of image.jpeg.\r\nBigviktor supports a total of 8 operations,\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 12 of 36\n\ncmd\r\ncmd \r\ndescription\r\n1 null\r\n2 connect attack\r\n3\r\ntcp syn attack\r\nwith fixed source\r\nip\r\n4\r\ntcp syn attack\r\nwith random\r\nsource ip\r\n6 update\r\n7\r\ntcp syn attack\r\nwith random\r\nsourceip from\r\nmale.jpeg\r\n8\r\ntcp syn attack\r\nwith random\r\nsourceip from\r\nmale.jpeg\r\n9 null\r\nTake a payload from June,image.jpeg(md5: 2e8c223f8ac1f331c36acd32ee949f6f ) as an\r\nexample\r\nDecrypt Ciphertext to get\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 13 of 36\n\ncmd\r\ncmd \r\ndescription\r\nWe can see that bot will launch \"connect\" ddos attack and the target is\r\n202.162.108.55:80. The result matches the pcap info.\r\nReaders are always welcomed to reach us on twitter, or email to netlab at 360 dot cn.\r\nIOC\r\nSample MD5\r\n7b1ab096b63480864df7b0dcfebe2e2e\r\ndd7c9d99d8f7b9975c29c803abdf1c33\r\nURL\r\nhttp://91[.219.75.87/binary\r\nhttp://91[.219.75.87/arm7\r\nC2-IP\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 14 of 36\n\n151.80.235.228 AS16276|OVH_SAS France|Hauts-de-France|Gravelines\r\nC2-Domain\r\nuseinsidehigh.com:80\r\nwriteseparateliterature.com:80\r\nPayload\r\n4c6d0bed21bc226dbaf4e6adc7402563 s.jpeg\r\n2e8c223f8ac1f331c36acd32ee949f6f image.jpeg\r\nDGA domains in July\r\ndecidefresh-county.in\r\npayculturaltour.org\r\nstandvisiblereach.rocks\r\nmeanforwardcap.top\r\nraisefitsize.rocks\r\nwww2.tellapartspring.realty\r\nexpectrawknee.com\r\ndecidesurepizza.rocks\r\nimg.leavetall-sky.nl\r\ndodifferentuser.fans\r\nbecome-thatspare.futbol\r\nplay-better-parent.observer\r\ntelldesignerpanic.art\r\nappear-weakrate.observer\r\nsupport.showremote-conclusion.fans\r\nraiseover-piano.org\r\nmeancoolpick.pictures\r\nbringjunior-bench.art\r\nssl.remainunhappyboy.info\r\nreadafterask.net\r\nleavelogicalambition.tel\r\ntakedramaticprimary.rocks\r\ntest.likerarereality.xyz\r\ncloud.runconstantnerve.fans\r\nstopseafemale.observer\r\noffer-individualthroat.fans\r\nmeanthickprivate.info\r\nturnfederalemploy.art\r\ntellcold-top.one\r\nmail2.comefirmdeposit.nl\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 15 of 36\n\nliketypicalcorner.net\r\nbuyliving-balance.observer\r\nvideo.continueleft-contact.nl\r\naskformer-mission.top\r\nlearnaggressive-she.org\r\nemail.hearlateformal.in\r\nkeepunitedbirth.art\r\nturntruebreakfast.futbol\r\ncutmaingolf.art\r\ndev.likefemalepush.rocks\r\ndev.holdfeelingpreference.click\r\nfindvariousfish.tel\r\ntftp.seempowerful-south.art\r\nvideo.comepureproposal.link\r\nwatchcapable-sample.rocks\r\ngrowborn-law.click\r\nbringefficientvalue.one\r\nbeginlower-man.nl\r\nspeakoriginalworld.one\r\nputmoneyearth.fans\r\nhave-wastebutton.futbol\r\nfindwildcollar.info\r\nlivepotentialdebt.pictures\r\nmail.pull-capableprofession.tel\r\npassbornsafe.rocks\r\nspendcuteform.realty\r\nwalkgrandspot.pictures\r\ntake-scaredline.art\r\nset-expensiveice.click\r\ngetnovelscratch.in\r\nlook-existinghang.com\r\ncloud.considerunhappymain.click\r\nwww.hold-futuredisk.rocks\r\nopenlegalbus.fans\r\nblog.hearfreshmachine.tel\r\nmail.callthatcouple.click\r\nleaveswimming-cold.one\r\ngo-healthyproject.observer\r\nmeanconnect-construction.nl\r\nwalknervous-video.nl\r\nbecomelast-western.com\r\nremembersquare-sale.info\r\nprovide-roundwill.com\r\nblog.standswimming-double.rocks\r\nsecure.seem-famoushire.tel\r\nspeakotheropening.org\r\nholdsudden-psychology.top\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 16 of 36\n\nhold-frontfilm.one\r\nbringbusinesshold.realty\r\ngiveacceptablepay.link\r\nallowremoteindependent.pictures\r\nhelpsillyhate.click\r\nknowyellowinstruction.info\r\nseeinternationalmachine.art\r\nconsidermalescrew.click\r\npaylife-camp.tel\r\nmakeold-course.com\r\nwww2.becomewarmrefrigerator.nl\r\ndownload.decidewisecourt.rocks\r\nlose-originalemployer.observer\r\nleadeastprompt.futbol\r\nchangeconfidentboot.art\r\nwaitcornermountain.club\r\nww1.understandlegal-cancel.link\r\nsuggest-global-other.realty\r\nchangeluckytitle.com\r\nplayprivateconstruction.art\r\nblog.mean-anyimagination.info\r\ndecide-currentemployment.top\r\nconsiderupsetvirus.fans\r\nletcornercurve.fans\r\ntalkfamousfather.club\r\nfindvastcoat.org\r\nmail2.use-farbitter.org\r\nremember-chemical-status.tel\r\nvpn.try-signalsort.org\r\naddhappyswim.xyz\r\nstandsuddeninternal.tel\r\nraiseanxiousguitar.one\r\nspeak-weekly-hire.org\r\nneedclosetonight.realty\r\nmail.fallfrequent-affair.fans\r\nstartpregnantreference.pictures\r\nappeartight-fun.fans\r\ncutplastic-drag.club\r\nworksea-assumption.com\r\nbuytrainingdrag.one\r\nneedfemalebrown.futbol\r\nwant-mountainform.observer\r\npop.getless-remove.pictures\r\nmail2.runelectronic-collar.fans\r\nraiselogicalpin.tel\r\nbelieveextraorganization.realty\r\nremote.servepleasant-cloud.pictures\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 17 of 36\n\nallowotherdesire.in\r\nset-partycount.realty\r\ndiecutemuscle.net\r\nstart-sexualfactor.net\r\ndienearbychart.xyz\r\nns1.requireanxiousflight.nl\r\na.happenaction-item.tel\r\nsecure.reportperfectyouth.xyz\r\nruntraditionalact.observer\r\nbecomeunfairsugar.info\r\nnews.growfrontclimate.tel\r\nimages.expectpurplewriter.pictures\r\nimages.seemmaterialvegetable.pictures\r\nrunsuitablestruggle.xyz\r\nappearfullfoundation.tel\r\nsellharddead.in\r\ncontinuebothpipe.com\r\nwatchvegetabledatabase.click\r\nstopmiddleapple.net\r\nuse-sweetdebt.rocks\r\nmeet-purechurch.club\r\nhearduewarning.nl\r\nadddifferent-reference.nl\r\ndownload.takehousemom.click\r\nbuildrawcloset.xyz\r\nputactualsecond.realty\r\nmove-muchagreement.club\r\nvpn.letfirst-concept.observer\r\nth.sitthin-character.rocks\r\nwww2.dieseparatefeed.in\r\nblog.buyextremeatmosphere.click\r\nbelievelegalscale.info\r\nbuildappropriatestable.net\r\nwatch-coolproject.fans\r\ndoalternativeseries.link\r\npull-inevitable-medicine.org\r\nstaybroadcost.fans\r\nseeofficial-thanks.net\r\nreadlostdiscount.art\r\nserve-redtour.fans\r\nshowleatherloss.click\r\nx.putweird-situation.net\r\nloseanotherdisease.realty\r\nmail2.become-alternativeside.futbol\r\nsetimpressive-sign.click\r\nx.appearavailablebad.realty\r\nstartunusual-status.futbol\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 18 of 36\n\nnoc.waituglyclick.org\r\ndownload.buildthinkreserve.fans\r\nexpectvegetablecurrency.xyz\r\nftp.spenddirtyrepublic.tel\r\nemail.die-prettycandle.art\r\npop.make-active-pass.click\r\nlovebeginningvast.realty\r\nincludeotherwisefamily.xyz\r\nwork-historicalarm.nl\r\npassclosescience.pictures\r\na.sitloud-damage.info\r\naddinternalfreedom.futbol\r\nset-okconcert.realty\r\nrequireenvironmentalhelp.nl\r\ndownload.need-beginningfinal.art\r\nofferdecent-twist.in\r\ndieoriginalpeak.futbol\r\nlearnremarkabledefinition.futbol\r\nkillembarrassedclient.net\r\nkillterriblerecord.tel\r\nimages.createrichdisplay.observer\r\nholdlowerfunny.fans\r\nsitsorrycash.realty\r\nplayprevioustrain.net\r\nchangewestbar.net\r\nshowaggressivedamage.nl\r\nfeelnecessary-counter.click\r\nliveproudconsequence.realty\r\ntry-decent-joint.info\r\ntrylatter-trainer.com\r\nshowsick-crack.tel\r\nhelp-animal-boyfriend.org\r\nfollowpropercollar.nl\r\ntake-cultural-white.futbol\r\nworkindividualpull.click\r\ndosecuregeneral.link\r\nlikeseaprogress.art\r\nworktrueamount.info\r\npullmalechurch.info\r\nloseseaconstruction.realty\r\naddliveruin.top\r\nwriterelevanteast.com\r\nhelpsquare-ticket.org\r\nstart-unlikelyspring.top\r\ncutrepresentativeslice.xyz\r\nseemiddle-cigarette.in\r\nstopafternoonhistory.xyz\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 19 of 36\n\ncomedrunkindustry.rocks\r\nworkenvironmentalthing.club\r\nconsiderover-expression.xyz\r\nreportcreative-advance.rocks\r\nremainfemaleblind.observer\r\nleavewildcarry.observer\r\nweb.mean-businessgreen.observer\r\nfollowworkstar.futbol\r\nallowamazing-operation.click\r\ngw.havefreshversion.org\r\nremembergrosssingle.click\r\nlikecutedevelopment.info\r\nimages.showwest-funeral.club\r\nletclassicrefrigerator.in\r\nsayinterestingshow.com\r\nwritesufficientglad.click\r\ntest.considerusefuldrawing.art\r\nliveslowstar.link\r\ncomebudget-improvement.com\r\nsetconfidentessay.link\r\nhappenunablerock.tel\r\nsitapartdepartment.org\r\ncontinueopenmap.com\r\ntest.writepretendcheek.one\r\nbuild-representative-score.club\r\nhappen-eithermajor.realty\r\nssl.passplasticdiscussion.observer\r\nkillbestinevitable.futbol\r\npullelectricaltone.observer\r\nimg.movemeanadvertising.in\r\nstartsuccessfulsick.link\r\ncreateinevitablelayer.one\r\nsetwinterfee.pictures\r\nallow-exactsport.info\r\nhelpapartpossession.org\r\ngw.appearsuchquality.com\r\nbecomefutureleather.xyz\r\nuse-leastmarriage.xyz\r\nincludebestjacket.rocks\r\ncam.turn-federalnovel.tel\r\nmeetelectricalmain.click\r\npop.needmajor-pin.com\r\nnoc.sit-royaltrouble.net\r\nofferwildincome.top\r\nremote.heareveningwhole.xyz\r\nserveokexchange.click\r\ncome-totalsignature.club\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 20 of 36\n\nofferlowersimple.one\r\ntest.cutforwardnasty.nl\r\nlivemassive-give.org\r\nssl.understandweird-chocolate.info\r\nbecomeparkingpositive.fans\r\nknow-excitingappointment.realty\r\nplaytemporaryhand.tel\r\ngrowdaughtercross.in\r\nreportculturaldistance.club\r\ndecide-physicalexam.com\r\nsell-ordinaryradio.com\r\nbuy-big-reason.org\r\nww1.bedependenthospital.top\r\nth.continuenexttop.in\r\nfeelenoughmedicine.net\r\ncontinueflat-meet.org\r\nhearresidentworry.futbol\r\nservesufficientplace.art\r\nx.leadnervouspresident.info\r\nsuggestminorconcept.link\r\nimg.providecomprehensivenerve.nl\r\nwinloosefeedback.nl\r\nfindoppositebonus.one\r\nchange-evenexplanation.link\r\nwalkdeadluck.futbol\r\nsitbusiness-note.rocks\r\nhappenfungather.fans\r\noffer-characterdiamond.xyz\r\nknow-first-background.link\r\ndev.show-trainingdouble.in\r\nkeepmanycard.top\r\nns1.makechance-chapter.click\r\nreportsparegear.one\r\nimages.remainthin-wall.observer\r\nlovesuperconsideration.rocks\r\nwww.dostraightcalm.observer\r\nletfutureslide.one\r\nfindmediumlog.net\r\nrequire-globalfix.fans\r\nkeep-forwardsomewhere.link\r\nbringparkingperception.observer\r\nweb.fallleastcamera.top\r\nshowparkingconcern.futbol\r\nfind-worksun.one\r\nweb.tellaccuratefoot.club\r\ntellleft-scene.observer\r\nappeartop-writing.link\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 21 of 36\n\nlikeextremecategory.info\r\nlearnheadexchange.realty\r\npasslogicalminor.link\r\nasktotalfile.in\r\nwatchasleeplight.futbol\r\nbringpluscan.futbol\r\nemail.be-careful-midnight.one\r\nvideo.offer-psychologicalknowledge.info\r\nseemostuncle.realty\r\nftp.takelegalcourt.observer\r\nfollowwillingpsychology.link\r\ncontinueexactresponse.observer\r\nshop.seeplentyboot.pictures\r\nns1.make-wonderful-hold.observer\r\npop.sayalonelight.realty\r\ninclude-severe-society.click\r\nfollowsuspiciousmoment.nl\r\ntftp.includerepresentativepost.xyz\r\nhelpsuccessfultitle.top\r\nincludevisualconsideration.observer\r\nbringafraidslide.realty\r\nlearnchancetelephone.info\r\nmovesmallentrance.org\r\ngive-superdate.nl\r\nrequiredaymoment.in\r\nlikeactionif.futbol\r\nnoc.likeemotionalpreference.one\r\nopenhorror-tie.realty\r\nexpectevenmilk.top\r\nmeanactioninternet.link\r\nimages.begreen-simple.one\r\nincludeleather-she.pictures\r\ntalkawareissue.club\r\nsayindependentplayer.xyz\r\nchangeillegalriver.info\r\nseelongthroat.observer\r\nplayanxiousrole.info\r\nfeelminutedegree.observer\r\nfollownastymountain.rocks\r\ntellprettyegg.org\r\npassactualstable.observer\r\nmail2.leadbestmistake.observer\r\nhelp-aliveresearch.info\r\nrunsalt-college.com\r\ntellbest-necessary.link\r\nrequireannualpolice.pictures\r\npullyoungview.realty\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 22 of 36\n\nmakedarkcontract.observer\r\nshop.help-healthythought.net\r\nremain-practicaloutside.observer\r\nsellenvironmental-harm.futbol\r\nstop-thismilk.info\r\nincludeuniquecandle.pictures\r\nthinkrelevantchildhood.org\r\nwebmail.waitspecialistcompany.in\r\nseem-brilliant-device.futbol\r\ntakerightpartner.observer\r\nmail.useplanebus.fans\r\nthinkperfectcompany.tel\r\nappearpresentshirt.realty\r\nbringupstairscommunity.club\r\nkeep-electronicinteraction.in\r\nfallnice-blue.link\r\nsendappropriatefuneral.info\r\ntellawaydesign.top\r\ntftp.runswimmingimprovement.fans\r\nlookthenpositive.pictures\r\nmoveplastic-history.top\r\nhavewildhit.com\r\ncloud.playsouthnormal.nl\r\nsetswimmingsuit.in\r\nmovepositivemove.link\r\nplaygrosslandscape.art\r\ncreatenextguest.rocks\r\ngominutepie.club\r\nkillfemaleprofile.click\r\nspendimmediaterush.club\r\nopenweekly-watch.one\r\ndev.believedesignercharacter.in\r\ntry-redcommittee.com\r\ntftp.providestill-thing.net\r\nincludemothermiddle.realty\r\nsmtp.writebeginningitem.xyz\r\nopen-proudprinciple.com\r\nnoc.expectbravewonder.art\r\nreadcivil-slip.click\r\ngo-motorprofessor.click\r\nfeeldramaticdig.pictures\r\nbeexcellentangle.xyz\r\nstartafterchemistry.xyz\r\nvpn.give-formerhat.top\r\nwritefunnyassignment.fans\r\nwebmail.buy-roughcigarette.fans\r\ngiverawdistrict.xyz\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 23 of 36\n\ncome-historicalinstruction.org\r\nmail2.tellannualarrival.observer\r\nserver.find-simpleincrease.in\r\nimg.live-informal-desk.futbol\r\nbuildefficientstaff.rocks\r\nseeguiltybike.futbol\r\nallowtypicalmonitor.link\r\nlook-famousexcitement.nl\r\nlead-awaybar.observer\r\nreaddresssense.link\r\nwww1.rememberlocalgift.in\r\nbuildusualrisk.observer\r\nwork-extremestop.link\r\nread-educationalpanic.net\r\nexpectagohusband.in\r\nincludepowerfulworker.info\r\nlosewholeauthor.com\r\nwork-wastedivide.in\r\nsellbig-test.org\r\nrequire-livingmeaning.com\r\nspendusedchildhood.click\r\nneedvaluableanywhere.pictures\r\nlikesoftbowl.net\r\nhelpcivil-net.org\r\ncallupstairseconomy.link\r\nreadkitchenmotor.click\r\nfallcalmanimal.pictures\r\nemail.takefederal-leading.xyz\r\nwait-rareenergy.com\r\nneedsaltswim.click\r\nwinlower-command.in\r\ntellhugecandidate.one\r\nreportrawchapter.xyz\r\nbeginaccurateoriginal.tel\r\nsetshotguard.one\r\nremote.turnpartyengineer.club\r\nbuyhousecomfortable.com\r\nturn-successful-official.observer\r\ntftp.walkmediumgroup.futbol\r\nfallpriorshopping.futbol\r\nwaitpleasantquality.rocks\r\nshowscaredsquare.one\r\nstop-closecard.tel\r\nmoveminimum-self.rocks\r\nsupport.followholidayairline.observer\r\nplaydarksociety.top\r\nsitenoughdetail.net\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 24 of 36\n\nbecomeaccurateuser.rocks\r\nworkheavybrief.fans\r\nsetafteradult.net\r\nmakewhat-title.club\r\nhear-relative-philosophy.observer\r\nkeepmoneygrade.pictures\r\nspend-firstinterest.art\r\nasklocalnasty.link\r\ntalk-alive-family.nl\r\nsell-significantoccasion.top\r\nbedressfold.fans\r\nwaithappysell.top\r\nlead-lostsurround.link\r\nfindinternalmain.realty\r\nthink-legalresult.link\r\nwww2.dofullhold.club\r\nbeordinarynews.art\r\npass-wineunit.nl\r\nappearemergencytruth.info\r\nturndistinctscreen.nl\r\nleadfederalwater.top\r\nthink-capable-concentrate.in\r\nbringdrunk-monitor.com\r\nset-joint-equivalent.com\r\nunderstandinnercompany.art\r\nloveleather-extent.click\r\ntrypatient-detail.one\r\nappearminutehunt.one\r\naskinteresting-daughter.club\r\nssl.expectupsetif.club\r\nrundesperatebook.tel\r\nspeakdressinternet.com\r\nneedcuriousfootball.top\r\nnoc.stayaccuraterelative.link\r\nbringshotdemand.com\r\nmovefreenature.com\r\nww1.changeshotprofit.pictures\r\nstandsexual-instruction.com\r\nreadweakpoint.realty\r\ngrowrealistictext.realty\r\nknowunfairprocedure.futbol\r\nappear-leading-jacket.observer\r\nnews.losefairsuit.top\r\npullleading-promotion.top\r\nlooklessparent.xyz\r\nlikeoutsidepresence.one\r\nwebmail.talk-normalred.link\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 25 of 36\n\nlook-small-image.org\r\nshow-clean-command.art\r\nstartfriendlyconstant.info\r\nlookwholebelt.xyz\r\nlearn-sweetcream.top\r\ndieeitherimage.com\r\nsuggestfunny-salt.link\r\nsithealthymembership.info\r\nplayculturalresponsibility.com\r\nsaygeneralprize.pictures\r\nappearhonestcup.org\r\nbegin-leftspare.one\r\nbelievepublicpermit.in\r\nmail2.lookcreativeintroduction.in\r\nfall-capablepersonal.in\r\nhearnorth-fortune.com\r\nlearncuriousideal.link\r\nremote.havecompletesoil.net\r\ndosmoothhousing.info\r\nreachinternationalchapter.one\r\nunderstandafternoon-oven.art\r\nprovideenoughrich.one\r\nweb.showplanegrandfather.in\r\nreport-existinginstruction.tel\r\ndodecent-entry.in\r\nbecomestreetnose.info\r\nvideo.gomaterialcap.realty\r\nkilltemporarybrush.com\r\nth.lookpracticalteacher.one\r\nhear-basiccrew.realty\r\ntalkexpertbirthday.realty\r\nmail2.get-evenversion.art\r\ncomeadultfamily.art\r\nsmtp.understandillegal-great.one\r\nimg.addangrylip.in\r\nstopsilvernews.nl\r\ncontinue-mentaleffort.xyz\r\ndieafternoonvisual.click\r\ntrywhite-juice.club\r\nask-betterequipment.nl\r\ngo-awareinflation.rocks\r\nprovideeducationaltie.link\r\nloveunfairlow.org\r\nbuildnational-preference.realty\r\nreadvariousengineer.one\r\nlearndry-possible.click\r\nexpectunlikelygrand.info\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 26 of 36\n\nraise-weekly-till.net\r\ntake-rare-figure.xyz\r\nseeplasticbeing.click\r\nleavekindeducation.club\r\nincludecorrectmembership.futbol\r\ncontinueinitialgrocery.realty\r\nworkrelevant-tackle.observer\r\nfeelinternal-grandfather.link\r\nplaysafeunion.link\r\nknow-deep-brick.nl\r\nofferillegaldrink.fans\r\nwriteoldpolice.one\r\nofferdowntown-stand.top\r\nspendopeningchart.realty\r\nlosefewmouth.org\r\nstaymaterialcash.observer\r\nsitpastgirl.futbol\r\nprovidetraditionalanybody.realty\r\nbuildnicelake.one\r\nwww2.killnumerousdriver.nl\r\nhaveappropriatewhite.realty\r\ndovegetableguard.tel\r\nmail.sendconsistentsafety.info\r\nremember-independentstorm.net\r\nstartequivalentship.org\r\nthink-leftcapital.pictures\r\nwork-basicexpert.info\r\nconsiderhonest-north.nl\r\na.callresponsible-difference.observer\r\nwalktimefuneral.one\r\nallowroundminute.xyz\r\ngounable-administration.tel\r\nth.sendsilverscale.link\r\npull-particular-trainer.net\r\nmovegreengrowth.futbol\r\nrununhappysecretary.fans\r\nleaveangryextreme.link\r\nloseeast-possibility.pictures\r\nlive-prettyhalf.fans\r\nimages.cutnegativeentrance.club\r\nbeginslight-application.nl\r\nunderstandboring-drink.click\r\nsecure.askafterjoin.realty\r\nlearnstillintroduction.click\r\ncomegladsalt.realty\r\nsitgrandbench.art\r\nwatcheducationalcloset.nl\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 27 of 36\n\nappearoldboss.tel\r\nremainmaximumrepublic.fans\r\nbuyavailablestay.net\r\nplay-happyrefrigerator.tel\r\nunderstand-leftnet.tel\r\nspendgamenurse.tel\r\nadd-localmuscle.art\r\nunderstandvisiblefire.rocks\r\nwww.runjuniorstress.observer\r\nrunold-response.art\r\ncontinuepracticalswitch.observer\r\nsellextension-fall.click\r\nstart-negativecourse.com\r\nspendlegalrepeat.com\r\ndiecornerconsideration.click\r\nleadresident-drive.futbol\r\nwww.payforeignglad.club\r\nplay-logical-unit.net\r\nbecome-used-grass.pictures\r\ncutsubstantialdeal.rocks\r\nstandfinalbid.art\r\nleaddependenttale.futbol\r\ndie-used-back.in\r\nplay-flatambition.nl\r\nraiseagent-pressure.art\r\nopenthenmouse.top\r\nreadobviouscow.info\r\nuseresidentfunction.tel\r\nstandafterpicture.observer\r\nraise-proofmight.xyz\r\nneedfarking.club\r\nshowseriousback.art\r\nsmtp.sitprizerelative.observer\r\nraiseextensionmuscle.art\r\nknow-financiallecture.rocks\r\nlookdeepmake.com\r\nprovidenewexamination.click\r\nkeep-constantfinish.click\r\nfeelconnectconcert.link\r\nnoc.buildacceptablewait.futbol\r\nopenexactanimal.one\r\nsend-bestweb.one\r\nexpectstrangeprocedure.realty\r\npasssevereconfidence.club\r\nx.setentire-cup.pictures\r\nserver.thinkpurplerepeat.info\r\ndownload.paytightcomparison.top\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 28 of 36\n\ngoagent-read.in\r\nsendcapital-recording.xyz\r\nfollow-femaleside.nl\r\nlikecoldclient.net\r\nhappen-sparelay.click\r\nmakedecent-individual.net\r\nwaitwhite-bit.nl\r\nsellwestreport.fans\r\nwork-realisticdevelopment.art\r\ngoworkingprize.rocks\r\ndo-plenty-cross.realty\r\ntakethink-force.observer\r\nsuggestsevereblood.art\r\nmeandirtybox.nl\r\nadmin.loveeastfood.org\r\nstaymental-energy.xyz\r\ngo-local-gap.club\r\nemail.servepoliticalhighway.org\r\ncallnorthkiss.club\r\nemail.takesilver-impact.rocks\r\nsellweirdsensitive.club\r\nstaydifferentobject.nl\r\nwritesilverstruggle.net\r\nserver.allowdrunkabuse.com\r\nlivestatusnail.in\r\nmovetimething.nl\r\nreportresponsibleswitch.tel\r\nwriteseparateliterature.com\r\nsitnearby-tackle.nl\r\naddpsychologicalbuilding.org\r\nbuy-moremarch.click\r\nserveofficialpoint.art\r\ncomesmartfeeling.one\r\nww1.be-lostwindow.net\r\naddavailablekind.xyz\r\nbringupstairs-adult.realty\r\nset-consistent-property.one\r\nwatchaggressivecategory.info\r\nbegin-both-branch.futbol\r\nth.runroutineinvite.net\r\nstopproofcommission.info\r\nplay-culturalplate.nl\r\nwww2.read-incident-branch.net\r\ncomeeitherhelp.tel\r\nappearlegalprocedure.net\r\nseemmiddledelay.tel\r\nmeancreativecommittee.org\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 29 of 36\n\nwww1.believesimilar-thing.futbol\r\nexpectsouthinevitable.futbol\r\nseemdress-homework.top\r\nhappen-homewave.rocks\r\naddpuretop.art\r\ntellreasonabledocument.click\r\ngrowminimumtelevision.net\r\npop.come-awareyard.net\r\nunderstandvisualstation.tel\r\nsecure.giveglad-city.art\r\nlikenearbystomach.realty\r\nlosecoolanalysis.fans\r\ngetoriginaltrash.click\r\nincludefamousdrag.fans\r\nspendfamiliar-gather.tel\r\nworkmanychampionship.futbol\r\nlearnanother-inside.tel\r\nsitbrightrope.com\r\nopenunhappypicture.futbol\r\nwww.trywide-principle.futbol\r\nchangeminor-march.futbol\r\nworkgeneraltrick.info\r\nadd-criticalvoice.art\r\nbuystraightdeep.fans\r\nsayintelligentaspect.click\r\nliveplasticcounty.click\r\ndecideillegalquality.top\r\nfeelgold-series.pictures\r\nbbs.dodrunkanything.com\r\nremainbothfeel.fans\r\nbringeasttruck.com\r\ncreateobviouspeople.top\r\nconsiderproperproduct.com\r\nadddeepresolve.link\r\nhelp-recentspeech.pictures\r\nhappen-southcountry.art\r\nservecorner-strength.com\r\nemail.likemobilelocation.click\r\nreadborn-access.pictures\r\na.takeuglyparent.com\r\nmeanmountainpride.click\r\nbelieve-headrise.club\r\nrunaccordingload.nl\r\nth.winrealpriority.rocks\r\nhearnewnegative.observer\r\nincludedifferentdetail.observer\r\nbuildchickentraffic.fans\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 30 of 36\n\nuse-physicaldepression.tel\r\nconsiderpowerfulfruit.observer\r\ntest.buy-timeshoulder.com\r\nplaysuddenbird.in\r\nkillseveral-city.one\r\ntakesignalincident.in\r\nwork-reasonablebreak.pictures\r\nbesadenvironment.art\r\nshoweastyard.one\r\nseeprettyinspector.in\r\nbuygladexchange.art\r\nraiseeastbedroom.xyz\r\nletmad-juice.in\r\nexpecthappydrop.nl\r\nbegin-ordinarystupid.rocks\r\ngoaggressivenasty.xyz\r\nwritegloballandscape.in\r\nputenvironmentalimagination.futbol\r\nwantbrightear.one\r\nconsider-culturalmenu.net\r\npay-cornerfat.one\r\nsuggest-relativereputation.tel\r\ncam.lookfewnewspaper.nl\r\nturn-everybitter.net\r\nfind-cooloutcome.info\r\ncontinueexpertcontract.tel\r\nholdthickshift.observer\r\nhelpdeepsnow.click\r\ntrybitter-twist.pictures\r\npop.offersingle-preparation.in\r\nseemsingleroof.observer\r\nbbs.requireobviouscandle.xyz\r\nturnroughcandy.net\r\nhearnextchest.pictures\r\nopenhardmanagement.com\r\nthink-exactstroke.top\r\nbeginannualgirl.in\r\nprovidechemical-release.top\r\nth.usebestpull.com\r\nwww.dolatefruit.org\r\nprovidebasicmiddle.org\r\nsecure.lookstupidvaluable.click\r\nthinkrelevant-sail.nl\r\ngivelogical-brain.net\r\nwatchpotentialinitial.info\r\nstartinternalgolf.net\r\nwww.happen-openingcake.club\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 31 of 36\n\ntftp.pullleastbeing.art\r\nhelpsaferepeat.com\r\nthinksmartfact.net\r\ncloud.let-specialcomparison.net\r\nvpn.sellroughswitch.pictures\r\ngo-hungrycarpet.art\r\nfollownaturalmeasurement.futbol\r\nstand-inevitabletradition.info\r\nserver.speakgooddog.futbol\r\nfeelsexualisland.observer\r\nunderstandinternationalphrase.art\r\nsellnativeself.nl\r\nlove-perfecthealth.link\r\na.waitloud-currency.observer\r\nsecure.raise-illdeparture.futbol\r\nknowenvironmentalambition.observer\r\ncam.believesaltleading.observer\r\nthinkdeadsurprise.fans\r\nofferfalse-education.observer\r\nremainactive-beach.pictures\r\nwww1.raisefederalclimate.club\r\nwatchworkhalf.observer\r\nserveokfinish.info\r\nwww2.reportcuriouswait.link\r\nrun-classicspray.tel\r\nmeetpastaccident.tel\r\nplayplasticaccount.club\r\nstandvaluablestay.com\r\nruntraditionalmess.in\r\ndev.move-significant-assignment.club\r\nconsidercompletequality.one\r\naddbornticket.one\r\nftp.createsorrymembership.nl\r\nprovidefriendlycity.net\r\nssl.lovegreatglad.realty\r\nwanteconomywash.net\r\ngw.setusualdouble.realty\r\nopenminorboot.tel\r\nbecivilappearance.rocks\r\nsupport.callactualsimple.click\r\nrememberbasicsuggestion.one\r\nsaycompetitiveseat.in\r\nlovefast-check.link\r\nlearnsouthern-art.rocks\r\nconsiderprofessionalowner.tel\r\nmeanspecificclassroom.nl\r\nbring-fewspare.xyz\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 32 of 36\n\nread-obvious-stress.org\r\nstand-eastappointment.art\r\nkillacceptabledump.click\r\nhappentypicalweather.one\r\nemail.stayupstairswave.top\r\nwebmail.doevening-literature.realty\r\nadmin.passbravesleep.observer\r\naddboth-league.realty\r\nraiseplastictowel.club\r\ncomelittlebit.org\r\ngw.continuechoicelink.club\r\nhappenpopularfamiliar.fans\r\nallow-classicscale.net\r\nexpecttightimagination.rocks\r\nnoc.beginonlypromise.art\r\nserveappropriatebutton.one\r\nusesillypermission.top\r\ninclude-eachpension.pictures\r\nremembertrainingpermit.rocks\r\nunderstandfemale-equipment.pictures\r\ndieresponsible-brief.link\r\ntftp.offer-corner-border.one\r\nsaybriefgreat.realty\r\ntellkindkeep.pictures\r\nhold-tough-farmer.top\r\npassnationaldifference.net\r\nshop.send-deep-month.pictures\r\nbuystrictconsist.observer\r\nofferremarkabledress.com\r\nbuycomprehensiveopening.tel\r\nfall-appropriate-employee.art\r\nseemheadchip.observer\r\nsendremarkablesock.pictures\r\nsell-psychological-board.club\r\nmeanimportantmarriage.in\r\nstayconstanta.nl\r\nknowfatmedium.one\r\nprovidecriticalplay.click\r\nbeparkingtechnology.futbol\r\nspeakcuriousextension.futbol\r\nwww.speakwooden-evening.realty\r\nallowcomplexleather.futbol\r\nsetaggressivewall.realty\r\nleadchemicalsuccess.nl\r\ncreatepracticalimportance.tel\r\nlikeremoteinitial.info\r\nm.setsuddendesign.in\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 33 of 36\n\nkillmaintransportation.com\r\nplaycapitalsad.org\r\ntftp.learnsorrytype.nl\r\nkeepwrongphone.futbol\r\nlet-emergencysinger.observer\r\nofferafterbrick.link\r\nseemcharactermixture.club\r\nexpectwild-concept.rocks\r\nmakesome-tower.click\r\nsayasleepresource.art\r\nremainyellowregular.tel\r\nmean-lastoutside.org\r\nwww1.movestock-nose.nl\r\nfollowemergency-camp.nl\r\noffernoveloutside.xyz\r\nlooknicenorth.top\r\nlovetrainingtoe.observer\r\nleadwrongactor.in\r\nth.consider-immediate-specialist.top\r\nraiseslight-win.club\r\nseemlonely-quality.info\r\ntftp.buildappropriatevast.club\r\nfollowalonewonder.rocks\r\nweb.growstillscreen.art\r\nrememberprofessionalpresentation.rocks\r\nrequirestrongchip.pictures\r\ntryanotherunique.club\r\ndecideopenwriting.com\r\nhelpunusual-daughter.pictures\r\nemail.followsmalldeparture.link\r\nrememberbeautiful-test.top\r\nsend-searecipe.info\r\nbuypersonallife.xyz\r\ncreatekitchenchild.click\r\nhavemuch-page.pictures\r\nexpectbackgroundaddition.observer\r\nleavequietmarket.org\r\nstarthismix.link\r\nmovepresentinternational.realty\r\ndointeresting-control.futbol\r\nww1.remainsoutherncity.pictures\r\nusecarproduce.one\r\nraiseeveningcorner.art\r\nbelievesecret-female.net\r\nhappenlivingtill.one\r\nshop.loseeaststill.xyz\r\ndecidefineentry.info\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 34 of 36\n\nopenphysicalsympathy.info\r\nlovevisualdebate.nl\r\ntryopeningwhile.link\r\nhave-plasticdrawer.top\r\nnews.tellpregnantratio.one\r\nchangeunhappysecond.observer\r\nreportkitchen-formal.one\r\ntrypopularreplacement.click\r\ntrymaster-self.pictures\r\nwantsecretdevice.rocks\r\nfeelwideestate.xyz\r\nemail.killcheap-poetry.futbol\r\nletparkingbuddy.art\r\ndo-sensitivesex.info\r\ncutmanymine.xyz\r\nbuild-comprehensivepick.club\r\nfollowdirty-reach.club\r\nth.getunfairscene.futbol\r\nchangeintelligentdeep.com\r\nconsiderhisreputation.nl\r\nbuildcurrentlesson.one\r\ncloud.set-thinkpattern.one\r\nbringdeep-revolution.one\r\naskeducationalsuggestion.futbol\r\ndopretendgear.com\r\nftp.pull-topsector.fans\r\nbringbrightpull.in\r\nwork-afraidyard.art\r\nstandtalltarget.in\r\nset-slight-proof.futbol\r\nvpn.diefreeyesterday.futbol\r\nliveequalbook.tel\r\nlearnpretendtechnology.net\r\nstartseparateopening.nl\r\nfind-yellownational.fans\r\ncallmedium-son.one\r\nhappenexternal-candy.click\r\nstoptraditionalfuel.futbol\r\nraisetotalapplication.art\r\nspend-accordingwill.rocks\r\npullnearbywall.tel\r\ntalkeitherjuice.fans\r\ncontinueunablebet.observer\r\nimg.cutwonderfulcheek.observer\r\nfollowobviouscode.club\r\nwaitlonelygift.nl\r\npassaggressivedefinition.pictures\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 35 of 36\n\nssl.putsea-people.club\r\nkillleadingexam.realty\r\nwaitotherwiserequirement.fans\r\nfeelpure-conference.rocks\r\nstayoriginalprocess.fans\r\npulltimeswitch.observer\r\nleadlevelcomfortable.xyz\r\nstartbriefeffective.net\r\nsayembarrassed-maintenance.fans\r\nwantrelevantbar.pictures\r\nknowbornoutside.click\r\ndo-innerpen.club\r\ntryresponsible-injury.click\r\nwebmail.remembersafehang.art\r\nraisefewmix.in\r\nholdstatus-forever.net\r\nchange-distinctrecording.net\r\ncomeplasticpermission.futbol\r\nsuggestgreatstudio.top\r\nemail.bringpretty-guide.org\r\nchangesouth-preference.org\r\nwantseverebread.futbol\r\nsellbettermail.observer\r\ndecideawayad.futbol\r\nstaymassive-yellow.xyz\r\nwww1.understandusefulpaint.org\r\nworkcheap-disaster.nl\r\nletpatientunique.link\r\nwatchfair-bug.nl\r\nholdasleepstructure.observer\r\nSource: https://blog.netlab.360.com/bigviktor-dga-botnet/\r\nhttps://blog.netlab.360.com/bigviktor-dga-botnet/\r\nPage 36 of 36", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://blog.netlab.360.com/bigviktor-dga-botnet/" ], "report_names": [ "bigviktor-dga-botnet" ], "threat_actors": [], "ts_created_at": 1775791290, "ts_updated_at": 1775826767, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/18cbccb4aebe6a2f09a48f8e984c0e414faa9a99.pdf", "text": "https://archive.orkl.eu/18cbccb4aebe6a2f09a48f8e984c0e414faa9a99.txt", "img": "https://archive.orkl.eu/18cbccb4aebe6a2f09a48f8e984c0e414faa9a99.jpg" } }