# COVID-19 and FMLA Campaigns used to install new IcedID banking malware **[blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware](https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware)** June 18, 2020 Juniper Threat Labs has been monitoring a campaign that pushes a new IcedID banking trojan. This new campaign changes tactics by injecting into msiexec.exe to conceal itself and use full steganography for downloading its modules and configurations. Previous versions of IcedID injected into svchost.exe and downloaded encrypted modules and config as “.dat” files. This campaign also takes advantage of the COVID-19 pandemic by using keywords such as COVID-19 and FMLA in email sender names and attachment names. IcedID is a banking malware that performs Man-in-the-Browser attacks to steal financial information. In this blog, we will detail this campaign’s infection chain and also touch on the network communications, including how quickly threat actors update and change their network communication. ## 1st Stage (Malicious Office Files) The first stage of the infection chain starts with phishing emails with malicious attachments, such as below: ----- Sha256 of attachment: 822a8e3dfa14cd7aaac749dc0515c35cf20632717e191568ba5daf137db7ec17 The Word document has a malicious macro in it and, when opened by the victim, it will drop and execute a file in a specific folder. C:\1\Whole\PFSDNSKDF.EXE (Ee9fd78107cdcaffc274cf2484d6c74c56c7f3be39b1896894d9525506118d1e) It achieves this by reading a binary embedded in it and using Windows Management Instrumentation (WMI) to execute the binary. ----- Olevba output of the malicious word document ## 2nd Stage Loader The file C:\1\Whole\PFSDNSKDF.EXE that was dropped by the malicious document is another loader whose purpose is to download another IcedID loader. It first unpacked itself by reading a binary file embedded in its resource, decrypting it and executing in memory. It will then loop on the following domains, using WinHTTP queries: support.apple.com www.intel.com help.twitter.com support.microsoft.com connuwedro[.]xyz support.oracle.com All of the above queries are normal, except for connuwedro[.]xyz. It does this to evade detection by trying to blend to normal traffic. It is specifically looking for a response that is a PNG file and ignores responses with tags present in an html, such as the following: ----- Code Snippet for filtering out benign domains It expects a PNG file as a response from connuwedro[.]xyz. To confirm this, it will specifically look for the DWord “IDAT”, which is a tag found in any PNG files. Code snippet for finding the ‘IDAT’ keyword on PNG file It would then decrypt this PNG file using the RC4 algorithm and execute the embedded binary. It also includes checksum checking in the code to make sure that it is the correct file. This technique is also known as steganography. The binary will be saved in the %APPDATA% folder and, for persistence, it creates a scheduled task that will execute every hour. Task Job of 3rd stage loader The hash of the binary is c35dd2a034376c5f0f22f0e708dc773af8ee5baf83e2a4749f6f9d374338cd8e and we designate it as the 3rd stage loader whose purpose is to download the IcedID main module. ## 3rd Stage Loader and Main Module ----- This is the loader that will download the IcedID main module. Similar to the second stage, it applies the same technique of unpacking itself and using steganography. It unpacks an embedded binary in its resource and executes it. Once unpacked, it will download the IcedID main module as a PNG file from the following link: https://cucumberz99[.]club/image?id={01XXXXXXXXXXXXXXXXXXXXXX} This domain resolves to 31.24.224[.]12, during our analysis. The image will be saved in the following directory: IcedID stored as PNG file This image is stored at that specific location so that when the third stage loader starts, it does not need to download it again. The size of the image is more than 600KB and embedded in it is the encrypted IcedID main module. The encryption algorithm is RC4 and the keys are also embedded in the image at specific offset. The decrypted code is not a complete PE image, as it does not contain any header. Most of its strings are also encrypted, which makes analysis even harder. The first part of the shellcode is to spawn a suspended process of msiexec.exe. Code snippet for injecting to msiexec.exe It calls the following series of API calls to inject itself on the remote process before it exits: **ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread,** **NtResumeThread.** Using msiexec.exe /i {random name}.msi is a simple technique to try to conceal itself and look like a normal installation of an msi application. The code injected into an msiexec.exe sends a beacon signal to the CnC server and awaits commands. The commands include: ----- Update the IcedID main module Update configurations Send bot logs to the server Execute a shellcode from the CnC server Collect system information Download and execute a file from the CnC server Execute a command and send results to the server Reboot the client machine Upload a file to the server Extract passwords stored in browsers and mail applications ### Man-in-the-Browser The IcedID core’s main function is to steal financial data using webinjects. The IcedID main module, which is injected into msiexec process, watches for specific browser process names: Firefox.exe Chrome.exe Iexplore.exe When it finds that a browser process is present, three things happen: It creates a local proxy that listens on 127.0.0.1:56654 It hooks the following API on the browsers: Chrome.exe and Iexplore.exe CertGetCertificateChain CertVerifyCertificateChainPolicy connect Firefox.exe connect SSL_AuthCertificateHook or function from the library SSL3.dll It generates a self-signed certificate in the %TEMP% folder With these three things, all connections to the browser are proxied to msiexec.exe and it achieves full control of the browser. ----- TCPView results on a system infected with IcedID It will monitor browser activity related to financial transactions and inject forms on the fly to try to steal credit card details. Among the banks and financial-related services it targets are the following: Amazon.com American Express AT&T Bank Of America Capital One Chase CIBC Comeriсa Dell Discover Dollar Bank eBay Erie Bank E-Trade Frost Bank Halifax UK Hancock Bank Huntington Bank J.P. Morgan Lloyds Bank M&T bank Centennial Bank PNC RBC Charles Schwab SunTrust Bank Synovus T-Mobile Union Bank ----- USAA US Bank Verizon Wireless Wells Fargo More details about the functionality of the main module have already been discussed by various security blogs. We link to these in the reference section. ## Let’s Go Hunt ### 1st Stage Loader The vast majority of benign documents do not perform any network communication, even towards benign domains. The following network behavior could be used for finding other samples related to this campaign. With this, we have found other samples that are using COVID-19 and FMLA keywords. All of them have macros. VT search for finding related malware For the second stage, we found 29 unique domains with varying IP resolutions. ----- Download Domains for Third Stage ### 3rd Stage and Main Module The network communication of this IcedID is unique, as it follows this specific format: {cnc_domain}/image/?id=01XXXXXXXXXXXXXXXXXXXXXX VT Query for hunting third stage loaded Using VTs behavior search module, we are able to find approximately 250 unique samples. Out of these samples, we identified 62 unique C2 domains. The complete list of hashes and domains will be listed in the IOC section of this blog. The following data shows how quickly IcedID threat actors update or change their CnC. ----- CnC Domains for March CnC Domains for April CnC Domains for May ----- CnC Domains for June A commonality among these download and CnC domains is that they only use the following TLDS: .xyz .club .top .pw .online .email .best .bid .site .uno All of these domains also use the Nameserver dnspod.com Nameserver information of IcedID download and CnC domains ## Self-signed certificates IcedID uses TLS in all of its communication but the certificate is self-signed. They can be spotted, as they use this kind of a self-signed certificate. The keyword “Internet Widgits Pty Ltd” is also being used by Trickbot, another banking malware, and it is believed that Trickbot and IcedID are cousins. ----- Network Miner output of IcedID certificate ## Conclusion IcedID is a very complex malware and there is no doubt the threat actors behind this are very much capable with constant updates to their arsenal. In summary, this latest IcedID Campaign focused on evasion by implementing the following: Signed Binary Proxy Execution using msiexec Full steganography HTTPS communication String encryption Blend communication with normal traffic Juniper Advanced Threat Prevention (ATP) products detect this malware. Juniper ATP detection ## IOC 1st stage malicious documents ----- 822a8e3dfa14cd7aaac749dc0515c35cf20632717e191568ba5daf137db7ec17 74d6e374d7958e70c6733b6c17e2f0d79b629e172aaf385c142c76678647f3b8 436b0c94c1be2be6b328830568ef7f031b45bf6d2377fa9f4b1f872ffb39b369 4ca8c054641c1f11c033cc20ebae77c4a41853e2fe693ecf4b93a9719b624c1e afdb9b4c2e9a47a137a385e41a47727c0a04b2001aab60d6b3e099d0faf4ddef e4f89d4ff1d26e0959c7147df641c6dae3e0d15729a5fd275857e98225b44245 3ff97578adea9f45bccea091234c5ccee6a12b3c52e7e29195a45e3c191aa926 e15744eb13666670ad3cf256c31df57a01c40f355a0f8a592294187d4fedc257 454ff6a5ebf01fc7d9c1ced5b081d582d11119ab9b49fc06ccaf22b1b0259c23 54197c58c9693580c8ca961d8ff326cbad7688b23627114f7437c59fede46e82 f1bf5ef89f644b1558dd54e68148e60310d537ca45c2daae2b410c30540d7de6 e48e4e74dc7e67523878a2cf68b2ce72b5e5c999897e075d6b993e41c81f4174 ef2ab4bc4ee63dd1b9f04a56fe727a87f56ddd476bc1cd72c78f4d31abff322a fd11736701395813459091b6d07878c52b448a4d9a5825517a0308fbfe6fa070 9979063dae01bdfffd946ed012e69fabb82be3795323a52b06532b42b0f59609 09c3ada49c47af20854d87fbb76a24263d759f93f8de7e5af88549111ce55dda 10ab8bfff505a3add9537bf742ede32f985e9f1ecc3a8afca99005b7255bca1b a6e0690db18e89187c2a9b0924585264606482dfdd9ac97c744bb649615ced65 1e988d02dedc8307c518e6bc2c6f8be14e4f0cd941972622deebcd90a6f09013 f4fecef8cd7c7688d98ff168e137c70d98f01866114e552ede71aa28e2088018 b0dc0a79862585b381afb61b05640276d51001961ddf9608703195bc183f1f06 8664c34e72bc78098668331faa8f5113ad798a29c085662a0a9d83c4598843b2 404650dbf9d8d4fcf844f529b042b895979f3a87334fb97925805c8072725ea8 f5d8de500a504f6493af21ac67f50f5a4de5d6371e36c3a2251ac098f256187b 385a41aaa192a8cd56bc35b1841a8e4a31f4cae1d5b68542ae7584b6420d363e 55e1ba8683bb6b1d2a4f8b16b16ede25943d66e5884c9793f8c078614d12d9c4 dea7eaee76df0fa27ae5ddd2988222b8afefd73ff80f5a5a14108cb499b85a23 f30f283832f7a371c2c23cb2b5801e71bd33856c026480ab9165e584300fa3b3 57ea3ae558efce33cf28a5cefa26e93a07186e5cdf799d5d066edaf581f66706 2e294fbc75cefcbece50a3e57730212fd7672a4cce487db0bdfd241032a5bcb7 3a11e16512b0f4c1380c5f94ff65312c421955c5693ea73260e2274eb34470c8 ## 2nd stage download domains 2pillsofhunderts[.]pw 3chickens[.]pw 3glanzepages[.]top bividilli[.]xyz carpetkisa[.]xyz connuwedro[.]xyz feminization[.]xyz filacolonel[.]xyz ----- fredoferodo[.]top frenchfries8[.]top ghefgekil[.]club gigakolors[.]club goodcolonell[.]xyz groggypirogy[.]top hinkaly[.]club karantino[.]xyz kassadesada[.]top knockaddress[.]xyz knockdomain[.]xyz lokolojazz[.]club pyramide33[.]pw siffersniffer[.]best silkycow[.]pw stuffed8tomatoes[.]club testermeisterz[.]top tryfreder[.]xyz vodkahater[.]xyz yahzdaje2[.]website zajjizev[.]club ## 3rd stage loader hashes c35dd2a034376c5f0f22f0e708dc773af8ee5baf83e2a4749f6f9d374338cd8e 014b422e6c1bc23db2b5898dd0c49ac61fbac174c1e0d916f68b41cfb535cdb5 015243f1e4fa8c0eabf86ae752056e2876e50b3b67e95fa486451904d311580d 021cae01a3e9e734ca0b96c30d7d358b7b41c84565c95b448771de56ae85621e 063ed7054f8f7d72cb34f9a37725b5974fdafc743c338b07bc7b0b2ab6a212e1 06d21126d11e3fd07c66c7f9c096f80fa8046b5e1bf4370187401890fdf4fd5c 07671c10dd548d8a535939c0282d6710b07c8e2e8e7efa466de09202d02cd550 08bb93772c22c2842e968f5ad3753062530c4fcee87110afe46d95889c484dfb 0b0b92a625911a7065cf0e48d470acac71290c6832363a715b1f46aff01fe4c8 0c69c38b7d436280492807d77a308f2eec5007afc0683aa206358db91c116def 15041d3408372977905bda10cbccd9a86135eb441152968299e3c05ebcbae93c 16ae5983ca6e3f7bf893e0ba9ef44f2f46270a717abed860fdd56a7ad5cc8f77 16efa114618cdf5426f514c79597d29fe0ced79f32c5b56985cf2820854d7a36 18726b5405dc2f8159f3496939c5df3ca742ff271a2dd294b033433203f35eb3 1faa5ce90b3496c6938f3fe3a25f89939a297254a183fb75a8d58abfcc9fddfd 1fd7fea39524f3e5edcd0d41e9b2f9c9fa639ec22e80bacd173b7744b4a05601 2660abba68d81b50c997b787a98484e1eeea47269cdbe1f5ae87e6ac086b5237 26e0468acd186e744e895f116d14e20179d74f61fa819b5984442cac51f07b00 284aaafa51b1131e6656b270af6c3a032cf454ead1d5f0a5926ebe22772cf0d9 ----- 2aab4bb300e505e278a20a2aa804c9ba5920c2513b425440b1c818d53a0dd672 2b7ccec0aa1d9f09fb7d17034acf00b0e96dd47ecabe767b419a474a0854e42c 2ba7ecdb95e16f4af77d2cb09e301306c2115350da49e36afa26a365fceb110c 2bfa9f878dce2de087715d7986e369197aecd166a635c80a2f2c39a9b8e327fd 2e1d4c5755845068909b229939511d6a9a0b7b5df6801f44a3a3a274d6048804 32efada9f1ba73c5ded10c2338fe261e0e4c997f48696464978af942c9f2599f 3391f3da58a8b440b0c58084a280cf9cac28395ecf87c8307d5efb9d66b6164f 359ea0e4217bea81d92e6e274681ab7df24caaaaa0e6ad412e2f9045113c6ea1 386becd1260847d03958dbc82b5f6565e2855ed5439eef34b57678410877174e 396a445f43fc63122543cbb16fe2919e19aa2371f7165c3817acac7885701afd 3a09fb755bb94cfbd598d16c3a8dd430be51a1eed9dc5791a8f07bab6e2bc284 4267ef18ddeb15cf6920e2bc89f5c9247b6f554112a124ee2211281ce98ec04f 43275d3fdf60216df9c0151b11db2896a1dd56b9e7267ed6db78f4ef21cb8b46 44271a7612f1b32ed5fb0bac211992ea5e5c243710b9b4e8ad83f08af6a6cf4f 46a19f4b4dcfcb51b0db1718ad6d64bf0eb28170c61421e87e7edc07facd329c 48293a9ec8e7d12370cb1c1266653053ad5861761c74c437b2350aa909490327 4aec02ec7bc4ff2fbde2e36eb40411bcd69ee2dd9abeaccdd306a3aca8f5ad1a 4e7161be03f206c1b086bb15b47470ec1c9381302eb34d0e76915496aec77193 50cee93429653fd24d534c31c52a94e71b4fdc1e5409f8ac4ae2a81210ea12e2 5542f9cc78b5aa2901c2187f1dcee8e214aca20465c81c4da51035477d19287c 55acf5558ef68bd26148074c6f916311ea760edc6cbd136973ea638c98606a93 57100de2a289e45824f5cbaf8074e3f6e543eb2aa9a18584b1a007c7b4ddaa48 5c91d58ad4b5f1536c2548ac3080f02155df555025c634659cb15dfc5ec2143f 5de3eb250030550512c0ce92923ff30bc16529a45a5f24c624e9d7c7a4e0c1e4 5e38dcb3632d7ac183bded4662c139db2f54c104ae1efda75b62b0bd0b9882f1 61ca03447437e224ac301c56a72684a3c08310a3b850aff69952d124b488bc4e 696ef2c7fb064b293173bae309c1cabe3d2dd2d1a1becab040acb05c82022c2e 69fced2e42d5fcb3b0ade5ebc81359c1f8c2e51935db74f40c94fb5c646130d9 6c02225c8a5ae583e738417866bc2f66636834ff025749da7f36ea639cbcacb6 6c878a7145e9f783f28b665207d9d180d04d0fe8e42bb2ff594faf5692f25ebd 72d4df9bca3cdf2074ffa84580c01fa425d528be54f331c59eb27a12a3736093 7a41e722fb6fd0067378cba5e4ddcb9c122205f41eee22204ce83af63a89b4fe 7babfaa95153f3f4c06630ff30d225760ae4a50e75764b9e049d8d70bfd88107 7f45cf09a572799af51ea935b95b185c05e13f749c9f1e2a2d41f8001c76487e 7fb71830442acb35dd86e559d632d7a14c21b60639203c61d371831b78dde6e3 81869e50ce5599cab247458445cc36b5a3108398f1ed520d29a4e7395a81afe0 82f48defd2de04d87de86ce8e584c6cb1bad8581d99e65ae99b58ef96f623089 87322aed33bf01ca618ad94e1d6a042bae91c978fabfb3e7fcccfa75a64c5d6a 882a9e7001dd1618c593f68e11f77c8e86239f610283e88981eecab93b5158a7 8831ac358046286facb6ca2643927aa837907937d1895ee3b73472c58bf3ef2c 8a4b045d11a898ced073e564e601b9624ace121be688ec20f31d56bc1edfc377 8a60949ae63dd0d80a49485a7a2ce1a29505ed76eee018ef12d28ac70bece07d ----- 8d1b83eff1b3c604365fd29de1bb43204852de842c0bb148975fe7a7485310e4 8d97b91ce882f9405b7a7de5b1f08fdef0a0db4303977140546ebff72af1bc7f 9118ba30cefcc565be8a9ba85ee66da7670f18b08ec3cb205be80e78bf64f5fa 927a8d1445750400db3850d0b2dc3522b0f373098385373efa3d7762120f3689 949d06fb921d1e32be7232933d0578c086112c5b782640cd5b9a6b6570f27bf7 961588c90fe84a65e9aff3b98a95cd46d581add783ce639065665a01a16530f5 961ced78105cf07255f79dd7ad0ecaa2360b6ac08264acfb22d927e3d7f441c4 96c825103005a025660b5d32002a636d2242801949d0b970a77625be268a8cd5 97a32b419c28bfa62220fc8a7c715a899bf84484e34a75ee97c766d7d43b2b4a 9c19493c7ecb8067a0a52e089b819f53adf6a1f6b0535b42f1e5325a789125d9 9caa061ca9619b215e657357f368e9fa7d64e402c13d55b76578c5acddd25aab 9ff86c3e52aea34f885d1f298ee9e448368d941bf122f61278b6d50addb36744 a234c29baff478276e9ae616046d98ca1ed57311616691a7e048e0af6d9c1c44 a24fe24beb66aef2978017939f29a7eb3cbd1ca3d210a9834cae112ba86d075b a299a3d1d838adc37ea985039650b7b32428d3787a0b7e31feeafcb831eb984d a3d5871579dd194d86e5af84e306c38d27703bbe9b7e7d4209b68cafd21464e6 a55a668b4180ea3cd58472dc0fb9b45dd92c09cf049644cbc25f5b50a9d05001 a6fa541a097faa1f61b7085eb52b46bd893944f93a8bd20205118b1b7b802fd4 a9129fc61d0ea9a2756c64febfc486895e37312e5ff8eabd16b7ff201bb90e7c ad58f15ff69ee59a32ae410acd564cd4b53a5cfaea6ede136046cee12f1c0b59 adc05158b29dcb3f96532e526bdb296cb5e424a96e6f7b83b6c0b82b811d2740 ade52f993013635afe7eaf0d91cc0521b97f3de1ca541882bde3ee94c872982f ade6356fb4f693664d5dcb54c3e1ca6a9013ef653b473bdd7a2e1407bddc6193 b6c2ebd3be005f672514cbc3ab320b9dd887f17b6bc14bd5bd34adc5a951ef17 b78d867fa64b9c7f8ad19b6fc4ec934b3c1c13e6fe080c84d4685629f18a0de6 b7de965c5e2cfef42def39f124d37d1302ea93b91aa394d2cf41cfa7df2607e6 b8768315d048093fc216c8921dcc392628d977ea97efcf352e5a89035635ffdd b90881ea27e45a5beec5abdcfa7f83709b8ca02b9a533a7d1325df059522d21c bdb743a2f2cd6ef45f9d0c97ec8feb590831d108bc7d434b5f65e87ab4be9746 bf4da5aa980f12573157473f694210276a72d4f26cb7bfce38b84be5e33fd195 c35dd2a034376c5f0f22f0e708dc773af8ee5baf83e2a4749f6f9d374338cd8e c57c797dc857427dd9d34524f32897cd001dd0d5526b7ae382158989a57541a4 c7ef139a5291a1e2b70551f4fc8290a4bc963ba4bf36101aa787eab21fa2aa83 ca59caa3199f6ec24cead3e4b705f8a22c5b78f3b62f84791c03784e3b55993a cba5edb9a6a3c25b635a050492d6f9e6cd69f916ec57f4787e5b2e3a8356182c cddb94b07baa8502aa7ec15815606d89630fc6d62790a42fb9b0aabe76700de1 cebb538862dcfa960e48d09a7d44dc0b096cff66bd61606f54949433ce94ff7f ced9b6411f4c3db104f9b25b9c638f5874097219152c1800fd7988f03da15b29 cf79819a5ab92e53568736463be90254504a60a07543f6d1d14148808940519e d5e2868d0eaab6056d49a9f2a35842e0d2390e84beed0e352ed3cb19f3dc380e d8619ab7066af14878548719f8737ec110df19badbdd3d6394a941127c268d19 d9ea9d94359fa3e8edda3e1e659925f25e7003a8254b52229800220b67b651bb ----- df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec df30ccce6ec03c03e2e1ca041200267cd3b708946cc2f18577dfee7ea351272c e0d78b3a64c0d256d4be7c2b959fb8ce49950bd2abb975aa35b6421d1be6e9e9 e1a2490b48fe59d053f5d486af00f72b2973d71ea87496c8158cd60e72f9b386 e48d5ea33faf98eb5264896ad8fdc72cb53998282c871edd189a615096c3ec56 e624144b6c38455eb528fa2fdb1631b822608bde5eacbec097a18ef3e54c40b7 e6c21816d712973a1e6b615164ed475dc58694afb88c69ec61c81bba7daa1297 e7bcd48b2948a278876343900aa3ee30cab266e6fa26c3031eee5dd846983ce2 ea6cecdaef1dde96281060a27ba65beb4079c04313697f60073be1196af7ecc6 ebac2e585e43af2737f6bdf291b93e88dfddb64efc97ed5c514afd2848814515 ec1f379b1032fc9f8acb9785d83978e3197dda7a3ab42ff697529c8cb7dfa579 ec56f0a98216810fe2706d04c9c7350e3e125b3e3207ccde0442f91fb8804921 ee1bc25f45c431fce214dc0f0838fa8969142296a20c3887282750521ee41518 ee29459f34c2d80b939ee41268e4c7f09eb639b2f4b97346ef10722d999323ec eeb4caedbe98e144bf7e30165f9c4e16525b964927af3dda94616abe18d0c476 ef25d0b852fc83e6843c0ad7e081cbcc4541a4a0713f81a8261375f451585f6b f02094836adc271479734dfd5326a74f79a7545b679df03e03e339cd5db0c116 f3ba5d0b27ff406dcd1c624aee919f394d231b878f040ec23e36c7f0cf81df99 f77ff256c9e359a4d6fb7dc28aebaef987c919c54b001494e1624df09b73fb26 f78bfa34d031119443d2e4fac2c291cd2e16fe932cec448cd88b8f8592aa76d5 f7b5c622fd5f295615df5af2ad883f5946ad2f72002c4c3be1a9ad0df7c2b2e5 fb82d8338af07adaa5d46c372e5597015ccfb0f6e48dd9dbfceb282d5e8781b7 fd56107c80cef6e7b7493d01175d6801ba28c0393c4f36f440bc97c8cf5f0e3d ## CnC domains 30miles[.]xyz antivarevare[.]club antivarevare[.]pw bavadivaclub[.]club beradocolon[.]top bluekit[.]pw bonwes[.]bid bredretre[.]uno carztesla[.]xyz chumocarz[.]club citytrallbus[.]xyz colocarantino[.]xyz cosacasa[.]top costacolonel[.]club costamustero[.]pw coucarachiz[.]top cozyappt[ ]club ----- crossbones[.]email cryptocrio[.]pw cryptocrio[.]top cucumberz99[.]club dayafterthe[.]xyz dezisenkor[.]club docccutime[.]xyz emergencytoolz[.]pw extraordinarycurc[.]club fekilopol[.]xyz fidelliware[.]pw filacolonel[.]site filteroggy[.]pw fishmak[.]pw flighfinder[.]xyz flightslots[.]online forwardnogi[.]pw fullplainefares[.]club gerenada[.]club glassyradua[.]xyz goodservers[.]top herekeder[.]best instarobotics[.]club loacorecoder[.]club menosmeno[.]best millogorillo[.]top nadalia[.]top northdestrickt[.]top oggytarakan[.]club oggythecoucca[.]xyz polymorphis[.]top pravizzillo[.]club pravizzillo[.]email presserdresser[.]best pythonfinder[.]top safebanktest[.]top seguridadcolonel[.]club sharedocar[.]xyz smallhole[.]club svaerossi[.]pw tourdayly[.]top trythisone2[.]best ----- uxozhuki[.]pw vereseptem[.]pw withoutemblems[.]top ## References -----