# The new Bigviktor Botnet is Targeting DrayTek Vigor Router **blog.netlab.360.com/bigviktor-dga-botnet/** Alex.Turing July 10, 2020 #### 10 July 2020 / DDoS ## Overview #### On June 17, 2020, 360Netlab Threat Detecting System flagged an interesting ELF sample ( dd7c9d99d8f7b9975c29c803abdf1c33 ), further analysis shows that this is a DDos Bot program that propagates through the CVE-2020-8515 vulnerability which targets the DrayTek Vigor router device, and it uses DGA (Domain generation algorithm) to generate C2 domain names. The program uses "viktor" as file name ( /tmp/viktor ) in the propagation process, also a special string 0xB16B00B5 (big boobs) was used in the sample, we combined the two and named it Bigviktor. From the network’s perspective, Bigviktor’s DGA generates 1000 domain names every month, and traverses the 1000 domain names by requesting RC4 encryption & ECSDA256 signed s.jpeg, When a live C2 responses the request, bot then takes the next step to request for image.jpeg from C2 to get more instructions. Bigviktor supports 8 kinds of instructions, which can be divided into 2 major functions • DDoS attack • Self-renewal The overall network structure is shown in the figure, ----- ## Botnet scale ### Daily Active Bot #### DGA is a double-edged sword. While giving the author good chance to evade detection, it also gives security researcher the opportunity to register domain names to hijack infected hosts of botnets. We registered several domains names generated by Bigviktor in June and July ( workfrequentsentence.club, waitcornermountain.club ), so we were able to tap into it network to measure the scale of the Botnet. As of now we only see about 900 active ----- #### infected IPs. However, When taking a look at the requests of Bigviktor DGA domain name, we can see the trend is steadily going up. Its daily active Bot trend is shown in the figure below: ### Bot geographic location ----- #### The IP area distribution of infected devices is as follows: The main ASN distribution of these IPs is as follows: ``` 412 AS45899|VNPT_Corp 194 AS7552|Viettel_Group 190 AS18403|The_Corporation_for_Financing_&_Promoting_Technology 90 AS3462|Data_Communication_Business_Group 82 AS15525|Servicos_De_Comunicacoes_E_Multimedia_S.A. 66 AS8151|Uninet_S.A._de_C.V. 52 AS45903|CMC_Telecom_Infrastructure_Company 34 AS3352|Telefonica_De_Espana 28 AS17552|True_Internet_Co.,Ltd. 22 AS8881|1&1_Versatel_Deutschland_GmbH ### Infected device #### By obtaining the title of the infected device's 80, 8080, and 443 port web pages, we know that the currently distributed version of the infected DrayTek Vigor router is: 269 Vigor 2960 107 Vigor 3900 87 Vigor 300B ## Reverse analysis ``` ----- #### We have captured a total of 2 versions. The first version of the bot program seems to have bugs and cannot run normally. This article uses the latest version as an example for reverse analysis. ``` MD5:dd7c9d99d8f7b9975c29c803abdf1c33 ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped Packer: None Generally speaking, the Bigviktor function is relatively simple. It binds a local port at runtime to implement a single instance, uses the RC4 algorithm to decrypt sensitive resources, including the strings to be used by DGA, and then uses DGA to generate 1000 C2 domain names based on these strings. Then the bot uses the libcurl library to send a request to the built-in legit websites to test network connectivity. If the network is up, it moves on to next step to request the s.jpeg from the C2 domain to verify the legitimacy of C2; after passing the legality test, it goes to final step to request the male.jpeg and image.jpeg resources from the C2 domain to conduct DDos attack. We can roughly divide the bot behaviors into two categories: auxiliary behavior and malicious behavior, let us take a close look. ## Auxiliary behavior #### 1: Use libcurl library to access network resources DNS Option: 1.1.1.1,8.8.8.8 User-Agent Option: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" Accept Option: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 2: Bind port 61322 to implement a single instance ``` ----- #### 3: RC4 encrypts sensitive resources, the resources include the stings required by DGA, legit websites, upgrade file storage path, etc. The RC4 key is ``` DA B2 F1 F7 32 FD 03 BA 58 DB FF 53 8B F2 6F 01 02 FF 00 01 03 05 00 DE 02 FF 00 01 7C DF 92 91 Take the suffixes required by DGA to generate domain as an example, the ciphertext is as follows ``` ----- ``` 00000000 34 f5 96 77 11 66 35 4f 1d ae b6 04 57 77 79 9d |4õ.w.f5O.®¶.Wwy.| 00000010 db 36 d4 a8 38 5a e2 9f 6a a2 79 bf 6a 6f bf 2f |Û6Ô¨8Zâ.j¢y¿jo¿/| 00000020 cb 84 63 d4 70 c7 64 11 c6 d0 71 b3 f0 bb 54 c9 |Ë.cÔpÇd.ÆÐq³ð»TÉ| 00000030 cc f7 50 60 e2 53 72 1a ae 87 61 17 88 b0 2a 04 |Ì÷P`âSr.®.a..°*.| 00000040 71 ec f8 3d cc 42 8b 28 27 81 9b 4d 80 0c 50 3f |qìø=ÌB.('..M..P?| 00000050 d5 01 4b 8d 62 48 7f 88 7f a0 09 b9 53 b0 a0 0d |Õ.K.bH... .¹S° .| 00000060 41 6c 59 cd 2a 42 36 f1 71 71 12 bf fd 59 66 52 |AlYÍ*B6ñqq.¿ýYfR| 00000070 b2 ab c4 1e c5 30 14 19 c8 08 82 ee 29 8c 54 ab |²«Ä.Å0..È..î).T«| 00000080 34 99 0e f1 15 c8 e6 69 5e 33 3c c7 c6 ee 44 8a |4..ñ.Èæi^3<ÇÆîD.| 00000090 c2 b4 7c 76 fc 08 cf cd 0c db 34 82 e0 08 40 52 |´|vü.ÏÍ.Û4.à.@R| 000000a0 07 ec d4 0e e9 57 ee 4f 2d 0b 7e 19 51 75 b4 10 |.ìÔ.éWîO-.~.Qu´.| 000000b0 3b 97 d8 29 64 aa 4b 5c 67 77 16 b6 36 4b 6d c2 |;.Ø)dªK\gw.¶6KmÂ| 000000c0 47 09 bd b0 a7 d4 43 21 2c e5 af 41 8a ea 25 dc |G.½°§ÔC!,å¯A.ê%Ü| 000000d0 fe d3 18 28 bc 19 07 19 cd f0 84 51 9e 6a 3e b1 |þÓ.(¼...Íð.Q.j>±| 000000e0 5f 2a e0 13 51 ba 62 46 26 83 86 63 0b ed ad be |_*à.QºbF&..c.í.¾| 000000f0 59 51 e7 0b cf a7 d0 1a 94 e8 ed c2 cc f2 21 17 |YQç.ϧÐ..èíÂÌò!.| 00000100 e5 7a b5 6f 84 66 8a a1 c1 18 52 cb 50 38 6b ea |åzµo.f.¡Á.RËP8kê| 00000110 4b 10 13 56 13 b4 9c b2 3b b4 3e 4c 3c cc 01 cc |K..V.´.²;´>L<Ì.Ì| 00000120 81 ab 13 97 6c 49 e7 85 54 5f d0 92 3f 9b 7d a8 |.«..lIç.T_Ð.?.}¨| 00000130 44 72 81 54 50 4f e1 7f b5 fd 1a 78 3b 14 e3 d4 |Dr.TPOá.µý.x;.ãÔ| #### After decryption 00000000 61 72 74 00 00 00 00 00 00 00 00 00 00 00 00 00 |art.............| 00000010 63 6c 69 63 6b 00 00 00 00 00 00 00 00 00 00 00 |click...........| 00000020 63 6c 75 62 00 00 00 00 00 00 00 00 00 00 00 00 |club............| 00000030 63 6f 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 |com.............| 00000040 66 61 6e 73 00 00 00 00 00 00 00 00 00 00 00 00 |fans............| 00000050 66 75 74 62 6f 6c 00 00 00 00 00 00 00 00 00 00 |futbol..........| 00000060 69 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |in..............| 00000070 69 6e 66 6f 00 00 00 00 00 00 00 00 00 00 00 00 |info............| 00000080 6c 69 6e 6b 00 00 00 00 00 00 00 00 00 00 00 00 |link............| 00000090 6e 65 74 00 00 00 00 00 00 00 00 00 00 00 00 00 |net.............| 000000a0 6e 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |nl..............| 000000b0 6f 62 73 65 72 76 65 72 00 00 00 00 00 00 00 00 |observer........| 000000c0 6f 6e 65 00 00 00 00 00 00 00 00 00 00 00 00 00 |one.............| 000000d0 6f 72 67 00 00 00 00 00 00 00 00 00 00 00 00 00 |org.............| 000000e0 70 69 63 74 75 72 65 73 00 00 00 00 00 00 00 00 |pictures........| 000000f0 72 65 61 6c 74 79 00 00 00 00 00 00 00 00 00 00 |realty..........| 00000100 72 6f 63 6b 73 00 00 00 00 00 00 00 00 00 00 00 |rocks...........| 00000110 74 65 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 |tel.............| 00000120 74 6f 70 00 00 00 00 00 00 00 00 00 00 00 00 00 |top.............| 00000130 78 79 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 |xyz.............| 4: Access a legit website to test newtork connectivity and obtain the current date ``` ----- #### The legit websites can be decrypted by RC4, and we got the following sites ``` jd.com weibo.com vk.com csdn.net okezone.com office.com xinhuanet.com babytree.com livejasmin.com twitch.tv naver.com aliexpress.com stackoverflow.com tribunnews.com yandex.ru soso.com msn.com facebook.com youtube.com baidu.com en.wikipedia.org twitter.com amazon.com imdb.com reddit.com pinterest.com ebay.com tripadvisor.com craigslist.org walmart.com instagram.com google.com nytimes.com apple.com linkedin.com indeed.com play.google.com espn.com webmd.com cnn.com homedepot.com etsy.com netflix.com quora.com microsoft.com target.com merriam-webster.com forbes.com tmall.com baidu.com qq.com sohu.com taobao.com 360.cn tianya.cn Visit one of these URLs to get the current date, which will be used in DGA. format %a, %d %b %Y Fri, 10 Jul 2020 ## Malicious behavior #### 1: Use the C2 domain name generated by DGA The format of the domain name is [prefix.]verbe[-]adjective[-]noun.surfix, the content in [] indicates optional, theprefix has 40 words, the verbe has 100 words, the adjective has 525 words, noun has 1522 words, and surfix has 20 words. The algorithm is implemented as follows ``` ----- ``` void GenNewKey(uint32_t &key) { uint32_t tmp = key ^ (key << 13) ^ ((key ^ (uint32_t)(key << 13)) >> 17); key = tmp ^ 32 * tmp; }; string c2url; GenNewKey(seed); //1:prefix part if (seed % 5 == 0) { GenNewKey(seed); c2url += prefix[seed % 40]; c2url += "."; } //2:verbe part GenNewKey(seed); c2url += verbe[seed % 100]; GenNewKey(seed); if (seed % 10 <= 1) c2url += "-"; //3:adj part GenNewKey(seed); c2url += adj[seed % 525]; GenNewKey(seed); if (seed % 10 <= 1) c2url += "-"; //4:noun part GenNewKey(seed); c2url += noun[seed % 1522]; c2url += "."; //5:surfix part GenNewKey(seed); c2url += surfix[seed % 20]; #### The current date converts into a string with format %b %Y 00:00 and the initial key is the first 4 bytes of the SHA256 value of the string, for example currtent date: Fri, 10 Jul 2020 format ---->Jul 2020 00:00 sha256 ---->6ac0f83915ed5d7b9bb7055723084df001b16a552d758de3c415f083f931ab8c get first 4 bytes ----> key=0x6ac0f839 Therefore, the DGA doamin is different every month. Taking the July key (0x6ac0f839) as an example, the first 5 domains generated c2url: decidefresh-county.in c2url: payculturaltour.org c2url: standvisiblereach.rocks c2url: meanforwardcap.top c2url: raisefitsize.rocks ``` ----- #### When we observe the actual DNS data in packet, we can see the result matches. See the end of the article for all DGA domains in July. 2: Get the current effective C2 To connect to a vaild C2, Bigviktor start from a random position of the 1000 DGA domains. If there is no valid C2, it goes back to the first domain name and start over again. In order to ensure that the network is completely controllable and not stolen by others, Bigviktor will verify the signature of the s.jpeg file. Only after passing the signature verification, a C2 is deemed valid. ----- #### The real payload encryption is hidden in the jpeg ( s.jpeg;image.jpeg )file. The structure of jpeg is IMAGE DATA(16 BYTES): Half-RC4 KEY(16 BYTES): Ciphertext . Each ``` sample integrates a Half-RC4 KEY(16 BYTES),each payload integrates a Half-RC4 KEY(16 BYTES), two Half-RC4 keys are spelled into a complete RC4 key(32 BYTES); also a hard-coded ECDSA256 public key is used to verify the decrypted payload. Half-RC4 KEY: 82 BC 09 D5 47 A9 37 27 8F ED F1 7B 29 2A FA 67 Pub KEY: 03 2F 37 51 43 1F A3 58 81 66 86 F7 BA 4C A2 30 45 2C 9B 9E 12 9A E9 97 CF 69 09 CF 7F 42 D4 97 88 Take s.jpeg(md5:4c6d0bed21bc226dbaf4e6adc7402563) as an example Splice out the complete RC4 key Half RC4 KEY from s.jpeg + Half Rc4 from sample ----------------------------------------------------- 46 00 B2 65 B0 3F 97 7F CF CB 65 31 1F D2 B3 A0 82 BC 09 D5 47 A9 37 27 8F ED F1 7B 29 2A FA 67 ``` ----- #### Decrypt Ciphertext to get When the verification is successful, a valid C2 is obtained.The procedures of verification need to meet these condition signature verification Plaintext[2] ==\x00,Plaintext[3] ==\x09 C2 in the plaintext is same as the Dga domain which responds to the s.jpeg request. 3:Ask for specific tasks from C2 After the Bot obtains a valid C2, it will request the image.jpeg resource from C2 Similarly, image.jpeg also needs to be decrypted and verified. After successful verification, the Bot will perform the corresponding DDos attack or update according to the instructions of image.jpeg. ----- #### Bigviktor supports a total of 8 operations, cmd cmd description 1 null 2 connect attack 3 tcp syn attack with fixed source ip 4 tcp syn attack with random source ip 6 update 7 tcp syn attack with random sourceip from male.jpeg 8 tcp syn attack with random sourceip from male.jpeg 9 null Take a payload from June,image.jpeg(md5: 2e8c223f8ac1f331c36acd32ee949f6f ) as an example Decrypt Ciphertext to get ----- #### We can see that bot will launch connect ddos attack and the target is 202.162.108.55:80. The result matches the pcap info. ## Contact us #### Readers are always welcomed to reach us on twitter, or email to netlab at 360 dot cn. ## IOC #### Sample MD5 ``` 7b1ab096b63480864df7b0dcfebe2e2e dd7c9d99d8f7b9975c29c803abdf1c33 URL http://91[.219.75.87/binary http://91[.219.75.87/arm7 C2-IP 151.80.235.228 AS16276|OVH_SAS France|Hauts-de-France|Gravelines C2-Domain useinsidehigh.com:80 writeseparateliterature.com:80 Payload 4c6d0bed21bc226dbaf4e6adc7402563 s.jpeg 2e8c223f8ac1f331c36acd32ee949f6f image.jpeg ``` ----- #### DGA domains in July ----- ``` decidefresh county.in payculturaltour.org standvisiblereach.rocks meanforwardcap.top raisefitsize.rocks www2.tellapartspring.realty expectrawknee.com decidesurepizza.rocks img.leavetall-sky.nl dodifferentuser.fans become-thatspare.futbol play-better-parent.observer telldesignerpanic.art appear-weakrate.observer support.showremote-conclusion.fans raiseover-piano.org meancoolpick.pictures bringjunior-bench.art ssl.remainunhappyboy.info readafterask.net leavelogicalambition.tel takedramaticprimary.rocks test.likerarereality.xyz cloud.runconstantnerve.fans stopseafemale.observer offer-individualthroat.fans meanthickprivate.info turnfederalemploy.art tellcold-top.one mail2.comefirmdeposit.nl liketypicalcorner.net buyliving-balance.observer video.continueleft-contact.nl askformer-mission.top learnaggressive-she.org email.hearlateformal.in keepunitedbirth.art turntruebreakfast.futbol cutmaingolf.art dev.likefemalepush.rocks dev.holdfeelingpreference.click findvariousfish.tel tftp.seempowerful-south.art video.comepureproposal.link watchcapable-sample.rocks growborn-law.click bringefficientvalue.one beginlower-man.nl speakoriginalworld.one putmoneyearth.fans have-wastebutton.futbol findwildcollar.info livepotentialdebt.pictures mail.pull-capableprofession.tel passbornsafe.rocks ``` ----- ``` spendcuteform.realty walkgrandspot.pictures take-scaredline.art set-expensiveice.click getnovelscratch.in look-existinghang.com cloud.considerunhappymain.click www.hold-futuredisk.rocks openlegalbus.fans blog.hearfreshmachine.tel mail.callthatcouple.click leaveswimming-cold.one go-healthyproject.observer meanconnect-construction.nl walknervous-video.nl becomelast-western.com remembersquare-sale.info provide-roundwill.com blog.standswimming-double.rocks secure.seem-famoushire.tel speakotheropening.org holdsudden-psychology.top hold-frontfilm.one bringbusinesshold.realty giveacceptablepay.link allowremoteindependent.pictures helpsillyhate.click knowyellowinstruction.info seeinternationalmachine.art considermalescrew.click paylife-camp.tel makeold-course.com www2.becomewarmrefrigerator.nl download.decidewisecourt.rocks lose-originalemployer.observer leadeastprompt.futbol changeconfidentboot.art waitcornermountain.club ww1.understandlegal-cancel.link suggest-global-other.realty changeluckytitle.com playprivateconstruction.art blog.mean-anyimagination.info decide-currentemployment.top considerupsetvirus.fans letcornercurve.fans talkfamousfather.club findvastcoat.org mail2.use-farbitter.org remember-chemical-status.tel vpn.try-signalsort.org addhappyswim.xyz standsuddeninternal.tel raiseanxiousguitar.one speak-weekly-hire.org ``` ----- ``` needclosetonight.realty mail.fallfrequent-affair.fans startpregnantreference.pictures appeartight-fun.fans cutplastic-drag.club worksea-assumption.com buytrainingdrag.one needfemalebrown.futbol want-mountainform.observer pop.getless-remove.pictures mail2.runelectronic-collar.fans raiselogicalpin.tel believeextraorganization.realty remote.servepleasant-cloud.pictures allowotherdesire.in set-partycount.realty diecutemuscle.net start-sexualfactor.net dienearbychart.xyz ns1.requireanxiousflight.nl a.happenaction-item.tel secure.reportperfectyouth.xyz runtraditionalact.observer becomeunfairsugar.info news.growfrontclimate.tel images.expectpurplewriter.pictures images.seemmaterialvegetable.pictures runsuitablestruggle.xyz appearfullfoundation.tel sellharddead.in continuebothpipe.com watchvegetabledatabase.click stopmiddleapple.net use-sweetdebt.rocks meet-purechurch.club hearduewarning.nl adddifferent-reference.nl download.takehousemom.click buildrawcloset.xyz putactualsecond.realty move-muchagreement.club vpn.letfirst-concept.observer th.sitthin-character.rocks www2.dieseparatefeed.in blog.buyextremeatmosphere.click believelegalscale.info buildappropriatestable.net watch-coolproject.fans doalternativeseries.link pull-inevitable-medicine.org staybroadcost.fans seeofficial-thanks.net readlostdiscount.art serve-redtour.fans showleatherloss.click ``` ----- ``` x.putweird situation.net loseanotherdisease.realty mail2.become-alternativeside.futbol setimpressive-sign.click x.appearavailablebad.realty startunusual-status.futbol noc.waituglyclick.org download.buildthinkreserve.fans expectvegetablecurrency.xyz ftp.spenddirtyrepublic.tel email.die-prettycandle.art pop.make-active-pass.click lovebeginningvast.realty includeotherwisefamily.xyz work-historicalarm.nl passclosescience.pictures a.sitloud-damage.info addinternalfreedom.futbol set-okconcert.realty requireenvironmentalhelp.nl download.need-beginningfinal.art offerdecent-twist.in dieoriginalpeak.futbol learnremarkabledefinition.futbol killembarrassedclient.net killterriblerecord.tel images.createrichdisplay.observer holdlowerfunny.fans sitsorrycash.realty playprevioustrain.net changewestbar.net showaggressivedamage.nl feelnecessary-counter.click liveproudconsequence.realty try-decent-joint.info trylatter-trainer.com showsick-crack.tel help-animal-boyfriend.org followpropercollar.nl take-cultural-white.futbol workindividualpull.click dosecuregeneral.link likeseaprogress.art worktrueamount.info pullmalechurch.info loseseaconstruction.realty addliveruin.top writerelevanteast.com helpsquare-ticket.org start-unlikelyspring.top cutrepresentativeslice.xyz seemiddle-cigarette.in stopafternoonhistory.xyz comedrunkindustry.rocks workenvironmentalthing.club ``` ----- ``` considerover expression.xyz reportcreative-advance.rocks remainfemaleblind.observer leavewildcarry.observer web.mean-businessgreen.observer followworkstar.futbol allowamazing-operation.click gw.havefreshversion.org remembergrosssingle.click likecutedevelopment.info images.showwest-funeral.club letclassicrefrigerator.in sayinterestingshow.com writesufficientglad.click test.considerusefuldrawing.art liveslowstar.link comebudget-improvement.com setconfidentessay.link happenunablerock.tel sitapartdepartment.org continueopenmap.com test.writepretendcheek.one build-representative-score.club happen-eithermajor.realty ssl.passplasticdiscussion.observer killbestinevitable.futbol pullelectricaltone.observer img.movemeanadvertising.in startsuccessfulsick.link createinevitablelayer.one setwinterfee.pictures allow-exactsport.info helpapartpossession.org gw.appearsuchquality.com becomefutureleather.xyz use-leastmarriage.xyz includebestjacket.rocks cam.turn-federalnovel.tel meetelectricalmain.click pop.needmajor-pin.com noc.sit-royaltrouble.net offerwildincome.top remote.heareveningwhole.xyz serveokexchange.click come-totalsignature.club offerlowersimple.one test.cutforwardnasty.nl livemassive-give.org ssl.understandweird-chocolate.info becomeparkingpositive.fans know-excitingappointment.realty playtemporaryhand.tel growdaughtercross.in reportculturaldistance.club decide-physicalexam.com ``` ----- ``` sell ordinaryradio.com buy-big-reason.org ww1.bedependenthospital.top th.continuenexttop.in feelenoughmedicine.net continueflat-meet.org hearresidentworry.futbol servesufficientplace.art x.leadnervouspresident.info suggestminorconcept.link img.providecomprehensivenerve.nl winloosefeedback.nl findoppositebonus.one change-evenexplanation.link walkdeadluck.futbol sitbusiness-note.rocks happenfungather.fans offer-characterdiamond.xyz know-first-background.link dev.show-trainingdouble.in keepmanycard.top ns1.makechance-chapter.click reportsparegear.one images.remainthin-wall.observer lovesuperconsideration.rocks www.dostraightcalm.observer letfutureslide.one findmediumlog.net require-globalfix.fans keep-forwardsomewhere.link bringparkingperception.observer web.fallleastcamera.top showparkingconcern.futbol find-worksun.one web.tellaccuratefoot.club tellleft-scene.observer appeartop-writing.link likeextremecategory.info learnheadexchange.realty passlogicalminor.link asktotalfile.in watchasleeplight.futbol bringpluscan.futbol email.be-careful-midnight.one video.offer-psychologicalknowledge.info seemostuncle.realty ftp.takelegalcourt.observer followwillingpsychology.link continueexactresponse.observer shop.seeplentyboot.pictures ns1.make-wonderful-hold.observer pop.sayalonelight.realty include-severe-society.click followsuspiciousmoment.nl tftp.includerepresentativepost.xyz ``` ----- ``` helpsuccessfultitle.top includevisualconsideration.observer bringafraidslide.realty learnchancetelephone.info movesmallentrance.org give-superdate.nl requiredaymoment.in likeactionif.futbol noc.likeemotionalpreference.one openhorror-tie.realty expectevenmilk.top meanactioninternet.link images.begreen-simple.one includeleather-she.pictures talkawareissue.club sayindependentplayer.xyz changeillegalriver.info seelongthroat.observer playanxiousrole.info feelminutedegree.observer follownastymountain.rocks tellprettyegg.org passactualstable.observer mail2.leadbestmistake.observer help-aliveresearch.info runsalt-college.com tellbest-necessary.link requireannualpolice.pictures pullyoungview.realty makedarkcontract.observer shop.help-healthythought.net remain-practicaloutside.observer sellenvironmental-harm.futbol stop-thismilk.info includeuniquecandle.pictures thinkrelevantchildhood.org webmail.waitspecialistcompany.in seem-brilliant-device.futbol takerightpartner.observer mail.useplanebus.fans thinkperfectcompany.tel appearpresentshirt.realty bringupstairscommunity.club keep-electronicinteraction.in fallnice-blue.link sendappropriatefuneral.info tellawaydesign.top tftp.runswimmingimprovement.fans lookthenpositive.pictures moveplastic-history.top havewildhit.com cloud.playsouthnormal.nl setswimmingsuit.in movepositivemove.link playgrosslandscape.art ``` ----- ``` createnextguest.rocks gominutepie.club killfemaleprofile.click spendimmediaterush.club openweekly-watch.one dev.believedesignercharacter.in try-redcommittee.com tftp.providestill-thing.net includemothermiddle.realty smtp.writebeginningitem.xyz open-proudprinciple.com noc.expectbravewonder.art readcivil-slip.click go-motorprofessor.click feeldramaticdig.pictures beexcellentangle.xyz startafterchemistry.xyz vpn.give-formerhat.top writefunnyassignment.fans webmail.buy-roughcigarette.fans giverawdistrict.xyz come-historicalinstruction.org mail2.tellannualarrival.observer server.find-simpleincrease.in img.live-informal-desk.futbol buildefficientstaff.rocks seeguiltybike.futbol allowtypicalmonitor.link look-famousexcitement.nl lead-awaybar.observer readdresssense.link www1.rememberlocalgift.in buildusualrisk.observer work-extremestop.link read-educationalpanic.net expectagohusband.in includepowerfulworker.info losewholeauthor.com work-wastedivide.in sellbig-test.org require-livingmeaning.com spendusedchildhood.click needvaluableanywhere.pictures likesoftbowl.net helpcivil-net.org callupstairseconomy.link readkitchenmotor.click fallcalmanimal.pictures email.takefederal-leading.xyz wait-rareenergy.com needsaltswim.click winlower-command.in tellhugecandidate.one reportrawchapter.xyz beginaccurateoriginal.tel ``` ----- ``` setshotguard.one remote.turnpartyengineer.club buyhousecomfortable.com turn-successful-official.observer tftp.walkmediumgroup.futbol fallpriorshopping.futbol waitpleasantquality.rocks showscaredsquare.one stop-closecard.tel moveminimum-self.rocks support.followholidayairline.observer playdarksociety.top sitenoughdetail.net becomeaccurateuser.rocks workheavybrief.fans setafteradult.net makewhat-title.club hear-relative-philosophy.observer keepmoneygrade.pictures spend-firstinterest.art asklocalnasty.link talk-alive-family.nl sell-significantoccasion.top bedressfold.fans waithappysell.top lead-lostsurround.link findinternalmain.realty think-legalresult.link www2.dofullhold.club beordinarynews.art pass-wineunit.nl appearemergencytruth.info turndistinctscreen.nl leadfederalwater.top think-capable-concentrate.in bringdrunk-monitor.com set-joint-equivalent.com understandinnercompany.art loveleather-extent.click trypatient-detail.one appearminutehunt.one askinteresting-daughter.club ssl.expectupsetif.club rundesperatebook.tel speakdressinternet.com needcuriousfootball.top noc.stayaccuraterelative.link bringshotdemand.com movefreenature.com ww1.changeshotprofit.pictures standsexual-instruction.com readweakpoint.realty growrealistictext.realty knowunfairprocedure.futbol appear-leading-jacket.observer ``` ----- ``` news.losefairsuit.top pullleading-promotion.top looklessparent.xyz likeoutsidepresence.one webmail.talk-normalred.link look-small-image.org show-clean-command.art startfriendlyconstant.info lookwholebelt.xyz learn-sweetcream.top dieeitherimage.com suggestfunny-salt.link sithealthymembership.info playculturalresponsibility.com saygeneralprize.pictures appearhonestcup.org begin-leftspare.one believepublicpermit.in mail2.lookcreativeintroduction.in fall-capablepersonal.in hearnorth-fortune.com learncuriousideal.link remote.havecompletesoil.net dosmoothhousing.info reachinternationalchapter.one understandafternoon-oven.art provideenoughrich.one web.showplanegrandfather.in report-existinginstruction.tel dodecent-entry.in becomestreetnose.info video.gomaterialcap.realty killtemporarybrush.com th.lookpracticalteacher.one hear-basiccrew.realty talkexpertbirthday.realty mail2.get-evenversion.art comeadultfamily.art smtp.understandillegal-great.one img.addangrylip.in stopsilvernews.nl continue-mentaleffort.xyz dieafternoonvisual.click trywhite-juice.club ask-betterequipment.nl go-awareinflation.rocks provideeducationaltie.link loveunfairlow.org buildnational-preference.realty readvariousengineer.one learndry-possible.click expectunlikelygrand.info raise-weekly-till.net take-rare-figure.xyz seeplasticbeing.click ``` ----- ``` leavekindeducation.club includecorrectmembership.futbol continueinitialgrocery.realty workrelevant-tackle.observer feelinternal-grandfather.link playsafeunion.link know-deep-brick.nl offerillegaldrink.fans writeoldpolice.one offerdowntown-stand.top spendopeningchart.realty losefewmouth.org staymaterialcash.observer sitpastgirl.futbol providetraditionalanybody.realty buildnicelake.one www2.killnumerousdriver.nl haveappropriatewhite.realty dovegetableguard.tel mail.sendconsistentsafety.info remember-independentstorm.net startequivalentship.org think-leftcapital.pictures work-basicexpert.info considerhonest-north.nl a.callresponsible-difference.observer walktimefuneral.one allowroundminute.xyz gounable-administration.tel th.sendsilverscale.link pull-particular-trainer.net movegreengrowth.futbol rununhappysecretary.fans leaveangryextreme.link loseeast-possibility.pictures live-prettyhalf.fans images.cutnegativeentrance.club beginslight-application.nl understandboring-drink.click secure.askafterjoin.realty learnstillintroduction.click comegladsalt.realty sitgrandbench.art watcheducationalcloset.nl appearoldboss.tel remainmaximumrepublic.fans buyavailablestay.net play-happyrefrigerator.tel understand-leftnet.tel spendgamenurse.tel add-localmuscle.art understandvisiblefire.rocks www.runjuniorstress.observer runold-response.art continuepracticalswitch.observer ``` ----- ``` sellextension fall.click start-negativecourse.com spendlegalrepeat.com diecornerconsideration.click leadresident-drive.futbol www.payforeignglad.club play-logical-unit.net become-used-grass.pictures cutsubstantialdeal.rocks standfinalbid.art leaddependenttale.futbol die-used-back.in play-flatambition.nl raiseagent-pressure.art openthenmouse.top readobviouscow.info useresidentfunction.tel standafterpicture.observer raise-proofmight.xyz needfarking.club showseriousback.art smtp.sitprizerelative.observer raiseextensionmuscle.art know-financiallecture.rocks lookdeepmake.com providenewexamination.click keep-constantfinish.click feelconnectconcert.link noc.buildacceptablewait.futbol openexactanimal.one send-bestweb.one expectstrangeprocedure.realty passsevereconfidence.club x.setentire-cup.pictures server.thinkpurplerepeat.info download.paytightcomparison.top goagent-read.in sendcapital-recording.xyz follow-femaleside.nl likecoldclient.net happen-sparelay.click makedecent-individual.net waitwhite-bit.nl sellwestreport.fans work-realisticdevelopment.art goworkingprize.rocks do-plenty-cross.realty takethink-force.observer suggestsevereblood.art meandirtybox.nl admin.loveeastfood.org staymental-energy.xyz go-local-gap.club email.servepoliticalhighway.org callnorthkiss.club ``` ----- ``` email.takesilver impact.rocks sellweirdsensitive.club staydifferentobject.nl writesilverstruggle.net server.allowdrunkabuse.com livestatusnail.in movetimething.nl reportresponsibleswitch.tel writeseparateliterature.com sitnearby-tackle.nl addpsychologicalbuilding.org buy-moremarch.click serveofficialpoint.art comesmartfeeling.one ww1.be-lostwindow.net addavailablekind.xyz bringupstairs-adult.realty set-consistent-property.one watchaggressivecategory.info begin-both-branch.futbol th.runroutineinvite.net stopproofcommission.info play-culturalplate.nl www2.read-incident-branch.net comeeitherhelp.tel appearlegalprocedure.net seemmiddledelay.tel meancreativecommittee.org www1.believesimilar-thing.futbol expectsouthinevitable.futbol seemdress-homework.top happen-homewave.rocks addpuretop.art tellreasonabledocument.click growminimumtelevision.net pop.come-awareyard.net understandvisualstation.tel secure.giveglad-city.art likenearbystomach.realty losecoolanalysis.fans getoriginaltrash.click includefamousdrag.fans spendfamiliar-gather.tel workmanychampionship.futbol learnanother-inside.tel sitbrightrope.com openunhappypicture.futbol www.trywide-principle.futbol changeminor-march.futbol workgeneraltrick.info add-criticalvoice.art buystraightdeep.fans sayintelligentaspect.click liveplasticcounty.click decideillegalquality.top ``` ----- ``` feelgold series.pictures bbs.dodrunkanything.com remainbothfeel.fans bringeasttruck.com createobviouspeople.top considerproperproduct.com adddeepresolve.link help-recentspeech.pictures happen-southcountry.art servecorner-strength.com email.likemobilelocation.click readborn-access.pictures a.takeuglyparent.com meanmountainpride.click believe-headrise.club runaccordingload.nl th.winrealpriority.rocks hearnewnegative.observer includedifferentdetail.observer buildchickentraffic.fans use-physicaldepression.tel considerpowerfulfruit.observer test.buy-timeshoulder.com playsuddenbird.in killseveral-city.one takesignalincident.in work-reasonablebreak.pictures besadenvironment.art showeastyard.one seeprettyinspector.in buygladexchange.art raiseeastbedroom.xyz letmad-juice.in expecthappydrop.nl begin-ordinarystupid.rocks goaggressivenasty.xyz writegloballandscape.in putenvironmentalimagination.futbol wantbrightear.one consider-culturalmenu.net pay-cornerfat.one suggest-relativereputation.tel cam.lookfewnewspaper.nl turn-everybitter.net find-cooloutcome.info continueexpertcontract.tel holdthickshift.observer helpdeepsnow.click trybitter-twist.pictures pop.offersingle-preparation.in seemsingleroof.observer bbs.requireobviouscandle.xyz turnroughcandy.net hearnextchest.pictures openhardmanagement.com ``` ----- ``` think exactstroke.top beginannualgirl.in providechemical-release.top th.usebestpull.com www.dolatefruit.org providebasicmiddle.org secure.lookstupidvaluable.click thinkrelevant-sail.nl givelogical-brain.net watchpotentialinitial.info startinternalgolf.net www.happen-openingcake.club tftp.pullleastbeing.art helpsaferepeat.com thinksmartfact.net cloud.let-specialcomparison.net vpn.sellroughswitch.pictures go-hungrycarpet.art follownaturalmeasurement.futbol stand-inevitabletradition.info server.speakgooddog.futbol feelsexualisland.observer understandinternationalphrase.art sellnativeself.nl love-perfecthealth.link a.waitloud-currency.observer secure.raise-illdeparture.futbol knowenvironmentalambition.observer cam.believesaltleading.observer thinkdeadsurprise.fans offerfalse-education.observer remainactive-beach.pictures www1.raisefederalclimate.club watchworkhalf.observer serveokfinish.info www2.reportcuriouswait.link run-classicspray.tel meetpastaccident.tel playplasticaccount.club standvaluablestay.com runtraditionalmess.in dev.move-significant-assignment.club considercompletequality.one addbornticket.one ftp.createsorrymembership.nl providefriendlycity.net ssl.lovegreatglad.realty wanteconomywash.net gw.setusualdouble.realty openminorboot.tel becivilappearance.rocks support.callactualsimple.click rememberbasicsuggestion.one saycompetitiveseat.in lovefast-check.link ``` ----- ``` learnsouthern art.rocks considerprofessionalowner.tel meanspecificclassroom.nl bring-fewspare.xyz read-obvious-stress.org stand-eastappointment.art killacceptabledump.click happentypicalweather.one email.stayupstairswave.top webmail.doevening-literature.realty admin.passbravesleep.observer addboth-league.realty raiseplastictowel.club comelittlebit.org gw.continuechoicelink.club happenpopularfamiliar.fans allow-classicscale.net expecttightimagination.rocks noc.beginonlypromise.art serveappropriatebutton.one usesillypermission.top include-eachpension.pictures remembertrainingpermit.rocks understandfemale-equipment.pictures dieresponsible-brief.link tftp.offer-corner-border.one saybriefgreat.realty tellkindkeep.pictures hold-tough-farmer.top passnationaldifference.net shop.send-deep-month.pictures buystrictconsist.observer offerremarkabledress.com buycomprehensiveopening.tel fall-appropriate-employee.art seemheadchip.observer sendremarkablesock.pictures sell-psychological-board.club meanimportantmarriage.in stayconstanta.nl knowfatmedium.one providecriticalplay.click beparkingtechnology.futbol speakcuriousextension.futbol www.speakwooden-evening.realty allowcomplexleather.futbol setaggressivewall.realty leadchemicalsuccess.nl createpracticalimportance.tel likeremoteinitial.info m.setsuddendesign.in killmaintransportation.com playcapitalsad.org tftp.learnsorrytype.nl keepwrongphone.futbol ``` ----- ``` let emergencysinger.observer offerafterbrick.link seemcharactermixture.club expectwild-concept.rocks makesome-tower.click sayasleepresource.art remainyellowregular.tel mean-lastoutside.org www1.movestock-nose.nl followemergency-camp.nl offernoveloutside.xyz looknicenorth.top lovetrainingtoe.observer leadwrongactor.in th.consider-immediate-specialist.top raiseslight-win.club seemlonely-quality.info tftp.buildappropriatevast.club followalonewonder.rocks web.growstillscreen.art rememberprofessionalpresentation.rocks requirestrongchip.pictures tryanotherunique.club decideopenwriting.com helpunusual-daughter.pictures email.followsmalldeparture.link rememberbeautiful-test.top send-searecipe.info buypersonallife.xyz createkitchenchild.click havemuch-page.pictures expectbackgroundaddition.observer leavequietmarket.org starthismix.link movepresentinternational.realty dointeresting-control.futbol ww1.remainsoutherncity.pictures usecarproduce.one raiseeveningcorner.art believesecret-female.net happenlivingtill.one shop.loseeaststill.xyz decidefineentry.info openphysicalsympathy.info lovevisualdebate.nl tryopeningwhile.link have-plasticdrawer.top news.tellpregnantratio.one changeunhappysecond.observer reportkitchen-formal.one trypopularreplacement.click trymaster-self.pictures wantsecretdevice.rocks feelwideestate.xyz email.killcheap-poetry.futbol ``` ----- ``` letparkingbuddy.art do-sensitivesex.info cutmanymine.xyz build-comprehensivepick.club followdirty-reach.club th.getunfairscene.futbol changeintelligentdeep.com considerhisreputation.nl buildcurrentlesson.one cloud.set-thinkpattern.one bringdeep-revolution.one askeducationalsuggestion.futbol dopretendgear.com ftp.pull-topsector.fans bringbrightpull.in work-afraidyard.art standtalltarget.in set-slight-proof.futbol vpn.diefreeyesterday.futbol liveequalbook.tel learnpretendtechnology.net startseparateopening.nl find-yellownational.fans callmedium-son.one happenexternal-candy.click stoptraditionalfuel.futbol raisetotalapplication.art spend-accordingwill.rocks pullnearbywall.tel talkeitherjuice.fans continueunablebet.observer img.cutwonderfulcheek.observer followobviouscode.club waitlonelygift.nl passaggressivedefinition.pictures ssl.putsea-people.club killleadingexam.realty waitotherwiserequirement.fans feelpure-conference.rocks stayoriginalprocess.fans pulltimeswitch.observer leadlevelcomfortable.xyz startbriefeffective.net sayembarrassed-maintenance.fans wantrelevantbar.pictures knowbornoutside.click do-innerpen.club tryresponsible-injury.click webmail.remembersafehang.art raisefewmix.in holdstatus-forever.net change-distinctrecording.net comeplasticpermission.futbol suggestgreatstudio.top email.bringpretty-guide.org ``` ----- ``` changesouth preference.org wantseverebread.futbol sellbettermail.observer decideawayad.futbol staymassive-yellow.xyz www1.understandusefulpaint.org workcheap-disaster.nl letpatientunique.link watchfair-bug.nl holdasleepstructure.observer ``` -----