YARA rules for APT1
YARA rules whose family, name, or description matches this actor or its tooling. The match is textual, so rules written for other actors whose names share a prefix (for example the APT15, APT17 and APT12 rules below) can appear here; read each rule's description and reference before using it. Use these for binary-pattern hunts.
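// Regin driver-like sample: serial-port driver debug/format strings, bounded
// by a narrow file size window, with one false-positive exclusion ($fp1).
// Fix: the original condition was `all of them and ... and not $fp1`. In YARA
// `them` covers every string in the rule, $fp1 included, so the rule demanded
// $fp1 both present and absent and could never match. The positive set is now
// scoped to $s*, which is what the $fp1 exclusion was written against.
rule Regin_Sample_1 {
    meta:
        description = "Semiautomatically generated YARA rule - file-3665415_sys"
        author = "Florian Roth"
        date = "25.11.14"
        score = 70
        hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
        id = "13478652-155f-52ba-af16-53f27c92e052"
    strings:
        $s0 = "Getting PortName/Identifier failed - %x" fullword ascii
        $s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
        $s2 = "External Naming Failed - Status %x" fullword ascii
        $s3 = "------- Same multiport - different interrupts" fullword ascii
        $s4 = "%x occurred prior to the wait - starting the" fullword ascii
        $s5 = "'user registry info - userPortIndex: %d" fullword ascii
        $s6 = "Could not report legacy device - %x" fullword ascii
        $s7 = "entering SerialGetPortInfo" fullword ascii
        $s8 = "'user registry info - userPort: %x" fullword ascii
        $s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
        $s10 = "Kernel debugger is using port at address %X" fullword ascii
        $s12 = "Release - freeing multi context" fullword ascii
        $s13 = "Serial driver will not load port" fullword ascii
        $s14 = "'user registry info - userAddressSpace: %d" fullword ascii
        $s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
        $s20 = "'user registry info - userIndexed: %d" fullword ascii
        // Exclusion string: its presence marks a benign serial driver and must
        // never be required by the positive part of the condition.
        $fp1 = "Enter SerialBuildResourceList" ascii fullword
    condition:
        // All $s* strings, 80KB < size < 110KB, and the exclusion string absent.
        all of ($s*) and filesize < 110KB and filesize > 80KB and not $fp1
}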
// Regin kernel-mode component: kernel API names (Ke*/Ps*/Ex*/Io*), storage
// driver names and an lsass.exe path, in a 30-40KB file. The description's
// file name ("hiddenmod_hookdisk_and_kdbg") is the only hint at its role.
rule Regin_Sample_2 {
    meta:
        description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
        id = "1091a598-e964-5f67-9267-531d66831bee"
    strings:
        $s0 = "\\SYSTEMROOT\\system32\\lsass.exe" wide
        $s1 = "atapi.sys" fullword wide
        $s2 = "disk.sys" fullword wide
        $s3 = "IoGetRelatedDeviceObject" fullword ascii
        $s4 = "HAL.dll" fullword ascii
        $s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" ascii
        $s6 = "PsGetCurrentProcessId" fullword ascii
        $s7 = "KeGetCurrentIrql" fullword ascii
        $s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
        $s9 = "KeSetImportanceDpc" fullword ascii
        $s10 = "KeQueryPerformanceCounter" fullword ascii
        $s14 = "KeInitializeEvent" fullword ascii
        $s15 = "KeDelayExecutionThread" fullword ascii
        $s16 = "KeInitializeTimerEx" fullword ascii
        $s18 = "PsLookupProcessByProcessId" fullword ascii
        $s19 = "ExReleaseFastMutexUnsafe" fullword ascii
        $s20 = "ExAcquireFastMutexUnsafe" fullword ascii
    condition:
        // Every string is required; no header magic check, so the size window
        // is the only structural constraint.
        all of them and filesize < 40KB and filesize > 30KB
}
// Regin backdoor sample (single SHA-256). Gated on a custom 4-byte magic at
// offset 0 rather than an MZ header, then version/hotfix registry paths and
// kernel-image names.
rule Regin_Sample_3 {
    meta:
        description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
        author = "@Malwrsignatures"
        date = "27.11.14"
        hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
        id = "eefc174f-4b17-5c90-8478-3eaaf80e9a78"
    strings:
        $s0 = "Service Pack x" fullword wide
        $s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" wide
        $s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" wide
        // Kept as extracted from the sample (note the leading 'm').
        $s3 = "mntoskrnl.exe" fullword wide
        $s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" wide
        $s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
        $s6 = "Service Pack" fullword wide
        $s7 = ".sys" fullword wide
        $s8 = ".dll" fullword wide
        $s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" wide
        $s11 = "IoGetRelatedDeviceObject" fullword ascii
        $s12 = "VMEM.sys" fullword ascii
        $s13 = "RtlGetVersion" fullword wide
        $s14 = "ntkrnlpa.exe" fullword ascii
    condition:
        // uint32(0) is little-endian, so 0xfedcbafe is the byte sequence
        // fe ba dc fe at offset 0 (the same bytes Regin_Sample_Set_1 matches
        // with `$hd at 0`).
        uint32(0) == 0xfedcbafe and all of ($s*) and filesize > 160KB and filesize < 200KB
}
// Regin kernel driver set (two samples, hash1/hash2): kernel and I/O manager
// API names plus serial/port related strings, in a 30-40KB file.
rule Regin_Sample_Set_2 {
    meta:
        description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash1 = "8487a961c8244004c9276979bb4b0c14392fc3b8"
        hash2 = "bcf3461d67b39a427c83f9e39b9833cfec977c61"
        id = "0b21091d-413e-54dd-83d1-5d824fb013f2"
    strings:
        $s0 = "HAL.dll" fullword ascii
        $s1 = "IoGetDeviceObjectPointer" fullword ascii
        $s2 = "MaximumPortsServiced" fullword wide
        $s3 = "KeGetCurrentIrql" fullword ascii
        $s4 = "ntkrnlpa.exe" fullword ascii
        $s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
        $s6 = "ConnectMultiplePorts" fullword wide
        $s7 = "\\SYSTEMROOT" wide
        $s8 = "IoWriteErrorLogEntry" fullword ascii
        $s9 = "KeQueryPerformanceCounter" fullword ascii
        $s10 = "KeServiceDescriptorTable" fullword ascii
        $s11 = "KeRemoveEntryDeviceQueue" fullword ascii
        $s12 = "SeSinglePrivilegeCheck" fullword ascii
        $s13 = "KeInitializeEvent" fullword ascii
        $s14 = "IoBuildDeviceIoControlRequest" fullword ascii
        $s15 = "KeRemoveDeviceQueue" fullword ascii
        $s16 = "IofCompleteRequest" fullword ascii
        $s17 = "KeInitializeSpinLock" fullword ascii
        $s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
        $s19 = "IoCreateDevice" fullword ascii
        $s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
    condition:
        // All strings required; no header magic, size window only.
        filesize < 40KB and filesize > 30KB and all of them
}
// Regin backdoor set (two SHA-256 samples): custom header bytes at offset 0,
// UNC/device path templates, network-class registry keys and format strings
// for address output, in a 360-450KB file.
rule Regin_Sample_Set_1 {
    meta:
        description = "Detects Regin Backdoor sample"
        author = "@MalwrSignatures"
        date = "27.11.14"
        modified = "2023-01-06"
        hash1 = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
        hash2 = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
        id = "b0f24a0b-10e7-5549-a300-516df8644cb0"
    strings:
        // Header magic; anchored to offset 0 in the condition.
        $hd = { fe ba dc fe }
        $s0 = "d%ls%ls" fullword wide
        $s1 = "\\\\?\\UNC" fullword wide
        $s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
        // Device class key; the GUID is the network-adapter class.
        $s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
        $s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
        $s6 = "\\\\.\\Global\\%s" fullword wide
        $s7 = "temp" fullword wide
        $s8 = "\\\\.\\%s" fullword wide
        $s9 = "Memory location: 0x%p, size 0x%08x" fullword wide
        $s10 = "sscanf" fullword ascii
        $s11 = "disp.dll" fullword ascii
        $s12 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
        $s13 = "%d.%d.%d.%d%c" fullword ascii
        $s14 = "imagehlp.dll" fullword ascii
        $s15 = "%hd %d" fullword ascii
    condition:
        // $hd is excluded from the `all of ($s*)` set and tested at offset 0.
        ( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
}
// Regin "Legspin" module (Kaspersky): MZ header plus a set of command /
// output keywords; all eight must be present.
rule apt_regin_legspin {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin's Legspin module"
        version = "1.0"
        last_modified = "2015-01-22"
        modified = "2023-01-27"
        reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
        md5 = "29105f46e4d33f66fee346cfd099d1cc"
        id = "2abd3605-d9bf-53f0-8521-ac8dc18d9fce"
    strings:
        $a1="sharepw"
        $a2="reglist"
        $a3="logdump"
        $a4="Name:" wide
        $a5="Phys Avail:"
        $a6="cmd.exe" wide
        $a7="ping.exe" wide
        $a8="millisecs"
    condition:
        // 0x5A4D == "MZ" at offset 0 (PE file).
        uint16(0) == 0x5A4D and all of ($a*)
}
// Regin "Hopscotch" module (Kaspersky): MZ header plus log/function-name
// strings around remote authentication and service copying; all required.
rule apt_regin_hopscotch {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin's Hopscotch module"
        version = "1.0"
        last_modified = "2015-01-22"
        modified = "2023-01-27"
        reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
        md5 = "6c34031d7a5fc2b091b623981a8ae61c"
        id = "907042ba-8e64-5ca7-9a83-70c28af1ab99"
    strings:
        $a1="AuthenticateNetUseIpc"
        $a2="Failed to authenticate to"
        $a3="Failed to disconnect from"
        // UNC path to the IPC$ share, wide.
        $a4="%S\\ipc$" wide
        $a5="Not deleting..."
        $a6="CopyServiceToRemoteMachine"
        $a7="DH Exchange failed"
        $a8="ConnectToNamedPipes"
    condition:
        // 0x5A4D == "MZ" at offset 0 (PE file).
        uint16(0) == 0x5A4D and all of ($a*)
}
// Possibly Regin-related sample: $s1 alone (a command-line template ending in
// a .dmp write) is sufficient; otherwise any three of the format strings,
// several of which overlap with Regin_Sample_Set_1. The trailing /* score */
// comments are the string-scoring output of the generator, not rule logic.
rule Regin_Related_Malware {
    meta:
        description = "Malware Sample - maybe Regin related"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "76c355bfeb859a347e38da89e3d30a6ff1f94229"
        id = "9377dd52-244f-5289-a2a3-88b6377b2dd2"
    strings:
        $s1 = "%c%s%c -p %d -e %d -pv -c \"~~[%x] s; .%c%c%s %s /u %s_%d.dmp; q\"" fullword wide /* score: '22.015' */
        $s0 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide /* PEStudio Blacklist: os */ /* score: '26.02' */
        $s2 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii /* score: '13.01' */
        $s3 = "disp.dll" fullword ascii /* score: '11.01' */
        $s4 = "msvcrtd.dll" fullword ascii /* score: '11.005' */
        $s5 = "%d.%d.%d.%d%c" fullword ascii /* score: '11.0' */
        $s6 = "%ls_%08x" fullword wide /* score: '8.0' */
        $s8 = "d%ls%ls" fullword wide /* score: '7.005' */
        $s9 = "Memory location: 0x%p, size 0x%08x" fullword wide /* score: '6.025' */
    condition:
        // No header magic or size limit: the string set alone carries the rule.
        $s1 or 3 of ($s*)
}
// PAExec (PsExec-like remote execution tool). This matches the legitimate
// tool itself, not only misuse; the low score (40) presumably reflects that
// dual-use nature, so treat hits as context rather than a verdict.
rule PAExec {
    meta:
        description = "Detects remote access tool PAEXec (like PsExec) - file PAExec.exe"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
        date = "2017-03-27"
        score = 40
        hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
        id = "ee564534-b921-5639-a7ed-5da79d6bf86a"
    strings:
        $x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
        $x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
        $x3 = "PAExec %s - Execute Programs Remotely" fullword wide
        $x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
        $x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
        $x6 = "%%SystemRoot%%\\%s.exe" fullword wide
        $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
        $x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
    condition:
        // PE under 600KB with one marker, or three markers in any data
        // (the second branch has no header or size check).
        (uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*)) or (3 of them)
}
// PsExec under a name other than its own. `filename` and `filepath` are
// external variables: they must be defined by the scanner (e.g. `-d` or the
// hosting product) or the rule fails to compile.
rule APT_Cloaked_PsExec
{
    meta:
        description = "Looks like a cloaked PsExec. This may be APT group activity."
        date = "2014-07-18"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        score = 60
        id = "e389bb76-0d1d-5e0e-9f79-a3117c919da3"
    strings:
        $s0 = "psexesvc.exe" wide fullword
        $s1 = "Sysinternals PsExec" wide fullword
    condition:
        // PE with both PsExec markers ...
        uint16(0) == 0x5a4d and $s0 and $s1
        // ... not carrying one of its stock names (the /i flag already makes
        // the three spellings case-insensitive) ...
        and not filename matches /(psexec.exe|PSEXESVC.EXE|PsExec64.exe)$/is
        // ... and not sitting in a per-SID Recycle Bin folder.
        and not filepath matches /RECYCLE.BIN\\S-1/
}
// PAExec under a name other than its own (same markers as rule PAExec, higher
// score). `filename` is an external variable the scanner must define.
rule PAExec_Cloaked {
    meta:
        description = "Detects a renamed remote access tool PAEXec (like PsExec)"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
        date = "2017-03-27"
        score = 70
        hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
        id = "fad8417b-bbdb-5a4e-8324-660e27cb39f8"
    strings:
        $x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
        $x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
        $x3 = "PAExec %s - Execute Programs Remotely" fullword wide
        $x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
        $x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
        $x6 = "%%SystemRoot%%\\%s.exe" fullword wide
        $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
        $x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*) )
        // NOTE(review): `==` and `matches` without /i are case-sensitive, so
        // only these exact spellings are excluded; a mixed-case copy such as
        // "PaExec.exe" would still be reported as cloaked — confirm that is
        // intended before tuning.
        and not filename == "paexec.exe"
        and not filename == "PAExec.exe"
        and not filename == "PAEXEC.EXE"
        and not filename matches /Install/
        and not filename matches /uninstall/
}
// Windows-compiled Impacket psexec example: module/package names embedded in
// the frozen executable. The large size cap (17000KB) presumably allows for
// a bundled Python runtime — inferred from the reference repository.
rule Impacket_Tools_psexec {
    meta:
        description = "Compiled Impacket Tools"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/maaaaz/impacket-examples-windows"
        date = "2017-04-07"
        hash1 = "27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364"
        id = "5e8d0964-7e6a-5ff6-b9db-e37f997c3e05"
    strings:
        $s1 = "impacket.examples.serviceinstall(" ascii
        $s2 = "spsexec" fullword ascii
        $s3 = "impacket.examples.remcomsvc(" ascii
    condition:
        // PE, size-capped, any two of the three markers.
        ( uint16(0) == 0x5a4d and filesize < 17000KB and 2 of them )
}
// Empire's Invoke-PsExec.ps1: function name, status message and the command
// template it builds.
rule Empire_Invoke_PsExec {
    meta:
        description = "Detects Empire component - file Invoke-PsExec.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
        id = "19aaec3e-3e8f-5d7d-9c70-a212756c0300"
    strings:
        $s1 = "Invoke-PsExecCmd" fullword ascii
        $s2 = "\"[*] Executing service .EXE" fullword ascii
        $s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
    condition:
        // 0x7566 little-endian is the bytes 'f','u': a script starting with
        // "function". Small scripts need one marker; anything else needs all.
        ( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them
}
// Batch file from the NCSC report that loops over hosts and runs a renamed
// PsExec ("ps.exe", with the Sysinternals -accepteula flag). Anonymous
// strings; any three of five match, with no file-type or size gate.
rule Batch_Script_To_Run_PsExec {
    meta:
        author = "NCSC"
        description = "Detects malicious batch file from NCSC report"
        reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
        date = "2018/04/06"
        hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
        id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
    strings:
        $ = "Tokens=1 delims=" ascii
        $ = "SET ws=%1" ascii
        $ = "Checking %ws%" ascii
        $ = "%TEMP%\\%ws%ns.txt" ascii
        $ = "ps.exe -accepteula" ascii
    condition:
        3 of them
}
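// Backdoored OpenSSH binaries (ESET "ForSSHe" families, Star Wars code names).
// Structure: (1) ELF magic, (2) proof the file is an SSH client/server/tool
// via its usage/help strings, (3) one of the per-family string sets.
// Fix: the description meta was truncated to "Signature detecting " and has
// been completed from the rule's own name, reference and contents.
// Note: `1 of ($s*)` covers every identifier starting with $s (the $s_log_*,
// $s_banodan*, $s_daemon, $s_client, $s_polis_log, $s_quarren_log sets), so a
// single short format string from that group is enough once the SSH gate holds.
rule MAL_LNX_SSHDOOR_Triton {
    meta:
        description = "Signature detecting backdoored OpenSSH binaries (ForSSHe families)"
        author = "Marc-Etienne M.Leveille, modified by Florian Roth"
        email = "leveille@eset.com"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
        date = "2018-12-05"
        license = "BSD 2-Clause"
        id = "51ec2e60-d84a-5271-a7fe-e12d597be00c"
    strings:
        /* SSH binaries - specific strings */
        $a_usage1 = "usage: ssh ["
        $a_usage2 = "usage: %s [options] [command [arg ...]]"
        $a_old_version1 = "-L listen-port:host:port"
        $a_old_version2 = "Listen on the specified port (default: 22)"
        $a_usage = "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]"
        /* SSH binaries - combo required */
        $ac_usage = "usage: %s [options] [file ...]\n"
        $ac_log1 = "Could not open a connection to your authentication agent.\n"
        $ac_pass2 = "Enter your OpenSSH passphrase:"
        $ac_log2 = "Could not grab %s. A malicious client may be eavesdropping on you"
        $ac_pass3 = "Enter new passphrase (empty for no passphrase):"
        $ac_log3 = "revoking certificates by key ID requires specification of a CA key"
        /* Strings from malicious files */
        /* abafar */
        $s_log_c = "%s:%s@%s"
        $s_log_d = "%s:%s from %s"
        /* akiva */
        $s_log_aki = /(To|From):\s(%s\s\-\s)?%s:%s\n/
        /* alderaan */
        $s_log_ald = /login\s(in|at):\s(%s\s)?%s:%s\n/
        /* ando */
        $ando_s1 = "%s:%s\n"
        $ando_s2 = "HISTFILE"
        $ando_i = "fopen64"
        $ando_m1 = "cat "
        $ando_m2 = "mail -s"
        /* anoat */
        $s_log_ano = "%s at: %s | user: %s, pass: %s\n"
        /* batuu */
        $s_args_bat = "ssh: ~(av[%d]: %s\n)"
        $s_log_bat = "readpass: %s\n"
        /* banodan */
        $s_banodan1 = "g_server"
        $s_banodan2 = "mine.sock"
        $s_banodan3 = "tspeed"
        $s_banodan4 = "6106#x=%d#%s#%s#speed=%s"
        $s_banodan5 = "usmars.mynetgear.com"
        $s_banodan6 = "user=%s#os=%s#eip=%s#cpu=%s#mem=%s"
        /* borleias */
        $s_borleias_log = "%Y-%m-%d %H:%M:%S [%s]"
        /* ondaron */
        $s_daemon = "user:password --> %s:%s\n"
        $s_client = /user(,|:)(a,)?password@host \-\-> %s(,|:)(b,)?%s@%s\n/
        /* polis_massa */
        $s_polis_log = /\b\w+(:|\s-+>)\s%s(:%d)?\s\t(\w+)?:\s%s\s\t(\w+)?:\s%s/
        /* quarren */
        $s_quarren_log = "h: %s, u: %s, p: %s\n"
        /* chandrilla */
        $chandrila_log = "S%s %s:%s"
        $chandrila_magic = { 05 71 92 7D }
        /* atollon */
        // The five regexes below match runs of stack-store instructions
        // (mov byte/dword [ebp|esp+off], imm) - an inlined string builder.
        // single byte offset from base pointer
        $atollon_bp = /(\xC6\x45.{2}){25}/
        // dword ss with single byte offset from base pointer
        $atollon_bp_dw = /(\xC7\x45.{5}){20}/
        // 4-bytes offset from base pointer
        $atollon_bp_off = /(\xC6\x85.{5}){25}/
        // single byte offset from stack pointer
        $atollon_sp = /(\xC6\x44\x24.{2}){25}/
        // 4-bytes offset from stack pointer
        $atollon_sp_off = /(\xC6\x84\x24.{5}){25}/
        /* other strings */
        $atollon_f1 = "PEM_read_RSA_PUBKEY"
        $atollon_f2 = "RAND_add"
        $atollon_log = "%s:%s"
        $atollon_rand = "/dev/urandom"
        /* bespin */
        $bespin_log1 = "%Y-%m-%d %H:%M:%S"
        $bespin_log2 = "%s %s%s"
        $bespin_log3 = "[%s]"
        /* coruscant */
        $coruscant_s1 = "%s:%s@%s\n"
        $coruscant_s2 = "POST"
        $coruscant_s3 = "HTTP/1.1"
        /* crait */
        $crait_i1 = "flock"
        $crait_i2 = "fchmod"
        $crait_i3 = "sendto"
        /* jakuu */
        $jakuu_dec = /GET\s\/\?(s|c)id=/
        $jakuu_enc1 = "getifaddrs"
        $jakuu_enc2 = "usleep"
        $jakuu_ns = "gethostbyname"
        $jakuu_log = "%s:%s"
        $jakuu_rc4 = { A1 71 31 17 11 1A 22 27 55 00 66 A3 10 FE C2 10 22 32 6E 95 90 84 F9 11 73 62 95 5F 4D 3B DB DC }
        /* kamino */
        $kamino_s1 = "/var/log/wtmp"
        $kamino_s2 = "/var/log/secure"
        $kamino_s3 = "/var/log/auth.log"
        $kamino_s4 = "/var/log/messages"
        $kamino_s5 = "/var/log/audit/audit.log"
        $kamino_s6 = "/var/log/httpd-access.log"
        $kamino_s7 = "/var/log/httpd-error.log"
        $kamino_s8 = "/var/log/xferlog"
        $kamino_i1 = "BIO_f_base64"
        $kamino_i2 = "PEM_read_bio_RSA_PUBKEY"
        $kamino_i3 = "srand"
        $kamino_i4 = "gethostbyname"
        /* kessel */
        $kessel_rc4 = "Xee5chu1Ohshasheed1u"
        $kessel_s1 = "ssh:%s:%s:%s:%s"
        $kessel_s2 = "sshkey:%s:%s:%s:%s:%s"
        $kessel_s3 = "sshd:%s:%s"
        $kessel_i1 = "spy_report"
        $kessel_i2 = "protoShellCMD"
        $kessel_i3 = "protoUploadFile"
        $kessel_i4 = "protoSendReport"
        $kessel_i5 = "tunRecvDNS"
        $kessel_i6 = "tunPackMSG"
        /* mimban */
        $mimban_s1 = "<|||%s|||%s|||%d|||>"
        $mimban_s2 = />\|\|\|%s\|\|\|%s\|\|\|\d\|\|\|%s\|\|\|%s\|\|\|%s\|\|\|%s\|\|\|</
        $mimban_s3 = "-----BEGIN PUBLIC KEY-----"
        $mimban_i1 = "BIO_f_base64"
        $mimban_i2 = "PEM_read_bio_RSA_PUBKEY"
        $mimban_i3 = "gethostbyname"
    condition:
        uint32be(0) == 0x7f454c46 and // ELF
        ( 1 of ($a_*) or 2 of ($ac_*) ) // SSH Binary
        and (
            // One family clause is enough; each clause mirrors one /* family */ block.
            ( 1 of ($s*) ) or
            ( all of ($ando_s*) and ($ando_i or all of ($ando_m*)) ) or
            ( all of ($atollon*) ) or
            ( all of ($bespin*) ) or
            ( all of ($chandrila*) ) or
            ( all of ($coruscant*) ) or
            ( 2 of ($crait*) ) or
            ( $jakuu_log and $jakuu_ns and ($jakuu_dec or all of ($jakuu_enc*) or $jakuu_rc4)) or
            ( 5 of ($kamino_s*) and 3 of ($kamino_i*) ) or
            ( 2 of ($kessel_s*) or 2 of ($kessel_i*) or $kessel_rc4 ) or
            ( 2 of ($mimban_s*) and 2 of ($mimban_i*) )
        )
}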
// Casper: matches the reconnaissance OUTPUT the implant writes (section
// banners and field labels), not the implant binary. All strings required,
// no file-type or size gate, so it applies to dumps and logs as well.
rule Casper_SystemInformation_Output {
    meta:
        description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/06"
        score = 70
        id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
    strings:
        $a0 = "***** SYSTEM INFORMATION ******"
        $a1 = "***** SECURITY INFORMATION ******"
        $a2 = "Antivirus: "
        $a3 = "Firewall: "
        $a4 = "***** EXECUTION CONTEXT ******"
        $a5 = "Identity: "
        $a6 = "<CONFIG TIMESTAMP="
    condition:
        all of them
}
// Camaro Dragon "HorseShell" router implant: shell/log messages, C2 host and
// HTTP template, plus two opcode sequences (target architecture is not
// stated here; the reference covers router firmware).
rule MAL_LNX_CamaroDragon_HorseShell_Oct23 {
    meta:
        description = "Detects CamaroDragon's HorseShell implant for routers"
        author = "Florian Roth"
        reference = "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/"
        date = "2023-10-06"
        score = 85
        hash1 = "998788472cb1502c03675a15a9f09b12f3877a5aeb687f891458a414b8e0d66c"
        id = "9e54745f-146f-50a6-b30f-53aaaa6907b5"
    strings:
        $x1 = "echo \"start shell '%s' failed!\" > .remote_shell.log" ascii fullword
        $x2 = "*****recv NET_REQ_HORSE_SHELL REQ_CONNECT_PORT*****" ascii fullword
        $s1 = "m.cremessage.com" ascii fullword
        $s2 = "POST http://%s/index.php HTTP/1.1" ascii fullword
        $s3 = "wzsw_encrypt_buf" ascii fullword
        $s4 = "body:%d-%s" ascii fullword
        $s5 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident" ascii fullword /* String occurs 1 times in goodware */
        $s6 = "process_http_read_events" ascii fullword
        $op1 = { c4 34 42 00 02 30 63 00 40 10 60 00 09 ae 62 00 48 8e 62 00 cc }
        $op2 = { 27 f4 8c 46 27 f0 03 20 f8 09 00 60 28 21 }
    condition:
        // 0x457f little-endian is the bytes 7f 45, i.e. the start of an ELF
        // header. `and` binds tighter than `or`, so this reads as:
        //   (ELF and size < 600KB and (1 of $x* or 3 of them)) or 5 of them
        // The final `5 of them` fallback has no header or size gate.
        uint16(0) == 0x457f and
        filesize < 600KB and (
            1 of ($x*)
            or 3 of them
        )
        or 5 of them
}
// Hacktool: WebCrack4 router credential brute-forcer. Matches its result
// format strings and request template; PE under 5MB with any two strings.
rule WebCrack4_RouterPasswordCracking {
    meta:
        description = "Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "00c68d1b1aa655dfd5bb693c13cdda9dbd34c638"
        id = "e3d50ff8-e58d-5c60-9acd-25ba95a21f68"
    strings:
        $s0 = "http://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORD" fullword ascii
        $s1 = "Username: \"%s\", Password: \"%s\", Remarks: \"%s\"" fullword ascii
        $s14 = "user:\"%s\" pass: \"%s\" result=\"%s\"" fullword ascii
        $s16 = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" fullword ascii
        // $s20 is a generic Delphi/VCL runtime message; on its own it is weak,
        // which is why two strings are required.
        $s20 = "List count out of bounds (%d)+Operation not allowed on sorted string list%String" wide
    condition:
        uint16(0) == 0x5a4d and filesize < 5000KB and 2 of them
}
// certutil abused for base64 decoding or URL download: command-line fragments
// in any small file, with two false-positive exclusions.
rule Certutil_Decode_OR_Download {
    meta:
        description = "Certutil Decode"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        score = 40
        date = "2017-08-29"
        modified = "2026-04-01"
        id = "63bdefd2-225a-56d5-b615-5e236c97f050"
    strings:
        // NOTE(review): as rendered here $a2 is byte-identical to $a1 and $a4
        // to $a3, which makes them redundant; the page may have collapsed a
        // whitespace variant (e.g. a double space before -decode) - confirm
        // against the source file.
        $a1 = "certutil -decode " ascii wide
        $a2 = "certutil -decode " ascii wide
        $a3 = "certutil.exe -decode " ascii wide
        $a4 = "certutil.exe -decode " ascii wide
        $a5 = "certutil -urlcache -split -f http" ascii wide
        $a6 = "certutil.exe -urlcache -split -f http" ascii wide
        // UTF-16LE "Root Entry" (last byte truncated); the name suggests it
        // excludes MSI/OLE compound documents.
        $fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
        $fp_doc = "https://docs.aws.amazon.com" ascii
    condition:
        filesize < 700KB
        and 1 of ($a*)
        and not 1 of ($fp*)
}
// certutil.exe under a name other than its own. `filename` and `filepath`
// are external variables the scanner must define, or the rule will not
// compile.
rule APT_Cloaked_CERTUTIL {
    meta:
        description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2018-09-14"
        modified = "2022-06-27"
        id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
    strings:
        $s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
        $s5 = "certutil.pdb" fullword ascii
        $s3 = "Password Token" fullword ascii
    condition:
        uint16(0) == 0x5a4d and all of them
        // NOTE(review): `contains` is case-sensitive, so only these three
        // spellings are excluded; an all-caps "CERTUTIL.EXE" would still be
        // reported as cloaked. `icontains` (YARA >= 4.1) would cover all
        // casings in one clause — confirm minimum YARA version before changing.
        and not filename contains "certutil"
        and not filename contains "CertUtil"
        and not filename contains "Certutil"
        // Path exclusion for a known benign location.
        and not filepath contains "\\Bromium\\"
}
// Script that wraps a base64 blob in PEM certificate markers and decodes it
// with certutil to drop a binary. All three fragments required; the 10KB
// cap limits this to small scripts/command files.
rule Binary_Drop_Certutil {
    meta:
        description = "Drop binary as base64 encoded cert trick"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/9DNn8q"
        date = "2015-07-15"
        score = 70
        id = "19791e51-d041-524d-80fa-9f3ec54eb084"
    strings:
        $s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
        $s1 = "echo -----END CERTIFICATE----- >>" ascii
        $s2 = "certutil -decode " ascii
    condition:
        filesize < 10KB and all of them
}
// APT15 RoyalCli backdoor (NCC Group report): PDB path, helper executable
// name, temp-file template and command status messages. PE under 200KB with
// any two strings.
rule APT15_Malware_Mar18_RoyalCli {
    meta:
        description = "Detects malware from APT 15 report by NCC Group"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/HZ5XMN"
        date = "2018-03-10"
        hash1 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
        id = "165bfa6c-1a8d-5628-8c35-da4e4a2ae04f"
    strings:
        $s1 = "\\Release\\RoyalCli.pdb" ascii
        $s2 = "%snewcmd.exe" fullword ascii
        $s3 = "Run cmd error %d" fullword ascii
        $s4 = "%s~clitemp%08x.ini" fullword ascii
        $s5 = "run file failed" fullword ascii
        $s6 = "Cmd timeout %d" fullword ascii
        $s7 = "2 %s %d 0 %d" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
// APT15 RoyalDNS backdoor: cleanup command lines ($x*), service name and
// file templates. Uses the pe module, so the file needs `import "pe"` at
// the top (not visible in this excerpt).
rule APT15_Malware_Mar18_RoyalDNS {
    meta:
        description = "Detects malware from APT 15 report by NCC Group"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/HZ5XMN"
        date = "2018-03-10"
        hash1 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
        id = "c2f519db-2750-53ce-ae18-697ea041faaf"
    strings:
        $x1 = "del c:\\windows\\temp\\r.exe /f /q" fullword ascii
        $x2 = "%s\\r.exe" fullword ascii
        $s1 = "rights.dll" fullword ascii
        $s2 = "\"%s\">>\"%s\"\\s.txt" fullword ascii
        $s3 = "Nwsapagent" fullword ascii
        $s4 = "%s\\r.bat" fullword ascii
        $s5 = "%s\\s.txt" fullword ascii
        $s6 = "runexe" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and (
            // The export pair alone is sufficient, as is one $x string.
            ( pe.exports("RunInstallA") and pe.exports("RunUninstallA") ) or
            1 of ($x*) or
            2 of them
        )
}
// APT15 BS2005 backdoor: two embedded base64 blobs ($x*, each sufficient on
// its own), C2 URL templates ($a*) and command-execution strings ($s*).
rule APT15_Malware_Mar18_BS2005 {
    meta:
        description = "Detects malware from APT 15 report by NCC Group"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/HZ5XMN"
        date = "2018-03-10"
        hash1 = "750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b"
        id = "700bbe14-d79e-5a35-aab3-31eacd5bd950"
    strings:
        $x1 = "AAAAKQAASCMAABi+AABnhEBj8vep7VRoAEPRWLweGc0/eiDrXGajJXRxbXsTXAcZAABK4QAAPWwAACzWAAByrg==" fullword ascii
        $x2 = "AAAAKQAASCMAABi+AABnhKv3kXJJousn5YzkjGF46eE3G8ZGse4B9uoqJo8Q2oF0AABK4QAAPWwAACzWAAByrg==" fullword ascii
        $a1 = "http://%s/content.html?id=%s" fullword ascii
        $a2 = "http://%s/main.php?ssid=%s" fullword ascii
        $a3 = "http://%s/webmail.php?id=%s" fullword ascii
        $a9 = "http://%s/error.html?tab=%s" fullword ascii
        $s1 = "%s\\~tmp.txt" fullword ascii
        $s2 = "%s /C %s >>\"%s\" 2>&1" fullword ascii
        $s3 = "DisableFirstRunCustomize" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and (
            1 of ($x*) or
            2 of them
        )
}
// APT15 Exchange enumeration tool (EWSTEW): PDB path, binary name, the EWS
// managed API namespace and an argument-check message. PE under 40KB with
// every string present.
rule APT15_Malware_Mar18_MSExchangeTool {
    meta:
        description = "Detects malware from APT 15 report by NCC Group"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/HZ5XMN"
        date = "2018-03-10"
        hash1 = "16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce"
        id = "81b826b6-8c2e-5a8a-a626-9515d40dbbb0"
    strings:
        $s1 = "\\Release\\EWSTEW.pdb" ascii
        $s2 = "EWSTEW.exe" fullword wide
        $s3 = "Microsoft.Exchange.WebServices.Data" fullword ascii
        $s4 = "tmp.dat" fullword wide
        $s6 = "/v or /t is null" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 40KB and all of them
}
// Patched copy of cmd.exe dropped by RoyalCli. The "clean_" prefix marks it
// as a modified legitimate binary rather than malware in its own right.
rule clean_apt15_patchedcmd{
    meta:
        author = "Ahmed Zaki"
        description = "This is a patched CMD. This is the CMD that RoyalCli uses."
        sha256 = "90d1f65cfa51da07e040e066d4409dc8a48c1ab451542c894a623bc75c14bf8f"
        id = "c6867ad4-f7f2-5d63-bffd-07599ede635d"
    strings:
        // Presumably the stock "DisableCMD" policy string with its first byte
        // altered - consistent with the "patched" description; the remaining
        // strings are ordinary cmd.exe resources.
        $ = "eisableCMD" wide
        $ = "%WINDOWS_COPYRIGHT%" wide
        $ = "Cmd.Exe" wide
        $ = "Windows Command Processor" wide
    condition:
        uint16(0) == 0x5A4D and all of them
}
// APT15 RoyalCli: temp-file templates, helper executable names, mutex-like
// object names and status/response formats. PE with any five of ten.
rule malware_apt15_royalcli_1{
    meta:
        description = "Generic strings found in the Royal CLI tool"
        author = "David Cannings"
        sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
        id = "432c09bf-3c44-5a2c-ba69-7b4fe7eb43cc"
    strings:
        $ = "%s~clitemp%08x.tmp" fullword
        $ = "%s /c %s>%s" fullword
        $ = "%snewcmd.exe" fullword
        $ = "%shkcmd.exe" fullword
        $ = "%s~clitemp%08x.ini" fullword
        $ = "myRObject" fullword
        $ = "myWObject" fullword
        // Response lines with explicit CRLF (\x0D\x0A); not fullword.
        $ = "2 %s %d 0 %d\x0D\x0A"
        $ = "2 %s %d 1 %d\x0D\x0A"
        $ = "%s file not exist" fullword
    condition:
        uint16(0) == 0x5A4D and 5 of them
}
// APT15 RoyalCli, looser variant: a subset of the royalcli_1 strings with a
// threshold of two. No hash meta; no size cap.
rule malware_apt15_royalcli_2{
    meta:
        author = "Nikolaos Pantazopoulos"
        description = "APT15 RoyalCli backdoor"
        id = "d4acfd2d-385d-5063-898e-d339b50733eb"
    strings:
        $string1 = "%shkcmd.exe" fullword
        $string2 = "myRObject" fullword
        $string3 = "%snewcmd.exe" fullword
        $string4 = "%s~clitemp%08x.tmp" fullword
        $string6 = "myWObject" fullword
    condition:
        uint16(0) == 0x5A4D and 2 of them
}
// APT15 BS2005: separator/format strings, Internet Explorer zone/hardening
// value names and a regex for the redirected-command template. Uses the pe
// module (`import "pe"` must precede it in the file). Unlike its neighbours
// this rule carries no `id` meta.
rule malware_apt15_bs2005{
    meta:
        author = "Ahmed Zaki"
        md5 = "ed21ce2beee56f0a0b1c5a62a80c128b"
        description = "APT15 bs2005"
    strings:
        $ = "%s&%s&%s&%s" wide ascii
        $ = "%s\\%s" wide ascii fullword
        $ = "WarOnPostRedirect" wide ascii fullword
        $ = "WarnonZoneCrossing" wide ascii fullword
        $ = "^^^^^" wide ascii fullword
        // `"%s" /C "%s > \"%s\path" 2>&1` with optional quoting/whitespace.
        $ = /"?%s\s*"?\s*\/C\s*"?%s\s*>\s*\\?"?%s\\(\w+\.\w+)?"\s*2>&1\s*"?/
        $ ="IEharden" wide ascii fullword
        $ ="DEPOff" wide ascii fullword
        $ ="ShownVerifyBalloon" wide ascii fullword
        $ ="IEHardenIENoWarn" wide ascii fullword
    condition:
        // Five strings, or three strings plus the crypto/COM import combination.
        ( uint16(0) == 0x5A4D and 5 of them ) or
        ( uint16(0) == 0x5A4D and 3 of them and
            ( pe.imports("advapi32.dll", "CryptDecrypt") and pe.imports("advapi32.dll", "CryptEncrypt") and
                pe.imports("ole32.dll", "CoCreateInstance")
            )
        )
}
// APT15 RoyalDNS as a svchost-hosted service DLL: netsvcs group strings,
// service registry path and the shared "myWObject" name, plus a ServiceMain
// export (pe module; `import "pe"` must precede it in the file).
rule malware_apt15_royaldll_2 {
    meta:
        author = "Ahmed Zaki"
        sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
        description = "DNS backdoor used by APT15"
        id = "3bc546a5-38b9-5504-b09e-305ba7bbd6bc"
    strings:
        $= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii
        $= "netsvcs" wide ascii fullword
        $= "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide ascii fullword
        $= "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
        $= "myWObject" wide ascii
    condition:
        uint16(0) == 0x5A4D and all of them
        and pe.exports("ServiceMain")
        and filesize > 50KB and filesize < 600KB
}
// APT15 Exchange mail-enumeration tool: .NET member/property names around
// EWS credentials and mail/folder enumeration. PE with every string present;
// no size cap.
rule malware_apt15_exchange_tool {
    meta:
        author = "Ahmed Zaki"
        md5 = "d21a7e349e796064ce10f2f6ede31c71"
        description = "This is a an exchange enumeration/hijacking tool used by an APT 15"
        id = "f07b9537-0741-51c8-a9fa-836430fe4855"
    strings:
        $s1= "subjectname" fullword
        $s2= "sendername" fullword
        $s3= "WebCredentials" fullword
        $s4= "ExchangeVersion" fullword
        $s5= "ExchangeCredentials" fullword
        $s6= "slfilename" fullword
        $s7= "EnumMail" fullword
        $s8= "EnumFolder" fullword
        $s9= "set_Credentials" fullword
        $s18 = "/v or /t is null" wide
        $s24 = "2013sp1" wide
    condition:
        uint16(0) == 0x5A4D and all of them
}
// Generic APT15 tooling: two object names shared across the family plus an
// x86 CreateFileA call sequence. Any two of three; no header or size gate,
// so the opcode pattern can contribute on non-PE data as well.
rule malware_apt15_generic {
    meta:
        author = "David Cannings"
        description = "Find generic data potentially relating to AP15 tools"
        id = "4eb50731-22df-5f7a-bf5f-166ef84cf8b5"
    strings:
        // Appears to be from copy/paste code
        $str01 = "myWObject" fullword
        $str02 = "myRObject" fullword
        /*
        6A 02 push 2 ; dwCreationDisposition
        6A 00 push 0 ; lpSecurityAttributes
        6A 00 push 0 ; dwShareMode
        68 00 00 00 C0 push 0C0000000h ; dwDesiredAccess
        50 push eax ; lpFileName
        FF 15 44 F0 00 10 call ds:CreateFileA
        */
        // Arguments for CreateFileA
        // (02|03) accepts CREATE_ALWAYS or OPEN_EXISTING as the disposition;
        // 0xC0000000 is GENERIC_READ|GENERIC_WRITE. The call target address
        // is deliberately left out of the pattern.
        $opcodes01 = { 6A (02|03) 6A 00 6A 00 68 00 00 00 C0 50 FF 15 }
    condition:
        2 of them
}
rule APT12_Malware_Aug17 {
// Detects APT12 samples by import hash alone (no string signatures).
// Requires `import "pe"` at the top of the rule file for pe.imphash().
meta:
description = "Detects APT 12 Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://blog.macnica.net/blog/2017/08/post-fb81.html"
date = "2017-08-30"
hash1 = "dc7521c00ec2534cf494c0263ddf67ea4ba9915eb17bdc0b3ebe9e840ec63643"
hash2 = "42da51b69bd6625244921a4eef9a2a10153e012a3213e8e9877cf831aea3eced"
id = "6c9cd68f-b839-5c99-a9f5-14c2d8a28bec"
condition:
// "MZ" magic plus an exact imphash (MD5 over the normalized import list).
// Precise for the two referenced samples but brittle: a rebuild that alters
// the import order breaks it, and unrelated binaries produced from the same
// template/toolchain can share an imphash. Treat as a sample pin, not a
// behavioural signature.
( uint16(0) == 0x5a4d and pe.imphash() == "9ba915fd04f248ad62e856c7238c0264" )
}
rule APT17_Sample_FXSST_DLL {
// Detects the APT17 FXSST.DLL sample: version-info/file-name artefacts ($x)
// or export/extension artefacts ($y), narrowed by a set of API names ($s).
// NOTE(review): the goo.gl reference is a shortener link and may no longer
// resolve; consider replacing it with the full URL.
meta:
description = "Detects Samples related to APT17 activity - file FXSST.DLL"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/ZiJyQv"
date = "2015-05-14"
hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
id = "e4b9b25e-8895-5ba5-b706-bfb6892c16ae"
strings:
// NOTE(review): `?` is a literal character in YARA text strings, not a
// wildcard; presumably it stands in for the (R) symbol of "Microsoft(R)
// Windows(R) Operating System" as stored in the sample's version resource --
// confirm against the sample before relying on this string.
$x1 = "Microsoft? Windows? Operating System" fullword wide
// File name of the referenced sample (see description).
$x2 = "fxsst.dll" fullword ascii
$y1 = "DllRegisterServer" fullword ascii
$y2 = ".cSV" fullword ascii
// No modifiers: ASCII substring matches (not fullword). These are common
// Win32 API names and carry little weight on their own; they only confirm
// an $x/$y hit.
$s1 = "GetLastActivePopup"
$s2 = "Sleep"
$s3 = "GetModuleFileName"
$s4 = "VirtualProtect"
$s5 = "HeapAlloc"
$s6 = "GetProcessHeap"
$s7 = "GetCommandLine"
condition:
// "MZ" magic, size cap, both strings of either the $x or the $y group,
// and every API name.
uint16(0) == 0x5a4d and filesize < 800KB and
( all of ($x*) or all of ($y*) ) and all of ($s*)
}
rule APT10_Malware_Sample_Gen : FILE {
meta:
description = "APT 10 / Cloud Hopper malware campaign"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
date = "2017-04-06"
score = 80
strings:
$c2_1 = "002562066559681.r3u8.com" ascii
$c2_2 = "031168053846049.r3u8.com" ascii
$c2_3 = "0625.have8000.com" ascii
$c2_4 = "1.gadskysun.com" ascii
$c2_5 = "100fanwen.com" ascii
$c2_6 = "11.usyahooapis.com" ascii
$c2_7 = "19518473326.r3u8.com" ascii
$c2_8 = "1960445709311199.r3u8.com" ascii
$c2_9 = "1j.www1.biz" ascii
$c2_10 = "1z.itsaol.com" ascii
$c2_11 = "2012yearleft.com" ascii
$c2_12 = "2014.zzux.com" ascii
$c2_13 = "202017845.r3u8.com" ascii
$c2_14 = "2139465544784.r3u8.com" ascii
$c2_15 = "2789203959848958.r3u8.com" ascii
$c2_16 = "5590428449750026.r3u8.com" ascii
$c2_17 = "5q.niushenghuo.info" ascii
$c2_18 = "6r.suibian2010.info" ascii
$c2_19 = "9gowg.tech" ascii
$c2_20 = "Hamiltion.catholicmmb.com" ascii
$c2_21 = "a.wubangtu.info" ascii
$c2_22 = "a1.suibian2010.info" ascii
$c2_24 = "abc.wikaba.com" ascii
$c2_25 = "abcd120719.6600.org" ascii
$c2_26 = "abcd120807.3322.org" ascii
$c2_27 = "acc.emailfound.info" ascii
$c2_28 = "acc.lehigtapp.com" ascii
$c2_29 = "acsocietyy.com" ascii
$c2_31 = "ad.webbooting.com" ascii
$c2_32 = "additional.sexidude.com" ascii
$c2_33 = "af.zyns.com" ascii
$c2_34 = "afc.https443.org" ascii
$c2_35 = "ako.ddns.us" ascii
$c2_36 = "androidmusicapp.onmypc.us" ascii
$c2_37 = "announcements.toythieves.com" ascii
$c2_38 = "anvprn.com" ascii
$c2_39 = "aotuo.9966.org" ascii
$c2_40 = "apec.qtsofta.com" ascii
$c2_41 = "app.lehigtapp.com" ascii
$c2_42 = "apple.cmdnetview.com" ascii
$c2_43 = "apple.defensewar.org" ascii
$c2_44 = "apple.ikwb.com" ascii
$c2_45 = "appledownload.ourhobby.com" ascii
$c2_46 = "appleimages.itemdb.com" ascii
$c2_47 = "appleimages.longmusic.com" ascii
$c2_48 = "applelib120102.9966.org" ascii
$c2_49 = "applemirror.organiccrap.com" ascii
$c2_50 = "applemirror.squirly.info" ascii
$c2_51 = "applemusic.isasecret.com" ascii
$c2_52 = "applemusic.itemdb.com" ascii
$c2_53 = "applemusic.wikaba.com" ascii
$c2_54 = "applemusic.xxuz.com" ascii
$c2_55 = "applemusic.zzux.com" ascii
$c2_56 = "apples.sytes.net" ascii
$c2_57 = "appleupdate.itemdb.com" ascii
$c2_58 = "architectisusa.com" ascii
$c2_59 = "area.wthelpdesk.com" ascii
$c2_60 = "army.xxuz.com" ascii
$c2_61 = "art.p6p6.net" ascii
$c2_62 = "asfzx.x24hr.com" ascii
$c2_64 = "availab.wikaba.com" ascii
$c2_65 = "availability.justdied.com" ascii
$c2_66 = "ba.my03.com" ascii
$c2_67 = "baby.macforlinux.net" ascii
$c2_68 = "baby.myie12.com" ascii
$c2_69 = "baby.usmirocomney.net" ascii
$c2_70 = "back.jungleheart.com" ascii
$c2_71 = "back.mofa.dynamic-dns.net" ascii
$c2_72 = "bak.have8000.com" ascii
$c2_73 = "bak.ignorelist.com" ascii
$c2_74 = "bak.un.dnsrd.com" ascii
$c2_75 = "balance1.wikaba.com" ascii
$c2_76 = "balk.n7go.com" ascii
$c2_77 = "banana.cmdnetview.com" ascii
$c2_78 = "barrybaker.6600.org" ascii
$c2_79 = "bbs.jungleheart.com" ascii
$c2_80 = "bdoncloud.com" ascii
$c2_81 = "be.mrslove.com" ascii
$c2_82 = "be.yourtrap.com" ascii
$c2_83 = "belowto.com" ascii
$c2_84 = "bethel.webhop.net" ascii
$c2_85 = "bexm.cleansite.biz" ascii
$c2_86 = "bezu.itemdb.com" ascii
$c2_87 = "bk56.twilightparadox.com" ascii
$c2_88 = "blaaaaaaaaaaaa.windowsupdate.3-a.net" ascii
$c2_89 = "blog.defensewar.org" ascii
$c2_90 = "brand.fartit.com" ascii
$c2_91 = "bridgeluxlightmadness.com" ascii
$c2_92 = "bulletproof.squirly.info" ascii
$c2_93 = "cao.p6p6.net" ascii
$c2_94 = "cata.qtsofta.com" ascii
$c2_95 = "catholicmmb.com" ascii
$c2_96 = "cc.dynamicdns.co.uk" ascii
$c2_97 = "ccfchrist.com" ascii
$c2_98 = "ccupdatedata.authorizeddns.net" ascii
$c2_99 = "cd.usyahooapis.com" ascii
$c2_100 = "cdn.incloud-go.com" ascii
$c2_101 = "center.shenajou.com" ascii
$c2_102 = "cgei493860.r3u8.com" ascii
$c2_103 = "chaindungeons.com" ascii
$c2_104 = "chibashiri.com" ascii
$c2_105 = "childrenstow.com" ascii
$c2_106 = "cia.ezua.com" ascii
$c2_107 = "cia.toh.info" ascii
$c2_108 = "ciaoci.chickenkiller.com" ascii
$c2_109 = "civilwar123.authorizeddns.org" ascii
$c2_110 = "civilwar520.onmypc.org" ascii
$c2_111 = "ckusshani.com" ascii
$c2_112 = "cloud-kingl.com" ascii
$c2_113 = "cloud-maste.com" ascii
$c2_114 = "cloudns.8800.org" ascii
$c2_115 = "cmdnetview.com" ascii
$c2_116 = "cms.sindeali.com" ascii
$c2_117 = "cnnews.mylftv.com" ascii
$c2_118 = "commissioner.shenajou.com" ascii
$c2_119 = "commons.onedumb.com" ascii
$c2_120 = "contactus.myddns.com" ascii
$c2_121 = "contactus.onmypc.us" ascii
$c2_122 = "contract.4mydomain.com" ascii
$c2_123 = "contractus.qpoe.com" ascii
$c2_124 = "contractus.zzux.com" ascii
$c2_125 = "coreck.suayay.com" ascii
$c2_128 = "ctdl.windowsupdate.itsaol.com" ascii
$c2_129 = "ctdl.windowsupdate.nsatcdns.com" ascii
$c2_130 = "ctldl.appledownload.ourhobby.com" ascii
$c2_131 = "ctldl.applemusic.itemdb.com" ascii
$c2_132 = "ctldl.itunesmusic.jkub.com" ascii
$c2_133 = "ctldl.microsoftmusic.onedumb.com" ascii
$c2_134 = "ctldl.microsoftupdate.qhigh.com" ascii
$c2_135 = "ctldl.windowsupdate.authorizeddns.org" ascii
$c2_136 = "ctldl.windowsupdate.authorizeddns.us" ascii
$c2_137 = "ctldl.windowsupdate.dnset.com" ascii
$c2_138 = "ctldl.windowsupdate.esmtp.biz" ascii
$c2_139 = "ctldl.windowsupdate.ezua.com" ascii
$c2_140 = "ctldl.windowsupdate.gettrials.com" ascii
$c2_141 = "ctldl.windowsupdate.itsaol.com" ascii
$c2_142 = "ctldl.windowsupdate.lflinkup.com" ascii
$c2_143 = "ctldl.windowsupdate.mrface.com" ascii
$c2_144 = "ctldl.windowsupdate.nsatcdns.com" ascii
$c2_145 = "ctldl.windowsupdate.organiccrap.com" ascii
$c2_146 = "ctldl.windowsupdate.x24hr.com" ascii
$c2_147 = "cvnx.zyns.com" ascii
$c2_148 = "cwiinatonal.com" ascii
$c2_149 = "daddy.gostudyantivirus.com" ascii
$c2_150 = "dcc.jimingroup.com" ascii
$c2_151 = "dd.ddns.us" ascii
$c2_152 = "de.onmypc.info" ascii
$c2_153 = "dear.loveddos.com" ascii
$c2_154 = "dec.seyesb.acmetoy.com" ascii
$c2_155 = "dedgesuite.net" ascii
$c2_156 = "dedydns.ns01.us" ascii
$c2_157 = "defensewar.org" ascii
$c2_158 = "demoones.com" ascii
$c2_159 = "department.shenajou.com" ascii
$c2_160 = "details.squirly.info" ascii
$c2_161 = "development.shenajou.com" ascii
$c2_162 = "devilcase.acmetoy.com" ascii
$c2_163 = "dfgwerzc.3322.org" ascii
$c2_164 = "dick.ccfchrist.com" ascii
$c2_165 = "digsby.ourhobby.com" ascii
$c2_166 = "disruptive.https443.net" ascii
$c2_167 = "dlmix.ourdvs.com" ascii
$c2_168 = "dnspoddwg.authorizeddns.org" ascii
$c2_170 = "document.methoder.com" ascii
$c2_171 = "document.shenajou.com" ascii
$c2_172 = "domainnow.yourtrap.com" ascii
$c2_173 = "download.applemusic.itemdb.com" ascii
$c2_174 = "download.microsoftmusic.onedumb.com" ascii
$c2_175 = "download.windowsupdate.authorizeddns.org" ascii
$c2_176 = "download.windowsupdate.dedgesuite.net" ascii
$c2_177 = "download.windowsupdate.dnset.com" ascii
$c2_178 = "download.windowsupdate.itsaol.com" ascii
$c2_179 = "download.windowsupdate.lflinkup.com" ascii
$c2_180 = "download.windowsupdate.nsatcdns.com" ascii
$c2_181 = "download.windowsupdate.x24hr.com" ascii
$c2_182 = "downloadlink.mypicture.info" ascii
$c2_183 = "drives.methoder.com" ascii
$c2_184 = "dst.1dumb.com" ascii
$c2_185 = "duosay.com" ascii
$c2_186 = "dyncojinf.6600.org" ascii
$c2_187 = "dynsbluecheck.7766.org" ascii
$c2_188 = "ea.onmypc.info" ascii
$c2_189 = "ea.rebatesrule.net" ascii
$c2_190 = "edgar.ccfchrist.com" ascii
$c2_191 = "ehshiroshima.mylftv.com" ascii
$c2_192 = "emailfound.info" ascii
$c2_193 = "eric-averyanov.wha.la" ascii
$c2_194 = "essashi.com" ascii
$c2_195 = "eu.acmetoy.com" ascii
$c2_196 = "eu.wha.la" ascii
$c2_197 = "eu.zzux.com" ascii
$c2_198 = "everydayfilmlink.com" ascii
$c2_199 = "ewe.toshste.com" ascii
$c2_200 = "eweek.2waky.com" ascii
$c2_201 = "exprenum.com" ascii
$c2_202 = "express.lflinkup.com" ascii
$c2_203 = "extraordinary.dynamic-dns.net" ascii
$c2_204 = "f068v.site" ascii
$c2_205 = "fabian.ccfchrist.com" ascii
$c2_206 = "fastemail.dnsrd.com" ascii
$c2_207 = "fastmail2.com" ascii
$c2_208 = "fbi.sexxxy.biz" ascii
$c2_209 = "fbi.zyns.com" ascii
$c2_210 = "fcztqbg.zj.r3u8.com" ascii
$c2_211 = "feed.jungleheart.com" ascii
$c2_212 = "fftpoor.com" ascii
$c2_213 = "fg.v4.download.windowsupdates.dnsrd.com" ascii
$c2_214 = "fgipv6.download.windowsupdate.com.mwcname.com" ascii
$c2_215 = "file.zzux.com" ascii
$c2_216 = "files.architectisusa.com" ascii
$c2_217 = "film.everydayfilmlink.com" ascii
$c2_218 = "filmlist.everydayfilmlink.com" ascii
$c2_219 = "findme.epac.to" ascii
$c2_220 = "fire.mrface.com" ascii
$c2_221 = "fish.toh.info" ascii
$c2_222 = "fiveavmersi.websegoo.net" ascii
$c2_223 = "fjs.wikaba.com" ascii
$c2_224 = "flea.poulsenv.com" ascii
$c2_225 = "flynews.edns.biz" ascii
$c2_226 = "fo.mysecondarydns.com" ascii
$c2_227 = "foal.wchildress.com" ascii
$c2_228 = "follow.wha.la" ascii
$c2_229 = "foo.shenajou.com" ascii
$c2_230 = "for.ddns.mobi" ascii
$c2_231 = "fr.wikaba.com" ascii
$c2_232 = "franck.demoones.com" ascii
$c2_233 = "ftp.2014.zzux.com" ascii
$c2_234 = "ftp.additional.sexidude.com" ascii
$c2_235 = "ftp.afc.https443.org" ascii
$c2_236 = "ftp.announcements.toythieves.com" ascii
$c2_237 = "ftp.apple.ikwb.com" ascii
$c2_238 = "ftp.appledownload.ourhobby.com" ascii
$c2_239 = "ftp.appleimages.itemdb.com" ascii
$c2_240 = "ftp.appleimages.longmusic.com" ascii
$c2_241 = "ftp.appleimages.organiccrap.com" ascii
$c2_242 = "ftp.applemirror.organiccrap.com" ascii
$c2_243 = "ftp.applemirror.squirly.info" ascii
$c2_244 = "ftp.applemusic.isasecret.com" ascii
$c2_245 = "ftp.applemusic.itemdb.com" ascii
$c2_246 = "ftp.applemusic.wikaba.com" ascii
$c2_247 = "ftp.applemusic.xxuz.com" ascii
$c2_248 = "ftp.applemusic.zzux.com" ascii
$c2_249 = "ftp.appleupdate.itemdb.com" ascii
$c2_250 = "ftp.architectisusa.com" ascii
$c2_251 = "ftp.asfzx.x24hr.com" ascii
$c2_252 = "ftp.availab.wikaba.com" ascii
$c2_253 = "ftp.availability.justdied.com" ascii
$c2_254 = "ftp.back.jungleheart.com" ascii
$c2_255 = "ftp.balance1.wikaba.com" ascii
$c2_256 = "ftp.be.mrslove.com" ascii
$c2_257 = "ftp.brand.fartit.com" ascii
$c2_258 = "ftp.bulletproof.squirly.info" ascii
$c2_259 = "ftp.cia.ezua.com" ascii
$c2_260 = "ftp.cia.toh.info" ascii
$c2_261 = "ftp.civilwar123.authorizeddns.org" ascii
$c2_262 = "ftp.civilwar520.onmypc.org" ascii
$c2_263 = "ftp.cloudfileserverbs.dynamicdns.co.uk" ascii
$c2_264 = "ftp.cnnews.mylftv.com" ascii
$c2_265 = "ftp.commons.onedumb.com" ascii
$c2_266 = "ftp.contractus.qpoe.com" ascii
$c2_267 = "ftp.cvnx.zyns.com" ascii
$c2_268 = "ftp.de.onmypc.info" ascii
$c2_269 = "ftp.details.squirly.info" ascii
$c2_270 = "ftp.devilcase.acmetoy.com" ascii
$c2_271 = "ftp.disruptive.https443.net" ascii
$c2_272 = "ftp.domainnow.yourtrap.com" ascii
$c2_273 = "ftp.ea.onmypc.info" ascii
$c2_274 = "ftp.ehshiroshima.mylftv.com" ascii
$c2_275 = "ftp.eric-averyanov.wha.la" ascii
$c2_276 = "ftp.eu.acmetoy.com" ascii
$c2_277 = "ftp.eu.wha.la" ascii
$c2_278 = "ftp.eu.zzux.com" ascii
$c2_279 = "ftp.fbi.sexxxy.biz" ascii
$c2_280 = "ftp.file.zzux.com" ascii
$c2_281 = "ftp.findme.epac.to" ascii
$c2_282 = "ftp.fire.mrface.com" ascii
$c2_283 = "ftp.fjs.wikaba.com" ascii
$c2_284 = "ftp.fr.wikaba.com" ascii
$c2_285 = "ftp.fuck.ikwb.com" ascii
$c2_286 = "ftp.fuckmm.dns-dns.com" ascii
$c2_287 = "ftp.generat.almostmy.com" ascii
$c2_288 = "ftp.goldtoyota.com" ascii
$c2_289 = "ftp.goodmusic.justdied.com" ascii
$c2_290 = "ftp.helpus.ddns.info" ascii
$c2_291 = "ftp.hii.qhigh.com" ascii
$c2_292 = "ftp.innocent-isayev.sexidude.com" ascii
$c2_293 = "ftp.invoices.sexxxy.biz" ascii
$c2_294 = "ftp.iphone.vizvaz.com" ascii
$c2_295 = "ftp.itlans.isasecret.com" ascii
$c2_296 = "ftp.itunesdownload.jkub.com" ascii
$c2_297 = "ftp.itunesdownload.wikaba.com" ascii
$c2_298 = "ftp.itunesimages.itemdb.com" ascii
$c2_299 = "ftp.itunesimages.itsaol.com" ascii
$c2_300 = "ftp.itunesimages.qpoe.com" ascii
$c2_301 = "ftp.itunesmirror.fartit.com" ascii
$c2_302 = "ftp.itunesmirror.itsaol.com" ascii
$c2_303 = "ftp.itunesmusic.ikwb.com" ascii
$c2_304 = "ftp.itunesmusic.jetos.com" ascii
$c2_305 = "ftp.itunesmusic.jkub.com" ascii
$c2_306 = "ftp.itunesmusic.zzux.com" ascii
$c2_307 = "ftp.itunesupdate.itsaol.com" ascii
$c2_308 = "ftp.itunesupdates.organiccrap.com" ascii
$c2_309 = "ftp.japanfilmsite.ikwb.com" ascii
$c2_310 = "ftp.jimin.mymom.info" ascii
$c2_311 = "ftp.jp.serveuser.com" ascii
$c2_312 = "ftp.key.zzux.com" ascii
$c2_313 = "ftp.knowledge.sellclassics.com" ascii
$c2_314 = "ftp.lan.dynssl.com" ascii
$c2_315 = "ftp.latestnews.epac.to" ascii
$c2_316 = "ftp.latestnews.organiccrap.com" ascii
$c2_317 = "ftp.leedong.longmusic.com" ascii
$c2_318 = "ftp.macfee.mrface.com" ascii
$c2_319 = "ftp.maffc.mrface.com" ascii
$c2_320 = "ftp.malware.dsmtp.com" ascii
$c2_321 = "ftp.manager.jetos.com" ascii
$c2_322 = "ftp.martin.sellclassics.com" ascii
$c2_323 = "ftp.mason.vizvaz.com" ascii
$c2_324 = "ftp.mediapath.organiccrap.com" ascii
$c2_325 = "ftp.microsoft.got-game.org" ascii
$c2_326 = "ftp.microsoft.mrface.com" ascii
$c2_327 = "ftp.microsoftimages.organiccrap.com" ascii
$c2_328 = "ftp.microsoftmusic.mrbasic.com" ascii
$c2_329 = "ftp.microsoftqckmanager.pcanywhere.net" ascii
$c2_330 = "ftp.microsoftupdate.mrbasic.com" ascii
$c2_331 = "ftp.microsoftupdate.qhigh.com" ascii
$c2_332 = "ftp.micrsoftware.dsmtp.com" ascii
$c2_333 = "ftp.mircsoft.compress.to" ascii
$c2_334 = "ftp.mmy.ddns.us" ascii
$c2_335 = "ftp.mod.jetos.com" ascii
$c2_336 = "ftp.mofa.dynamic-dns.net" ascii
$c2_337 = "ftp.mofa.ns01.info" ascii
$c2_338 = "ftp.moscowdic.trickip.org" ascii
$c2_339 = "ftp.msg.ezua.com" ascii
$c2_340 = "ftp.musicfile.ikwb.com" ascii
$c2_341 = "ftp.musicjj.zzux.com" ascii
$c2_342 = "ftp.mymusicbox.vizvaz.com" ascii
$c2_343 = "ftp.myphpwebsite.itsaol.com" ascii
$c2_344 = "ftp.myrestroomimage.isasecret.com" ascii
$c2_345 = "ftp.na.americanunfinished.com" ascii
$c2_346 = "ftp.na.onmypc.org" ascii
$c2_347 = "ftp.newsdata.jkub.com" ascii
$c2_348 = "ftp.newsroom.cleansite.info" ascii
$c2_349 = "ftp.no.authorizeddns.org" ascii
$c2_350 = "ftp.nsa.mefound.com" ascii
$c2_351 = "ftp.nt.mynumber.org" ascii
$c2_352 = "ftp.nttdata.otzo.com" ascii
$c2_353 = "ftp.nz.compress.to" ascii
$c2_354 = "ftp.ol.almostmy.com" ascii
$c2_355 = "ftp.oracleupdate.dns04.com" ascii
$c2_356 = "ftp.portal.mrface.com" ascii
$c2_357 = "ftp.portal.sendsmtp.com" ascii
$c2_358 = "ftp.portalser.dynamic-dns.net" ascii
$c2_359 = "ftp.praskovya-matveyeva.mefound.com" ascii
$c2_360 = "ftp.praskovya-ulyanova.dumb1.com" ascii
$c2_361 = "ftp.products.almostmy.com" ascii
$c2_362 = "ftp.products.cleansite.us" ascii
$c2_363 = "ftp.products.serveuser.com" ascii
$c2_364 = "ftp.purchase.lflinkup.org" ascii
$c2_365 = "ftp.recent.dns-stuff.com" ascii
$c2_366 = "ftp.recent.fartit.com" ascii
$c2_367 = "ftp.referred.gr8domain.biz" ascii
$c2_368 = "ftp.referred.yourtrap.com" ascii
$c2_369 = "ftp.register.ourhobby.com" ascii
$c2_370 = "ftp.registration2.instanthq.com" ascii
$c2_371 = "ftp.registrations.4pu.com" ascii
$c2_372 = "ftp.registrations.organiccrap.com" ascii
$c2_373 = "ftp.remeberdata.iownyour.org" ascii
$c2_374 = "ftp.reserveds.onedumb.com" ascii
$c2_375 = "ftp.rethem.almostmy.com" ascii
$c2_376 = "ftp.sdmsg.onmypc.org" ascii
$c2_377 = "ftp.se.toythieves.com" ascii
$c2_378 = "ftp.secertnews.mrbasic.com" ascii
$c2_379 = "ftp.senseye.ikwb.com" ascii
$c2_380 = "ftp.senseye.mrbonus.com" ascii
$c2_381 = "ftp.septdlluckysystem.jungleheart.com" ascii
$c2_382 = "ftp.seraphim-yurieva.justdied.com" ascii
$c2_383 = "ftp.serv.justdied.com" ascii
$c2_384 = "ftp.server1.proxydns.com" ascii
$c2_385 = "ftp.seyesb.acmetoy.com" ascii
$c2_386 = "ftp.shugiin.jkub.com" ascii
$c2_387 = "ftp.singed.otzo.com" ascii
$c2_388 = "ftp.sstday.jkub.com" ascii
$c2_389 = "ftp.support1.mrface.com" ascii
$c2_390 = "ftp.supportus.mefound.com" ascii
$c2_391 = "ftp.svc.dynssl.com" ascii
$c2_392 = "ftp.synssl.dnset.com" ascii
$c2_393 = "ftp.tamraj.fartit.com" ascii
$c2_394 = "ftp.tfa.longmusic.com" ascii
$c2_395 = "ftp.thunder.wikaba.com" ascii
$c2_396 = "ftp.ticket.instanthq.com" ascii
$c2_397 = "ftp.ticket.serveuser.com" ascii
$c2_398 = "ftp.tokyofile.2waky.com" ascii
$c2_399 = "ftp.tophost.dynamicdns.co.uk" ascii
$c2_400 = "ftp.transfer.lflinkup.org" ascii
$c2_401 = "ftp.transfer.mrbasic.com" ascii
$c2_402 = "ftp.transfer.vizvaz.com" ascii
$c2_403 = "ftp.ugreen.itemdb.com" ascii
$c2_404 = "ftp.uk.dynamicdns.org.uk" ascii
$c2_405 = "ftp.un.ddns.info" ascii
$c2_406 = "ftp.un.dnsrd.com" ascii
$c2_407 = "ftp.usa.itsaol.com" ascii
$c2_408 = "ftp.well.itsaol.com" ascii
$c2_409 = "ftp.well.mrbasic.com" ascii
$c2_410 = "ftp.wike.wikaba.com" ascii
$c2_411 = "ftp.windowfile.itemdb.com" ascii
$c2_412 = "ftp.windowsimages.itemdb.com" ascii
$c2_413 = "ftp.windowsimages.qhigh.com" ascii
$c2_414 = "ftp.windowsmirrors.vizvaz.com" ascii
$c2_415 = "ftp.windowsupdate.2waky.com" ascii
$c2_416 = "ftp.windowsupdate.3-a.net" ascii
$c2_417 = "ftp.windowsupdate.authorizeddns.us" ascii
$c2_418 = "ftp.windowsupdate.dns05.com" ascii
$c2_419 = "ftp.windowsupdate.esmtp.biz" ascii
$c2_420 = "ftp.windowsupdate.ezua.com" ascii
$c2_421 = "ftp.windowsupdate.fartit.com" ascii
$c2_422 = "ftp.windowsupdate.gettrials.com" ascii
$c2_423 = "ftp.windowsupdate.instanthq.com" ascii
$c2_424 = "ftp.windowsupdate.jungleheart.com" ascii
$c2_425 = "ftp.windowsupdate.lflink.com" ascii
$c2_426 = "ftp.windowsupdate.mrface.com" ascii
$c2_427 = "ftp.windowsupdate.mylftv.com" ascii
$c2_428 = "ftp.windowsupdate.rebatesrule.net" ascii
$c2_429 = "ftp.windowsupdate.sellclassics.com" ascii
$c2_430 = "ftp.windowsupdate.serveusers.com" ascii
$c2_431 = "ftp.yandexr.sellclassics.com" ascii
$c2_432 = "fu.epac.to" ascii
$c2_433 = "fuck.ikwb.com" ascii
$c2_434 = "fuckanti.com" ascii
$c2_435 = "fuckdd.8800.org" ascii
$c2_436 = "fuckmm.8800.org" ascii
$c2_437 = "fuckmm.dns-dns.com" ascii
$c2_438 = "fukuoka.cloud-maste.com" ascii
$c2_439 = "g3ypf.online" ascii
$c2_440 = "gadskysun.com" ascii
$c2_441 = "gavin.ccfchrist.com" ascii
$c2_442 = "generat.almostmy.com" ascii
$c2_443 = "generousd.hopto.org" ascii
$c2_444 = "gensuzuki.6600.org" ascii
$c2_446 = "gh.mysecondarydns.com" ascii
$c2_447 = "gifuonlineshopping.mynumber.org" ascii
$c2_448 = "glicense.shenajou.com" ascii
$c2_449 = "globalnews.wikaba.com" ascii
$c2_450 = "gmail.com.mailsserver.com" ascii
$c2_451 = "gmpcw.com" ascii
$c2_452 = "gold.polopurple.com" ascii
$c2_453 = "goldtoyota.com" ascii
$c2_454 = "goodmusic.justdied.com" ascii
$c2_455 = "goodsampjp.com" ascii
$c2_456 = "gooesdataios.instanthq.com" ascii
$c2_457 = "google.macforlinux.net" ascii
$c2_458 = "google.usrobothome.com" ascii
$c2_459 = "googlemeail.com" ascii
$c2_460 = "gostudyantivirus.com" ascii
$c2_461 = "gostudymbaa.com" ascii
$c2_462 = "gotourisma.com" ascii
$c2_463 = "gt4study.com" ascii
$c2_464 = "gtsofta.com" ascii
$c2_465 = "haoyujd.info" ascii
$c2_466 = "happy.workerisgood.com" ascii
$c2_467 = "have8000.com" ascii
$c2_468 = "helpus.ddns.info" ascii
$c2_469 = "helshellfucde.8866.org" ascii
$c2_470 = "hg8fmv.racing" ascii
$c2_471 = "hii.qhigh.com" ascii
$c2_472 = "hk.2012yearleft.com" ascii
$c2_473 = "hk.cmdnetview.com" ascii
$c2_474 = "hk.have8000.com" ascii
$c2_475 = "hk.loveddos.com" ascii
$c2_476 = "home.trickip.org" ascii
$c2_477 = "hostport9.net" ascii
$c2_478 = "hotmai.info" ascii
$c2_479 = "hotmail.com.mailsserver.com" ascii
$c2_480 = "hukuoka.cloud-maste.com" ascii
$c2_481 = "iamges.itunesmusic.jkub.com" ascii
$c2_482 = "ibmmsg.strangled.net" ascii
$c2_483 = "icfeds.cf" ascii
$c2_484 = "idpmus.hostport9.net" ascii
$c2_486 = "im.suibian2010.info" ascii
$c2_487 = "image.websago.info" ascii
$c2_488 = "images.itunesmusic.jkub.com" ascii
$c2_489 = "images.thedomais.info" ascii
$c2_490 = "images.tyoto-go-jp.com" ascii
$c2_491 = "images.windowsupdate.organiccrap.com" ascii
$c2_492 = "imap.architectisusa.com" ascii
$c2_493 = "imap.dnset.com" ascii
$c2_494 = "imap.lflink.com" ascii
$c2_495 = "imap.onmypc.net" ascii
$c2_496 = "imap.ygto.com" ascii
$c2_497 = "img.station155.com" ascii
$c2_498 = "improvejpese.com" ascii
$c2_499 = "incloud-go.com" ascii
$c2_500 = "incloud-obert.com" ascii
$c2_501 = "ingemar.catholicmmb.com" ascii
$c2_502 = "innocent-isayev.sexidude.com" ascii
$c2_503 = "innov-tec.com.ua" ascii
$c2_504 = "inspgon.re26.com" ascii
$c2_505 = "interpreter.shenajou.com" ascii
$c2_506 = "invoices.sexxxy.biz" ascii
$c2_508 = "iphone.vizvaz.com" ascii
$c2_509 = "ipv4.applemusic.itemdb.com" ascii
$c2_510 = "ipv4.itunesmusic.jkub.com" ascii
$c2_511 = "ipv4.japanenvnews.qpoe.com" ascii
$c2_512 = "ipv4.microsoftmusic.onedumb.com" ascii
$c2_513 = "ipv4.microsoftupdate.mrbasic.com" ascii
$c2_514 = "ipv4.microsoftupdate.qhigh.com" ascii
$c2_515 = "ipv4.windowsupdate.3-a.net" ascii
$c2_516 = "ipv4.windowsupdate.authorizeddns.org" ascii
$c2_517 = "ipv4.windowsupdate.authorizeddns.us" ascii
$c2_518 = "ipv4.windowsupdate.dnset.com" ascii
$c2_519 = "ipv4.windowsupdate.esmtp.biz" ascii
$c2_520 = "ipv4.windowsupdate.ezua.com" ascii
$c2_521 = "ipv4.windowsupdate.fartit.com" ascii
$c2_522 = "ipv4.windowsupdate.gettrials.com" ascii
$c2_523 = "ipv4.windowsupdate.itsaol.com" ascii
$c2_524 = "ipv4.windowsupdate.lflink.com" ascii
$c2_525 = "ipv4.windowsupdate.lflinkup.com" ascii
$c2_526 = "ipv4.windowsupdate.mrface.com" ascii
$c2_527 = "ipv4.windowsupdate.mylftv.com" ascii
$c2_528 = "ipv4.windowsupdate.nsatcdns.com" ascii
$c2_529 = "ipv4.windowsupdate.x24hr.com" ascii
$c2_530 = "ipv6microsoft.dlmix.ourdvs.com" ascii
$c2_531 = "itlans.isasecret.com" ascii
$c2_532 = "itunesdownload.jkub.com" ascii
$c2_533 = "itunesdownload.vizvaz.com" ascii
$c2_534 = "itunesdownload.wikaba.com" ascii
$c2_535 = "itunesimages.itemdb.com" ascii
$c2_536 = "itunesimages.itsaol.com" ascii
$c2_537 = "itunesimages.qpoe.com" ascii
$c2_538 = "itunesmirror.fartit.com" ascii
$c2_539 = "itunesmirror.itsaol.com" ascii
$c2_540 = "itunesmusic.ikwb.com" ascii
$c2_541 = "itunesmusic.jetos.com" ascii
$c2_542 = "itunesmusic.jkub.com" ascii
$c2_543 = "itunesmusic.zzux.com" ascii
$c2_544 = "itunesupdate.itsaol.com" ascii
$c2_545 = "itunesupdates.organiccrap.com" ascii
$c2_546 = "iw.mrslove.com" ascii
$c2_547 = "ixrayeye.com" ascii
$c2_548 = "james.tffghelth.com" ascii
$c2_549 = "janpan.bigmoney.biz" ascii
$c2_550 = "janpun.americanunfinished.com" ascii
$c2_551 = "jap.japanmusicinfo.com" ascii
$c2_552 = "japan.fuckanti.com" ascii
$c2_553 = "japan.linuxforover.com" ascii
$c2_554 = "japan.loveddos.com" ascii
$c2_555 = "japanenvnews.qpoe.com" ascii
$c2_556 = "japanfilmsite.ikwb.com" ascii
$c2_557 = "japanfst.japanteam.org" ascii
$c2_558 = "japanmusicinfo.com" ascii
$c2_559 = "japanteam.org" ascii
$c2_560 = "jcie.mofa.ns01.info" ascii
$c2_561 = "jepsen.r3u8.com" ascii
$c2_562 = "jica-go-jp.bike" ascii
$c2_563 = "jica-go-jp.biz" ascii
$c2_564 = "jimin-jp.biz" ascii
$c2_565 = "jimin.jimindaddy.com" ascii
$c2_566 = "jimin.mymom.info" ascii
$c2_567 = "jimindaddy.com" ascii
$c2_568 = "jimingroup.com" ascii
$c2_569 = "jimintokoy.com" ascii
$c2_570 = "jj.mysecondarydns.com" ascii
$c2_571 = "jmuroran.com" ascii
$c2_572 = "jp.rakutenmusic.com" ascii
$c2_573 = "jp.serveuser.com" ascii
$c2_574 = "jpcert.org" ascii
$c2_575 = "jpn.longmusic.com" ascii
$c2_576 = "jpnxzshopdata.authorizeddns.org" ascii
$c2_577 = "jpstarmarket.serveusers.com" ascii
$c2_578 = "kaka.lehigtapp.com" ascii
$c2_579 = "kawasaki.cloud-maste.com" ascii
$c2_580 = "kawasaki.unhamj.com" ascii
$c2_581 = "kennedy.tffghelth.com" ascii
$c2_582 = "key.zzux.com" ascii
$c2_583 = "kikimusic.sellclassics.com" ascii
$c2_584 = "kmd.crabdance.com" ascii
$c2_585 = "knowledge.sellclassics.com" ascii
$c2_586 = "ktgmktanxgvn.r3u8.com" ascii
$c2_587 = "kxsbwappupdate.dhcp.biz" ascii
$c2_588 = "kztmusiclnk.dnsrd.com" ascii
$c2_589 = "lan.dynssl.com" ascii
$c2_590 = "last.p6p6.net" ascii
$c2_591 = "latestnews.epac.to" ascii
$c2_592 = "latestnews.organiccrap.com" ascii
$c2_593 = "leedong.longmusic.com" ascii
$c2_594 = "lehigtapp.com" ascii
$c2_595 = "lennon.fftpoor.com" ascii
$c2_596 = "license.shenajou.com" ascii
$c2_597 = "lie.jetos.com" ascii
$c2_598 = "linuxforover.com" ascii
$c2_599 = "linuxsofta.com" ascii
$c2_600 = "lion.wchildress.com" ascii
$c2_601 = "lizard.poulsenv.com" ascii
$c2_602 = "logon-live.com" ascii
$c2_603 = "lottedfstravel.webbooting.com" ascii
$c2_604 = "loveddos.com" ascii
$c2_605 = "lzf550.r3u8.com" ascii
$c2_606 = "ma.vizvaz.com" ascii
$c2_607 = "mac.goldtoyota.com" ascii
$c2_608 = "mac.methoder.com" ascii
$c2_609 = "macfee.mrface.com" ascii
$c2_610 = "macforlinux.net" ascii
$c2_611 = "maffc.mrface.com" ascii
$c2_612 = "mail.architectisusa.com" ascii
$c2_613 = "mail.macforlinux.net" ascii
$c2_614 = "mailcarriage.co.uk" ascii
$c2_615 = "mailj.hostport9.net" ascii
$c2_616 = "mailserever.com" ascii
$c2_617 = "mailsserver.com" ascii
$c2_618 = "mailvserver.com" ascii
$c2_619 = "malcolm.fftpoor.com" ascii
$c2_620 = "malware.dsmtp.com" ascii
$c2_621 = "manager.architectisusa.com" ascii
$c2_622 = "manager.jetos.com" ascii
$c2_623 = "markabcinfo.dynamicdns.me.uk" ascii
$c2_624 = "martin.sellclassics.com" ascii
$c2_625 = "mason.vizvaz.com" ascii
$c2_626 = "mbaby.macforlinux.net" ascii
$c2_627 = "medexplor.thedomais.info" ascii
$c2_628 = "mediapath.organiccrap.com" ascii
$c2_629 = "meiji-ac-jp.com" ascii
$c2_630 = "mesjm.emailfound.info" ascii
$c2_631 = "message.emailfound.info" ascii
$c2_632 = "message.p6p6.net" ascii
$c2_633 = "messagea.emailfound.info" ascii
$c2_634 = "methoder.com" ascii
$c2_635 = "mf.ddns.info" ascii
$c2_636 = "microcnmlgb.3322.org" ascii
$c2_637 = "microdef.2288.org" ascii
$c2_638 = "microhome.wikaba.com" ascii
$c2_639 = "microsoft.got-game.org" ascii
$c2_640 = "microsoft.mrface.com" ascii
$c2_641 = "microsoftdownload.zzux.com" ascii
$c2_642 = "microsoftempowering.sendsmtp.com" ascii
$c2_643 = "microsoften.com" ascii
$c2_644 = "microsoftgame.mrface.com" ascii
$c2_645 = "microsoftgetstarted.sexidude.com" ascii
$c2_646 = "microsoftimages.organiccrap.com" ascii
$c2_647 = "microsoftmirror.mrbasic.com" ascii
$c2_648 = "microsoftmusic.itemdb.com" ascii
$c2_649 = "microsoftmusic.mrbasic.com" ascii
$c2_650 = "microsoftmusic.onedumb.com" ascii
$c2_651 = "microsoftqckmanager.pcanywhere.net" ascii
$c2_652 = "microsoftstore.jetos.com" ascii
$c2_653 = "microsoftstores.itemdb.com" ascii
$c2_654 = "microsoftupdate.mrbasic.com" ascii
$c2_655 = "microsoftupdate.qhigh.com" ascii
$c2_656 = "microsoftupdates.vizvaz.com" ascii
$c2_657 = "micrsoftware.dsmtp.com" ascii
$c2_658 = "mircsoft.compress.to" ascii
$c2_659 = "mivsee.website0012.net" ascii
$c2_660 = "mmofoojap.2288.org" ascii
$c2_661 = "mmy.ddns.us" ascii
$c2_662 = "mobile.2waky.com" ascii
$c2_663 = "mocha.100fanwen.com" ascii
$c2_664 = "mod.jetos.com" ascii
$c2_665 = "mofa-go-jp.com" ascii
$c2_666 = "mofa.dynamic-dns.net" ascii
$c2_667 = "mofa.ns01.info" ascii
$c2_668 = "mofa.strangled.net" ascii
$c2_669 = "mofaess.com" ascii
$c2_670 = "mongoles.3322.org" ascii
$c2_671 = "monkey.2012yearleft.com" ascii
$c2_672 = "moscowstdsupdate.toythieves.com" ascii
$c2_673 = "mrsloveaqx.mrslove.com" ascii
$c2_674 = "ms.ecc.u-tokyo-ac-jp.com" ascii
$c2_675 = "mseupdate.ourhobby.com" ascii
$c2_676 = "msg.ezua.com" ascii
$c2_677 = "msn.incloud-go.com" ascii
$c2_678 = "muller.exprenum.com" ascii
$c2_679 = "music.applemusic.itemdb.com" ascii
$c2_680 = "music.cleansite.us" ascii
$c2_681 = "music.websegoo.net" ascii
$c2_682 = "musicfile.ikwb.com" ascii
$c2_683 = "musicinfo.everydayfilmlink.com" ascii
$c2_684 = "musiclinker.jkub.com" ascii
$c2_685 = "musicsecph.squirly.info" ascii
$c2_686 = "mx.yetrula.eu" ascii
$c2_687 = "myie12.com" ascii
$c2_688 = "mymusicbox.lflinkup.org" ascii
$c2_689 = "mymusicbox.vizvaz.com" ascii
$c2_690 = "myphpwebsite.itsaol.com" ascii
$c2_691 = "myrestroomimage.isasecret.com" ascii
$c2_692 = "mytwhomeinst.sendsmtp.com" ascii
$c2_693 = "myurinikoreaaps.ninth.biz" ascii
$c2_694 = "na.americanunfinished.com" ascii
$c2_695 = "na.onmypc.org" ascii
$c2_696 = "nasa.xxuz.com" ascii
$c2_697 = "nec.website0012.net" ascii
$c2_698 = "news.100fanwen.com" ascii
$c2_699 = "newsdata.jkub.com" ascii
$c2_700 = "newsfile.toythieves.com" ascii
$c2_701 = "newsreport.justdied.com" ascii
$c2_702 = "newsroom.cleansite.info" ascii
$c2_703 = "nezwq.ezua.com" ascii
$c2_704 = "ngcc.8800.org" ascii
$c2_705 = "niushenghuo.info" ascii
$c2_706 = "nk10.belowto.com" ascii
$c2_707 = "nk20.belowto.com" ascii
$c2_708 = "nlddnsinfo.https443.org" ascii
$c2_709 = "nmrx.mrbonus.com" ascii
$c2_710 = "nn.dynssl.com" ascii
$c2_711 = "no.authorizeddns.org" ascii
$c2_712 = "node.mofaess.com" ascii
$c2_713 = "nodns2.qipian.org" ascii
$c2_714 = "nposnewsinfo.qhigh.com" ascii
$c2_715 = "ns1.belowto.com" ascii
$c2_716 = "ns1.tlchs2.ml" ascii
$c2_717 = "ns2.belowto.com" ascii
$c2_718 = "ns21.belowto.com" ascii
$c2_719 = "ns22.belowto.com" ascii
$c2_720 = "ns4.belowto.com" ascii
$c2_721 = "ns5.belowto.com" ascii
$c2_722 = "nsa.mefound.com" ascii
$c2_723 = "nsatcdns.com" ascii
$c2_724 = "nt.mynumber.org" ascii
$c2_725 = "nttdata.otzo.com" ascii
$c2_726 = "nunluck.re26.com" ascii
$c2_727 = "nz.compress.to" ascii
$c2_728 = "oipbl.com" ascii
$c2_729 = "ol.almostmy.com" ascii
$c2_730 = "oldbmwy.com" ascii
$c2_731 = "oms.sindeali.com" ascii
$c2_732 = "openmofa.8866.org" ascii
$c2_733 = "oracleupdate.dns04.com" ascii
$c2_734 = "osaka-jpgo.com" ascii
$c2_735 = "outlook.otzo.com" ascii
$c2_736 = "owlmedia.mefound.com" ascii
$c2_737 = "p6p6.net" ascii
$c2_738 = "peopleinfodata.3-a.net" ascii
$c2_739 = "phptecinfohelp.itemdb.com" ascii
$c2_740 = "pictures.everydayfilmlink.com" ascii
$c2_741 = "pj.qpoe.com" ascii
$c2_742 = "points.mofaess.com" ascii
$c2_743 = "polopurple.com" ascii
$c2_744 = "pop.architectisusa.com" ascii
$c2_745 = "pop.loveddos.com" ascii
$c2_746 = "portal.mrface.com" ascii
$c2_747 = "portal.sendsmtp.com" ascii
$c2_748 = "portalser.dynamic-dns.net" ascii
$c2_749 = "poulsenv.com" ascii
$c2_750 = "praskovya-matveyeva.mefound.com" ascii
$c2_751 = "praskovya-ulyanova.dumb1.com" ascii
$c2_752 = "premium.redforlinux.com" ascii
$c2_753 = "products.almostmy.com" ascii
$c2_754 = "products.cleansite.us" ascii
$c2_755 = "products.serveuser.com" ascii
$c2_756 = "program.acmetoy.com" ascii
$c2_757 = "prrmes4019.r3u8.com" ascii
$c2_758 = "purchase.lflinkup.org" ascii
$c2_759 = "q6.niushenghuo.info" ascii
$c2_760 = "qtsofta.com" ascii
$c2_761 = "quick.oldbmwy.com" ascii
$c2_762 = "r3u8.com" ascii
$c2_763 = "radiorig.com" ascii
$c2_764 = "rain.orctldl.windowsupdate.authorizeddns.us" ascii
$c2_765 = "rakutenmusic.com" ascii
$c2_766 = "rdns-4.infoproduto1.tk" ascii
$c2_767 = "re26.com" ascii
$c2_768 = "read.xxuz.com" ascii
$c2_769 = "recent.dns-stuff.com" ascii
$c2_770 = "recent.fartit.com" ascii
$c2_771 = "record.hostport9.net" ascii
$c2_772 = "record.webssl9.info" ascii
$c2_773 = "record.wschandler.com" ascii
$c2_774 = "redforlinux.com" ascii
$c2_775 = "referred.gr8domain.biz" ascii
$c2_776 = "referred.yourtrap.com" ascii
$c2_777 = "register.ourhobby.com" ascii
$c2_778 = "registration2.instanthq.com" ascii
$c2_779 = "registrations.4pu.com" ascii
$c2_780 = "registrations.organiccrap.com" ascii
$c2_781 = "reports.tomorrowforgood.com" ascii
$c2_782 = "reserveds.onedumb.com" ascii
$c2_783 = "resources.applemusic.itemdb.com" ascii
$c2_784 = "rethem.almostmy.com" ascii
$c2_785 = "rg197.win" ascii
$c2_786 = "rlbeiydn.hi.r3u8.com" ascii
$c2_787 = "saiyo.exprenum.com" ascii
$c2_788 = "sakai.unhamj.com" ascii
$c2_789 = "salvaiona.com" ascii
$c2_790 = "sappore.cloud-maste.com" ascii
$c2_791 = "sapporo.cloud-maste.com" ascii
$c2_792 = "sapporot.com" ascii
$c2_793 = "sat.suayay.com" ascii
$c2_794 = "saverd.re26.com" ascii
$c2_795 = "sbuudd.webssl9.info" ascii
$c2_796 = "sc.weboot.info" ascii
$c2_797 = "scholz-versand.com" ascii
$c2_798 = "scorpion.poulsenv.com" ascii
$c2_799 = "scrlk.exprenum.com" ascii
$c2_800 = "sdmsg.onmypc.org" ascii
$c2_801 = "se.toythieves.com" ascii
$c2_802 = "sea.websegoo.net" ascii
$c2_803 = "secertnews.mrbasic.com" ascii
$c2_804 = "secmicrosooo.6600.org" ascii
$c2_805 = "secnetshit.com" ascii
$c2_806 = "secserverupdate.toh.info" ascii
$c2_807 = "sell.mofaess.com" ascii
$c2_808 = "sema.linuxsofta.com" ascii
$c2_809 = "send.have8000.com" ascii
$c2_810 = "send.mofa.ns01.info" ascii
$c2_811 = "sendmsg.jumpingcrab.com" ascii
$c2_812 = "senseye.ikwb.com" ascii
$c2_813 = "senseye.mrbonus.com" ascii
$c2_814 = "septdlluckysystem.jungleheart.com" ascii
$c2_815 = "seraphim-yurieva.justdied.com" ascii
$c2_816 = "serv.justdied.com" ascii
$c2_817 = "server1.proxydns.com" ascii
$c2_818 = "seyesb.acmetoy.com" ascii
$c2_819 = "sha.25u.com" ascii
$c2_820 = "sha.ikwb.com" ascii
$c2_821 = "shenajou.com" ascii
$c2_822 = "shoppingcentre.station155.com" ascii
$c2_823 = "shrimp.UsFfUnicef.com" ascii
$c2_824 = "shrimp.bdoncloud.com" ascii
$c2_825 = "shugiin.jkub.com" ascii
$c2_826 = "sindeali.com" ascii
$c2_827 = "singed.otzo.com" ascii
$c2_828 = "siteinit.info" ascii
$c2_829 = "sky.oldbmwy.com" ascii
$c2_830 = "sma.jimindaddy.com" ascii
$c2_831 = "smo.gadskysun.com" ascii
$c2_832 = "smtp.architectisusa.com" ascii
$c2_833 = "smtp.macforlinux.net" ascii
$c2_834 = "smtp230.toldweb.com" ascii
$c2_835 = "somthing.re26.com" ascii
$c2_836 = "sstday.jkub.com" ascii
$c2_837 = "start.usrobothome.com" ascii
$c2_838 = "station155.com" ascii
$c2_839 = "stevenlf.com" ascii
$c2_840 = "stone.jumpingcrab.com" ascii
$c2_841 = "style.u-tokyo-ac-jp.com" ascii
$c2_842 = "suayay.com" ascii
$c2_843 = "suibian2010.info" ascii
$c2_844 = "support1.mrface.com" ascii
$c2_845 = "supportus.mefound.com" ascii
$c2_846 = "suzukigooogle.8866.org" ascii
$c2_847 = "svc.dynssl.com" ascii
$c2_848 = "synssl.dnset.com" ascii
$c2_849 = "sz.thedomais.info" ascii
$c2_850 = "taipei.yourtrap.com" ascii
$c2_851 = "taipeifoodsite.ocry.com" ascii
$c2_852 = "tamraj.fartit.com" ascii
$c2_853 = "telegraph.mefound.com" ascii
$c2_854 = "test.usyahooapis.com" ascii
$c2_855 = "tfa.longmusic.com" ascii
$c2_856 = "tffghelth.com" ascii
$c2_857 = "thedomais.info" ascii
$c2_858 = "ticket.instanthq.com" ascii
$c2_859 = "ticket.jetos.com" ascii
$c2_860 = "ticket.serveuser.com" ascii
$c2_861 = "tidatacenter.shenajou.com" ascii
$c2_862 = "tisdatacenter.shenajou.com" ascii
$c2_863 = "tisupdateinfo.faqserv.com" ascii
$c2_864 = "tokyo-gojp.com" ascii
$c2_865 = "tokyofile.2waky.com" ascii
$c2_866 = "tomorrowforgood.com" ascii
$c2_867 = "tophost.dynamicdns.co.uk" ascii
$c2_868 = "toshste.com" ascii
$c2_869 = "toya.7766.org" ascii
$c2_870 = "transfer.lflinkup.org" ascii
$c2_871 = "transfer.mrbasic.com" ascii
$c2_872 = "transfer.vizvaz.com" ascii
$c2_873 = "trasul.mypicture.info" ascii
$c2_874 = "travelyokogawafz.fartit.com" ascii
$c2_875 = "trendmicroupdate.shenajou.com" ascii
$c2_876 = "trendsecurity.shenajou.com" ascii
$c2_877 = "trout.belowto.com" ascii
$c2_878 = "tv.goldtoyota.com" ascii
$c2_879 = "tw.2012yearleft.com" ascii
$c2_880 = "twmusic.proxydns.com" ascii
$c2_881 = "twpeoplemusicsite.my03.com" ascii
$c2_882 = "twtravelinfomation.toythieves.com" ascii
$c2_883 = "twx.mynumber.org" ascii
$c2_884 = "tyoto-go-jp.com" ascii
$c2_885 = "u-tokyo-ac-jp.com" ascii
$c2_886 = "u1.FartIT.com" ascii
$c2_887 = "u1.haoyujd.info" ascii
$c2_888 = "ubuntusofta.com" ascii
$c2_889 = "ugreen.itemdb.com" ascii
$c2_890 = "ui.hdcdui.com" ascii
$c2_891 = "uk.dynamicdns.org.uk" ascii
$c2_892 = "ukuoka.cloud-maste.com" ascii
$c2_893 = "ultimedia.vmmini.com" ascii
$c2_894 = "un.ddns.info" ascii
$c2_895 = "un.dnsrd.com" ascii
$c2_896 = "unhamj.com" ascii
$c2_897 = "update.yourtrap.com" ascii
$c2_898 = "updatemirrors.fartit.com" ascii
$c2_899 = "updates.itsaol.com" ascii
$c2_900 = "ups.improvejpese.com" ascii
$c2_901 = "urearapetsu.com" ascii
$c2_902 = "usa.got-game.org" ascii
$c2_903 = "usa.itsaol.com" ascii
$c2_904 = "usa.japanteam.org" ascii
$c2_905 = "usffunicef.com" ascii
$c2_906 = "usmirocomney.net" ascii
$c2_907 = "usrobothome.com" ascii
$c2_908 = "usyahooapis.com" ascii
$c2_909 = "uu.logon-live.com" ascii
$c2_910 = "uu.niushenghuo.info" ascii
$c2_911 = "ux.niushenghuo.info" ascii
$c2_912 = "v4.appledownload.ourhobby.com" ascii
$c2_913 = "v4.itunesmusic.jkub.com" ascii
$c2_914 = "v4.microsoftmusic.onedumb.com" ascii
$c2_915 = "v4.microsoftupdate.mrbasic.com" ascii
$c2_916 = "v4.windowsupdate.DEDGESUITE.NET" ascii
$c2_917 = "v4.windowsupdate.authorizeddns.org" ascii
$c2_918 = "v4.windowsupdate.dnset.com" ascii
$c2_919 = "v4.windowsupdate.itsaol.com" ascii
$c2_920 = "v4.windowsupdate.lflinkup.com" ascii
$c2_921 = "v4.windowsupdate.mrface.com" ascii
$c2_922 = "v4.windowsupdate.nsatcdns.com" ascii
$c2_923 = "v4.windowsupdate.x24hr.com" ascii
$c2_924 = "v4.windowsupdates.dnsrd.com" ascii
$c2_925 = "veryhuai.info" ascii
$c2_926 = "video.vmdnsup.org" ascii
$c2_927 = "vmdnsup.org" ascii
$c2_929 = "vmyiersend.WEBSAGO.INFO" ascii
$c2_930 = "vmyisan.website0012.net" ascii
$c2_932 = "wchildress.com" ascii
$c2_934 = "wcxh.mynetav.net" ascii
$c2_935 = "wdsupdates.com" ascii
$c2_936 = "webbooting.com" ascii
$c2_937 = "webdirectnews.dynamicdns.biz" ascii
$c2_938 = "webinfoseco.ygto.com" ascii
$c2_939 = "webmailentry.jetos.com" ascii
$c2_940 = "weboot.info" ascii
$c2_941 = "websago.info" ascii
$c2_942 = "websegoo.net" ascii
$c2_943 = "website0012.net" ascii
$c2_944 = "websiteboo.website0012.net" ascii
$c2_945 = "websqlnewsmanager.ninth.biz" ascii
$c2_946 = "webssl9.info" ascii
$c2_947 = "well.itsaol.com" ascii
$c2_948 = "well.mrbasic.com" ascii
$c2_949 = "whale.toshste.com" ascii
$c2_950 = "whellbuy.wschandler.com" ascii
$c2_951 = "whyis.haoyujd.info" ascii
$c2_952 = "wike.wikaba.com" ascii
$c2_953 = "windowfile.itemdb.com" ascii
$c2_954 = "windowsimages.itemdb.com" ascii
$c2_955 = "windowsimages.qhigh.com" ascii
$c2_956 = "windowsmirrors.vizvaz.com" ascii
$c2_957 = "windowsstores.gettrials.com" ascii
$c2_958 = "windowsstores.organiccrap.com" ascii
$c2_959 = "windowsupdate.2waky.com" ascii
$c2_960 = "windowsupdate.3-a.net" ascii
$c2_961 = "windowsupdate.acmetoy.com" ascii
$c2_962 = "windowsupdate.authorizeddns.net" ascii
$c2_963 = "windowsupdate.authorizeddns.org" ascii
$c2_964 = "windowsupdate.authorizeddns.us" ascii
$c2_965 = "windowsupdate.com.mwcname.com" ascii
$c2_966 = "windowsupdate.dedgesuite.net" ascii
$c2_967 = "windowsupdate.dns05.com" ascii
$c2_968 = "windowsupdate.dnset.com" ascii
$c2_969 = "windowsupdate.esmtp.biz" ascii
$c2_970 = "windowsupdate.ezua.com" ascii
$c2_971 = "windowsupdate.fartit.com" ascii
$c2_972 = "windowsupdate.gettrials.com" ascii
$c2_973 = "windowsupdate.instanthq.com" ascii
$c2_974 = "windowsupdate.itsaol.com" ascii
$c2_975 = "windowsupdate.jungleheart.com" ascii
$c2_976 = "windowsupdate.lflink.com" ascii
$c2_977 = "windowsupdate.mrface.com" ascii
$c2_978 = "windowsupdate.mylftv.com" ascii
$c2_979 = "windowsupdate.nsatcdns.com" ascii
$c2_980 = "windowsupdate.organiccrap.com" ascii
$c2_981 = "windowsupdate.rebatesrule.net" ascii
$c2_982 = "windowsupdate.sellclassics.com" ascii
$c2_983 = "windowsupdate.serveusers.com" ascii
$c2_984 = "windowsupdate.vizvaz.com" ascii
$c2_985 = "windowsupdate.wcwname.com" ascii
$c2_986 = "windowsupdate.x24hr.com" ascii
$c2_987 = "windowsupdate.ygto.com" ascii
$c2_988 = "windowsupdates.dnset.com" ascii
$c2_989 = "windowsupdates.ezua.com" ascii
$c2_990 = "windowsupdates.ikwb.com" ascii
$c2_991 = "windowsupdates.itemdb.com" ascii
$c2_992 = "windowsupdates.proxydns.com" ascii
$c2_993 = "workerisgood.com" ascii
$c2_994 = "woyaofanwen.com" ascii
$c2_995 = "wschandler.com" ascii
$c2_996 = "wthelpdesk.com" ascii
$c2_997 = "wubangtu.info" ascii
$c2_998 = "www-meti-go-jp.tyoto-go-jp.com" ascii
$c2_999 = "www.2014.zzux.com" ascii
$c2_1000 = "www.97sm.com" ascii
$c2_1001 = "www.9gowg.tech" ascii
$c2_1002 = "www.abdominal.faqserv.com" ascii
$c2_1003 = "www.additional.sexidude.com" ascii
$c2_1004 = "www.afc.https443.org" ascii
$c2_1005 = "www.androidmusicapp.onmypc.us" ascii
$c2_1006 = "www.announcements.toythieves.com" ascii
$c2_1007 = "www.anx-own-334.mrbasic.com" ascii
$c2_1008 = "www.apple.ikwb.com" ascii
$c2_1009 = "www.appledownload.ourhobby.com" ascii
$c2_1010 = "www.appleimages.itemdb.com" ascii
$c2_1011 = "www.appleimages.longmusic.com" ascii
$c2_1012 = "www.appleimages.organiccrap.com" ascii
$c2_1013 = "www.applejuice.itemdb.com" ascii
$c2_1014 = "www.applemirror.organiccrap.com" ascii
$c2_1015 = "www.applemirror.squirly.info" ascii
$c2_1016 = "www.applemusic.isasecret.com" ascii
$c2_1017 = "www.applemusic.itemdb.com" ascii
$c2_1018 = "www.applemusic.wikaba.com" ascii
$c2_1019 = "www.applemusic.xxuz.com" ascii
$c2_1020 = "www.applemusic.zzux.com" ascii
$c2_1021 = "www.appleupdate.itemdb.com" ascii
$c2_1022 = "www.appleupdateurl.2waky.com" ascii
$c2_1023 = "www.architectisusa.com" ascii
$c2_1024 = "www.army.xxuz.com" ascii
$c2_1025 = "www.art.p6p6.net" ascii
$c2_1026 = "www.asfzx.x24hr.com" ascii
$c2_1027 = "www.availab.wikaba.com" ascii
$c2_1028 = "www.availability.justdied.com" ascii
$c2_1029 = "www.babymusicsitetr.mymom.info" ascii
$c2_1030 = "www.back.jungleheart.com" ascii
$c2_1031 = "www.balance1.wikaba.com" ascii
$c2_1032 = "www.be.mrslove.com" ascii
$c2_1033 = "www.belowto.com" ascii
$c2_1034 = "www.billing.organiccrap.com" ascii
$c2_1035 = "www.blaaaaaaaaaaaa.windowsupdate.3-a.net" ascii
$c2_1036 = "www.brand.fartit.com" ascii
$c2_1037 = "www.bulletproof.squirly.info" ascii
$c2_1038 = "www.cabbage.iownyour.biz" ascii
$c2_1039 = "www.ccupdatedata.authorizeddns.net" ascii
$c2_1040 = "www.cdn.incloud-go.com" ascii
$c2_1041 = "www.center.shenajou.com" ascii
$c2_1042 = "www.chaindungeons.com" ascii
$c2_1043 = "www.cia.ezua.com" ascii
$c2_1044 = "www.cia.toh.info" ascii
$c2_1045 = "www.civilwar123.authorizeddns.org" ascii
$c2_1046 = "www.civilwar520.onmypc.org" ascii
$c2_1047 = "www.cloud-maste.com" ascii
$c2_1048 = "www.cnnews.mylftv.com" ascii
$c2_1049 = "www.commissioner.shenajou.com" ascii
$c2_1050 = "www.commons.onedumb.com" ascii
$c2_1051 = "www.contractus.qpoe.com" ascii
$c2_1052 = "www.corp-dnsonline.itsaol.com" ascii
$c2_1053 = "www.courier.jetos.com" ascii
$c2_1054 = "www.cress.mynetav.net" ascii
$c2_1055 = "www.ctdl.windowsupdate.nsatcdns.com" ascii
$c2_1056 = "www.ctldl.microsoftupdate.qhigh.com" ascii
$c2_1057 = "www.ctldl.windowsupdate.authorizeddns.us" ascii
$c2_1058 = "www.ctldl.windowsupdate.esmtp.biz" ascii
$c2_1059 = "www.ctldl.windowsupdate.mrface.com" ascii
$c2_1060 = "www.cwiinatonal.com" ascii
$c2_1061 = "www.dasoftactivemodule.toythieves.com" ascii
$c2_1062 = "www.dasonews.youdontcare.com" ascii
$c2_1063 = "www.daughter.vizvaz.com" ascii
$c2_1064 = "www.de.onmypc.info" ascii
$c2_1065 = "www.details.squirly.info" ascii
$c2_1066 = "www.development.shenajou.com" ascii
$c2_1067 = "www.devilcase.acmetoy.com" ascii
$c2_1068 = "www.disruptive.https443.net" ascii
$c2_1069 = "www.dns-hinettw.25u.com" ascii
$c2_1070 = "www.document.shenajou.com" ascii
$c2_1071 = "www.domainnow.yourtrap.com" ascii
$c2_1072 = "www.download.windowsupdate.nsatcdns.com" ascii
$c2_1073 = "www.ea.onmypc.info" ascii
$c2_1074 = "www.eddo.qpoe.com" ascii
$c2_1075 = "www.ehshiroshima.mylftv.com" ascii
$c2_1076 = "www.eric-averyanov.wha.la" ascii
$c2_1077 = "www.eu.acmetoy.com" ascii
$c2_1078 = "www.eu.wha.la" ascii
$c2_1079 = "www.express.lflinkup.com" ascii
$c2_1080 = "www.extraordinary.dynamic-dns.net" ascii
$c2_1081 = "www.f068v.site" ascii
$c2_1082 = "www.facefile.fartit.com" ascii
$c2_1083 = "www.fertile.authorizeddns.net" ascii
$c2_1084 = "www.file.zzux.com" ascii
$c2_1085 = "www.findme.epac.to" ascii
$c2_1086 = "www.fire.mrface.com" ascii
$c2_1087 = "www.firstnews.jkub.com" ascii
$c2_1088 = "www.fjs.wikaba.com" ascii
$c2_1089 = "www.foal.wchildress.com" ascii
$c2_1090 = "www.fr.wikaba.com" ascii
$c2_1091 = "www.freegamecenter.onedumb.com" ascii
$c2_1092 = "www.fruit.qhigh.com" ascii
$c2_1093 = "www.fuck.ikwb.com" ascii
$c2_1094 = "www.fuckmm.dns-dns.com" ascii
$c2_1095 = "www.fukuoka.cloud-maste.com" ascii
$c2_1096 = "www.g3ypf.online" ascii
$c2_1097 = "www.garlic.dyndns.pro" ascii
$c2_1098 = "www.generat.almostmy.com" ascii
$c2_1099 = "www.glicense.shenajou.com" ascii
$c2_1100 = "www.goldtoyota.com" ascii
$c2_1101 = "www.goodmusic.justdied.com" ascii
$c2_1102 = "www.gooesdataios.instanthq.com" ascii
$c2_1103 = "www.grammar.jkub.com" ascii
$c2_1104 = "www.helpus.ddns.info" ascii
$c2_1105 = "www.hii.qhigh.com" ascii
$c2_1106 = "www.hinetonlinedns.dns05.com" ascii
$c2_1107 = "www.incloud-go.com" ascii
$c2_1108 = "www.innocent-isayev.sexidude.com" ascii
$c2_1109 = "www.interpreter.shenajou.com" ascii
$c2_1110 = "www.invoices.sexxxy.biz" ascii
$c2_1111 = "www.iphone.vizvaz.com" ascii
$c2_1112 = "www.ipv4.microsoftupdate.mrbasic.com" ascii
$c2_1113 = "www.ipv4.windowsupdate.3-a.net" ascii
$c2_1114 = "www.ipv4.windowsupdate.esmtp.biz" ascii
$c2_1115 = "www.ipv4.windowsupdate.fartit.com" ascii
$c2_1116 = "www.ipv4.windowsupdate.lflink.com" ascii
$c2_1117 = "www.ipv4.windowsupdate.mrface.com" ascii
$c2_1118 = "www.ipv4.windowsupdate.mylftv.com" ascii
$c2_1119 = "www.ipv4.windowsupdate.nsatcdns.com" ascii
$c2_1120 = "www.itlans.isasecret.com" ascii
$c2_1121 = "www.itunesdownload.jkub.com" ascii
$c2_1122 = "www.itunesdownload.vizvaz.com" ascii
$c2_1123 = "www.itunesdownload.wikaba.com" ascii
$c2_1124 = "www.itunesimages.itemdb.com" ascii
$c2_1125 = "www.itunesimages.itsaol.com" ascii
$c2_1126 = "www.itunesimages.qpoe.com" ascii
$c2_1127 = "www.itunesmirror.fartit.com" ascii
$c2_1128 = "www.itunesmirror.itsaol.com" ascii
$c2_1129 = "www.itunesmusic.ikwb.com" ascii
$c2_1130 = "www.itunesmusic.jetos.com" ascii
$c2_1131 = "www.itunesmusic.jkub.com" ascii
$c2_1132 = "www.itunesmusic.zzux.com" ascii
$c2_1133 = "www.itunesupdate.itsaol.com" ascii
$c2_1134 = "www.itunesupdates.organiccrap.com" ascii
$c2_1135 = "www.japanenvnews.qpoe.com" ascii
$c2_1136 = "www.jd978.com" ascii
$c2_1137 = "www.jimin.jimindaddy.com" ascii
$c2_1138 = "www.jimin.mymom.info" ascii
$c2_1139 = "www.jp.serveuser.com" ascii
$c2_1140 = "www.jpnappstore.ourhobby.com" ascii
$c2_1141 = "www.jpnewslogs.sendsmtp.com" ascii
$c2_1142 = "www.jpnxzshopdata.authorizeddns.org" ascii
$c2_1143 = "www.kawasaki.cloud-maste.com" ascii
$c2_1144 = "www.kawasaki.unhamj.com" ascii
$c2_1145 = "www.key.zzux.com" ascii
$c2_1146 = "www.knowledge.sellclassics.com" ascii
$c2_1147 = "www.lan.dynssl.com" ascii
$c2_1148 = "www.last.p6p6.net" ascii
$c2_1149 = "www.latestnews.epac.to" ascii
$c2_1150 = "www.latestnews.organiccrap.com" ascii
$c2_1151 = "www.leedong.longmusic.com" ascii
$c2_1152 = "www.leeks.mrbonus.com" ascii
$c2_1153 = "www.liberty.acmetoy.com" ascii
$c2_1154 = "www.license.shenajou.com" ascii
$c2_1155 = "www.lion.wchildress.com" ascii
$c2_1156 = "www.loveddos.com" ascii
$c2_1157 = "www.macfee.mrface.com" ascii
$c2_1158 = "www.macforlinux.net" ascii
$c2_1159 = "www.maffc.mrface.com" ascii
$c2_1160 = "www.malware.dsmtp.com" ascii
$c2_1161 = "www.manager.jetos.com" ascii
$c2_1162 = "www.markabcinfo.dynamicdns.me.uk" ascii
$c2_1163 = "www.mason.vizvaz.com" ascii
$c2_1164 = "www.mediapath.organiccrap.com" ascii
$c2_1165 = "www.meiji-ac-jp.com" ascii
$c2_1166 = "www.messagea.emailfound.info" ascii
$c2_1167 = "www.microsoft.got-game.org" ascii
$c2_1168 = "www.microsoft.mrface.com" ascii
$c2_1169 = "www.microsoftempowering.sendsmtp.com" ascii
$c2_1170 = "www.microsoftgame.mrface.com" ascii
$c2_1171 = "www.microsoftgetstarted.sexidude.com" ascii
$c2_1172 = "www.microsoftimages.organiccrap.com" ascii
$c2_1173 = "www.microsoftmirror.mrbasic.com" ascii
$c2_1174 = "www.microsoftmusic.itemdb.com" ascii
$c2_1175 = "www.microsoftmusic.mrbasic.com" ascii
$c2_1176 = "www.microsoftqckmanager.pcanywhere.net" ascii
$c2_1177 = "www.microsoftupdate.mrbasic.com" ascii
$c2_1178 = "www.microsoftupdate.qhigh.com" ascii
$c2_1179 = "www.micrsoftware.dsmtp.com" ascii
$c2_1180 = "www.mircsoft.compress.to" ascii
$c2_1181 = "www.mmy.ddns.us" ascii
$c2_1182 = "www.mod.jetos.com" ascii
$c2_1183 = "www.mofa.dynamic-dns.net" ascii
$c2_1184 = "www.mofa.ns01.info" ascii
$c2_1185 = "www.moonnightthse.zyns.com" ascii
$c2_1186 = "www.moscowdic.trickip.org" ascii
$c2_1187 = "www.moscowstdsupdate.toythieves.com" ascii
$c2_1188 = "www.mseupdate.ourhobby.com" ascii
$c2_1189 = "www.msg.ezua.com" ascii
$c2_1190 = "www.msn.incloud-go.com" ascii
$c2_1191 = "www.musicfile.ikwb.com" ascii
$c2_1192 = "www.musicjj.zzux.com" ascii
$c2_1193 = "www.musicsecph.squirly.info" ascii
$c2_1194 = "www.mymusicbox.lflinkup.org" ascii
$c2_1195 = "www.mymusicbox.vizvaz.com" ascii
$c2_1196 = "www.myrestroomimage.isasecret.com" ascii
$c2_1197 = "www.mytwhomeinst.sendsmtp.com" ascii
$c2_1198 = "www.myurinikoreaaps.ninth.biz" ascii
$c2_1199 = "www.na.americanunfinished.com" ascii
$c2_1200 = "www.na.onmypc.org" ascii
$c2_1201 = "www.networkjpnzee.mynetav.org" ascii
$c2_1202 = "www.newcityoforward.rebatesrule.net" ascii
$c2_1203 = "www.newdnssec-info.4mydomain.com" ascii
$c2_1204 = "www.newsdata.jkub.com" ascii
$c2_1205 = "www.newsfile.toythieves.com" ascii
$c2_1206 = "www.newsroom.cleansite.info" ascii
$c2_1207 = "www.nlddnsinfo.https443.org" ascii
$c2_1208 = "www.no.authorizeddns.org" ascii
$c2_1209 = "www.nposnewsinfo.qhigh.com" ascii
$c2_1210 = "www.nsa.mefound.com" ascii
$c2_1211 = "www.nt.mynumber.org" ascii
$c2_1212 = "www.nttdata.otzo.com" ascii
$c2_1213 = "www.nuisance.serveusers.com" ascii
$c2_1214 = "www.nz.compress.to" ascii
$c2_1215 = "www.ol.almostmy.com" ascii
$c2_1216 = "www.oldbmwy.com" ascii
$c2_1217 = "www.onion.jkub.com" ascii
$c2_1218 = "www.onlinednsserver.sendsmtp.com" ascii
$c2_1219 = "www.oracleupdate.dns04.com" ascii
$c2_1220 = "www.oyster.jkub.com" ascii
$c2_1221 = "www.p6p6.net" ascii
$c2_1222 = "www.packetsdsquery.dns05.com" ascii
$c2_1223 = "www.pepper.sexxxy.biz" ascii
$c2_1224 = "www.phptecinfohelp.itemdb.com" ascii
$c2_1225 = "www.pickled.myddns.com" ascii
$c2_1226 = "www.polopurple.com" ascii
$c2_1227 = "www.portal.mrface.com" ascii
$c2_1228 = "www.portal.sendsmtp.com" ascii
$c2_1229 = "www.portalser.dynamic-dns.net" ascii
$c2_1230 = "www.praskovya-matveyeva.mefound.com" ascii
$c2_1231 = "www.praskovya-ulyanova.dumb1.com" ascii
$c2_1232 = "www.products.almostmy.com" ascii
$c2_1233 = "www.products.cleansite.us" ascii
$c2_1234 = "www.products.serveuser.com" ascii
$c2_1235 = "www.purchase.lflinkup.org" ascii
$c2_1236 = "www.rainbow.mypop3.org" ascii
$c2_1237 = "www.re26.com" ascii
$c2_1238 = "www.read.xxuz.com" ascii
$c2_1239 = "www.recent.dns-stuff.com" ascii
$c2_1240 = "www.recent.fartit.com" ascii
$c2_1241 = "www.redflower.isasecret.com" ascii
$c2_1242 = "www.referred.gr8domain.biz" ascii
$c2_1243 = "www.referred.yourtrap.com" ascii
$c2_1244 = "www.register.ourhobby.com" ascii
$c2_1245 = "www.registration2.instanthq.com" ascii
$c2_1246 = "www.registrations.4pu.com" ascii
$c2_1247 = "www.registrations.organiccrap.com" ascii
$c2_1248 = "www.remeberdata.iownyour.org" ascii
$c2_1249 = "www.reserveds.onedumb.com" ascii
$c2_1250 = "www.rethem.almostmy.com" ascii
$c2_1251 = "www.rg197.win" ascii
$c2_1252 = "www.sakai.unhamj.com" ascii
$c2_1253 = "www.sapporo.cloud-maste.com" ascii
$c2_1254 = "www.sauerkraut.sellclassics.com" ascii
$c2_1255 = "www.saverd.re26.com" ascii
$c2_1256 = "www.sbuudd.webssl9.info" ascii
$c2_1257 = "www.sdmsg.onmypc.org" ascii
$c2_1258 = "www.se.toythieves.com" ascii
$c2_1259 = "www.secertnews.mrbasic.com" ascii
$c2_1260 = "www.secnetshit.com" ascii
$c2_1261 = "www.secserverupdate.toh.info" ascii
$c2_1262 = "www.senseye.ikwb.com" ascii
$c2_1263 = "www.senseye.mrbonus.com" ascii
$c2_1264 = "www.septdlluckysystem.jungleheart.com" ascii
$c2_1265 = "www.seraphim-yurieva.justdied.com" ascii
$c2_1266 = "www.serv.justdied.com" ascii
$c2_1267 = "www.server1.proxydns.com" ascii
$c2_1268 = "www.seyesb.acmetoy.com" ascii
$c2_1269 = "www.showy.almostmy.com" ascii
$c2_1270 = "www.shugiin.jkub.com" ascii
$c2_1271 = "www.sindeali.com" ascii
$c2_1272 = "www.singed.otzo.com" ascii
$c2_1273 = "www.sojourner.mypicture.info" ascii
$c2_1274 = "www.sstday.jkub.com" ascii
$c2_1275 = "www.support1.mrface.com" ascii
$c2_1276 = "www.supportus.mefound.com" ascii
$c2_1277 = "www.svc.dynssl.com" ascii
$c2_1278 = "www.sweetheart.sexxxy.biz" ascii
$c2_1279 = "www.synssl.dnset.com" ascii
$c2_1280 = "www.tamraj.fartit.com" ascii
$c2_1281 = "www.telegraph.mefound.com" ascii
$c2_1282 = "www.tfa.longmusic.com" ascii
$c2_1283 = "www.thunder.wikaba.com" ascii
$c2_1284 = "www.ticket.instanthq.com" ascii
$c2_1285 = "www.ticket.serveuser.com" ascii
$c2_1286 = "www.tisupdateinfo.faqserv.com" ascii
$c2_1287 = "www.tokyofile.2waky.com" ascii
$c2_1288 = "www.tophost.dynamicdns.co.uk" ascii
$c2_1289 = "www.transfer.lflinkup.org" ascii
$c2_1290 = "www.transfer.mrbasic.com" ascii
$c2_1291 = "www.transfer.vizvaz.com" ascii
$c2_1292 = "www.twgovernmentinfo.acmetoy.com" ascii
$c2_1293 = "www.twsslpopservupro.dynssl.com" ascii
$c2_1294 = "www.ugreen.itemdb.com" ascii
$c2_1295 = "www.uk.dynamicdns.org.uk" ascii
$c2_1296 = "www.un.ddns.info" ascii
$c2_1297 = "www.un.dnsrd.com" ascii
$c2_1298 = "www.unhamj.com" ascii
$c2_1299 = "www.usa.itsaol.com" ascii
$c2_1300 = "www.usffunicef.com" ascii
$c2_1301 = "www.usliveupdateonline.ygto.com" ascii
$c2_1302 = "www.ut-portal-u-tokyo-ac-jp.tyoto-go-jp.com" ascii
$c2_1303 = "www.v4.windowsupdate.mrface.com" ascii
$c2_1304 = "www.v4.windowsupdate.nsatcdns.com" ascii
$c2_1305 = "www.vmmini.com" ascii
$c2_1306 = "www.wchildress.com" ascii
$c2_1307 = "www.webdirectnews.dynamicdns.biz" ascii
$c2_1308 = "www.webmailentry.jetos.com" ascii
$c2_1309 = "www.websqlnewsmanager.ninth.biz" ascii
$c2_1310 = "www.well.itsaol.com" ascii
$c2_1311 = "www.well.mrbasic.com" ascii
$c2_1312 = "www.windowfile.itemdb.com" ascii
$c2_1313 = "www.windowsimages.itemdb.com" ascii
$c2_1314 = "www.windowsimages.qhigh.com" ascii
$c2_1315 = "www.windowsmirrors.vizvaz.com" ascii
$c2_1316 = "www.windowsupdate.2waky.com" ascii
$c2_1317 = "www.windowsupdate.3-a.net" ascii
$c2_1318 = "www.windowsupdate.acmetoy.com" ascii
$c2_1319 = "www.windowsupdate.authorizeddns.net" ascii
$c2_1320 = "www.windowsupdate.authorizeddns.org" ascii
$c2_1321 = "www.windowsupdate.authorizeddns.us" ascii
$c2_1322 = "www.windowsupdate.dns05.com" ascii
$c2_1323 = "www.windowsupdate.dnset.com" ascii
$c2_1324 = "www.windowsupdate.esmtp.biz" ascii
$c2_1325 = "www.windowsupdate.ezua.com" ascii
$c2_1326 = "www.windowsupdate.fartit.com" ascii
$c2_1327 = "www.windowsupdate.gettrials.com" ascii
$c2_1328 = "www.windowsupdate.instanthq.com" ascii
$c2_1329 = "www.windowsupdate.itsaol.com" ascii
$c2_1330 = "www.windowsupdate.jungleheart.com" ascii
$c2_1331 = "www.windowsupdate.lflink.com" ascii
$c2_1332 = "www.windowsupdate.mrface.com" ascii
$c2_1333 = "www.windowsupdate.mylftv.com" ascii
$c2_1334 = "www.windowsupdate.nsatcdns.com" ascii
$c2_1335 = "www.windowsupdate.organiccrap.com" ascii
$c2_1336 = "www.windowsupdate.rebatesrule.net" ascii
$c2_1337 = "www.windowsupdate.sellclassics.com" ascii
$c2_1338 = "www.windowsupdate.serveusers.com" ascii
$c2_1339 = "www.windowsupdate.x24hr.com" ascii
$c2_1340 = "www.yahoo.incloud-go.com" ascii
$c2_1341 = "www.yandexr.sellclassics.com" ascii
$c2_1342 = "www.yeahyeahyeahs.3322.org" ascii
$c2_1343 = "www.yokohamajpinstaz.mrbonus.com" ascii
$c2_1344 = "www.zaigawebinfo.rebatesrule.net" ascii
$c2_1345 = "www.zebra.incloud-go.com" ascii
$c2_1346 = "www2.qpoe.com" ascii
$c2_1347 = "www2.zyns.com" ascii
$c2_1348 = "www2.zzux.com" ascii
$c2_1349 = "x7.usyahooapis.com" ascii
$c2_1350 = "xi.dyndns.pro" ascii
$c2_1351 = "xi.sexxxy.biz" ascii
$c2_1352 = "xread10821.9966.org" ascii
$c2_1353 = "xsince.tk" ascii
$c2_1354 = "xt.dnset.com" ascii
$c2_1355 = "xyrn998754.2288.org" ascii
$c2_1356 = "yahoo.incloud-go.com" ascii
$c2_1357 = "yallago.cu.cc" ascii
$c2_1358 = "yandexr.sellclassics.com" ascii
$c2_1359 = "yeahyeahyeahs.3322.org" ascii
$c2_1360 = "yeap1.jumpingcrab.com" ascii
$c2_1361 = "yfrfyhf.youdontcare.com" ascii
$c2_1362 = "yo.acmetoy.com" ascii
$c2_1363 = "za.myftp.info" ascii
$c2_1364 = "zabbix.servercontrols.pw" ascii
$c2_1365 = "zaigawebinfo.rebatesrule.net" ascii
$c2_1367 = "zebra.UsFfUnicef.com" ascii
$c2_1368 = "zebra.bdoncloud.com" ascii
$c2_1369 = "zebra.incloud-go.com" ascii
$c2_1370 = "zebra.unhamj.com" ascii
$c2_1371 = "zebra.wthelpdesk.com" ascii
$c2_1372 = "zero.pcanywhere.net" ascii
$c2_1373 = "zg.ns02.biz" ascii
$c2_1374 = "zone.demoones.com" ascii
condition:
1 of ($c2_*)
}
// Import-hash-only rule: it declares no strings, so a hit means nothing more
// than "the import table hashes to one of the six values below".  Unrelated
// binaries built from the same toolchain or source template can share an
// imphash, so treat matches as medium confidence and triage on the file hash.
// NOTE(review): pe.imphash() requires `import "pe"` at file scope; that line is
// outside this view — confirm it is present.
rule APT_APT10_Malware_Imphash_Dec18_1 {
meta:
description = "Detects APT10 malware based on ImpHashes"
author = "Florian Roth (Nextron Systems)"
reference = "AlienVault OTX IOCs - statistical sample analysis"
date = "2018-12-28"
id = "2de195a3-63a4-50ac-a83d-ab0db0f784bf"
condition:
// uint16(0) == 0x5a4d is the "MZ" DOS header read little-endian, i.e. a PE file.
uint16(0) == 0x5a4d and filesize < 6000KB and (
pe.imphash() == "0556ff5e5f8744bff47d4921494ba46d" or
pe.imphash() == "cb1194123f68a68eb14552c085b620ce" or
// This imphash is also listed in MAL_Hogfish_Report_Related_Sample in this
// file, so samples carrying it trigger both rules.
pe.imphash() == "efad9ff8c0d2a6419bf1dd970bcd806d" or
pe.imphash() == "7a861cd9c495e1d950a43cb708a22985" or
pe.imphash() == "a5d0545030be75a421529c2b0be6c4bd" or
pe.imphash() == "94491f4a812b0297419dc888aa4fd2a5"
)
}
// Path-string rule: all four strings must be present in a PE under 500KB.
// msvcrt.dll and TSMSISrv.dll names are common on their own; the conjunction
// with the two spooler paths is what carries the detection.
rule APT17_Malware_Oct17_1 {
meta:
description = "Detects APT17 malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
hash1 = "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83"
id = "457312d8-5bfe-5282-9ace-2f169278569c"
strings:
// 32-bit and 64-bit print-processor directories under \spool, each naming
// localspl.dll.  Presumably the unusual location of that DLL is the
// distinctive part — confirm against the referenced report.
$s1 = "\\spool\\prtprocs\\w32x86\\localspl.dll" ascii
$s2 = "\\spool\\prtprocs\\x64\\localspl.dll" ascii
$s3 = "\\msvcrt.dll" ascii
$s4 = "\\TSMSISrv.dll" ascii
condition:
// 0x5a4d = "MZ" little-endian at offset 0 (PE header).
( uint16(0) == 0x5a4d and filesize < 500KB and all of them )
}
// Three independent triggers on a PE under 100KB: the `_foo@0` export, any
// single high-confidence $x string, or six of the eleven strings overall.
// NOTE(review): pe.exports() requires `import "pe"` at file scope (outside
// this view) — confirm.
rule APT17_Malware_Oct17_2 {
meta:
description = "Detects APT17 malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
hash1 = "20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27"
id = "9f21514a-168b-5158-8322-60fa8499b11a"
strings:
// $x*: each is sufficient on its own (see condition) — a sample-specific
// cookie name, a hard-coded C2 host, and a C2 URL format string.
$x1 = "Cookie: __xsptplus=%s" fullword ascii
$x2 = "http://services.fiveemotions.co.jp" fullword ascii
$x3 = "http://%s/ja-JP/2015/%d/%d/%d%d%d%d%d%d%d%d.gif" fullword ascii
// $s*: supporting strings; only counted via "6 of them".
$s1 = "FoxHTTPClient_EXE_x86.exe" fullword ascii
// Deliberately cut off before the closing ")" and not marked fullword, so it
// matches as a prefix of the full User-Agent — keep it that way.
$s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.3072" ascii
// $s3/$s4/$s6/$s8 recur in APT17_Malware_Oct17_Gen below; the two rules
// overlap by design.
$s3 = "hWritePipe2 Error:%d" fullword ascii
$s4 = "Not Support This Function!" fullword ascii
$s5 = "Global\\PnP_No_Management" fullword ascii
$s6 = "Content-Type: image/x-png" fullword ascii
$s7 = "Accept-Language: ja-JP" fullword ascii
$s8 = "IISCMD Error:%d" fullword ascii
condition:
// 0x5a4d = "MZ" little-endian at offset 0 (PE header).
uint16(0) == 0x5a4d and filesize < 100KB and (
pe.exports("_foo@0") or
1 of ($x*) or
// "them" spans $x* and $s* (11 strings in total).
6 of them
)
}
// Heuristic: a small PE carrying Symantec copyright and SYMEFA device strings
// but no Authenticode signature.  Legitimate unsigned Symantec builds (test or
// debug binaries) would also match — presumably rare, but worth triaging.
// NOTE(review): pe.number_of_signatures is only defined when YARA is built
// with OpenSSL support; on a build without it the field is undefined and this
// rule can never match — confirm on the scanning host.
rule APT17_Unsigned_Symantec_Binary_EFA {
meta:
description = "Detects APT17 malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
hash1 = "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f"
id = "56eec517-8b00-5cb5-9806-249e50f53b99"
strings:
// Both strings are UTF-16 (wide) and must be whole words.
$s1 = "Copyright (c) 2007 - 2011 Symantec Corporation" fullword wide
// Device path \\.\SYMEFA (backslashes doubled for YARA escaping).
$s2 = "\\\\.\\SYMEFA" fullword wide
condition:
// 0x5a4d = "MZ" little-endian at offset 0 (PE header).
( uint16(0) == 0x5a4d and filesize < 200KB and all of them and pe.number_of_signatures == 0 )
}
// Generic variant of APT17_Malware_Oct17_2: same three-way condition shape
// (imphash, any $x, or six of all strings) on a PE under 200KB.
// NOTE(review): pe.imphash() requires `import "pe"` at file scope (outside
// this view) — confirm.
rule APT17_Malware_Oct17_Gen {
meta:
description = "Detects APT17 malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/puVc9q"
date = "2017-10-03"
hash1 = "0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2"
hash2 = "07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d"
hash3 = "ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550"
id = "c2156e68-d5b5-5bd7-858c-2d5e90199287"
strings:
// $x1: complete User-Agent with the non-standard ".NETCLR" (no space) token,
// matched as a whole word.
$x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" fullword ascii
// $x2: hard-coded C2 request template; not fullword, so a trailing
// continuation of the URL still matches.
$x2 = "http://%s/imgres?q=A380&hl=en-US&sa=X&biw=1440&bih=809&tbm=isus&tbnid=aLW4-J8Q1lmYBM" ascii
// $s1/$s2/$s5/$s7 also appear in APT17_Malware_Oct17_2 above.
$s1 = "hWritePipe2 Error:%d" fullword ascii
$s2 = "Not Support This Function!" fullword ascii
$s3 = "Cookie: SESSIONID=%s" fullword ascii
$s4 = "http://0.0.0.0/1" fullword ascii
$s5 = "Content-Type: image/x-png" fullword ascii
$s6 = "Accept-Language: en-US" fullword ascii
$s7 = "IISCMD Error:%d" fullword ascii
$s8 = "[IISEND=0x%08X][Recv:] 0x%08X %s" fullword ascii
condition:
// 0x5a4d = "MZ" little-endian at offset 0 (PE header).
( uint16(0) == 0x5a4d and filesize < 200KB and (
pe.imphash() == "414bbd566b700ea021cfae3ad8f4d9b9" or
1 of ($x*) or
// "them" spans $x* and $s* (10 strings in total).
6 of them
)
)
}
// Two independent triggers on a PE under 1000KB: a single imphash or the
// single string $s1.  With only one string declared, "1 of them" is the same
// as writing "$s1".
// NOTE(review): pe.imphash() requires `import "pe"` at file scope (outside
// this view) — confirm.
rule MAL_Hogfish_Report_Related_Sample {
meta:
description = "Detects APT10 / Hogfish related samples"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
date = "2018-05-01"
hash1 = "f9acc706d7bec10f88f9cfbbdf80df0d85331bd4c3c0188e4d002d6929fe4eac"
hash2 = "7188f76ca5fbc6e57d23ba97655b293d5356933e2ab5261e423b3f205fe305ee"
hash3 = "4de5a22cd798950a69318fdcc1ec59e9a456b4e572c2d3ac4788ee96a4070262"
id = "7fc4fdda-b71f-5c9c-87a4-5d8290b99348"
strings:
// Short config-style token; it is sufficient on its own, so keep an eye on
// false positives from other software that formats key=value strings this
// way — presumably rare given the MZ and size constraints, but unverified.
$s1 = "R=user32.dll" fullword ascii
condition:
// 0x5a4d = "MZ" little-endian at offset 0 (PE header).
uint16(0) == 0x5a4d and filesize < 1000KB and (
// Same imphash as one entry of APT_APT10_Malware_Imphash_Dec18_1 above.
pe.imphash() == "efad9ff8c0d2a6419bf1dd970bcd806d" or
1 of them
)
}
// Dropper rule: requires all four numbered config strings plus at least one
// of the opcode patterns, on a PE under 400KB.
rule HttpBrowser_RAT_dropper_Gen1 {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://snip.ly/giNB"
date = "2015-08-06"
score = 70
hash1 = "808de72f1eae29e3c1b2c32be1b84c5064865a235866edf5e790d2a7ba709907"
hash2 = "f6f966d605c5e79de462a65df437ddfca0ad4eb5faba94fc875aba51a4b894a7"
hash3 = "f424965a35477d822bbadb821125995616dc980d3d4f94a68c87d0cd9b291df9"
hash4 = "01441546fbd20487cb2525a0e34e635eff2abe5c3afc131c7182113220f02753"
hash5 = "8cd8159f6e4689f572e2087394452e80e62297af02ca55fe221fe5d7570ad47b"
hash6 = "10de38419c9a02b80ab7bf2f1f1f15f57dbb0fbc9df14b9171dc93879c5a0c53"
hash7 = "c2fa67e970d00279cec341f71577953d49e10fe497dae4f298c2e9abdd3a48cc"
id = "2e347024-ac5f-5e8c-a8b0-53eaa9a03979"
strings:
// $x*: numbered "key=value" entries as they appear in the sample; all four
// are mandatory (see condition).
$x1 = "1001=cmd.exe" fullword ascii
$x2 = "1003=ShellExecuteA" fullword ascii
$x3 = "1002=/c del /q %s" fullword ascii
$x4 = "1004=SetThreadPriority" fullword ascii
// The $s* block below is commented out, so those strings are not declared
// and do not take part in the condition; kept for provenance.
/* $s1 = "pnipcn.dllUT" fullword ascii
$s2 = "ssonsvr.exeUT" fullword ascii
$s3 = "navlu.dllUT" fullword ascii
$s4 = "@CONOUT$" fullword wide
$s5 = "VPDN_LU.exeUT" fullword ascii
$s6 = "msi.dll.urlUT" fullword ascii
$s7 = "setup.exeUT" fullword ascii
$s8 = "pnipcn.dll.urlUT" fullword ascii
$s9 = "ldvpreg.exeUT" fullword ascii */
// $op*: raw byte sequences from the samples; any one of them suffices.
$op0 = { e8 71 11 00 00 83 c4 10 ff 4d e4 8b f0 78 07 8b } /* Opcode */
$op1 = { e8 85 34 00 00 59 59 8b 86 b4 } /* Opcode */
// $op2 and $op3 differ only in the last byte (97 vs 98); under "1 of ($op*)"
// they could be folded into one pattern ending in "(97|98)" with identical
// matching, left separate here to preserve the published rule text.
$op2 = { 8b 45 0c 83 38 00 0f 84 97 } /* Opcode */
$op3 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */
$op4 = { 89 7e 0c ff 15 a0 50 40 00 59 8b d8 6a 20 59 8d } /* Opcode */
$op5 = { 56 8d 85 cd fc ff ff 53 50 88 9d cc fc ff ff e8 } /* Opcode */
condition:
// 0x5a4d = "MZ" little-endian at offset 0 (PE header).
uint16(0) == 0x5a4d and filesize < 400KB and all of ($x*) and 1 of ($op*)
}
rule HttpBrowser_RAT_Sample1 {
   meta:
      description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://snip.ly/giNB"
      date = "2015-08-06"
      score = 80
      hash1 = "be334d1f8fa65a723af65200a166c2bbdb06690c8b30fafe772600e4662fc68b"
      hash2 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb"
      id = "8babf47f-006c-5001-9753-08ac08f5e861"
   strings:
      // Hostname stored as a wide (UTF-16LE) string; fullword so that a longer
      // hostname containing it does not match.
      $host = "update.hancominc.com" fullword wide
   condition:
      // The single hostname plus a PE header and a 100KB size cap.
      $host
      and uint16(0) == 0x5a4d
      and filesize < 100KB
}
rule HttpBrowser_RAT_Sample2 {
   meta:
      description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://snip.ly/giNB"
      date = "2015-08-06"
      score = 80
      hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
      id = "693d381f-50b0-5f06-b725-78243b67092c"
   strings:
      // Three wide (UTF-16LE) module names ...
      $w1 = "nKERNEL32.DLL" fullword wide
      $w2 = "WUSER32.DLL" fullword wide
      $w3 = "mscoree.dll" fullword wide
      // ... and one ASCII name; every string must be present.
      $a1 = "VPDN_LU.exeUT" fullword ascii
   condition:
      // PE header, under 250KB, and all four strings.
      uint16(0) == 0x5a4d
      and filesize < 250KB
      and all of ($w*) and all of ($a*)
}
rule HttpBrowser_RAT_Gen {
   meta:
      description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://snip.ly/giNB"
      date = "2015-08-06"
      score = 90
      hash1 = "0299493ccb175d452866f5e21d023d3e92cd8d28452517d1d19c0f05f2c5ca27"
      hash2 = "065d055a90da59b4bdc88b97e537d6489602cb5dc894c5c16aff94d05c09abc7"
      hash3 = "05c7291db880f94c675eea336ecd66338bd0b1d49ad239cc17f9df08106e6684"
      hash4 = "07133f291fe022cd14346cd1f0a649aa2704ec9ccadfab809ca9c48b91a7d81b"
      hash5 = "0f8893e87ddec3d98e39a57f7cd530c28e36d596ea0a1d9d1e993dc2cae0a64d"
      hash6 = "108e6633744da6efe773eb78bd0ac804920add81c3dde4b26e953056ac1b26c5"
      hash7 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb"
      hash8 = "1277ede988438d4168bb5b135135dd3b9ae7d9badcdf1421132ca4692dd18386"
      hash9 = "19be90c152f7a174835fd05a0b6f722e29c648969579ed7587ae036679e66a7b"
      hash10 = "1e7133bf5a9fe5e462321aafc2b7770b8e4183a66c7fef14364a0c3f698a29af"
      hash11 = "2264e5e8fcbdcb29027798b200939ecd8d1d3ad1ef0aef2b8ce7687103a3c113"
      hash12 = "2a1bdeb0a021fb0bdbb328bd4b65167d1f954c871fc33359cb5ea472bad6e13e"
      hash13 = "259a2e0508832d0cf3f4f5d9e9e1adde17102d2804541a9587a9a4b6f6f86669"
      hash14 = "240d9ce148091e72d8f501dbfbc7963997d5c2e881b4da59a62975ddcbb77ca2"
      hash15 = "211a1b195cf2cc70a2caf8f1aafb8426eb0e4bae955e85266490b12b5322aa16"
      hash16 = "2d25c6868c16085c77c58829d538b8f3dbec67485f79a059f24e0dce1e804438"
      hash17 = "2d932d764dd9b91166361d8c023d64a4480b5b587a6087b0ce3d2ac92ead8a7d"
      hash18 = "3556722d9aa37beadfa6ba248a66576f767e04b09b239d3fb0479fa93e0ba3fd"
      hash19 = "365e1d4180e93d7b87ba28ce4369312cbae191151ac23ff4a35f45440cb9be48"
      hash20 = "36c49f18ce3c205152eef82887eb3070e9b111d35a42b534b2fb2ee535b543c0"
      hash21 = "3eeb1fd1f0d8ab33f34183893c7346ddbbf3c19b94ba3602d377fa2e84aaad81"
      hash22 = "3fa8d13b337671323e7fe8b882763ec29b6786c528fa37da773d95a057a69d9a"
      id = "0ba9facb-7385-56ce-9e20-d86261a39cd1"
   strings:
      // Wide (UTF-16LE) strings: a timestamped format string, a User-Agent-style
      // token and a config file name.
      $w1 = "%d|%s|%04d/%02d/%02d %02d:%02d:%02d|%ld|%d" fullword wide
      $w2 = "HttpBrowser/1.0" fullword wide
      $w3 = "\\config.ini" fullword wide
      // ASCII format string.
      $a1 = "set cmd : %s" fullword ascii
   condition:
      // PE header, size window 20KB..45KB (exclusive on both ends), all strings.
      uint16(0) == 0x5a4d
      and filesize > 20KB and filesize < 45KB
      and all of ($w*) and all of ($a*)
}
rule PlugX_NvSmartMax_Gen {
   meta:
      description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://snip.ly/giNB"
      date = "2015-08-06"
      score = 70
      hash1 = "718fc72942b9b706488575c0296017971170463f6f40fa19b08fc84b79bf0cef"
      hash2 = "1c0379481d17fc80b3330f148f1b87ff613cfd2a6601d97920a0bcd808c718d0"
      hash3 = "555952aa5bcca4fa5ad5a7269fece99b1a04816d104ecd8aefabaa1435f65fa5"
      hash4 = "71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338"
      hash5 = "65bbf0bd8c6e1ccdb60cf646d7084e1452cb111d97d21d6e8117b1944f3dc71e"
      id = "5ecd25a8-9717-527f-bb6e-3259b9a60458"
   strings:
      // Text strings: every one of these must be present.
      $s0 = "NvSmartMax.dll" fullword ascii
      $s1 = "NvSmartMax.dll.url" fullword ascii
      $s2 = "Nv.exe" fullword ascii
      $s3 = "CryptProtectMemory failed" fullword ascii
      $s4 = "CryptUnprotectMemory failed" fullword ascii
      $s5 = "r%.*s(%d)%s" fullword wide
      $s6 = " %s CRC " fullword wide
      // Code byte patterns: at least one must be present.
      $op0 = { c6 05 26 49 42 00 01 eb 4a 8d 85 00 f8 ff ff 50 }
      $op1 = { 8d 85 c8 fe ff ff 50 8d 45 c8 50 c6 45 47 00 e8 }
      $op2 = { e8 e6 65 00 00 50 68 10 43 41 00 e8 56 84 00 00 }
   condition:
      // PE header and an 800KB cap, then the string and opcode requirements.
      uint16(0) == 0x5a4d and filesize < 800KB
      and all of ($s*)
      and 1 of ($op*)
}
rule HttpBrowser_RAT_dropper_Gen2 {
   meta:
      description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://snip.ly/giNB"
      date = "2015-08-06"
      score = 70
      hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
      hash2 = "dfa984174268a9f364d856fd47cfaca75804640f849624d69d81fcaca2b57166"
      id = "cd559642-a102-5946-8a7f-16c10e7f746d"
   strings:
      // Text strings; any three of the seven are enough. $str4 and $str6 are
      // not fullword, so they also hit inside longer paths.
      $str1 = "navlu.dll.urlUT" fullword ascii
      $str2 = "VPDN_LU.exeUT" fullword ascii
      $str3 = "pnipcn.dllUT" fullword ascii
      $str4 = "\\ssonsvr.exe" ascii
      $str5 = "/c del /q %s" fullword ascii
      $str6 = "\\setup.exe" ascii
      $str7 = "msi.dllUT" fullword ascii
      // Code byte patterns; one is enough. $code0 is the same 9-byte sequence
      // used by HttpBrowser_RAT_dropper_Gen1 in this file.
      $code0 = { 8b 45 0c 83 38 00 0f 84 98 }
      $code1 = { e8 dd 07 00 00 ff 35 d8 fb 40 00 8b 35 7c a0 40 }
      $code2 = { 83 fb 08 75 2c 8b 0d f8 af 40 00 89 4d dc 8b 0d }
      $code3 = { c7 43 18 8c 69 40 00 e9 da 01 00 00 83 7d f0 00 }
      $code4 = { 6a 01 e9 7c f8 ff ff bf 1a 40 00 96 1b 40 00 01 }
   condition:
      // PE header, 400KB cap, three text strings and one code pattern.
      3 of ($str*) and 1 of ($code*)
      and uint16(0) == 0x5a4d and filesize < 400KB
}
rule ThreatGroup3390_Strings {
   meta:
      description = "Threat Group 3390 APT - Strings"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://snip.ly/giNB"
      date = "2015-08-06"
      score = 60
      id = "9a44393b-5220-5376-ba18-2330f4623cd6"
   strings:
      // Any single string is enough; there is no PE-header requirement, so the
      // rule also applies to scripts and text files.
      // NOTE(review): the trailing character of $cmd1 ("©") looks like a
      // mis-encoded byte from extraction; confirm the exact bytes against the
      // upstream rule before relying on this string.
      $cmd1 = "\"cmd\" /c cd /d \"c:\\Windows\\Temp\\\"©" ascii
      // No modifier in the original means ascii; written out here for clarity.
      $cmd2 = "svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014" ascii
      $cmd3 = "ren *.rar *.zip" fullword ascii
      $cmd4 = "c:\\temp\\ipcan.exe" fullword ascii
      $cmd5 = "<%eval(Request.Item(\"admin-na-google123!@#" ascii
   condition:
      filesize < 30KB and 1 of them
}
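rule ThreatGroup3390_C2 {
   meta:
      description = "Threat Group 3390 APT - C2 Server"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://snip.ly/giNB"
      date = "2015-08-06"
      score = 60
      id = "232b5052-e349-55f1-bd7e-1afc5d35abe4"
   strings:
      // Network indicators (hostnames, IPv4 addresses, e-mail addresses). All
      // strings carry no modifier and are therefore matched as ASCII only.
      // Three entries that duplicated an earlier string byte-for-byte were
      // removed ($s84 == $s83, $s94 == $s88, $s106 == $s104); the remaining
      // identifiers keep their original numbers so existing match output stays
      // comparable. Under "1 of them" an apex-domain string (e.g. $s6
      // "blackcmd.com") already covers every subdomain entry of that domain;
      // those entries are kept because they make the matched-string report
      // more specific, not because they widen detection.
      $s1 = "api.apigmail.com"
      $s2 = "apigmail.com"
      $s3 = "backup.darkhero.org"
      $s4 = "bel.updatawindows.com"
      $s5 = "binary.update-onlines.org"
      $s6 = "blackcmd.com"
      $s7 = "castle.blackcmd.com"
      $s8 = "ctcb.blackcmd.com"
      $s9 = "darkhero.org"
      $s10 = "dav.local-test.com"
      $s11 = "test.local-test.com"
      $s12 = "dev.local-test.com"
      $s13 = "ocean.local-test.com"
      $s14 = "ga.blackcmd.com"
      $s15 = "helpdesk.blackcmd.com"
      $s16 = "helpdesk.csc-na.com"
      $s17 = "helpdesk.hotmail-onlines.com"
      $s18 = "helpdesk.lnip.org"
      $s19 = "hotmail-onlines.com"
      $s20 = "jobs.hotmail-onlines.com"
      $s21 = "justufogame.com"
      $s22 = "lnip.org"
      $s23 = "local-test.com"
      $s24 = "login.hansoftupdate.com"
      $s25 = "long.update-onlines.org"
      $s26 = "longlong.update-onlines.org"
      $s27 = "longshadow.dyndns.org"
      $s28 = "longshadow.update-onlines.org"
      $s29 = "longykcai.update-onlines.org"
      $s30 = "lostself.update-onlines.org"
      $s31 = "mac.navydocument.com"
      $s32 = "mail.csc-na.com"
      $s33 = "mantech.updatawindows.com"
      $s34 = "micr0soft.org"
      $s35 = "microsoft-outlook.org"
      $s36 = "mtc.navydocument.com"
      $s37 = "navydocument.com"
      $s38 = "mtc.update-onlines.org"
      $s39 = "news.hotmail-onlines.com"
      $s40 = "oac.3322.org"
      $s41 = "ocean.apigmail.com"
      $s42 = "pchomeserver.com"
      $s43 = "registre.organiccrap.com"
      $s44 = "security.pomsys.org"
      $s45 = "services.darkhero.org"
      $s46 = "sgl.updatawindows.com"
      $s47 = "shadow.update-onlines.org"
      $s48 = "sonoco.blackcmd.com"
      $s49 = "test.logmastre.com"
      $s50 = "up.gtalklite.com"
      $s51 = "updatawindows.com"
      $s52 = "update-onlines.org"
      $s53 = "update.deepsoftupdate.com"
      $s54 = "update.hancominc.com"
      $s55 = "update.micr0soft.org"
      $s56 = "update.pchomeserver.com"
      $s57 = "urs.blackcmd.com"
      $s58 = "wang.darkhero.org"
      $s59 = "webs.local-test.com"
      $s60 = "word.apigmail.com"
      $s61 = "wordpress.blackcmd.com"
      $s62 = "working.blackcmd.com"
      $s63 = "working.darkhero.org"
      $s64 = "working.hotmail-onlines.com"
      $s65 = "www.trendmicro-update.org"
      $s66 = "www.update-onlines.org"
      $s67 = "x.apigmail.com"
      $s68 = "ykcai.update-onlines.org"
      $s69 = "ykcailostself.dyndns-free.com"
      $s70 = "ykcainobody.dyndns.org"
      $s71 = "zj.blackcmd.com"
      $s72 = "laxness-lab.com"
      $s73 = "google-ana1ytics.com"
      $s74 = "www.google-ana1ytics.com"
      $s75 = "ftp.google-ana1ytics.com"
      $s76 = "hotmailcontact.net"
      // IPv4 addresses. These are plain substrings: e.g. $s88 "103.24.1.54"
      // also hits inside "103.24.1.540".
      $s77 = "208.115.242.36"
      $s78 = "208.115.242.37"
      $s79 = "208.115.242.38"
      $s80 = "66.63.178.142"
      $s81 = "72.11.148.220"
      $s82 = "72.11.141.133"
      $s83 = "74.63.195.236"
      $s85 = "74.63.195.237"
      $s86 = "74.63.195.238"
      $s87 = "103.24.0.142"
      $s88 = "103.24.1.54"
      $s89 = "106.187.45.162"
      $s90 = "192.151.236.138"
      $s91 = "192.161.61.19"
      $s92 = "192.161.61.20"
      $s93 = "192.161.61.22"
      $s95 = "67.215.232.179"
      $s96 = "96.44.177.195"
      $s97 = "49.143.192.221"
      $s98 = "67.215.232.181"
      $s99 = "67.215.232.182"
      $s100 = "96.44.182.243"
      $s101 = "96.44.182.245"
      $s102 = "96.44.182.246"
      $s103 = "49.143.205.30"
      // E-mail addresses.
      $s104 = "working_success@163.com"
      $s105 = "ykcaihyl@163.com"
      $s107 = "yuming@yinsibaohu.aliyun.com"
   condition:
      // Only PE files (MZ header) are considered; a single indicator suffices.
      uint16(0) == 0x5a4d and 1 of them
}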