Take a Product Tour Request a Demo Cybersecurity Assessment Contact Us

Blogs

The latest cybersecurity trends, best practices, security vulnerabilities, and more

ICYMI: Emotet Reappeared Early This Year, Unfortunately

Executive Summary

Emotet first appeared in 2014 and continues to be a dangerous and resilient malware, despite attempts by law enforcement agencies to take it down in early 2021. Even following a major takedown effort from Europol, Emotet has been relentless over time and earlier this year it was back with epoch 4 and epoch 5 versions leveraging macros and embedded scripts in Microsoft Word and Microsoft OneNote, respectively.

Since their return last year, Trellix has continued to monitor Emotet to identify new infection vectors and changes in their activities and methodology. In this blog, we will highlight its Global Prevalence, Infection Vectors, new TTPs and discuss detection opportunities to help keep organizations safe from this malware. We will also cover how Trellix Products offer protection against these TTPs.

Introduction

Emotet (also known as Geodo and Heodo) is a well-known Banking Trojan, but also functions as a downloader/ dropper of other malware. In January 2021, Emotet infrastructure was taken down – but returned by November that year and increasing its operations in 2022 and early 2023. Emotet continues to be a dangerous and resilient malware due to fact that the Emotet Threat Actors leverage several distinct infection chains (Malicious Macros/VBS/WSF, ZipBombing, LNK files, HTA files) over a short course of time.

When Emotet resumed operations in the month of March 2023 after a small hiatus, the initial infection vector was a heavily padded Microsoft Word document with a macro. Soon thereafter, following a policy enforced by Microsoft, they moved from Word documents to OneNote sections. In the latest versions of Emotet payloads, we have observed significant changes in its TTPs, including new delivery vectors to evade detection mechanisms.

Emotet - Global Prevalence

Figure 1 shows the Global Prevalence for the Emotet Malware that has been continuously tracked by Trellix's Threat Intelligence Group (TIG).

From the intelligence data gathered by TIG, Top 10 impacted countries include Estonia, Thailand, Guatemala, Israel, Singapore, Turkey, Italy, United Arab Emirates, Ukraine and Portugal. The top 5 industry sectors that are targeted include E-Commerce, Energy/ Utilities, Financial Services, Government, HealthCare.

Figure 1: Global Prevalence of Emotet Malware in Trellix Insights
Figure 1: Global Prevalence of Emotet Malware in Trellix Insights

Infection Vector: Email

The major infection vector is malicious email campaigns and thread hijacked emails, with multiple variants. Emotet frequently uses traditional phishing methods like thread hijacking techniques as part of its attack flow. This technique generates fake replies based on legitimate emails stolen from mail clients of Windows hosts previously infected with Emotet. The botnet uses this stolen email data to create fake replies impersonating the original senders.

In the next sections, we discuss the prevalent variants across victims including “zip bombing”, OneNote attachments, and encrypted attachments.

Figure 2: Emotet Email (Variant: Invoice Themed Emails)

Variant 1: Invoice Themed Emails

Instead of using a hijacked email, this time the attacker added reply format (‘RE:’) in the Subject field and included a malicious ZIP file as an attachment. We have seen various invoice themed emails spreading Emotet.

The ZIP file contains a Word document which is larger than 500MB. Documents are padded with 00 byte to increase the file size and make it harder for antivirus solutions to scan and detect malware.

Figure 2: Emotet Email (Variant: Invoice Themed Emails)
Figure 2: Emotet Email (Variant: Invoice Themed Emails)

Variant 2: Using OneNote as a Dropper

This variant uses the same email structure as the invoice themed emails. As Microsoft is blocking macros by default, attackers have started using OneNote. OneNote documents have an embedded VBScript/JavaScript which gets the payload.

Figure 3: Emotet Email (Variant: OneNote as Dropper)
Figure 3: Emotet Email (Variant: OneNote as Dropper)

Variant 3: Encrypted Malicious Attachment

This variant of attack features a password protected attachment. We have seen both password protected ZIP files and OneNote documents. This is usually done to evade AV detection and bypass file scanning detection.

    Figure 4: Emotet Email (Variant: Malicious Attachment)
Figure 4: Emotet Email (Variant: Malicious Attachment)

Our team extracted and downloaded the final payloads from various such examples. We then transferred them over to a sandbox environment, where we could execute the payload safely to detect and examine its maliciousness based on dynamic analysis.

MITRE Mappings

In this section we have mapped each phase of the attack flow to its MITRE technique. This helps to understand how the attack progresses.

Attack Behavior

Example

MITRE ATT&CK

Malicious email with attachment.

A threat actor lured a user to open an email with a malicious zip attachment.

User executes the malicious document, allowing the macros/ embedded Scripts to run.

User Opens the Word/OneNote doc and clicks on enable content/ allowing it to run the scripts.

Weaponized macro with VB/JS scripts that trigger further executions from the document.

Word reaches out to C2 servers/ spawns regsvr32 binary as per the embedded script.

Obfuscate commands executed from payloads, used to evade signature-based detections and application control mechanisms.

Threat actors have obfuscated the embedded scripts, which gets  de-obfuscated at runtime.

Application connects with attacker-controlled servers and downloads further payloads as needed.

Word document/OneNote file connects with external servers to download Emotet malware payloads and loaders.

Application leverages Windows binary Regsvr32 for the proxy execution of malicious code.

The document spawns regsvr32 to execute the DLL’s downloaded.

Malware modules add an entry to “run keys” in the Registry/Startup folder.

Regsvr32 binary creates persistence on the machine by adding Registry Run Keys, which will execute the loader DLL when a user logs in.

Malware module executes discovery commands for enumeration

Regsvr32 executes system discovery commands for enumeration via ipconfig.exe and systeminfo.exe.

Threat actors inject malicious code into suspended and hollowed processes in order to evade process-based defenses.

Regsvr32 injects code into a copy of certutil.exe.

Threat actors acquire credentials from web browsers by reading files specific to the target browser with the help of tools.

Injected CertUtil uses NirSoft modules (e.g.: WebBrowserPassView) to retrieve browser credentials.

Threat actor employs asymmetric encryption algorithm to conceal command and control traffic.

The malware fingerprints the infected machine and sends the collected info to C2. This data transmitted is encrypted via ECC (Elliptic Curve Cryptography) algorithm.

Threat actors exfiltrate the data over an existing command and control channel to attacker-controlled servers.

Regsvr32.exe binary starts network connections with multiple command and control servers hardcoded in the core module.

Table 1: MITRE mappings

Dissecting Emotet

In the next few sections, we will explain each of Emotet’s TTPs and attack vectors in detail. When Emotet spam activity began in March 2023, it started delivering malicious documents embedded in Zip files, sent as email attachments. The documents employ social engineering techniques to trick users into enabling the macros. Initial distribution was seen through Word documents with malicious macros.

These Word documents were heavily padded to help evade detection from security products. This binary padding technique is used by Emotet to inflate file sizes so that they exceed the size limitations imposed by anti-malware solutions such as sandboxes and scan engines.

Eventually, the threat actors behind Emotet malware switched from Word documents with macros to OneNote files with embedded scripts. This is likely because Microsoft’s new policy disabled the execution of Office Macros in documents that were downloaded from the Internet.

Figure 5 shows the templates used by the attacker in Word and OneNote files to entice the user to enable the macro content.

Figure 5: Microsoft Office Word Document with Macros
Figure 5: Microsoft Office Word Document with Macros

Figure 6: OneNote Document with Embedded Script
Figure 6: OneNote Document with Embedded Script

As seen in the Figure 6, the Word document consists of a macro that the user must give explicit approval to run by clicking ‘Enable Content’. Similarly in OneNote sections, the user must give explicit approval when it warns about attachments being opened. Thus, each of these vectors involves user interaction to make the attack run, thereby limiting its effectiveness.

Attack Flow

Figure 7 shows how the recent Emotet Malware attack proceeds as it traverses across its kill chain.

Figure 7: Emotet attack flow
Figure 7: Emotet attack flow

Phishing: Spear Phishing Attachment (T1566.001)

As seen in the ‘Infection Vector’ section above, the most prevalent technique of infection is through emails. In early March 2023, Emotet malicious spam campaigns spiked, which leveraged the email thread hijacking technique. This technique uses legitimate messages stolen from infected computers' email clients. There have been multiple variants based on the email template discussed in that section.

User Execution: Malicious File (T1204.002)

The user downloads the Zip file that is received from the email, extracts the Word/OneNote document, and executes it. As shown in Figures 5 and 6, the template tries to lure the user into enabling macros The Word documents in this campaign contained malicious VBA macros that, when executed, functioned as an Emotet downloader, retrieving the Emotet payloads from attacker-controlled distribution servers and infecting systems, thus adding them to the Emotet.

In the following sections, we will discuss each of the attack payloads: Word Document Payload and OneNote Document Payload.

Word Document Payload

When the Emotet activities began in March 2023, all initial payloads targeted Microsoft Office documents. The dropper document uses the null (0x00) byte padding technique to inflate the file size. The macro is also heavily obfuscated, and when executed fetches the Emotet DLL hosted on external attacker-controlled servers.

Command and Scripting Interpreter: Visual Basic (T1059.005)

Threat actors behind Emotet embedded a VBScript within this malicious Word document, which is executed upon opening the document and enabling content as shown in Figure 5.

Obfuscated Files or Information (T1027)

The macro can be visualized by enabling Developer Mode. The macro inside is completely obfuscated/encrypted as shown in Figure 8 . Emotet’s downloaders that are based on Microsoft Word format use VBA AutoOpen macros to execute the code that downloads the Emotet loader DLL.

Figure 8: Obfuscated Macro inside the Document
Figure 8: Obfuscated Macro inside the Document

Ingress Tool Transfer (T1105)

On analyzing the functions which decrypt and print the output with a debugger, we can decrypt this macro as shown in Figure 9. We can see that the Word document reaches out to external IPs and downloads additional DLLs, which in turn are executed via regsvr32. The files created /dropped are named with ‘infected’ time.

Figure 9: Macros decrypted to show contacted domains and usage of regsvr32.
Figure 9: Macros decrypted to show contacted domains and usage of regsvr32.

Figure 10 shows the files created/unzipped from winword.exe with the help of macros. Note the use of infected time in the filenames.

Figure 10: File Creations form a Word Document
Figure 10: File Creations form a Word Document

System Binary Proxy Execution: Regsvr32 (T1218.010)

Microsoft Word documents can spawn Regsvr32 and execute the dropped a ‘.tmp’ file, which is a DLL file. Soon after execution, it copies itself into the ‘AppData\Local’ folder and a new regsvr32 binary is spawned, which executes this copied DLL.

Figure 11:  WinWord Spawning Regsvr32 for executions of DLL Files
Figure 11: WinWord Spawning Regsvr32 for executions of DLL Files

The copied DLL is created from the core Emotet DLL, with internal name “E.dll”

Figure 12: Emotet Core DLL
Figure 12: Emotet Core DLL

This core DLL drops the cloned DLL to the AppData/Local directory and executes it with the regsvr32 binary.

Figure 13: Emotet Core DLL creating cloned copy to AppData/Local Folder
Figure 13: Emotet Core DLL

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)

The regsvr32 binary then creates persistence by adding an entry to the "run keys" in the registry as shown in Figure 14:

Figure 14: Registry Run keys created by Regsvr32 binary.
Figure 14: Registry Run keys created by Regsvr32 binary.

System Information Discovery (T1082)

The regsvr32 binary also spawns the systeminfo.exe binary, and uses the system native ‘systeminfo’ command to retrieve all details about the infected Windows system.

Figure 15: Regsvr32 Spawning systeminfo.exe, executing ‘systeminfo’ command.
Figure 15: Regsvr32 Spawning systeminfo.exe, executing ‘systeminfo’ command.

System Network Configuration Discovery (T1016)

The regsvr32 also spawns ipconfig.exe binary and uses system native ipconfig /all command to gather details of infected host’s network adapters.

 Figure 16: Regsvr32 Spawning ipconfig.exe, executing ‘ipconfig /all’ command.
Figure 16: Regsvr32 Spawning ipconfig.exe, executing ‘ipconfig /all’ command.

Process Injection: Process Hollowing (T1055.012)

The Emotet module uses a copy of certutil.exe to inject its code. Figure 17 shows the dropping of certutil.exe in the Temp folder and accessing it with granted access code: 0x1FFFFF. CertUtil.exe is renamed with a random string and dropped. Along with copies of the CertUtil binary, a ‘.tmp’ files are also dropped, which is used to save the information collected. Each time the process is run, it is accompanied with the ‘.tmp’ file.

Figure 17: Regsvr32 dropping certutil and loading it, for injection in memory
Figure 17: Regsvr32 dropping certutil and loading it, for injection in memory

Credentials from Web Browsers (T1555.003)

Emotet uses modules from NirSoft for subsequent artifacts which are injected into CertUtil. NirSoft provides freeware utilities for password recovery. This is not the first time we have noticed the use of NirSoft tools by Emotet for credential access. Figure 18 shows the usage of the NirSoft binary command run via CertUtil.exe and the process tampering event.

Figure 18: Process Tampering Event and Usage of NirSoft module run via CertUtil.
Figure 18: Process Tampering Event and Usage of NirSoft module run via CertUtil.

Encrypted Channel: Asymmetric Cryptography (T1573.002)

The new Emotet modules also uses Elliptic Curve Cryptography (ECC) for asymmetric encryption, leveraging an onboard elliptic-curve Diffie-Hellman (ECDH-ECK1) public key for encryption and an onboard elliptic-curve Digital Signature Algorithm (ECDSA-ECS1) public key for data/server response validation. These encryption keys are used to identify the Emotet botnets. This time Emotet has epoch Version 4 and epoch Version 5.

Figure 19: Emotet Core DLL leveraging ECC Cryptographic method.
Figure 19: Emotet Core DLL leveraging ECC Cryptographic method.

Exfiltration Over C2 Channel (T1041) / Application Layer Protocol: Web Protocols (T1071.001)

Once the core DLL executes and successfully infects the victim, it reaches out to its C2. It then pings each of the IPs from its hardcoded C2 list. In Figure 20, it shows the connection made with an external IP by the regsvr32 binary and usage of the ‘WinHttpSendRequest’ in WINHTTP.dll for the network traffic.

Figure 20: Emotet Network Traffics initiated from regsvr32.
Figure 20: Emotet Network Traffics initiated from regsvr32.

Many C2 IPs are hardcoded in the core module.

Figure 21: Emotet C2 IPs extracted.

Emotet Payload Downloads

Figure 22 shows the download activity of the Emotet loader DLL from an external server via HTTP ‘GET’ request with the useragent: Mozilla/4.0 (compatible;Win32;WinHttp.WinHttpRequest.5).

Figure 22: Download of Emotet Payload
Figure 22: Download of Emotet Payload

Emotet Certificate

Emotet uses self-signed SSL connections to Emotet’s infrastructure. Typical Emotet SSL certificates is shown in Figure 23:

Figure 23: Typical Emotet Infrastructure Certificate
Figure 23: Typical Emotet Infrastructure Certificate

OneNote Document Payload

While initial Emotet operations used Microsoft Word, later they shifted focus to OneNote files. This is likely due to policy enforcement from Microsoft, which resulted in various threat actors moving away from macro-based exploits. There were multiple variants of payloads used by Emotet in OneNote exploits. Some of which are discussed below:

User Execution: Malicious File (T1204.002)

WSF/VBS Payloads:

The threat actors leveraged Windows Script File (WSF), which is scripted to retrieve and execute the Emotet binary payload from a remote server. The script file is inserted in the “view” button within the OneNote document as shown below.

When the user clicks the “View” button on a OneNote page section, it triggers a hidden action that drops and executes a .wsf file (Windows Script File) called “click.wsf” using “wscript.exe”.

Figure 24: OneNote section with malicious WSF
Figure 24: OneNote section with malicious WSF

Command and Scripting Interpreter: Visual Basic (T1059.005)

Threat actors leveraged VBScript in the WSF file to download and execute the loader DLL.

Obfuscated Files or Information (T1027)

The contents in the Dropped WSF file are obfuscated. The below Image shows the obfuscated content and the decrypted version.

Figure 25: Obfuscated WSF script
Figure 25: Obfuscated WSF script

Ingress Tool Transfer (T1105)

The above WSF file contents (which are obfuscated) can be easily de-obfuscated by replacing the ‘Execute’ command with the ‘Echo’ command, so that wscript prints the output instead of executing it, as shown in Figure 26. The de-obfuscated content shows the hardcoded URLs by which Emotet payloads are downloaded by wscript.exe.

Figure 26: Decoded WSF Script
Figure 26: Decoded WSF Script

When running the WSF script, wscript.exe contacts the external URLs and downloads the Emotet payloads.

Figure 27: wscript downloading Emotet payloads.
Figure 27: wscript downloading Emotet payloads.

System Binary Proxy Execution: Regsvr32 (T1218.010)

Upon dropping the DLLs, wscript.exe spawns the regsvr32.exe binary to execute the dropped DLLs, as shown in Figure 28:

Figure 28: wscript spawning regsvr32 to execute the dropped DLL (radC44CD.tmp.dll)
Figure 28: wscript spawning regsvr32 to execute the dropped DLL (radC44CD.tmp.dll)

After the execution of regsvr32, the rest of the attack patterns are similar to those using Microsoft Word.

JS Payload:

Another Emotet variant embedded the object inside of the OneNote files as JavaScript instead of VBScript. Everything else remains the same, with the only change being to its initial infection script.

Figure 29: OneNote section with JS
Figure 29: OneNote section with JS

Command and Scripting Interpreter: JavaScript (T1059.007)

In this case, the threat actors leveraged embedded JavaScript to download and execute the loader DLL. This is further explained below.

Obfuscated Files or Information (T1027)

The contents in the dropped JS file are obfuscated. Figure 30 shows the obfuscated content and Figure 31 shows the decrypted version.

Figure 30: Obfuscated JavaScript File
Figure 30: Obfuscated JavaScript File

Ingress Tool Transfer (T1105)

This script is heavily obfuscated and can be de-obfuscated using any JavaScript de-obfuscating tool. The de-obfuscated content shows the hardcoded URLs by which Emotet payloads are downloaded using wscript.exe, and later executed by regsvr32.exe with the ‘/s’ flag as seen in Figure 31.

Figure 30: Obfuscated JavaScript File
Figure 31: Execution Flow of the JavaScript showing the execution of Wscript, Domains, Regsvr32

The rest of the execution phases are similar to the case with the Word document payload described in the “Word Document Payload” section. With the recent resurgence, Emotet has modified its TTPs several times in a very short span of time, to maximize the likelihood of evading detection and successfully infecting victims.

Conclusion

Emotet evolved multiple times over the years since 2014 and has been a prolific and resilient threat, even surviving a takedown of its infrastructure in 2021. The rise and fall of Emotet serve as a stark reminder of the ever-evolving nature of cyber threats and the need for a united front to combat them effectively. Throughout this blog, we have delved into the initial infection vector, modus operandi and impacts of its infection.

Threat actors are constantly evolving their tactics and techniques to maximize the likelihood of successfully infecting victims. In today’s dynamic threat landscape, educating users or employees about the risks of opening untrusted files, can help prevent them from falling victim to this type of malware infection. By staying informed, fostering the culture of cybersecurity awareness and forging strong partnerships, both individual users and organisations can greatly reduce the risk of getting infected.

Detection Opportunities

At Trellix, we are committed to protecting our customers from upcoming and emerging threats to their enterprise networks, including those found in the wild. Trellix SecOps builds advanced detection features, improving our Threat Detection capabilities. At Trellix, we have an in-house tracker that grabs the latest samples from both open and closed sources, enriching our information and driving our product innovation. This ensures that our clients are protected. The following sections highlight Trellix product coverage, Sigma coverage, Snort Rules and IOC’s.

Trellix Product Coverage

Trellix Products
Detection Signatures
Trellix Network Security
Trellix Cloud MVX
Trellix File Protect
Trellix Malware Analysis
Trellix SmartVision
Trellix Email Security
Trellix Detection as a Service
Static:
FEC_Downloader_Macro_Generic_57 (703560)
FE_Trojan_Macro_Generic_303_FEBeta (419536)
FE_Trojan_ZIP_Generic_11_FEBeta (419542)


 ---------------


Dynamic:
Suspicious Process Macro Regsvr32 Activity
Suspicious File Drop and Execute DLL
Suspicious Process Office Running DllLL
Suspicious Process REGSVR32 Activity
Potential ZipBomb
Suspicious Static Analysis One Doc and ZipBomb
Trellix Endpoint Security (HX)
EMOTET F (FAMILY)
VBA:Amphitryon.683
VBA.Heur.Mefisto.64.CA37C439.Gen
VB:Trojan.Valyria.8017
Trojan.GenericKD.65838502
Trojan.GenericKD.65838478
Trojan.GenericKD.65838472
Trojan.GenericKD.65828578
VB:Trojan.Valyria.8017
Trojan.GenericKD.65826783
Trellix Helix
WINDOWS METHODOLOGY [Office Suspicious Child Process]
WINDOWS METHODOLOGY [AppData Local Path - DLL Load]
WINDOWS METHODOLOGY [Suspicious Network Connection]
WINDOWS METHODOLOGY [Suspicious System Discovery Commands]
WINDOWS METHODOLOGY [Registry Run Key Modified]
WINDOWS METHODOLOGY [Wscript - Suspicious Child Process]
WINDOWS METHODOLOGY [Suspicious Regsvr32 Execution With Image Extension]
WINDOWS METHODOLOGY [Stored Browser Credential Access]
WINDOWS METHODOLOGY [Suspicious Regsvr32 Execution Path]
Trellix Endpoint Security (ENS)
Signature
SC Version
W97M/Downloader.dwu
DAT 10646
Emotet-FTY
DAT 10644
Emotet-FTV
DAT 10644
Emotet-FTR
DAT 10644
Emotet-FTS
DAT 10644
Emotet-FTY
DAT 10644
Emotet-FTN
DAT 10644
Emotet-FUA
DAT 10646
Emotet-FUB
DAT 10646

SIGMA Coverage

Rule 1:

title: Suspicious process spawned from Wscript
status: experimental
description: Detects suspicious child processes of WScript
date: 2023/03/26
tags:
- defense_evasion
- t1059.005
- t1059.007
- t1218.010
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
    - \wscript.exe
    Image|endswith:
    - \regsvr32.exe
 
  condition: selection
 
level: high

Rule 2:

title: Regsvr32 RunKey Modifications
status: experimental
description: Detects direct modification of AutoStart Extensibility Point (ASEP) in registry using Regsvr32
date:  2023/03/26
tags:
- persistence
- t1547.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_1:
    Image|endswith: \regsvr32.exe
  selection_2:
    CommandLine|contains:
    - \software\Microsoft\Windows\CurrentVersion\Run
 
  condition: all of selection_*
 
level: high



Rule 3:

title: CertUtil in Suspicious Location
status: experimental
description: Detects the execution of CertUtil from a suspicious folder.
date: 2023/03/26
tags:
- defense_evasion
- t1036
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
    - \certutil.exe
 
  filter:
  - Image|startswith:
    - C:\Windows\System32\
    - C:\Windows\SysWOW64\
    - C:\Windows\WinSxS\
 
 condition: selection and not filter
 
level: high

SNORT Rules:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Emotet SSL/TLS Certificate";flow:established, to_client; tls.cert_subject; content:"O=Global Security, OU=IT Department, CN=example.com"; classtype:trojan-activity; rev:1; metadata: created_at 2023_03_28;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious UserAgent in Outbound Traffic"; flow:to_server,established;fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B|WinHttp.WinHttpRequest.5)"; http_header; content:"GET"; http_method; service http; classtype:trojan-activity; rev:1; metadata: created_at 2023_03_28;)


IOCs

IP/ Ports

129.232.188.93|443

164.90.222.65|443

159.65.88.10|8080

172.105.226.75|8080

115.68.227.76|8080

187.63.160.88|80

169.57.156.166|8080

185.4.135.165|8080

153.126.146.25|7080

197.242.150.244|8080

139.59.126.41|443

186.194.240.217|443

103.132.242.26|8080

206.189.28.199|8080

163.44.196.120|8080

95.217.221.146|8080

159.89.202.34|443

119.59.103.152|8080

183.111.227.137|8080

201.94.166.162|443

103.75.201.2|443

149.56.131.28|8080

79.137.35.198|8080

5.135.159.50|443

66.228.32.31|7080

91.121.146.47|8080

153.92.5.27|8080

45.235.8.30|8080

72.15.201.15|8080

107.170.39.149|8080

45.176.232.124|443

82.223.21.224|8080

167.172.199.165|8080

213.239.212.5|443

202.129.205.3|8080

94.23.45.86|4143

147.139.166.154|8080

167.172.253.162|8080

91.207.28.33|8080

188.44.20.25|443

104.168.155.143|8080

110.232.117.186|8080

164.68.99.3|8080

1.234.2.232|8080

173.212.193.249|8080

182.162.143.56|443

160.16.142.56|8080

101.50.0.91|8080

103.43.75.120|443

203.26.41.132

101.99.3.20

91.207.181.106|443

103.159.224.46|8080

128.199.24.148|8080

165.22.211.113|8080

165.227.166.238|8080

167.172.248.70|8080

178.128.23.9|7080

178.128.31.80|443

178.128.82.218|443

190.90.233.69|443

213.32.75.32|8080

 1.234.2.232:8888

 187.63.16 0.88:80

 147.139.166.154:8000

 91.207.28.33:8000

 5.135.159.50:443

 153.92.5.27:8000

 213.239.212.5:443

 167.172.253.162:8888

 153.126.146.25:7888

 119.59.183.152:8888

 183.111.227.137:8088

 159.89.202.34:443

 110.232.117.186:8080

 129.232.188.93:443

 172.105.226.75:8080

 197.242.150.244:8080

 66.228.32.31:7880

 91.121.146.47:8888

 45.176.232.124:443

 160.16.14 2.56:8080

 94.23.45.86:4143

 182.162.143.56:443

 82.223.21.224:8080


Domain / URLs

snaptikt.com

esentai-gourmet.kz

189dom.com

mtp.evotek.vn

midcoastsupplies.com.au

File Hashes:

caf14473a76ef90784522fd1f19c661dcf2009e8218579b1881f0c93b9deae0e

756f7180b681025f6dc02a89eca5154f8493cf7ea14b43cc146d21a2a09c32d3

51f1fdf15170d27b6c36e52407bc57e614400179e93fb406eb8e8d6a1d3ecfa7

a7a50e22f0c7ef99f481db7a4f832717e92096c7bc1f6e10bddc0169768beddc

1c9be74d8f870d1218685a86a51ffb01d96524a742fe9f610eb07d9c345e3961

3b4fad0f7faeaa5d64daa9188a67b0de49f8909321e969c086204414652795ff

4d9a6dfca804989d40eeca9bb2d90ef33f3980eb07ca89bbba06d0ef4b37634b

afbc2421cd177bf8ca5e42f8b51c0330f1a7bec7b3214483ce653c691dbbb235

4bc2d14585c197ad3aa5836b3f7d9d784d7afe79856e0ddf850fc3c676b6ecb1

a0fe232fc8549e095d56da4467af9a01b4c766ae07178fce89bd486afa2846ad

4dd92c67830fbfe62fdfd431b426092ca041387c9e1598ea7e7fd18c7ef821cf

5400be12ec93d6936c2393bce3a285865e0b5f9280f2c0ce80b1827d07e84620

d8b45395fabe03155050debe2c8669ebc3a38f0d151143129f4361d5dbf51616

7fde09df1f14b2dc101d904878f5e444f2c3290d1a46c7b0bd118e38efaee776

6b6637981cebcd025a31ec87b5cbb358dbe9ec29303cbd49e98c3b73c2fd1492

77c030abcd8d074fc1cf89afbf8e30df8f8768856560d4ae460a7b03cc6efb1e

276087353bb1816f2da27616169fd6ccc02111904fac86e1c1a98dfbf28410c7

81871761e94a0d0237f739ca3edb0c74859d0f526d06622bc0f3874304a36a99

fa3d349119a0d23573d2f35770da77e082ce3434934a6e98ed43696b40043761

b34a411b34d08b739bb46b4168befe54e4be490a189bfedbc8a71c378e20e5b6

478e9b93cb18b9341463b2ef1a2f716f5fdb1cfe95415bae63b8b0dd58faa213

e0c953fd3b246dd2c23b4545508e8924870447d98a799ad7f9a1b7f79c99ce00

e2f009ca5f798e67ecff5de60b57d123fae09bb852c8f3300260caeb8ea3864f

ef83b4a7000b2d750d15cee1ff4f80e421b59be76535b56f8f2e209a233e5b22

5f093d22fb90f358a3b30e9b8ee1b354602d1138aa85be43e51b3e046f4bb74d

a7bb0dfac8598a140ffb6909c1c84424fbb1e540331e27b2f4b4278917bce154

158b8b9cfd21dbe5e445294a1969a524311c8ebcd390e561872b6ab2e7e48f81

bf8f2fd4617ae5f61bed155952fd2e5b072ae52b6b2f2e10f063aef67c54a853

ad17022657361744ddbafb5bc128adb422c0adea536b1d25638812ff4c09f54e

93b2278ca162e14b6913007e15f43779011e0f38cceeafd07621a21cfba0691a

b78056e71dcb3bfcf9b93e99d236a56a3ae8b365fedcb93a99ec713872bf9b7d

2a85d34f09898cfd4390fd4fdfd5e181a9ab8b76fdeb19e48c4121c642d713e5

8d4427329c8bde96652807caa270a0950be8f917076cb1c5bb893995c995a5ac

17eca4943b3040c47babe49d2d1f59f4852695e2348fe107ec935e38416e511b

01426cf98cc9c644f4a10d5613e0652960ff898c95deafb36db6eb2673f55cb5

06dae86292a7c4aa6c4c1daa6320a1613356dd8efb13143af6cc31f51085339a

ddceb4ff53a28163f6fa8997c5e4add3219a63e7281d2d4ac857f3d44f839797

fe4861a51211c399880a9378f70447421439efd2598abacf7b821e898c57ea65

2c5899c397f3ee4069618b6f864705f0f2d99132b62a3b4a4c0538e1f78f7bff

3f5e93f40e01e3193eae3e1dda93aa3b20c4683bdb6b50304f372e55f05e56ca

95312c538d7b0617cf859d06b4468d9fb468bad816249ec7586aca1df9df1e8a

bc495a04c0ab16a115b6ce3213966d1d7a0b7f265ae9f75d9206d21eb6cb4be7

531a34e224ba7a7f7bda8f8fc0a2b6f14eafe30a166fa75bd648d34c710ff8b2

cf28182e85defbd0c7f167d4d041242c42103b9c17febe059eaf7b765c07b920

70e9d80b287cec24d97ec11b5bb9a27c70e1e65004c21ea03407ebeddf5ffc03

cfad0dcd5988f2f30d91b4c51bf68ff571ec988393934ecd7bcb876163f5ea66

36fced0bbe2ddc463e54bc8061f8e04387aa99a48f048d98e342f3a6b4b576a1

82b47d588d848f8e89725d2c346a757eb4307dfb299cfe53b1cb3cd434a75353

05f08eb6cabb138c18ba34f8745f440efb66d514c4434e353cc7bfc399d27679

c601e8c4491d0d108bd959fb818bef91063355a715219a0ae39063dd329e2674

296f90e54ff6bd509bb7bcebe2cac761cca7e8d814dfcd32306d1b3795ec7f96

cb6ace7df29bf871ee0cb6efbcb6c70e3542364e1de54b28f79fcfd674556901

bab835d2c283cee2b1afd044126ca34bba9d86c3b483883536f9910490aa1c26

87942501af3e7ac7e2c2957b53081c26a38cf53bd81f981a051e337309a2be78

919026099830f5983fefb1dccd5a455dde09af0745fb06e0f36dbeb44a5968d6

46698db3a5c33d791390e5d7bd6b5b27d3cd882a77e3c751ed61378f41a49e2c

6f2c660d0241bd16353897f2f5053d7881d725cb11c80d4e3219d9a11a93d913

9a358c9a72d4c083975ad07939cc61be864d87dc31370be86ad25cfc38f6b5e4

82f6277d83395b80a5938895242db48eb381e5d90148d9d36f1b8c5fd2fdf01f

4c6682442c09628d31b0628976be2229243a444c333fa2f21587a09eecb66ff7

60ed53966b1a03a8b62f38bd986680d07d32d5373eb2e1017243a5e56c360889

50cf8c54a661864adc325101562012858204c266bd750df2111c1b360295f0b0

219b8b680cdb109192f256e6fea049b683ee5b8128821c962ea18dc8261999a2

3901d17687ba652696e230f6118b2b0f4970f35e504b04f78a2b227c000e57b4

e66703a04903e7bb72a399b9f82b068d50444a1656421c0a933fbd49a5632a96

73b63b12507b780f6e37ebc5a86ddd75edaa88895c32b0e04a6d41ead78f77b4

42326f441b884ed241285299379f739a5218fe7d3a43be01709b41269df5f9d0

c8e5c7ae92aaccf4d678ec38ef87cced6e8f5d49ade81d36ec16d47863075e8e

c9b6bf7242684234d57a3ea22bb08ef61dab6b8dc716d68466fb0fe497dd76ba

32c4a024eb1d2e6663eebf5881a6ae1b4e8e8c40cf44083c21a5b8ca52dbe865

72525bfd30a07d7094ca12f1cc9dbed4292ec3741201d76aab3a92f7b866d3bb

3a5364f5c47a3082d2e5b9a1f9ff2b30bf1455e5a51e022f5a3a0253f74abfe5

e34f283e6c42994ac9075cde8a341480f9d0a8f85097f8de3b6b4a959bf8c2c9

672a1e5a8a0d30687d3510672086e9ca7a29deff46b8a63dd7b7ba6149a01b42

2f6f003637f398376f72891d578620d5b9649df1fbc5113bea2c377bdaa3601c

0ea8aa916237b8c56266eaa242153eff8f19dd85ade9d6bc0c3c065909415325

82c686354cb49727b40f46546e791eafe90ba6a58912a638a43105045e55dc3c

6780fdcbeae81f470907367bb0d08a29738d0744344e31b3f125c3bbf139e872

f69f5abe3956b2dcb02592209f941d8bbd65630866da650e45d5d9c683d1e981

fbe4c084d44a1b42840ece71b97198bae8ac059311c382c4d8005e6c69e027f6

6f9f0b51aaa11810ded4080d39bed24ff7649bc3fccc587ced5e9398951e27e0

bfe0dde9bb9e21ee13fed780813883c0a543ec011ee7718793848514bee38a1e

b2aad0cfe1e52fdd02a5948649f037215e3846d020bc0f04712f32aaa5d70c64

181491fae77d98ce9bb1deddc6c1b53da04f9994c55faf96c5c4bee3c2105097

b0412b6bf2bf2ea874ef2a7f0967956d20f6fe5aa75604755dd234b71faaba6a

9b85d53c592fa72cc4b83d2b1c7fc6b161f02131d82a5a9df5cc9196add8b5d8

1aa186d60ccf50a91cbbecaa8a97d64e33f5bc7f995685566153dfdbc4524825

064d6af066c9ffe0b45cd09f7424a4865c6ec839f7786ead27f40bd0ca21a15b

db732daf92ed02271c901c3fbf63cd065babe89d78e666952f1ef8b6cc6be7a9

d2d6f45a9f94e6531d6cd379637243b65a7ea4ad2fa76e4357b0ecff24066141

fce0482ee7c45671ae67d74e6565c51b3440d42d05c77a0e15168322368161ea

7de848261b76b769f81d5b1697046e219cc47cf941b42fe889167d72e64a5f13

ad01667492d50abc857f36415182959220b43c39ebe784d75fd39d38ddcf3e7b

efcf59f4423df8fdacbfa8c3d23b6a3e4722bab65c31ea8a7f32daadddfa7adc

be2a81d6412dff018bbabfac1c008d57cce8f623935156cdbf1c7f26c8be216c

de9128c4ed72697f78cca5d5f5bc728fe4ea5cc3cd47600a27687b590e87a69f

534a5e2bdfdba8041ca3f218b35d35c6f70fef6db7e1b97e9f598a44706f2960

c4aab3c80d50e8e0015f3538e57098281a6d10ea39f6e93b2319570d84aaf671

38136a459b33a78c7e23691c880cb25ad463f5d615cf85cb8ceecda4e7f9ebc4

0bf0d9c68bd4fbb1dcfc2a0b1076927d2ae51995d03b244bc0a04d51fcbd42f0

e3baa791c0959539988a51e12bbad056b584bf14ecdd75de65077a1f9ca0479c

abeeec8805129592d6e24fdbb641b74989c3f6cfe944f59027484fcb367c044e

9b3119b6183eea08a6934736766f611e44ca00c0ae06aa890cbbbc57b83e6819

d7282f411b6f68f5c3a1657eb37a0f550d9d966a169b9290043d9e93b5f18ba3

7e9593cc48bd88ee558278de167307e7fea381272147a93065669da8da8a6ccc

685b22e7220ed04b3e2aeef8afeb52e22529a105b9efe00fe84c1675725fbfaa

c070bf966a8d0e9a473685e67bf3091ddda302eb9a54425727a325554aa35ed4

221608d1df1262559e6416acb37d114b0e6c4308e30fcde50b979548f64d709f

1123590c74f22e24e047fb79c74bf61a4d2d52326805d046dd668c4c50b1318e

17278c375e4191ab84b5fff5d15a587f8d0b4a47111d0d9fa077fc6ec0e3d6fb

aac6d4928496db46eb70c7a9e5a0c27569b45df06e13203d9ed65cc2ba66acb8

839c0561c751c954c89eee7648790dba26457a5c450ef895738068c43cc09565

43541ab315ae68522b075aed479a1f844636167d9bd8cf4f68121fd591494ff5

b7e817a14b6350c206f1565f64df81b9ec5baadda30915f2ec05676f2a5c4f94

52958240a41e5d67cfa33ea8e29e48bb2196ddaf3dac097bc2462f1548f59cc5

2669e3c5e0d825151f8d0237b28cff0c401852e7b500f57255f1ee856ba62bf5

a873911592c3ce95d36e009f40bb376f587ad0ba6971a150a2ac10c87a2465f5

c6c30499dc0f62b933373f1bbe7484a94acd265a5d8a42298f970a82b4c883cd

224c824cb2c3021ce627024afec4dcdc7eba94abce6704ed4a4f1681767a904c

7641eb83245ae812875b97220d93227440c5e2ba2b7c46981118f4dae42789e5

2112b5695e7bbe910a6efbab32332027a7fd6384f54c55c6e61a26812ad47e6d

fdc4a380cc9b93b335a365e949e4b0498f6bcec5119ea6b1f435555478bebece

673bc1c81390a70de56e11ce2384b0975631e29b6392be97f17e6a76b7e36d7b

0c686801d2e203bd7f1c0afb0ec332478488b5608e47f826b64f8fb36f1062af

f2223da36c8d349a3545f952992ffc45ad0649dfec02f4ca8d0bc50f151794db

3ce1cad6f8b4edd122e05310b9e060bf009fe139ded80dce078e0280038c878e

5cf502de5ce9826e22d2c6fb41e86efc774e44a116f9f712e645421e84ab52e1

90b0d17f208cbe43116cf05d6c3e1dcbb7078697ef8f8ea4a83569f5492871ee

0663c87b796c01fc839ab0d169701d13d3feee0556347e09c088fbf43c7f20ea

9ca132b1b8da9ec7fc40d95dd39a06526181881aef913c42d14c412c32d77326

4ec23d327a426c1b002c2c0ecebb54685b314ae3011c6978cefac00157ffc828

2df6b1cd8dd906d8b2f7e6d98c411593a34b72df34de184136e47e54d937bf43

15a463b29fdb9f1ed30d2ca222373ee85e0b30c4163c3ff672e51d9db74c9e07

a85fa869a88e0c5464efb2e86ab86b97035374ea96bcc9c59a4fd7f7e3ba5de1

6aeaf084573615bd69c68cb1d24457fdd3c6331311ad6d1706b0bd8c85cd2cac

c191488f6682aec8db2960eba1323dd3f6f174b30a319e1028604682d00f139a

f2c64fce12861fc8f993a4d54d04434de80dab047958cec25e679b26626e1acc

ced5eec72aeabf65b78be1c75509a7d12816c2fa5e4b1fe4178e11cf78c6eb38

22a830debc4ca331ff5278ccc207bc7b82b2ad637e11e91320ae888b558036be

a160050e8c981c6ff7e0d9806fadc09ef687187b58bbeecdfef31b7bbb48c6e3

e88815629b271bf951f54187be2080a5b6e0c7dec07bfbb04944eda77750c179

a99eb971a4d11235924443dfd0308e731205b6320e6939526d94f91a43c64248

0174b9247b4688267dbce9b039b200b8eb15f34dfd604c49436b46731882d094

a4cc1fff6eae705fab7fe91be559831ca6d55c604897edaeef099a7d9598dd42

3fd0964eb74075e3431e27920ccdb2d6edffa8b8c2dac307a20f183d72e0cbdd

4792472bd90dab5885a789793a3309109b7f8d305203faa011d92b0efdf1720b

d51f3f397440cd60e830f42efc468b63c0d9c424c2694e59ce523490bb3cd9b1

78b9f580f1c848004499727ce4ba7c47bb9e4c8fd23937aa28804ccec9b54c6e

1c98f3d0d6b78e1f503e96819930a1e5fb563a966fa49f2a8b32a60a34e7e62e

6fb2aad3d73f0d17bc8326d9ec84e29ef105439b88ae6b4bbcd55db97c752815

f253047d5f182f3f5bd1552697d4ce1c6ff759b5ac9de08f65562c30e76b05b2

0d6d91b7d72749a3a9beb4b3e18791da47cd5984928a65b99f39ddb9ade709bb

cb638551632b271c9993266834e78a2c9a64a4b9deb8590497b0901f1044e6ff

2f9475299156547969aec53ba9cf58863e541d7e43a695dbf9806d23336046a8

c01beeab53ca6529fed539afb9fe319890bb55cb2e8e30ce450f09bc54d92e8f

74f5badd7da82ab7b7128dfc57038ce83e324d9568138264908c8accbfde41d0

3dd0f428c89c74f8291971a19f4f079db9e480f9260536f37088ea53fc470d9d

8637dfa48b83c418989b5a283ce273755d160080bed837007c02c2c6b70637ef

d0d59e7559032627b6a2bf58c525dc900298df1e95c514fe55c3ec88b5c4d129

68f7abaea1fe0516ad45fb7ede752a3c9375f07a666ecb7b3f354f5166db234e

f973eebaba3e989d593cecf786c3e018a5b61305d1bd504191524db035effd69

c9ad1b284f7a3a64fabae60856cf88493732c0803b64c8be729786e5bcf29fd1

229abc31bd70610df1f76719dc5be85f6813c2f55c0192bb91f40096b052efa3

41c501e6800f09ac8073c268cae1ac45a29b27857617ce2d82fdf032bc305bee

1ff633d16618815b1d29a69417b8657425f47146749de3ddaf5b41fe02751cb8

8cb861e9cd9d60c60a1274be7f07f5024b0ee149e1f38b633a0942e49291ae82

67b548f8e1c30f4155cfb39e58c1ac82f442a2bb049ee0b732d89f89eeb49354

e5ee7b35e68eda8a4b5da7520954a4680bdbb5214ba4f61b1afd2d92701a1c95

4c5ab0921008241e3034ae02ad607cbf13a5265b6aace630c3f840ef87196d8a

5b027a2b1efaa7cf12ece62a230d56f181d8b51138da455f9bddfe99e0589a94

bd35d966865ab458f624875836f1f7c9dcc0a5b7922a664787dbd2fc6ae70bc0

90c3637d782627ddeb2a16643c8c16e28b0210f496c5bfa8d9b36b86025b639f

74af8b1127ff5d4a22d07af55936bbe8c9256663237bb414853a03b168402a67

7ff8280b952742f7bd4e44f91faefffb7cefbd8651a98d4f68a67a39c54f3e09

7e0046c7543d47207536a55860655165c4ba26219e505afb97dfafa64705d90f

653ad7762dd346ad8fd7e56511f0f2579fd37baba20b525e8193ea6721f0d98a

b2bb80310dca2ee1127f4723ca27cf6a59f0243760e139f6f108cdb692b795f7

789f63ac1cd0fd363120b5d62a8e08f6ce7d9055d71fc966c3f9acc221ea0091

f408af193c192fc2e12cceca786d71423a46ac3c87858bfda02719c118e72197

e3bfa07ab83ffdd74398a6aed95348fe2d7955f8ee964d788ca2915fc5f10812

f8037b934e18d58dfa58b9b021b4ff35a7cf7344a36036269d2d066ffbb1ba52

f5498c6f589a41cdd73f82f7aff91ebf1690874b98cdb2a617e0d9b7cb3ac3f7

d9988c6dcd1c169af8db5bc3c363f18f66501a63dd9fc1b671ad32f5de359472

f0cef48f6cbe22b19bde6cccc5f63edd26303691dc3c9d8796f635ccc61a9ba6

a762357e7b567df839f1b86028f2d64ab5fcb711b5399e44128cbb5eb229a6e4

28d5d3f037898f43263f487ba43b1c80eab715749a743bd4ef280682a98ff74e

22d9b272b534166f2f7cbf7250bfeff13b2063df8a207fd96f24d85c2b24c334

94fa19be99b9665bc98c270e5e38cf95bc851f2936900b6c25b56935627ae7dd

ede6a86d5154c9116e1266757c74f7191c331664b9d4b292bc954d004f402dc6

ca34aaf4013e3db63591705e05725e4425442c5b0643bec842d48c247e24fb1f

0bae876236e60228f85c07d744e0955fa9d27504ab531fc7b78bb1288f3b4e8d

902d6afd9e87e2d5fc3566129ea2be831bdf725195e271ddddbdccbe53e43f49

1e8792672bf36515c9b92476fd07835b0fb7d306dca015945ba40fccc0cc25ad

3695ed0ba836d615bbadea21eefaf5c0b565a4af6aff8c09aba17b3e3dbd2ada

5af562943b53fe20ac191d0f18aa263f946c66c8a0c1d4738d4cd03e901656ba

f5df6f0ebee7885bdae8dd9839d76e610b0c30a777c6f2902ea1ffa7a973440a

861389800aba82afef0d4e3f11d6cf21c64846d8ed689d1a974b16431193a6d2

2bda55be6a855e101864a0c18496bc54359ea30ba915a20d8b6b9722020b0778

2f21415d40b62a43f4185eef974d22e69bd9b27fab9462e010ae1b68a118cb2c

f616da0ebb4f984aecd40da922c0cdf70987643a86afadc969aa76598120cd5d

2c1b9fe3e2cf7f8a3edaadafacf1f40ea6c54271976c76e78203b92c325dbb9b

d97cac08bd28d344b867759ffc120c45f6d062b38386e7ebf428b52d7db0fbb0

175532b58aed98e076c5d0e4b8c18c5c6cbe9e762d4735a86ebdd3d039365164

92e35aabe2753c1b509415139e2d296a9b8b87f47f1ee6f50ac95f1151a7bcbc

820936c152fcb0930d83640c9879a04b8b1dc676b4b42d1f376bb92d475257a9

a13b394e4017c0c77faf4fab6c3aea4de3443f11610cc85a1d677249b9b2bc3a

5756e0750a4f3990a01d2c56e4f2521bd9a57cc6a9d147ffdd297ba1726e1db2

d430677d27483e668500a5b08106c7a1fd5f16bb4342f90b240580af046fc527

af6f22e5bc75e711505fa348ce968ef13a7110ff5cacfce4885244f58bc8f373

a6d45450a1734c4e3b45469c4921862d0ac16b8e19cce98db0325ed4dcbf6bd3

76a070fcc05ff3c973b3614ac8919de16e47917a7f894b984fd29ae0fea48ff1

069b513b8ed07188abb982911eca15ae92e18eac8c313fd56c82994966d12702

99f24175940d7511c81847e8855c73c1eec23a287612924e53eadf50f6d1d603

ab95cced90dd16a741f991226df7fac38ca514e18deb95c730eb7e7efe4da589

dcdfad2582ed24815329fa572d0f291e32d1c86e0350055fdee6186418a24676

e2aef90b55e080b7aea4bd6d78e66ffa37229a2f9c6d05f7bcf71c4dc6b5977a

25bde3ebce59179044418d4fe498021ec46acbaf813b51218103b7caf0a2886b

377698ce3de22da834145839157bfb115b2a2be3a5a49616f2e91310292bd6e9

70f6f6d9db24df7a2c6615957481918ae9ed4d60017f6183370410e5d06f86b6

8547c78314b6e9eba42e1a26bf0057d45b7b185a84636deae14284970e8c82c5

72e6cda4a88b38e1a10d56031c1f42a78de30d8b55153bb6f2e705053bc489e0

97d2ba690c03498a4a88a7c10a4169f373ed53bffd45fce700661c13a0d3c56e

3c7b4f1ff49bdf70af09337b3603a4465559225b0e28792a1d22ad3bb81401f4

68c8aff3ee0a038a884abbd483102f52cb84ef81fa5524d7552247dd1a6e74ea

2c8b2410fc876526532744bb023653b436241caa5c7fe06393c87139baa767db

503c1f96a8b54e64a449597c2a5e3e82470243d40fc46a0520ba66d1a0a878cf

5d766c009242236a45ad728f68a004b7be1b366bb3aeedff4711c896902a289f

64c1c60aee1eca4267611b86cfcba5902fe9ef327518ba216957837292c0b1b2

4d0365db19f58bcbfb092c04799c70866cd060fdb22de42cd27bc320dd06349f

377fc324bb1de5d8986320704ed1e4f77c79028e4843f7a33242d6823cc1053c

5a092b0034f937f68ad7e5679ed840039fb824df8cad8f74b890cb7f4e42f0cd

cd5f6ed2ac01e81166d834d33dd272d17e4214fb8cd2ba5632c42aa9865ee589

b7412cebd2b113144016959f2dba85873a3edb87c6727eac1c781b56ec447f25

22976808e0ff7d617067cca7142ea2574bfcb91595ed82d79e18e57cb884fc61

85864bf0e1992f9d84508401bfe4e250832f56e251029052791a57615a81367d

743106ede62ed796e0a513fd85ccea79c3e49500da1f01aec5fb50b4bf0f5d50

3aa3d10d774fff8cdceb4b6cbbb5da011a273a4123f615bbe00c3b151915eb09

94f1b39c178faa38a0bd0ad6ed504a2ad82bd8df05f3c4023214bd0c271b1489

a036687afaaa83df0ef7350fd8e5cb30f32d1a5e4b02b45f236b7e3be7250ccc

81bfd82b017cadbaf16644eae8b415411a516a994bc19962d5bed87abe69ba9e

1b7e694ed2f4e927e579d58291169031fe3dbe81fa531d40f1a821d3b15ec15e

4659836caf431739d1daf83bed991743fdb150110911fa629a65ea53382d72d3

6922fef58d115c96081973d8ea55708fdcd0a896ccf25329047e5fde1c535adb

d56c348288cc7f506e9590eea5f802e6c0baee1e4a39cbcb079133217dbf931d

702fe11ec88304d7743824c5ba2f5ffc78b93de85bc089b8e23be7f72f9b33ee

fb74b1eb454fddb41011ae5b3f343589bf49d4be7e8ced6cbc25d6e9191bd862

e4ba63e4be1ef987c35e960c4fb891f628a45f8f64b657bb74787e54aceec4be

52b058afda2302346a14e57a12dcc45f62276bfa9300b3b06e7d808a0026d7fc

6ba3993b0f9e4e527f4f63c01ea026ad7a8f7c8bf78457d0d4bbdcfebc9d8dd6

31ef5f1afc2dd841040db0adbb87b093973173aa58c3cbe76235ec29f1f609ad

60300393d4267da280fcbd4b3aafa25ae8b213afc92710f5beb1876c58c3bc70

6f36abd95c3323a7d3560bd6c100cb1d34b937c7d8441ef6911a28ca376551a8

170e76ed5744c144ac84e86631185e63346550f2b0c899ed8dd4f07117102bee

f14f7fff748a8d59d665acb7b3c2b136db789887fb7ff6e991d1b670798514d2

632c280bdfebe864cf7ddf27a1afb70f08bf11c73bed31fd087266925d172945

fe13c5c6b797849d8a0df4501341e89d28291807ec3585c8ee3f5162ee77c9ea

c12f54d9db04a829300c2dd556b5fea5f13c6b7f1c157961b2dd35ecec07e9c4

5d16d4ce034ee7b7911e9acb53f1e75bff1940476dc1ec4b56f2a6d978da9cd0

084c717946dac70208356946767f4e3588bfbb6b16e254fce1048008a11b23bf

eaf050eabdfffde46a85a1651438dbbae8a3e048090c80f231efddef019895a0

51426a84b7d11adc9862042ed09e2cdeb6769953b82c59e437f9b66c7b52ecaa

b992745cc02a4f58d83f3d1dcf762106549f28bc93fc3aa7dd43ac6061861dae

e28e984bbe2da5d07b9592e48f502d5980607f8933c35e8af3a060d9c2a2bdf9

055f074cb0d02467bd084d8c7974b56eb2c9c069a67b52251d7acf6b60498de1

e22072d225a264695a9a3ad92e21c0325a4a49e310c4720627c7da5545ef4e92

f9d896ea5854244772384362280d3a735bf2b429caadbbb88960078c87054a94

4de88b9c4dce32d9c2ccdd7a8295d7aba3fa04e575f204a05265284c0b4338a6

c57da4e102b2a89dc8066fa2a9ad8639f6620f99fab6b5c5058493dba7b78d36

df92b51119c69423299a6c77ef48ccf5c88871f17a6178e55a12896e364854ee

797b42e5843f190754a729e183e118490bfff4f594d2de7ecf7ce44a2da241a0

9e42283df84507855a4f2e0041072d3b5c366f678deb6740b267a5d3e3eb0d3f

b3912d75fb1b62b31e9538c665d923302913eb60d3c150811c3702856ca122ee

4f9894afb1672d06ab08a4a28264efcadd501eb7fec96b167a8ee73605cf6a32

640c855ed21ebc4202796e8320ec1bcb783954f3c1cb2a8d4b6c08b552a1a0cc

c6391461a4278c741a977b22425a8e0441c1c7eaa0f07717edf99fc1499a78a4

4ae47c5f127c9e70fc3ce10f44e475334af3c62e800a31255c3029d023a4a629

988d82d5b1032b465b0e0c3b60fd5f822209f4cdc9ab04de91139be98dac9ecd

f86f7bcd05d8c2bd10dacea88dcdd6a8a625c960a669cb70714399e6dc38e073

ec88df46903c51e37b4a01781fa56ef2660a6003e6e5e1e39cdad1f65095f672

5f03c3fccc63f88641dd6d6629ef1e290a37e849feaadc9c24e86f083be58563

b6f1de35fb634e720766ad4890ffc46b1ea70009d5345b5b063b241c8960a4fc

0b7adbaf23ba3d04bbacf7fafcbb9a155fa091089074f1cf2afef56588e7ebc5

3a21dc47739a632c2c5547bdea2020a170c385836a61bf6a595aff6ee37b1d6d

6c9660839a523d6c085775056fd7bc2bfae4109b294e5c9ddcbccd48a1fcce56

22f18a5e58e95585d54fda33650f448717f63acbd5e220ae2783e53361c4eebf

bf82c1046472b614b3a418e649e13630cea206551934ed2269d5c566b6d8e36f

de8081cfbb09b591530ae0d10a274e5c308e076f79512323b5c2d5dc590c4498

6212f82f82fa56b29731f0fff760c2cd526183af6d88921dadcf27a966ca8e0b

867d37e39eca966e299f66134f34111d71994322ca258764f52a6bb6cbe3de62

6e1d192b59f1320cc66cce1a87c496bd3ea7d3d10158782d39fb00a93b260bcd

bb717d78d28510a85111c03d5d80151f620286b08887b21a182c15b22dfdf50d

2a5d629a4645bf7e5a38f790f411fdbc96fa0ca814d04d27892421993caf4adb

692a2dfdd14e1eebd55cd8338fe1079436a7b934c93210027027b3236ab12bd3

063765712d9b927f451d12c8942b49ef16314a40eb0b712705890938621507e1

271327bcfa899612b77c8dede70a4fc29992029fb407ce49396e8c9e744e7d5c

34d17479f101c95b858ca4c9e54b5f3a6e7ffda281a9c9460a11be2831f8af54

38b9e035854f4696dd96d1338287410c80b4d3084ac369ff4b8a1291735f1bb2

180ed66287d01ebf68fb8c8e047c8f0d0cb0e9e4540674da1e7b75edb58058fc

1e041bead6abf833504e173d6b1026ee766bfef84635a7d222e520a673d8896c

6e3e1c928de68a893d469a0ce583e745a8fea28d52c66e58da4359cdf764f3a9

e704e802c9e5a6528efa76bcd386ca291a0b7f2411d3961adc15e164a95c8d91

694c17d75e085701e022b3546c5f8d60ba741bfebff48e535abba4bc652aaa3e

0fe394f7bb8883f18a70dfd637bf3d3b785ae4e8d9c886f0d3f30153c5474e76

1e941c8652aeeec451482b3804a9a3262839dd31bbc33098bbf5007b38427999

aa5547e42b9704ef5764ff4c470aba382463a1aa33626d83b0e610f4da6ce141

c5ac80b0f92e3c424d3eccbeb2f79d68800360b313ccbab4855b7e5f2b927344

b4337a636049658bd281de947f0357e33efa17f3f80c3904d959cf6777df001d

10b5a88a8665ad85d23ae5477538d6eea4de1487339b18fc835aac14d3f7164e

9f4e36a948bfd696324038eedeb9b3225119da9ddf2aced1d14459e3e2c49c96

5eeb3c3ae69941127e6c03581fc6274614e2d934631cca6c82cda688fb1ebadc

2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253

5697f2ac10e6f1a82497b6b8b19df905f77980ed0644ccd93d2e7bdbfd912241

a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968

b75681c1f99c4caf541478cc417ee9e8fba48f9b902c45d8bda0158a61ba1a2f

e173ecebfd5b01766dd8184250d5f2d442507b9b097e4ced319c246b78550d85

7921f1264b5ea1dd6c0ba0c7d0f7d5571b42452a5601f29e5f86704d7d73e273

c569ceb7fd1b5d5d860807dc12b8d71621c186bf8668bc5795b8e430db474f47

fc76f47878fc0787c52a41798d49dd738e99b0faeca95832c9dab46f197b8e53

1247d21002b20a15def542f68b04915e14daf29c8eb6a8814539501fe36324f7

f72a8aaff1ece757156621c9dd14b7dd056cc87ac78bb6b968da2f74197396ea

0f3ba94e10c72a31ef11bcf580ddbdabb43b5ed37b84638db1c973a1577c9be3

9dd2387b18930f0dc67917b2b14c9146bfc6f395fe917d8decc3263011797efa

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.

RECENT STORIES

Get the latest cybersecurity insights from our LinkedIn Digest. Subscribe on LinkedIn

Get the latest

We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.

Please enter a valid email address.

Zero spam. Unsubscribe at any time.