Bcc86c024f6bd004772c4bef39249e2c

From aldeid
Jump to navigation Jump to search

Description

Summary

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Identification

MD5 bcc86c024f6bd004772c4bef39249e2c
SHA1 815c92f5061d6c3a7c094003975acdd68f714084
SHA256 caaaf550aa0e5a6cc81af048b5a7155e2aa5a52fc14c0a29867ecf4a36f7eeec
ssdeep 3072:p8DTumuhez9/Xwwb50UUgaonCgV8c3Jc6gMxU+d9axMoPu:pFm7z9vwwb5RUga/s+6HeysO
File size 100.6 KB ( 103030 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID
  • Win32 Executable MS Visual C++ (generic) (41.0%)
  • Win64 Executable (generic) (36.3%)
  • Win32 Dynamic Link Library (generic) (8.6%)
  • Win32 Executable (generic) (5.9%)
  • Win16/32 Executable Delphi generic (2.7%)

Detection

Antivirus detection

Antivirus Result Update
Ad-Aware Trojan.Generic.7224364 20140415
AegisLab 20140415
Agnitum Worm.Ngrbot!nBqqjl///rY 20140414
AhnLab-V3 Trojan/Win32.Agent 20140414
AntiVir TR/Graftor.617589 20140415
Antiy-AVL Worm/Win32.Ngrbot 20140415
Avast Win32:Flooder-HQ [Trj] 20140415
AVG Dropper.Generic5.EHG 20140415
Baidu-International Worm.Win32.Ngrbot.aON 20140414
BitDefender Trojan.Generic.7224364 20140415
Bkav 20140415
ByteHero 20140415
CAT-QuickHeal Backdoor.Bifrose.AE6 20140415
ClamAV Win.Trojan.Ngrbot-13 20140415
CMC Worm.Win32.Ngrbot!O 20140411
Commtouch W32/Dorkbot.G.gen!Eldorado 20140415
Comodo Worm.Win32.Agent.BSM 20140415
DrWeb BackDoor.Bifrost.40 20140415
Emsisoft Worm.Win32.Ngrbot (A) 20140415
ESET-NOD32 a variant of Win32/Injector.URT 20140415
F-Prot W32/Dorkbot.G.gen!Eldorado 20140415
F-Secure Trojan.Generic.7224364 20140414
Fortinet W32/Dorkbot.AS!tr 20140413
GData Trojan.Generic.7224364 20140415
Ikarus Backdoor.Win32.Bifrose 20140415
Jiangmin Backdoor/Ruskill.ce 20140415
K7AntiVirus Riskware ( b8133cd50 ) 20140414
K7GW EmailWorm ( 002d22d51 ) 20140414
Kaspersky Worm.Win32.Ngrbot.bzm 20140415
Kingsoft Worm.Ngrbot.(kcloud) 20140415
Malwarebytes 20140415
McAfee Generic BackDoor.aew 20140415
McAfee-GW-Edition Generic BackDoor.aew 20140415
Microsoft Trojan:Win32/Injector.AB 20140415
MicroWorld-eScan Trojan.Generic.7224364 20140415
NANO-Antivirus Trojan.Win32.Bublik.cjgnqh 20140415
Norman Bifrose.CJGL 20140415
nProtect Trojan.Generic.7224364 20140414
Panda Bck/Bifrost.gen 20140414
Qihoo-360 HEUR/Malware.QVM02.Gen 20140415
Rising PE:Backdoor.Win32.Fednu.qw!1075350914 20140414
Sophos Troj/Kazy-S 20140415
SUPERAntiSpyware Trojan.Agent/Gen-Ruskill 20140415
Symantec Backdoor.Trojan 20140415
TheHacker W32/Ngrbot.bzm 20140413
TotalDefense 20140415
TrendMicro TSPY_NGRBOT_CA08296D.TOMC 20140415
TrendMicro-HouseCall TSPY_NGRBOT_CA08296D.TOMC 20140415
VBA32 Worm.Ngrbot 20140414
VIPRE Trojan.Win32.Injector.ab (v) 20140415
ViRobot Worm.Win32.A.Ngrbot.93696 20140415

Snort detection

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Links

Artifacts

Persistence

The malware achieves persistence by creating following registry keys:

Key Name Type Value
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836} stubpath REG_EXPAND_SZ C:\WINDOWS\system32\Bifrost\server.exe s
HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon REG_SZ C:\WINDOWS\TEMP\services.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run msmmsgr REG_SZ C:\WINDOWS\TEMP\x\services.exe

Files activity

Following files are created:

File Size Type Hash
C:\Documents and Settings\malware\Application Data\addons.dat 25 KB (24821 bytes) data (encrypted)
  • MD5: e62361d4e6257ebfda6052df5ccbbeee
  • SHA1: f590dee9c6c7223142deb41c3f76e467d3e764b4
  • SHA256: 3a8068db1861678aa95708360d9376a88bffb4898d983449d0d1330c9fd5d42c
C:\WINDOWS\system32\Bifrost\logg.dat 2.4 KB (2411 bytes) Non-ISO extended-ASCII text, with NEL line terminators
  • MD5: 50ab16caa7ffd50fa00148c01dc77be1
  • SHA1: f4b927542893940d7e9c36c7ec91f975eb501ae7
  • SHA256: 20b8cd15691fe47a366a72a1250125b34e04abfb977c7f9311fe04567c5fd28f
C:\WINDOWS\system32\Bifrost\server.exe 101KB (103030 bytes) PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  • MD5: bcc86c024f6bd004772c4bef39249e2c
  • SHA1: 815c92f5061d6c3a7c094003975acdd68f714084
  • SHA256: caaaf550aa0e5a6cc81af048b5a7155e2aa5a52fc14c0a29867ecf4a36f7eeec
C:\WINDOWS\Temp\services.exe 101 KB (103030 bytes) PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  • MD5: bcc86c024f6bd004772c4bef39249e2c
  • SHA1: 815c92f5061d6c3a7c094003975acdd68f714084
  • SHA256: caaaf550aa0e5a6cc81af048b5a7155e2aa5a52fc14c0a29867ecf4a36f7eeec

The malware copies itself to 2 locations:

  • C:\WINDOWS\system32\Bifrost\server.exe
  • C:\WINDOWS\Temp\services.exe

Registry database

Created entries

Key Name Type Value
HKLM\SOFTWARE\Bifrost nck REG_BINARY ed 1b e6 27 b9 28 d6 32 74 c3 cd 74 fa 93 5b 67
HKCU\Software\Bifrost klg REG_BINARY 01
HKCU\Software\Bifrost plg1 REG_BINARY ea 44 dc 02 a3 27 d7 5f 11 ad b9 07 da f2 35 03 2a 35 8e 58 1b 0e 11 94 d4 f9 10 0d 18 48 b7 af da 5d 59 bf cd e5 bc b0 21 a8 58 eb 14 e8 13 8a ad 69 39 70 95 91 53 5e 9c 3c 53 77 15 3a c2 06 5b 13 df f5 40 38 26 56 14 e7 0f 84 ab b3 1d f6 b0 c6 b0 1e 68 5b 70 93 28 05 0a c5 2d 69 e5 88 99 b6 9d 02 12 80 47 d5 fd e3 11 cf 82 2a 3f eb dc db fe 5c fc a9 e2 24 96 58 84 2f 39 9b 65 8f 07 dd 00 93 9f 17 44 40 e1 28 66 c5 5f 99 d8 45 16 96 7b c9 61 11 f8 90 18 95 d1 97 26 05 44 ba e3 e1 73 99 ed c0 24 97 e5 6a b7 c4 f3 fd 87 5e a7 4e e8 38 35 4c 6d a6 66 fc 51 8e 31 64 b2 44 71 3d 2b d0 e8 b3 0f 9c d0 a8 c5 ef 3f d2 cb a2 57 73 4c d8 1a 15 1a fc 0c 29 05 4e 74 a2 f7 21 12 c6 a2 54 cf db 59 8a c3 ce ef 8f 8f 35 ba a5 0f 93 8d b2 29 5f f3 4d 04 fb 9b 74 85 41 36 3a d8 5a 8f 41

Deleted entries

Key Name Type Value
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum 0 REG_SZ SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum 0 REG_SZ SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}

Modified entries

Key Name Type Prev. value New value
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum Count REG_DWORD 0x00000001 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum NextInstance REG_DWORD 0x00000001 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum Count REG_DWORD 0x00000001 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum NextInstance REG_DWORD 0x00000001 0x00000000

Mutexes

The malware creates following mutex: qqq

Network indicators

Contacted domains

  • semaa.no-ip.biz

Encrypted payloads

Encrypted payloads are regularly sent to semaa.no-ip.biz on port 81/tcp:

00000000  b2 00 fa 00 e2 2d d6 67  cc 44 a2 c8 8c bf b2 4b .....-.g .D.....K
00000010  d5 e4 9c 8a f2 91 97 52  77 61 41 ac 34 65 3f 3e .......R waA.4e?>
00000020  16 2c 84 1e fc c1 c8 df  7c f9 c4 f3 1f b3 e2 67 .,...... |......g
00000030  82 cd 52 17 5a 16 73 81  67 ee ac a9 fd 8c 2f 6a ..R.Z.s. g...../j
00000040  1c e5 71 39 23 64 6f 6c  df db a6 19 67 e6 db b8 ..q9#dol ....g...
00000050  51 d3 05 0e 0c 02 ce 9a  3a f2 4e 67 5f 9b f7 71 Q....... :.Ng_..q
00000060  21 ae 70 cc 31 8f 74 8b  ef ab f9 7b 8f 5c 5b 14 !.p.1.t. ...{.\[.
00000070  3b 94 a0 9c ab 14 17 2f  47 74 6b 45 81 25 10 6f ;....../ GtkE.%.o
00000080  90 b1 0e e7 53 31 ef bd  e5 72 c5 53 eb b3 5f 38 ....S1.. .r.S.._8
00000090  07 7c 6b 53 0d 7a 2f a8  6b e6 4c e0 f5 8a b8 a8 .|kS.z/. k.L.....
000000A0  bd d0 a3 ce 0d 12 e7 4d  7f 4d b9 35 6e 10 fd 5e .......M .M.5n..^
000000B0  37 b0 ea ec e7 4e                                7....N

Static analysis

Sections

Name       VirtAddr     VirtSize     RawSize      Entropy     
------------------------------------------------------------
.text      0x1000       0x773c       0x7800       6.387610    
.data      0x9000       0x11b0       0x1200       7.547794
.rdata     0xb000       0xf20        0x1000       5.051954    
.bss       0xc000       0x57e4       0x0          0.000000
.idata     0x12000      0x810        0xa00        4.399176    
.rsrc      0x13000      0x8750       0x8800       7.917358

Resources

Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_ICON            0x13100  0x777d   LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_ICON            0x1a880  0xf      LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_ICON            0x1a890  0xea8    LANG_NEUTRAL SUBLANG_NEUTRAL          data
RT_GROUP_ICON      0x1b738  0x14     LANG_NEUTRAL SUBLANG_NEUTRAL          MS Windows icon resource - 1 icon

IAT

Module Function
ADVAPI32.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll

Strings

1+P@
XX+Z
X8+Z
X[^_
;MZt
0[^_
Y[^_
5adoy
\[^_
\[^_
<[^_
,[^_
,[^_
TEMP
TEMPf
TEMP
TEMPf
%4"A
%("A
%8"A
% "A
%$"A
,[^_
 t6~
,[^_
,[^_
,[^_
<[^_
<[^_
,[^_
,[^_
}$;] t-
,[^_
,[^_
,[^_
$|c@
@DCUNG
t'Bt<
t3Bt6
$ t@
< tT<	tP
Y[^]
8Pu#
<[^_
%d"A
%p"A
%x"A
%t"A
%T"A
%P"A
%@"A
%<"A
%L"A
%H"A
%0"A
%,"A
%X"A
%D"A
%?/?!
"o;h(Y
T*_}x:
j Bz
u\B&
y7bT
Ab61
T<*2
a.z9
DGt2
&5	M{
yM;-
jMG\^
C?9z
bcKU
!+g\
"%-U^7
PaH?
dv&4
wj-K
.n\	
g&H`
~8lI
d^AE
;]>r
^(O= 
W1O	g_?
*,]I
Fv\;
Eub'z
\j#M
SRqDIK
_maz
mn`I:T`H
{OJW
z(~c
5_	 
=;&o
~?Pa w
WFgO
(>nH&p
gTzu
|k	.T
B=!&|
!\1c
libgcj_s.dll
_Jv_RegisterClasses
Mars
UIIaaa12areplcervariablsse
5UIreplcervariablsse
OOIefwreplcervariablsse
IOO6replcervariablsse
IOreplcervariablsse
OO4s4replcervariablsse
Oreplcervariablsse
Ys3s3replcervariablsse
Y3replcervariablsse
Ys2s2replcervariablsse
Y4replcervariablsse
Yaaa12areplcervariablsse
Y5replcervariablsse
Yefwreplcervariablsse
Y6replcervariablsse
UYreplcervariablsse
Ureplcervariablsse
Js4s4replcervariablsse
Jreplcervariablsse
FRs3s3replcervariablsse
SDF3replcervariablsse
FSFs2s2replcervariablsse
SDFS4replcervariablsse
FDSaaa12areplcervariablsse
SDF5replcervariablsse
DFefwreplcervariablsse
6SFDreplcervariablsse
sqsreplcervariablsse
qsreplcervariablsse
qs4s4replcervariablsse
sqw3s3replcervariablsse
qw3replcervariablsse
wqs2s2replcervariablsse
qw4replcervariablsse
wqaaa12areplcervariablsse
qw5replcervariablsse
ewqfwreplcervariablsse
qw6replcervariablsse
wqreplcervariablsse
qwreplcervariablsse
des4s4replcervariablsse
aq1replcervariablsse
1bs3s3replcervariablsse
1a3replcervariablsse
1bs2s2replcervariablsse
1a4replcervariablsse
1baaa12areplcervariablsse
1a1b5replcervariablsse
1befwreplcervariablsse
1a6replcervariablsse
1breplcervariablsse
1areplcervariablsse
s4s4replcervariablsse
replcervariablsse
s3s3replcervariablsse
3replcervariablsse
s2s2replcervariablsse
4replcervariablsse
aaa12areplcervariablsse
5replcervariablsse
efwreplcervariablsse
6replcervariablsse
DEPACKEND
ERROR
%.2x
ee250412268cbd418c02a0fce843a69c
failed compatibility
Expected: %s
Got: %s
windir
services.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
msmmsgr
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v msmmsgr /t REG_SZ /d 
ctfmon
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ctfmon /t REG_SZ /d 
CreateProcessA
KERNEL32
NtUnmapViewOfSection
NtSetContextThread
VirtualAllocEx
NTDLL
GetThreadContext
NtWriteVirtualMemory
ResumeThread
tModuleHandleA
VirtualProtect
GetModuleFileNameA
CreateFileA
GlobalAlloc
GlobalFree
ReadFile
GetFileSize
CloseHandle
IsDebuggerPresent
FiLe encrypted successfully !
File access error :(
Invalid PE file !
Not enough memory :(
Files with a filesize of 0 aren't allowed !
There's no room for a new section :(
Too many sections !
Too much ImageImportDescriptors !
KeRnEl32.dLl
LoadLibraryA
GetProcAddress
sdS@
std::exception
std::bad_exception
__gnu_cxx::__concurrence_lock_error
__gnu_cxx::__concurrence_unlock_error
pure virtual method called
std::bad_alloc
../../runtime/pseudo-reloc.c
VirtualQuery (addr, &b, sizeof(b))
../../../../gcc-4.4.1/libgcc/../gcc/config/i386/cygming-shared-data.c
0 && "Couldn't retrieve name of GCClib shared data atom"
ret->size == sizeof(__cygming_shared) && "GCClib shared data size mismatch"
0 && "Couldn't add GCClib shared data atom"
-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32
N10__cxxabiv115__forced_unwindE
N10__cxxabiv117__class_type_infoE
N10__cxxabiv119__foreign_exceptionE
N10__cxxabiv120__si_class_type_infoE
N9__gnu_cxx24__concurrence_lock_errorE
N9__gnu_cxx26__concurrence_unlock_errorE
St13bad_exception
St9bad_alloc
St9exception
St9type_info
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
AddAtomA
CloseHandle
CopyFileA
CreateMutexA
CreateProcessA
CreateSemaphoreA
ExitProcess
FindAtomA
FindResourceA
GetAtomNameA
GetCommandLineA
GetCurrentThreadId
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetTickCount
GlobalAlloc
GlobalFree
InterlockedDecrement
InterlockedIncrement
LoadResource
LockResource
OpenMutexA
ReleaseSemaphore
SetLastError
SetUnhandledExceptionFilter
SizeofResource
Sleep
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
VirtualProtect
VirtualQuery
WaitForSingleObject
_write
__getmainargs
__p__environ
__p__fmode
__set_app_type
_assert
_cexit
_iob
_onexit
_setmode
abort
atexit
free
getenv
malloc
memcpy
memmove
printf
puts
remove
signal
sprintf
strcat
strcmp
strcpy
strncpy
GetActiveWindow
MessageBoxA
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
msvcrt.dll
USER32.dll
@}3y
RWaf
4o i
HFw,
}SX"0K
wp+x
>|Fui	
1cB1t"0
}c=g
Ap~rO
[S^HN
o-SMs
|SNj
z%t 
HQzpH
.sCTA
|.?iI
.*aac
/5"Gz
V[d_4W
N7'=
xsx9
r$hY6
XcR+N
?q#3
Kf77
v,iF]
m>a1
 kSi
"N,u
l%Vc
RyT'
rr~8
puj.%
Z6.)
n)J3*
!OUcK
mU9<i
6nuH
y_z\k:<q
x>\jn
[=HmJ
`~{C
l-RD
5Wzd
tN]Ev
mm|o
mn9IN
_T(	a"n
 >Z]
_Oi	/
|n+;
b;$3
'dNBZ
I-):
K^|\
L_*@<
5}Rz
qntY
CH:^
aiIGH
sTs~
/X=~T
,bkI
g	"(
EyMD
{DfL
L{Jo
aRgL3
$v+\
Lh_Pu
.FV`
`	 J
Rl#0
2j|$,
[`7Ra
`:0N
R(l2%
Tn"O
~+##
@a2f
n2AB
,Y S
o0{z
klfPSp
Yb/!
<~q:
%sn[
\'ci
&n}ot
jbHd
N`'-
p.U\
t}Y*
zhsi
&IsM
w7&5X
f]v4,I
0b?p
'6V}
2wm}
P/C|
Ag7W
<	p_
7mVQ#
1+\?
S!_>L
}#:S
h&s<
@?W]x)
1C^N
gOx}
y6]Qs
Lzb_
- h3
IL.x
@C0H
r7cS
Uy?q
9x{s
}jis
RW aW
R13'\
H)o[:f
k5wa
,3|+L
iAx8A
jWV#
G>HY
,hgN}
Aw7%
6EKp
6~CW
0^rk
2{9	
!]RW
S4^]
,Xc9
F`p?
Ol.n
O4=u
BB}'V
"?IE
"M@V~
Y!Y7
aEh'U
g)C;
}u9U
`W'F
_<Y%
cdHKF
$Oh4
-rF2
%9I-
7GdP
_Ym`L.0^
U$T.
iP{%
.#8$Gs
3tCQZ)Yi
8Fv%
9b8~
cJLk
Ovs`
mXe#*
>p[:F
`CKV#
8eM(<
b5rhe
%@|+AC$=
[':%l
BOU^O
|R_ Z
0P:/p
CWwN
F?\B
/mJ1F
c:f`w+
,z41:
YV3-
ceIzP
o\lCv
6%t[
HKE~~ 
*G`I
ybrMwy
3u&?
Up\9N
eZ? 
d%]>
us4h)
,Nd+
qP%?
zly~
wV)3
Z<[5_
@-bN
*m_EwY
}J_d
]c;vz
1A_'_A[
wd_[
/Z>G
`lEEd&
1_.xV
gZmz
\C)1o
LME8n4?
|ta;XJi
`~+s
r8ai
H%M|
9L]8
XF[H
1#GJ{
8d#6<
iM&|
*U/|v>
xmMY
zd=F,
?'no
%eb)
@DDa
&91#[
@|IB
|8nO
]wb&
'w5{
+iS=P
0N8~X
:K[E
%8YR
FM2Xizp\e
_()f
zd9t
#^x#X
={5i
D0z,
8wd\`
[)M}Dfar
'7d(
N5dh
=\V5
U|ZR
cey~
)Ej@
Fq1f
'O81
,2ol
]:i|
=T"41
If@s
{Mxe
',K2K
AnMZK/4
6Gc>
$Z!(
(ZQC#
cg<&+u
ky~.
[7h?rV
%edjws
L)Oh
EGOoW
LaPL
@T-;
4,>2
su*_
$K^b
1P_=@
ZkA?
2*cm
.~AkW
z.%v
u6O@
~wlE&
v@`G
jRq`
.\Y6
Z0ca.ua)
{Jd/
iV/Y
"owvS
<>@B}0A
W,fx
<{Q 
H&?#`
&`[M
|zP(d
QT R{
.9%}
QdeR
R?uV
}P@`
w8L#
]Ld4
hxm<
+~Mr
[{89
z8-[F
Cd%y
0V|Zd
DoC'
35Ld^
/	99>8yzz
Yd@-D
hn$Y
z3Y;
e2|Pzn
{>^}
~0	kM
F{9O
j^J	
+&M4X
Yi!(a1
y/^}!
B`s=
LlSa
	cv~
2TWOIy
qA ?5
zfcp
7YEo
J:!8
}gY.
s_M>
8$8B
!9%9
J]-o
97P	@c4-
Nc(L3
:Ar,n
ZLTM
7]-	
qh<hj
?0(C6
^Y[r
E,j)
;PdZJ
rlad
#,7@
*ZCTc
j^P-o@B,^
	w^af
0&|A
^U-.
(azSxv
c*+h
Lc	A
~[`~T
g+kq}
:lKj
jr<a
L<*]%
W77A
C#[/>iiD>8!#7
SSSSSSSS
WU'%]469=EFHJNl0#A
!d"(.469=EFHJMTr
$(.469=EFHJ
$(.469=EFM
$(.469=ET
P!AW
$(.469F
$(.46J
fm,&
%53,&
/953,&
]:953,&
XYYYYO#
i=:953,&H
	d*g
Ysssssss
i=;:953,M
qqqqqqq)A
m:::::::R
svvvvvvvgA
]:::::::M
B$1_`ajbgA
^::::::;M
K[d[
$(.469+A
)::::EMT
$(.46%A
`=JS
$(]#
R:953,&
=:953,&
TFB=:953,&
RHEB=:953,&
HEB=:953,&"\f
xgsTMJ
HEB=:953-\2
nNMJ
HEB=:`^[@
8nDDbih/[g
x!!ff
?[8?GOQY
0c%%\\))8?GlQV
lc%%\\))dd++ee//>nl
ed))dd++ee///^^^O
{{]^///^^^^Q
SMJJ
}zwmmhvLHFFHJMZ
YYYY
}}}yyyti=BF
JMRS
}}}yyytt
JMRS
}}}yyyttp
JMRT
}}}yyyttpD
OMRT
}}}yyyttppGW
luunniiDu


Comments

Keywords: NGRBot qqq Bifrost bcc86c024f6bd004772c4bef39249e2c