Cyber ​​attack campaign against German commercial companies

Table of Contents

Description of the current situation

Current reports point to offensive cyber activities, including the cyber attack campaign by the Emissary Panda group (APT27) against German commercial companies.

The Federal Office for the Protection of the Constitution (BfV) has information about a large-scale cyber espionage campaign by APT27. They mainly use the HYPERBRO malware. According to current information, the group has been exploiting vulnerabilities in Microsoft Exchange and Zoho AdSelf Service Plus software as an attack vector since March 2021.

It cannot be ruled out that APT 27, in addition to stealing business secrets, also tries to infiltrate the networks of their customers and service providers (supply chain attack).

You want to spare yourself the damage of an attack?
Test your IT now with a professional penetration test!
For the penetration test

The grouping APT27 Emissary Panda

The cyber espionage group APT27 has been active since at least 2010. The Office for the Protection of the Constitution has recently observed an increase in attacks against German targets using the HYPERBRO malware.

The Federal Office for the Protection of the Constitution assumes that APT 27 will continue to attack the German economy and has therefore published the detection rules and indicators (Indicators of Compromise) listed below to enable companies to identify a compromise. The functionality of HYPERBRO is shown below using a current variant as an example.

The attack vector

The attackers were aware of the vulnerability in Zoho Manage Engine ADSelfService Plus software (CVE-2021-40539) and Microsoft Exchange Server 2013, 2016 and 2019 (CVE-2021-26855, CVE-2021-26857, CVE -2021-26858 and CVE-2021-27065) used to deliver HYPERBRO.

The technical analysis

HYPERBRO is a Remote Access Tool (RAT) that typically consists of the following

components (see Fig. 1):

Components from HYPERBRO
  1. Legitimate Executable (msmpeng.exe or vfhost.exe) – in this case, legitimate CyberArk Viewfinity software signed with a valid but expired certificate.
  2. Malicious DLL3 (vftrace.dll) loaded by legitimate loader using DLL hijacking method.
  3. Malware Payload (thumb.dat) in binary executable format (PE files) containing executable shellcode, a malicious DLL and attack infrastructure information (C2 addresses).
  4. When executing the payload, a malware configuration file (config.ini) is also stored as a file in the folder.

Installation process

The HYPERBRO installation process runs as follows (see Fig. 2):

Installation process of HYPERBRO

1. The executable loads the malicious DLL via DLL hijacking.

2. The DLL loads and decodes the thumb.dat, the malware payload.

3. Another DLL is loaded from thumb.dat into memory and executed there.

4. The storage location of the HYPERBRO data and the authorization level is checked.

4a. Without admin rights, the data comes into the %ProgrammData%\windefenders\.

4b. With admin rights in the %ProgramFiles%\Common Files\windefenders\.

5. The malware will restart in the new location to imitate Window Defender.

				
					%ProgramFiles%\Common Files\windefenders\

This folder can only be written to with administrative rights.

If HYPERBRO was started without administrative rights,

(4.b), however, the malware is in

moved to the following folder:

				
					%ProgramData%\windefenders\

By moving to this folder, HYPERBRO also imitates the WindowsDefender software. Then (5.) HYPERBRO restarts itself at the new storage location. In addition, Process Hollowing (in svchost.exe) is used and, under certain circumstances, the creation of a temporary service to enable execution with local system rights (in some HYPERBRO variants).

execution process

The first three steps of running HYPERBRO again (after installation or with every system restart) are exactly the same as during installation (see Fig. 3):

Execution Process of HYPERBRO

1. The executable loads the malicious DLL via DLL hijacking.

2. The DLL loads and decodes the thumb.dat, the malware payload.

3. Another DLL is created from the thumb.dat loaded into memory and executed there.

4. The storage location of the HYPERBRO data and the authorization level is checked.

4a. Without admin rights, a Run Key created in the registry.

4b. With admin rights, a Service created.

5. There will be a Mutex Objekt created to prevent further infection.

6. One config.ini is created, which contains a GUID for the C2 communication.

7. the DLL from the thumb.dat is via Process Hollowing in the svchost.exe loaded.

If required, HYPERBRO can load further processes into memory in order to enable further functions (e.g. key logging). These new processes communicate with the main process via named pipes (Fig.4).

HYPERBRO execution process in memory

Cyber ​​attack campaign against German commercial companies

Command and Control Server (C2)

HYPERBRO communicates with hard-coded C2 servers and receives further instructions from there. Known C2 servers can be found below under Indicators of Compromise (IOCs). HYPERBRO usually communicates via TCP port 443.

In individual cases it can happen that several variants of HYPERBRO are installed in the same network by the attacker, but with different C2 server addresses.

recommended action

Check the provided IOCs. In particular, log files and active network connections should be searched for connections to the external systems mentioned in the IOCs section. Since the IOCs provided may be changed by the actor, historical network logs (from the end of January 2021) should be checked to rule out infections that have already occurred in the past.

Furthermore, the attached detection rules can help to find a HYPERBRO infection.

Indicators of Compromise (IOCs)

Type IOC feature
IP 104.168.236.46 C2 server
IP 103.79.77.200 C2 server
IP 87.98.190.184 C2 server

Other possible indicators of infection

The following indicators could also have a legitimate origin, but should still be carefully scrutinized:

File %TEMP%\.key.log Log file with keystrokes (recorded by the keylogger)
File %TEMP%\.clip.log Log file with contents of the clipboard
Mutex   80A85553-1E05-4323-B4F9-43A4396A4507 Mutex created by the program to prevent multiple execution
Service wind fenders Is created when malware is executed with admin rights Display name “Windows Defenders” Description “Windows Defenders Service”
Process msiexec.exe Optionally, further injection in msiexec can be triggered by the appropriate C2 command
User Agent Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36 User Agent String used by the malware for C2 (https).
remote path /api/v2/ajax Path on the C2 server to which POST requests are transmitted
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\windefenders Run Key as a persistence mechanism when running without admin rights
Files/paths %ProgramFiles%\Common Files\windefenders\%ProgramFiles%\CommonFiles\windefenders\config.ini%ProgramFiles%\CommonFiles\windefenders\msmpeng.exe%ProgramFiles%\CommonFiles\windefenders\thumb.dat%ProgramFiles%\CommonFiles\windefenders\ vftrace.dll%ProgramData%\windefenders\%ProgramData%\windefenders\config.ini%ProgramData%\windefenders\msmpeng.exe%ProgramData%\windefenders\thumb.dat%ProgramData%\windefenders\vftrace.dll Locations and components of the malware

Detection Rule I: Stage Loader

Note: The following Yara rule is used to identify the initial stage loader from the HYPERBRO malware's vftrace.dll file and detects the corresponding decoding function. 
				
					import “pe”
rule vftrace_loader {
meta:
id = “4eEDO8F3p27FeY5YLIPjrA”
fingerprint = “b14d0c555f2908a31fefdfa23876d48589cd04dec9e7338a96bc85b0bf58b458”
version = “1.0”
first_imported = “2022-01-14”
last_modified = “2022-01-14”
status = “RELEASED”
sharing = “TLP:WHITE”
source = „BUNDESAMT FUER VERFASSUNGSSCHUTZ“
author = „Bundesamt fuer Verfassungsschutz“
description = “Yara rule to detect first Hyperbro Loader Stage, often called vftrace.dll. Detects decoding function.”
category = “MALWARE”
malware = “HYPERBRO”
mitre_att = “S0398”
reference = „Warnmeldung des BFV - Aktuelle APT27-Angriffskampagne gegen deutsche Wirtschaftsunternehmen“
hash = “333B52C2CFAC56B86EE9D54AEF4F0FF4144528917BC1AA1FE1613EFC2318339A”
strings:
$decoder_routine = { 8A ?? 41 10 00 00 8B ?? 28 ?? ?? 4? 3B ?? 72 ?? }
condition:
$decoder_routine and pe.exports(“D_C_Support_SetD_File”) and (pe.characteristics & pe.DLL) and filesize < 5MB
}

Detection Rule II: New variants of the payload (from the end of 2021)

Note: The following Yara rule is used to identify the HYPERBRO Loader Shellcode in the thumb.dat file and possibly during execution in memory.

				
					rule thumb_dat_shellcode_encoded
{
meta:
id = “4xBEgDqWksKAhAycnr9yEX”
fingerprint = “ed9d24bbb9d63a6c015d3d4c273b544b62483beb6f128e45d3d5d0900965d163”
version = “1.0”
first_imported = “2022-01-07”
last_modified = “2022-01-07”
status = “RELEASED”
sharing = “TLP:WHITE”
source = „BUNDESAMT FUER VERFASSUNGSSCHUTZ“
author = „Bundesamt fuer Verfassungsschutz“
description = “Yara rule to detect Hyperbro Loader Shellcode with all possible ADD/SUB encodings and in its decoded form at the
start of *thumb.dat* files. Tested against *thumb.dat* from 2019 and 2021.”
category = “MALWARE”
malware = “HYPERBRO”
mitre_att = „S0398“
reference = „Warnmeldung des BFV - Aktuelle APT27-Angriffskampagne gegen deutsche Wirtschaftsunternehmen“
hash = “601A02B81E3BD134C2CF681AC03D696B446E10BF267B11B91517DB1B233FEC74”

strings:
$thumb_dat_content1 = { E8 6B 09 00 00 C3 55 8B EC 51 51 83 65 F8 00 8B }
$thumb_dat_content2 = { E9 6C 0A 01 01 C4 56 8C ED 52 52 84 66 F9 01 8C }
$thumb_dat_content3 = { EA 6D 0B 02 02 C5 57 8D EE 53 53 85 67 FA 02 8D }
$thumb_dat_content4 = { EB 6E 0C 03 03 C6 58 8E EF 54 54 86 68 FB 03 8E }
$thumb_dat_content5 = { EC 6F 0D 04 04 C7 59 8F F0 55 55 87 69 FC 04 8F }
$thumb_dat_content6 = { ED 70 0E 05 05 C8 5A 90 F1 56 56 88 6A FD 05 90 }
$thumb_dat_content7 = { EE 71 0F 06 06 C9 5B 91 F2 57 57 89 6B FE 06 91 }
$thumb_dat_content8 = { EF 72 10 07 07 CA 5C 92 F3 58 58 8A 6C 00 07 92 }
$thumb_dat_content9 = { F0 73 11 08 08 CB 5D 93 F4 59 59 8B 6D 01 08 93 }
$thumb_dat_content10 = { F1 74 12 09 09 CC 5E 94 F5 5A 5A 8C 6E 02 09 94 }
$thumb_dat_content11 = { F2 75 13 0A 0A CD 5F 95 F6 5B 5B 8D 6F 03 0A 95 }
$thumb_dat_content12 = { F3 76 14 0B 0B CE 60 96 F7 5C 5C 8E 70 04 0B 96 }
$thumb_dat_content13 = { F4 77 15 0C 0C CF 61 97 F8 5D 5D 8F 71 05 0C 97 }
$thumb_dat_content14 = { F5 78 16 0D 0D D0 62 98 F9 5E 5E 90 72 06 0D 98 }
$thumb_dat_content15 = { F6 79 17 0E 0E D1 63 99 FA 5F 5F 91 73 07 0E 99 }
$thumb_dat_content16 = { F7 7A 18 0F 0F D2 64 9A FB 60 60 92 74 08 0F 9A }
$thumb_dat_content17 = { F8 7B 19 10 10 D3 65 9B FC 61 61 93 75 09 10 9B }
$thumb_dat_content18 = { F9 7C 1A 11 11 D4 66 9C FD 62 62 94 76 0A 11 9C }
$thumb_dat_content19 = { FA 7D 1B 12 12 D5 67 9D FE 63 63 95 77 0B 12 9D }
$thumb_dat_content20 = { FB 7E 1C 13 13 D6 68 9E 00 64 64 96 78 0C 13 9E }
$thumb_dat_content21 = { FC 7F 1D 14 14 D7 69 9F 01 65 65 97 79 0D 14 9F }
$thumb_dat_content22 = { FD 80 1E 15 15 D8 6A A0 02 66 66 98 7A 0E 15 A0 }
$thumb_dat_content23 = { FE 81 1F 16 16 D9 6B A1 03 67 67 99 7B 0F 16 A1 }
$thumb_dat_content24 = { 00 82 20 17 17 DA 6C A2 04 68 68 9A 7C 10 17 A2 }
$thumb_dat_content25 = { 01 83 21 18 18 DB 6D A3 05 69 69 9B 7D 11 18 A3 }
$thumb_dat_content26 = { 02 84 22 19 19 DC 6E A4 06 6A 6A 9C 7E 12 19 A4 }
$thumb_dat_content27 = { 03 85 23 1A 1A DD 6F A5 07 6B 6B 9D 7F 13 1A A5 }
$thumb_dat_content28 = { 04 86 24 1B 1B DE 70 A6 08 6C 6C 9E 80 14 1B A6 }
$thumb_dat_content29 = { 05 87 25 1C 1C DF 71 A7 09 6D 6D 9F 81 15 1C A7 }
$thumb_dat_content30 = { 06 88 26 1D 1D E0 72 A8 0A 6E 6E A0 82 16 1D A8 }
$thumb_dat_content31 = { 07 89 27 1E 1E E1 73 A9 0B 6F 6F A1 83 17 1E A9 }
$thumb_dat_content32 = { 08 8A 28 1F 1F E2 74 AA 0C 70 70 A2 84 18 1F AA }
$thumb_dat_content33 = { 09 8B 29 20 20 E3 75 AB 0D 71 71 A3 85 19 20 AB }
$thumb_dat_content34 = { 0A 8C 2A 21 21 E4 76 AC 0E 72 72 A4 86 1A 21 AC }
$thumb_dat_content35 = { 0B 8D 2B 22 22 E5 77 AD 0F 73 73 A5 87 1B 22 AD }
$thumb_dat_content36 = { 0C 8E 2C 23 23 E6 78 AE 10 74 74 A6 88 1C 23 AE }
$thumb_dat_content37 = { 0D 8F 2D 24 24 E7 79 AF 11 75 75 A7 89 1D 24 AF }
$thumb_dat_content38 = { 0E 90 2E 25 25 E8 7A B0 12 76 76 A8 8A 1E 25 B0 }
$thumb_dat_content39 = { 0F 91 2F 26 26 E9 7B B1 13 77 77 A9 8B 1F 26 B1 }
$thumb_dat_content40 = { 10 92 30 27 27 EA 7C B2 14 78 78 AA 8C 20 27 B2 }
$thumb_dat_content41 = { 11 93 31 28 28 EB 7D B3 15 79 79 AB 8D 21 28 B3 }
$thumb_dat_content42 = { 12 94 32 29 29 EC 7E B4 16 7A 7A AC 8E 22 29 B4 }
$thumb_dat_content43 = { 13 95 33 2A 2A ED 7F B5 17 7B 7B AD 8F 23 2A B5 }
$thumb_dat_content44 = { 14 96 34 2B 2B EE 80 B6 18 7C 7C AE 90 24 2B B6 }
$thumb_dat_content45 = { 15 97 35 2C 2C EF 81 B7 19 7D 7D AF 91 25 2C B7 }
$thumb_dat_content46 = { 16 98 36 2D 2D F0 82 B8 1A 7E 7E B0 92 26 2D B8 }
$thumb_dat_content47 = { 17 99 37 2E 2E F1 83 B9 1B 7F 7F B1 93 27 2E B9 }
$thumb_dat_content48 = { 18 9A 38 2F 2F F2 84 BA 1C 80 80 B2 94 28 2F BA }
$thumb_dat_content49 = { 19 9B 39 30 30 F3 85 BB 1D 81 81 B3 95 29 30 BB }
$thumb_dat_content50 = { 1A 9C 3A 31 31 F4 86 BC 1E 82 82 B4 96 2A 31 BC }
$thumb_dat_content51 = { 1B 9D 3B 32 32 F5 87 BD 1F 83 83 B5 97 2B 32 BD }
$thumb_dat_content52 = { 1C 9E 3C 33 33 F6 88 BE 20 84 84 B6 98 2C 33 BE }
$thumb_dat_content53 = { 1D 9F 3D 34 34 F7 89 BF 21 85 85 B7 99 2D 34 BF }
$thumb_dat_content54 = { 1E A0 3E 35 35 F8 8A C0 22 86 86 B8 9A 2E 35 C0 }
$thumb_dat_content55 = { 1F A1 3F 36 36 F9 8B C1 23 87 87 B9 9B 2F 36 C1 }
$thumb_dat_content56 = { 20 A2 40 37 37 FA 8C C2 24 88 88 BA 9C 30 37 C2 }
$thumb_dat_content57 = { 21 A3 41 38 38 FB 8D C3 25 89 89 BB 9D 31 38 C3 }
$thumb_dat_content58 = { 22 A4 42 39 39 FC 8E C4 26 8A 8A BC 9E 32 39 C4 }
$thumb_dat_content59 = { 23 A5 43 3A 3A FD 8F C5 27 8B 8B BD 9F 33 3A C5 }
$thumb_dat_content60 = { 24 A6 44 3B 3B FE 90 C6 28 8C 8C BE A0 34 3B C6 }
$thumb_dat_content61 = { 25 A7 45 3C 3C 00 91 C7 29 8D 8D BF A1 35 3C C7 }
$thumb_dat_content62 = { 26 A8 46 3D 3D 01 92 C8 2A 8E 8E C0 A2 36 3D C8 }
$thumb_dat_content63 = { 27 A9 47 3E 3E 02 93 C9 2B 8F 8F C1 A3 37 3E C9 }
$thumb_dat_content64 = { 28 AA 48 3F 3F 03 94 CA 2C 90 90 C2 A4 38 3F CA }
$thumb_dat_content65 = { 29 AB 49 40 40 04 95 CB 2D 91 91 C3 A5 39 40 CB }
$thumb_dat_content66 = { 2A AC 4A 41 41 05 96 CC 2E 92 92 C4 A6 3A 41 CC }
$thumb_dat_content67 = { 2B AD 4B 42 42 06 97 CD 2F 93 93 C5 A7 3B 42 CD }
$thumb_dat_content68 = { 2C AE 4C 43 43 07 98 CE 30 94 94 C6 A8 3C 43 CE }
$thumb_dat_content69 = { 2D AF 4D 44 44 08 99 CF 31 95 95 C7 A9 3D 44 CF }
$thumb_dat_content70 = { 2E B0 4E 45 45 09 9A D0 32 96 96 C8 AA 3E 45 D0 }
$thumb_dat_content71 = { 2F B1 4F 46 46 0A 9B D1 33 97 97 C9 AB 3F 46 D1 }
$thumb_dat_content72 = { 30 B2 50 47 47 0B 9C D2 34 98 98 CA AC 40 47 D2 }
$thumb_dat_content73 = { 31 B3 51 48 48 0C 9D D3 35 99 99 CB AD 41 48 D3 }
$thumb_dat_content74 = { 32 B4 52 49 49 0D 9E D4 36 9A 9A CC AE 42 49 D4 }
$thumb_dat_content75 = { 33 B5 53 4A 4A 0E 9F D5 37 9B 9B CD AF 43 4A D5 }
$thumb_dat_content76 = { 34 B6 54 4B 4B 0F A0 D6 38 9C 9C CE B0 44 4B D6 }
$thumb_dat_content77 = { 35 B7 55 4C 4C 10 A1 D7 39 9D 9D CF B1 45 4C D7 }
$thumb_dat_content78 = { 36 B8 56 4D 4D 11 A2 D8 3A 9E 9E D0 B2 46 4D D8 }
$thumb_dat_content79 = { 37 B9 57 4E 4E 12 A3 D9 3B 9F 9F D1 B3 47 4E D9 }
$thumb_dat_content80 = { 38 BA 58 4F 4F 13 A4 DA 3C A0 A0 D2 B4 48 4F DA }
$thumb_dat_content81 = { 39 BB 59 50 50 14 A5 DB 3D A1 A1 D3 B5 49 50 DB }
$thumb_dat_content82 = { 3A BC 5A 51 51 15 A6 DC 3E A2 A2 D4 B6 4A 51 DC }
$thumb_dat_content83 = { 3B BD 5B 52 52 16 A7 DD 3F A3 A3 D5 B7 4B 52 DD }
$thumb_dat_content84 = { 3C BE 5C 53 53 17 A8 DE 40 A4 A4 D6 B8 4C 53 DE }
$thumb_dat_content85 = { 3D BF 5D 54 54 18 A9 DF 41 A5 A5 D7 B9 4D 54 DF }
$thumb_dat_content86 = { 3E C0 5E 55 55 19 AA E0 42 A6 A6 D8 BA 4E 55 E0 }
$thumb_dat_content87 = { 3F C1 5F 56 56 1A AB E1 43 A7 A7 D9 BB 4F 56 E1 }
$thumb_dat_content88 = { 40 C2 60 57 57 1B AC E2 44 A8 A8 DA BC 50 57 E2 }
$thumb_dat_content89 = { 41 C3 61 58 58 1C AD E3 45 A9 A9 DB BD 51 58 E3 }
$thumb_dat_content90 = { 42 C4 62 59 59 1D AE E4 46 AA AA DC BE 52 59 E4 }
$thumb_dat_content91 = { 43 C5 63 5A 5A 1E AF E5 47 AB AB DD BF 53 5A E5 }
$thumb_dat_content92 = { 44 C6 64 5B 5B 1F B0 E6 48 AC AC DE C0 54 5B E6 }
$thumb_dat_content93 = { 45 C7 65 5C 5C 20 B1 E7 49 AD AD DF C1 55 5C E7 }
$thumb_dat_content94 = { 46 C8 66 5D 5D 21 B2 E8 4A AE AE E0 C2 56 5D E8 }
$thumb_dat_content95 = { 47 C9 67 5E 5E 22 B3 E9 4B AF AF E1 C3 57 5E E9 }
$thumb_dat_content96 = { 48 CA 68 5F 5F 23 B4 EA 4C B0 B0 E2 C4 58 5F EA }
$thumb_dat_content97 = { 49 CB 69 60 60 24 B5 EB 4D B1 B1 E3 C5 59 60 EB }
$thumb_dat_content98 = { 4A CC 6A 61 61 25 B6 EC 4E B2 B2 E4 C6 5A 61 EC }
$thumb_dat_content99 = { 4B CD 6B 62 62 26 B7 ED 4F B3 B3 E5 C7 5B 62 ED }
$thumb_dat_content100 = { 4C CE 6C 63 63 27 B8 EE 50 B4 B4 E6 C8 5C 63 EE }
$thumb_dat_content101 = { 4D CF 6D 64 64 28 B9 EF 51 B5 B5 E7 C9 5D 64 EF }
$thumb_dat_content102 = { 4E D0 6E 65 65 29 BA F0 52 B6 B6 E8 CA 5E 65 F0 }
$thumb_dat_content103 = { 4F D1 6F 66 66 2A BB F1 53 B7 B7 E9 CB 5F 66 F1 }
$thumb_dat_content104 = { 50 D2 70 67 67 2B BC F2 54 B8 B8 EA CC 60 67 F2 }
$thumb_dat_content105 = { 51 D3 71 68 68 2C BD F3 55 B9 B9 EB CD 61 68 F3 }
$thumb_dat_content106 = { 52 D4 72 69 69 2D BE F4 56 BA BA EC CE 62 69 F4 }
$thumb_dat_content107 = { 53 D5 73 6A 6A 2E BF F5 57 BB BB ED CF 63 6A F5 }
$thumb_dat_content108 = { 54 D6 74 6B 6B 2F C0 F6 58 BC BC EE D0 64 6B F6 }
$thumb_dat_content109 = { 55 D7 75 6C 6C 30 C1 F7 59 BD BD EF D1 65 6C F7 }
$thumb_dat_content110 = { 56 D8 76 6D 6D 31 C2 F8 5A BE BE F0 D2 66 6D F8 }
$thumb_dat_content111 = { 57 D9 77 6E 6E 32 C3 F9 5B BF BF F1 D3 67 6E F9 }
$thumb_dat_content112 = { 58 DA 78 6F 6F 33 C4 FA 5C C0 C0 F2 D4 68 6F FA }
$thumb_dat_content113 = { 59 DB 79 70 70 34 C5 FB 5D C1 C1 F3 D5 69 70 FB }
$thumb_dat_content114 = { 5A DC 7A 71 71 35 C6 FC 5E C2 C2 F4 D6 6A 71 FC }
$thumb_dat_content115 = { 5B DD 7B 72 72 36 C7 FD 5F C3 C3 F5 D7 6B 72 FD }
$thumb_dat_content116 = { 5C DE 7C 73 73 37 C8 FE 60 C4 C4 F6 D8 6C 73 FE }
$thumb_dat_content117 = { 5D DF 7D 74 74 38 C9 00 61 C5 C5 F7 D9 6D 74 00 }
$thumb_dat_content118 = { 5E E0 7E 75 75 39 CA 01 62 C6 C6 F8 DA 6E 75 01 }
$thumb_dat_content119 = { 5F E1 7F 76 76 3A CB 02 63 C7 C7 F9 DB 6F 76 02 }
$thumb_dat_content120 = { 60 E2 80 77 77 3B CC 03 64 C8 C8 FA DC 70 77 03 }
$thumb_dat_content121 = { 61 E3 81 78 78 3C CD 04 65 C9 C9 FB DD 71 78 04 }
$thumb_dat_content122 = { 62 E4 82 79 79 3D CE 05 66 CA CA FC DE 72 79 05 }
$thumb_dat_content123 = { 63 E5 83 7A 7A 3E CF 06 67 CB CB FD DF 73 7A 06 }
$thumb_dat_content124 = { 64 E6 84 7B 7B 3F D0 07 68 CC CC FE E0 74 7B 07 }
$thumb_dat_content125 = { 65 E7 85 7C 7C 40 D1 08 69 CD CD 00 E1 75 7C 08 }
$thumb_dat_content126 = { 66 E8 86 7D 7D 41 D2 09 6A CE CE 01 E2 76 7D 09 }
$thumb_dat_content127 = { 67 E9 87 7E 7E 42 D3 0A 6B CF CF 02 E3 77 7E 0A }
$thumb_dat_content128 = { 68 EA 88 7F 7F 43 D4 0B 6C D0 D0 03 E4 78 7F 0B }
$thumb_dat_content129 = { 69 EB 89 80 80 44 D5 0C 6D D1 D1 04 E5 79 80 0C }
$thumb_dat_content130 = { 6A EC 8A 81 81 45 D6 0D 6E D2 D2 05 E6 7A 81 0D }
$thumb_dat_content131 = { 6B ED 8B 82 82 46 D7 0E 6F D3 D3 06 E7 7B 82 0E }
$thumb_dat_content132 = { 6C EE 8C 83 83 47 D8 0F 70 D4 D4 07 E8 7C 83 0F }
$thumb_dat_content133 = { 6D EF 8D 84 84 48 D9 10 71 D5 D5 08 E9 7D 84 10 }
$thumb_dat_content134 = { 6E F0 8E 85 85 49 DA 11 72 D6 D6 09 EA 7E 85 11 }
$thumb_dat_content135 = { 6F F1 8F 86 86 4A DB 12 73 D7 D7 0A EB 7F 86 12 }
$thumb_dat_content136 = { 70 F2 90 87 87 4B DC 13 74 D8 D8 0B EC 80 87 13 }
$thumb_dat_content137 = { 71 F3 91 88 88 4C DD 14 75 D9 D9 0C ED 81 88 14 }
$thumb_dat_content138 = { 72 F4 92 89 89 4D DE 15 76 DA DA 0D EE 82 89 15 }
$thumb_dat_content139 = { 73 F5 93 8A 8A 4E DF 16 77 DB DB 0E EF 83 8A 16 }
$thumb_dat_content140 = { 74 F6 94 8B 8B 4F E0 17 78 DC DC 0F F0 84 8B 17 }
$thumb_dat_content141 = { 75 F7 95 8C 8C 50 E1 18 79 DD DD 10 F1 85 8C 18 }
$thumb_dat_content142 = { 76 F8 96 8D 8D 51 E2 19 7A DE DE 11 F2 86 8D 19 }
$thumb_dat_content143 = { 77 F9 97 8E 8E 52 E3 1A 7B DF DF 12 F3 87 8E 1A }
$thumb_dat_content144 = { 78 FA 98 8F 8F 53 E4 1B 7C E0 E0 13 F4 88 8F 1B }
$thumb_dat_content145 = { 79 FB 99 90 90 54 E5 1C 7D E1 E1 14 F5 89 90 1C }
$thumb_dat_content146 = { 7A FC 9A 91 91 55 E6 1D 7E E2 E2 15 F6 8A 91 1D }
$thumb_dat_content147 = { 7B FD 9B 92 92 56 E7 1E 7F E3 E3 16 F7 8B 92 1E }
$thumb_dat_content148 = { 7C FE 9C 93 93 57 E8 1F 80 E4 E4 17 F8 8C 93 1F }
$thumb_dat_content149 = { 7D 00 9D 94 94 58 E9 20 81 E5 E5 18 F9 8D 94 20 }
$thumb_dat_content150 = { 7E 01 9E 95 95 59 EA 21 82 E6 E6 19 FA 8E 95 21 }
$thumb_dat_content151 = { 7F 02 9F 96 96 5A EB 22 83 E7 E7 1A FB 8F 96 22 }
$thumb_dat_content152 = { 80 03 A0 97 97 5B EC 23 84 E8 E8 1B FC 90 97 23 }
$thumb_dat_content153 = { 81 04 A1 98 98 5C ED 24 85 E9 E9 1C FD 91 98 24 }
$thumb_dat_content154 = { 82 05 A2 99 99 5D EE 25 86 EA EA 1D FE 92 99 25 }
$thumb_dat_content155 = { 83 06 A3 9A 9A 5E EF 26 87 EB EB 1E 00 93 9A 26 }
$thumb_dat_content156 = { 84 07 A4 9B 9B 5F F0 27 88 EC EC 1F 01 94 9B 27 }
$thumb_dat_content157 = { 85 08 A5 9C 9C 60 F1 28 89 ED ED 20 02 95 9C 28 }
$thumb_dat_content158 = { 86 09 A6 9D 9D 61 F2 29 8A EE EE 21 03 96 9D 29 }
$thumb_dat_content159 = { 87 0A A7 9E 9E 62 F3 2A 8B EF EF 22 04 97 9E 2A }
$thumb_dat_content160 = { 88 0B A8 9F 9F 63 F4 2B 8C F0 F0 23 05 98 9F 2B }
$thumb_dat_content161 = { 89 0C A9 A0 A0 64 F5 2C 8D F1 F1 24 06 99 A0 2C }
$thumb_dat_content162 = { 8A 0D AA A1 A1 65 F6 2D 8E F2 F2 25 07 9A A1 2D }
$thumb_dat_content163 = { 8B 0E AB A2 A2 66 F7 2E 8F F3 F3 26 08 9B A2 2E }
$thumb_dat_content164 = { 8C 0F AC A3 A3 67 F8 2F 90 F4 F4 27 09 9C A3 2F }
$thumb_dat_content165 = { 8D 10 AD A4 A4 68 F9 30 91 F5 F5 28 0A 9D A4 30 }
$thumb_dat_content166 = { 8E 11 AE A5 A5 69 FA 31 92 F6 F6 29 0B 9E A5 31 }
$thumb_dat_content167 = { 8F 12 AF A6 A6 6A FB 32 93 F7 F7 2A 0C 9F A6 32 }
$thumb_dat_content168 = { 90 13 B0 A7 A7 6B FC 33 94 F8 F8 2B 0D A0 A7 33 }
$thumb_dat_content169 = { 91 14 B1 A8 A8 6C FD 34 95 F9 F9 2C 0E A1 A8 34 }
$thumb_dat_content170 = { 92 15 B2 A9 A9 6D FE 35 96 FA FA 2D 0F A2 A9 35 }
$thumb_dat_content171 = { 93 16 B3 AA AA 6E 00 36 97 FB FB 2E 10 A3 AA 36 }
$thumb_dat_content172 = { 94 17 B4 AB AB 6F 01 37 98 FC FC 2F 11 A4 AB 37 }
$thumb_dat_content173 = { 95 18 B5 AC AC 70 02 38 99 FD FD 30 12 A5 AC 38 }
$thumb_dat_content174 = { 96 19 B6 AD AD 71 03 39 9A FE FE 31 13 A6 AD 39 }
$thumb_dat_content175 = { 97 1A B7 AE AE 72 04 3A 9B 00 00 32 14 A7 AE 3A }
$thumb_dat_content176 = { 98 1B B8 AF AF 73 05 3B 9C 01 01 33 15 A8 AF 3B }
$thumb_dat_content177 = { 99 1C B9 B0 B0 74 06 3C 9D 02 02 34 16 A9 B0 3C }
$thumb_dat_content178 = { 9A 1D BA B1 B1 75 07 3D 9E 03 03 35 17 AA B1 3D }
$thumb_dat_content179 = { 9B 1E BB B2 B2 76 08 3E 9F 04 04 36 18 AB B2 3E }
$thumb_dat_content180 = { 9C 1F BC B3 B3 77 09 3F A0 05 05 37 19 AC B3 3F }
$thumb_dat_content181 = { 9D 20 BD B4 B4 78 0A 40 A1 06 06 38 1A AD B4 40 }
$thumb_dat_content182 = { 9E 21 BE B5 B5 79 0B 41 A2 07 07 39 1B AE B5 41 }
$thumb_dat_content183 = { 9F 22 BF B6 B6 7A 0C 42 A3 08 08 3A 1C AF B6 42 }
$thumb_dat_content184 = { A0 23 C0 B7 B7 7B 0D 43 A4 09 09 3B 1D B0 B7 43 }
$thumb_dat_content185 = { A1 24 C1 B8 B8 7C 0E 44 A5 0A 0A 3C 1E B1 B8 44 }
$thumb_dat_content186 = { A2 25 C2 B9 B9 7D 0F 45 A6 0B 0B 3D 1F B2 B9 45 }
$thumb_dat_content187 = { A3 26 C3 BA BA 7E 10 46 A7 0C 0C 3E 20 B3 BA 46 }
$thumb_dat_content188 = { A4 27 C4 BB BB 7F 11 47 A8 0D 0D 3F 21 B4 BB 47 }
$thumb_dat_content189 = { A5 28 C5 BC BC 80 12 48 A9 0E 0E 40 22 B5 BC 48 }
$thumb_dat_content190 = { A6 29 C6 BD BD 81 13 49 AA 0F 0F 41 23 B6 BD 49 }
$thumb_dat_content191 = { A7 2A C7 BE BE 82 14 4A AB 10 10 42 24 B7 BE 4A }
$thumb_dat_content192 = { A8 2B C8 BF BF 83 15 4B AC 11 11 43 25 B8 BF 4B }
$thumb_dat_content193 = { A9 2C C9 C0 C0 84 16 4C AD 12 12 44 26 B9 C0 4C }
$thumb_dat_content194 = { AA 2D CA C1 C1 85 17 4D AE 13 13 45 27 BA C1 4D }
$thumb_dat_content195 = { AB 2E CB C2 C2 86 18 4E AF 14 14 46 28 BB C2 4E }
$thumb_dat_content196 = { AC 2F CC C3 C3 87 19 4F B0 15 15 47 29 BC C3 4F }
$thumb_dat_content197 = { AD 30 CD C4 C4 88 1A 50 B1 16 16 48 2A BD C4 50 }
$thumb_dat_content198 = { AE 31 CE C5 C5 89 1B 51 B2 17 17 49 2B BE C5 51 }
$thumb_dat_content199 = { AF 32 CF C6 C6 8A 1C 52 B3 18 18 4A 2C BF C6 52 }
$thumb_dat_content200 = { B0 33 D0 C7 C7 8B 1D 53 B4 19 19 4B 2D C0 C7 53 }
$thumb_dat_content201 = { B1 34 D1 C8 C8 8C 1E 54 B5 1A 1A 4C 2E C1 C8 54 }
$thumb_dat_content202 = { B2 35 D2 C9 C9 8D 1F 55 B6 1B 1B 4D 2F C2 C9 55 }
$thumb_dat_content203 = { B3 36 D3 CA CA 8E 20 56 B7 1C 1C 4E 30 C3 CA 56 }
$thumb_dat_content204 = { B4 37 D4 CB CB 8F 21 57 B8 1D 1D 4F 31 C4 CB 57 }
$thumb_dat_content205 = { B5 38 D5 CC CC 90 22 58 B9 1E 1E 50 32 C5 CC 58 }
$thumb_dat_content206 = { B6 39 D6 CD CD 91 23 59 BA 1F 1F 51 33 C6 CD 59 }
$thumb_dat_content207 = { B7 3A D7 CE CE 92 24 5A BB 20 20 52 34 C7 CE 5A }
$thumb_dat_content208 = { B8 3B D8 CF CF 93 25 5B BC 21 21 53 35 C8 CF 5B }
$thumb_dat_content209 = { B9 3C D9 D0 D0 94 26 5C BD 22 22 54 36 C9 D0 5C }
$thumb_dat_content210 = { BA 3D DA D1 D1 95 27 5D BE 23 23 55 37 CA D1 5D }
$thumb_dat_content211 = { BB 3E DB D2 D2 96 28 5E BF 24 24 56 38 CB D2 5E }
$thumb_dat_content212 = { BC 3F DC D3 D3 97 29 5F C0 25 25 57 39 CC D3 5F }
$thumb_dat_content213 = { BD 40 DD D4 D4 98 2A 60 C1 26 26 58 3A CD D4 60 }
$thumb_dat_content214 = { BE 41 DE D5 D5 99 2B 61 C2 27 27 59 3B CE D5 61 }
$thumb_dat_content215 = { BF 42 DF D6 D6 9A 2C 62 C3 28 28 5A 3C CF D6 62 }
$thumb_dat_content216 = { C0 43 E0 D7 D7 9B 2D 63 C4 29 29 5B 3D D0 D7 63 }
$thumb_dat_content217 = { C1 44 E1 D8 D8 9C 2E 64 C5 2A 2A 5C 3E D1 D8 64 }
$thumb_dat_content218 = { C2 45 E2 D9 D9 9D 2F 65 C6 2B 2B 5D 3F D2 D9 65 }
$thumb_dat_content219 = { C3 46 E3 DA DA 9E 30 66 C7 2C 2C 5E 40 D3 DA 66 }
$thumb_dat_content220 = { C4 47 E4 DB DB 9F 31 67 C8 2D 2D 5F 41 D4 DB 67 }
$thumb_dat_content221 = { C5 48 E5 DC DC A0 32 68 C9 2E 2E 60 42 D5 DC 68 }
$thumb_dat_content222 = { C6 49 E6 DD DD A1 33 69 CA 2F 2F 61 43 D6 DD 69 }
$thumb_dat_content223 = { C7 4A E7 DE DE A2 34 6A CB 30 30 62 44 D7 DE 6A }
$thumb_dat_content224 = { C8 4B E8 DF DF A3 35 6B CC 31 31 63 45 D8 DF 6B }
$thumb_dat_content225 = { C9 4C E9 E0 E0 A4 36 6C CD 32 32 64 46 D9 E0 6C }
$thumb_dat_content226 = { CA 4D EA E1 E1 A5 37 6D CE 33 33 65 47 DA E1 6D }
$thumb_dat_content227 = { CB 4E EB E2 E2 A6 38 6E CF 34 34 66 48 DB E2 6E }
$thumb_dat_content228 = { CC 4F EC E3 E3 A7 39 6F D0 35 35 67 49 DC E3 6F }
$thumb_dat_content229 = { CD 50 ED E4 E4 A8 3A 70 D1 36 36 68 4A DD E4 70 }
$thumb_dat_content230 = { CE 51 EE E5 E5 A9 3B 71 D2 37 37 69 4B DE E5 71 }
$thumb_dat_content231 = { CF 52 EF E6 E6 AA 3C 72 D3 38 38 6A 4C DF E6 72 }
$thumb_dat_content232 = { D0 53 F0 E7 E7 AB 3D 73 D4 39 39 6B 4D E0 E7 73 }
$thumb_dat_content233 = { D1 54 F1 E8 E8 AC 3E 74 D5 3A 3A 6C 4E E1 E8 74 }
$thumb_dat_content234 = { D2 55 F2 E9 E9 AD 3F 75 D6 3B 3B 6D 4F E2 E9 75 }
$thumb_dat_content235 = { D3 56 F3 EA EA AE 40 76 D7 3C 3C 6E 50 E3 EA 76 }
$thumb_dat_content236 = { D4 57 F4 EB EB AF 41 77 D8 3D 3D 6F 51 E4 EB 77 }
$thumb_dat_content237 = { D5 58 F5 EC EC B0 42 78 D9 3E 3E 70 52 E5 EC 78 }
$thumb_dat_content238 = { D6 59 F6 ED ED B1 43 79 DA 3F 3F 71 53 E6 ED 79 }
$thumb_dat_content239 = { D7 5A F7 EE EE B2 44 7A DB 40 40 72 54 E7 EE 7A }
$thumb_dat_content240 = { D8 5B F8 EF EF B3 45 7B DC 41 41 73 55 E8 EF 7B }
$thumb_dat_content241 = { D9 5C F9 F0 F0 B4 46 7C DD 42 42 74 56 E9 F0 7C }
$thumb_dat_content242 = { DA 5D FA F1 F1 B5 47 7D DE 43 43 75 57 EA F1 7D }
$thumb_dat_content243 = { DB 5E FB F2 F2 B6 48 7E DF 44 44 76 58 EB F2 7E }
$thumb_dat_content244 = { DC 5F FC F3 F3 B7 49 7F E0 45 45 77 59 EC F3 7F }
$thumb_dat_content245 = { DD 60 FD F4 F4 B8 4A 80 E1 46 46 78 5A ED F4 80 }
$thumb_dat_content246 = { DE 61 FE F5 F5 B9 4B 81 E2 47 47 79 5B EE F5 81 }
$thumb_dat_content247 = { DF 62 00 F6 F6 BA 4C 82 E3 48 48 7A 5C EF F6 82 }
$thumb_dat_content248 = { E0 63 01 F7 F7 BB 4D 83 E4 49 49 7B 5D F0 F7 83 }
$thumb_dat_content249 = { E1 64 02 F8 F8 BC 4E 84 E5 4A 4A 7C 5E F1 F8 84 }
$thumb_dat_content250 = { E2 65 03 F9 F9 BD 4F 85 E6 4B 4B 7D 5F F2 F9 85 }
$thumb_dat_content251 = { E3 66 04 FA FA BE 50 86 E7 4C 4C 7E 60 F3 FA 86 }
$thumb_dat_content252 = { E4 67 05 FB FB BF 51 87 E8 4D 4D 7F 61 F4 FB 87 }
$thumb_dat_content253 = { E5 68 06 FC FC C0 52 88 E9 4E 4E 80 62 F5 FC 88 }
$thumb_dat_content254 = { E6 69 07 FD FD C1 53 89 EA 4F 4F 81 63 F6 FD 89 }
$thumb_dat_content255 = { E7 6A 08 FE FE C2 54 8A EB 50 50 82 64 F7 FE 8A }

condition:
any of them and filesize < 5MB
}
Increase the security of your IT system now!
You will receive detailed advice from us!
Contact us now

References

BSI 

URL

DIVIDE
Facebook f Twitter Linkedin-in Icon xing
OTHER CONTRIBUTIONS

Table of Contents