# PROMETHIUM extends global reach with StrongPity3 APT **[blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html](https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html)** _[By Warren Mercer, Paul Rascagneres and Vitor Ventura.](https://twitter.com/SecurityBeard/)_ ## News summary The threat actor behind StrongPity is not deterred despite being exposed multiple times over the past four years. They continue to expand their victimology and attack seemingly non related countries. This kind of continuous improvement suggests there is a possibility that this is an exported solution for other actors to use. ## Executive summary [The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times](https://cybersecurity.att.com/blogs/labs-research/newly-identified-strongpity-operations) over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos identified around 30 new C2 domains. We assess that PROMETHIUM activity corresponds to five peaks of activity when clustered by the creation date month and year. ### What's new? Talos telemetry shows that PROMETHIUM is expanding its reach and attempts to infect new targets across several countries. The samples related to StrongPity3 targeted victims in Colombia, India, Canada and Vietnam. The group has at least four new trojanized ----- setup files we observed: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player). ### How did it work? Talos could not pinpoint the initial attack vector, however, the use of trojanized installation files to well-known applications is consistent with the previously documented campaigns. This leads us to believe that just like in the past, the initial vector may be either a watering hole attack or in-path request interception like mentioned in a [CitizenLab report from 2018.](https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/) The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. In some cases, it will reconfigure Windows Defender before dropping the malware to prevent detection. ### So what? This group mainly focuses on espionage, and these latest campaigns continue down the same path. The malware will exfiltrate any Microsoft Office file it encounters on the [system. Previous research even linked PROMETHIUM to state-sponsored threats. The](https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/) fact that the group does not refrain from launching new campaigns even after being exposed shows their resolve to accomplish their mission. PROMETHIUM has been resilient over the years. Its campaigns have been exposed several times, but that was not enough to make the actors behind it to make them stop. ## 2019-2020 Campaigns ### Potential infection vectors Despite the numbers of samples and the quantity of C2 servers, Cisco Talos did not identify the infection vectors. We have no evidence that the websites of the real applications were compromised to host the malicious installer. The infection vector does not seem to be related to a supply-chain attack, either. [Based on the previous research from CitizenLab and the artifacts from the new](https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/) campaigns, we estimate that the infection vector could be the same as in 2018. When the targeted users tried to download a legitimate application on the official website, the ISP performs an HTTP redirect. For more information about the methodology used in the past, we recommend reading the paper from CitizenLab. ### New victimology The report from CitizenLab highlights the intervention of service providers during the initial attack vector implying state support. It also refers to the change from FinSpy, a well-known malware developed by a lawful interception company, to StrongPity2. At the time, they concluded that most of the victims were in Turkey and Syria. ----- Our research indicates that the victims are now in many different regions of the world. Countries affected by StrongPity The many different versions of the malware, coupled with the fact that the domains are hardcoded indicates that a tool such as a Builder is used to generate the binaries. We can conclude that the PROMETHIUM threat actor is interested in new countries or the malicious framework developed by this threat actor is exported in more countries than previously thought. ----- Trojanized Firefox Installer One interesting detail, which is aligned with CitizenLab's claim that Turkish people were the most targeted, is the Turkish language version of the Firefox Installer. ### C2 infrastructure Talos has identified at least three different campaigns since July 2019. We clustered the campaigns based on the domain creation date. Domain clusters The fact we clustered these into different campaigns does not mean that they have been conducted sequentially. In fact, our analysis of each domain showed that these are overlapping campaigns — some of them going back to 2018. ----- ----- Domain activity timeline Some of these domains may already be sinkholed, thus posing no threat. However, the fact that the number of hits is still high shows that the infection vectors are still active. It is interesting to note that this threat actor uses HTTPS on the C2. They always use selfsigned certificates. ### Main differences between StrongPity2 and StrongPity3 StrongPity3 is the evolution of StrongPity2, with a few differences. The latter does not use libcurl anymore and now uses winhttp to perform all requests to C2. The usage of the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key has a persistence mechanism that has been replaced by the creation of a service. This service changes its name from package to package. The service executable's only job is to launch the C2 contact module upon service startup. The remaining malware flow is the same on both versions. The dropped files are now stored in a folder located in C:\DOCUME~1\ ~1\LOCALS~1\Temp\ always following the same pattern similar to the following: 4CA-B25C11-A27BC. The C2 path pattern has also changed, we have identified the following paths: ini.php, info.php and parse_ini_file.php, which are no longer random nor animal named based. ### Malware #### Trojanized applications We found four different trojaned binaries in use since July 2019. The 5kplayer, driver pack and Firefox trojanized software use a service to achieve persistence. The VPNpro trojanized application uses an AutoRun registry key, as mentioned in the publication released before July 2019. ----- Anti-virus checks on Firefox trojanized installer Before writing the toolkit into the hard drive, the fake Firefox installer executes a PowerShell command that will add the directories used by the malware to the Windows Defender exclusions list and prevent sample submission at the same time. After that, it will check if ESET or BitDefender antivirus are installed before dropping the malware. If they are installed, nothing will be dropped. We'll now break down the 5kplayer trojanized installer. The setup deploys three files which are part of the toolset: rmaserv.exe, winprint32.exe and mssqldbserv.xml. ----- Execution flow As the execution flow shows, the setup will only execute rmaserv.exe. The remaining modules are executed by rmaserv.exe when this executable will be executed as a service. #### The malicious service: rmaserv.exe This binary has two main features. If it is executed with the "help" parameter, it will install a service to execute itself as a service. This parameter is used by the trojanized installer. Here is the code to perform this task: ----- rmaserv.exe entry function This follows the design pattern described in the Microsoft Windows documentation, [which can be found here. This has a notable side effect: if rmaserv.exe is executed isolated](https://docs.microsoft.com/en-us/windows/win32/services/writing-a-service-program-s-main-function) on a sandbox (so without the parameter), the service is not created. Consequently, the execution won't do anything and the dynamic analysis will be skewed. The second main feature is the service. This service has two features. First, it will launch the winprint32.exe executable (C2 contact module) and then it will wait for an event. This event is the mechanism used by the C2 contact module to alert the service executable to perform the cleaning of all components. #### C2 contact module: winprint32.exe Regularly, the service checks if a user is logged, by checking if Explorer is running. Once explorer.exe is running, the service configures the environment and executes the C2 contact module: winprint32.exe. This module is responsible for launching the document search module, contact the C2 and exfiltrate the collected documents. It will create a mutex with the name ["YeucqCcpgapiZISEdRSNiL". Afterward, it will launch two processes:](https://www.virustotal.com/gui/search/behaviour%25253A%252522YeucqCcpgapiZISEdRSNiL%252522) C:\DOCUME~1\~1\LOCALS~1\Temp\4CA-B25C11A27BC\mssqldbserv.xml C:\DOCUME~1\~1\LOCALS~1\Temp\4CA-B25C11-A27BC\wintasks.xml ----- Mutex creation Then, it will start an infinite loop. The first step inside the loop is to contact the C2 over HTTPS. On the first contact, it will send an identification of the victim based on the hard disk volume serial number. Contact C2 loop After a 6,050- milliseconds delay, it will search for "sft" files (the encoded archive containing the documents to be exfiltrated), which will then be exfiltrated to the C2. Afterward, it will sleep for another 6,050 milliseconds before restarting. This module can be executed independently of the rest of the toolkit. Talos didn't identify any kind of anti-sandboxing mechanisms on it, either. #### Document search module: Mssqldbserv.xml [This module has been described before in the article here. The purpose of this tool is to](https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/) parse the hard drive for files with a specific extension and create an archive with these files. Finally, the archive is encoded before being sent to the C2. ----- mssqldbserv.xml main function However, there are some interesting details we decided to share. Clearly, this was not originally designed to be executed in the background. The first instructions in the main function hide the console window from the user. Afterward, the module will delete old "sft" files assuming they were already exfiltrated. After a pause of 6,500 milliseconds, it will start its search for the targeted files. SFT file creation routine Using the working directory as a base path, which in this sample case is C:\DOCUME~1\ ~1\LOCALS~1\Temp\4CA-B25C11-A27BC\, each selected file will be compressed into the file kr.zp. The kr.zp data is then read and encoded using the same unusual encoded scheme. ``` byte = byte XOR (byte >> 4) ``` If the file is larger than 2048*53 bytes (~ 106kb) it is split into chunks and saved into the sft files according to the naming convention below. ``` gui_app0_[VolumeSerialNumber]_[MonthDayHourMinuteSecondMilliseconds]_[Counter].sft ``` ----- Since this module does not have a loop, it will only be executed at the communications module startup, which means that it is only executed once per service start. #### Mysterious Wintask.xml Our initial analysis in a sandbox showed that the C2 contact module attempts to execute this file, searching for it in the same path as the document search module, which we further corroborated with manual analysis. However, we couldn't obtain this file. All files in the toolkit are dropped by the trojanized software and it's clear that the C2 contact module expects this file to exist (the specific name changes form dropper to dropper). None of the trojanized software we analyzed dropped this file, manual analysis showed that there were no checks to decide whether to drop it. One possibility is that these are remains of old code that was abandoned in the meantime. ## Conclusion The PROMETHIUM threat actor is dedicated and resilient, exposing them hasn't refrained them from moving forward with their agenda. After first being documented, they changed their toolkit but not their techniques or procedures. Since then, their toolkit has been the same, with just enough updates to keep their activities as efficient as possible. During this period, the victimology has expanded behind their initial focus in Europe and Middle East to a global operation targeting organizations on most continents. These characteristics can be interpreted as signs that this threat actor could in fact be part of an enterprise service for hire operation. We believe this has hallmarks a professionally packaged solution due to the similarity of each piece of malware being extremely similar but used across different targets with minor changes. Additionally, as explained by Citizen Lab, we saw in the past a lawful Interception tool was used instead of StrongPity. This usage could corroborate our theory. ## Coverage Ways our customers can detect and block this threat are listed below. [Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the](https://www.cisco.com/c/en/us/products/security/advanced-malware-protection) malware used by these threat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically. [Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning](https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html) prevents access to malicious websites and detects malware used in these attacks. [Email Security can block malicious emails sent by threat actors as part of their campaign.](https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html) [Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation](https://www.cisco.com/c/en/us/products/security/firewalls/index.html) [Intrusion Prevention System (NGIPS), Cisco ISR, and Meraki MX can detect malicious](https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html) activity associated with this threat. ----- [AMP Threat Grid helps identify malicious](https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html) binaries and build protection into all Cisco Security products. [Umbrella, our secure internet gateway](https://umbrella.cisco.com/) (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available [for purchase on Snort.org.](https://www.snort.org/products) ## IOCs ### Hashes 5cb8f86e03a544531d972e132c81d6785b66dd1b15b6c35a0a04fd83a8bed695 ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372 fad11a279c6fe195f8110702f962c5296015344da17919b361f73f7f504063ca f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4 bdbc514e274d70e260620d9b7dcfc3ee4cf4eb321474dfbd1eb81d2f17cebc23 3ce08ada9cf964789ce70fd2637ded197ac5b154e0b71e9cdb4d99de7ab52267 b75fbe3b21d83e2000928349d1610f292e1a4c072fd0454309fe1c6c7d85ff46 bac8489de573f614d988097e9eae53ffc2eb4e7dcb0e68c349f549a26d2130a8 835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416 55e83292bd9a1f843639bfb98648a40b931a9829d62e6b23904034c417ffa430 e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899 3feb6ecbc3b5f4ef64cf974fc117e58ac750188c483c488dd5b5970263bfdb0e dd40b8ddb5a5795536a65cc0ab6dcc84862d4e14965cde6b4e9ad2b89a0e3905 02d68d2a9b62d1fd79c80e7c01182d18966a8fccc07d997b0f4c3ef71e87910f f1a3c2bd241e09f4e98ca15c0d3d804297086c84883d81bb8b74960c6e986555 5b5b0a0ff8e5bdf11657e0134a638a818e31af9517e5feffea247eaa2660ee23 e4135bfeda1de00c3834f7782b77fdb2811f5d07fc60f643553426d9e45b664c 80ad6598f6e0b7c2b7258cbb69aa782dbcac308ca3d9d451b9bb5290b943a58f e80034618538abc1c86a7021ab869c4ce63429d35adbaf8c07ce25f297a61bd2 5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f 783b3c61a4069f0325f3560ab9664ff5fb381f37b08a3d4eb4866ba6bc194135 3e58d7efc5e03bd06f227041e5c73f4ecfa5e35ca8419a9ff8b8571eafd34e48 4282ac2c4b38f2fa79b3f77f9af80053befb69634f8e93d9e1941a600ae08857 17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4 ----- 2c3b3c085b3992ab105bbc4696391f4f81374c54bb8966e53d2b2de8b7648681 2b62a469fa9737dabc52840a741a7d71c86c74bd6909c30cb481e2d66e0df75e d0ee66f8be0ed721774391365604de70dda4751213a667812e4c4a661f71559d c790e1916a475fbc18e7f239acf0d9399234cf2160529ba25ab44179674d549a dbd6393bf96518218b4f4522aef4ffa27e517cbce7252841b86031354aec031a 24e8f4917bb3cf7d6fd91fc1c95e978ea75a0e6da9033911e48b0fda94be62af a6298a1b8c9844764c731327bb1daa7abd50cd85b9f5556e38bd5c88b8184cc4 d8d0c3854c54e2bacb40ead54d94268dda6ea6aef1ac1f78b8d10b990a4441a2 dbf3e5bb9b7b5806d831617fbeed088d56fc2f5794a833d24eff96c165ba417b b1413688f6452b07129e5182311c7efd628bb795613c23fc58c4202e38dda4e7 b4548a933d5a59d096d75ad4c6aec1046017a62ca2a1d59edd2d97d760dca1eb bb4628f0b29d906f1ec4c41a5fe5f7fe1b53432b765d5ef0a560e8d2ef5e5541 fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a 89f1a82f4919db731cc4a5c5a71fbe1a9a1d362b6da61b018c89ea2cd26c0de3 9ce65cced9949cef6b69f86542533e653b91ce7d43cb6b51e8ae402b6dadf651 ff8b71b7e9b320d272babb15324b7417f182313f71c4af0b9961424a12154b66 fa71584f27f5eacca9f3d5644fd06ccebcc14b8394efeaccd38259f8382c26e5 6d4af9f7e14e1ae7f871cd0bcdd87927cde8d236fd9d37e76554729abe3e31e4 418203a531ceb1f08a21b354bc0d3bf8f157c76b521495c29639d7bffa416b38 61f8dc6d618572a86bd0b646d16186bb6b0fff970947a7df754add4f65ec8625 1af0958f8590b626bedfcd1972cd3ea49d9576db86f1e768e5520f9615d01a19 c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5 e843af007ac3f58e26d5427e537cdbddf33d118c79dfed831eee1ffcce474569 4ee465d58613c03c15c0e92728bba76a065149d4773a1ce59c76d414d70fb190 65041a83c88ba90e489de8ac275688815c51b93ae568c627b74fc160d2db6bab a1ce1b78cc1a9d6092b086f2d0796cde519033ec0935d9cecdea86b6cda87882 40e99d0dfc27c66170ed57610a1c3cc9a0b6e87a0d544d739f828f10faf2758b fcfd34f99b0a5f4bb91c0d6eaa9b2fdcc3bf9b3dd594213a389a056828a537c1 c2c333a5f46eb5894f05f3323ab8aea87b3c2e9ba0221c28dcf46b0842592ac6 91e20fb663b1809279666fb1e7ef7bd8da42ae51e0c05b51515ba851e2a991ac 4235f33576b503faacbafb1b612f5fdf91fb406e73964f61064f232bd2b9c21c f1a3c2bd241e09f4e98ca15c0d3d804297086c84883d81bb8b74960c6e986555 1af0958f8590b626bedfcd1972cd3ea49d9576db86f1e768e5520f9615d01a19 e26a76def39740596843a57c3edcfe9f5000af5f5b538215a5799db58f41fe33 91e20fb663b1809279666fb1e7ef7bd8da42ae51e0c05b51515ba851e2a991ac c2c333a5f46eb5894f05f3323ab8aea87b3c2e9ba0221c28dcf46b0842592ac6 40e99d0dfc27c66170ed57610a1c3cc9a0b6e87a0d544d739f828f10faf2758b fcfd34f99b0a5f4bb91c0d6eaa9b2fdcc3bf9b3dd594213a389a056828a537c1 84942df440c892c1e63aff41d9fe4694ea4b8a9102c62faf07c4510671abef13 e80034618538abc1c86a7021ab869c4ce63429d35adbaf8c07ce25f297a61bd2 d0ee66f8be0ed721774391365604de70dda4751213a667812e4c4a661f71559d dbd6393bf96518218b4f4522aef4ffa27e517cbce7252841b86031354aec031a 2c3b3c085b3992ab105bbc4696391f4f81374c54bb8966e53d2b2de8b7648681 dbf3e5bb9b7b5806d831617fbeed088d56fc2f5794a833d24eff96c165ba417b e4135bfeda1de00c3834f7782b77fdb2811f5d07fc60f643553426d9e45b664c ----- b1413688f6452b07129e5182311c7efd628bb795613c23fc58c4202e38dda4e7 2b62a469fa9737dabc52840a741a7d71c86c74bd6909c30cb481e2d66e0df75e c790e1916a475fbc18e7f239acf0d9399234cf2160529ba25ab44179674d549a 4282ac2c4b38f2fa79b3f77f9af80053befb69634f8e93d9e1941a600ae08857 5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f d8d0c3854c54e2bacb40ead54d94268dda6ea6aef1ac1f78b8d10b990a4441a2 80ad6598f6e0b7c2b7258cbb69aa782dbcac308ca3d9d451b9bb5290b943a58f e4c55a5b1c07d93b2ae956f7404279c1a68344e7d27e6a3aa917c79c17f7fa05 89f1a82f4919db731cc4a5c5a71fbe1a9a1d362b6da61b018c89ea2cd26c0de3 b4548a933d5a59d096d75ad4c6aec1046017a62ca2a1d59edd2d97d760dca1eb bb4628f0b29d906f1ec4c41a5fe5f7fe1b53432b765d5ef0a560e8d2ef5e5541 3e58d7efc5e03bd06f227041e5c73f4ecfa5e35ca8419a9ff8b8571eafd34e48 c72bf8537fc189b81855666d7f59ad8e24011c735921a15932275757a485e7a4 fbd66a4f385e8c573c51c19a49c7e9c2ffa1639f4648721591b7ea0af845a313 12e670dc36ac50e86a58f759fa4a5de25e574227a19e1942aaa788c82540a910 a6298a1b8c9844764c731327bb1daa7abd50cd85b9f5556e38bd5c88b8184cc4 e843af007ac3f58e26d5427e537cdbddf33d118c79dfed831eee1ffcce474569 783b3c61a4069f0325f3560ab9664ff5fb381f37b08a3d4eb4866ba6bc194135 5b5b0a0ff8e5bdf11657e0134a638a818e31af9517e5feffea247eaa2660ee23 a1ce1b78cc1a9d6092b086f2d0796cde519033ec0935d9cecdea86b6cda87882 24e8f4917bb3cf7d6fd91fc1c95e978ea75a0e6da9033911e48b0fda94be62af dd812ba2bc5f441d8a9594443040f8fea7e3f91bdf1dd1968bbbbc7747e0bc68 4ee465d58613c03c15c0e92728bba76a065149d4773a1ce59c76d414d70fb190 b75fbe3b21d83e2000928349d1610f292e1a4c072fd0454309fe1c6c7d85ff46 3ce08ada9cf964789ce70fd2637ded197ac5b154e0b71e9cdb4d99de7ab52267 bdbc514e274d70e260620d9b7dcfc3ee4cf4eb321474dfbd1eb81d2f17cebc23 2ee74ceaa5964cf223aefb3cf4e0c25ea96c7d4bc0eba48439716e763d2f3837 bac8489de573f614d988097e9eae53ffc2eb4e7dcb0e68c349f549a26d2130a8 18c6224decd141a6412f3d2aa71dbd086e9a71bd51b3baed1cb2b2715d676872 02d68d2a9b62d1fd79c80e7c01182d18966a8fccc07d997b0f4c3ef71e87910f 3feb6ecbc3b5f4ef64cf974fc117e58ac750188c483c488dd5b5970263bfdb0e 2ab2a6e863538b162b0c7b4287b3e9f65116a9ad9efce6ebb9018c69bbf71460 3a96f09255af4eb1d3fe3ea6dd4befc71543ef317b1d9f9561255a725eb48a62 dd40b8ddb5a5795536a65cc0ab6dcc84862d4e14965cde6b4e9ad2b89a0e3905 c1787de8b5a293197582000d8b94095d8377a5d42aa0b4940a7039cbf4df4b72 a83a882fbe094f4d00a8dc589869adc8a1432a966295fa0c46c2afcced3aac1f 55e83292bd9a1f843639bfb98648a40b931a9829d62e6b23904034c417ffa430 11849a6fcb76267676532422db4e9bf4f5c8c525fea0d950f844736bedb8b53e fad11a279c6fe195f8110702f962c5296015344da17919b361f73f7f504063ca 7ae0aa490bad2fa152cd097caaaebfcef7a393a74e886a02b22109b38a4d9fc4 d912445a5e8beda7e842756fd6e598d91ef0526c913a6f1e6135957f19fa64ca c94e52455826c63a8800e6a66d72db467e1266f3b06aabbaad14c0d7463ee266 55b0bc3b61ee76561ffaa1323fd20a9522e786bfa5eadbba621582ad529ff9e1 2a7898573bd8be121eda249e7521efd2d599354d51fabae7edafef9d60dae8b1 6f0b9fdc7edf43a9d1262263320e623a7e2b349f54185491262fe5184413222f ----- 44ba0bfe401a07f4570fd3ca26f5955350ac831a21326face55465f8d9a7ec52 7c195b85528b3ed75672fbcea0d32a2f45d541cf8c71e855b03d6266a8facdc0 e8e2f7538530b6ea3f4726b13bf76c4e0696cdaf1a0547294b447c21df1c594d 8e3993583cd2506ccbac4b247949ddee7d6971432576a0f9c485f9f0942054ae 586fc08567a69f4abbafd05c98be469dfaaa9b93eaccc5043dcf22d2b666bf63 d40a3503a960663187a83f560e94563cd11606a610a4b176b0ac065af037f175 d77901484e91445d8d11b82ff487b9e56b48930fe3086e5858ea754e9f490c1f f694f02ee26d544ad41f543ecd166bd71d02b3723b8a5ee515a9c2944a667971 6424307ea25f1889e4b9fb8a64d860e42681cddf71a5a70af7963ab282225c8d ed2aa3272db6eebedcabbb3c61cb699e6ec5d91b4297b8a6186a03f5b4999a80 154f3f4338184bc113dc874de6270a025d6d9c3d2a989f2b32d7d90fa222e0c9 2ed2553ec6efdf24266be1eb812ab1978ec926d1b8bf281a547be2e43173eeee b06ab1f3abf8262f32c3deab9d344d241e4203235043fe996cb499ed2fdf17c4 39cf2459a85f9b8bcc81233964e05dec3f5ec9e8de74329f995c6a0cc8a8db36 3165650b667f315eae56895ee2041ffb17f89a92b034efd045f5e88bf788016d 5cb8f86e03a544531d972e132c81d6785b66dd1b15b6c35a0a04fd83a8bed695 cac5c0da0b4495a1dee326e4259fb8bcdecb162a780d0d215ad33e751ebbff34 ea750383d3af605e5cdf2647b9cd30886aa8a428b3bcf6bc96cc178c9afa78d9 8e670fc7e22d0fa3eb96262686bd7eec18f81e3dc1eb9b55526078ffd9ae00c3 03c314990a8d262530f114092c85fd9ddcbd8c423f8bd769864809d1af2f5fad d63533bb200525a0a88a68c592c8d4f534fcf83b0acf8ec6be24b7059b0352ae 68f5819687e8f410dea315f32cd04e33ca7c3ec62e9bb9bae9e03b5ded29970e 6684c2348d205962d41977b2db6263733809b635cdc039447373c34e04d6bc20 64a448ee194fe58c8c212faa4fbe737f8088ef387cc4551a0f1d86e9d4bdab02 211aae5346741680cb921d73e2833368cd0f0cc36e15b16115599554dcb2386d a4377256776becf75f0f61874cfec3729e17e894f5c9fc1576321f0398142878 b1916e7de11e87fa45c222d0532955e781f6695ae0ee15775894d3b3aa72ba98 ff8b71b7e9b320d272babb15324b7417f182313f71c4af0b9961424a12154b66 17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4 fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4 c59544a76fd425b76d7d9b4805d817c8a91a6a63c9862200c927e27efcd20bfa ### Domain upd-ncx4-server[.]com upd3-srv-system-app[.]com syse-update-app4[.]com upd32-secure-serv4[.]com system2-cdn5-mx8[.]com secure-upd21-app2[.]com ms21-app3-upload[.]com apt5-secure3-state[.]com upd8-sys2-apt[.]com update5-sec3-system[.]com ----- state-awe3-apt[.]com app-system2-update[.]com awe232-service-app[.]com ms6-upload-serv3[.]com updt-servc-app2[.]com cdn2-system3-secrv.[]com file3-netwk-system[.]com service-net2-file[.]com system2-access-sec43[.]com ms-sys-security[.]com mailtransfersagents[.]com hostoperationsystems[.]com inhousesoftwaredevelopment[.]com mentiononecommon[.]com safecopydisk[.]com fileservingpro[.]com network-msx-system33[.]com mx3-rewc-state[.]com -----