# URLs used for malicious Notepad++ update deployments

# System information upload URLs

# URLs used by Metasploit downloaders to deploy Cobalt Strike beacons

# URLs used by Cobalt Strike Beacons delivered by malicious Notepad++ updaters

# URLs used by the Chrysalis backdoor and the Cobalt Strike Beacon payloads associated with it, as previously identified by Rapid7