Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives

Sergiu Sechel
9 min read · May 3, 2021

Context

Cobalt Strike is a commercial post-exploitation platform for Windows-based environments. The Cobalt Strike beacon (implant) can be delivered to the chosen target in multiple ways, even without exploiting technical vulnerabilities in the target environment (e.g. malicious email attachments). The product's functionality can be extended through plug-ins, and over the years it has gained notoriety with both offensive security teams (red teamers) and threat actors. Since 2019 Cobalt Strike has been used in multiple big-game ransomware attacks, APT campaigns and espionage operations.

To share some personal statistics related to Cobalt Strike: in 25 large-scale incidents I investigated over the past 12 months, I encountered Cobalt Strike in 20 big-game ransomware cases and in one APT campaign. Just to quote other researchers:

“Interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans.” Cisco Talos

As with all good tools, within a month of every new Cobalt Strike release we can expect to see a cracked version offered on underground forums, which further contributes to the surge of Cobalt Strike use in cyber attacks.

Cracked Cobalt Strike 4.2 offered on an underground forum

Cobalt Strike detection methods

The industry is full of good tools, so what’s the fuss about Cobalt Strike?

The product has reached a balance between functionality and ease of use that attracts experienced and novice users alike (and the official video course is free).

Given the proliferation of Cobalt Strike in cyber attacks, incident responders developed specific workflows to analyze Cobalt Strike beacons on disk, in memory and on the network.

Recently the product has evolved to be stealthier: it offers various ways to execute the beacon without writing data to disk (fileless execution), which poses a challenge to incident responders and blue teams, as network and memory detection are more difficult than on-disk detection.

Especially during DFIR (digital forensics and incident response) engagements we often have to rely on incomplete data: systems that were rebooted, missing event logs and inconsistent network logs. Dealing with fileless malware on top of that can make investigations even harder.

More than once during investigations I had to parse and analyze millions of network events and tens of thousands of IP addresses while trying to somehow find the Cobalt Strike C2 servers, because all other endpoint artifacts were not available.

In this article I will go over some network-based techniques that blue teams, incident responders and threat intelligence analysts can use to detect Cobalt Strike C2 servers in the wild, for both active and proactive defense.

Cobalt Strike threat surface detection using JARM fingerprints

JARM fingerprints were developed by the Salesforce Engineering team as a method to detect malicious C2 servers, and they are a good way to reduce the threat surface from billions of IP addresses to something more manageable before analyzing each candidate C2 server.

In April 2021 I identified 3 Cobalt Strike JARM fingerprints on C2 servers deployed all around the world. The currently available literature focuses on researching C2s that match the 07…b1 JARM fingerprint, which is still widespread, but the other fingerprints shouldn't be discarded from analysis:

  • 07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175
  • 2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53
  • 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1

Using Shodan I reduced the threat surface of potential Cobalt Strike C2 servers to several tens of thousands of IP addresses:

07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175 (32,764 IPs)
2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53 (6,919 IPs)
07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 (7,092 IPs)

The threat surface based solely on the JARM fingerprints is large compared to the actual number of C2s I found active on 3 May 2021 (474 active C2 servers).

Cobalt Strike threat surface detection using the default certificate serial number

From what I've seen in the wild, many C2 servers are using a generic certificate that has the serial number 146473198. Now, I know that the JARM fingerprints are based on the TLS certificates, but different implementations using the same certificate can lead to different JARM fingerprints, and as such searching for potential C2 servers based on the serial number can complement the JARM fingerprint approach:

Version: 3 (0x2)
Serial Number: 146473198 (0x8bb00ee)
Fingerprint Algorithm: sha256WithRSAEncryption
Issuer: C=, ST=, L=, O=, OU=, CN=
Validity
Not Before: May 20 18:26:24 2015 GMT
Not After: May 17 18:26:24 2025 GMT
Subject: C=, ST=, L=, O=, OU=, CN=

On 3 May 2021 I found 914 potential C2 servers based on Shodan results.

Cobalt Strike C2 servers threat surface based on certificate serial number

Again, the threat surface is large compared to the actual number of C2s I found active on 3 May 2021, but to point out an interesting fact: there was less than 50% overlap between the JARM fingerprint population and the certificate-based detection.

Threat surface reduction by payload retrieval

Both the JARM detection and the certificate detection methods are a good starting point to map the potential threat surface. Combining both methods will likely increase the threat surface and provide more data for the payload retrieval part.

Cobalt Strike payloads can be retrieved by actively interacting with a Cobalt Strike C2 server. The techniques have already been described by other researchers and are available on the internet. For faster threat surface reduction I used the Nmap implementation of the payload retrieval technique. The script was created by GitHub user "whickey-r7" (grab_beacon_config) and is effective at retrieving the beacon configuration from a Cobalt Strike C2 server:

Nmap scan report for 193.29.13.201
Host is up (0.014s latency).
PORT    STATE SERVICE
80/tcp  open  http
| cobalt:
| x86 URI Response:
| BeaconType: 0 (HTTP)
| Port: 80
| Polling: 60000
| Jitter: 0
| C2 Server: 193.29.13.201,/__utm.gif
| HTTP Method Path 2: /submit.php
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
| x64 URI Response:
| BeaconType: 0 (HTTP)
| Port: 80
| Polling: 60000
| Jitter: 0
| C2 Server: 193.29.13.201,/j.ad
| HTTP Method Path 2: /submit.php
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
443/tcp open  https
| cobalt:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 60000
| Jitter: 0
| C2 Server: 193.29.13.201,/g.pixel
| HTTP Method Path 2: /submit.php
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 60000
| Jitter: 0
| C2 Server: 193.29.13.201,/__utm.gif
| HTTP Method Path 2: /submit.php
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\rundll32.exe
| Spawnto_x64: %windir%\sysnative\rundll32.exe
| Proxy_AccessType: 2 (Use IE settings)

The script can be used to automate Cobalt Strike detection at scale across thousands of IP addresses. Of course, the payload retrieval technique could be applied to the entire internet address space, but for most organizations that would be overkill and a waste of resources.

By scanning the entire threat surface, made up of all the servers identified with the JARM fingerprints and the certificate serial, I found 474 active Cobalt Strike C2 servers on 3 May 2021.

After that I queried Shodan with a combination of the JARM fingerprints and the default certificate serial, which resulted in a reduced threat surface of 477 Cobalt Strike C2 servers (out of which 474 were still active).
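Once the scan is run at scale, the beacon configurations have to be turned into something a blue team can match against its own telemetry. The following is an added example, not part of the grab_beacon_config script or the article: it parses the Nmap "cobalt" script output into one record per port and architecture, derives (host, URI, method) indicators from the C2 Server and HTTP Method Path 2 fields, and checks a few constructed proxy-log lines against them. SAMPLE_SCAN is constructed to mirror the field layout of the scan output above; 192.0.2.10 is a documentation address, not a real C2 server.

```python
# Added example, not part of the grab_beacon_config script or the article: parse
# the Nmap "cobalt" script output shown above into one record per (port, arch)
# beacon config, derive (host, uri, method) indicators and check constructed
# proxy-log lines against them. SAMPLE_SCAN mirrors the layout of the article's
# output; 192.0.2.10 is a documentation address, not a real C2 server.
import re

SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
80/tcp  open  http
| cobalt:
|   x86 URI Response:
|     BeaconType: 0 (HTTP)
|     Port: 80
|     Polling: 60000
|     Jitter: 0
|     C2 Server: 192.0.2.10,/__utm.gif
|     HTTP Method Path 2: /submit.php
|     Method1: GET
|     Method2: POST
|   x64 URI Response:
|     BeaconType: 0 (HTTP)
|     C2 Server: 192.0.2.10,/j.ad
|     HTTP Method Path 2: /submit.php
|_    Proxy_AccessType: 2 (Use IE settings)
443/tcp open  https
| cobalt:
|   x86 URI Response:
|     BeaconType: 8 (HTTPS)
|     Port: 443
|     C2 Server: 192.0.2.10,/g.pixel
|     Method1: GET
|_    HTTP Method Path 2: /submit.php
"""
SAMPLE_PROXY_LOG = ["GET 192.0.2.10 /__utm.gif", "GET www.example.com /index.html",
                    "POST 192.0.2.10 /submit.php", "GET 192.0.2.10 /favicon.ico"]
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open")
SCRIPT_RE = re.compile(r"^\|[_\s]*(.*)$")   # strips Nmap's "| " / "|_ " script prefix

def parse_beacon_configs(text):
    """One dict per 'x86/x64 URI Response' block, keyed by the script's field names."""
    configs, port, current = [], None, None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:                                   # "80/tcp  open  http" sets the port
            port = int(m.group(1))
            continue
        m = SCRIPT_RE.match(raw)
        if not m:
            continue
        line = m.group(1).strip()
        if line.endswith("URI Response:"):      # start of a new beacon config block
            current = {"port": port, "arch": line.split()[0]}
            configs.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return configs

def c2_indicators(configs):
    """Map 'C2 Server: host,/uri' and the POST path to (host, uri, method) tuples."""
    out = set()
    for c in configs:
        host, uri = c["C2 Server"].split(",", 1)
        out.add((host, uri, c.get("Method1", "GET")))
        if "HTTP Method Path 2" in c:
            out.add((host, c["HTTP Method Path 2"], c.get("Method2", "POST")))
    return out

def match_proxy_log(lines, indicators):
    """Return the proxy-log lines ('METHOD host uri') that hit a beacon indicator."""
    return [e for e in lines if tuple(e.split()[i] for i in (1, 2, 0)) in indicators]
```

Matching on host, URI and method together rather than on the IP alone keeps shared hosting and redirector IPs from producing false positives, which is the trade-off the article's threat-surface reduction is built around.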

Conclusions

The network-based detection approaches described in this article offer a cost-effective way to proactively defend networks against threat actors that leverage Cobalt Strike for offensive operations, including big-game ransomware groups. The method is not perfect, as threat actors can modify Cobalt Strike in several ways to reduce detection, so detection and mitigation efforts must evolve as well to keep pace with the threats.

Appendix A — Cobalt Strike C2 Servers List (3rd May 2021)


Sergiu Sechel

PhD, CISA, CISM, CRISC, CFE, CEH, CBP, CSSLP, CDPSE, GICSP, GPEN, GWAPT, GCFA, GNFA, GASF, GCTI, GREM, PMP