MAR 1[illegible] 2019
Clerk, U.S. District and Bankruptcy Courts

**IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA**

MICROSOFT CORPORATION, a Washington corporation, _Plaintiff,_

**v.**

JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS, _Defendants._

**Case: 1:19-cv-00716 (JURY-DEMAND)**
**Assigned To: Amy B. Jackson**
**Assign. Date: 3/14/2019**
**Description: TRO/PI**

**FILED UNDER SEAL PURSUANT TO LOCAL RULE 5.1**

**MICROSOFT’S MOTION FOR PROTECTIVE ORDER TEMPORARILY SEALING DOCUMENTS**

Pursuant to Fed. R. Civ. P. 26(c)(1) and Local Civil Rule 5, Plaintiff Microsoft Corp. (“Microsoft”) hereby moves for a protective order temporarily sealing the pleadings associated with the _Ex Parte_ Motion For Preliminary Injunction Order, and the following documents in particular, filed by Microsoft in this action:

1. The instant Motion for Protective Order Sealing Documents and accompanying documents, including the Brief in support of this Motion;
2. The declaration of Gabriel M. Ramsey in Support of Motion for Protective Order Sealing Documents;
3. Microsoft’s _Ex Parte_ Motion For Preliminary Injunction Order and accompanying documents;
4. The Declaration of David Anselmi in Support of Microsoft’s _Ex Parte_ Motion For Preliminary Injunction Order and attachments thereto;
5. [Proposed] Preliminary Injunction Order and accompanying documents.

Microsoft respectfully requests that these materials be sealed pending execution of the _ex parte_ relief sought in Microsoft’s Motion For Preliminary Injunction Order, in particular the disabling of the domains set forth in Appendix A to the proposed Preliminary Injunction Order.
Microsoft respectfully requests that upon the execution of the portion of the Order disabling the domains in Appendix A to the Preliminary Injunction Order, the foregoing documents be filed in the public docket. Upon execution of that _ex parte_ relief, Microsoft will file with the Clerk of the Court a Notice that the Preliminary Injunction Order has been executed.

Microsoft further requests that upon execution of the Preliminary Injunction Order, Microsoft be permitted to disclose such materials as it deems necessary to commence its efforts to provide Defendants notice of any further hearings and service of pleadings associated with the instant Motion for Preliminary Injunction Order.

Microsoft respectfully requests that should the Court decide not to grant the _ex parte_ temporary relief requested in Microsoft’s _Ex Parte_ Motion For Preliminary Injunction Order, that the materials be sealed indefinitely.

Dated: March 14, 2019

Respectfully submitted,

/s/ _Julia R. Milewski_
Julia R. Milewski (D.C. Bar No. 1008678)
Justin D. Kingsolver (D.C. Bar. No. 1033806)
Matthew B. Welling (_pro hac vice_ pending)
CROWELL & MORING LLP
1001 Pennsylvania Avenue NW
Washington DC 20004-2595
Telephone: (202) 624-2500
Fax: (202) 628-5116
jmilewski@crowell.com
jkingsolver@crowell.com
mwelling@crowell.com

Gabriel M.
Ramsey (_pro hac vice_ pending)
CROWELL & MORING LLP
3 Embarcadero Center, 26th Floor
San Francisco, CA 94111
Telephone: (415) 986-2800
Fax: (415) 986-2827
gramsey@crowell.com

Richard Domingues Boscovich (_pro hac vice_ pending)
MICROSOFT CORPORATION
One Microsoft Way
Redmond, WA 98052-6399
Telephone: (425) 704-0867
Fax: (425) 936-7329
rbosco@microsoft.com

_Attorneys for Plaintiff Microsoft Corp._

-----

**IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA**

MICROSOFT CORPORATION, a Washington corporation, _Plaintiff,_

**v.**

JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS, _Defendants._

Civil Action No:

**FILED UNDER SEAL PURSUANT TO LOCAL RULE 5.1**

**BRIEF IN SUPPORT OF MICROSOFT’S MOTION FOR PROTECTIVE ORDER TEMPORARILY SEALING DOCUMENTS**

Microsoft submits the following memorandum in support of its Motion for a Protective Order Sealing Documents.

###### BACKGROUND

Microsoft has filed an Ex Parte Motion for Preliminary Injunction (“Preliminary Injunction Motion”) to prevent the activities of John Doe Defendants 1 and 2 (collectively “Defendants”) who are engaged in harmful and malicious Internet activities directed at Microsoft, its customers, and the general public. In the Preliminary Injunction Motion, Microsoft seeks ex parte relief to disable the recently registered domains set forth in **Appendix A** to the Complaint. That will cease the irreparable harm resulting from Defendants’ conduct.
Microsoft seeks relief under seal, with respect to the portion of the Order disabling the domains in **Appendix A** to the Complaint, because advance public disclosure or notice of that requested relief would allow Defendants to evade such relief and further prosecution of this action, thereby perpetuating the irreparable harm at issue. The reasons for Microsoft’s request are set forth in detail in the Preliminary Injunction Motion filed concurrently herewith. Therefore, Microsoft requests that the Ex Parte Motion to Supplement Preliminary Injunction Order and associated pleadings be sealed pending execution of the ex parte relief sought in Microsoft’s Preliminary Injunction Order, in particular disabling of the domains set forth in **Appendix A** to the Complaint.

Microsoft’s requested sealing order is narrowly tailored to impose the least restriction on the public’s right of access to information as possible. Microsoft requests that all sealed documents be immediately unsealed upon execution of the portion of the Order disabling the domains set forth in **Appendix A** to the Complaint. As soon as that relief is executed, all papers will be made available on the public docket.

###### ARGUMENT

The right of access to court records is not absolute. _Nixon v. Warner Commc’ns, Inc.,_ 435 U.S. 589, 597-98 (1978). Although both common law and the First Amendment afford the public a qualified right of access to judicial proceedings, _In re Fort Totten Metrorail Cases,_ 960 F. Supp. 2d 2, 5 (D.C. Cir. 2013), the D.C. Circuit has expressed doubts about whether the First Amendment right of access applies outside of the criminal context. _SEC v. Am. Int’l Grp.,_ 712 F.3d 1, 5 (D.C. Cir. 2013); _Ctr. for Nat’l Sec. Studies v. DOJ,_ 331 F.3d 918, 935 (D.C. Cir. 2003); _In re Reporters Comm. for Freedom of the Press,_ 773 F.2d 1325, 1337 (D.C. Cir. 1985) (Scalia, J.)
(doubting that the benefits of open criminal trials inure to civil suits between private parties). Competing interests may outweigh the public’s common law right of access to judicial records. _United States v. Hubbard,_ 650 F.2d 293, 317-22 (D.C. Cir. 1980). Indeed, “[a] district court has authority to seal and unseal documents as part of its ‘supervisory power over its own records and files.’” _United States v. Ring,_ 47 F. Supp. 3d 38, 40 (D.D.C. 2014) (quoting _Nixon v. Warner Commc’ns, Inc.,_ 435 U.S. 589, 598 (1978)); _In re Nat’l Broad. Co.,_ 653 F.2d 609, 613 (D.C. Cir. 1981) (“Because of the difficulties inherent in formulating a broad yet clear rule to govern the variety of situations in which the right of access must be reconciled with legitimate countervailing public or private interests, the decision as to access is one which rests in the sound discretion of the trial court.”).

Under D.C. Circuit law, the district court should weigh the following when presented with a motion to seal or unseal: “(1) the need for public access to the documents at issue; (2) the extent of previous public access to the documents; (3) the fact that someone has objected to disclosure, and the identity of that person; (4) the strength of any property and privacy interests asserted; (5) the possibility of prejudice to those opposing disclosure; and (6) the purposes for which the documents were introduced during the judicial proceedings.” _Hubbard,_ 650 F.2d at 317-22; _Metlife, Inc. v. Fin. Stability Oversight Council,_ 865 F.3d 661, 666 (D.C. Cir. 2017) (Garland, C.J.) (“[T]he Hubbard test has consistently served as our lodestar because it ensures that we fully account for the various public and private interests at stake.”). The Federal Rules of Civil Procedure also recognize the important public and judicial interest in protecting confidential business information. _See_ Fed. R. Civ. P.
26(c)(1)(G) (empowering courts to order “that a trade secret or other confidential research, development, or commercial information not be revealed or be revealed only in a specified way”). Likewise, Supreme Court and D.C. Circuit authority recognize the necessity of non-public ex parte proceedings. _See Granny Goose Foods, Inc. v. Teamsters,_ 415 U.S. 423, 439, 94 S. Ct. 1113 (1974) (“Ex parte temporary restraining orders are no doubt necessary in certain circumstances...”); _Carroll v. President and Com’rs of Princess Anne,_ 393 U.S. 175, 180 (1968) (“There is a place in our jurisprudence for ex parte issuance, without notice, of temporary restraining orders.”); _Omar v. Harvey,_ 2006 WL 286861, at *1 (D.D.C. Feb. 6, 2006) (holding that an ex parte restraining order is appropriate where plaintiff demonstrates notice would render fruitless further prosecution of the action); _Council on American-Islamic Relations v. Gaubatz,_ 667 F. Supp. 2d 67, 75 (D.D.C. Nov. 3, 2009) (noting that ex parte restraining orders may be appropriate in circumstances where notice is impossible).

In this case, Microsoft’s rights and interests in protecting its ability to obtain ex parte temporary relief, and the necessity of sealing its pleadings in order to effectively disable the domains in **Appendix A** to the Complaint, is paramount over any competing public interest to _immediate_ access to the information Microsoft requests be sealed. If Microsoft’s papers are not sealed, the relief sought would very likely be rendered fruitless, and there is a substantial risk Defendants would destroy evidence. Defendants are highly-sophisticated cybercriminals. They access Microsoft’s services without authorization; hack into high-value computer networks; install malware on the networks to gain and maintain long-term, surreptitious access to that network; and locate and exfiltrate sensitive information off of the networks.
_See_ Preliminary Injunction Motion, filed contemporaneously herewith. If Defendants knew Microsoft sought the relief set forth in the Preliminary Injunction Motion, they could quickly adapt the command and control infrastructure used to secretly establish themselves on a victim’s network. _Id._ at 14. In fact, Defendants have shown that this is their intention. Defendants continue to misuse Microsoft’s trademarks and brand names to make their domains seem legitimate. Declaration of David Anselmi In Support Of Microsoft’s Motion to Supplement Preliminary Injunction Order (“Anselmi Decl.”) ¶ 4, set forth at **Appendix B** to this Brief. Given Microsoft’s actions against Defendants in this case, even disclosing that Microsoft has filed a Preliminary Injunction Motion gives Defendants the opportunity to change their command and control infrastructure, set forth at **Appendix A** to the Complaint.

Additionally, evidence shows that when the Phosphorus defendants become aware of efforts to mitigate or investigate their activities, they take steps to conceal their activities and to conceal the injury caused to their victims, making it more difficult for their victims to adequately assess the damage or take steps to mitigate that injury going forward. _Id._ ¶ 32. For example, once Defendants become aware that domains in Phosphorus’ active infrastructure become known to the security community, they abandon that infrastructure and move to new infrastructure that is used to continue their efforts to intrude upon the computers of existing victims and new victims. _Id._

In the last five years, Microsoft has brought similar cases against John Doe defendants who have been conducting illegal activities through identifiable but movable infrastructures on the Internet very similar to that used by Phosphorus. Declaration of Gabriel M.
Ramsey In Support Of Motion For Protective Order (“Ramsey Decl.”) ¶ 5, set forth at Appendix C to this Brief. In four of those cases, the defendants immediately attempted to either destroy evidence or move their command and control infrastructure upon detecting the legal action being taken against them. _Id._ This underscores the risk that the Defendants in this case will take similar steps to destroy evidence and move their command and control infrastructure in **Appendix A** if they are given notice of the Preliminary Injunction Motion. _Id._ ¶ 6.

The harm that would be caused by the public filing of Microsoft’s Preliminary Injunction Motion would far outweigh the public’s right to access that information. There is no need for the public to have immediate access to the Preliminary Injunction Motion and supporting documents while Microsoft is seeking ex parte relief with respect to the domains in **Appendix A** to the Complaint, which will only be effective if these materials remain under seal.

Applying the balancing test set forth in governing law demonstrates that Microsoft’s interest in obtaining effective relief outweighs any immediate public right to disclosure. Microsoft only seeks to seal such information for a limited period of time, until after effective ex parte temporary relief has been obtained, disabling the domains in **Appendix A** to the Complaint. After such point, sealing will no longer be necessary, and Microsoft will immediately commence efforts to provide Defendants notice of future hearings and service of related pleadings, at which point all documents will be unsealed and the public will be given full access to these proceedings. Microsoft, upon execution of the ex parte relief disabling the domains in **Appendix A** to the Complaint, will file with the Clerk of the Court a Notice that the temporary restraining order has been executed.
The Clerk of the Court may then file all documents related to this request on the public docket. Should, however, the Court decide not to grant the ex parte relief Microsoft requests, Microsoft asks that such materials remain sealed for an indefinite period, as public disclosure or notice absent the ex parte relief requested would facilitate Defendants’ harmful and malicious Internet activities.

Given the limited period of sealing as an alternative that balances the public interest in access with Microsoft’s important interests in maintaining these materials under seal for a brief period of time, granting the instant request to seal is warranted and consistent with the legal framework for addressing this issue.

Dated: March 14, 2019

Respectfully submitted,

/s/ Julia R. Milewski
Julia R. Milewski (D.C. Bar No. 1008678)
Justin D. Kingsolver (D.C. Bar. No. 1033806)
Matthew B. Welling (_pro hac vice_ pending)
CROWELL & MORING LLP
1001 Pennsylvania Avenue NW
Washington DC 20004-2595
Telephone: (202) 624-2500
Fax: (202) 628-5116
jmilewski@crowell.com
jkingsolver@crowell.com
mwelling@crowell.com

Gabriel M. Ramsey (_pro hac vice_ pending)
CROWELL & MORING LLP
3 Embarcadero Center, 26th Floor
San Francisco, CA 94111
Telephone: (415) 986-2800
Fax: (415) 986-2827
gramsey@crowell.com

Richard Domingues Boscovich (_pro hac vice_ pending)
MICROSOFT CORPORATION
One Microsoft Way
Redmond, WA 98052-6399
Telephone: (425) 704-0867
Fax: (425) 936-7329
rbosco@microsoft.com

_Attorneys for Plaintiff Microsoft Corp._

-----

## APPENDIX A
Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) confirm-identity.info Registrant Organization: Domain ID Shield Serviee CO., Limited Registrant State/Provinee: Hong Kong Registrant Country: HK [onIinenie-enduser@onIinenie.eom__________________________](mailto:onIinenie-enduser@onIinenie.eom) confirm-session- Registrant Organization: Domain ID Shield Service CO., Limited identification.info Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) continue-sesslon-identifier.info Registrant Organization: Domain ID Shield Serviee CO., Limited Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) customer-recovery.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) eustomers-activities.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) elitemaildelivery.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) email-delivery, info Registrant Organization: Domain ID Shield Service CO., Limited 10 ----- Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) identify-user-session.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant 
State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) message-serviceprovider.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) notificationapp.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) notification-manager.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) recognized-activity.info Registrant Organization: will co Registrant State/Province: VA Registrant Country: VA [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) recover-customers-service.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) recovery-session-change.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) service-recovery-session.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) service-session-continue.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK 
[onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) session-mail-customers.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) session-managment.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) session-verify-user.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK___________________________________ 11 ----- [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) shop-sellwear.info Registrant Organization: maryam s32 Registrant State/Province: tersite Registrant Country: US [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) supportmailservice.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) terms-service-notification.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) user-activity-issues.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) useridentity-confirm.lnfo Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK 
[onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) users-issue-services.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) verify-user-session.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) login-gov.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) notificatlon-signal-agnecy.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) notifications-center.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) identifier-services-sessions.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) customers-manager.info Registrant Organization: Home Registrant State/Province: TX Registrant Country: US [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) session-manager.info Registrant Organization: Home 12 ----- Registrant State/Province: TX Registrant Country: US [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) customer-managers, info Registrant Organization; Home 
Registrant State/Provinee: TX Registrant Country; US [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) confirmation-recovery- Registrant Organization: Domain ID Shield Service CO., Limited options.info Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) service-session-confirm.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) session-recovery-options, info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) services-session- Registrant Organization: Domain ID Shield Service CO., Limited confirmation.info Registrant State/Provinee: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) notification-managers.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province; Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) activities-services- Registrant Organization: Domain ID Shield Service CO., Limited notification.info Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onIinenic.com__________________________](mailto:onlinenic-enduser@onIinenic.com) activities-recovery-options.info Registrant Organization; Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.eom](mailto:onlinenic-enduser@onlinenic.eom) activity-session-recovery.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant 
State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) customers-services.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) recovery-session-change.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) notification-manager, info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK___________________________________ 13 ----- [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) session-managment.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) sessions-notification.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) download-teamspeak. 
info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) services-issue-notification.lnfo Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) microsoft-upgrade.mobi Registrant Name: Chada Martini Registrant Organization: cavy Registrant Street: No 67, King st Registrant City: Tashkent Registrant State/Province: Tashkent Registrant Postal Code: 46543 Registrant Country: UZ Registrant Phone: +968.8007762430 Registrant Fax: +968.8007762430 Registrant Email: [chada.martini@yandex.com](mailto:chada.martini@yandex.com) broadcastnews.pro Registrant State/Province: UT Registrant Country: US [abuse@name.com__________](mailto:abuse@name.com) **.NETWORK,** **.WORLD** **DOMAINS** _Resistry_ **Binky** **Moon,** **EEC** **Donuts** **Inc.** **5808** **Lake** **Washington** **Blvd** **NE,** **Suite** **300** **Kirkland,** **WA** **98033** **United** **States** mobile-messengerplus.network Registrant Name: Cave Detector Registrant Organization: Masqat Co Registrant Street: No 64, Lion St Registrant City: Masqat Registrant State/Province: Masqat Registrant Postal Code: 85641 Registrant Country: OM Registrant Phone: +968.8007762430 Registrant Fax: +968.8007762430 14 ----- JR-egistrant Email: [cave.detector@yandex.com](mailto:cave.detector@yandex.com) sessions-identifier- Registrant Name: REDACTED FOR PRIVACY memberemailid.network Registrant Organization: Domain Protection Services, Inc. 
# APPENDIX B

**IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA**

MICROSOFT CORPORATION, a Washington corporation,

Plaintiff,

**V.**

JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS,

Defendants.

Civil Action No:

**DECLARATION OF DAVID ANSELMI IN SUPPORT OF MICROSOFT’S APPLICATION FOR AN EMERGENCY EX PARTE TEMPORARY RESTRAINING ORDER AND ORDER TO SHOW CAUSE RE PRELIMINARY INJUNCTION**

I, David Anselmi, declare as follows:

1. I am a Senior Investigator in the Digital Crimes Unit of Microsoft Corporation’s Legal and Corporate Affairs Group. I make this declaration in support of Microsoft’s application for an Emergency Ex Parte Temporary Restraining Order And Order To Show Cause Re Preliminary Injunction. I make this declaration of my own personal knowledge and, if called as a witness, I could and would testify competently to the truth of the matters set forth herein.

2. In my current role at Microsoft, I assess technical security threats to Microsoft and the impact of such threats on Microsoft’s business and customers.
Prior to my current role, I worked as Senior Technologist, dealing with security of Microsoft’s online services. Among my responsibilities were protecting Microsoft’s customer-facing online service assets from network-based attacks. Prior to that, while also employed by Microsoft, I worked as a Senior Technologist, dealing with protecting Microsoft’s corporate resources from network-based attacks. Before joining Microsoft, I worked for Excell Data Corporation as a Program Manager performing security firewall deployment, configuration, and administration. I am a graduate of the United States Military Academy, West Point, and served for 27 years as a United States Army Communications Electronics Officer (11 years active, 16 years reserve), attaining the rank of Lieutenant Colonel. I have been employed by Microsoft since February 1997.

**I. OVERVIEW OF INVESTIGATION INTO PHOSPHORUS AND CONCLUSIONS**

3. My declaration concerns an organization that is engaged in systematic criminal activity on the Internet. Because the identities of the individuals behind the activity addressed in this declaration are unknown, I therefore refer to them collectively by the codename that Microsoft has assigned to this group: “Phosphorus.” Others in the security community who have researched this group of actors refer to the group by other names, including “APT 35,” “Charming Kitten,” and “Ajax Security Team.” The defendants have been linked to an Iranian hacking group or groups. I have investigated the infrastructure described in this declaration and have determined that the defendants have registered Internet domains using fictitious names and fictitious physical addresses that are purportedly located in multiple cities and countries. Defendants have registered domains using functioning email addresses by which they communicated with domain registrars in order to complete the registration process.

4.
Microsoft investigators have been monitoring and gathering information on the Phosphorus defendants. In the course of such investigation, I have been working with and directing a team that (1) engaged in the analysis and creation of “signatures” (which can be thought of as digital fingerprints) for the infrastructure used by the Phosphorus defendants, (2) discovered login activity into Microsoft services from Phosphorus-controlled infrastructure on the Internet, (3) matched reported Phosphorus phishing email campaigns to registered domains, (4) monitored domain registrations associated with the Phosphorus-controlled email addresses and other pertinent WHOIS record information, (5) monitored infrastructure frequently utilized by the Phosphorus defendants in order to identify new domains being registered by the Phosphorus defendants, (6) have confirmed resolution settings to particular Internet service providers (ISPs) which have frequently been used by the Phosphorus defendants in the past, and (7) reviewed peer findings and public reporting on the Phosphorus defendants.

5. As alluded in paragraph 4(1), the investigative team has developed methods to help us identify new domains registered by the Phosphorus actors. Particular features of the Phosphorus infrastructure have been identified and patterns of content, non-content, and technical features have been determined to be exclusively and specifically associated with the Phosphorus defendants. These features, when identified in the aggregate, provide a high level of confidence that a given domain is a Phosphorus domain. Each such domain is manually reviewed in detail by one or more subject matter experts as necessary to ascertain whether it is, in fact, a Phosphorus domain.
Based on this analysis, we have identified characteristics of the registration and maintenance of certain domains which, when coupled with the nature of the activities observed being carried out through the domains, are a reliable method to correlate such domains to actions undertaken by the defendants.

6. Based on our investigation and analysis, Microsoft has determined that the Phosphorus defendants specialize in targeting and stealing credentials of prominent users of the Internet. The Phosphorus defendants target Microsoft and non-Microsoft customers in both the private and public sectors, including businesses in a variety of different industries. Based on our research, the Phosphorus defendants have targeted Microsoft customers, political dissidents, activist leaders, the Defense Industrial Base (DIB), journalists, and employees from multiple government agencies, including individuals protesting oppressive regimes in the Middle East. For example, attached as **Exhibit 1** is a true and correct copy of a research report by security research firm FireEye regarding the Phosphorus group (which that firm has called “Ajax Security Team”).

7. The Phosphorus defendants’ objectives appear to be obtaining account credentials to later retrieve sensitive communications within the accounts. We believe that the Phosphorus defendants have been active since 2013 and continue to pose a threat today and into the future.

**II. PHOSPHORUS’ METHOD OF COMPROMISING AND STEALING INFORMATION FROM VICTIMS**

8. The Phosphorus defendants typically attempt to compromise the personal (not work) accounts of the targeted individuals through a technique known as “spear phishing.” Spear phishing attacks are conducted in the following fashion: After researching a victim organization, the spear phisher will identify individuals associated with that organization through gathering publicly available information and by social engineering.
The spear phisher will then initiate communications with the victim by using names, companies, and/or contents that are familiar to the victim. The ensuing communications exchanges are used to social engineer information, identify additional targets, entice a target into opening up a malicious attachment, and more. Microsoft has observed fake social networking profiles being created by Phosphorus defendants which would obviously present significant leverage in carrying out such an attack. Attached as **Exhibit 2** are true and correct copies of such fake social networking profiles, created by the Phosphorus defendants on the LinkedIn social media service.

9. Another technique utilized by the Phosphorus defendants is to send a targeted individual an email specifically crafted to appear as if there is an issue with the targeted individual’s account. Phishing emails often use generic domain names that appear to be tied to account activity and that require input of credentials for authentication. For example, domains such as service-accountrecoverv.com. The Phosphorus defendants send the targeted individual an email specifically crafted to appear as if there is an issue with the targeted individual’s account. Through research and investigation, Microsoft has determined that the Phosphorus defendants have used the domains listed in **Exhibit 3** (which is also reflected as **Appendix A** to the Complaint) in its command and control infrastructure. As can be seen in **Exhibit 3**, the Phosphorus defendants sometimes also disguise their command and control domains by incorporating the names and trademarks of some well-known companies and organizations, including Microsoft’s “Microsoft” and Windows “Live” brands, as well as the “LinkedIn” brand. For example, the Phosphorus defendants use the domains com-microsoftonline.club, verification-live.com, and verifv-linkedin.net.

10.
The Phosphorus defendants’ use of Microsoft trademarks is meant to confuse victims into clicking on links controlled by the Phosphorus defendants. When the user clicks on the links, they are taken to deceptive web pages that induce the victim to type in their Microsoft credentials, at which point the Phosphorus defendants obtain access to those credentials. This will result in the threat actors being able to log into the victim’s account and access their email. The Phosphorus defendants can also download a copy of the victim’s address book to be used for future targeting of additional intended victims. Not having safe emails impacts Microsoft’s brands and services. Customers expect Microsoft to provide safe and trustworthy products and services. There is a great risk that Microsoft’s customers, both individuals and the enterprises for which they work, may incorrectly attribute these problems to Microsoft’s products and services, thereby diluting and tarnishing the value of these trademarks and brands.

11. The Phosphorus defendants send these emails from a variety of online email services. As discussed above, there are multiple Phosphorus created domains mimicking Microsoft brands, and those domains are clearly designed to be included in spear phishing emails as links to websites that the Phosphorus defendants have set up in advance and which they control. When a victim clicks on the link in the email, his or her computer is connected with the Phosphorus-controlled website. The victim is then presented a copy of a webpage that appears to be a login page for a webmail provider of which the victim is a subscriber. In fact, this is a fake login page that is designed to induce the user to type in their webmail credentials. If the victim enters the correct credentials, at that point the Phosphorus actors obtain the user’s credentials and can thereafter access the user’s webmail account to steal email content and other information.

12.
**Figures 1 and 2** below show copies of such webpages created by the Phosphorus defendants, designed to look like legitimate Microsoft Outlook login pages:

**Figure 1** [image not reproduced; legible text: “Outlook Web App”]

**Figure 2** [image not reproduced]

13. Phosphorus targets other brands beyond Microsoft and purport to be password reset or account login pages of other companies. For example, the Phosphorus defendants use fake emails instructing users to click links and type in credentials, fake “Verify” buttons prompting users to type their credentials into fraudulent login pages and fake “Sign in” pages instructing users to enter their user name and password. All of these methods are designed to induce users to type in credentials. As seen above with respect to the fake Microsoft login pages inviting users to type in their Microsoft Outlook “User name” and “Password,” this scheme is typical of the Phosphorus defendants’ activities. **Figures 3** through 6 are further examples of this tactic:

**Figure 3** [image not reproduced]

**Figure 4** [image not reproduced]

**Figure 5** [image not reproduced; legible text: “One account. All of Google.”]

**Figure 6** [image not reproduced]

14. Upon successful compromise of a victim account, the Phosphorus defendants will not only be able to log into the account and review the victim’s emails, but may also delete the spear phishing email that they previously sent to the user in an attempt to obfuscate their activities.

15. The Phosphorus defendants have targeted victims who are using Microsoft email services, and Microsoft investigators have confirmed that Phosphorus defendants have intruded into those accounts to steal information of Microsoft’s users. **Figures 1 and 2** above demonstrate the Phosphorus defendants targeting users of Microsoft’s Outlook email services.

16.
Microsoft investigators were also able to locate the control panel used by the Phosphorus defendants to create links sent to intended victims as well as to track successfully compromised victims who clicked on those links, typed in their credentials and had those credentials stolen by the defendants. Microsoft analysts identified the Phosphorus domain confirm-session-identification.info which led to discovery of the control panel URL. This control panel was accessed by a URL that was open and required no authentication. The control panel that the Phosphorus defendants used to monitor and control their access to victim accounts was present on the domain: confirm-session-identification.info. The domain confirm-session-identification.info was registered on 10/17/2018 as seen in the WHOIS record from a commonly used domain research tool called Domaintools.com. This WHOIS record is reflected in **Figure 7**:

[Screenshot of the WHOIS record; fields legible in the scan:]

```
Domain Name: CONFIRM-SESSION-IDENTIFICATION.INFO
Creation Date: 2018-10-17T11:27:08Z
Registry Expiry Date: 2019-10-17T11:27:08Z
Registrar: OnlineNIC, Inc.
Registrar IANA ID: 82
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registrant Organization: Domain ID Shield Service CO., Limited
Registrant State/Province: Hong Kong
Registrant Country: CN
Name Server: NS1.DNS-DIY.NET
Name Server: NS2.DNS-DIY.NET
DNSSEC: unsigned
```

**Figure 7**

17. The domain confirm-session-identification.info resolved to IP address 190.2.154.35 (Netherlands) from October 18th-20th, 2018 and then moved to CloudFlare IP address, 104.27.134.98 (US). The control panel below was obtained from the confirm-session-identification.info domain, when hosted on 104.27.134.98, on 11/04/2018. When visiting the URL http://confirm-session-identification.info/recovery/ on 11/04/2018 the control panel did not require authentication to view its contents. Upon visiting this URL on 11/04/2018, we confirmed that the Phosphorus defendants use a unique ID (URL) for each targeted user. A redacted list of the users targeted can be seen in the email column in Figure 8 below.

**Figure 8** [image not reproduced]

18. The Phosphorus defendants’ email panel has a “Monitor” screen for tracking compromised users. As seen in the screenshot below (Figure 9), there is at least one victim observed at the time of accessing the unauthenticated email panel:

**Figure 9** [image not reproduced; legible column headings: Target Email, password/code, Auth Type, Auth Result, Date and Time, User Agent, IP, country, city]

19.
Additionally, the settings tab (**Figure 10**) shows that when users’ credentials are compromised, the credentials stolen from Microsoft users and others are emailed to the Yahoo account [soup_mctavish@yahoo.com](mailto:soup_mctavish@yahoo.com) with the subject line “Yahoo-Pishing.” (Note here that the Phosphorus defendants misspelled “Phishing”).

[Figure 10: screenshot of the control panel settings tab. Legible menu items: Dashboard, Monitor, Settings, Manage Database, Logout.]

[Figure 11: file properties listing. Legible fragments include “Win32 EXE”.]

**Figure 11**

**III. PHOSPHORUS HAS ATTACKED MANY MICROSOFT CUSTOMERS IN THE DISTRICT OF COLUMBIA AND AROUND THE WORLD**

23. Through its investigation, Microsoft has determined that the Phosphorus defendants have targeted Microsoft customers in the District of Columbia and throughout the United States. In only the last few months alone, four new individual victims of the Phosphorus defendants’ email intrusion activities have been identified in the District of Columbia.

**IV. HARM TO MICROSOFT AND MICROSOFT CUSTOMERS**

24. Phosphorus irreparably harms Microsoft by damaging its reputation, brands, and customer goodwill. Microsoft is the provider of the Windows operating system and Outlook, Hotmail, OneDrive and Office 365 email and cloud services, as well as a variety of other software and services. Microsoft is the owner of the “Microsoft,” “Windows,” “Outlook,” “Windows Live,” “Hotmail,” “OneDrive” and “Office 365” trademarks.
Trademark registrations for marks infringed by the Phosphorus defendants are attached to Microsoft’s complaint as **Appendix B.** Microsoft has invested substantial resources in developing high-quality products and services. Microsoft has also invested, through its subsidiaries, in high value brands and services such as the “LinkedIn” brand and service. Due to the high quality and effectiveness of Microsoft’s products and services and the expenditure of significant resources by Microsoft to market those products and services, Microsoft has generated substantial goodwill with its customers, has established a strong brand, and has developed the Microsoft name and the names of its products and services into strong and famous world-wide symbols that are well-recognized within its channels of trade. Microsoft has registered trademarks representing the quality of its products and service and its brand, including the trademarks listed above.

25. Microsoft’s customers whose email accounts are compromised through the defendants’ credential theft are damaged by these activities. Similarly, Microsoft’s customers whose computers are infected with the malicious Stealer software are damaged by changes to Windows, which alter the normal and approved settings and functions of the user’s operating system, destabilize it, and enable unauthorized monitoring of the user and theft of user data.

26. In effect, once infected, altered and controlled by the Stealer software, the Windows operating system ceases to operate normally and is now a tool of deception and theft aimed at the owner of the infected computer. Yet they still bear the Microsoft Windows trademark. This is obviously meant to mislead Microsoft’s customers, and it causes extreme damage to Microsoft’s brands and trademarks.

27.
Customers are usually unaware of the fact that their email accounts are compromised, that their computers are infected, that they are being monitored by the defendants or that sensitive information is being stolen from them. Even if aware of an account intrusion or an infection of their computer, users often lack the technical resources or skills to resolve the problem, allowing their accounts and computers to be misused indefinitely, as manual steps to change account credentials or remove the malicious software may be difficult for ordinary users. They may be futile to a degree too where the Phosphorus defendants have software installed to observe the victim’s activities and attempts to remediate the intrusion. Even with professional assistance, cleaning an infected end-user computer can be exceedingly difficult, time-consuming, and frustrating. This demonstrates the extreme problems that the activities of the Phosphorus defendants cause for Microsoft’s customers and the irreparable injury to both Microsoft and its customers. Microsoft and other members of the public must invest considerable time and resources investigating and remediating the defendants’ intrusion into accounts and computers.

28. The activities of the Phosphorus defendants injure Microsoft and its reputation, brand, and goodwill. Users subject to the negative effects of the Phosphorus defendants’ spear phishing emails sometimes incorrectly believe that Microsoft is the source of the problem, and thus there is a significant risk that Microsoft customers will be confused in this way in the future. There is a great risk that Microsoft customers may incorrectly attribute these problems to Microsoft and associate these problems with Microsoft’s products and services, thereby diluting and tarnishing the value of these trademarks and brands.

**V. DISRUPTING PHOSPHORUS’ ILLEGAL ACTIVITIES**

29. The Phosphorus defendants’ illegal activities will not be easy to disrupt.
Evidence indicates that the Phosphorus defendants are highly sophisticated, well-resourced, organized, and patient. The Phosphorus defendants specialize in targeting individuals in organizations holding sensitive data, by gathering extensive information about their employees through publicly available information and social media, using that information to fashion phishing attacks intended to trick those employees into compromising their credentials, and disguising its activities using the names and trademarks of Microsoft and other legitimate companies.

30. The most vulnerable point in the Phosphorus defendants’ operations are a number of Internet domains through which the Phosphorus defendants obtain victim credentials, log into compromised accounts, and review sensitive information from victim accounts. A core subset of these is listed in **Appendix A** to the Complaint. These domains sometimes incorporate trademarks that are owned by Microsoft or by other companies that have been informed of and have no objection to Microsoft’s proposal to take possession of these domains. Granting Microsoft possession of these domains will enable Microsoft to channel all communications to those domains to secure servers, and thereby cut off the means by which the Phosphorus defendants collect victim credentials. In other words, any time a user clicks on a link in a spear phishing email and provides their username and password, that information will be prevented from going to the defendants at the Phosphorus domains, because those domains will be hosted on a Microsoft-controlled, secure server, beyond the control of defendants. While it is not possible to rule out the possibility that the Phosphorus defendants could use fall back mechanisms to evade the requested relief, redirecting this core subset of Phosphorus domains will directly disrupt current Phosphorus infrastructure, mitigating risk and injury to Microsoft and its customers.
The requested relief will also serve the public interest, in protecting customers of other web services companies who have consented to the relief sought in this action.

31. I believe that the most effective way to suspend the injury caused to Microsoft, its consumers, and the public, is to take the steps described in the [Proposed] Ex Parte Temporary Restraining Order and Order to show Cause Re Preliminary Injunction (“Proposed TRO”). This relief will significantly hinder the Phosphorus defendants’ ability to compromise additional accounts and identify new potential victims to target. In the absence of such action, the Phosphorus defendants will be able to continue using this infrastructure to target new accounts, exposing potential new victims to the Phosphorus defendants’ malicious activities.

32. The Phosphorus defendants’ techniques are designed to resist technical mitigation efforts, eliminating easy technical means to curb the injury being caused. For example, once domains in the Phosphorus defendants’ active infrastructure become known to the security community, the defendants abandon that infrastructure and move to new infrastructure that is used to continue the Phosphorus defendants’ efforts to compromise accounts of new victims. For this reason, providing notice to the Phosphorus defendants in advance of redirection of the domains at issue would render attempts to disable the infrastructure futile. Further, when the Phosphorus defendants become aware of efforts to mitigate or investigate their activities, they take steps to conceal their activities and to conceal the injury that has been caused to victims, making it more difficult for victims to adequately assess the damage or take steps to mitigate that injury going forward. For this reason as well, providing notice to the Phosphorus defendants in advance of redirection of the domains at issue would render attempts to mitigate the harm futile, or at least much more difficult for Microsoft.
Piecemeal requests to disable these domains, informal dispute resolution or notice to the defendants prior to redirecting the domains would be insufficient to curb the injury. Based on my experience observing the operation of numerous intrusions such as those carried out by the Phosphorus defendants, and prior investigations and legal actions involving such intrusions and actors, I believe that the Phosphorus defendants would take swift preemptive action to conceal the extent of the victimization of Microsoft and its customers and to defend their infrastructure, if they were to learn of Microsoft’s impending action and request for relief.

33. I am informed and believe there have been prior instances where security researchers or the government attempted to curb injury caused by actors carrying out intrusions such as those in this case, but allowed those actors to receive notice. In these cases, the actors quickly concealed the scope and nature of their intrusion, and moved the infrastructure to new, unidentified locations on the Internet and took other countermeasures causing the actors to continue their operations and destroying or concealing evidence of their operations. Indeed, CERTFA published a report on this actor group on December 13, 2018 (**Exhibit 4**). Subsequent to that report, the control panel cited in Figures 8 through 10 was updated to require authentication. For all of these reasons, I believe that the only way to mitigate injury and disrupt the most recent, active Phosphorus infrastructure, is to redirect the domains at issue prior to providing notice to the defendants.

34. I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct to the best of my knowledge. Executed this day of , 2019.

David E.
Anselmi

-----

###### EXHIBIT 1

-----

SPECIAL REPORT

**FireEye: Operation Saffron Rose 2013**

Authors: Nart Villeneuve, Ned Moran, Thoufique Haq and Mike Scott

-----

Contents

Introduction
Background
Attack Vectors
The “Stealer” Malware
The “Stealer” Builder and Tools
Command-and-Control Infrastructure
Victimology
Attribution
Conclusion
About FireEye, Inc.

-----

We believe we're seeing an evolution and development in Iranian-based cyber activity. In years past, Iranian actors primarily committed politically-motivated website defacement and DDoS attacks. **[1]** More recently, however, suspected Iranian actors have destroyed data on thousands of computers with the Shamoon virus, **[2]** and they have penetrated the Navy Marine Corps Intranet (NMCI), which is used by the U.S. Navy worldwide. **[3]**

In this report, we document the activities of the Ajax Security Team, a hacking group believed to be operating from Iran. Members of this group have accounts on popular Iranian hacker forums such as ashiyane[.]org and shabgard[.]org, and they have engaged in website defacements under the group name “AjaxTM” since 2010. By 2014, the Ajax Security Team had transitioned from performing defacements (their last defacement was in December 2013) to malware-based espionage, using a methodology consistent with other advanced persistent threat actors in this region.

It is unclear if the Ajax Security Team operates in isolation or if they are a part of a larger coordinated effort. The Ajax Security Team itself uses malware tools that do not appear to be publicly available. We have seen this group leverage varied social engineering tactics as a means to lure their targets into infecting themselves with malware. Although we have not observed the use of exploits as a means to infect victims, members of the Ajax Security Team have previously used publicly available exploit code in web site defacement operations.

In sum, FireEye has recently observed the Ajax Security Team conducting multiple cyber espionage operations against companies in the defense industrial base (DIB) within the United States, as well as targeting local Iranian users of anti-censorship technologies that bypass Iran's Internet filtering system.

**Background**

The transition from patriotic hacking to cyber espionage is not an uncommon phenomenon. It typically follows an increasing politicization within the hacking community, particularly around geopolitical events. This is followed by increasing links between the hacking community and the state, particularly military and/or intelligence organizations.

In the late 1990's and early 2000’s, a similar transition occurred within the Chinese hacking community. During that time period, the Chinese hacking community engaged in website defacements and denial of service attacks in conjunction with incidents such as the accidental bombing of the Chinese embassy in Belgrade in 1999, the collision of a U.S. spy plane and a Chinese military plane in 2001, and the Japanese Prime Minister's controversial visit to the Yasukuni shrine in 2005. **[4]** Around this time a significant shift in philosophy began to take place.

Members of the Chinese hacking community that participated in such attacks soon found that transitioning to cyber espionage was more rewarding—both in terms of developing a more advanced skill set as well as in monetary remuneration. One group known as NCPH (Network Crack Program Hacker), whose founding member “Wicked/Withered Rose” was a patriotic hacker, made the transition to cyber espionage by founding a “hacker-for-hire” group

1 HP Security Research. "Threat Intelligence Briefing Episode 11". February 2014.
2 Perlroth, N. "In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back". October 2012.
3 Gallagher, S. "Iranians hacked Navy network for four months? Not a surprise". February 2014.
4 Key. "Honker Union of China to launch network attacks against Japan is a rumor". September 2010.

-----

[**Figure 13:** Overlap between the phishing and stealer clusters]

-----

Ashraf, N. "#OpIsrael: Hacktivists Starting Cyber Attack against Israel on 7th of April". March 2013.
"OpUSA Targeting Government & Financial Sectors on 07 May 2013: Likely Tools, Targets and Mitigating Measures". May 2013.

-----

“HUrr!c4nE!” features prominently in all the group's activities and defacements. Although there has been a decline in public-facing Ajax Security Team activity, this coincides with an increase in malware activity linked to the group's infrastructure.

- ~2009: Membership in ashiyane.org and shabgard.org forums
- 2010 - 2012: Defacements, Release of exploits for CMS
- 2012 - 2013: Increasing politicization, participation on #OpIsrael, #OpUSA
- 2013 - 2014: Transition to cyber-espionage

The increasing politicization of the Ajax Security Team aligns with the timing of their activities against the perceived enemies of Iran. In addition to attacking companies in the U.S., they have targeted domestic users of anti-censorship technology.

While the objectives of this group are consistent with Iran's efforts at controlling political dissent and expanding offensive cyber capabilities, the relationship between this group and the Iranian government remains inconclusive.

For example, the Ajax Security Team could just be using anti-censorship tools as a lure because they are popular in Iran, in order to engage in activities that would be considered traditional cybercrime. In one case, “HUrr!c4nE!”, using the email address keyvan.ajaxtm@gmail[.]com, has been flagged for possible fraud by an online retailer. While “HUrr!c4nE!” is engaged in operations that align with Iran's political objectives, he may also be dabbling in traditional cybercrime.

This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran's hacker groups and any direct Iranian government or military involvement.

On the spectrum of state responsibility, these attacks align with state-encouraged attacks, which are defined as attacks in which:

Third parties control and conduct the attack, but the national government encourages them as a matter of policy. **[28]**

Recruiting hackers through this model allows Iran to influence their activities, and provides the Iranian government plausible deniability, but a lack of direct control also means that the groups may be unpredictable and engage in unsanctioned attacks.

[**Figure 16:** Screenshot of an online retailer's fraud alert. Column headings: OrderID, CustomersID, IP, E-mail, ShippingAddress & ZIP, CustomerName, CC number, PaymentMethod, ExpirationDate, Source, Created.]

28 Healey, J. "Beyond Attribution: Seeking National Responsibility for Cyber Attacks". January 2012.
-----

**Conclusion**

The increased politicization of the Ajax Security Team, and the transition from nuisance defacements to operations against internal dissidents and foreign targets, coincides with moves by Iran aimed at increasing offensive cyber capabilities. While the relationship between actors such as the Ajax Security Team and the Iranian government is unknown, their activities appear to align with Iranian government political objectives.

The capabilities of the Ajax Security Team remain unclear. This group uses at least one malware family that is not publicly available. We have not directly observed the Ajax Security Team use exploits to deliver malware, but it is unclear if they or other Iranian actors are capable of producing or acquiring exploit code.

While the Ajax Security Team’s capabilities remain unclear, we know that their current operations have been somewhat successful as measured by the number of victims seen checking in to an Ajax Security Team controlled CnC server. We believe that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term.

**About FireEye**

FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle.

The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 1,500 customers across more than 40 countries, including over 100 of the Fortune 500.

We thank Kenneth Geers and Jen Weedon for their support and analysis on these findings.

FireEye, Inc. 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | [info@fireeye.com](mailto:info@fireeye.com) | **[www.fireeye.com](http://www.fireeye.com)**

©2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. - RPT.OSR.EN US.082014

-----

##### EXHIBIT 2

-----

**Phosphorus Fraudulent LinkedIn Profiles**

On 10/02/2018, Microsoft Threat Intelligence Center analysts regarding three potential fake PHOSPHORUS LinkedIn pages. A trusted third party partner noted that several members of their organizations that work on economic sanctions received connection requests to connect from the following profiles.

**Suspected Fake Profile #1:** www.linkedin[.]com/in/dana-nastas-9a6b85171/

Dana Nastas - 3rd
Lead Social Development Specialist at The World Bank
The World Bank
The Johns Hopkins University - Paul H. Nitze School of Ad...
See contact info
35 connections

Experience

**The World Bank** 12 yrs 1 mo

**Lead Social Development Specialist**
Aug 2013 - Present - 5 yrs 3 mos
Leading World Bank projects in the areas of social and local development and social accountability in the MENA region. Representing World Bank in dialogue with Government of Jordan and with donor community.

**Manager, Fragility and Conflict**
Jun 2009 - Jul 2013 - 4 yrs 2 mos
Managing the World Bank Institute's practice on fragility and conflict.
Building local capacity through skills and leadership development and facilitating coalition building around key developmental/reform issues.

**Senior Operations Officer, Fragility and Conflict Group**
Oct 2006 - Aug 2009 - 2 yrs 11 mos
Advised on and supported World Bank engagement in Fragile and Conflict Affected States (FCS), including leading the reform of World Bank's operational policies for FCS.

-----

The fake profile above appears to have been created by taking information from the following real profile: [www.linkedin.com/in/sima-kanaan-a622191](http://www.linkedin.com/in/sima-kanaan-a622191) b

Sima Kanaan - 3rd
Senior Development Advisor at United Nations High Commissioner for Refugees
United Nations High Commissioner for Refugees
The Johns Hopkins University - Paul H. Nitze School of...
See contact info
500 connections

Experience

**Senior Development Advisor**
United Nations High Commissioner for Refugees
Supporting UNHCR's MENA Director's office and country programs' ongoing efforts to collaborate with development organizations and host countries towards finding and implementing comprehensive and sustainable solutions for refugees

**The World Bank** 12 yrs 1 mo

**Lead Social Development Specialist**
Aug 2013 - Present - 5 yrs 3 mos
Leading World Bank projects in the areas of social and local development and social accountability in the MENA region. Representing World Bank in dialogue with Government of Jordan and with donor community

**Manager, Fragility and Conflict**
Jun 2009 - Jul 2013 - 4 yrs 2 mos
Managing the World Bank Institute's practice on fragility and conflict. Building local capacity through skills and leadership development and facilitating coalition building around key developmental/reform issues.
**Senior Operations Officer, Fragility and Conflict Group**
Oct 2006 - Aug 2009 - 2 yrs 11 mos
Advised on and supported World Bank engagement in Fragile and Conflict Affected States (FCS), including leading the reform of World Bank's operational policies for FCS.

-----

With the exception of the position title used, the exact same verbiage was used in the summary section, experience, education, and interests. The major difference is that Sima Kanaan has over 500+ connections and the suspected fake account for Dana Nastas only had 35 as of 7PM on 10/02/2018.

**Suspected Fake Profile #2:** www.linkedin[.]com/in/emmanuel-tyler-227b86171/

Emmanuel Tyler
Global Lead - Technology, Innovation, & Climate Smart Agriculture, The World Bank Group
The World Bank
North Carolina State University
See contact info

Supporting investments in Climate Resilient Agriculture and Natural Resource Management. My work also involves analytical economic and sector studies. I hold a Higher National Certificate (HNC) in Quantitative Biology & Analytical Biochemistry from Hertfordshire University (England), a BSc in Forestry from the University of Aberdeen (Scotland), and a PhD in Soil Science & Agronomy from North Carolina State University (USA). My professional career is dedicated to facilitating global food security, sustainable livelihoods for farmers, and the conservation of natural resources and ecosystems services to ensure the equitable and sustainable development of societies globally. I have 35 years of agriculture and natural resource management experience in Sub-Saharan Africa, East Asia, Latin America, the Middle East and North Africa, and South Asia. Currently, I am focusing on designing and managing climate resilient landscapes across the World Bank's Agriculture Investments portfolio with cross cutting linkages to the Environment, Urban-Rural-Social, and Water investments.
-----

The fake profile above appears to have been created by taking information from the following real profile: linkedin.com/in/erickfernandes/

Erick Fernandes
Global Lead - Technology, Innovation, & Climate Smart Agriculture, The World Bank Group
The World Bank
North Carolina State University
See contact info
500+ connections

Supporting investments in Climate Resilient Agriculture and Natural Resource Management. My work also involves analytical economic and sector studies. I hold a Higher National Certificate (HNC) in Quantitative Biology & Analytical Biochemistry from Hertfordshire University (England), a BSc in Forestry from the University of Aberdeen (Scotland), and a PhD in Soil Science & Agronomy from North Carolina State University (USA). My professional career is dedicated to facilitating global food security, sustainable livelihoods for farmers, and the conservation of natural resources and ecosystems services to ensure the equitable and sustainable development of societies globally. I have 35 years of agriculture and natural resource management experience in Sub-Saharan Africa, East Asia, Latin America, the Middle East and North Africa, and South Asia. Currently, I am focusing on designing and managing climate resilient landscapes across the World Bank's Agriculture investments portfolio with cross cutting linkages to the Environment, Urban-Rural-Social, and Water investments.

ResearchGate profile

-----

The exact same verbiage was used in the summary section, experience, education, and interests. The major difference is that Mr. Fernandes has over 500+ connections and the suspected fake account for Emmanuel Tyler only had 86 connections as of 7PM on 10/02/2018.

**Suspected Fake Profile #3:** https://www.linkedin[.]com/in/raphael-zehavi-23b065172/

Raphael Zehavi
Director General Ministry of Finance
Israel Ministry of Finance
The London School of Economics and Political...
See contact info
13 connections

Highly experienced Director General with strong history of working in the government as well as the privet sector .Skilled in Negotiation, Business Planning, Operations Management, Analytical Skills, and Strategy . Strong business development professional with a Master of Science (MSc) focused in Finance ...

Experience

Director General
Israel Ministry of Finance

Director General
Israel's Authority for Television & Radio

ZIM Integrated Shipping Services
General Manager Israel & Near East Area

The fake profile above appears to have been created by taking information from the following real profile: [https://www.linkedin.com/in/shai-babad-aa19a189/](https://www.linkedin.com/in/shai-babad-aa19a189/)

-----

Shai Babad
Director General Ministry of Finance
Israel Ministry of Finance
The London School of Economics and Political...
See contact info
500+ connections

Highly experienced Director General with strong history of working in the government as well as the privet sector .Skilled in Negotiation, Business Planning, Operations Management, Analytical Skills, and Strategy . Strong business development professional with a Master of Science (MSc) focused in Finance ...

Experience

**Director General**
Israel Ministry of Finance

Director General
Israel's Authority for Television & Radio

**ZIM Integrated Shipping Services**
6 yrs 11 mos

-----

The exact same verbiage was used in the summary section, experience, education, and interests. The major difference is that Mr. Babad has over 500+ connections and the suspected fake account for Raphael Zehavi only had 13 connections as of 10/3/2018 at 10:00AM.
-----

##### EXHIBIT 3

-----

**APPENDIX A**

**.ORG DOMAINS**

**Registry**
**Public Interest Registry (PIR)**
**1775 Wiehle Avenue**
**Suite 200**
**Reston Virginia 20190**
**United States**

yahoo-verification.org
Domain Administrator
Yahoo! Inc.
109 First
Sunnyvale CA 94988
BA
Phone: +1.4038493301
Fax: +1.4038493302
[domainadmin@yahoo-verification.org](mailto:domainadmin@yahoo-verification.org)

**.COM, .NET, .NAME DOMAINS**

**Registry**
**VeriSign, Inc.**
**VeriSign Information Services, Inc.**
**12061 Bluemont Way**
**Reston Virginia 20190**
**United States**

support-servics.com
Registrant Name: hash crypt
Registrant Organization: hashcrypt
Registrant Street: nbcj hjf,m
Registrant City: losangles
Registrant State/Province: Alabama
Registrant Postal Code: 35004
Registrant Country: US
Registrant Phone: +1.09876543567
Registrant Email: [hashcrypt@protonmail.com](mailto:hashcrypt@protonmail.com)

verification-live.com
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Street: AS8068 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,
Registrant City: toranto
Registrant State/Province: toranto
Registrant Postal Code: 64043
Registrant Country: UM
Registrant Phone: +1.6509234001
Registrant Fax: +1,6509234002
Registrant Email: [test9179@porotonmail.com](mailto:test9179@porotonmail.com)

com-mailbox.com
Registrant Name: Priview Service
Registrant Organization: mish
Registrant Street: No 885, Azar st
Registrant City: Dubai
Registrant State/Province: Dubai
Registrant Postal Code: 98120
Registrant Country: AE
Registrant Phone: +97.3218526
Registrant Fax: +97.3218526
Registrant Email: [domain.seller2017@yandex.com](mailto:domain.seller2017@yandex.com)

com-myaccuants.com
Registrant Name: Domain ID Shield Service
Registrant Organization: Domain ID Shield Service CO., Limited
Registrant Street: FLAT/RM A, 9/F SILVERCORP INTERNATIONAL TOWER, 707-713 NATHAN ROAD, MONGKOK, KOWLOON, HONG KONG
Registrant City: Hong Kong
Registrant State/Province: Hong Kong
Registrant Postal Code: 999077
Registrant Country: CN
Registrant Phone: +852.21581835
Registrant Fax: +852.30197491
Registrant Email: [co5940551458104@domainidshield.com](mailto:co5940551458104@domainidshield.com)

notification-accountservice.com
Registrant Name: mosa alnarjani
Registrant Organization:
Registrant Street: baqdad, alqusair st, no 246
Registrant City: baqdad
Registrant State/Province: baqdad
Registrant Postal Code: 548996
Registrant Country: IQ
Registrant Phone: +964.7730061463
Registrant Email: [meisam.bayat.sector@gmail.com](mailto:meisam.bayat.sector@gmail.com)

accounts-web-maiI.com
Registrant Name: Domain Administrator
Registrant Organization: Yahoo! Inc.
Registrant Street: 107 First Avenue
Registrant City: Sunnyvale
Registrant State/Province: CA
Registrant Postal Code: 94989
Registrant Country: US
Registrant Phone: +1.4038493300
Registrant Fax: +1.4038493301
Registrant Email: [test9179@yahoo.com](mailto:test9179@yahoo.com)

customer-certificate.com
Registrant Name: Domain ID Shield Service
Registrant Organization: Domain ID Shield Service CO., Limited
Registrant Street: FLAT/RM A, 9/F SILVERCORP INTERNATIONAL TOWER, 707-713 NATHAN ROAD, MONGKOK, KOWLOON, HONG KONG
Registrant City: Hong Kong
Registrant State/Province: Hong Kong
Registrant Postal Code: 999077
Registrant Country: HK
Registrant Phone: +852.21581835
Registrant Fax: +852.30197491
Registrant Email: [whoisprivacy@domainidshield.com](mailto:whoisprivacy@domainidshield.com)

session-users-activities.com
Domain ID Shield Service
Domain ID Shield Service CO., Limited
FLAT/RM A, 9/F SILVERCORP INTERNATIONAL TOWER, 707-713 NATHAN ROAD, MONGKOK, KOWLOON, HONG KONG
Hong Kong
Hong Kong
999077
HK
Phone: +852.21581835
Fax: +852.30197491
[whoisprivacy@domainidshield.com](mailto:whoisprivacy@domainidshield.com)
user-profile-credentials.com Domain ID Shield Service Domain ID Shield Service CO., Limited FLAT/RM A, 9/F SILVERCORP INTERNATIONAL TOWER, 707-713 NATHAN ROAD, MONGKOK, KOWLOON, HONG KONG Hong Kong Hong Kong 999077 HK ###### Phone:+852.21581835 Fax: +852.30197491 [whoisprivacy@domainidshield.com](mailto:whoisprivacy@domainidshield.com) verify-linke.com Registrant Name: sora bara Registrant Organization: narabara Registrant Street: ara Registrant City: mara Registrant State/Province: nara Registrant Postal Code: 7482957439 Registrant Country: B1 Registrant Phone: +1.234124323 Registrant Fax: +1.2129876243 Registrant Email: [test9179@protonmail.com](mailto:test9179@protonmail.com) support-servics.net Registrant Name: Support Services Inc. Registrant Organization: Support Services Inc. Registrant Street: 1901 Amphitheatre Parkway Registrant City: Mountain View Registrant State/Province: 64043 Registrant Postal Code: 64043 Registrant Country: US Registrant Phone: +1.6509234001 Registrant Fax: +1.6509188572 Registrant Email: [test9179@protonmail.com](mailto:test9179@protonmail.com) verify-linkedin.net Registrant Name: sora bara Registrant Organization: none______________ 3 ----- Registrant Street: ara Registrant City: mara Registrant State/Province: nara Registrant Postal Code: 748295743 Registrant Country: BI Registrant Phone: +75.234124323 Registrant Fax: +86.12124321 Registrant Email: [dnsadmin@verify-linkedin.com](mailto:dnsadmin@verify-linkedin.com) yahoo-verification.net Registrant Organization: Yahoo! Inc. Registrant Street: 107 First Avenue Registrant City: Sunnyvale Registrant State/Province: CA Registrant Postal Code: 94989 Registrant Country: BA Registrant Phone: +1.4038493300 Registrant Fax: +1.4038493301 Registrant Email: [test9179@yahoo.com](mailto:test9179@yahoo.com) yahoo-verify.net Registrant Name: Domain Administrator Registrant Organization: Yahoo! Inc. 
Registrant Street: 701 First Avenue Registrant City: Sunnyvale Registrant State/Province: CA Registrant Postal Code: 98089 Registrant Country: BI Registrant Phone: +1.4083893300 Registrant Fax: +1.4083893301 Registrant Email: [domainadmin@yahoo-verify.net](mailto:domainadmin@yahoo-verify.net) hereyouare.ddns.net Registrant Name: Dan Durrer Registrant Organization: No-IP.com Registrant Street: 425 Maestro Dr. Second Floor Registrant City: Reno Registrant State/Province: NV Registrant Postal Code: 89511 Registrant Country: US Registrant Phone: +1.7758531883 Registrant Email: [domains@no-ip.com](mailto:domains@no-ip.com) outlook-verify.net Registrant Name: Domain Administrator Registrant Organization: Microsoft Corporation Registrant Street: One Microsoft Way, Redmond, WA, 98052, US Registrant City: Washington Registrant State/Province: Canada Registrant Postal Code: 7482957439 Registrant Country: US Registrant Phone: +1.234124323 Registrant Phone Ext: Registrant Fax: +1.2129876243 Registrant Fax Ext: Registrant Email: [supportiveemail@protonmail.com___________](mailto:supportiveemail@protonmail.com) com-users.net Registrant Name: Domain ID Shield Service Registrant Organization: Domain ID Shield Service CO., Limited 4 ----- Registrant Street: FLAT/RM A, 9/F SILVERCORP INTERNATIONAL TOWER, 707-713 NATHAN ROAD, MONGKOK, KOWLOON, HONG KONG Registrant City: Hong Kong Registrant State/Province: Hong Kong Registrant Postal Code: 999077 Registrant Country: CN Registrant Phone: +852.21581835 Registrant Phone Ext: Registrant Fax: +852.30197491 Registrant Fax Ext: Registrant Email: [co5806503530204@domainidshield.com____________](mailto:co5806503530204@domainidshield.com) verifiy-account.net Registrant Name: Domain ID Shield Service Registrant Organization: Domain ID Shield Service CO., Limited Registrant Street: FLAT/RM A, 9/F SILVERCORP INTERNATIONAL TOWER, 707-713 NATHAN ROAD, MONGKOK, KOWLOON, HONG KONG Registrant City: Hong Kong Registrant State/Province: Flong Kong 
Registrant Postal Code: 999077 Registrant Country: HK Registrant Phone: +852.21581835 Registrant Fax: +852.30197491 Registrant Email: [whoisprivacy@domainidshield.com](mailto:whoisprivacy@domainidshield.com) ###### telegram.net Registrant Name: NS-CLOUD-B1 .GOOGLEDOMAlNS.COM Registrant Organization: Domains By Proxy, LLC Registrant Street: clientTransferProhibited [https://icann.0rg/epp#clientTransfe](https://icann.0rg/epp%23clientTransfe) Registrant City: Arizona Registrant State/Province: Arizona Registrant Postal Code: 0056 Registrant Country: US Registrant Phone: +1.4806242505 Registrant Fax: +1.4806242506 Registrant Email: [verdonew@protonmail.com_______________________](mailto:verdonew@protonmail.com) account-verifiy.net Registrant Name: Domain ID Shield Service Registrant Organization: Domain ID Shield Service CO., Limited Registrant Street: FLAT/RM A, 9/F SILVERCORP INTERNATIONAL TOWER, 707-713 NATHAN ROAD, MONGKOK, KOWLOON, HONG KONG Registrant City: Hong Kong Registrant State/Province: Hong Kong Registrant Postal Code: 999077 Registrant Country: HK Registrant Phone: +852.21581835 Registrant Fax: +852.30197491 Registrant Email: [whoisprivacy@domainidshield.com](mailto:whoisprivacy@domainidshield.com) myaccount-services.net Registrant Name: Domain ID Shield Service Registrant Organization: Domain ID Shield Service CO., Limited Registrant Street: FLAT/RM A, 9/F SILVERCORP INTERNATIONAL 5 ----- TOWER, 707-713 NATHAN ROAD, MONGKOK, KOWLOON, HONG KONG Registrant City; Hong Kong Registrant State/Province: Hong Kong Registrant Postal Code: 999077 Registrant Country: HK Registrant Phone: +852.21581835 Registrant Fax: +852.30197491 Registrant Email: [whoisprivacy@domainidshield.com________________](mailto:whoisprivacy@domainidshield.com) com-identifier-servicelog.name Registrant Name: Whois Agent Registrant Organization: Domain Protection Services, Inc. 
Registrant Street: PO Box 1769 Registrant City: Denver Registrant State/Province: CO Registrant Postal Code: 80201 Registrant Country: US Registrant Phone: +1.7208009072 Registrant Fax: +1.7209758725 Registrant Email: [https://www.name.com/contact-domain-whois/com-](https://www.name.com/contact-domain-whois/com-identifier-servicelog.name) [identifier-servicelog.name](https://www.name.com/contact-domain-whois/com-identifier-servicelog.name) [abuse@name.com________________________________________](mailto:abuse@name.com) **■BID** **DOMAINS** ###### Resistrv **_do_** **Neustar,** **Inc.** **21575** **Ridgetop** **Circle** **Sterling,** **VA** **20166** **United** **States** **dot** **Bid** **Limited** **2nd** **Floor,** **Leisure** **Island** **Business** **Centre** **Ocean** **Village** ###### GXll lAA **Gibraltar** **Global** **Registry** **Services** **Limited** **327** **Main** **Streeet,** **Gibraltar** **GXll** **lAA** Registrant Name: Chada Martini Registrant Organization: cavy Registrant Street: No 67, King st Registrant City: Tashkent Registrant State/Province: Tashkent Registrant Postal Code: 46543 Registrant Country: UZ microsoft-update.bid Registrant Phone: +968.8007762430 6 ----- Registrant Fax: +968.8007762430 Registrant Email: [chada.martini@yandex.com](mailto:chada.martini@yandex.com) Registrant Name: Chada Martini Registrant Organization: cavy Registrant Street: No 67, King st Registrant City: Tashkent Registrant State/Province: Tashkent Registrant Postal Code: 46543 Registrant Country: UZ Registrant Phone: +968.8007762430 Registrant Fax: +968.8007762430 outlook-livecom.bid Registrant Email: [chada.martini@yandex.com](mailto:chada.martini@yandex.com) Registrant Name: Chada Martini Registrant Organization: cavy Registrant Street: No 67, King st Registrant City: Tashkent Registrant State/Province: Tashkent Registrant Postal Code: 46543 Registrant Country: UZ Registrant Phone: +968.8007762430 Registrant Fax: +968.8007762430 update-microsoft.bid Registrant 
Email: [chada.martini@yandex.com](mailto:chada.martini@yandex.com) **.CLOUD** **DOMAINS** ###### Resistrv **c/o** **Neustar,** **Inc.** **21575** **Ridgetop** **Circle** **Sterling,** **VA** **20166** **United** **States** **ARUBA** **PEC** **S.p.A.** **Via** **Sergio** **Ramelli** **8** **52100** **Arezzo** **(AR)** **Italy** Registrant Name: Whois Agent Registrant Organization: Domain Protection Services, Inc. Registrant Street: PO Box 1769 Registrant City: Denver Registrant State/Province: CO Registrant Postal Code: 80201 Registrant Country: US Registrant Phone: +1.7208009072 Registrant Fax: +1.7209758725 documentsfilesharing.cloud [documentsfilesharing.cloud@protecteddomainservices.com](mailto:documentsfilesharing.cloud@protecteddomainservices.com) 7 ----- **.CLUB** **DOMAINS** **_Resistry_** **.CLUB** **DOMAINS,** **LLC** **100** **SE** **3rd** **Ave.** **Suite** **1310** **Fort** **Lauderdale,** **FL** **33394** **United** **States** Registrant Name: Chada Martini Registrant Organization: cavy Registrant Street: No 67, King st Registrant City: Tashkent Registrant State/Province: Tashkent Registrant Postal Code: 46543 Registrant Country: UZ Registrant Phone: +968.8007762430 Registrant Fax: +968.8007762430 eom-microsoftonline.club Registrant Email: chada.martini^yandex.eom **.INFO,** **.MOBL** **.PRO** **DOMAINS** **_Resistry_** **Afilias,** **Inc.** **300** **Welsh** **Road** **Building** **3,** **Suite** **105** **Horsham,** **PA** **19044** **United** **States** confirm-session-identifier.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) session-management, info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) 
confirmation-service.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) document-share, info Registrant Organization: Martini Registrant State/Province: Tashkent Registrant Country: UZ [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) broadcast-news, info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) customize-identity.info Registrant Organization: Domain ID Shield Service CO., Limited 8 ----- Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) webemail.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) com-identifier-servicelog.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com_____________](mailto:onlinenic-enduser@onlinenic.com) customize-identity.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) documentsharing.info Registrant Organization: will co Registrant State/Province: VA Registrant Country: AF [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) notification-accountservice.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: CN 
[onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) identifier-activities.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onIinenic.com](mailto:onlinenic-enduser@onIinenic.com) documentofficupdate.info Registrant Organization: William Brown Registrant State/Province: VA Registrant Country: US [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) recoveryusercustomer. info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) serverbroadcast. info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) account-profi le-users. info Registrant Organization: arsalan co. Registrant State/Province: Louisiana Registrant Country: US [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) account-serviee- Registrant Organization: Domain ID Shield Service CO., Limited management.info Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) accounts-manager. 
info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK 9 ----- [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) activity-confirmation- Registrant Organization: Domain ID Shield Service CO., Limited service.info Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) com-accountidentifier.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) com-privacy-help.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) com-sessionidentifier.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) com-useraccount.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) confirmation-users-service.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) confirm-identity.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) confirm-session- Registrant Organization: 
Domain ID Shield Service CO., Limited identification.info Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) continue-session-identifier.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com____________________](mailto:onlinenic-enduser@onlinenic.com) customer-recovery, info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com_________________________](mailto:onlinenic-enduser@onlinenic.com) customers-activities.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) elitemaildelivery.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com________________________](mailto:onlinenic-enduser@onlinenic.com) email-delivery.info Registrant Organization: Domain ID Shield Service CO., Limited 10 ----- Registrant State/Province: Hong Kong Registrant Country: CN [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) identify-user-session.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) message-serviceprovider.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com_______________ ________](mailto:onlinenic-enduser@onlinenic.com) notificationapp.info Registrant Organization: Domain ID Shield 
Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) notification-manager.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) recognized-activity.info Registrant Organization: will co Registrant State/Province: VA Registrant Country: VA [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) recover-customers-service.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com________________________](mailto:onlinenic-enduser@onlinenic.com) recovery-session-change.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com________________________](mailto:onlinenic-enduser@onlinenic.com) service-recovery-session,info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) service-session-continue.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) session-mail-customers.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) session-managment.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK 
[onlinenic-enduser@onlinenic.com________________________](mailto:onlinenic-enduser@onlinenic.com) session-verify-user.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK 11 ----- [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) shop-sellwear.info Registrant Organization: maryam s32 Registrant State/Province: tersite Registrant Country: US [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) supportmailservice.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) terms-service-notlfication.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) user-activity-issues, info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) useridentity-confirm.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) users-issue-services.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) verify-user-session.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK 
[onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) login-gov.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com____________________ _____](mailto:onlinenic-enduser@onlinenic.com) notification-signal-agnecy.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) notifications-center.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) identifier-services-sessions.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) customers-manager. 
info Registrant Organization: Home Registrant State/Province: TX Registrant Country: US [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) session-manager, info Registrant Organization: Home 12 ----- Registrant State/Province: TX Registrant Country: US [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) customer-managers, info Registrant Organization: Home Registrant State/Province: TX Registrant Country: US [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) confirmation-recovery- Registrant Organization: Domain ID Shield Service CO., Limited options.info Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) service-session-confirm.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) session-recovery-options.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) services-session- Registrant Organization: Domain ID Shield Service CO., Limited confirmation.info Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) notification-managers.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) activities-services- Registrant Organization: Domain ID Shield Service CO., Limited notification.info Registrant State/Province: Hong Kong Registrant Country: HK 
[onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) activities-recovery-options.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) activity-session-recovery, info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) customers-services.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) recovery-session-change.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) notification-manager.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK___________________________________ 13 ----- [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) session-managment.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) sessions-notification.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com__________________________](mailto:onlinenic-enduser@onlinenic.com) download-teamspeak. 
info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) services-issue-notification.info Registrant Organization: Domain ID Shield Service CO., Limited Registrant State/Province: Hong Kong Registrant Country: HK [onlinenic-enduser@onlinenic.com](mailto:onlinenic-enduser@onlinenic.com) microsoft-upgrade.mobi Registrant Name: Chada Martini Registrant Organization: cavy Registrant Street: No 67, King st Registrant City: Tashkent Registrant State/Province: Tashkent Registrant Postal Code: 46543 Registrant Country: UZ Registrant Phone: +968.8007762430 Registrant Fax: +968.8007762430 Registrant Email: [chada.martini@yandex.com](mailto:chada.martini@yandex.com) broadcastnews.pro Registrant State/Province: UT Registrant Country: US [abuse@name.com__________](mailto:abuse@name.com) **.NETWORK.** **.WORLD** **DOMAINS** ###### Resistry **Binky** **Moon,** **LLC** **Donuts** **Inc.** **5808** **Lake** **Washington** **Blvd** **NE,** **Suite** **300** **Kirkland,** **WA** **98033** **United** **States** mobile-messengerplus.network Registrant Name: Cave Detector Registrant Organization: Masqat Co Registrant Street: No 64, Lion St Registrant City: Masqat Registrant State/Province: Masqat Registrant Postal Code: 85641 Registrant Country: OM Registrant Phone: +968.8007762430 Registrant Fax: +968.8007762430 14 ----- Registrant Email; [cave.detector@yandex.com](mailto:cave.detector@yandex.com) sessions-identifier- Registrant Name: REDACTED FOR PRIVACY memberemailid.network Registrant Organization: Domain Protection Services, Inc. 
-----

##### EXHIBIT 4

-----

###### The Return of The Charming Kitten

A review of the latest wave of organized phishing attacks by Iranian state-backed hackers

###### Abstract

Phishing attacks are the most common form of infiltration used by Iranian state-backed hackers to gain access into accounts. Certfa reviews the latest campaign of phishing attacks that has been carried out and dubbed as “The Return of The Charming Kitten”.

In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world.

Our review in Certfa demonstrates that the hackers - knowing that their victims use two-step verification - target verification codes and also their email accounts such as Yahoo! and Gmail. As a result, Certfa believes the safest existing way to confront these attacks is using Security Keys such as YubiKey.

###### Introduction

In early October 2018, MDOugh, a Twitter user, revealed phishing attacks of a group of Iranian hackers against US financial institution infrastructure.
According to this user, these attacks could possibly be a reaction to new sanctions against Iran. The account mentioned a domain with the address accounts[-]support[.]services for the first time. This domain is linked to a group of hackers who are supported by the Iranian government, and that we believe have close ties with the Islamic Revolutionary Guard Corps (IRGC). ClearSky has previously published detailed reports on their activities.

A month after these attacks, the administrators of accounts-support[.]services expanded their activities and started targeting civil and human rights activists, political figures and also Iranian and Western journalists.

###### Methods of Attacks

Our investigation illustrates that the attackers are utilising different methods to carry out their attacks. These methods can be put into two categories:

1. Phishing attacks through unknown email or social media and messaging accounts
2. Phishing attacks through email or social media and messaging accounts of public figures, which have been hacked by the attackers

We have also found that the hackers have collected information on their targets prior to the phishing attack. The hackers design specific plans for each target based on the level of targets’ cyber knowledge, their contacts, activities, working time, and their geographic situation.

We also noticed that, unlike in previous phishing campaigns, in some cases the hackers did not change the password of their victims’ accounts in these latest attacks. This allows them to remain undetected and monitor a victim’s communications via their email in real time.

###### Fake alerts of unauthorised access

According to the samples of phishing attacks, the main trick used by these hackers to deceive their targets is that of sending fake alerts through email addresses such as notifications.mailservices@gmail[.]com, noreply.customermails@gmail[.]com, customer]email-delivery[.]info etc.
stating that unauthorised individuals have tried to access their accounts.

[Screenshot: fake security alert asking "Do you recognise this activity?", with a link pointing to https://sites.google.com/view/blahblahblah/blahblahblah]

By using this method, attackers pretend that the email provider has sent security alerts to the targets and they should immediately review and restrict suspicious accesses. More details are available in the “Destination Link” section.

###### Fake file sharing on Google Drive

Sending links with titles such as share files from Google Drive has been one of the most common tricks that hackers have used in recent years. A unique point of these attacks in comparison with the previous ones is that they use Google Site, which allows the hackers to show a fake download page of Google Drive, which tricks the users into thinking it’s a real Google Drive page.

[Screenshot: fake Google Drive download page, with google.com visible in the address bar]

For example, the hacker had used hxxps://sites.google[.]com/view/sharingdrivesystem to deceive the users and convince them the page is the authentic Google Drive as users can see google.com in the address bar of their browsers. Certfa has reported this link and similar links to Google and Google has now terminated them.

By creating websites with the same design and look as the Google Drive file sharing page, hackers pretend to be sharing a file with the user, which they should download and run on their devices. They use hacked Twitter, Facebook and Telegram accounts to send these links and target new users. The truth is there is not any file and the hackers use this page to direct their targets to the fake Google login page, where the users enter their credential details including 2 factor authentication.

###### The Attack Structure

Most of these attacks are currently occurring through phishing emails.
As a result, it would be useful to take a look at the original content in recent phishing campaigns.

[Screenshot: original content of a phishing email]

###### 1. Destination link

###### 1.1. Trusted Stage

Internet users around the world consider Google’s main domain (google.com) to be a safe and secure address. The attackers misuse this fact and create fake pages on sites.google.com (which is a subdomain of Google) to deceive their targets. Google’s Site service gives its users an ability to show various contents on it. The attackers use this ability to send fake alerts and redirect their targets to insecure websites or embedded phishing pages as an iframe on those pages.

[Infographic, three panels:]

- **attacker-domain.com**: Most users can easily detect the phishing website by looking at the domain names and full URLs.
- **google.com**: Attackers use Google's Site Service, which allows them to create web pages under sites.google.com, to send safe and secure looking links to their targets.
- **google.com**: After creating websites on Google's Site service, the attackers send links to their targets. These links can redirect their targets to malicious websites or steal their data directly.

###### 1.2. Untrusted Stage

Since Google can quickly recognise and eliminate suspicious and malicious links on sites.google.com, the hackers use their own website. The links of phishing websites have similar patterns to a previous phishing campaign which was launched in the past years. For example, attackers use words such as “management”, “customize”, “service”, “identification”, “session”, “confirm” etc. in the domain names and phishing URLs to deceive users who want to verify their website addresses.

###### 2. Clickable image in emails

The hackers use an image, instead of text, in the body of their emails, to bypass Google’s security and anti-phishing system. For this purpose, attackers have also used third party services such as Firefox Screenshot to host their email images.
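The destination-link patterns from sections 1.1 and 1.2 above can be turned into a simple link triage for a mail or chat gateway. This is an added example, not code from the Certfa report or the filing: the lure words and the two defanged samples come from the report, while `LOGIN_HOSTS`, the function names and the `.example` URL are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Lure words the report lists for phishing domains and URLs.
LURE_WORDS = ("management", "customize", "service",
              "identification", "session", "confirm")
# Assumption: hosts where users really sign in; adjust for your organisation.
LOGIN_HOSTS = {"accounts.google.com", "login.yahoo.com"}
# Trusted parent domain that serves pages written by any user ("trusted stage").
UGC_HOSTS = {"sites.google.com"}

def refang(url):
    """Undo report-style defanging: hxxp -> http, [.] -> ., [-] -> -."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    url = re.sub(r"\[([.\-])\]", r"\1", url)
    return url if "://" in url else "http://" + url

def triage_link(url):
    """Return (verdict, reasons) for a link taken from an email or message."""
    try:
        parts = urlsplit(refang(url))
    except ValueError:
        return "unparsed", ["malformed URL"]
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "unparsed", ["not an http(s) URL"]
    if host in LOGIN_HOSTS:
        return "expected-login-host", []
    if host in UGC_HOSTS:
        # google.com in the address bar says nothing about who wrote the page.
        return "trusted-stage", [f"{host} hosts user-created pages"]
    hits = [w for w in LURE_WORDS if w in host or w in parts.path.lower()]
    if hits:
        return "untrusted-stage", [f"lure word '{w}'" for w in hits]
    return "unknown", []

SAMPLES = [
    "hxxps://sites.google[.]com/view/sharingdrivesystem",  # from the report
    "accounts[-]support[.]services",                       # from the report
    "https://accounts.google.com/signin",                  # constructed
    "https://session-confirm.example/identification",      # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage_link(s))
```

A lure-word hit is only a prompt for review, since legitimate hosts also contain words like "service"; the allowlist of real sign-in hosts is what keeps the check usable.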
[Screenshot: "Suspicious activity in your account" / "Do you recognize this activity?"]