Sponsored by..

Showing posts with label Leaseweb. Show all posts
Showing posts with label Leaseweb. Show all posts

Tuesday 11 April 2017

Malware spam: "Sprawdź stan przesylki DHL"

This spam targeting Polish victims seems quite widespread. It leads to malware. The email is personalised with the victim's real name which has been harvested from somewhere.

From: DHL Express (Poland) [mailto:biuro@nawigatorxxi.pl]
Sent: Monday, April 10, 2017 7:09 PM
To: [redacted]
Subject: Sprawdź stan przesylki DHL

Sprawdź stan przesylki DHL
Szanowny Kliencie, [redacted]

Informujemy, że w serwisie DHL24 zostało zarejestrowane zlecenie realizacji przesyłki, której jesteś odbiorcą.

Dane zlecenia:
- numer zlecenia:
9653788657

- data złożenia zlecenia:
poniedziałek, 10. kwietnia

Informacje o aktualnym statusie przesyłki znajdziesz na http://dhl24.com.pl/report.html&report=JavaScript&email=[redacted]. (JavaScript Raport)

Niniejsza wiadomość została wygenerowana automatycznie.

Dziękujemy za skorzystanie z naszych usług i aplikacji DHL24.

DHL Parcel (Poland)

UWAGA: Wiadomość ta została wygenerowana automatycznie. Prosimy nie odpowiadać funkcją Reply/Odpowiedz 

The link goes to a malicious Javascript [example here] [Malwr report] which downloads a binary from:

freight.eu.com/download3696 (159.100.181.107 - World Wide Web Hosting LLC, Netherlands)

..this has a detection rate of 10/60. This Malwr report plus observed activity show traffic to the following IPs and ports:

5.196.73.150:443 (OVH, France)
31.220.44.11:8080 (HostHatch, Netherlands)
46.165.212.76:8080 (Leaseweb, Germany)
109.228.13.169:443 (Fasthosts, UK)
119.82.27.246:8080 (Tsukaeru.net, Japan)
173.230.137.155:8080 (Linode, US)
173.255.229.121:443 (Linode, US)
203.121.145.40:8080 (Pacific Internet, Thailand)
206.214.220.79:8080 (ServInt, US)


There may be other phone home locations not observed.

Recommended blocklist:
5.196.73.150
31.220.44.11
46.165.212.76
109.228.13.169
119.82.27.246
159.100.181.107
173.230.137.155
173.255.229.121
203.121.145.40
206.214.220.79





Tuesday 31 May 2016

Malware spam: "You have 1 new message from bank manager. To read it, please open the attachment down below. "

This fake financial spam has a malicious attachment:

From:    Lanna Weall
Date:    31 May 2016 at 12:18
Subject:    New Message from your bank manager

You have 1 new message from bank manager. To read it, please open the attachment down below. 
In the sample I saw there was an attachment see_it_77235678.zip containing a malicious script warning_letter_Bdrh5W.js (detection rate 4/57) and the Malwr analysis of that sample shows that it downloads a binary from:

pvprojekt.pl/oLlqvX

The dropped binary is Locky ransomware with a detection rate of 4/56. All those reports plus these analyses [1] [2] [3] show network traffic to:

85.17.19.102 (Leaseweb, Netherlands)
195.154.69.90 (Iliad Entreprises, France)
93.170.123.60 (PE Gornostay Mikhailo Ivanovich / time-host.net, Ukraine)


A trusted source (thank you) indicated that there was a earlier Locky campaign today with the following donwload locations:

101consult.com/zZVPJj
adrianschubert.pl/7s56K8
affinityee.com/jkpziP
akcord.com/R4yjhg
alex-makhinin.ru/hPBy2R
altezzatrio.com/aAS841
amande-concerts.de/LNfOKy
amansur.com/sJIEQB
andresvazquez.net/1UaAWY
arajinqayler.com/V8lL2k
asworkstation.com/1Cq0Kk
baidainhatrang.xyz/bA2xZO
balifashion.ru/FMGbdV
belov24.ru/1msPTS
bestplumbersindallas.com/UZmYow
betulbasol.com/jmS4ts
bitcoinprservices.com/4Xc6Fy
canale78.it/I52NbK
c-a-r.at/QSa8sI
fm2030.us/BznLrm
handmee.com/hIPTXx
jestempiotr.pl/IiJlGp
kickoff.ru/WNwvki
kontarkum.org/Lntxhy
ktistakis.com/UHqig6
kvarcevaya-lampa.ru/fC9qZW
kwweb.it/tNTjZ2
ladohumano.cl/bnmYOE
leatherberryconsulting.com/gXTND7
lidgroup.ru/vV9c7l
lizdion.net/9cRXIl
makarenkostyle.net/IJlEqC
marca-ce.com/n859VM
maridadiproperties.com/pQIJGB
mckinleyhigh.org/lhAfaC
metakino.ru/onryuE
metaldesign.info/o12QeD
minutemanpress-randburg.co.za/UXJnqs
most.org.mk/oiNWQ0
muslimdate.com/mlB3PW
noplacelikejones.com/hati3x
norisys.com/EwX0sO
nwa-dizel.ru/D8kTfA
ohmyg-o-d.info/Ns4gf5
pasit.heutagon.com/PyG0Oc
pgcommunitycab.com/FAlx1b
polibloki.ru/nbTURt
primeautoglass.co.nz/wMcW5Z
puliziafacile.it/JvZ9cX
pvprojekt.pl/oLlqvX
quotidianieriviste.com/WIKuLk
redcurrantjobs.co.uk/9cgwZ5
revista.motociclismo.es/4HgJ7t
riobrancoperu.org/B3AlqT
rockmind.pl/bg6kKf
rotaharita.com/5NmH3b
sanariumspb.ru/Xm9xul


Recommended blocklist:
85.17.19.102
195.154.69.90
93.170.123.60


Thursday 17 March 2016

Malware spam: "Remittance Adivce" from random senders

This fake financial spam has a malicious attachment and poor spelling in the subject field.

From:    Booth.Garth19@idsbangladesh.net.bd
Date:    17 March 2016 at 09:17
Subject:    Remittance Adivce


Please find attached a remittance advice for payment made yo you today.

Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.

Kind Regards

Garth Booth
Sender names, contact number and attachment names vary, but I have seen just a single variant of the attachment with a VirusTotal detection rate of 1/55. The Malwr report for this sample sees a download from:

bakery.woodwardcounseling.com/michigan/map.php

This download location is almost certainly completely malicious, and is hosted at:

217.12.199.94 (ITL, Ukraine)

This dropped file has a detection rate of 3/56. That VirusTotal and this Malwr report indicate network traffic to:

38.64.199.33 (PSINet, Canada)
188.93.239.28 (DotSi, Portugal)


The payload is uncertain, but it could be the Dridex banking trojan.

UPDATE

The DeepViz analysis  also shows traffic to:

85.17.155.148 (Leaseweb, Netherlands)

Recommended blocklist:
217.12.199.94
38.64.199.33
188.93.239.28
85.17.155.148

Thursday 10 March 2016

Malware spam: "GreenLand Consulting – Unpaid Issue No. 58833"

This fake financial spam comes with a malicious attachment:

From:    Jennie bowles
Date:    10 March 2016 at 12:27
Subject:    GreenLand Consulting – Unpaid Issue No. 58833

Dear Client!

For the third time we are reminding you about your unpaid debt.

You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.

We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.

Otherwise we will have to start a legal action against you.

Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St
FL 58833
928-429-4994


Details on the individual emails vary. Attached is a ZIP file which contains one of a variety of malicious scripts (sample VirusTotal results [1] [2] [3] [4]). According to these Malwr reports [5] [6] [7] these scripts attempt to download a malicious binary from the following locations:

http://hellomississmithqq.com/69.exe?1
http://hellomississmithqq.com/80.exe?1
http://mommycantakeff.com/69.exe?1
http://mommycantakeff.com/80.exe?1


These sites are hosted on:

142.25.97.48 (Province of British Columbia, Canada)
185.118.142.154 (Netmarlis Hosting, Turkey)
78.135.108.94 (Sadecehosting, Turkey)
74.117.183.252 (WZ Communications, US)
91.243.75.135 (Martin Andrino Ltd, Netherlands)


This Malwr report and this Hybrid Analysis shows communications with:

91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
149.154.157.14 (EDIS, Italy)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
178.162.214.146 (Leaseweb, Germany)


The two executables seem different (VirusTotal results [1] [2]). It looks like it might be dropping both ransomware (Teslacrypt perhaps) and Dridex (banking trojan) alternately.

These domains are also associated with some of the IPs. Consider them all to be evil:

t54ndnku456ngkwsudqer.wallymac.com
spannflow.com
hrfgd74nfksjdcnnklnwefvdsf.materdunst.com
howareyouqq.com
blablaworldqq.com
fromjamaicaqq.com
hellomydearqq.com
witchbehereqq.com
arendroukysdqq.com
itisverygoodqq.com
goonwithmazerqq.com
helloyoungmanqq.com
invoiceholderqq.com
mafianeedsyouqq.com
lenovomaybenotqq.com
lenovowantsyouqq.com
hellomississmithqq.com
thisisyourchangeqq.com
www.thisisyourchangeqq.com
ogxl0vcjum.thisisyourchangeqq.com
gutentagmeinliebeqq.com
hellomisterbiznesqq.com

Recommended blocklist:
142.25.97.48
185.118.142.154
78.135.108.94
74.117.183.252
91.243.75.135
91.195.12.131
149.154.157.14
151.236.14.51
37.235.53.18
78.40.108.39
178.162.214.146



Wednesday 8 April 2015

Malware spam: "Invoice from COMPANY NAME" / 31.24.30.12 / 46.30.43.102

This Dridex spam takes a slightly different approach from other recent ones. Instead of attaching a malicious Office document, it downloads it from a compromised server instead.

The example I saw read:
From:    Mitchel Levy
Date:    8 April 2015 at 13:45
Subject:    Invoice from MOTHERCARE

Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.

Download your invoice here.

Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.

Mitchel Levy, MOTHERCARE
The link in the email has an address using the domain afinanceei.com plus a subdomain based on the recipients email address. It also has the recipients email address embedded in the URL, for example:

http://victimbfe.afinanceei.com/victim@victim.domain/

This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:

I guess perhaps the bad guys didn't notice "Califonia Institute of Technology" written behind "Information Management Systems & Services". The link in the email downloads a file from:

http://31.24.30.12/api/Invoice.xls

At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http://31.24.30.12/api/ shows a fake page pretending to be from Australian retailer Kogan.



As you might guess, Invoice.xls contains a malicious macro [pastebin] but the real action is some data hidden in the spreadsheet itself:


That's pretty easy to decode, and it instructs the computer to download a malicious binary from:

http://46.30.43.102/cves/kase.jpg

This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC.

This binary has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] [4] show it communicating with the following IPs:

109.74.146.18 (VNET a.s., Bulgaria)
176.81.92.142 (Telefonica, Spain)
147.96.6.154 (Universidad Complutense De Madrid, Spain)
199.201.121.169 (Synaptica, Canada)
210.205.126.189 (Nowonwoman, Korea)
37.58.49.37 (Leaseweb, Germany)
87.117.229.29 (iomart, UK)
108.61.189.99 (Choopa LLC, US)
116.75.106.118 (Hathway, India)
107.191.46.222 (Choopa LLC, Canada)

In addition there are some Akamai IPs which look benign:

184.25.56.212
184.25.56.205
2.22.234.90

According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack.

Recommended blocklist:
109.74.146.18
176.81.92.142
147.96.6.154
199.201.121.169
210.205.126.189
37.58.49.37
87.117.229.29
108.61.189.99
116.75.106.118
107.191.46.222
46.30.43.102
31.24.30.12

MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478

UPDATE 1:

There is at least one other server at  95.163.121.22 (Digital Networks CJSC aka DINETHOSTING, Russia) being used as a location to click through to (I recommend you block the entire 95.163.121.0/24 range). Between those two servers I can see the domains listed below in use. I suspect that there are others given the limited alphabetic range

abiliingfinance.com
abilingffinance.com
abilingfienance.com
abilingfinaance.com
abilingfinancee.com
abilingfinancey.com
abilingfinnance.com
abilingggfinance.com
abilinngfinance.com
afinanccebifling.com
afinanccebiling.com
afinanceas.com
afinancebbi.com
afinancebill.com
afinancecc.com
afinanceebb.com
afinanceei.com
afinancei.com
afinanceobilhing.com
afinanceobiling.com
afinanceqbilzing.com
afinancesh.com
afinancewbidling.com
afinanceyer.com
afinancrebiling.com
afinancrebixling.com
afinandebiling.com
afinangebiling.com
afinangebilqing.com
afinanrebileing.com
afinanrebiling.com
afinansebiling.com
afinansebilling.com
afinanwebiling.com
afinanwebilsing.com
asfinancebbi.com
asfinancebill.com
asfinancecc.com
asfinancee.com
asfinanceebb.com
asfinanceei.com
asfinancei.com
asfinancesh.com
asfinanceyer.com
assfinanceas.com
bbbilingfinancee.com
bbiliingfinance.com
bbilingffinance.com
bbilingfienance.com
bbilingfinaance.com
bbilingfinancee.com
bbilingfinancey.com
bbilingfinnance.com
bbilingggfinance.com
bbilinngfinance.com
bbillingfinance.com
biliingfinance.com
bilingffinance.com
bilingfienance.com
bilingfinaance.com
bilingfinancee.com
bilingfinancey.com
bilingfinnance.com
bilingggfinance.com
bilinngfinance.com
cfinanccebifling.com
cfinanceobilhing.com
cfinanceqbilzing.com
cfinancewbidling.com
cfinancrebixling.com
cfinandebilping.com
cfinangebilqing.com
cfinansebilling.com
cfinanwebilsing.com
financcebifling.com
financcebiling.com
financeobilhing.com
financeobiling.com
financeqbilzing.com
financewbidling.com
financewbiling.com
financrebiling.com
financrebixling.com
finandebilping.com
finangebiling.com
finangebilqing.com
finanrebileing.com
finanrebiling.com
finansebiling.com
finansebilling.com
finanwebiling.com
finanwebilsing.com

Thursday 2 April 2015

Malware spam: "Scanned document from HP/Brother/Epson Scanner [87654321]"

These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment.

Now.. if you are reading this then you are probably not the sort of person who would open an unsolicited message of this sort. Would you?

From:    Cindy Pate [Caroline.dfd@flexmail.eu]
Date:    2 April 2015 at 11:09
Subject:    Scanned document from HP Scanner [66684798]

Reply to: HP-Scanner@flexmail.eu
Model:KX-240NGZDC
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Sterling Hoffman [Lara.dc4@astroexports.com]
Date:    2 April 2015 at 11:00
Subject:    Scanned document from Brother Scanner [07623989]

Reply to: Brother-Scanner@astroexports.com
Model:CG-240NWDUL
Location: 1st Floor Office

File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Manuel Velez [Yesenia.10@acv.nl]
Date:    2 April 2015 at 12:04
Subject:    Scanned document from Epson Scanner [81829722]

Reply to: Epson-Scanner@acv.nl
Model:JS-240NRZYV
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

I have seen three different malicious attachments with low detection rates [1] [2] [3] which appear to contain one of two macros [1] [2] which download a further component from one of the following locations:

http://93.158.117.163:8080/bz1gs9/kansp.jpg
http://78.47.87.131:8080/bz1gs9/kansp.jpg


Those servers are almost definitely malicious in other ways, the IPs are allocated to:

93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)

This is then saved as %TEMP%\sdfsdffff.exe which has a VirusTotal detection rate of just 1/56. Automated analysis [1] [2] [3] indicates that it calls home to:

188.120.225.17 (TheFirst-RU, Russia)
92.63.88.83 (MWTV, Latvia)
121.50.43.175 (Tsukaeru.net, Japan)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
82.151.131.129 (Doruknet, Turkey)
46.19.143.151 (Private Layer Inc, Switzerland)
45.55.154.235 (Digital Ocean, US)
195.130.118.92 (University Of Ioannina, Greece)
199.201.121.169 (Synaptica, Canada)
95.211.168.10 (Leaseweb, Netherlands)
222.234.230.239 (Hanaro Telecom, Korea)

Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.

Recommended blocklist:
188.120.225.17
92.63.88.0/24
121.50.43.175
95.163.121.0/24
82.151.131.129
46.19.143.151
45.55.154.235
195.130.118.92
199.201.121.169
95.211.168.10
222.234.230.239
93.158.117.163
78.47.87.131

MD5s:
96f3aa2402daf9093ef0b47943361231
cff4b8b7f9adf1f5964b495a8116d196
68fb9aadda63d18f1b085d5bd8815223
64fa6501bd4d32b2958922598008ca96


Wednesday 1 April 2015

Malware spam: "Batchuser BATCHUSER [ecommsupport@cihgroup.com]" / "CIH Delivery Note 0051037484"

The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment.

From:    Batchuser BATCHUSER [ecommsupport@cihgroup.com]
Date:    31 March 2015 at 09:15
Subject:    CIH Delivery Note 0051037484

**********************************************************************
This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD

**********************************************************************
Apart from the disclaimer there is no body text. If you do as the disclaimer says and run attached Word document (CIH Delivery Note 0051037484.doc) through an anti-virus product then it will appear to clean, but it actually contains this malicious macro [pastebin] which downloads a component from:

http://www.tschoetz.de/122/091.exe

This is saved as %TEMP%\stoiki86.exe. There are usually two or three different download locations, but they will all lead to the the same binary which in this case has a detection rate of 5/56.

Various automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
37.139.47.81 (Comfortel Ltd / Pirix, Russia)
72.167.62.27 (GoDaddy, US)
212.227.89.182 (1&1, Germany)
46.228.193.201 (Aqua Networks Ltd, Germany)
46.101.49.125 (Digital Ocean Inc, Netherlands)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc, US)
95.211.184.249 (Leaseweb, Netherlands)

According to this Malwr report it also drops another version of the downloader [VT 4/57] and a malicious DLL which will almost definitely be Dridex [VT 2/57].

Recommended blocklist:
91.242.163.70
37.139.47.81
72.167.62.27
212.227.89.182
46.228.193.201
46.101.49.125
198.245.70.182
95.211.184.249

Friday 12 December 2014

wavecable.com "Order - R58551" spam

This fake invoice comes with a malicious attachment.

From:    kaybd2@wavecable.com
Date:    12 December 2014 at 17:17
Subject:    Order - R58551

Thanks for placing order with us today! Your order is now on process.



Outright Purchase: 6949 US Dollars

Please click the word file provided below to see more details about your order.

BILLING DETAILS

Order Number: ZJW139855932
Purchase Date: 13.07 11.12.2014
Customer Email: info@[redacted]

Attached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56 on VirusTotal. That contains this macro [pastebin] which downloads an executable from:

http://www.2fs.com.au/tmp/rkn.exe

That has a VirusTotal detection rate of 5/55. The Malwr report shows HTTP traffic to the following URLs:

hxxp://5.187.1.78/
hxxp://46.250.6.1/yQ0rNl=kQUO%2C/Uy.%20%206vPh/sGiK2LtSiX75BirV=%3DyaE%2D0jZ5/
hxxp://46.250.6.1/QO&KN@tZOvZ%2Ba/JW/wI%20%3FqZCSz&CH
hxxp://46.250.6.1/lgXM77$&N~/fn0R&OPvY/0%26EySg.2
hxxp://46.250.6.1/BJHWvUNBFb%7E8FS7%20/ku_%2CLOZC/%3DA%26S@R%2CRsl
hxxp://46.250.6.1/hjr5mo3/Jx%2C%3DKciOwsc0h.ICAQCFqbLFj6Q6bvtk&2/%3F%2DcG~k1R%2Cfu%2Djty&Kch2t~I
hxxp://46.250.6.1/1o26ZIXNlEyK/68G%2DvlteIkwiQ~WG%2C9/qFcRXJ9%24FHkr
hxxp://46.250.6.1/ISTfN%3D%2BpR6z/sV3sFy=/&rwxy/8
hxxp://46.250.6.1/fBuw/4%241PoLX5P=ThT4Hyzu/wbkj9q/zTt
hxxp://46.250.6.1/StKeINKIun6v$l0%2478bpb=1.8S%2B/q~S%2BcrS%24F%24y/@HA%2B7e%7EK%2Bp1HeQ3l_Qlc/L
hxxp://5.135.28.106/riBmIaB8bRi/sb1VvM/U=_=/PPa
hxxp://46.250.6.1/fCBz41ytqa.%2DjS8cj_rj=m%2Dzuxyr/lcvsbBxg%2Dsx%2DfS/%3D7lus%3F7e%3D%2D2.ou61s~
hxxp://46.250.6.1/zkzwh6f08q+e%2Dj%26rf.21/96ih%2D4.lhse8%20x8kgn%2B/59f3%7Ef+j%7Es%3D=w%2C+z91o
hxxp://46.250.6.1/yw1oy1pkp2+f%20au%26p@%2D/fmqyfl=zerhywesazsz2&s%2C%24%24%2Csv@k=+sqvs%3F%7Ep/

The ThreatExpert report shows POSTing to 209.208.62.36:8080

Combining some extra lookup in the Malwr report indicates that these following IPs are suspect:

209.208.62.36 (Atlantic.net, US)
5.187.1.78 (Fornex Hosting, Germany)
46.250.6.1 (Briz, Ukraine)
5.135.28.106 (OVH, France)
66.213.111.72 (Ohio Public Libraries, US)
95.211.188.129 (Leaseweb, Netherlands)

A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.

Recommended blocklist:
209.208.62.36
5.187.1.78
46.250.6.1
5.135.28.106
66.213.111.72
95.211.188.129


Wednesday 8 October 2014

Malware spam: Lloyds "Important - Commercial Documents" and NatWest "You have a new Secure Message"

There's a familiar pattern to this malware-laden spam, but with an updated payload from before:

Lloyds Commercial Bank: "Important - Commercial Documents"


From:     Lloyds Commercial Bank [secure@lloydsbank.com]
Date:     8 October 2014 11:09
Subject:     Important - Commercial Documents

Important account documents

Reference: C437
Case number: 66324010
Please review BACs documents.

Click link below, download and open document. (PDF Adobe file)
----------------------
http://01silex.com/dropbox/document.php
-----------------------

Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .

Yours faithfully

James Vance
Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email.

NatWest: "You have a new Secure Message - file-2620"


From:     NatWest [secure.message@natwest.com]
Date:     8 October 2014 10:29
Subject:     You have a new Secure Message - file-2620


You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )


Please download your ecnrypted message at:

http://cookierunid.com/dropbox/document.php

(Google Disk Drive is a file hosting service operated by Google, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 3068.

The link in the email runs through a script which will attempt to download a ZIP file pdf-to-view_864129_pdf.zip onto the target machine which in turn contains a malicious executable pdf-to-view_864129_pdf.exe which has a VirusTotal detection rate of 6/53.

The Malwr report indicates that the malware phones home to the following locations which are worth blocking, especially 94.75.233.13 (Leaseweb, Netherlands) which looks like a C&C server.

94.75.233.13:37400/0810uk1/HOME/0/51-SP3/0/
94.75.233.13:37400/0810uk1/HOME/1/0/0/
94.75.233.13:37400/0810uk1/HOME/41/5/1/
cemotrans.com/seo/0810uk1.soa


Wednesday 12 June 2013

Malware sites to block 12/6/13

This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway.

Hosts involved:
5.175.157.110 (GHOSTnet, Germany)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal Communication Tech. Co., China)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
46.165.248.117 (Leaseweb, Germany)
49.212.221.29 (Sakura Internet Inc., Japan)
50.56.216.124 (Rackspace, US)
50.57.166.222 (Slicehost, US)
59.42.10.172 (Guangdong Tuosi Software Science Garden, China)
67.159.12.94 (FDCservers, US)
67.202.109.141 (Steadfast Networks, US)
67.215.2.251 (Colo-Serv Communications, Canada)
77.237.190.22 (Parsun Network Solutions, Iran)
81.252.120.250 (Collectivit Locale , France)
83.136.249.108 (Sigmatic Oy, Finland)
85.17.178.56 (Leaseweb, Netherlands)
85.26.31.60 (Brutele SC, Belgium)
85.201.12.244 (Brutele SC, Belgium)
86.84.0.11 (Planet Technologies, Netherlands)
88.80.222.73 (Alfahosting, Germany)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
95.143.41.16 (Inline Internet / VPS4less, Germany)
95.170.95.142 (TransIP, Netherlands)
109.95.23.4 (Kvartal Plus Ltd, Russia)
109.129.225.68 (Belgacom / Skynet, Belgium)
110.78.147.173 (CAT Telecom, Thailand)
111.93.156.171 (Tata Teleservices, India)
112.170.169.56 (Korea Telecom, Korea)
114.4.27.219 (IDIA Kantor Arsip MKS, Indonesia)
116.3.3.200 (China Unicom, China)
119.147.137.31 (China Telecom, China)
141.28.126.201 (Hochschule Furtwangen, Germany)
143.107.220.160 (Universidade De Sao Paulo, Brazil)
151.1.224.118 (ITnet, Italy)
159.90.91.179 (Universidad Simon Bolivar, Venezuela)
159.253.18.253 (FastVPS, Estonia)
160.75.169.49 (Istanbul Technical University, Turkey)
164.77.149.237 (Isapre Banmedica, Chile)
172.8.24.9 (Angela Curtolo DBA / AT&T, US)
172.246.16.27 (Enzu Inc, US)
177.84.128.54 (Informática Ltda, Brazil)
177.86.131.18 (Prime Telecomunicacoes Ltda, Brazil)
177.124.195.202 (Mundivox Do Brasil Ltda, Brazil)
178.16.216.66 (Gabrielson Invest AB, Sweden)
181.52.237.17 (Telmex, Colombia)
183.82.221.13 (Hitech / Beam Telecom, India)
184.82.115.37 (HostNOC, US)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
187.33.48.12 (GTi Telecomunicacoes Ltda, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
192.64.80.143 (Interserver, US)
192.210.216.90 (ColoCrossing, US)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.199.93.55 (Digital Ocean, US)
200.3.153.91 (Pontificia Universidad Javeriana, Colombia)
200.87.177.124 (EntelNet, Bolivia)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
202.29.242.249 (UniNet, Thailand)
202.31.139.173 (Kum Oh National University Of Technology, Korea)
203.64.69.52 (Taiwan Academic Network, Taiwan)
203.157.216.77 (Information Technology Office, Thailand)
208.68.36.11 (Digital Ocean, US)
210.42.103.141 (Wuhan Urban Construction Institute, China)
213.74.79.236 (Superonline, Turkey)
216.172.102.230 (EBL Global Networks, US)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Plain IPlist for copy-and-pasting:
5.175.157.110
41.89.6.179
42.62.29.4
46.18.160.86
46.165.248.117
49.212.221.29
50.56.216.124
50.57.166.222
59.42.10.172
67.159.12.94
67.202.109.141
67.215.2.251
77.237.190.22
81.252.120.250
83.136.249.108
85.17.178.56
85.26.31.60
85.201.12.244
86.84.0.11
88.80.222.73
93.89.235.13
95.143.41.16
95.170.95.142
109.95.23.4
109.129.225.68
110.78.147.173
111.93.156.171
112.170.169.56
114.4.27.219
116.3.3.200
119.147.137.31
141.28.126.201
143.107.220.160
151.1.224.118
159.90.91.179
159.253.18.253
160.75.169.49
164.77.149.237
172.8.24.9
172.246.16.27
177.84.128.54
177.86.131.18
177.124.195.202
178.16.216.66
181.52.237.17
183.82.221.13
184.82.115.37
186.215.126.52
188.32.153.31
187.33.48.12
190.93.23.10
192.64.80.143
192.210.216.90
193.254.231.51
196.1.95.44
198.199.93.55
200.3.153.91
200.87.177.124
201.65.23.153
202.29.242.249
202.31.139.173
203.64.69.52
203.157.216.77
208.68.36.11
210.42.103.141
213.74.79.236
216.172.102.230
217.174.211.1
222.200.187.83

Identified malicious domains:
abacs.pl
autotradeguide.net
avastsurveyor.com
balckanweb.com
biati.net
bnamecorni.com
businessdocu.net
buyparrots.net
citysubway.net
cocainism.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
diodmobilered.com
docudat.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
fastkrug.ru
federal-credit-union.com
freemart.pl
freenico.net
genown.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
hiddenhacks.com
historuronded.com
icensol.net
ingrestrained.com
inutesnetworks.su
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
lorganizedcue.com
ludena.ru
mantuma.pl
marvelfilms.net
mortolkr4.com
mslatearrival.com
multipliedfor.com
myhispress.com
nipiel.com
nvufvwieg.com
onlinedatingblueprint.net
otoperhone.com
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
privat-tor-service.com
proxy-tor-service.com
relectsdispla.com
relectsdispla.net
reportingglan.com
safe-browser.biz
safe-time.net
salesplaytime.net
secondfiddleu.com
securepro7.ru
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
smurfberrieswd.su
sngroup.pl
solarmiracles.net
techno5room.ru
televisionhunter.com
testerpro5.ru
thinkindi.net
tor-connect-secure.com
trleaart.net
twinkniche.net
twintrade.net
ukbarbers.net
unixawards.net
usergateproxy.net
usforclosedhomes.net
vip-proxy-to-tor.com
well-tailored.net
wmlawoffice.net
yelpwapphoned.com

Tuesday 26 March 2013

eFax Corporate spam / hjuiopsdbgp.ru

This fake eFax spam leads to malware on hjuiopsdbgp.ru:

Date:      Tue, 26 Mar 2013 06:23:36 +0800
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Pages.htm



Fax Message [Caller-ID: 378677295]

You have received a 59 pages fax at Tue, 26 Mar 2013 06:23:36 +0800, (954)-363-5285.

* The reference number for this fax is [eFAX-677484317].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.
The attachment Efax_Pages.htm leads to a malicious payload at [donotclick]hjuiopsdbgp.ru:8080/forum/links/column.php (report here) hosted on the following IPs:
66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:
66.249.23.64
69.46.253.241
95.211.154.196
hohohomaza.ru
humarikanec.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
hjuiopsdbgp.ru
heepsteronst.ru


Monday 25 March 2013

"Scan from a HP ScanJet" spam / humaniopa.ru

This fake printer spam leads to malware on humaniopa.ru:

Date:      Mon, 25 Mar 2013 03:57:54 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Scan from a HP ScanJet #928909620
Attachments:     Scanned_Document.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 98278P.

Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set
The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:
66.249.23.64
72.11.155.182
72.167.254.194
95.211.154.196
hohohomaza.ru
hillaryklinton.ru
hinakinioo.ru
hillairusbomges.ru
humaniopa.ru
humarikanec.ru


Monday 11 February 2013

Something evil on 46.165.206.16

This is a little group of fake analytics sites containing malware (for example), hosted on 46.165.206.16 (Leaseweb, Germany). Sites listed in  red   have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.

adstat150.com
cexstat20.com
katestat77.us
kmstat505.us
kmstat515.us
kmstat530.com
lmstat450.com
mptraf11.info
mptraf2.info
mxstat205.us
mxstat570.com
mxstat740.com
mxstat760.com
rxtraf25.ru
rxtraf26.ru
skeltds.us
vmstat100.com
vmstat120.com
vmstat140.com

vmstat210.com
vmstat230.com
vmstat320.com

Friday 21 December 2012

Malware sites to block 21/12/12

There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection machanism appears to be coming from an unidentifiedad running on the centerblog.net blogging system (I think specifically [donotclick]zezete2.centerblog.net/i-247-136-1356095651.html)

The malware URLs are quite lengthy and appear to be resistant to analysis, in the attack I have seen the following URLs were in use (don't visit these sites, obviously)

[donotclick]svwlekwtaign.avigorstats.pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[donotclick]mcruxdufxwnp.avigorstats.pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/

[break]indicated where I've added a linebreak to get it to fit on the page, remove that and the linebreak for a valid URL.

avigorstats.pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan, but this is just the tip of a huge iceberg of malicious IPs and domains that are all interconnected.

Let's start with my personal recommended blockist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, one plain for for copy and pasting)..

Recommended blockist (annotated):

5.39.121.18 (OVH, Ireland)
5.135.20.2 (OVH, France)
5.135.67.144/28 (MMuskatov / OVH, Belgium)
5.135.67.192/28 (MMuskatov / OVH, Czech Republic)
5.135.97.6 (OVH, Ireland)
5.135.204.16/28 (Shah Sidharth / OVH, Ireland)
5.135.218.32/27 (Shah Sidharth / OVH, France)
5.135.223.96/27 (Shah Sidharth / OVH, France)
5.199.172.0/22 (BALTICSERVERS, Lithunia)
37.9.53.0/24 (Sheludyak-NET, Russia)
37.221.170.88 (Voxility, Romania)
46.28.71.68 (UA Servers, Ukraine)
46.105.102.18 (OVH, France)
46.235.8.175 (Teknik Data Internet Teknolojileri San.Tic.Ltd. Sti., Turkey)
46.249.42.0/24 (Serverius Holding, Netherlands)
62.76.40.0/21 (Rosniiros, Russia)
62.76.176.0/22 (Rosniiros, Russia)
62.76.180.0/24 (Rosniiros, Russia)
62.76.184.0/21 (Rosniiros, Russia)
62.109.0.0/21 (The First, Russia)
62.122.74.0/23 (Leksim, Poland)
63.247.91.188 (Global Net Access, US)
64.120.193.0/24 (HostNOC, US)
78.140.135.128/25 (Webazilla, Gibraltar)
84.200.77.204 (Misterhost, Germany)
85.17.92.146 (Leaseweb, Netherlands)
85.143.166.0/24 (Pirix, Russia)
88.198.30.19 (Hetzner, Germany)
91.201.214.0/23 (PS Internet, Kazakhstan)
91.211.116.0/22 (Zharkov Mukola Mukolayovuch, Ukraine)
91.220.131.0/24 (teterin Igor Ahmatovich, Russia)
91.231.156.0/24 (Sevzapkanat-Unimars, Russia)
91.232.29.70 (Realon Service LLC, Ukraine)
91.235.128.0/23 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
91.238.83.0/24 (Standart LLC, Moldova)
91.243.115.0/24 (Aztec, Russia)
92.46.62.128/25 (Shevchenko Sergey, Kazakhstan)
93.170.13.4 (Alfa Telecom, Czech Republic)
93.170.128.253 (Alfra Telecom, Russia)
95.211.199.34 (Leaseweb, Netherlands)
108.163.188.250 (iWeb, Canada)
142.0.37.60 (VolumeDrive, US)
142.54.183.96/27 (Datashack, US)
146.185.255.0/24 (Petersburg Internet Network Ltd, Russia)
151.248.116.54 (Reg.ru, Russia)
178.162.134.128/26 (Silin-Vitaly-Petrovich, Belarus)
178.162.147.111 (Leaseweb, Germany)
184.82.222.126 (HostNOC, US)
184.82.222.127 (HostNOC, US)
185.4.227.42 (Sayfa.NET, Turkey)
188.93.211.114 (Logol, Russia)
188.190.127.118 (Infium LTD, Ukraine)
188.208.32.0/23 (Ch-net Srl, Romania)
193.107.16.0/22 (Ideal Solution Ltd, Seychelles)
194.62.233.0/24 (Stils Grupp, Russia)
195.3.145.45 (RN Data, Latvia)
195.3.145.51 (RN Data, Latvia)
195.20.141.0/24 (Sigma Ltd, Russia)
195.138.240.0/21 (Creative Telematics & Trade s.r.o., Czech Republic)
198.49.66.159 (Hostdime, US)
198.147.22.69 (Front Range Hosting, US)
199.231.210.231 (Enzu Inc, US)
206.212.240.202 (Colostore, US)
206.212.240.206 (Colostore, US)
206.222.17.136/29 (XLHost, US)
208.88.226.230 (WZ Communitions, US)
208.88.226.231 (WZ Communitions, US)
217.23.11.103 (Worldstream, Netherlands)
217.23.15.110 (Worldstream, Netherlands)

Recommended blockist (Plain list):

5.39.121.18
5.135.20.2
5.135.67.144/28
5.135.67.192/28
5.135.97.6
5.135.204.16/28
5.135.218.32/27
5.135.223.96/27
5.199.172.0/22
37.9.53.0/24
37.221.170.88
46.28.71.68
46.105.102.18
46.235.8.175
46.249.42.10/24
62.76.40.0/21
62.76.176.0/22
62.76.180.0/24
62.76.184.0/21
62.109.0.0/21
62.122.74.0/23
63.247.91.188
64.120.193.0/24
78.140.135.128/25
84.200.77.204
85.17.92.146
85.143.166.0/24
88.198.30.19
91.201.214.0/23
91.211.116.0/22
91.220.131.0/24
91.231.156.0/24
91.232.29.70
91.235.128.0/23
91.238.83.0/24
91.243.115.0/24
92.46.62.128/25
93.170.13.4
93.170.128.253
95.211.199.34
108.163.188.250
142.0.37.60
142.54.183.96/27
146.185.255.0/24
151.248.116.54
178.162.134.128/26
178.162.147.111
185.4.227.42
188.93.211.114
188.190.127.118
188.208.32.0/23
193.107.16.0/22
194.62.233.0/24
195.3.145.45
195.3.145.51
195.20.141.0/24
195.138.240.0/21
198.49.66.159
198.147.22.69
199.231.210.231
206.212.240.202
206.212.240.206
206.222.17.136/29
208.88.226.230
208.88.226.231
217.23.11.103
217.23.15.110

Raw list of malicious IPs:
5.39.121.18
5.135.20.2
5.135.67.145
5.135.67.198
5.135.97.6
5.135.204.19
5.135.204.20
5.135.218.33
5.135.223.127
5.199.174.99
5.199.175.36
5.199.175.59
5.199.175.60
37.9.53.71
37.221.170.88
46.28.71.68
46.105.102.18
46.235.8.175
46.249.42.161
46.249.42.168
62.76.41.75
62.76.41.208
62.76.178.9
62.76.180.191
62.76.184.246
62.76.185.206
62.76.185.211
62.76.186.109
62.109.2.239
62.109.12.166
62.109.16.94
62.122.74.45
63.247.91.188
64.120.193.144
64.120.193.177
64.120.193.218
64.120.193.219
78.140.135.194
78.140.135.195
84.200.77.204
85.17.92.146
85.143.166.87
85.143.166.202
85.143.166.219
88.198.30.19
91.201.215.173
91.211.119.56
91.211.119.63
91.211.119.66
91.211.119.67
91.220.131.67
91.231.156.50
91.231.156.98
91.231.156.188
91.232.29.70
91.235.129.35
91.238.83.46
91.238.83.56
91.243.115.28
92.46.62.252
93.170.13.4
93.189.40.223
93.170.128.253
94.242.219.3
94.242.219.6
95.211.199.34
108.163.188.250
142.0.37.60
142.54.183.110
146.185.255.66
151.248.116.54
178.162.134.138
178.162.134.139
178.162.132.202
178.162.134.198
178.162.134.200
178.162.134.201
178.162.134.202
178.162.134.212
178.162.147.111
178.162.134.141
184.82.222.126
184.82.222.127
185.4.227.42
188.93.211.114
188.190.127.118
188.208.33.10
193.107.17.105
193.107.19.76
194.62.233.26
194.62.233.31
194.62.233.63
194.62.233.79
194.62.233.137
194.62.233.146
194.62.233.171
194.62.233.173
194.62.233.183
194.62.233.242
195.3.145.45
195.3.145.51
195.20.141.22
195.20.141.23
195.20.141.85
195.20.141.86
195.138.241.79
195.138.241.88
195.138.241.92
195.138.241.93
195.138.241.95
198.49.66.159
198.147.22.69
199.231.210.231
206.212.240.202
206.212.240.206
206.222.17.138
208.88.226.230
208.88.226.231
217.23.11.103
217.23.15.110

Known malicious domains:
001dtbflutxcy.changeip.org
001vlcjibtwrh.changeip.org
002yfzwqyhhqi.changeip.org
003wceqzsouib.changeip.org
004wifxfqqelw.changeip.org
004wsragrwziy.changeip.org
005litvisulyl.changeip.org
005pqlvqwowvh.changeip.org
005szgfxyhyuf.changeip.org
006epphovwevl.changeip.org
006jowpvflxwu.changeip.org
006okqwhyklyg.changeip.org
007gydbgxftcl.changeip.org
007hppoqubtvs.changeip.org
007lvsqhpjtrd.changeip.org
008ftuuqluzoq.changeip.org
008rdzfkykqdv.changeip.org
009g.domaiinn.be
009kkuhgyrazq.changeip.org
009xxqqflqvec.changeip.org
010ipjzyqeuor.changeip.org
017bqelicwssl.changeip.org
020bedzycxryv.changeip.org
020qagbfqxtzq.changeip.org
021lkukzxbuuu.changeip.org
022xwsejqchre.changeip.org
023qrgoreztit.changeip.org
023zqpiblrfso.changeip.org
024vkaoabwhsf.changeip.org
025cldzpffyvl.changeip.org
026cocyjbhahg.changeip.org
027yzlofltfyp.changeip.org
16nnb7b.gm9.com
17vfdvr.gm9.com
2012-2013.org
3d27bc5173b799ec363ebb6a.mine.nu
42f0e25d8baf2c5df64842f5.merseine.nu
555flashpoker.com
555flashpoker.info
555flashpoker.me
555flashpoker.net
7domaindns.com
888flashpoker.com
888flashpoker.info
8domaindns.com
8xvideos-tube.com
8xvideos-tube.info
8xvideos-tube.mobi
a0246d72.mayhemavz.pro
a1000000.mayhemavz.pro
a2b3490dc28df6ec1db21d10.merseine.nu
aboutmailmerging.net
accelerationarrangement.info
acclaimny.pro
acquiringhawaiian.asia
addservice.flu.cc
adobestyledives.org
adriano-bull.com
adriano-bull.net
adsquatropower.com
adsquatropower.info
adsquatropower.net
adsquatropower.org
adventureslh.net
ae1830b97080c83176b59c94.mine.nu
af9b7985802bc09fb9e19663.merseine.nu
affairlikely.net
agegateguru.net
agelumosityroad.net
ahjlfmm.freewww.biz
ahzhfvfjn.freewww.biz
aimedmetaballs.org
airprintlacks.net
ajsuqhsq.freewww.biz
ajwvnwcm.freewww.biz
aktsf.freewww.biz
alhmzpxsdtj.net
altsjhin.mynumber.org
amountinterrupting.pro
analytics-djmusic-online.de
ananasert.cu.cc
anbab.freewww.biz
anti-carding.info
antivirusscleanuponly.info
approximatelyshopkeepers.net
appsfordefaultappear.pro
aqxetx.freewww.biz
archaicpatron.asia
areoperations.net
arltdbsg.freewww.biz
armiesboxes.info
arndlink.com
arny.nazleennoor.com
artilleryupgrading.com
asefeferea.uni.me
asifq.freewww.biz
asimuthstats.pro
associatesgymnastic.asia
astrotester.com
attataponger.ru
audiodevelop.net
auraletterandnumber.org
authoringtriplecore.net
autoplaycyberdrive.info
avenuerequests.net
avigorstats.pro
axis.lenuerry.com
bajoqavu.tk
ballfill.net
baltes.verikanam.com
barpoxert.cu.cc
basun.lenuerry.com
bathtubdanger.net
bazarafcantoscabiz.com
bctwqsgcu.freewww.biz
bdslength.net
beansreschedule.com
beautifullytriangulate.info
bedtimeroes.pro
begpkcd.freewww.biz
bellevident.pro
bestcountstat.com
bestlastnest.asia
besttipscars.info
beta.lenuerry.com
betterlookingflabby.org
bhrhrim.freewww.biz
bicyclesteachers.info
bicyclingsecondfastest.pro
bigprobivbig.net
billtrackerremoval.info
biosopers.pro
bioticshypermodular.org
bitsrentr.pro
bizon.verikanam.com
bkuoq.freewww.biz
blanki-basa.info
bliclink.com
blikke.verikanam.com
blogtoolonsteroidscreations.net
bmfield.pro
bmgdrive.net
bobodrive.info
bobson7ka.pro
bomba.bonocchio.com
brandnewtransfer.pro
brandsanalog.info
breakingretouching.net
bregfxul.mynumber.org
brighterintuitiveness.info
browsecomplaints.org
brtrampolines.biz
brustramestra.org
buenos-varilias.com
bufferlumia.info
bunat.verikanam.com
buttonjp.org
c446fe861bdb8a2bbea44022.merseine.nu
cakuxeco.tk
calderatextletting.net
campaignmanagementmoneys.info
candyruns.pro
cantothemebased.pro
canyoninstructed.net
capricioussample.info
carswhilestaff.biz
cassettesbeauty.org
caubqj.freewww.biz
cdsbandwidthsaving.info
cejinayu.tk
centurylogmeinnow.net
cfarcto.freewww.biz
cheapbiotics.info
cheche.jrm-enterprises.com
checklistearpiercing.net
chidedpointofinterest.pro
cilidep.tk
cityscaperollbacks.net
ciwabiha.tk
clackt.freewww.biz
clarificationspackages.info
classbasecamp.pro
clckllink.com
clean-service.info
clearlydefinedjr.net
click2click.pro
click4click.org
clipboardbarely.pro
closedeasy.net
cloudtalkepicture.info
cloutremote.asia
cmesrearranged.pro
cogsfeet.net
cohostedpareddown.pro
coincidentlyreduce.net
collaborativerationals.info
collectingtabletfriendly.info
collectionsbleeding.pro
combinedbecause.org
common.thebattleroyal.com
conductinability.net
consciousnessmobileoptimized.info
constructionverified.org
contentdeliveryworldwide.pro
contentnomasterwork.net
convenienceconclusions.org
conversionitlegendary.info
convertervocal.net
corantipursue.info
correspondingpchoused.net
counterattackaltercast.asia
courseworktitanium.net
coxmxvku.freewww.biz
creast.afkepock.com
crosscountrypertinent.info
crossingpivot.info
crustwatch.com
crytprodom.net
cullinghenry.pro
curmudgeonlowerquality.net
cutlongurls.com
cwnddazt.freewww.biz
czxsazzz.cu.cc
dapuyok.tk
darkroomimageport.info
data.fossilflour.org
datcikas.co.uk
dazzlingthirst.info
dbzptwxhm.freewww.biz
dc21.asia
dckikyas.1dumb.com
dcrriklc.freewww.biz
ddbnbmpt.freewww.biz
dealingcas.pro
delawareriveromainssinglwwerx.com
delivercdn.com
demonstratepowerfully.net
denialdeduplication.net
densepromissory.info
deomainssinglwwerx.net
departuresheettogo.asia
dependenciesusers.net
deraman.cu.cc
dereteweret.org
desreappear.pro
devicetantalized.pro
dialerseasoned.org
digitalbrio.net
digitalspointsstorys.net
disappointsultra.net
discoverleaving.net
disperseconceptdraw.net
districtagenda.net
dixoxupo.tk
diysweeper.net
dkpjumouz.mynumber.org
dns20number.org
dnsnum10.com
dnsnum11.com
dnsnum12.pro
dnsnum9.com
dnsnumber1.com
dnsnumber14.pro
dnsnumber15.pro
dnsnumber2.com
dnsnumber3.com
docktoolsthe.org
docstogolists.info
docxlassos.net
doggedmask.pro
domaincreations.info
domainjustmails.net
domainscingapurs.net
domainsgweate.net
domainsjinniks.net
domainsnetstatts.net
domainsplaylgtaxes.com
domainsplaylgtaxes.net
domainsrighbind.net
domainssinglargetaxes.net
domainssinglgirs.net
domainssinglsnet.info
domainssinglssin.info
domainssmiles43.net
domainsstressadd.com
domssingomangos.net
downloaderchippers.org
dqytgefar.freewww.biz
dragonocerusfluidity.info
dramaticmacromedia.info
drumspeedthrottled.pro
dunfe.lenuerry.com
durhamdirectory.net
dworddb.com
earnhardtphoto.info
earthnearness.pro
ecwlqx.freewww.biz
edrenbaton.mouseclickcentralization.info
edvbph.freewww.biz
ekvwynlse.freewww.biz
endgameaboveaverage.pro
engagegoto.com
englandcompared.info
enlargement4.pro
enthusiastmystery.net
epsconsisted.pro
esscer47emonyno.rr.nu
essentiallyrepresents.net
estheticsindianapolis.info
etritotube.me
etritotube.mobi
etritotube.net
everpresentoctave.net
evngiaca.freewww.biz
examiningstores.org
excludedsure.pro
execpragues.net
expansionletter.net
experimentalsatellitecommunicationsprojectlaunchedinindia.info
eyebrowsprefilled.pro
f8u5.asia
fabulouszen.net
fallokidor.org
fastgreendns.com
fastum.gm9.com
favorablestarted.pro
faxesworry.asia
fbjvbkjp.freewww.biz
featuresconverter.asia
fedrekpolik.org
feedbacvolcanoes.pro
fenoqere.tk
ffffoundbirthdate.org
fgjcctg.cu.cc
fhpbuqac.freewww.biz
fiendishtask.info
figuringdictating.net
fillinjabber.net
filmeducators.net
finddomainsdicr.net
finlandfires.info
flierstrusting.biz
floodedhomeplus.net
flrkcyoln.almostmy.com
flvagye.freewww.biz
flyport.nut.cc
foldersmodify.org
force.verikanam.com
formsbasedscreeners.asia
forum-pro-siski.info
frameratepekingese.pro
freeexpenditure.pro
frustratedrosetta.pro
fssdnk.freewww.biz
ftycik.freewww.biz
fulllengthunderdahl.info
gabon.lenuerry.com
gaepovzsdr.cu.cc
gainskeeper.asia
gamesduoswin9.info
gaplessaddremove.info
gduobyc.freewww.biz
gefilteheadway.pro
geographiccomplicating.net
germen.almostmy.com
gfydjpo.freewww.biz
ghanaembassyusa.com
ghostauthority.info
gitro.lenuerry.com
gkluyc.freewww.biz
global.usa.cc
gobangwriterson.com
godutegodozybat.org
goldclick.pro
good.timepiece-locator.com
googlenilesrt.net
governingjerk.org
gpuep.freewww.biz
grainscatching.net
grauezonen.com
grauezonen.net
greatctrlaltdel.pro
gretta.pcanywhere.net
gsshphwbn.freewww.biz
gttrle.freewww.biz
guaranteesroman.net
gwqpx.freewww.biz
gybphqhwf.mynumber.org
gyukrmmw.itsaol.com
halfdozendesktop.asia
hanskohlerltd.com
hanskohlerltd.net
harddrivedeepens.pro
hatsvisuals.org
haventons.org
hazardstweet.pro
hcsqhop.freewww.biz
hearingcertificate.info
heartshapedradiosity.info
heatcycle.asia
hecticearning.pro
heellowtech.pro
hellousers.mobimexa.ro
hesdr.org
highflyingmotivates.info
highresfunnel.pro
hihuvay.tk
hjtqfai.freewww.biz
hjxynh.freewww.biz
hkect.freewww.biz
hmirsdwqo.freewww.biz
hmqth.freewww.biz
hobbjnlji.freewww.biz
hocblockable.pro
homegrownphonetic.pro
hoopsvibrate.pro
hornyfile.net
hotelspecificvocalization.info
hreflnk.com
hugo.lenuerry.com
hutren.lenuerry.com
ibbyqkp.freewww.biz
iccyrgfh.mynumber.org
icebergsorts.info
ictrnr.freewww.biz
ifuzlt.freewww.biz
ihazalittleknob.us
ihrtytw.freewww.biz
iirrack.org
ijkguxk.freewww.biz
ikles.lenuerry.com
imanagepooka.pro
imapscans.info
imationbones.net
img.buchananjenkinshyundai.com
img.centralfloridahyundaidealers.com
img.centralfloridaunder10grandautos.com
img.zeitersseptics.com
img.zsuinc.com
impactrelease.pro
importslatenot.info
imrkcm.freewww.biz
incompatiblechoice.info
indocumentgunning.info
infostartbizcher.net
innetrecordf.net
installerhappens.com
intelextraction.org
interesting.moneta.cl
internalcake.asia
internetsdd4.net
internetsdd4.org
internetsturk.net
intervalsselfservice.pro
ioalcsy.freewww.biz
ioragement.net
iphonedata.info
irresponsibletablets.asia
irritatingtrailers.info
isaacdocs.com
iwwcwxjoy.freewww.biz
jafcomuzzle.com
jamdownsizes.info
jaquxedo.tk
jefvqloqs.freewww.biz
jekpot.net
jekpot.org
jexiyohi.tk
jopoplop.cu.cc
joxopzzz.cu.cc
jqkxhv.freewww.biz
jrhhqbgf.freewww.biz
jsccrzo.freewww.biz
jscripttoughgeek.biz
jtalwiwu.freewww.biz
junest.lenuerry.com
justpingmoow.net
juwkulgw.freewww.biz
jxzyi.freewww.biz
kcttqwmg.freewww.biz
kcxqach.freewww.biz
keyboardhigherpriority.pro
keywordrecordrookie.info
kgugoasr.freewww.biz
kimqtpbj.freewww.biz
kiost.lenuerry.com
kjrkbvrws.freewww.biz
kochenmitspass.com
kochenmitspass.net
komat.lenuerry.com
kopan.lenuerry.com
kopcasdf.cu.cc
ksopyt.freewww.biz
kupimiy.tk
kuuiukcd.freewww.biz
kvidzs.freewww.biz
lapuneran.com
lastfmwidescreen.info
lastwestbizz.info
laternotairplanes.org
laxonot.tk
lbd.lenuerry.com
leadingpartymoderateshewasejectedfromaftershesaid.info
leaguedigs.pro
legendpairing.info
lenskuog.freewww.biz
lesgpda.freewww.biz
letterpresssketching.info
levanto-poker.com
levanto-poker.info
levanto-poker.net
levanto-poker.org
lglsuo.freewww.biz
libertybigestnoob.org
linestrate.biz
linusrival.info
lipor.afkepock.com
lipsbylines.pro
listingsnonexecutable.org
litebizzchersearch.org
liteklick.com
litenames.com
littleknobnsack.us
ljbsll.freewww.biz
llsoftness.info
llxtyzh.freewww.biz
loadsgamescraft.org
locatorrotten.net
lollipoporno.org
longnikdb.com
lops.verikanam.com
lopxaert.cu.cc
lowkeytonights.pro
lpbjscrsa.freewww.biz
lpnkbwx.freewww.biz
lqbiyic.freewww.biz
lwwpmfw.freewww.biz
lynwau.freewww.biz
m6j2.info
macbookxed.net
macdonaldsfast.net
mangosautomated.info
manibackbestbizz.net
marxloha.com
marxloha.net
mastercarddialog.pro
masterxz.cu.cc
mayhemavz.pro
mazdak.cu.cc
mdrphfri.freewww.biz
mechanicalagenda.asia
membersnetsgunss.info
membersnetsgunss.org
memoryhddmonitor.org
memossingleuser.info
mentscommence.net
merstengrown.com
mesburtterpe.ddns.name
metaizosulfatmetanol.com
metasearchexcessively.net
mexicomongo.com
mexodini.tk
mhpuya.freewww.biz
mikesnutssner.net
mikesnutssner.org
minisiteshassle.info
minker.lenuerry.com
mitest.lenuerry.com
mitre.verikanam.com
mixed.verikanam.com
mjhcymist.freewww.biz
mmwap.freewww.biz
mnroemawa.freewww.biz
mnszyhxgp.freewww.biz
mobilefriendlysingledisk.info
modemgamers.info
modesicompared.org
modesiscenes.info
mofiozesbzcom.net
mokas.lenuerry.com
mondayswizardnet.info
moneysdialogs.net
monikaheinold.net
monitorsystemsdep.net
monitorsystemsdep.org
mopiserb.cu.cc
morrisgussmir.biz
mouseclickcentralization.info
mqtqjkyo.all-emoticons.com
multidimensionalpersisted.org
multilevelclass.net
museumsnimble.net
mwmfue.freewww.biz
mxssweeten.pro
mydreamnewone.com
mydreamnewone.me
mydreamnewone.org
mydreamnewone.us
naejadxge.freewww.biz
namesstressadd.net
ndengine.com
nedra.ddns.infoc
neos.lenuerry.com
nerest.ddns.info
nerfaserty.fondinfocenters.info
netdocumentsinaccessible.info
new-generation-affiliate.net
new-generation-affiliate.org
new-generation-affiliateonline.co
newyorkcarrent.com
ngfyt.freewww.biz
nicert.afkepock.com
njgblmlg.freewww.biz
nlbdiv.freewww.biz
nnczl.freewww.biz
noacmvbg.gr8name.biz
nospaceforced.pro
ns1.collectionsbleeding.pro
ns1.haventons.org
nsc.hornyfile.net
nuert.lenuerry.com
nvelqxkt.freewww.biz
nzhewnvi.freewww.biz
nzuqojkf.freewww.biz
oboobx.freewww.biz
oevcrn.freewww.biz
oferts.net
ohnjckgo.freewww.biz
okles.lenuerry.com
oltpspeakers.pro
oneiricinfocenters.info
ones.myservicecomments.com
onlineadvertclick.eu
onlineadvertclick.info
onlineadvertclick.org
oovmmb.freewww.biz
operationseverlearn.pro
opticshoc.pro
originalchristopher.net
originatingpixelize.pro
ortide.afkepock.com
otscfr.com
overseassouth.net
ow42.org
ownorreverting.org
ownprice.net
paggpuvv.freewww.biz
palacio-casino.com
palacio-casino.in
palacio-casino.info
palacio-casino.me
palacio-casino.mobi
palermopoker.asia
palermopoker.biz
palermopoker.co
palermopoker.info
palermopoker.me
palermopoker.net
palermopoker.org
pamaetyd.cu.cc
panasoniccatnap.net
panasoniclibs4.biz
panasoniclibs4.net
paneheftier.info
parlorlimitsforemost.org
participaterevisions.info
pasrewder.cu.cc
passedtwitpic.pro
paszerqef.cu.cc
pawertyse.cu.cc
pbhukx.freewww.biz
pejot.freewww.biz
pfannengericht.com
pfvfsi.freewww.biz
photoemailingbrethren.pro
physicallyoffer.asia
picniksdistrict.info
pigrona5.com
piicentrally.org
pikkolorgy.org
pistolop.cu.cc
pityr.verikanam.com
plannerspressed.net
pmquggb.freewww.biz
pmxlzumf.freewww.biz
pnppz.freewww.biz
pocasredr.cu.cc
polaroidstylesaved.info
pomertax.cu.cc
pornooncar.pro
pornoseccasgirls.info
pornoseccasgirlss.net
pornostroycenters5v.net
portallnk.com
postprepminimize.pro
potar.lenuerry.com
potentlatency.net
povertzag.cu.cc
powertnoii.cu.cc
prettydik.net
privacyxslegacy.info
producercheesy.net
progresseddrilled.net
promoitaliane.tv
prosperplug.info
psgva.freewww.biz
pvsblues.info
pzdupny.freewww.biz
qadosiwixe4.pro
qadosiwixe45.pro
qadosiwixe5.pro
qgwbhqthc.freewww.biz
qiksmotorcycles.pro
qojnwkp.freewww.biz
qoyuhiwe.tk
qpxibesp.freewww.biz
quellesimple.com
quellesimple.info
quickcamsassembled.net
quickofficemosaic.info
quincypuublicschools.com
quittsfasaf14.net
quqzpzfwr.freewww.biz
qxwhucsruaifu.pro
radarholga.pro
ratzeputze.com
rayoperu.tk
rbeqj.freewww.biz
rcjdnesni.freewww.biz
receivesagillions.info
recklessblacklisting.net
recoffsets.net
redirestoodersfin.info
redownloadingraucously.info
redspeed.asia
redundantblockskew.pro
redut.is-leet.com
reinventsciti.pro
relatedfarsi.info
releasedoutofbox.info
reliabilitytedium.info
reliantscrambled.org
remissimpediments.net
rentalhummers.pro
rentedtransactions.info
repinvoiceover.info
reportingautomatingoutliners.info
repurposedsmtppop.asia
re-served.com
respectsprosuite.info
restoronsafe.info
reusemorepersonalized.org
revolutioncodehinting.pro
rewardbounces.info
rhacsy.freewww.biz
riatiapafor.dnset.com
rizapizda.com
rojoxal.tk
roomyqualysguard.info
rootkitsprintready.pro
roudroadersnetliker.com
roxjd.freewww.biz
rozohudu.tk
rubilonk.biz
rubilonk.com
rubilonk.info
rutes.lenuerry.com
rxkpd.freewww.biz
safaristereos.biz
safetywebclassifies.net
samcrop.info
santnhzg.freewww.biz
saucesensorlys.info
savedordernumbers.net
sbyaiqvpm.freewww.biz
scarcecookiecutter.pro
schirkaal.com
schneemen.info
schoolsreading.asia
scrot-um.biz
securemanagerspecialcollectlinesite.info
security-checking.info
sedukimozzaik4net.info
seewild.net
seinfeldwlpg.pro
selamoitoipour.com
selamoitoipour.net
selamoitoipour.org
selmoipourtoi.com
selmoipourtoi.net
separatedsurprises.com
sequentialbiotics.info
sexclub4h.net
sexgirlsmembers4g.net
sexmurenagirlssex.info
sexsexporno.info
sexxxstaz.org
sfhnvvs.freewww.biz
shareself.info
sharingdelays.pro
sharpeyedresizable.net
shepardforests.info
shizzledizle.com
shortlonglinks.com
siamanfocont.ddns.name
sidhpuwtvkwrtv.flu.cc
signingsample.pro
signupdestinations.org
similaritiesinverting.net
singlecolumnhalloween.asia
sitesstressadd.com
sitesstressadd.net
sjryycwpl.freewww.biz
ska9.info
skitchrestaurants.net
skjaqowjtr.all-emoticons.com
slackmultiline.info
slnhtkqu.freewww.biz
smoothlyexit.net
snailmailupdater.net
snamedb.com
snoopscooperate.pro
sometimescroogle.asia
sorryintellicookie.net
soulplacing.pro
speedanymore.net
speedyfraction.pro
stampedetarget.info
stat.sportspirate.net
stathemliberiy.com
stationscannons.net
statistic.kodiakwireline.ca
stereoobjects.info
stetomoney.org
stinglnk.com
stlpartnership.asia
stoppedcam.info
storagemediumfoolish.pro
streetpiloteffortlessly.biz
strnglink.com
stumbleuponbutlowerpriced.info
subjectslicing.net
sublistsvirus.info
suckro.lenuerry.com
sufopati.tk
sugad.afkepock.com
sunbeltinverting.pro
suncurrentlytransitstheconstellationoflibrafromoctober.info
superbrustramestraonline.org
supportflashoutlookstyle.pro
susssurrounds.info
suxoyad.tk
swallowsreenable.pro
sydzslq.freewww.biz
syenial.com
system0001.pro
taipeirazor.pro
talliedclassit.info
tares.verikanam.com
tauscansenders.info
tavawf.freewww.biz
tcpipbyfiletype.info
teddyderhund.com
teddyderhund.net
tekqswas.freewww.biz
tellementads.net
tenscrub.net
testr.pcanywhere.net
textingnode.info
thewirelesscaalog.com
theydlauncher.net
thrillededward.pro
thundercatsimplications.net
tibukns.freewww.biz
timingwaste.net
tisla.lenuerry.com
togglesengines.info
toolbarpcmag.info
totalethreetabbed.net
toypourtoy.info
toypourtoy.net
toyticket.info
tracklessactivedisk.info
trading-consult.info
trafficstock.net
transformspace.pro
trnio.lenuerry.com
troopersresided.info
truesamuraidns.com
tufbu.freewww.biz
turnkeynew.pro
twesst.afkepock.com
twitteresqueingenious.info
txdfldh.freewww.biz
txtbznqia.freewww.biz
tzhone.freewww.biz
uadwfj.freewww.biz
uatogspme.freewww.biz
ubiuzkfw.freewww.biz
uidlikmcr.freewww.biz
ujergbcfcskuxvd.dyndns-remote.com
unhuzrtje.freewww.biz
uninstallerthumbtack.asia
unprotectedepicture.info
unuere.freewww.biz
update-cdn.com
uptel.afkepock.com
ureqedaz.mrbasic.com
usdaqpl.freewww.biz
user2.lenuerry.com
usnet.lenuerry.com
usomainssinglwwerx.com
uszefhy.freewww.biz
uukdktlc.onmypc.us
uvvtscte.biz
uwndet.freewww.biz
uybeor.freewww.biz
uyfea.freewww.biz
uzvxb.freewww.biz
vabnoynua.freewww.biz
vabosaho.tk
validatorbasses.net
validfacts.info
vchysb.freewww.biz
veraconference.info
verghavinias.com
verisimilitudeguidelines.pro
viewsbootup.net
viiju.freewww.biz
viqrzfvi.freewww.biz
virginiacompanyron.com
visasunspot.net
vitres.verikanam.com
vjhgd.freewww.biz
vmteuayfi.freewww.biz
voltsdragandselect.net
voniucka.co.uk
vsddbm.freewww.biz
vvsgoqe.freewww.biz
vzfascinating.info
wallmountedsubprojects.info
watisawarosydok.org
waybunch.org
webcheckfinalizing.net
webdavinfluential.pro
webmasteraolcom.asia
websearchsite.net
weekdaysaccountif.org
wefirefoxs.info
wellreceivedrug.pro
wentovergomountain.net
wereworkstationlike.org
westlnk.com
wfslwzbmj.freewww.biz
whpdn.freewww.biz
wildcarddigest.org
wimipol.tk
winproducersdisks.asia
wirmsnetsreg.org
wizikohu.tk
wjtuvxr.freewww.biz
wlklayju.freewww.biz
wlvgkym.freewww.biz
womukul.tk
wordreg.com
worksheetrating.info
woteucv.freewww.biz
wouldstats.com
wpvrq.freewww.biz
wqolljp.freewww.biz
writexrealtek.pro
www.hornyfile.net
www.jscripttoughgeek.biz
www.livecamsxxxnow.com
www.schneemen.info
www.sexsexporno.info
wwwlogmeincomafflicts.net
xasnc.freewww.biz
xberfdpfo.freewww.biz
xcwalwbwg.freewww.biz
xerta.lenuerry.com
xfulu.freewww.biz
xgrvj.freewww.biz
xicajevi.tk
xkaceln.freewww.biz
xmlstructurednewegg-affiliate.asia
xmmtry.freewww.biz
xokildrgfht.dyndns-remote.com
xokildrggjy.dyndns-remote.com
xokildrghkuy.dyndns-remote.com
xptyhuob.serveusers.com
xrtecjq.freewww.biz
xvideotubehq.net
xvideotubehq.org
xvidious.co
xvidious.info
xvidious.net
xvidious.org
xvidstubes.asia
xvidstubes.biz
xvidstubes.co
xvidstubes.com
xvidstubes.info
xvidstubes.me
xvidstubes.mobi
xvuxl.freewww.biz
yabalvate.freewww.biz
yale.verikanam.com
ycwmpwmh.freewww.biz
ycwvoad.freewww.biz
ycxbecdci.freewww.biz
yfajapit.americanunfinished.com
yhejzgsc.freewww.biz
yhgqw.freewww.biz
yjihtguzr.freewww.biz
ykasszk.freewww.biz
ynerfklpgjazsc.servebbs.com
ynybaduv.itemdb.com
yourxvideos.asia
yuokmyxhk.freewww.biz
yuppiebatchmode.info
yvngzms.freewww.biz
ywtytciqr.freewww.biz
yyvpdr.almostmy.com
yzhhn.freewww.biz
yzmek.mynumber.org
yzociz.freewww.biz
z8s0.info
zawejame.tk
zegejic.tk
zenuxozo.tk
zenworksencourages.pro
zeroknowledgealwil.asia
zhnmnjtm.freewww.biz
zikertlijgyhku.dyndns-remote.com
zikertlzcsyvdx.dyndns-remote.com
zikertydhwegawd.dyndns-remote.com
zikertydhwegsd.dyndns-remote.com
zikrftgbaefas.dyndns-remote.com
zikrfvdeccsxw.dyndns-remote.com
ziniospdfs.org
zkpys.freewww.biz
zoom.verikanam.com
zoomedpentiumequipped.info
zvxct.freewww.biz
zywyr.freewww.biz