Something evil on 192.95.44.0/27 (OVH Canada)

192.95.44.0/27 (spotted by Frank Denis) is another evil OVH Canada netblock which I assume belongs to their black hat customer r5x.org / Penziatki although now OVH seem to be masking the customer details.

I can see the following active subdomains within this range, all of which can be assumed to be malicious:

2gj95630ug7y42qc1-3.advanceservere.ru
2689xn49409xt8t-c3ho.gatheradvertisinge.ru
4022800068-3.acquireconnectionse.ru
6j2o7eo032s53sb0mx-l3.acquireconnectionse.ru
1635860128-6.reachmape.ru
2081021085-6.reachmape.ru
2401174936-7.reachmape.ru
2856584186-7.reachmape.ru
3430887989-6.reachmape.ru
3518242412-6.reachmape.ru
3912597189-7.reachmape.ru
w617131vc75-6.reachmape.ru
370r20to0282ph-y7.reachmape.ru
u1942lf033q46pr-6.reachmape.ru
37l7li34g8c990r3-7.reachmape.ru
qg285868sh2t65s6-6.reachmape.ru
167ef0p379w2y86-r6x.reachmape.ru
2ox085sv7899en16-6s.reachmape.ru
3i20et519228u9qf-j6.reachmape.ru
1400m6j1pf74a9w6-z6f.reachmape.ru
15v84492j0v8km9w-zw6.reachmape.ru
ql2f1c90s9u0h6210u-a7.reachmape.ru
ys1r0oi5cj2jz907340x-ai6.reachmape.ru
y1c8cw2ng90eh8ag8553q-6tg.reachmape.ru
117062511-6.reachprotectione.ru
719921944-6.reachprotectione.ru
3938936024-6.reachprotectione.ru
4019504775-7.reachprotectione.ru
3la26x1462a78-6le.reachprotectione.ru
n237qk5iv7rm34u7r5-7.reachprotectione.ru
2uk6u7g41q8051jd8r-6x.reachprotectione.ru
34d6na3b67vc4gn893c-zi6.reachprotectione.ru
1eu1q1l2k5kd2l73fn2j8f-6.reachprotectione.ru
2nn3x7f57at3fs4o7zj5s-7e.reachprotectione.ru
af4n0aw17pp96b82o2-oz6ag.reachprotectione.ru
rv3459hf4i7pt7x93jj3zy-7.reachprotectione.ru
158209179-6.accruespecialiste.ru
1833575162-6.accruespecialiste.ru
3201225904-6.accruespecialiste.ru
3475495830-6.accruespecialiste.ru
3594898209-6.accruespecialiste.ru
3783691616-6.accruespecialiste.ru
4084210708-6.accruespecialiste.ru
2174bi44g602tq8-6.accruespecialiste.ru
uh95eu436f34n87-6.accruespecialiste.ru
430pr3eq0pe0x422-n6f.accruespecialiste.ru
oc43yq0300l4o2wb2-6fk.accruespecialiste.ru
vd1j61155bu2j43m5er-6.accruespecialiste.ru
ed13202bx94a4k28pz-6mr.accruespecialiste.ru
ii66bd84z63oi5bp18am-6.accruespecialiste.ru
u1n1nf1w64j3jt57ip2-6g.accruespecialiste.ru
t3gs5c6me71ky6031wi0-l6s.accruespecialiste.ru
kt1ft42qg5rm6q5g47q8f1-e6w.accruespecialiste.ru
jj2ca4zb72iy56ue57tz4r5nv-te6.accruespecialiste.ru

I recommend that you apply the following blocklist:
192.95.44.0/27
accruespecialiste.ru
reachprotectione.ru
reachmape.ru
acquireconnectionse.ru

Something evil on 173.212.223.249

There's some sort of evil at work here, but I can't quite replicate it.. however I would recommend that you put a block in for 173.212.223.249 (Network Operations Center, US).

The infection chain I have spotted here starts with a typical compromised website, in this case:

[donotclick]onerecipedaily.com/prawn-patia-from-anjum-anands-i-love-curry/

A quick look at the URLquery report shows a general alert, but no smoking gun..

Is there some trickery at work here? Yes, there's a telltale sign in the HTTP Transactions graph:

Right at the end you can see a redirect to google.no..

This is a tell-tale sign that some malware is redirecting the URLquery probe to Google to protect itself. Usually it means that we don't have the right user agent, referrer string or perhaps the IP is blocked by the bad guys.

However, I can look at the log files of the incident and I see that the next step is a jump to another compromised site:

[donotclick]autoselectosperu.com/de11edf0bcf9b7ce8d3a128934acda75.php?q=d6f53936c38ddad58c5a69d1d36c4904

This then jumps to the presumed payload site at:

[donotclick]bkbr.beuqnyrtz.com/gikhqqkdjc

What is the payload... errr.. I don't know. The incident logs come up with a generic detection and my query-fu isn't working today. You'll just have to trust me that it's going to be malicious.

The following malicious subdomains are also active on 173.212.223.249:

bkbr.beuqnyrtz.com

syb.beuqnyrtz.com
sxxmxv.beuqnyrtz.info

The simplest thing to do to protect yourself against this particular threat is to use the following blocklist:

173.212.223.249

beuqnyrtz.com

beuqnyrtz.info

"You have received new messages from HMRC" spam

This fake HMRC spam comes with a malicious attachment:

Date:      Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices. For further details, please visit our website
http://www.qualitysolicitors.com/punchrobson

The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious exectuable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51.

According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
[donotclick]sandsca.com.au/directions/2503UKp.tis
[donotclick]www.sandsca.com.au/directions/2503UKp.tis

Subsequent communications are made with aulbbiwslxpvvphxnjij.biz on the familiar looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq.biz on another Linode IP of 178.79.178.243. An attempt it also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf.org which does not resolve.

One odd thing in the Anubis report is this dialog box entititled "seconddial" and containing the word "diminutiveness".

I don't know what that is.. it reminds me of Hatefulness/Hatefulness though :)

Recommended blocklist:
50.116.4.71
178.79.178.243
sandsca.com
aulbbiwslxpvvphxnjij.biz
qkdapcqinizsczxrwaelaimznfbqq.biz
hzdmjjneyeuxkpzkrunrgyqgcukf.org

.js injection leads to Fake Flash update hosted on OneDrive

This kind of attack is nothing new, but there has been a sharp uptick recently in injection attacks that alter .js files on vulnerable systems. The payload is a fake Flash update with a surprisingly low detection rate, hosted on Microsoft OneDrive.

The first step in the attack is through a vulnerable site such as this one [urlquery]. In turn, the infected .js file leads to [donotclick]alientechdesigns.com/NLBFH8ZG.php?id=88473423 which in turn leads to a fake Flash popup hosted at [donotclick]alientechdesigns.com/NLBFH8ZG.php?html=27 which you can see an approximation of here [urlquery].

The link in the popup goes to a download loction at [donotclick]onedrive.live.com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21111 which downloads a file flashplayerinstaller.exe.

flashplayerinstaller.exe is the first stage in the infection, it has a VirusTotal detection rate of just 3/51. The Malwr report shows that this then downloads two additional components, from:
[donotclick]onedrive.live.com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21112
[donotclick]onedrive.live.com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21108

The first one of these is called flashplayer2.exe which has a VirusTotal detection rate of 4/51. Malwr, Anubis and Comodo CAMAS show some working of this malware.

The second file is called update2.exe with a VirusTotal detection rate of 5/49. This seems somewhat resistant to automated analysis tools [1] [2] [3].

This sort of attack is hard to block from a network point of view as it leverages legitimate sites. Perhaps the best way to protect yourself is a bit of user education about where it is appropriate to download updates from.

Slartiblartfast "I see dead people" watch spam

I get a lot of watch spam, but I have to say this from Slartibartfast quoting the movie The Sixth Sense just tickled me somewhat..

Date:      Mon, 24 Mar 2014 23:45:50 -0500 [00:45:50 EDT]
From:      Slartiblartfast [dalero@pwc.utc.com]
Subject:      I see dead people.

WHY SHOULDN’T YOU WEAR ONE?
www.[redacted].com

If you are serious about placing an order with us then use the below coupon:

WEBSITE COUPON:
20save


Slartiblartfast
My real name is Arlen, Magill
S.R. Replications © 2014 

Well, Slarti. Thanks for the offer, but not thanks. So long and thanks for all the spam.

Malware sites to block 23/3/14 (P2P/Gameover Zeus)

These domains and IPs are associated with the Peer-to-peer / Gameover variant of Zeus as described in this blog post at MalwareMustDie. I recommend that you block the IPs and/or domains listed as they are all malicious:

50.116.4.71 (Linode, US) [also mentioned here, here and here]
178.79.178.243 (Linode, UK)
212.71.235.232 (Linode, UK)
23.239.140.156 (Root Level Technology, US)

50.116.4.71
aqllbfahiivcelzqcfmdmoqhwc.com
aulbbiwslxpvvphxnjij.biz
balodcmzlqtcjbhllfwcmmb.biz
batlrintscnbytinqsqgbyvs.info
bqpwkxwsaudhehjzpwsvowcobqk.com
dahzlwskgileyplljlhq.org
ddxwnbusvwtwtcfizdmskxso.biz
dgqzkzxsmzqggiwccattorwobfu.ru
duonxdivrwbahpxdpmbzdhm.org
dwsirwclqopforlqkjrdpncqkr.net
gefifqtwgydaivpjbubuaiwglsrg.org
gqvwwcgqnjrkteyqacrkthfmxk.org
kblfxnrltorstolxcgqugbyyl.com
li430-71.members.linode.com
lxpvyhnbbmvkkfpbayuomnaqzx.org
lzrrgfmeuucvtpzpvhxdaqcbyay.info
pvgrkzdcidybihtsqweqnbgztjb.com
pypfyinnfhyvxkujlfbmkbdq.com
qmrowchvdejfaauclrfqhx.org
rgvoxwhtamqwbuhdvonbnjhytuo.org
rsaspfpzmzrobonylxp.biz
tceeaaetvgcypqfysqctam.com
twdepffvwpxxnbqyhgmtcx.org
xaqfmfzxvoxglzofedmjskhatwsw.net
xfmheaqdepbyinkfjbnztemhmvkvk.com
xmjdjbucxwztqoojordmfmzfexc.com
xoxllplffmaknofjbjnkbdisw.com
xpjrvoddmfempuwbymwhejbt.com
yxmfpffqhdyfyydcmpnifusrckjrkby.biz

178.79.178.243
aefaeamofemugdieddphebijb.org
aemfyldumrlithbaayzhib.com
auldivpzxeahilvcyvckrzpbepv.com
bjnovqmbkfqodiqiuwsqst.biz
jnhqtodhhgakndacuvojizdm.org
krwklrffanjydbimvbmgadmfydei.info
qkdapcqinizsczxrwaelaimznfbqq.biz
qkljydlcikfqktsunraynji.org
swsmjuseadpmrozdljofpddx.biz
tltdhasweiuorolzqweydmtdjr.biz
towohjnpxozxqwvbyxgayvc.info
usrgwobmqsxmruscudtgvwuccqvgwg.biz
vclytzcizhtyplbkrmfayburc.org
vwojamfqcipjnbobeafelvqprjzgacu.org
wceydihqmjexgtkvtqkdeh.com
yhzpojvizpbiztkjdaxzib.org
zxjzaypibnjayfmpzpalkbaunzl.com

212.71.235.232
ambaorbynbjrxwdeumvqohiytp.com
amxgeaehmpirsczhtdebunsc.info
fuambuvktwcnfddadytzrccmrsg.info
gajbceobcpvnvjbxomrnfgqlcu.org
hapeysdqhpjntcwcmrpqtcu.biz
hayzscyddatgfeyvwxgcuxifcy.org
izsodajzhrsingdygyvsvcmzlhyx.com
ldmbcqwsfuhebqlrfqmjpjtbm.net
lnipjrijfamnxkgenzypusztpnxhi.org
mbdaaywcbikbnzdiaebnzgaph.biz
peucehqxsgmzhgujfsoeihmpvhiz.info
pnfxwvsgqvctqkypwghlbnbiz.biz
qwlamzprordqxcyltgbqxqctgkfq.biz
rougorsxgeeiaqqclrmnxcnbdig.com
swhyijskpdxkzdfqeqlduydaet.org
uzhoxeuukrgprcxwjbdymbir.info
wcrydrkgzhqoeunduhttayh.biz
wsauqohqevirkreaocyzh.info
yfamzskpcikveahhynrztfa.org
ytsgugkfgadtkpjhmxsmjlkrnv.com
yxmfpffqhdyfyydcmpnifusrckjrkby.biz

23.239.140.156
cedivwojozpjnmzphdmgscrkcqgq.info
dmeiljtpjfnrwolrucyppbqnjmn.biz
dqdycmfqbuxabufqhehejngapcy.biz
dtuwswgunvgayzpxolvclzaiw.com
hguvmrrgljldtkfcuuwmfhda.com
hqzdwauwkrvcpifdontobbat.org
hywkvojryttvwvkxccehmbadtcepz.biz
jnhqtodhhgakndacuvojizdm.org
lduemshmhceamlflrvoehrw.org
ltmbcqyheqjnrcuucwbipqsjnbe.biz
ojdqolcirkamyhursqozxin.com
pfceceprcxzhqstcyvodepzx.info
qcejrvgsydqpzzdixonvugysktk.com
qkfeutkgmfqxrwmbxgxcdymz.biz
tcvkwsbqnjhjobgyttklnfxo.com
udewxdqkxtwqwjvhvgbuzhx.org
vclytzcizhtyplbkrmfayburc.org
vxwdtkfjfqotkdaivkfqgaedx.biz
wslhrwfmwkhmozhambvwhuzpnb.net
xcvshidqgwotvfetvcydfajnof.com
zludaswlfrwphijtkknya.info

"CSR EXCELLENCE AWARD 2014" / csrawards.co.uk spam

Rule one of good customer service.. don't spam people like these jokers do:

From:     Green Organisation greenorganisation@rkwmail.co.uk
Date:     21 March 2014 07:02
Subject:     AO Corporate Social Responsibility Manager,

Is yours a company that cares?

     Do you help colleagues to reach their full potential?
     Are you a good neighbour in your local community?
     Do you show loyalty to your suppliers and customers?
    Are you reducing your negative impact on the environment?
    Do you support good causes and goodwill initiatives?

If you can answer YES to any of these questions,
you could win an

INTERNATIONAL CSR EXCELLENCE AWARD 2014

THIS is the perfect time to get the recognition you deserve for your Corporate Social Responsibility initiatives. NOW is the time to submit your free entry for an

INTERNATIONAL CSR EXCELLENCE AWARD

CLOSING DATE FOR FREE ENTRIES – MARCH 31

The CSR Excellence Awards are presented to companies that have a heart -

caring companies that use their privileged position to help their colleagues, communities, customers, suppliers, the environment and the less fortunate.

Caring companies can be a realistic force for good and change-for-the-better, and we want to recognise and reward their efforts with the CSR Excellence Awards

        Every company is entitled to a free entry

        All winners will be invited to the glittering presentation ceremony at The Crystal, Royal Victoria Docks, London

        The closing date for free entries is March 31, 2014

    We will plant a tree for every entry received.

There are THREE chances of success for each entry, as we will be presenting Gold, Silver and Bronze awards in every category – plus an overall winner.

If you are a company that cares, send your entry NOW!

    You can enter
        online at www.csrawards.co.uk
        by email to rich@eco-brand.co.uk
        or by post to

CSR Awards, Ecobrand, 97 Cock Lane, High Wycombe, Bucks HP13 7DZ

Responsible businesses can make an enormous difference to the quality of life and prospects of everyone touched by their corporate activities.

Show you care! Win a CSR Excellence Award!

Good luck with your entry.
Richard Collins
Campaign Organiser

I particularly like the address of 97 Cock Lane. Nuff said.

"Companies House" spam and 50.116.4.71 (again)

This fake Companies House spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      Incident 8435407 - Companies House

The submission number is: 8435407

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49.

The Malwr analysis again shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij.biz.

The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine.co.uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below).

I would recommend that you the following blocklist in combination with this one.

50.116.4.71
aulbbiwslxpvvphxnjij.biz
rovlvhixgqcelzlxheonpfxy.info
hybytqwscguvowbbgwgxijdq.com
jryxtbujvdmceodbegyofrkkr.ru
lncuhmnvlytwsuceijaifaqjrpz.com
mrdlormvvotimfhecueminydrs.info
fytwsqkgindatoahtnbnrzhe.org
tqsdudemkfrcrcutdmvpbuzd.net
doskgacutmvbeztmrirlc.biz
rgolcuhgqsqkgivckfbud.ru
auldivpzxeahilvcyvckrzpbepv.com
hegersdihurwwsdqxkdatclbmryd.net
qwrgldhqtcifymnfyhimjhqdbmir.org
ljxaededaljnrytonhzkzsg.biz
wgtfauchlnhmvskblhiovxwpvh.com
ifwbxfylaimzuwgdyeqgiupl.ru
premiercrufinewine.co.uk

Amazon.co.uk spam, something evil on 50.116.4.71

This fake Amazon.co.uk spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
From:      "AMAZON.CO.UK" [SALES@AMAZON.CO.UK]
Cc:      ; Fri, 21 Mar 2014 13:40:05 +0530
Subject:      Your Amazon.co.uk order ID841-6379889-7781077

Hello,  Thanks for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.  

  
Order Details
Order #799-5059801-3688207  Placed on March 21, 2014 Order details and invoice in attached file.
  
Need to make changes to your order? Visit our Help page for more information and video guides.  
  
We hope to see you again soon.   Amazon.co.uk 

There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51.

The Malwr analysisis the most comprehensive, and shows that it attempts to phone home to the following domains:

aulbbiwslxpvvphxnjij.biz
hxlbjvgmfzwcbyijzxojcugizd.info
mneudhugiorkbhtpaiuoemydzll.org
mfcyqgeupknhqrwljrprotufm.net
jzfetwydrfachqwgnylbu.com
eqtvtspngaeixdizhhiqckrged.ru
fqyxcinvcfkfxnltsghahrmn.com
pbzdofdxwokbnrvodiirzqshaem.net
hyvoydfadyxfmjnhmzjbxkgurcbu.org
dacahylpzylydlbgujruzxxrseyt.info
knpzqcaygabuxkcynjaidudceu.biz
soinlzhxohtcazlqkgegtcvxkr.ru
fuzllbxkzhqgrbaonivkzjjzdmjn.com
thicazjzxtxhknyeusx.info
afaxdlrnjdevgddqrcvkdmvemwo.org
kfmfpxtcmrnjgeusirylhrcqfe.biz
hmbcyromzibkpuxfiaetx.com
qoluciztogagugergdqqclxwkaekr.ru
payypdmhxcxxvgvsojdqs.com
pscxwztdudidivhixksrrduda.net
wgpztgpxgonhalcjrpxkau.biz
nrdiqotuoxcbaxokrfqcilcal.info
fycquworzhlmhqthixphq.com
uqgheqtozhrsjqfiaizci.ru
zdeiswsdqnvhleijfzltvwdxc.com

Out of these, aulbbiwslxpvvphxnjij.biz seems to be active on 50.116.4.71 (Linode, US)

Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:
50.116.4.71
afaxdlrnjdevgddqrcvkdmvemwo.org
aqllbfahiivcelzqcfmdmoqhwc.com
aulbbiwslxpvvphxnjij.biz
balodcmzlqtcjbhllfwcmmb.biz
batlrintscnbytinqsqgbyvs.info
bqpwkxwsaudhehjzpwsvowcobqk.com
dacahylpzylydlbgujruzxxrseyt.info
dahzlwskgileyplljlhq.org
ddxwnbusvwtwtcfizdmskxso.biz
dgqzkzxsmzqggiwccattorwobfu.ru
duonxdivrwbahpxdpmbzdhm.org
dwsirwclqopforlqkjrdpncqkr.net
eqtvtspngaeixdizhhiqckrged.ru
fqyxcinvcfkfxnltsghahrmn.com
fuzllbxkzhqgrbaonivkzjjzdmjn.com
fycquworzhlmhqthixphq.com
gefifqtwgydaivpjbubuaiwglsrg.org
gqvwwcgqnjrkteyqacrkthfmxk.org
hmbcyromzibkpuxfiaetx.com
hxlbjvgmfzwcbyijzxojcugizd.info
hyvoydfadyxfmjnhmzjbxkgurcbu.org
jzfetwydrfachqwgnylbu.com
kblfxnrltorstolxcgqugbyyl.com
kfmfpxtcmrnjgeusirylhrcqfe.biz
knpzqcaygabuxkcynjaidudceu.biz
li430-71.members.linode.com
lxpvyhnbbmvkkfpbayuomnaqzx.org
lzrrgfmeuucvtpzpvhxdaqcbyay.info
mfcyqgeupknhqrwljrprotufm.net
mneudhugiorkbhtpaiuoemydzll.org
nrdiqotuoxcbaxokrfqcilcal.info
payypdmhxcxxvgvsojdqs.com
pbzdofdxwokbnrvodiirzqshaem.net
pscxwztdudidivhixksrrduda.net
pvgrkzdcidybihtsqweqnbgztjb.com
pypfyinnfhyvxkujlfbmkbdq.com
qmrowchvdejfaauclrfqhx.org
qoluciztogagugergdqqclxwkaekr.ru
rgvoxwhtamqwbuhdvonbnjhytuo.org
rsaspfpzmzrobonylxp.biz
soinlzhxohtcazlqkgegtcvxkr.ru
tceeaaetvgcypqfysqctam.com
thicazjzxtxhknyeusx.info
twdepffvwpxxnbqyhgmtcx.org
uqgheqtozhrsjqfiaizci.ru
wgpztgpxgonhalcjrpxkau.biz
www.aulbbiwslxpvvphxnjij.biz
xaqfmfzxvoxglzofedmjskhatwsw.net
xfmheaqdepbyinkfjbnztemhmvkvk.com
xmjdjbucxwztqoojordmfmzfexc.com
xoxllplffmaknofjbjnkbdisw.com
xpjrvoddmfempuwbymwhejbt.com
zdeiswsdqnvhleijfzltvwdxc.com