Dynamoo's Blog

Tuesday 23 July 2013

Something evil on 91.233.244.102

These following domains are hosted on 91.233.244.102 (Olborg Ltd, Russia). This IP is implicated in Runforestrun infectors, has several malware detections on VirusTotal plus a few on URLquery. Google has flagged several domains as being malicious (marked in red below).

Obviously there's quite a concentration of evil on this IP address and the simplest thing to do would be to banish it from your network, in fact I would personally recommend blocking ~~the whole 91.233.244.0/23 block~~ at least 91.233.244.96/28 (see why) . However, a (probably incomplete) list of suspect domains on this IP are as follows:

aabgxpqayus.com

adcjhjpalcljihgw.info

adwwlwgfgefmzcwg.info

aefbydtsxloe.org

anzku-bqe.net

aodpcm-foub.com

aodpcm-foubfkmp.info

aoflkpshxeoa.org

apsnxeyafofkqfql.ru

apvvkrodqlouyoso.ru

aydpgzxzyidbeqoq.ru

ayxksipvqfxvlfaq.ru

bhigmqckbqhleqlo.ru

cqfreoz-qwd.info

cqfreoz-qwdhmor.com

cuojshtbohnt.com

cuojshtbohnt.info

dfglsfvdyus.com

dgjrfwiwpgjrwdcg.info

dgmcaaliawgewghp.info

donotwantyou787.ru

dppukpdhxloa.org

drgsfp-irxei.com

dspukpshxeoa.org

dwofvs-jdoyhpe.in

eaxrm-xnesh.org

fafogzpvzbvorqkk.ru

fexwxvogrgvfqxzk.ru

feyvxryisqafrssy.ru

fiwiziccefirihhh.info

fjzgpahrgwrzcwle.info

ftiuhrc-tzgk.info

fwcfpfwggjgmfwhw.info

fwdgffzethwhgffp.info

fyqhxu-lfq.in

gffqihioodwfteii.info

ggprgzwfapwdwold.info

gooogleadsense.org

hccakpdhxloa.org

hcnvidjkpytou.com

hhmsobscuoxgqwkhtugpnr.com

hivqwbnkasisil.com

hmcakpshxeoa.org

igicpiipggljcwaf.info

ihwwwhwipfarwrtf.info

ijxsncuprepwqzlt.ru

iprdjrhfporqpgcg.info

ipwfwtdwgiwwehie.info

jdiiffgfgg.com

jecvydtsxloe.org

jeuvkpdhxloa.org

jyuvkpshxeoa.org

kdvmczv-k.in

kkagkpshxeoa.org

kkyqexfzsqzysrkl.ru

knuidyekzkyuhtpi.ru

kxpgydtsxloe.org

kynzmwh-y.info

kynzmwh-yelpu.com

lalcjrdwrqwgwerf.info

ljfwwtftwgiltwwp.info

ljhfhwgiwiwhpwrf.info

lomxtgmgrswlgrrn.ru

mapbo-jra.com

mapbo-jragnrw.info

mfgqnlbmyus.com

mpmeezpmowrgihzc.info

nealkpdhxloa.org

newlydtsxloe.org

nsjosicxuhpidhlp.ru

nwalkpshxeoa.org

ocunydtsxloe.org

ocurkpdhxloa.org

odzbgxfiipvkrqfa.ru

oghwrfhoyus.com

oiicmtkpkaocnm.com

peawrwfgtewchzjc.info

peijgfhwhoffgorf.info

powwrwllojfjgrfg.info

pqueaafqaeoqrqxq.ru

psknwsqsqognrpoo.ru

qablspvqyus.com

qflqqfqqwzazqzrw.ru

qqzewquorqiuqviv.ru

r5z7yy68.com

rfffnahfiywyd.com

rfffnahfiywyd.info

rgdgkpshxeoa.org

rpdgkpdhxloa.org

rpdtydtsxloe.org

rrilffoowjcrqpdw.info

rrrmpfqrgfgfmthj.info

rseibvaoopvkvxyp.ru

sdfsfjkhewsdfe.com

sodsvsyxfzelkknq.ru

soopqzxleaqlqqfi.ru

sownoyqkaqxpqqkp.ru

thwiv-qyhnuydf.info

twctqwaggdwfwhzd.info

uivh-cltqmhb.org

uquqlyyuivkogxyr.ru

vbkfrqqfovaqyeio.ru

viqtkpshxeoa.org

vjykxh-ajp.info

vjykxh-ajpwafh.com

vogxnkg-vgqz.in

vpftydtsxloe.org

vvteeuevhpbpepfi.ru

vxvhwcixcxqxd.com

walfyqoslwfzgxxf.ru

wcrcwwzwercejjjp.info

wfcwhhrfoacawllf.info

wfigeegwffwgoffj.info

wgfdwfhejieeppeo.info

wiafokpwyus.com

wqllweihhwawzctg.info

wwfcfpmfwpompwow.info

xlamzju-lr.com

xlamzju-lrychj.info

xloeydtsxloe.org

xwaqllqvdovqikyn.ru

xweexxdyiaoaskfy.ru

yalkzsvudybexfgd.ru

yirxzxffiedeqddo.ru

ylaqdsoorlrrfyke.ru

ylbaugjnfutivfupbojcybabmrax.com

ypfuidx-i.com

yqgeqwxyfqowoiko.ru

yrjaq-jeyjtckzn.in

zkafwwiilgszbeps.ru

zkzuqobzowqyuixg.ru

zvswwossogquwrfs.ru

zyvskwylixxfswkq.ru

Malware sites to block 23/7/13

These malicious domains and IPs are associated with this prolific gang. As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end.

5.175.191.106 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson-NET, Turkey)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
50.97.253.162 (Softlayer, US)
54.225.124.116 (Amazon AWS, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
61.28.143.133 (ETPI, Philippines)
62.76.44.105 (IT House / Clodo-Cloud, Russia)
69.60.115.92 (Colopronto, US)
74.62.189.22 (Time Warner Cable, US)
74.93.56.83 (Comcast, US)
74.208.246.145 (1&1, US)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UniWeb, Belgium)
88.86.100.2 (Supernetwork / Castlegem, Czech Republic)
88.150.191.194 (Redstation, UK)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobitel EAD, Bulgaria)
108.170.32.179 (Secured Servers, US)
108.179.8.103 (Tyco / Cablevision, US)
109.123.125.68 (UK2.net, UK)
114.112.172.34 (Worldcom Teda Networks Technology, China)
119.92.209.120 (Makati IPG, Philippines)
120.124.132.123 (TANET, Taiwan)
121.83.197.179 (K-Opticom Corporation, Japan)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.120.113.18 (TANET, Taiwan)
162.209.80.221 (Rackspace, US)
165.225.149.235 (Joyent, US)
166.78.183.28 (Rackspace, US)
172.245.16.47 (New Wave NetConnect / ColoCrossing, US)
172.255.106.126 (Nobis Technology Group, US)
182.72.216.173 (CusDelight Consultancy Services, India)
188.40.92.12 (Hetzner, Germany)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
189.15.96.61 (Companhia De Telecomunicacoes Do Brasil Central , Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (Telefonica del Peru, Peru)
192.95.54.119 (OVH, Canada)
192.241.205.26 (Digital Ocean, US)
195.225.58.122 (C&A Connect SRL, Romania)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu, US)
198.175.124.17 (DNSSLAVE.COM, US)
202.197.127.42 (Hunan Normal University, China)
203.236.232.42 (KINX, Korea)
208.69.42.50 (Bay Area Video Coalition, US)
208.115.114.68 (WOWRACK, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services, Taiwan)
211.224.204.141 (KINX, Korea)
212.143.233.159 (013 Netvision Network, Israel)
217.64.107.108 (Society Of Mali's Telecommunications , Mali)

5.175.191.106
24.173.170.230
31.145.19.17
41.196.17.252
46.246.41.68
46.45.182.27
50.97.253.162
54.225.124.116
59.77.36.225
59.124.33.215
59.126.142.186
59.160.69.74
61.28.143.133
62.76.44.105
69.60.115.92
74.62.189.22
74.93.56.83
74.208.246.145
85.17.224.131
85.119.187.145
88.86.100.2
88.150.191.194
95.87.1.19
95.111.32.249
108.170.32.179
108.179.8.103
109.123.125.68
114.112.172.34
119.92.209.120
120.124.132.123
121.83.197.179
128.252.158.57
138.80.14.27
140.120.113.18
162.209.80.221
165.225.149.235
166.78.183.28
172.245.16.47
172.255.106.126
182.72.216.173
188.40.92.12
188.132.213.115
188.134.26.172
189.15.96.61
190.85.249.159
190.238.107.240
192.95.54.119
192.241.205.26
195.225.58.122
198.61.213.12
198.98.102.165
198.175.124.17
202.197.127.42
203.236.232.42
208.69.42.50
208.115.114.68
209.222.67.251
210.200.0.95
211.224.204.141
212.143.233.159
217.64.107.108
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
abundanceguys.net
allgstat.ru
amimeseason.net
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
autocompletiondel.net
autorize.net.models-and-kits.net
badstylecorps.com
basedbreakpark.su
beachfiretald.com
bebomsn.net
biati.net
blacklistsvignet.pl
blackragnarok.net
blindsay-law.net
bnamecorni.com
boats-sale.net
brasilmatics.net
buffalonyroofers.net
businessdocu.net
buty24-cool.com
buycushion.net
cbstechcorp.net
centow.ru
chairsantique.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condaleunvjdlp55.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalinneuwu5.ru
condalnua745746.ru
cooldeaflympics.com
cpa.state.tx.us.tax-returns.mattwaltererie.net
crossplatformcons.com
cryoroyal.net
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
e-eleves.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
etiquetteinsp.net
fastfragcheck.com
feminineperceiv.pl
fenvid.com
filmstripstyl.com
firefoxupd.pw
firerice.com
flashedglobetrot.pl
foremostorgand.su
foremostorgand.suc
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
generationpasswaua40.net
genie-enterprises.com
germany.no-ip.biz
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
greenleaf-investment.net
gromovieotvodidiejj40.net
handwrittenma.com
hdmltextvoice.net
heavygear.net
heidipinks.com
hemorelief.net
hiddenhacks.com
highsecure155.com
hingpressplay.net
homesforsaleftwaltonbea.com
hotkoyou.net
hotpubblici.com
housesales.pl
iberiti.com
icensol.net
independinsy.net
info-for-health.net
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kistrotilewest.su
klermont.net
klwines.com.order.complete.prysmm.net
kubiwaya.net
ledfordlawoffice.net
letsgofit.net
linguaape.net
linkedin.com-update-report.taltondark.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
mackay-revealed.net
made-bali.net
magiklovsterd.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
metalcrew.net
microsoftnotification.net
mifiesta.ru
modshows.net
momotlawfirm.net
morphed.ru
mosher.pl
motobrio.net
mycanoweb.com
myfreecamgirls.net
mywebsitetips.net
neplohsec.com
nipslippage.net
nvufvwieg.com
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
outbounduk.net
oydahrenlitu346357.ru
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
peertag.com
playtimepixelating.su
pool-inter.com
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
prothericsplk.com
prysmm.net
quipbox.com
ratenames.net
relectsdispla.net
rentipod.ru
restless.su
saberig.net
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
scourswarriors.su
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
seodirect-proxy.com
shanghaiherald.net
sludgekeychai.net
soberimages.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
techno5room.ru
thegalaxyatwork.com
thosetemperat.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
u-janusa.net
ukbash.ru
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
wic-office.com
wordstudio.pl
wow-included.com
zestrecommend.com

Monday 22 July 2013

IRS.gov "Complaint Case #488870383295" spam / Complaint_488870383295.zip

This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.

Date:     Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]
From:     "IRS.gov" [fraud.dep@irs.gov]
Subject:     Complaint Case #488870383295

You have received a complaint in regards to your business services.
The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/

Case Number: 488870383295

Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.

The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

2013 Council of IRS, Inc. All Rights Reserved.

Attached to the email is a ZIP file Complaint_488870383295.zip which in turn contains an executable Complaint_07222013.exe which is bad news. VirusTotal detection rates are a so-so 14/47.

ThreatExpert and Comodo CAMAS give a little background information, but in this case the Malwr analysis seems to be the most comprehensive and shows traffic out the the following compromised sites:

prospexleads.com
phonebillssuck.com
moneyinmarketing.com
abbeyevents.co.uk
salsaconfuego.com
fales.info

The second part has a much lower detection rate of just 2/47. At the moment this second stage is still being analysed.

BMW spam / pagebuoy.net

This convincing looking BMW spam leads to malware on

Date:     Mon, 22 Jul 2013 13:07:50 -0500 [14:07:50 EDT]
From:     BMW of North America [womanliere75@postmaster.aa-mail.org]
Reply-To:     motherfuckinge926@m.aa-mail.com
Subject:     The BMW 6-Series M Sport Edition, M Universe, and more.

BMW’s 6-Series M Sport Edition     View Online
BMW
A 6 SERIES.
WITH M PANACHE.
Meet the 6-Series M Sport Edition. Available in all 6 series models, the M Sport Edition boasts premium features like M Aerodynamics, LED Adaptive Headlights, an M leather steering wheel, and Nappa Leather sport seats for a ride that’s a 6-Series inside and out.
LEARN MORE
Efficient Dynamics

Table of Contents

» BMW M Universe
» BMW Wins Again
» BMW i3 Design
» BMW Superbike
» BMW Collections

    WELCOME TO M’S
NEW HOME.

In the M Universe, your own M photos will become part of a visual timeline spanning all 40 award-winning years of the iconic M brand, from the classic 1972 to the new M6 Gran Coupe. To all you M fans, welcome home.

» ENTER BMW M UNIVERSE

    THE 3 SERIES WINS AGAIN

The BMW 3 Series continues to live up to its hard-earned reputation as the best compact sports sedan in the world. AUTOMOBILE MAGAZINE presented the 3 Series with the coveted 2013 All-Star award, making the number of AUTOMOBILE MAGAZINE awards won by the 3 Series alone over a dozen.

» BUILD YOUR OWN

    LIGHTWEIGHT, AGILE, AND STRONG

The Life Module of BMW i vehicles is a high–strength and lightweight passenger compartment made from carbon fiber reinforced plastic (CFRP). This, along with the use of aluminum, offsets the additional weight of the batteries of an electric car. And by reducing the weight, the number of batteries and the average battery charging time can also be reduced.

» LEARN MORE

    WORLD SUPERBIKE CHAMPIONSHIP UPDATE

Midway through an already successful season, the BMW Motorrad Goldbet SBK Team is getting ready for their next race in Imola, Italy. The team is coming off an impressive first-place finish by rider Marco Melandri in Portimão. Keep up with the latest news and updates from the team on the BMW Motorrad USA Facebook page.

» STAY CONNECTED

    2013 SPORT COLLECTIONS

BMW presents all-new sport collections. Apparel and accessories made from advanced materials with innovative designs so you can perform and look your best.

» LEARN MORE

EXPLORE THE BMW LINEUP



» Lease + Finance Offers
» Build Your Own

» Test Drive
» BMW Ultimate Service®

GET THE LATEST
BMW NEWS + UPDATES

Don’t forget to add bmwusa@emails.bmwusa.com to your Address Book to keep it from skipping your inbox or getting caught in spam filters.
ff
We want your experience with the BMW website to be as smooth and reassuring as driving a BMW. Accordingly, we diligently safeguard your privacy. If you wish to review our Privacy Policy at any time, please click on the link below, or copy and paste it into your Web browser’s location window. http://www.bmwusa.com/about/privacy.html

We’d like to keep you up-to-date on the latest BMW products, news and events via email. If, however, you’d like to stop receiving them, you can unsubscribe at any time.

Please note that we are located at 300 Chestnut Ridge Road, Woodcliff Lake, NJ 07677. ©2013 BMW of North America, LLC. The BMW name, model names and logo are registered trademarks. For more information call 1-800-831-1117 or go to www.bmwusa.com.

The link in the email goes through a legitimate hacked site and ends up on [donotclick]links.emails.bmwusa.com.open.pagebuoy.net/news/bmw-newmodel.php (report here) which is hosted on the same IP addresses as this spam run.

American Airlines spam / sai-uka-sai.com

This fake American Airlines spam leads to malware on www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com:

From:     American.Airlines@aa.net
Date:     22 July 2013 17:22
Subject:     AA.com Itinerary Summary On Hold

Dear customer,

Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.

To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the “Purchase” button on this email, or by using the “View/Change Reservations” section on www.aa.com.

left corners         left corners

This reservation is on HOLD until July 22, 2013 11:59 PM CDT (Central Daylight Time) .

Record Locator: LEBBGM             Purchase

left corners         left corners

Passengers

   Isabella Green

NOTE: This is not a ticket or electronic receipt

Carrier Flight
Number Departing Arriving Cabin

Booking Code Seats Meals

City Date & Time City Date & Time

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES 2879 SPS Wichita Falls July 24, 2013 10:50 AM DFW Dallas/ Fort Worth July 24, 2013 11:43 AM Economy

M 32A Food For Purchase

AMERICAN AIRLINES 1795 DFW Dallas/ Fort Worth July 24, 2013 12:35 PM IAH Houston July 24, 2013 01:43 PM Economy

M 23A

AMERICAN AIRLINES 1690 IAH Houston July 26, 2013 02:20 PM DFW Dallas/ Fort Worth July 26, 2013 03:35 PM Economy

M 20C

AMERICAN AIRLINES OPERATED BY AMERICAN EAGLE AIRLINES 3294 DFW Dallas/ Fort Worth July 26, 2013 04:20 PM SPS Wichita Falls July 26, 2013 05:10 PM Economy

M 27B Food For Purchase

  Fare Summary

Average Fare per Person - 444.00 USD

Passenger Type Used in Pricing Fare per Person Additional Taxes and Fees per Person Total Price

1 Adult 442.90 USD 34.25 USD 490.95 USD

Total Price 495.49 USD

  Merchandising Summary

Flight Number Seat Number Seat Price Taxes Total Price

2879 0.00 USD 0.00 USD 0.00 USD

1795 14.00 USD 1.05 USD 15.05 USD

1690 14.00 USD 1.05 USD 15.05 USD

3294 0.00 USD 0.00 USD 0.00 USD

Total Price 30.10 USD

Please note the following:
• View Fare rules.
• Fares are only guaranteed up to 24 hours.
• Additional foreign taxes may apply.
• Additional fees may also apply for tickets not purchased through AA.com.

This is not the itinerary receipt that is required for identification purposes at the airport check-in. That receipt will be furnished upon purchase of this reservation.

In order to proceed to your gate you must present a government issued photo I.D. and either your boarding pass or a priority verification card at the screening security checkpoint.

If you are not a resident of the U.S., U.K., Canada or select countries in Latin America and the Caribbean, tickets must be purchased at an American Airlines ticketing location/airport, or by calling an American Airlines International Reservations office. Flights booked on carriers other than American Airlines, American Eagle® or AmericanConnection® are on a request basis only.

You've got payment options at AA.com! Make your dream vacation come true with the Fly Now Payment Plan, speed through checkout with PayPal, or use electronic checks to pay directly from your checking account. You can also pay in cash at participating Western Union locations or use a credit/debit card. Available payment options may vary by country.

The link in the email goes through a legitimate hacked site and ends up on a malware landing page at [donotclick]www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com/news/american-airlines-hold.php (report here) hosted on the following IPs:

50.97.253.162 (Softlayer, US)
95.111.32.249 (Megalan / Mobitel EAD, Bulgaria)
188.134.26.172 (Perspectiva Ltd, Russia)
209.222.67.251 (Razor Inc, US)

The WHOIS details for that domain are the characteristically fake ones associated with this gang:
        Michael Fenwick freehotjob@yahoo.com
        21 Fredricksburg Court
        State College
        PA
        16803
        US
        Phone: +1.8144411445

Recommended blocklist:
50.97.253.162
95.111.32.249
188.134.26.172
209.222.67.251
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
allgstat.ru
autorize.net.models-and-kits.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
firefoxupd.pw
firerice.com
fulty.net
gamnnbienwndd70.net
gebelikokulu.net
generationpasswaua40.net
gnanosnugivnehu.ru
gondamtvibnejnepl.net
greenleaf-investment.net
housesales.pl
irs.gov.tax-refunds.ach.treehouse-dreams.net
klwines.com.order.complete.prysmm.net
linkedin.com-update-report.taltondark.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
mifiesta.ru
motobrio.net
mycanoweb.com
onemessage.verizonwireless.com.verizonwirelessreports.com
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
privat-tor-service.com
prysmm.net
quipbox.com
rentipod.ru
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
sendkick.com
shanghaiherald.net
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net