By Andre' M. DiMino & Mila Parkour
I recently encountered a malware sample that, when sandboxed, exhibited a great deal of DDoS-like activity toward a large number of URLs. When I looked at the network traffic a bit more closely, it reminded me of the Dirt Jumper DDoS bot that I read about in an excellent blog post by Curt Wilson of Arbor Networks. This particular version of Dirt Jumper is attacking a variety of organizations and companies in many different countries. The MD5 of this sample is f29b1089b3f5e076d4d4bd2a3a02d3cb and it uses the domain 'asdaddddaaaa.com' for its Command and Control (C&C). Searching for a similar network traffic pattern yielded a number of sandbox analysis pages containing several more C&C servers and DDoS victims. This research also highlighted a lack of proper detection of this bot variant. Many antivirus companies change the name of this bot across variants, detecting it as zbot, pinkslipbot, Kryptic and others. Microsoft at least consistently detects Dirt Jumper as Dishigy.B (Dishigy.A is an unrelated keylogger whose binary sits in the same directory), and this allowed us to find more examples and prompted further research. Dirt Jumper is proving to be as popular as the Darkness/Optima bot we described earlier this year and is gaining more buyers in the underground market due to its easy implementation and powerful attack methods.
End-2012.com |
September version control panel. Shopworld.biz |
Table of Contents
- 1. Binary analysis
- 2. Memory analysis using Volatility 2.0
- 3. Command & Control servers
- 4. Dirt Jumper current versions and general information
- 5. Review of other samples, command and control servers and DDoS actor groups
1. Binary analysis
MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB
There are two ways that Dirt Jumper gets installed on a system: one, as a service, and two, by adding the malicious binary name to the "Shell=" value in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Installation as a service is more common and is the default method for versions 1-3 and the September 2011 version. Some private and custom versions of Dirt Jumper use the Explorer shell method.
INSTALLATION TYPE 1 - EXPLORER SHELL
Size: 204800
MD5: F7C0314FB0FBD52AF9D4D721B2C897A2
File properties:
- CompanyName: Comma Stone
- FileDescription: Signs Blast Egypt Avery
- FileVersion: (blank)
- InternalName: Wolff Diets Cowboy Mig
- LegalCopyright: Copyright Sobs Sift 1997-2011
- OriginalFilename: Baby.exe
- ProductName: Picks Air
- ProductVersion: (blank)
The following system changes may indicate the presence of this bot:
- The presence of the following files:
- <system folder>\svdhalp.exe
- <system folder>\svdhalp.exe.ini
- <Windir>\syskey2i.drv - contains nothing but a 15 digit bot id number
- The registry value "Shell" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon set to "explorer.exe, svdhalp.exe"
INSTALLATION TYPE 2 - AS A SERVICE
Size: 276480
MD5: F29B1089B3F5E076D4D4BD2A3A02D3CB
File properties:
- CompanyName: Ohokls Vwivanl
- FileDescription: Ohokls Uanvbnmsel Qukxwdrb
- FileVersion: 25, 34, 66, 19
- InternalName: Ohokls
- LegalCopyright: Copyright Ohokls Vwivanl 1997-2011
- OriginalFilename: Ohokls.exe
- ProductName: Ohokls Uanvbnmsel Qukxwdrb
The following system changes may indicate the presence of this bot:
- The presence of the following files:
- <system folder>\drivers\svgtook.exe - the file name varies, often starting with "sv" (e.g. svflooje.exe, svcgoow.exe)
- <Windir>\keys.ini - contains nothing but a 15 digit bot id number
- The presence of registry modifications such as the following examples (the name of the file may vary):
- HKLM\SYSTEM\CurrentControlSet\Services\svgtook
- HKLM\SYSTEM\CurrentControlSet\Services\svgtook\Security
- HKLM\SYSTEM\CurrentControlSet\Services\svgtook\Enum
The traffic pattern:
As can be seen below, the two binaries show slight modifications of the same bot.
Comparison of two Dirt Jumper binaries |
The current IDS signatures for Dirt Jumper can be modified to match this additional version. The bot ID seems to be the most common denominator at present, while the C&C URLs and bot commands vary somewhat.
Emerging threats signature as proposed by Kevin Ross |
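The host artifacts listed above for both installation types (the bot id file under the Windows directory, the "Shell" value gaining a second executable, the sv*.exe binary and its .ini, the service registered under the same name) can be checked mechanically. The following script is an added example written for this post, not code from the authors or from the bot: it scans a Windows directory tree (a mounted image works) and takes the Winlogon "Shell" value and the service names as caller-supplied arguments, because on an offline image those come from a registry export. The sv*.exe name pattern, the KNOWN_GOOD exclusion list and the weighting of findings are assumptions of the example; the demo() layouts and the 15-digit bot id in them are constructed.

```python
import os
import re
import tempfile

BOT_ID_RE = re.compile(r"^\d{15}$")
# File names the post lists for the bot binary: svdhalp.exe, svgtook.exe, svflooje.exe,
# svcgoow.exe, ... Treat the pattern as a hint only; it also matches legitimate binaries.
BOT_NAME_RE = re.compile(r"^sv[a-z]{4,9}\.exe$", re.IGNORECASE)
KNOWN_GOOD = {"svchost.exe"}  # assumption: extend for the Windows build you examine


def read_bot_id(path):
    """Return the 15-digit bot id if the file holds nothing but that number, else None."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(64).decode("ascii", "replace").strip()
    except OSError:
        return None
    return text if BOT_ID_RE.match(text) else None


def scan_host(windir, sysdir, winlogon_shell="explorer.exe", service_names=()):
    """Check the artifacts from the post. windir/sysdir are directories; winlogon_shell and
    service_names are the Winlogon\\Shell value and the names under
    CurrentControlSet\\Services, exported by the caller. Returns (weight, kind, detail)."""
    findings = []
    # Both installation types drop a file under %WINDIR% holding only the bot id.
    for name in ("syskey2i.drv", "keys.ini"):
        bot_id = read_bot_id(os.path.join(windir, name))
        if bot_id:
            findings.append(("strong", "bot_id_file", "%s=%s" % (name, bot_id)))
    # Type 1: Winlogon\Shell gains a second executable after explorer.exe.
    for extra in [p.strip() for p in winlogon_shell.split(",")[1:] if p.strip()]:
        findings.append(("strong", "winlogon_shell", extra))
    # Type 2 keeps sv*.exe in <system folder>\drivers; type 1 keeps sv*.exe plus
    # sv*.exe.ini in the system folder itself.
    for sub, weight in (("drivers", "medium"), ("", "weak")):
        folder = os.path.join(sysdir, sub)
        if not os.path.isdir(folder):
            continue
        for entry in sorted(os.listdir(folder)):
            low = entry.lower()
            if BOT_NAME_RE.match(entry) and low not in KNOWN_GOOD:
                findings.append((weight, "bot_named_binary", os.path.join(folder, entry)))
            if low.endswith(".exe.ini") and os.path.exists(os.path.join(folder, entry[:-4])):
                findings.append(("medium", "binary_ini", os.path.join(folder, entry)))
    # Type 2 registers a service named after the binary.
    for svc in service_names:
        if BOT_NAME_RE.match(svc + ".exe") and (svc.lower() + ".exe") not in KNOWN_GOOD:
            findings.append(("medium", "service_name", svc))
    return findings


def verdict(findings):
    """One strong indicator, or two corroborating weaker ones, is enough to escalate."""
    strong = sum(1 for w, _, _ in findings if w == "strong")
    return strong >= 1 or (len(findings) - strong) >= 2


def _touch(path, content=""):
    with open(path, "w") as fh:
        fh.write(content)


def demo(install_type):
    """Constructed directory layouts mimicking a clean host (0) and the two installation
    types (1, 2); the bot id is made up. Returns scan_host()'s findings."""
    with tempfile.TemporaryDirectory() as root:
        windir = os.path.join(root, "Windows")
        sysdir = os.path.join(windir, "system32")
        os.makedirs(os.path.join(sysdir, "drivers"))
        _touch(os.path.join(sysdir, "svchost.exe"))  # benign look-alike, must not fire
        shell, services = "explorer.exe", ["Dhcp", "Dnscache"]
        if install_type == 1:
            _touch(os.path.join(windir, "syskey2i.drv"), "123456789012345")
            _touch(os.path.join(sysdir, "svdhalp.exe"))
            _touch(os.path.join(sysdir, "svdhalp.exe.ini"))
            shell = "explorer.exe, svdhalp.exe"
        elif install_type == 2:
            _touch(os.path.join(windir, "keys.ini"), "123456789012345")
            _touch(os.path.join(sysdir, "drivers", "svgtook.exe"))
            services.append("svgtook")
        return scan_host(windir, sysdir, shell, services)


if __name__ == "__main__":
    for t in (0, 1, 2):
        f = demo(t)
        print("install type %d: escalate=%s %s" % (t, verdict(f), f))
```

The bot id file and the altered "Shell" value are the indicators worth acting on by themselves; the sv*.exe name alone is deliberately rated weak because svchost.exe and similar legitimate names fall into the same pattern, which is why verdict() wants a second artifact before escalating on names only.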
2. Memory Analysis using Volatility 2.0
MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB
I executed the malware in my sandbox lab under VMWare Version 7. One of the things I like about VMWare is that you can easily obtain a memory snapshot by suspending the virtual machine, and copying the .vmem file to your analysis directory. That .vmem file is an exact representation of the virtual machine's memory image. If you are not using VMWare, you can also easily snap memory via the MoonSols Windows Memory Toolkit.
The first step in any analysis using Volatility is to get information about the image. This is done via the 'imageinfo' command as seen below.
Volatility 'imageinfo' command |
Notice that the suggested profile is "WinXPSP3x86". We will specify this profile for all subsequent Volatility usage by using the '--profile=' option when invoking Volatility.
Now we wish to list all the active processes. This is done with the "pslist" command. Note the use of the "-P" switch to tell Volatility to display the physical memory offset rather than the virtual offset.
The timestamp indicates the date/time that the process started. Note that all the processes except for 'svgtook.exe' started within a few seconds of 00:12. 'svgtook.exe' has a Process ID (PID) of 1900 and began at 10/05/2011 at 00:14. It should also be noted that in this sandbox run, I initiated the malware execution immediately after booting. Note also that there is no browser process or anything else that should initiate an Internet connection.
I next run the Volatility 'connections' command to see all the active network connections. Note that the large number of remote address connections are all associated with PID 1900.
Volatility 'connections' command |
The Volatility 'sockets' command will display the listening sockets for any protocol. In the figure below, we see many open sockets for both the UDP and TCP protocols. With one exception, all of these sockets are again associated with Process ID 1900, 'svgtook.exe'. By virtue of its many open sockets and dozens of outbound connections, Process ID 1900 certainly seems worth a closer look.
Volatility 'sockets' command |
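The observation that drives the rest of the analysis is a per-PID one: a single process owns dozens of outbound connections to distinct remote hosts and most of the open sockets. That triage can be scripted over the plugin output so it does not depend on eyeballing a long table. The following is an added example written for this post, not part of Volatility or of the authors' work: it parses text shaped like the 2.0 'connections' and 'sockets' output, tallies connections, distinct remote hosts and sockets per PID, and flags processes talking to many remote addresses. The exact column layout is an assumption (the regexes only rely on the leading offset and the first few columns), and the sample output is constructed: PID 1900 and the C&C address 195.3.145.87 are from the post, the other remote addresses are RFC 5737 documentation addresses, and the offsets and the other PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Volatility 2.0 "connections" output (see lead-in).
SAMPLE_CONNECTIONS = (
    "Offset(V)  Local Address             Remote Address            Pid\n"
    "---------- ------------------------- ------------------------- ---\n"
    "0x81e4d0e8 192.168.56.101:1037       195.3.145.87:80           1900\n"
    + "".join(
        "0x81e4%04x 192.168.56.101:%d       203.0.113.%d:80           1900\n"
        % (0x1000 + i, 1040 + i, i + 1)
        for i in range(11)
    )
    + "0x81f2a3c0 192.168.56.101:1036       192.168.56.1:445          1064\n"
)

# Constructed sample in the shape of Volatility 2.0 "sockets" output.
SAMPLE_SOCKETS = """Offset(V)  PID    Port   Proto  Address         Create Time
---------- ------ ------ ------ --------------- -------------------------
0x81ec0e98 1900   1037   6      0.0.0.0         2011-10-05 00:14:22
0x81ec1a10 1900   1040   6      0.0.0.0         2011-10-05 00:14:23
0x81ec2b20 1900   1041   6      0.0.0.0         2011-10-05 00:14:23
0x81ec3c30 1900   1338   17     0.0.0.0         2011-10-05 00:14:25
0x81dd0f08 4      445    6      0.0.0.0         2011-10-05 00:12:03
0x81dd1f18 1064   137    17     192.168.56.101  2011-10-05 00:12:05
"""

# Data rows start with a hex offset; header and separator lines do not.
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")
SOCK_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\d+)\s+(\d+)\s+(\d+)\b")
PROTO_NAMES = {6: "TCP", 17: "UDP"}


def parse_connections(text):
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            lip, lport, rip, rport, pid = m.groups()
            conns.append({"pid": int(pid), "local": (lip, int(lport)), "remote": (rip, int(rport))})
    return conns


def parse_sockets(text):
    socks = []
    for line in text.splitlines():
        m = SOCK_RE.match(line.strip())
        if m:
            pid, port, proto = (int(x) for x in m.groups())
            socks.append({"pid": pid, "port": port, "proto": proto})
    return socks


def summarize_by_pid(conns, socks):
    """Per PID: number of connections, distinct remote hosts, sockets and protocols in use."""
    acc = defaultdict(lambda: {"connections": 0, "remote_hosts": set(), "sockets": 0, "protocols": set()})
    for c in conns:
        acc[c["pid"]]["connections"] += 1
        acc[c["pid"]]["remote_hosts"].add(c["remote"][0])
    for s in socks:
        acc[s["pid"]]["sockets"] += 1
        acc[s["pid"]]["protocols"].add(PROTO_NAMES.get(s["proto"], str(s["proto"])))
    return {
        pid: {
            "connections": v["connections"],
            "remote_hosts": len(v["remote_hosts"]),
            "sockets": v["sockets"],
            "protocols": sorted(v["protocols"]),
        }
        for pid, v in acc.items()
    }


def flag_outliers(summary, min_remote_hosts=10):
    """PIDs talking to at least min_remote_hosts distinct remote addresses, busiest first.
    The threshold is an assumption; a browser is the usual benign reason to exceed it."""
    hits = [pid for pid, v in summary.items() if v["remote_hosts"] >= min_remote_hosts]
    return sorted(hits, key=lambda pid: summary[pid]["remote_hosts"], reverse=True)


if __name__ == "__main__":
    summary = summarize_by_pid(parse_connections(SAMPLE_CONNECTIONS), parse_sockets(SAMPLE_SOCKETS))
    for pid in flag_outliers(summary):
        print(pid, summary[pid])
```

Cross-check any flagged PID against 'pslist': in the run above the absence of a browser or other process with a reason to hold many connections is what makes PID 1900 stand out, so the threshold is only a prompt to look, not a verdict.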
By the way, a great new feature of Volatility 2.0 is the 'netscan' plugin. This plugin will scan for network connection artifacts in Windows Vista, Windows 2008 Server and Windows 7 memory artifacts. From the Volatility wiki, "To scan for network artifacts in Windows Vista, Windows 2008 Server and Windows 7 memory dumps, use the netscan command. This finds TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. It distinguishes between IPv4 and IPv6, prints the local and remote IP (if applicable), the local and remote port (if applicable), the time when the socket was bound or when the connection was established, and the current state (for TCP connections only)."
Since I ran this analysis on a Windows XP system, I'm not able to show you a 'netscan' output for this particular instance. In a follow-up analysis, I'll utilize Volatility under Windows 7.
To look more closely at Process 1900, we can dump the process from physical memory. This allows us to examine the process in its executing context as opposed to a packed and possibly obfuscated state. One typical analysis step is to dump the process and use the 'strings' command to look for items of interest. Let's see the result of performing this against our Process 1900. Using the Volatility command 'procmemdump', the 'svgtook.exe' process (PID 1900) is dumped to the specified directory. The following image shows this command being run, followed by running strings against the dumped file, and using 'grep' to search for the string "http".
Volatility 'procdump' command |
The results show various strings containing "http" being discovered in the dumped file. These include various legitimate sites, as well as the string 'httpsend_s'.
One of the best ways to discover evidence pertaining to a suspicious process is to dump the Virtual Address Descriptor (VAD) segments and examine them with the 'strings' command. By examining the dumped VAD segments, you can get an excellent view of the "live" data associated with the examined process. A good reference for this can be found in the whitepaper "The VAD tree: A process-eye view of physical memory" by Brendan Dolan-Gavitt. From the whitepaper: "The Virtual Address Descriptor tree is used by the Windows memory manager to describe memory ranges used by a process as they are allocated. When a process allocates memory with VirtualAlloc, the memory manager creates an entry in the VAD tree." Since I'm particularly interested in any URLs or network connection remnants associated with Process 1900, I'll use the 'vaddump' command to dump the VAD memory segments associated with this process.
Volatility 'vaddump' command |
The result of this command leaves approximately 950 files in the dump directory, one per VAD segment associated with PID 1900. Running 'strings' and grepping for 'http' yields two segments of interest.
Examining VAD segments for the string "http" |
In the image above, we see VAD segment 'svgtook.exe.23ce450.00400000-00dadfff.dmp' reference the same web sites as seen in the dumped process, while 'svgtook.exe.23ce450.01420000-0151ffff.dmp' shows references to various DDoS target URLs received, as well as the C&C "http://asdaddddaaaa.com".
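The 'strings | grep http' step used twice above (against the dumped process and against the VAD segments) is easy to reproduce in a few lines, and doing so also lets you pull UTF-16LE strings, which Windows processes hold in abundance and which plain 'strings' misses without '-el'. The following is an added example, not code from the post: it implements the printable-run extraction, separates real URLs from strings that merely contain "http" (such as 'httpsend_s'), and walks a vaddump output directory. The two sample segments are constructed byte blobs; the segment file names, the C&C URL and the 'httpsend_s' string are the post's, while every example.* URL and the filler bytes are made up.

```python
import os
import re
import tempfile

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_strings(data, min_len=4):
    """What `strings` and `strings -el` would print: runs of printable ASCII and runs of
    printable UTF-16LE characters, each at least min_len characters long."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def grep_strings(data, needle):
    """Equivalent of `strings file | grep needle`."""
    return [s for s in extract_strings(data) if needle in s]


def extract_urls(data):
    """Only the strings that are URLs, de-duplicated and sorted."""
    urls = set()
    for s in extract_strings(data):
        urls.update(URL_RE.findall(s))
    return sorted(urls)


def scan_dump_dir(directory):
    """Map each file in a vaddump output directory to the URLs it holds; files without any are skipped."""
    result = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as fh:
            urls = extract_urls(fh.read())
        if urls:
            result[name] = urls
    return result


def build_sample_segments():
    """Constructed stand-ins for three vaddump files: an executable image region, a heap
    region with C&C traffic remnants, and a region with nothing useful."""
    exe_image = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
                 + b"httpsend_s\x00"                      # string from the post, not a URL
                 + b"http://www.example.com/\x00"
                 + b"\xff\xfe\x01"
                 + b"http://www.example.org/news\x00")
    heap = (b"\x00" * 48
            + b"http://asdaddddaaaa.com/678/index.php\x00\x00\x00"   # C&C URL from the post
            + "http://www.example.net/index.html".encode("utf-16-le") + b"\x00\x00"
            + b"\x07\x1f\x80" + b"GET /index.php HTTP/1.1\r\n" + b"\x00" * 16)
    empty = b"\x00" * 32 + b"MZ\x90\x00" + b"\xcc" * 16
    return {
        "svgtook.exe.23ce450.00400000-00dadfff.dmp": exe_image,
        "svgtook.exe.23ce450.01420000-0151ffff.dmp": heap,
        "svgtook.exe.23ce450.7ffd0000-7ffd0fff.dmp": empty,   # constructed name
    }


def demo():
    """Write the constructed segments to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, blob in build_sample_segments().items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(blob)
        return scan_dump_dir(d)


if __name__ == "__main__":
    for name, urls in demo().items():
        print(name)
        for u in urls:
            print("   ", u)
```

The wide-string pass is what surfaces the UTF-16 URL in the heap segment; a plain ASCII scan of the same bytes would have produced nothing but single characters there.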
So in this brief analysis, we have been able to utilize Volatility to quickly extract key information about the running Dirt Jumper process. This also equips us to further investigate this process, as well as how other Windows processes may be affected. For example, Volatility allows for extensive registry carving and analysis as well as the use of plugins specifically designed for analyzing malicious code.
3. Command & Control servers
MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB
Upon execution, Dirt Jumper sample f29b1089b3f5e076d4d4bd2a3a02d3cb attempted DNS resolution for the domain, asdaddddaaaa.com.
The domain registration information for asdaddddaaaa.com is:
Domain Name: ASDADDDDAAAA.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.FREEDNS.WS
Name Server: NS2.FREEDNS.WS
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 19-jun-2011
Creation Date: 18-feb-2011
Expiration Date: 18-feb-2012
Registrant Contact:
Mark Livingston
Mark Livingston j.hnvns.92@gmail.com
+1.2147899961 fax: +1.2147899961
446 Ridge Point drive Forney TX 75126
As of this writing, DNS results show that the C&C is running on IP address 195.3.145.87, which is managed by Altnet-Latvia (ASN41390). There are several other domains and nameservers running on that IP address, including:
- bestdumps.biz
- lost-pass.ru
- mail.asdaddddaaaa.com
- mittmax.com
- ns1.euro-2012portal.com
- ns1.euro2012-portal.com
- ns2.euro-2012portal.com
- ns2.euro2012-portal.com
- open-pass.com
- pizdaruliu.net
- skachatiskype.ru
- skype4download.ru
- www.mittmax.com
- www.skype-rf.ru
- www.skype4download.ru
- xaker.me
- 46.108.225.57 - AS50244 - ITELECOM - Romania
- 46.108.225.60 - AS50244 - ITELECOM - Romania
- 46.108.225.72 - AS50244 - ITELECOM - Romania
- 46.252.130.141 - Sagade - Latvia
- 46.252.130.150 - Sagade - Latvia
- 46.252.131.5 - Sagade - Latvia
- 46.252.131.7 - Sagade - Latvia
- 46.252.131.9 - Sagade - Latvia
- 94.244.80.217 - AS25190 - Kauno Interneto Sistemos - Lithuania
- 95.64.50.30 - AS48266 - Netserv Consult - Romania
- 141.136.16.100 - AS50515 - TIER-DATA-CENTER - Romania
- 223.25.242.107 - AS55720 - GIGABIT - Malaysia
- 223.25.242.196 - AS55720 - GIGABIT - Malaysia
- 195.3.145.87 - AS41390 - RN-DATA - Latvia
It is often interesting to trace the routing information of the hosting provider in question. The diagram below was produced using BGPlay. BGPlay displays the routing information for a network prefix for a defined time period. In this case, I ran BGPlay for the prefix 195.3.144.0/22 from 09/9/2011 thru 10/9/2011. From the results, you can see that during this time, Altnet-Latvia had Telenet SIA in Latvia (ASN24589), as its only upstream. Walking "up the upstream", we see the following relationships:
Telenet SIA (ASN24589) is the sole upstream for Alnet-Latvia
BKCNet Latvia (ASN6851) is the sole upstream for Telenet SIA
Telia Latvija (ASN5518) is the sole upstream for BKCNet Latvia
TeliaNet Sweden (ASN1299) is the sole upstream for Telia Latvija
Routeviews BGP Information for IP 195.3.145.87 |
Based on additional research I did, it's very clear that this Dirt Jumper C&C isn't the only malicious activity on Alnet-Latvia.
PhishTank Report
Spamhaus Report
malc0de Report
I wonder if the folks at TeliaNet Sweden, or the other upstreams to Alnet-Latvia are aware of this? This would also be a good time to remind hosting providers, ISPs, and network operators to subscribe to the Shadowserver ASN & Netblock Reporting Service.
DDoS Victims
This is a very active DDoS bot, with a wide variety of targets across many industries. Over a two week observation period, the asdaddddaaaa.com controller has targeted victims in the following industries:
As described in more detail later in this post, we have detected several other C&Cs that appear to be related to the same group operating asdaddddaaaa.com. Several of them continue to actively initiate DDoS attacks. We are currently monitoring these controllers and sharing the victim lists with appropriate law enforcement agencies and the victim organizations.
4. Dirt Jumper current versions and general information
The bot binary is relatively large, 170-270 kB, and is packed with UPX. The bot tasks are not encrypted, as can be seen in the pcaps and on the C&C server.
DDoS task for bots as seen on a C&C page |
Current Dirt Jumper Versions and Features
Version 3, "September", and private versions - 2011
Control Panel. Img.src: shopworld.biz |
- Multipurpose flood (Light) – a combination attack in which packets with random data are sent to the server. The bot uses a varying User-Agent.
- Multipurpose flood (Full) – the same as Multipurpose flood (Light), but POST data is added. POST requests exhaust server resources because the server has to process the data, which requires participation of Apache, PHP and any linked database. This also helps to evade anti-DDoS measures because it imitates random browser requests.
- HTTP flood (DJSFlood) – the author claims this is unique to his bot. The method is very similar to a simple HTTP flood but does not use a standard structure; it is "something between http and udp". This method can be used for attacks on ports. The syntax is http://IP:PORT/ with 300-500 threads.
- POST flood (TimeOut) – the same as above, but data can be sent using POST. There is a way to set timeouts for the response after sending the data.
- Works with http and https
- Varied User-Agent and Referer
- Multithreading, can attack up to 999 websites simultaneously
- Can attack by IP, domain name, port or ftp
- Access to the admin panel may be limited by IP. Additionally, the first-level login page can be accessed only by specifying the correct GET password; the correct password then allows access to the next level, the regular login page.
Version 2 - 2010
Dirt Jumper v.2 Img.Src: Damagelab.org |
- HTTP flood: This type of attack can cause server overload due to frequent, repeated conventional HTTP requests. As soon as the webserver is ready to answer, the bot breaks the connection and sends a new request
- Synchronous flood: This method of attack is effective only when more than 150 threads are in use. The bot makes 150+ simultaneous requests, waits until the server responds and repeats.
- Downloading flood: The bots download files from the website causing bandwidth saturation.
- POST flood: The bot can make GET and POST requests at the same time. That is, it can send random usernames and passwords to website forms, causing a tremendous load on the server.
Version 1
There is not much information about version 1 available. The one description found is the following:
Dirt Jumper v.1 Control Panel. Img.Src: xaknet.ru |
- Multithreaded attack, number of threads can be changed without interrupting the attack
- Can attack http, https
- Can attack by DOMAIN:PORT
- Can attack several sites at once
- Can set the time at which the bot should call back
- Can change User Agent
- Bot is installed as a system service
- The bot owner can choose the name of the bot process
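From the web server's side, the traits listed across these versions (repeated conventional requests at high rate, a rotating User-Agent and Referer from the same client, random data in POST bodies) are also what distinguish a Dirt Jumper drone from a real browser in the access log. The following is an added example written for this post, not code from the post or from the bot: it parses combined-format access log lines and flags client addresses whose peak request count inside a short window is high while presenting several different User-Agent strings, which a single browser does not do. The window, thresholds and the sample log (one hammering client, one ordinary visitor, all timestamps and addresses made up) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def find_flood_sources(lines, window_s=10, min_requests=20, min_agents=3):
    """Flag client IPs whose peak request count inside any window_s-second window reaches
    min_requests while presenting at least min_agents distinct User-Agent strings.
    Thresholds are assumptions to tune against your own traffic."""
    per_ip = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        per_ip[e["ip"]].append(e)
    findings = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        window, peak = deque(), 0
        for e in events:                      # sliding window over the client's requests
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        agents = {e["ua"] for e in events}
        if peak >= min_requests and len(agents) >= min_agents:
            findings[ip] = {
                "peak_requests": peak,
                "user_agents": len(agents),
                "referers": len({e["ref"] for e in events}),
                "paths": len({e["req"] for e in events}),
            }
    return findings


def build_sample_log():
    """Constructed sample, not a capture from the post: 10.0.0.5 requests /index.php 30 times
    in 5 seconds while rotating User-Agent and Referer; 10.0.0.9 browses normally."""
    agents = [
        "Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0",
        "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
        "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.9.168 Version/11.51",
        "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 Chrome/14.0.835.202",
    ]
    refs = ["http://www.google.com/", "http://www.yandex.ru/", "-"]
    lines = []
    for i in range(30):
        lines.append('10.0.0.5 - - [05/Oct/2011:00:14:%02d +0000] "GET /index.php HTTP/1.1" 200 512 "%s" "%s"'
                     % (i // 6, refs[i % 3], agents[i % 4]))
    for i in range(5):
        lines.append('10.0.0.9 - - [05/Oct/2011:00:14:%02d +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "%s"'
                     % (i * 12, agents[0]))
    return lines


if __name__ == "__main__":
    for ip, info in find_flood_sources(build_sample_log()).items():
        print(ip, info)
```

Rate alone also catches legitimate crawlers and shared NAT gateways; requiring the User-Agent rotation as a second condition is what narrows the hit to the drone behaviour the bot advertises, and a third pass over the flagged addresses (all requests for the same path, empty or random Referer values) is cheap to add on the returned dictionary.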
5. Review of other samples, command and control servers and DDoS actor groups
Analysis of Dirt Jumper C&C servers and their victims was based on publicly available sandbox results from Threatexpert.com, Sssdsandbox.net, Anubis.iseclab.org, and others. The search yielded two dozen C&C servers run by groups of attackers that utilize both types of the bot described in Section 1 of this post, Binary analysis and comparison. These were frequently seen on the same domains, for example http://wow-siti.ru/www/m_d.php (type 1) and http://wow-siti.ru/1/index.php (type 2).
The results showed similar naming conventions for the bot executable file name, which is normally chosen by the botnet owner. This was seen as identical names, or names often starting with "sv" as in "sviooue.exe" and "svgtook.exe", as well as similar GET or POST URLs for the drone.
In addition, some C&C servers had a history of being hosted on the same IP addresses in the past and of being moved simultaneously from one hosting provider to another. Other attribution points included seeing the same email addresses in the domain registration, and similar domain names (e.g. xruw0q.com, zprw6q.com and xzrw0q.com; jfasfasfasfasf.com and asdaddddaaaa.com). The resulting matrix clearly shows that seemingly unrelated C&C servers may be operated by the same actors.
Group 1
- abacava.net + asdaddddaaaa.com: same email address in domain registration, same hosting
- + jfasfasfasfasf.com: history of hosting on the same domains as the C&Cs above
- + xzrw0q.com + whozdadx.org: same bot name
- + xruw0q.com + zprw6q.com: same domain naming convention as xzrw0q.com above
Group 2
- wow-siti.ru + mwas.ru: same email address in domain registration, same hosting
- + s0r.ru: same hosting
- + 95.211.63.38: same bot file name
exe name | C&C IP | IP location | Domain URL | Domain owner | MD5
klhkg.exe | 195.3.145.220 | RN Data, SIA Latvia | http://abacava.net/s4/index.php | Phinney Business Skye Phinney jh.nvns.92@gmail.com +1.7814548993 fax: +1.6612830438 8536 Kern canyon Road, Sp 35 Bakersfield CA 93306 United States | 4C01B3D5B80E18CE2E981E25740B395A
svdhalp.exe | 195.3.145.220 | RN Data, SIA Latvia | http://abacava.net/f2/m_d.php | Phinney Business Skye Phinney jh.nvns.92@gmail.com | 2cc731473ef8d968050aa2c9e914150d
svgtook.exe | 195.3.145.87 | RN Data, SIA Latvia | http://asdaddddaaaa.com/678/index.php | Mark Livingston Mark Livingston j.hnvns.92@gmail.com +1.2147899961 fax: +1.2147899961 446 Ridge Point drive Forney TX 75126 United States | f9a65bc3a197600d23557eceb1f3125c
svcghkkjl.exe | 46.108.225.72 | Pixel View SRL Romania | http://jfasfasfasfasf.com/887/index.php | Hartford Business Joe Hartford bezerosavyk@yahoo.com +1.7814548993 fax: +1.7814548993 32 Cedar Street, Apt. #4 Waltham MA 02453 United States | C0FCBF7B96474DCF074339575EC1EF3B
svdhalp.exe | 31.192.109.164 | Mir Telematiki Ltd Russia | http://xzrw0q.com/driver32/update/m_d.php | BIZCN.COM, INC. | f7c0314fb0fbd52af9d4d721b2c897a2
sviooue.exe | 31.192.109.162 | Ultra Web Solutions India | http://xruw0q.com/fcfxD/load.php | No. 61 Wanghai Road, Xiamen Software Park xiamen fujian 361008 China | 6D54FB6753D719CA3EC991A9CBD9743C
svdhalp.exe | 77.79.11.86 | Webhosting, Lithuania | http://whozdadx.org/c4/m_d.php | Jabon Lorkan Inconmun Klopi 12 New-York | 627f2bda0c5abe4d3e7ae68b877dcfd0
sviooue.exe | 91.217.153.114 | Alexey Klimenko Ukraine | http://zprw6q.com/frexpex/index.php | Whois Privacy gmvjcxkxhs@whoisservices.cn | 79a9327dd9f9911c0f08fd4d3c3b26c8
svajnager.exe | 184.22.118.89 | NOC Scranton PA | http://wow-siti.ru/1/index.php | Private Person vzlomaem@xaker.ru ns1.antiddos-servis.ru. ns2.antiddos-servis.ru. | 9277796C0F8EBF1078C52D88E8FAAA5D
svflooje.exe | 184.22.118.89 | NOC Scranton PA | s0r.ru | Private Person qwer.vdv@gmail.com | 7CA86FB5C76B74390B4E7200E4A09514
svflooje.exe | 184.22.118.89 | NOC Scranton PA | unknown | unknown | E7B65933F069A81AB089D055D6BDD17A
svflooje.exe | 184.22.243.172 | NOC Los Angeles CA | http://mwas.ru/666/index.php | Private Person vzlomaem@xaker.ru ns1.reg.ru. ns2.reg.ru. | 6f610c089205a6433fc56c58e30840d1
svflooje.exe | 95.211.63.38 | LeaseWeb Netherlands | http://95.211.63.38/index.php | ip | 5998968B6B92E8B8076A8D846C75B855
svsysnt.exe | 78.108.84.160 | Majordomo Llc Russia | http://startraider.com/login/index.php | smk.majordomo.ru Alex Leman () Fax: 226 E 45th St New York, NY 10017 United States | D65C7F3B29F162F4104FC150614D5BE7
kmhfoot.exe | 195.189.226.193 | SERVER.UA Ukraine | http://nntudazashel.ru/dj/a.php | Private Person root@dgrad-host.ru ns1.vainet.ru. ns2.vainet.ru. | fb88c02090d9a42fef851b600fd8ec8
svciyyyt.exe | 46.252.130.102 | users Latvia Andrejs Kaminskis | http://46.252.130.102/www/index.php | ip | 4E89DF9540358C4524597856D6A08032
unknown | 80.79.118.230 | Aktsiaselts WaveCom Estonia | http://hotklass.com/a2/index.php | PrivacyProtect.org Domain Admin (contact@privacyprotect.org) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null, QLD 4218 Australia Tel. +45.369466 | ac65790032bbcdc7f35dce0c0e43c434
svlanager.exe | 94.244.80.5 | UAB KIS Lithuania | unknown | unknown | 54DC76D3F0930A88211207453343E5008BA0161E
svlkanager.exe | unknown | unknown | unknown | unknown | CDBF7C49E3FDDAACC3154F13CE93521D
svcgoow.exe | unknown | unknown | unknown | unknown | f268ee8e4a5091139e5986b23389e80e
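The grouping above is a pivot exercise: two controllers are tied together whenever they share a hosting IP, a registrant mailbox or a bot file name, and the ties are chained until clusters fall out. The following is an added example, not code from the post, that performs that chaining with a union-find over a subset of the table's rows (host, C&C IP, registrant e-mail, bot file name; values are the post's, None marks a blank or "unknown" cell). Two details are assumptions of the example rather than statements from the post: Gmail ignores dots in the local part, so the registrant addresses jh.nvns.92 and j.hnvns.92 are normalized to one mailbox, and evidence the table does not carry (the hosting history and the domain naming convention the post cites) is supplied as explicit analyst links so it stays visible in the output.

```python
from collections import defaultdict

# Rows from the attribution table: (C&C host, C&C IP, registrant e-mail, bot file name).
RECORDS = [
    ("abacava.net",        "195.3.145.220",   "jh.nvns.92@gmail.com",  "klhkg.exe"),
    ("abacava.net",        "195.3.145.220",   "jh.nvns.92@gmail.com",  "svdhalp.exe"),
    ("asdaddddaaaa.com",   "195.3.145.87",    "j.hnvns.92@gmail.com",  "svgtook.exe"),
    ("jfasfasfasfasf.com", "46.108.225.72",   "bezerosavyk@yahoo.com", "svcghkkjl.exe"),
    ("xzrw0q.com",         "31.192.109.164",  None,                    "svdhalp.exe"),
    ("xruw0q.com",         "31.192.109.162",  None,                    "sviooue.exe"),
    ("whozdadx.org",       "77.79.11.86",     None,                    "svdhalp.exe"),
    ("zprw6q.com",         "91.217.153.114",  None,                    "sviooue.exe"),
    ("wow-siti.ru",        "184.22.118.89",   "vzlomaem@xaker.ru",     "svajnager.exe"),
    ("s0r.ru",             "184.22.118.89",   "qwer.vdv@gmail.com",    "svflooje.exe"),
    ("mwas.ru",            "184.22.243.172",  "vzlomaem@xaker.ru",     "svflooje.exe"),
    ("95.211.63.38",       "95.211.63.38",    None,                    "svflooje.exe"),
    ("nntudazashel.ru",    "195.189.226.193", "root@dgrad-host.ru",    "kmhfoot.exe"),
]

# Evidence the post cites that is not a table column; added as analyst-asserted edges.
POST_LINKS = [
    ("jfasfasfasfasf.com", "asdaddddaaaa.com", "history of hosting on the same domains"),
    ("xruw0q.com", "xzrw0q.com", "same domain naming convention"),
]


def normalize_email(addr):
    """Gmail ignores dots (and +suffixes) in the local part, so jh.nvns.92 and j.hnvns.92
    are the same mailbox. Other providers are compared case-insensitively only."""
    if not addr:
        return None
    local, _, domain = addr.lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "").split("+")[0]
    return "%s@%s" % (local, domain)


class DisjointSet:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_controllers(records, analyst_links=()):
    """Union hosts sharing an IP, a normalized mailbox or a bot file name, plus any analyst
    links. Returns (clusters sorted largest first, list of (a, b, reason) edges)."""
    ds, by_pivot, edges = DisjointSet(), defaultdict(list), []
    for host, ip, email, exe in records:
        ds.find(host)                         # every host is a node even if it shares nothing
        for kind, value in (("ip", ip), ("email", normalize_email(email)), ("exe", exe)):
            if value and value != "unknown":
                by_pivot[(kind, value)].append(host)
    for (kind, value), hosts in by_pivot.items():
        for other in hosts[1:]:
            if other != hosts[0]:
                ds.union(hosts[0], other)
                edges.append((hosts[0], other, "%s=%s" % (kind, value)))
    for a, b, reason in analyst_links:
        ds.union(a, b)
        edges.append((a, b, "analyst: " + reason))
    groups = defaultdict(set)
    for host in list(ds.parent):
        groups[ds.find(host)].add(host)
    clusters = sorted((frozenset(g) for g in groups.values()), key=lambda g: (-len(g), min(g)))
    return clusters, edges


def same_actor(clusters, a, b):
    return any(a in c and b in c for c in clusters)


if __name__ == "__main__":
    clusters, edges = cluster_controllers(RECORDS, POST_LINKS)
    for c in clusters:
        print(sorted(c))
    for a, b, why in edges:
        print("  %s <-> %s  (%s)" % (a, b, why))
```

Run without POST_LINKS the table alone yields the wow-siti.ru group intact but splits the first group into three pieces, which is a useful property: every edge in the output names the pivot that produced it, so a reviewer can see exactly which links rest on registry data and which rest on the analyst's call.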