98c9676d887d024defc1d340bd723073
Jump to navigation
Jump to search
Description
Summary
CryptoLocker is a ransomware trojan. It crypts personal data on the infected machine with a private RSA key stored on the remote C&C. The malware then displays a message which offers to decrypt the data if a payment of 400 USD is made by a stated deadline, and threatens to delete the private key if the deadline passes.
Identification
| MD5 | 98c9676d887d024defc1d340bd723073 |
|---|---|
| SHA1 | e075b3f7b594b442a6c9f7b2c34858db8bb0abfa |
| SHA256 | ef1bf0a5fb87f183f25d580c9bd09d732dbb68e213d3f4c186e6b819aae2ed15 |
| ssdeep | 6144:B/I4HDXpGzaTTYY26+MUqJmPvr8TETlV0Cx+lHnkUn7YukGkRX+twaxQXsn5VzB:VI41ys9yUmHAC0C0guztwaxQfuUD3q6 |
| imphash | 0591d31c7d7933b3119c407b8a61e0fa |
| File Name | Rldmydvjzrexhvf.exe |
| File size | 929.0 KB ( 951296 bytes ) |
| File type | Win32 EXE |
| Magic literal | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| TrID |
|
Antivirus detection
| Antivirus | Result | Update |
|---|---|---|
| Ad-Aware | Trojan.GenericKD.1637196 | 20140411 |
| AegisLab | 20140411 | |
| Agnitum | 20140410 | |
| AhnLab-V3 | Trojan/Win32.Zbot | 20140410 |
| AntiVir | 20140411 | |
| Antiy-AVL | 20140411 | |
| Avast | Win32:Malware-gen | 20140410 |
| AVG | Ransomer.DAV | 20140410 |
| Baidu-International | Trojan.Win32.Filecoder.BQ | 20140410 |
| BitDefender | Trojan.GenericKD.1637196 | 20140411 |
| Bkav | 20140410 | |
| ByteHero | 20140411 | |
| CAT-QuickHeal | 20140411 | |
| ClamAV | 20140411 | |
| CMC | 20140410 | |
| Commtouch | 20140411 | |
| Comodo | UnclassifiedMalware | 20140411 |
| DrWeb | 20140411 | |
| Emsisoft | Trojan.GenericKD.1637196 (B) | 20140411 |
| ESET-NOD32 | Win32/Filecoder.BQ | 20140410 |
| F-Prot | 20140410 | |
| F-Secure | Trojan.GenericKD.1637196 | 20140411 |
| Fortinet | W32/Filecoder.BQ!tr | 20140411 |
| GData | Trojan.GenericKD.1637196 | 20140411 |
| Ikarus | 20140411 | |
| Jiangmin | 20140411 | |
| K7AntiVirus | 20140410 | |
| K7GW | 20140410 | |
| Kaspersky | 20140411 | |
| Kingsoft | 20140411 | |
| Malwarebytes | 20140411 | |
| McAfee | Artemis!98C9676D887D | 20140411 |
| McAfee-GW-Edition | Artemis!98C9676D887D | 20140411 |
| Microsoft | 20140411 | |
| MicroWorld-eScan | Trojan.GenericKD.1637196 | 20140411 |
| NANO-Antivirus | 20140411 | |
| Norman | 20140410 | |
| nProtect | Trojan.GenericKD.1637196 | 20140410 |
| Panda | 20140410 | |
| Qihoo-360 | Win32/Trojan.e0d | 20140411 |
| Rising | 20140410 | |
| Sophos | Mal/Generic-S | 20140411 |
| SUPERAntiSpyware | 20140411 | |
| Symantec | WS.Reputation.1 | 20140411 |
| TheHacker | 20140410 | |
| TotalDefense | 20140410 | |
| TrendMicro | TROJ_KRYPTIK.YVS | 20140411 |
| TrendMicro-HouseCall | TROJ_KRYPTIK.YVS | 20140411 |
| VBA32 | 20140410 | |
| VIPRE | 20140410 | |
| ViRobot | 20140411 |
Links
Artifacts
Encryption of the personal data
Encryption process
Cryptolocker will encrypt users' files using asymmetric encryption, which requires both a public and private key. The public key is used to encrypt and verify data, while the private key is used for decryption, each the inverse of the other. Once the files have been encrypted by the malware, the private key is sent to the remote C&C and removed from the infected machine.
Impact
Once infected, the malware encrypts all personal data on the computer and modifies the desktop background:
It also shows the following message:
If you click Next, you are prompted to choose between 2 means of payment: MoneyPak (USA Only) or BitCoin.
As indicated by the message, you have approximatively 3 days to pay the ransom to decrypt your files before the key is removed from the C&C.
You can also view the list of encrypted files:
Persistence
To ensure persistence, the malware inserts following registry keys:
| Key | Name | Type | Value |
|---|---|---|---|
| HKCU\Software\Microsoft\Windowws\CurrentVersion\Run | CryptoLocker | REG_SZ | C:\Documents and Settings\malware\Local Settings\Application Data\Ljfmutwyfpezfp.exe |
| HKCU\Software\Microsoft\Windowws\CurrentVersion\RunOnce | *CryptoLocker | REG_SZ | C:\Documents and Settings\malware\Local Settings\Application Data\Ljfmutwyfpezfp.exe |
Registry keys
The malware creates a registry key in HKCU\Software\CryptoLocker_038\ where you can see the public key:
Also all encrypted files are listed under the HKCU\Software\CryptoLocker_038\Files subkey:
File system activities
Copy of the malware in %appdata%
The malware copies itself to %appdata% and removes itself from the initial location:
C:\Documents and Settings\malware\Local Settings\Application Data\Ljfmutwyfpezfp.exe
SoftwareDistribution DataStore
It also deletes following file:
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
It has an unknown type and has MD5 72de1589ff619488bc2d9d72d50defe2. Here is the hexadecimal view of its content:
00000000 78 8b 15 08 ef cd ab 89 20 06 00 00 00 00 00 00 |x....... .......| 00000010 06 00 00 00 00 00 00 00 5e e0 00 00 2e 22 0e 0b |........^...."..| 00000020 04 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |.r..............| 00000030 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 |................| 00000040 00 00 00 00 00 00 00 00 2f 22 0e 0b 04 72 00 00 |......../"...r..| 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000000d0 00 00 00 00 01 00 00 00 05 00 00 00 01 00 00 00 |................| 000000e0 28 0a 00 00 03 00 00 00 09 00 00 00 00 10 00 00 |(...............| 000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000120 00 00 00 00 00 00 00 00 6f 00 00 00 6f 00 00 00 |........o...o...| 00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000150 00 00 00 00 20 06 00 00 09 00 00 00 06 00 15 09 |.... ...........| 00000160 0b 71 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |.q..............| 00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000290 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 |................| 000002a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001000 78 8b 15 08 ef cd ab 89 20 06 00 00 00 00 00 00 |x....... .......| 00001010 06 00 00 00 00 00 00 00 5e e0 00 00 2e 22 0e 0b |........^...."..| 00001020 04 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |.r..............| 00001030 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 |................| 00001040 00 00 00 00 00 00 00 00 2f 22 0e 0b 04 72 00 00 |......../"...r..| 00001050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000010d0 00 00 00 00 01 00 00 00 05 00 00 00 01 00 00 00 |................| 000010e0 28 0a 00 00 03 00 00 00 09 00 00 00 00 10 00 00 |(...............| 000010f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001120 00 00 00 00 00 00 00 00 6f 00 00 00 6f 00 00 00 |........o...o...| 00001130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001150 00 00 00 00 20 06 00 00 09 00 00 00 06 00 15 09 |.... ...........| 00001160 0b 71 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |.q..............| 00001170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001290 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 |................| 000012a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00002000 00 00 00 00 01 00 00 00 06 00 00 00 00 00 00 00 |................| 00002010 00 00 00 00 00 00 00 00 01 00 00 00 c4 0f 00 00 |................| 00002020 10 00 01 00 03 08 00 00 0e 00 00 00 00 00 00 00 |................| 00002030 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 |................| 00002040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00002ff0 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 |................| 00003000 00 00 00 00 02 00 00 00 06 00 00 00 00 00 00 00 |................| 00003010 00 00 00 00 00 00 00 00 01 00 00 00 b6 0f 00 00 |................| 00003020 1a 00 02 00 23 08 00 00 00 00 00 00 00 00 00 00 |....#...........| 00003030 00 00 00 00 00 00 00 00 04 00 00 00 00 0e 0e 00 |................| 00003040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00003ff0 00 00 00 00 00 00 00 00 0a 00 10 00 10 00 00 00 |................| 00004000 00 00 00 00 03 00 00 00 06 00 00 00 00 00 00 00 |................| 00004010 00 00 00 00 00 00 00 00 01 00 00 00 b6 0f 00 00 |................| 00004020 1a 00 02 00 23 08 00 00 00 00 00 00 00 00 00 00 |....#...........| 00004030 00 00 00 00 00 00 00 00 04 00 00 00 00 0e 0b 00 |................| 00004040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00004ff0 00 00 00 00 00 00 00 00 0a 00 10 00 10 00 00 00 |................| 00005000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00010000
XML files in temp folder
3 copies of the same file (XML file, renamed randomly with a *.tmp extension) but with different names are created and deleted in %homepath%\Local Settings\Temp\:
- %homepath%\Local Settings\Temp\LLO34EC.tmp
- %homepath%\Local Settings\Temp\OEDE1C4.tmp
- %homepath%\Local Settings\Temp\UBA2B48.tmp
They all have the same MD5sum (8820c7d6e6ee359cacfa5a232c663a38) and have the following content:
<?xml version='1.0' encoding='UTF-8' standalone='yes'?><assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'><dependency><dependentAssembly><assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'/></dependentAssembly></dependency></assembly>
home[1] in Temporary Internet Files
The following file (unknown type, MD5sum: a45a21f762474ee71748b2833ff07f51) is also deleted:
%homepath%\Local Settings\Temporary Internet Files\Content.IE5\RHF2GBN1\home[1]
Here is the hexadecimal view of the file:
00000000 60 a7 70 91 8f c8 c7 9a 19 83 b8 a9 35 4a ab e1 |`.p.........5J..|
00000010 a2 7a f7 c4 5f 62 47 66 7c c8 0f 50 e3 57 3f 91 |.z.._bGf|..P.W?.|
00000020 2e 32 f7 86 2f 66 c8 c3 44 6d 6c 6f 0e 1b 20 e2 |.2../f..Dmlo.. .|
00000030 ad 58 e9 3f 42 58 98 55 42 22 1e 51 c9 46 48 6e |.X.?BX.UB".Q.FHn|
00000040 ce dd 6a 47 c0 7a f9 03 86 36 d5 ef 0d 95 99 64 |..jG.z...6.....d|
00000050 78 32 90 ff 8f c0 8d c4 26 5f c0 32 65 d9 02 5b |x2......&_.2e..[|
00000060 06 10 a7 94 e8 27 06 8f 5c 05 49 d1 15 a2 90 a6 |.....'..\.I.....|
00000070 63 78 d2 01 77 e6 73 8a 72 d9 e4 37 8e 4a 17 f1 |cx..w.s.r..7.J..|
00000080 37 b8 da e9 7d 2d f0 89 af 4c ae 07 59 30 94 73 |7...}-...L..Y0.s|
00000090 b5 9a 54 d5 6a 2f 1f 1c 46 5a 48 6e 1b 86 6c 65 |..T.j/..FZHn..le|
000000a0 47 97 7a f5 c0 d5 df 33 9a 74 22 06 da 65 f7 8a |G.z....3.t"..e..|
000000b0 ee 54 6b 7f 82 ba de ca 87 58 2b 2e ae c7 09 c7 |.Tk......X+.....|
000000c0 ad 0e bc be dc ed 31 33 48 3e 10 35 63 15 35 d5 |......13H>.5c.5.|
000000d0 0a 6b 6a b8 80 4f 40 5f b6 35 fb 87 5b 19 32 a3 |.kj..O@_.5..[.2.|
000000e0 ec 45 dc ef e8 5a 6e 5c 11 fc c7 db dc 8c 17 4d |.E...Zn\.......M|
000000f0 ec 9e 8c b2 31 60 a8 af b4 f4 c1 6e a6 8c ca ef |....1`.....n....|
00000100 bb 7a 86 ca a9 1f 0f 38 72 54 23 03 f7 eb fa 9b |.z.....8rT#.....|
00000110 02 cd e1 7f a8 b3 f6 55 22 44 8f 46 92 77 63 7c |.......U"D.F.wc||
00000120 37 4d de 9f c7 0a d2 7b f7 7b 8f 5a dd d9 ce 60 |7M.....{.{.Z...`|
00000130 9b 12 27 63 34 d1 3b f9 c4 fa 4c 61 98 38 af cf |..'c4.;...La.8..|
00000140 03 33 15 ca cc 55 5d 0b 81 0b 75 91 10 b1 8a b4 |.3...U]...u.....|
00000150 70 0c ed 00 4f 7c 0e 94 6b 5d 15 94 89 e6 1e 02 |p...O|..k]......|
00000160 05 a8 84 bd 3e ed 2e a1 6f 0c 86 ef 1e 56 47 8f |....>...o....VG.|
00000170 75 f5 7c 3d 1d fc 3b ff 92 4e 5b f3 23 06 19 f1 |u.|=..;..N[.#...|
00000180 d6 90 5f 87 65 17 04 c5 5c fd 67 fb 68 09 ad f4 |.._.e...\.g.h...|
00000190 69 17 4f 61 10 5e d9 fd 65 6b 3d 1a 92 3b 3c bc |i.Oa.^..ek=..;<.|
000001a0 18 41 0f e1 f0 44 6b 1d 73 40 61 34 0e 76 20 97 |[email protected] .|
000001b0 2a f7 ac 33 56 06 69 64 cf 52 02 b7 10 2c 22 0b |*..3V.id.R...,".|
000001c0 58 9f 73 d8 24 f1 63 03 d4 f0 08 cb 6e ea bf 63 |X.s.$.c.....n..c|
000001d0 99 e3 61 4d 0e 53 dc 95 a9 ca c4 48 19 84 ae d1 |..aM.S.....H....|
000001e0 f0 47 45 ad fa 2d a8 2e a5 b3 0b 00 1d ab 3e 0b |.GE..-........>.|
000001f0 d9 6c 5d e8 5a b8 7d 8c 50 d5 7f 8a 32 1c 10 91 |.l].Z.}.P...2...|
00000200
Network indicators
Contacted domains
The malware produces a list of random-looking server names in the domains .biz, .com, .co.uk, .info, .net, .org and .ru and then tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.
During the analysis, the following remote C&C was successfully reached:
| Domain | IP |
|---|---|
| xmpwxyspnmvbh.net |
|
Here are a few domains that can also be contacted:
- abyvegyvwecbim.com
- aempvcuakrixgw.org
- aesmplpbssrpfi.info
- afdvresnlkaunh.co.uk
- afgacqkgniwgvo.net
- agwuohuvburnu.ru
- aiqajdjymprdag.ru
- ajggxmetttgmks.net
- akcfelcpeivc.com
- akqlxhwkxrche.info
- akwufwvmcxlpuwv.org
- aleffeucwddhfi.net
- amgsmqbgxycmsnw.net
- amiahmeooqutdv.biz
- amkavpcfxuhjl.co.uk
- ananlxlukrbmtit.co.uk
- ansiwpmgtrqh.info
- anuavhdtdydfwm.com
- aogbieyyvnlnem.biz
- aoqljamqweix.com
- aovkirfpmlno.biz
- apbcbospvdilm.org
- apgsnkojfkkr.net
- apmnlbrfolqbgk.info
- aqsgrdbtuextm.net
- arctbbxyoycxq.com
- aronyrkrnrthqu.biz
- asrjbnrnblkvbs.co.uk
- atioeiywcnmdgdq.biz
- atssgyquknemhg.ru
- aumndpqwobys.info
- auuosbojyhjggbv.com
- auvunnoiwmwkfeu.org
- avgtsgjylkuhjmb.biz
- avhfuqskmddjpvp.info
- avqagrcanekik.com
- avqrnwskxpsjrr.ru
- awgrkdusxgkadd.co.uk
- axsbjswnbnrcr.net
- ayeqrapjcslyjh.co.uk
- ayqusjieadxeo.biz
- bahsplpexthlrno.ru
- baxxrgpakrmi.biz
- bbfranavdvmte.com
- bcavtognulcead.ru
- bckjebypvfqoonq.com
- bcxdyccnipue.co.uk
- beygnmsfowbk.org
- beyjsduapfswqq.info
- bfknlgsbgklqo.org
- bgnrmtfousulel.com
- bgwiaatetjhcos.info
- bgwnavlwavsjie.biz
- bgwripcpsnqch.ru
- bhfwbhuguipo.net
- bhhuwwhacqyoc.co.uk
- binoshbfwbucfr.co.uk
- bkxrsgdqxxbcnd.net
- blifeefqyvbsg.info
- blmbyuhdpyvb.biz
- blvabqdtpjllcs.biz
- blycexconnei.biz
- bmwjetxkgpnv.net
- bofvqqihopdeeg.biz
- bpuqogbwqnvyswm.info
- bqjbxrkifvnhcu.ru
- bqlcjxxapnsdk.info
- bqqoiabkosfi.ru
- brdetmoiqqgp.info
- brtkkuyhkqxw.com
- bshafjfeiwxrmn.ru
- bsmtjqkdpujyq.biz
- btcqpjwobgntgt.org
- btwxbjttqgtry.net
- buqigsxpqutiay.info
- bvfobqbnadqhges.biz
- bvqcbsnxpgduk.ru
- bxaykjqvelcd.biz
- bxhrnjxsxjrjxxl.com
- bxjpunfqssfqfce.ru
- bydbrccxuxcti.ru
- bydsqegxgtaut.info
- bynnwudjbury.com
- byxibipjfypdgwh.org
- cacuqrnuefmvgvi.net
- caiijrutyjauewx.info
- cbmpbhbgajlp.net
- cbpwevcgclfk.org
- cbqqkshgfemudr.com
- ccpriwfgwgwle.biz
- ccqexkhiiqksd.biz
- cdeskjsksnsbs.com
- cdfnwsddmycsxnt.biz
- cdiytroorxpu.com
- cdkqcfdkpfkv.net
- cdkroxlbgccdap.co.uk
- cefmhgfufubwwoe.net
- ceohshokgvivk.biz
- cfgtnvvquoxnm.net
- cgjhnvyqajvwdk.ru
- cgoimoxlhnvdt.co.uk
- cigorgrrcrow.org
- cikcvrgpxdycng.com
- ciplblpoahjpi.org
- ciwnyiiydvhtme.biz
- cjayhpqpbuuy.biz
- cjwxjcfgrors.info
- ckmrttfjhkaqdu.info
- cldiuoiulmjnxmh.biz
- clyricucrrpdwc.org
- cmdowwhhxagw.ru
- cmksulatohqkwk.info
- cmuuwucsunbs.org
- cnhfyddxrgnu.ru
- cnqfxvjndedyki.ru
- cpvjovprbprknu.ru
- cqsyhvjixbrgbv.org
- cuhxjygxrcbsp.ru
- cuqpbsaafokr.biz
- cveenrbudkyv.com
- cwnskxaifeyrlmx.org
- cwooijrkbtqk.biz
- cwtadwjppvkuyv.com
- cxdrgodirlghoq.co.uk
- cxsrrxlhbvdqwso.org
- cyotpyavxtxm.co.uk
- dabhsvtcugoc.net
- daypkifjjkxl.com
- dborhdgnrnlvkhx.co.uk
- dckxkydjljex.org
- dctsidrbrbvefik.co.uk
- dfaqabsfsuwfwui.ru
- dfbknkadfyhbwv.com
- dfduovigrqleh.net
- dfnromnhqisf.biz
- dgnoafhtisyj.info
- dgqtvfbboyifd.ru
- dhbadtsiylxik.net
- dhlqvkpwcydc.biz
- dhtdillrjrqndc.co.uk
- dhyiuekpijdet.com
- dijisshnwdurqf.net
- djqkmpwfniov.info
- dkbsronmeygq.co.uk
- dkkieeoeriyolt.org
- dkvmenobsfqgld.ru
- dmbykgdmgtbtjmp.com
- dmjndlapdipcwo.info
- dmwtgihmwlbha.co.uk
- dnnhkbcsujoqi.info
- dodimpqenjhirjf.net
- donskyldxpsecb.com
- douyuyhmfwjhf.co.uk
- doxqdfdqemlh.org
- dpdtefwllknehk.net
- dpehrwxwhqhagke.ru
- dphnhtrjafpj.ru
- dqbeexnfactwfdg.org
- dqlrrqgybqdofs.com
- dreuhkyoxejvbn.biz
- drygvqtlitkm.org
- dtwfdnocorpl.org
- dubyiirvjowjwfm.ru
- dumfxqsucpoejc.net
- dutaxbpcogktjl.co.uk
- dvcjukrreinfh.com
- dvrlmtrhjnil.info
- dxdgreyrplti.net
- dysyicprffthhs.net
- ebhrgvpaegbru.org
- ebiigvjptwbsxlt.info
- ebpdijeimfyt.net
- eceifjlsgkbx.biz
- ednuipcqoyobyht.info
- eeauwveefxcdydm.org
- eechmbgohahi.biz
- eflawnmsxvwfjru.info
- efvxlmtbdljcd.org
- efwobwnthhnk.ru
- egbhlatshybgd.org
- ejewcbuhipstg.biz
- elcawyfulfqos.biz
- ellomxsappgp.com
- elueytbfbqtfcx.info
- emtcvkcrwlvhwg.net
- emyebrabrghsda.org
- eokgnkxmuujghf.biz
- eorwhbamauhd.ru
- eowqtdkdquwdtt.net
- epniuyvohtraiif.ru
- eqifuhsdyhkfuq.biz
- erdnpvxxbfsslb.net
- esdkhncptsbhmk.org
- esgbatqeoigiie.org
- esuyonpcdxdm.info
- etinbyevmyip.org
- etlvuwtquvjtx.biz
- etqwmaavbesre.ru
- ettqsghhydxwovw.net
- eubndamhwgwverx.ru
- eucdbgdhvgrjeku.co.uk
- eusxvehmydjf.info
- evlyqxeakkekeps.co.uk
- evwbsgfvlxjuqu.ru
- ewhkuyiieprarl.biz
- ewsddgdwhihg.biz
- eybobcftoyhe.org
- eytgrqriauxf.net
- fbhoafvgbrwmv.org
- fccgvbslqdshgi.co.uk
- fcclsdwoigxka.biz
- fcnfrnelyvqu.ru
- fcrrolcefcisc.info
- fdcvgelugnsld.co.uk
- fddiifdcbdbl.info
- fdfcarbxxsmxii.org
- feajraovspbcewd.org
- feaqhtwoqrgkx.biz
- ferxnawvgcre.ru
- ffjhdeyrpbyfgqu.com
- fggepfoaimlcxbc.net
- fhjyffpaaogtbc.info
- fhovyuikfehoxnl.com
- fiiqvlhljagpm.ru
- fjmytssxkfjjram.com
- fjnxcluqqycrx.ru
- fjxqocauxgua.org
- flbofdrapdsbqt.biz
- fnynmtfwjopnem.biz
- fogfmvwsftfrfw.biz
- foxdgwgdhpqflp.co.uk
- fpcscqmnjdct.co.uk
- fptsygvabmgntq.org
- fqhwtrmjoeoex.com
- frenxjrcpjbq.biz
- fsbdcymidakkthn.biz
- fsnjkfdlmvsrsg.ru
- fsxrkiqwhapqcq.biz
- ftxsmenldfvotr.biz
- fubwujfguodjc.co.uk
- fuygwvpwylyhjsv.biz
- fvdxvxkuikkcjl.ru
- fvhpflcsyadc.co.uk
- fvjfvggyprmh.info
- fwthvawijdcbhli.org
- fwxofgmakcmjv.net
- fxbcddoqwkrptd.info
- fxbwdujymoyhou.ru
- fxdyxpiksyhf.org
- fxfqgdwdeuxv.co.uk
- fxrgpoujnxmqpq.org
- fyjdfcmhwbdq.co.uk
- fyjregybjltdv.org
- gairsqotpykr.info
- gatyycbndsii.info
- gbbpbsvrdxxlowb.co.uk
- gbeflkiqdnib.info
- gbyoyoijgqwxe.biz
- gcgqaijpqoqc.info
- gcrdfpjmefhchaw.info
- gcrxfvtrruvkocd.ru
- gcvkoprkyrwsd.ru
- gdaisbjqillva.co.uk
- gdcqgkiskxxsu.co.uk
- gdyupjrejppbcux.co.uk
- gehubryiasty.com
- gemvotxyhjamb.com
- ggohfsqmpuxk.org
- ggsdkabdlpccmai.co.uk
- ghaxrqfmtujpnb.com
- ghtnvtsdsvcnk.info
- ghxxvfobnhfowxi.net
- gilfxohpqsdgbr.net
- gjqnhrjsgqgwx.info
- gjvoyhdwapitp.com
- gkgnohncfqobpab.com
- gkhdmneceqjowpu.biz
- gkxtiftaleifwl.co.uk
- glvcdfyjxxjmv.info
- gmjqpqtxvtyvl.org
- gnoapqhrhxjhg.org
- gntfxcglvdhpk.info
- gphfcqpgpxfqwk.co.uk
- gptgrvyyktcxx.biz
- gqbipemulpaenc.ru
- grujgghppoijb.net
- gsojsyedyrvh.org
- gstgndpbhxtbyg.ru
- gsufnakacslbob.org
- gtewiljtilvafd.org
- guiohnsyovvnrj.org
- gurfuthlbbetew.ru
- gurkupbnhtambv.info
- gvatvlvikphq.co.uk
- gvfplrnwhcmk.ru
- gwfxowuvmiay.net
- gxnvqdckwxudvo.com
- gysongxoccxrtg.co.uk
- hanwvnwipimwqh.co.uk
- harofuhmikao.com
- hbxlrubvqwbp.com
- hcesfpfemtwrsfp.com
- hcowhlrxowxuef.net
- heqgjpdcijrqbl.com
- hfcvlpvkcptedm.ru
- hfukyjfaoxqgi.info
- hgcwhaurgfyj.net
- hgmogmclaylhq.org
- hgwkixntughhc.org
- hhhqxwccawctr.info
- hixecqvudnqwa.com
- hjdmaxuyvjhp.net
- hjfgrksuiwxxcg.info
- hjfvmobdnbprt.info
- hkgohqihtaslg.biz
- hkvuyhxbiinnuij.biz
- hlblhuppchmo.net
- hldfybgrciukix.info
- hlqytpnhgrhdmow.com
- hlyymkuuemxcfui.biz
- hmbfsqbqxjys.biz
- hmdgrnpbjnclv.co.uk
- hmxqejtsfythcad.info
- hnvrqbsuwdfo.ru
- hnxklnwutglkfy.net
- hoistdjtuwrya.co.uk
- hoojqbodugqgo.net
- hplnfmwtynpnxv.org
- hptdlrqmuhaic.biz
- hqegalldlpjyf.org
- hqgxibtvcredk.co.uk
- hqmgmalimmtph.net
- hqrbwautbofpwi.com
- hrckyyftrximft.info
- htfjdugeuwciemk.net
- hueeivvuriynov.com
- hvgfonggsfdrnrp.org
- hvmyyypfdudppo.ru
- hvyaltyvohqmer.co.uk
- hwlgpoyscibxtyl.org
- hwplghaxqkhb.co.uk
- hwsfpvttkqnki.ru
- hxuvctrrqcmb.info
- hyxrlsolggptdh.biz
- idosnfrinpesste.biz
- idsnxdwfwjga.net
- idyscbeyxfslck.ru
- idywwbwcftqthts.co.uk
- iesqsatnyjhe.net
- iflsocbouqlimoj.com
- igftvxuresajboe.net
- igmrgfillxoutc.co.uk
- igtdquskllpi.net
- igvdlvrncnuf.com
- iircxlghhiqu.net
- ijcuxcodnycfq.com
- ikmihxqdyqjs.ru
- iksgiyrejavhy.net
- ilaxstnpwhqxc.com
- imuntpvrnhoyqm.org
- intrnmcynqheu.net
- ipgfqultwgaad.net
- ipruijfnlnabk.net
- iptqiqdlwxxwswi.org
- iqeglvlkfcmae.info
- iqgpmawmlipqafe.biz
- iqxxaxhjvqgyyl.com
- irbcbwulxdmuv.com
- irhvfvwwvbpfls.net
- irmwengrvpfsi.ru
- iromhhapuoovuhp.ru
- iseubqsyrahggvr.biz
- ishisfxuvsuvg.biz
- isjuhivulvyoy.info
- ismgtikhdoilve.net
- istjmqfvauvw.co.uk
- isvchwcianfjfw.ru
- isvwhoytptqrwb.com
- itedjglkiyal.biz
- iuhxcggiolwjs.info
- ivoadfbidyymvb.biz
- iwefnmuuqiqngi.co.uk
- iwofrihutyacwq.co.uk
- iwwgabpwqukptv.biz
- ixlxehfkvxixxf.org
- ixximjeomhrc.ru
- iyffyelijhcfwf.net
- jabukoyvqsfsguh.info
- japbtnqvuxceuw.ru
- jcdqpelbhgunuib.ru
- jcgjggpcplmixmn.info
- jciqgefsltioax.co.uk
- jcuxvkukwceott.org
- jdmtcfbodsxj.com
- jeembdsqlwbfuym.info
- jfyuxytntspkn.info
- jgktpqmnxywwji.info
- jgynahacvoeylgu.net
- jhgygleolvpv.biz
- jhptenhvfohkrpb.ru
- jiiwlpimalpvsjr.co.uk
- jjitcqspdyxt.info
- jkmiyuwxnjefc.com
- jlrdwtgqffanbw.com
- jlrtlghyrppqp.net
- jnfjofiswpjphc.info
- jnnlanhmdhjk.ru
- jnpfrtxorhukch.net
- jpkadhvqfxdr.co.uk
- jsbhqjoooclh.org
- jsivudwpkcekox.org
- jssvhsvetfimx.com
- juyirgneynkv.org
- jvccufqutrwju.net
- jviucemyrfnrtq.biz
- jvtfjkawywfxm.org
- jvyfpohtolfv.ru
- jwfnbljxysgnly.ru
- jwksndsvqrkti.co.uk
- jwmikrrelrywd.ru
- jwmiqqfajeyfsvo.co.uk
- jxrkxbvjhqsna.org
- jycufpqxogtk.org
- jyknyjqfyvmux.ru
- jynewqwamcfkvt.info
- kapjfaussvxo.net
- kaukwdudmdwq.biz
- kbfbnfyioqwjsg.biz
- kbfpfodricnbg.org
- kbgmxtyauweakg.org
- kbwwlxmhusyu.co.uk
- kdbchvrqjxchlg.info
- kewpwogcojxi.biz
- kexmecvluayc.co.uk
- kfojkyingyocs.net
- kfyqtxegfipcwip.net
- kgvllsjiqwao.co.uk
- kgyksnqxsdbc.info
- khtmscrxwvpcumj.com
- kifwsycpeurjrg.com
- kiqrufteifsm.com
- kkbqepufslgrety.info
- kkdaouorjbaerer.info
- kkecqexeuvmu.ru
- kkspwgfqmhsk.net
- klillgyobqnfqp.net
- klwejqjmxlohobp.com
- klwihkjcoflgs.biz
- klwjjwmgqqjascs.ru
- kmfgxvbrxskpe.biz
- kmtjpdxgvjwabx.biz
- knjvpyokurjn.com
- knmxlltafrpcx.biz
- knqcccvvxifvjg.net
- knyypdoncwyst.info
- kpxjouqxrguyfcy.biz
- kqylbbtqvciio.ru
- kreubcojmyxru.ru
- ktsrpmcdvsejov.info
- kuiwahmdfbdlym.biz
- kuqsajcjdbdnqpd.org
- kusxhpninwjnr.ru
- kwjwllmdcbhcwo.co.uk
- kwtxuxifkepcg.net
- kyhmkwefytyic.org
- laeiwtftqpsuk.info
- lbfgrshevlrh.org
- lbqdpaqqbcqe.org
- lbwlxbwbdkmtt.co.uk
- ldccpjpijysy.com
- leflwlsracmu.info
- lfnbbphtvnow.ru
- lfvfkehsptwttl.com
- lgkhinwuaeinhd.com
- lgqmtvcmotdvffc.net
- lhjgnwvletbb.net
- lhlckguhgnfd.ru
- liytdfwepfvgsa.net
- lkamgvmskvmv.com
- lkewcfddjdjmxk.ru
- lkmftinxuoylq.ru
- lljyjwixyfyplgj.org
- llywvrdxxiuax.net
- lmriclwillallar.biz
- lmvthxkhyhbemya.com
- lndooooqhmirpw.biz
- lnojqoyromml.biz
- lnwckiykgcipe.net
- loaieewbefpam.ru
- lojyxsbrdsgtt.net
- losiulnlomciat.ru
- lotrkobleaee.biz
- lpymnfhjnnlsewv.net
- lqgexynjmuibqba.com
- lrabdlkitpkmc.com
- lrdchlnvsupql.org
- lrnueyvenefmai.biz
- luvfxkdcmiaamxw.org
- lvdxpysshhtfy.co.uk
- lwgkowyeyeskhr.com
- lwlgqybcvanc.info
- lxnwwkaucsqcesr.biz
- lxtsgurqnrhbny.com
- maiaapgalibkdgn.ru
- mbfttqjyxqofwp.ru
- mbrujuhfyvlnm.com
- mbvcnucvnstn.info
- mbwhdjcxoauyshw.com
- mcbykjvemsqd.info
- mdrpxgjcqmmfc.info
- medtgutycrkv.ru
- meycwklmgmgejk.net
- mhdcjrlrfndn.net
- mhfdlxqthdaimq.org
- miatlycjmqjh.biz
- miilelbfekvo.com
- mivqkmrfesvxt.info
- mjdemulvpuimjs.org
- mjgeqlhtptgj.org
- mjlkidaqspolew.co.uk
- mktwgnmgvbqsro.biz
- mkxptkdkyrgqr.com
- mljnepkwvdvierx.org
- mlkibfrgvmmu.biz
- mmtyrmucabgqsch.info
- mpkaafxlqechtwc.co.uk
- mrtpqnwltjgfdlo.biz
- msbhbetovksjyjr.net
- mskblbwmulrns.biz
- mtwsgpsotowuor.com
- mtxentjfyhubk.co.uk
- mutbwglofkeee.co.uk
- mwypstdmqwnyy.co.uk
- mxqgjmlfimnbfi.biz
- mywsnqgbotgvv.co.uk
- narwgpqytaonu.com
- nbpkopqpfckswq.net
- nchhlyocpvcajtl.biz
- ndawwyybemjrfn.org
- nfjxraxnpubuhb.ru
- nfnpbeymniku.co.uk
- ngcsavtbajtrwd.co.uk
- ngdlpaomexiewc.co.uk
- nglejtfrocjhudq.org
- ngpqsktjtxqot.biz
- nievtdpttkvp.org
- nipyljcfbkqtgfw.net
- njwtcacnncppgak.ru
- nkfnuegpquyj.net
- nlipctiuscqir.biz
- nmbtfhxsiftv.ru
- nmdovbffbgxx.net
- nnchwpujiapfkrn.co.uk
- nnleixjernmt.co.uk
- nnmjflpsotmxmc.info
- nojcesmrvhftle.com
- notepad-plus-plus.org
- npjajbiupbiwo.ru
- npjfjvhuhrqg.co.uk
- npkmbuqcimimdft.co.uk
- nqaijomdswtfiu.net
- nqeyaxqbchabaw.co.uk
- nquaiukprajirfi.com
- nscabupqkhupow.co.uk
- ntrgepoydqdyu.org
- nuhobyxcffwtmu.biz
- nvplgingcoflag.org
- nvxqvsrtbaat.net
- objsgjpwpfemg.com
- obonpwlrennnett.net
- ocagjyvdqskrut.ru
- ohvelnptrxhx.net
- oighmylwxrtpdee.co.uk
- oixosieoktdqvj.info
- ojaytyojcgxuwrl.ru
- ojoromuhfbvo.info
- ojtfmehprica.net
- okdrwejdvnrefb.info
- okhtkjhxhmahnqj.co.uk
- olakvfyogqnqew.com
- olpclndhobcddr.info
- oovsifwcuahym.net
- opduyeimqisrg.org
- opgiidvffpmf.info
- oqtxwcepwktlk.net
- orbkswtjmicrah.org
- ordgtxkleenrspk.info
- orehpbthqxrm.info
- orjpchmfsokvrlh.info
- ortpjumtuolq.co.uk
- oryqbkvqastt.info
- osadgfhndcugkuk.com
- osjpqmcclfvpwb.info
- oskbbbctrldgks.net
- otgwikkaycyoicw.ru
- othuqyptimoncjg.info
- otrbeumkcyfmx.org
- oucgmfbdemkas.info
- ovxafeyevoknyy.ru
- owewukpbfdfnm.ru
- oxsaroqxegdkns.biz
- oyalbprxlcmi.ru
- pbfyislvwvqhu.org
- pcilfasxcibrqm.com
- pcxstljfrkhs.ru
- pdqrnedyhxtsew.org
- pegkmduvsdyowf.biz
- pevtuiehcelw.ru
- pfpmmcrwqwardot.biz
- pokgaevuidpq.co.uk
- pomkvuwtqyxgmq.org
- pophrhtypwwc.info
- popmutsdxsbe.ru
- ppaxifvpsbeogx.info
- ppbjsnoqculdde.net
- pqnuhnnwksdjn.info
- prvdinvryloo.com
- prxyymehspklo.co.uk
- psjmvairjbok.net
- pslgngywxycqqd.info
- pugitqqvwopc.org
- puoxandojfcvqx.com
- pvbalsacfxtbqat.org
- pvkqsmsyjtdjqku.com
- pvkuwtjdgytvi.co.uk
- pvpvowroyqust.info
- pwamfbyytvxhsoc.info
- pwbcdnwpygssjcy.net
- pwetohocuscec.ru
- pwrhfkyuxgcy.com
- pxitnevyuvbrkkt.com
- pxowdacfgymot.co.uk
- pyctnhdivmhurfe.com
- pyesraweteeppmd.co.uk
- pypiobmiigsf.com
- pytcbkixtuwqwy.co.uk
- qaeapgdwaggk.info
- qaexvtnlflwpnu.com
- qamtvqispwrmrum.biz
- qarfvnrskcebq.info
- qbftimbohmukb.org
- qbhspcopmjhsuu.net
- qbiqgjvhbbywy.com
- qbkkugyurmtl.net
- qbwlrsgjxyvr.biz
- qbyvuimgaaycotr.info
- qcpiqerhoixrf.info
- qcpyqixaxrxis.info
- qdgncclvmwcii.com
- qepjkrgsjbtce.biz
- qfanyifvphas.co.uk
- qfdgesmcqwbibr.ru
- qfimlyxocdpur.net
- qgqmyoacoeynx.net
- qgyitbdtpblkxqf.com
- qhopnonabycbrnd.ru
- qhxoaywrpruu.co.uk
- qihjjlkxohwbfk.ru
- qjecimajyksnwr.org
- qjmucgqoqwgsues.ru
- qjwsqpcmntcpx.net
- qkcnhqfrblwwwjn.org
- qlgdlwunbiek.ru
- qlswuclvfvur.com
- qpadmqymbnwb.net
- qqhnyadyaoioll.co.uk
- qrbophjgtaurm.ru
- qrwyknoeyctg.org
- qsgvvujmtixmd.ru
- qsiyhvjrmaudm.com
- qtixvnbiokjp.com
- qtqhisismnoa.net
- qvgyfkvmvwax.com
- qvtspqrckhxspoh.net
- qwavwmesamctk.net
- qyhinymfsdaq.co.uk
- qyjroftneryoql.net
- qywnhdesvbpgl.org
- qyytwfxenjjugb.com
- rautgvxvbmqgxed.biz
- rbsbtytioedbwk.com
- rchhmiskhhqi.org
- rdaodtijmwasdur.net
- rdevmyqktgmrp.co.uk
- rdxnblacrpaut.co.uk
- refajoygvuqy.com
- reujqsqwqduhl.info
- rfajsblddletl.org
- rfbpihxivddoh.net
- rfcbbqtyhcuja.co.uk
- rfpkmsbftgav.biz
- rfxtrqljmnvujea.net
- rgfmwcerhbxuyr.co.uk
- rgirtbvsyijn.co.uk
- rgsmtidyvnamr.ru
- rhdqlhtjekhoa.biz
- rhnlnqyvjkei.biz
- riewmvpwplslma.co.uk
- riindsgvumrgsy.biz
- rkcaifqujeaiupl.org
- rkgoepfldmmuog.biz
- rlmnpgrvchexudl.info
- rloiixfmdtjwf.ru
- rlpqetttreuoqtu.org
- rmjlbordtergc.com
- rmopnylwgmil.biz
- rmtqfowaylgv.ru
- rncwaashopww.co.uk
- rnepumwklujlrd.ru
- rnfbfupluoqavg.co.uk
- rnntylwtdgswdmk.org
- rqqoqrxwinla.biz
- rrufperahbjqyaj.co.uk
- rummtmlqanbwrr.info
- rvaagxnbyaijah.net
- rvxyevknuqeu.co.uk
- rwhnbwxdulrddsh.biz
- rwknukjhrdjjdr.info
- rwuqgwtrfjnf.info
- rxbblpiyfdbe.net
- rxxbhobjwqmbex.net
- sayvcwvqmrsfk.co.uk
- sbimxfnfqppplxi.ru
- sbvqafpbbxxt.com
- scfjkmkhpnwekdn.org
- scgbdckjujik.biz
- sdrayeakenmnfa.net
- sdtqougblpbjot.ru
- secijwwpcurxx.net
- seecetbgamik.biz
- sfufeojhwfxrty.co.uk
- sfyvuxlctabfim.biz
- shfxaedlkftho.info
- shkomxnghiah.ru
- shwwvodxryrheb.biz
- sinqtqytxurgq.org
- sivjkbmgmrfvk.com
- sjdbuvgltvnpi.info
- sjgpatrrxlile.biz
- sjintvlisqfo.ru
- sjkmyrkpyrwf.com
- sksnqwqsqfet.co.uk
- sleuorxgfoavy.biz
- slysbxswsrpxijt.co.uk
- smutbikpfvtfhtw.co.uk
- sncoilcxsdjtkf.com
- snemaxcnkcgu.co.uk
- sowpgqpeisjxogd.biz
- spbixurfiqda.net
- spwoujgswlupgq.info
- spwwiihuvwbeq.ru
- sqklutepgxkmb.net
- srmhjiqkmtck.org
- srnbouwxnnvvsa.ru
- srscnoiigixyt.co.uk
- sruadyhjaduux.ru
- srurqfsjcrnoucu.co.uk
- stkisflotgss.org
- stubwyjtimjep.info
- suikcndnshxgby.com
- svveljpeayvqx.co.uk
- swdljapmccvsgn.org
- swhrqrrkniskqx.com
- sxbqnaodkhgsf.co.uk
- syfqxppmbstrla.com
- tahatmrprorngfs.net
- takyghsuikfvxv.ru
- tbtausuooogax.com
- tebfdhwkiliv.ru
- tfpscobevgspb.biz
- tfuttesccwbnx.ru
- tgfsjicsghafwmx.ru
- tggihuajlruqjrg.co.uk
- tgqyypmojeplqy.net
- tgyekynsjsjq.ru
- thkrqjutlfqgtyx.ru
- thoyaivhlyaon.com
- tjajminsbecq.org
- tkswaxoudmrqrq.com
- tlbtayeslniwd.ru
- tmnwmolvikaatv.info
- tmsmdisjcktbqh.org
- tnywuwksoubch.ru
- tpatrdyqjwilqgt.info
- tpbhmhiokstqdp.biz
- tqceaxaqtbidfjw.info
- trspkxwtaxygxut.com
- tsahuovrvnsncjt.info
- tsjnygtlsrctp.biz
- ttcirdnoefno.biz
- ttcyxsksfaev.com
- ttersfovrtnglm.co.uk
- ttnljiokrxekmpb.info
- tufbfioecwtvp.net
- tuhsnxwagnkls.biz
- tuugqystadlxev.net
- tuuityktmpvjuau.net
- tuyatewsoxwy.ru
- tvaaypfuptia.com
- tvcstvcepkrxic.co.uk
- tvfkykxbdmty.co.uk
- tvkquwudjlusrx.biz
- tvoaladdawiarn.org
- tywltcxehldrie.net
- uakkqwalssbf.info
- ualenkjlorhyjb.co.uk
- uaqjaeusyavmk.com
- uasedipebfgsccl.ru
- uasydoxgobgtcvd.com
- uavoovllhund.ru
- ubbjqetewibtp.biz
- ubrqqhexugufqb.biz
- ucilroqixvbf.info
- ucltbpbnjpwgd.com
- uddnhsdkisndiy.info
- udhhquruufxoun.net
- udwdyjmjslru.org
- udywqvkcpydofo.biz
- ueteiymiogmnurw.biz
- ufboijuggrefwm.info
- ufuotwbhhuews.ru
- ugftctfgdsiov.co.uk
- ugqadlpdetfw.org
- uharcakreyouukx.biz
- uiclmkfgyhvbe.net
- uilccuststatpm.biz
- uiwweettatnn.biz
- ujjuuhqvdkxrgb.org
- ukhvnqwkwwaemwm.net
- uknoleniqixqy.org
- ulpbnniicxhev.net
- ulunmnatogcc.co.uk
- umllhwdwcebcm.org
- unqsnjecwtyyu.org
- upeoxvsovrehqvf.org
- uqldhwuptbohdv.org
- uqspopieucmo.com
- urloixqjortyrn.net
- usbrvnxkarjt.info
- usqqpgvmuumg.com
- uthavrmrnpobq.co.uk
- uvhijhbnbkfv.ru
- uwkpmlgmjqjjo.ru
- uxndmmhhwtmspy.co.uk
- uxselhrswheke.com
- uyaanmsckmhn.org
- uyadbhivlehlqi.ru
- uyishdjmshdrb.ru
- uylhsxbomajldqx.net
- vaftdospdsrvgbh.org
- vakyvwuwumccqo.co.uk
- vantpgkruyvy.org
- vcfoqcmmgubq.com
- vcoedrnbnyfgox.info
- vdihyipjblcp.biz
- vdvlwmpndugex.ru
- vednxtduhccl.com
- vemdkppqbbtdrc.info
- vfcktaxaeuiwti.biz
- vghelfblclaiqye.ru
- vgyfanyolxldw.org
- vhnimvagrxryi.org
- vifhgvwmexksgrr.ru
- viledqcervfi.co.uk
- viuuuyykvdid.info
- viwomfppvgwnvy.org
- vjrarirsdvwwctn.org
- vkaifglouanogfo.co.uk
- vkroyjdewdmxte.ru
- vmcyqvdpgmkmlrm.biz
- vmdlgsbpuvgpm.biz
- vmfuhbldyicqhsn.co.uk
- vmqbwhblssscva.ru
- vnahvarktjbcl.ru
- vodavxodyyxsudm.co.uk
- vognncpjlkcil.co.uk
- vojfjyblvuugje.org
- voocxfyckibooh.ru
- vplwnoqdkvykd.co.uk
- vprimwhlbwmx.info
- vtlnqdkljaek.net
- vumhnhfnltvamow.net
- vwreewnoksam.co.uk
- vwrwjmdulnstc.info
- vwtqmpyikkpqg.org
- vxcmjpwidrwp.org
- vxmxxiwgmxgq.biz
- vxoqsotpbeksca.com
- wblydpjdjxkmgt.co.uk
- wbptlxxawdcnndx.info
- wbusauljbjwgo.co.uk
- wbxasvjvjoetx.biz
- wcdhywedvpuxu.biz
- wcxcmctuerongl.com
- wegutwidurunokv.co.uk
- weujqgffcdxr.net
- wflllppfbgpx.info
- wgvsgoyucsob.co.uk
- whjhsncvnfuv.ru
- whnmhcierdkpym.net
- withgvuxrkqnv.co.uk
- witrnlxyiyyg.co.uk
- wjhjomgrrgcban.ru
- wjrprcarkcuclb.com
- wktwuubauaxb.net
- wlfkpewoyugbsc.ru
- wluslpkdpgird.co.uk
- wmlevlmkmaway.info
- wmuajrbemeni.com
- wnsvgggetewca.co.uk
- wolgtmhfgnkpuy.org
- wowycwlfeqvi.org
- wpnxcqoykqcvs.com
- wppgusirdkgwko.co.uk
- wpxeopqyjpxxggo.com
- wpxyojpoqihauww.org
- wqcehgmymnmw.net
- wqgbdyjgidxwb.info
- wqjfbkfhtxlwwi.org
- wquadnynejva.org
- wrbhpintpxlqk.org
- wsfdagjupoxrdbs.ru
- wslnfojsnshfi.info
- wtyetteqqnntueu.info
- wuaggeeiggtye.com
- wudooynxemjb.biz
- wujstmphuvypk.info
- wvaafpnjrhvdlvn.biz
- wxcvklfyojcuomt.info
- wxcwrcpymjauc.net
- wymiefjjmarg.info
- xbxvofanmjbejet.org
- xdgcgupisnuufh.info
- xdsrndefxowhfkn.ru
- xeojhtrwxfrejv.net
- xfqucgnnocffmyu.com
- xgixjutfrxdbgx.com
- xgpnqlrgpfxd.biz
- xgyddhaouwhbob.net
- xhfvpolihhswhn.info
- xinjwxhlpsuyr.org
- xjijwaasmtom.org
- xkrhyogitenfqwu.co.uk
- xlcolrmlfbtoyt.org
- xlespknbeisr.ru
- xlgkxxcwcpns.org
- xmpwxyspnmvbh.net
- xnansjdtikqjbk.org
- xnimgqwosswtsiu.com
- xnsoohgwwlhgkv.net
- xnvrarwnygfs.ru
- xpktovtkldjbgat.net
- xqbawwnyaquwtt.co.uk
- xqgnskdvboavje.ru
- xqpxuqxnxqsefxk.com
- xrsrfhnfpveq.biz
- xsbdjhfpopdhj.com
- xslvlisnkfufhv.info
- xuagdlpayeialjk.org
- xugrftvtbuhqh.com
- xultlatjygmfa.biz
- xvewmioqwsigb.net
- xweuarctecavs.com
- xxrddnnsenfs.net
- xywaddjbfdxdufu.net
- ybakxwneorxto.biz
- ydiquvdajkwyfq.org
- ydpuywsgkuyr.ru
- ydxnsnjfspmee.biz
- yevehhfscrwhou.info
- yfspoxrajcrxe.org
- yhlbbhxagyoylt.com
- yhxcqosgankfi.org
- yicrcogkvcqdmru.ru
- yiprkexjqpnnou.net
- yiqnwsqjsqcidst.co.uk
- yjjccyownnsywh.com
- yjvhflvgcgchv.org
- yjxjfhmvjdfqp.info
- ykgrgelijqqv.com
- ykjwgaakehpffl.net
- ylaangwuekwre.ru
- ylvsebocwdulska.info
- ynjlkfmtdsvc.co.uk
- ynloncsoddsx.com
- ynriovllbqynxn.co.uk
- yognubcbkwfr.co.uk
- ypfvyypahyvok.com
- yphkrdojojgy.co.uk
- yprrptkbtilyia.biz
- yqerecxqejyqjn.com
- yqutwfyufntsgbt.ru
- yrausqdmjnbf.com
- yrjldvdtfcjxrvq.net
- yrpsqrmflggfjj.biz
- yshxcgqynbsu.info
- ysvftctsnlmkcj.info
- ytlufejxdcmsoqm.biz
- ytmcrlmfdnsbqit.co.uk
- ywvqsevdmbxsg.net
- yxyfbkhqsfvyop.org
- yxyysqkadfnqa.biz
Encrypted POST data
When the working C&C is found, it sends a unique machine ID and receives the public key for file encryption. All the communications between the infected machine and the remote C&C are encrypted as well.
POST /home/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: xmpwxyspnmvbh.net
Content-Length: 192
Connection: Close
...8J..$.r.."b.F......HO.Z..%..<......TX.<6...0..o4.89..23..
H5?........@
.+..6#:..1..Y...Hp...;6./..w....H.9b...>.. ....]..:K..V...j.Y6I1..d&..RGF......U...J6&K..F..AAmN....z.S.kQ.b.;E/.3....HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 11 Apr 2014 08:43:28 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close
200
.............X.....U.z...Q......=....";.......3...i...."(;-.....#....&I.rD(WQ.tH..a...e.".@..
{...p...G..X.F..\~....T..O.A....9...Y...Y.=.R7....~.......)I..9..B..W..i.......H~>...Q....*....8N..v~..1s.)A.`.....L..........R.....4$|...
.z.......V...H.2..%..^..~u.-.-.....n..3.,W....F..l"c.......Z3..z.......;..3..R..X.....H..Hm<.n..Y@.._...a...)..s...?.....r..&.G...........-.1..J...Pw...}.....`e.0W.3....B.,.....6.n..
|...g.....G...7fA./.../..#U..!...b..#.T.I...Z...~W.......c^i..j[......ln~%.t..^V..~.........^...D
0
POST /home/ HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Host: xmpwxyspnmvbh.net Content-Length: 208 Connection: Close .k.....-e..s.........@=....g.N..s.>..N0..Jx..c..$.C.[...,7..3.f..7p.I*P.4......[s..i..$.n.qzQ..B.k......*.........d.R5..T..)G......r.. T...C.!.+...C2.V............i....I..q.og.A.2|.X).......1.. ..D..YsGD.)..YHTTP/1.1 200 OK Server: nginx/1.4.7 Date: Fri, 11 Apr 2014 08:43:41 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close 10 .....r..VZ..?8.. 0
ProcDot map
Static analysis
Sections
Name VirtAddr VirtSize RawSize Entropy -------------------------------------------------------------------------------- .text 0x1000 0x1080a 0x10a00 6.605219 .rdata 0x12000 0x316d6 0x31800 6.354802 .data 0x44000 0x66644 0x51a00 4.556674 .rsrc 0xab000 0x542e8 0x54400 4.386447
Resources
Name RVA Size Lang Sublang Type -------------------------------------------------------------------------------- BIN 0xab490 0x50370 LANG_ENGLISH SUBLANG_ENGLISH_US data RT_ICON 0xfb800 0x25a8 LANG_ENGLISH SUBLANG_ENGLISH_US data RT_ICON 0xfdda8 0x10a8 LANG_ENGLISH SUBLANG_ENGLISH_US data RT_ICON 0xfee50 0x468 LANG_ENGLISH SUBLANG_ENGLISH_US GLS_BINARY_LSB_FIRST RT_GROUP_ICON 0xff2b8 0x30 LANG_ENGLISH SUBLANG_ENGLISH_US MS Windows icon resource - 3 icons, 48x48, 256-colors RT_VERSION 0xab1a0 0x2f0 LANG_ENGLISH SUBLANG_ENGLISH_US SysEx File - IDP
IAT
Version information
LegalCopyright: (c) 2009, AccessData Group InternalName: Paragraphleg FileVersion: 1.1.929.885 CompanyName: AccessData Group LegalTrademarks: Paragraphleg\xae ProductName: Paragraphleg ProductVersion: 1.1.929.885 FileDescription: Paragraphleg Translation: 0x0409 0x04e4
Strings
j@PQ
= "A
_^][Y
PPPP
t$ P
9t.9Q
QQSV
YYt9
QWSP
_@[^
F(@@;F,v
;F,v
j$Y3
hh+A
50!A
hT+A
tph@+A
t_h0+A
VWu*
=4#A
SVue
;(rWV
PVj0
54#A
s$_r
=@"A
tS9W
tS9W
VWvB
_^[]
t VP
u.;5
LSVWj
=hyI
=hyI
=,!A
8MZu
QQSVWd
PtYY
SVWUj
]_^[
t.;t$$t(
Y_^[
VC20XC00U
SVWU
tYVU
t?xH
]_^[
wLVWP
FVWS
h(3A
h83A
xd;=<MD
-_^u
WVS3
p`;5
[_^]
Wj@3
t6S
hH3A
hX3A
=xyI
ht3A
hd3A
u,hT`@
u79=
ht@D
uiSj
@_^[
j?^;
<Yv"
h`7A
QSVW
~\u
t$<"u 3
5`yI
0<=t
5`yI
>=Yt
t7VP
5`yI
Y]_^[
8"u&
QQSVW3
SUVW
tyf9
SSS+
@PVSS
t#SSUP
t$$VSS
_^][YY
YYt.
_^][
YYt-V
9x,t
9x4t
9x0t
9x@t
VWhl2A
50!A
h 8A
=8|I
h/a@
YYt+V
h,8A
h`7A
t&:a
8csm
Yt V
5H|I
YYu"
8csm
8csm
~=;F
>csm
h :A
sVS;7|B;w
;csm
>csm
;csm
YY_^[
8csm
u,9x
@_^]
^_[3
h0:A
u:Vj
u%9=
F<W3
F,98uX
9P,t
9P4t
9P0t
9P@t
80t.
Wj0S
_^[]
u8SS3
9] u
E SS
t-9]
t!SS9]
9] u
PPPPPPPP
PPPPPPPP
h8=A
t$hl2A
VWumh|2A
50!A
hx=A
h\=A
hD=A
A#D$
= RD
= RD
v N+D$
;5,SD
;A t
;p$t
;5HSD
PPPPPPPP
9~(~
VWj Y
SVWj ^
h`SD
hxSD
PPPP
PPPP
@PWV
_^[]
_^]t
6PWS
t WW
WWWWVSW
tCVj
t2WWVPVSW
HHtjHHtF
=(~I
=$~I
=,~I
= ~I
VWsX
~'WP
h(DA
tVPV
t/9U
+t"HHt
9~DO
j XO
HHu&
u 9}
hXDA
u.hPDA
hHDA
h@DA
h`DA
hpDA
t@VW
%0"A
%,"A
=hVD
t3SW
C ;C$
tC<Et?
t99\$
_^[]
_^][
u/9F
SSIQ
=@#A
=D#A
=4#A
E W3
SVux
u>9E
^[_]
=L#A
t59~
u09=`\I
9=`\I
5`\I
QSVW
QQSVW
F,L-A
tMVW
>(r-
8SVW
5$!A
Ph(/A
Q$_^
Q(_^
Q,_^
Q0_^
Q4_^
Q8_^
Q<_^
A$VW
Q@_^
QD_^
QP_^
QT_^
QX_^]
A$VW
Q\_^
Qd_^
Qh_^
Qh_^
tTh8/A
F,L-A
SVWu
S\_^[]
SVWu
S\_^[]
@O@u
SVWj(3
tLShD
hl'A
@_^[
0SVW
t39w
9w u
^8tI
t7j0
=X#A
9~Lu
9~Lt
9~Lu P
=$#A
=(#A
4SVW
9GHt
t 9p$u
9Htu
t ht0A
@t V
@uESW
@SVW
btZ-
=@yI
u;j0^V
YYtVj
=|"A
=L#A
u(;C
_^[d
VwltB
r0=8
97_u
Rh`/A
h(/A
h(/A
tLShD
FpW3
uG9~
F(Wt
)SS+
V,RW
QQSV
F,+F(_;E
^[s j
^(_^[]
=D A
=@ A
=L A
=P A
=< A
=0 A
=, A
=( A
=$ A
= A
tLShD
h@1A
tLShD
=4 A
=4 A
@t V
<A|2<Z
.<9~
1GG;E
CGGC
<A|@<Z
<<9~
1FF;E
t)PW
_^[]
u@Vj
QQSV
QQSVW
~A;{
QSVW
=H#A
=0#A
h`\I
=x^I
=x^I
_j X;
Q$_^
Q(_^
Q,_^
Q0_^
Q4_^
Q8_^
Q<_^
9M u
Q@_^]
QD_^
QP_^
QT_^
QX_^]
Q\_^]
Qd_^
h80A
%H"A
CInvalidArgException
CNotSupportedException
CMemoryException
CException
COleException
DISPLAY
CObject
Delete
NoRemove
ForceRemove
CMapPtrToPtr
CArchiveException
CCmdTarget
CWnd
AfxOldWndProc423
AfxWnd70s
AfxControlBar70s
AfxMDIFrame70s
AfxFrameOrView70s
AfxOleControl70s
EnumDisplayDevicesA
GetMonitorInfoA
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
USER32
qInitCommonControlsEx
COMCTL32.DLL
F`/A
HtmlHelpA
hhctrl.ocx
#32768
commctrl_DragListMsg
CByteArray
CMenu
CGdiObject
CUserException
CResourceException
kernel32.dll
user32.dll
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
R6029
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
Program:
A buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has
corrupted the program's internal state. The program cannot safely
continue execution and must now be terminated.
Unknown security failure detected!
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
e+000
GAIsProcessorFeaturePresent
KERNEL32
(8PX
700WP
`h````
ppxxxx
(null)
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
InitializeCriticalSectionAndSpinCount
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
1#QNAN
1#INF
1#IND
1#SNAN
=L9o<
Invalid DateTime
Invalid DateTimeSpan
ForceRemove
NoRemove
Delete
AppID
CLSID
Component Categories
FileType
Interface
Hardware
Mime
SECURITY
SYSTEM
Software
TypeLib
KzIi
En1^
SIsHj
rq~e^
#[1=v9
b2|,
3PvY
"Vh!
@XRD|
"M]R
XZ)Br
A8m5
B^h-
;sd#?
1]R
kI@sE
<n'jf
Z.Y?
@\&c
Q$ji
IZ.]
F*#c
quj\
8oib
@z;1
jT%<b
HCI-
!=^J
i@a|
`aoc
'HnXs
OaGn
rZu
@ as
Z:aB
C7{<
RR}4
6b9F
8B~X
:8T
f0we
q!Qu[
Hioe
w@fq1E
FNqQ
oZ(e
qeHL
o`?|-1!<
hdLyJ
tgE 0
(VWq
Fw3
&[$2
v l)
4E@N
=EC]
2q\v
0W=I
J2H%
fqqjL
nJqe0f
??GT^
MRs^
w lr
'!bRA
WVo`:
:8CM
e=@3
on*4
#l?3
eWeq<
K2Mq3
WSm
weg{
ZrE5y
lWQnII
Z}yA*
M\uE
[A#8
AfFa
jj+=3
WR30
W,kI
GFSV
VF7n
lVQe5
-qv0
' rxf
62re
WUqW0
b%xe
wINfM
HimV
n;yW/[
Gl%W
YR4DL
OzLEl
$u[[
s(7d
[843
ew3
]0~"W
5Y$9
03I~h
L6fY
S$$E]
#6]L
VW#j
O*8
D6lq
0e"~O
]k=QZ
DGP'
jOi(I
^P!~K
(V&fL
Kg9V
WNvB
8CLu@
!F6b
k4L|3
w92
V/+,
Y/XBa!
$6AX
ZvD
Z2JF
e$OC
$J`d
bFF8
te_!
H7S^d
qwLx
ujwI
wh1/
bj,=
N[eV
G_I
3W$
h]SC
E%1$uL
>1W
0_7W
}<R]
bnxq
XER<
WigY
wqq[
q ]
+/q9
;mg7Uv
ffe]
. ,h
I\S
4GhA
rW|<
9Z8/
=sjc
5#aBi_
dReq
qwIWO
DLWf
EU$S
PDMf
_OA1$
Cb5ww
fwf4q
hZ_
vni~5Kq
-8+?
`t4kyD
^yVy0
eWmR
IJX:
I,)z
y3ht
$t]S
3`kr
w>+%
%nc^V
y1Oe
hQE\
}dV]
T)!_
g?TDZ
$,]$
C$DH
+Z_H
vfOD
a*Ff
!O c
WbM?
NwIw
dp$#
f71i
UO^p
{M=G
>zWW
m!qW
;dfq
0Q[*
d/Q4
R}nh6
e }E/
eU1N
!Tv`
Iz L
"6+L
A<_Q
S0[Z
wI<Y
MD~,S
VG*x
LC`:
pwz\
#n;R
{XCX
L(bns
RkRx
L#Bd
9DZd
H;(b
ji_?
(0"4
eV\Q
w9Kma
kp W
xh]C
8{_
[RP$
0I7h
:PSe
1)G8q
T$$}@
.O@
*b I
U7CT
R!%W
I}uq
e{G&
) )V
=FFe
"(a{@W
wwc=
q 5>
99N{yl
WqG$
UW6R
a#%dp
qDG^
-X@+
<2Kw
LccNA
7ju5
^%^c
FU=7
aQ@ O
q.W#
)Fh-h]
qqwW
,N"W
[dV~
1QPm
Ljx|
GeS_frf
WV3|>
Ve3W3
WFKJ
d|%L
i"fW
3[7e
tkN,
Z2@i
<6/%
CPpv
1$$t
,)i$
qe I
w L{
+P_0lYJ@E
6ALEk
0b>!
X<C|
LW3S
{t~y
nx]F
wq9>
LT`A_
,u W
WWL*
Z#FX
`8X o
f*slA
`kY_
)G|D
#mt?
c.mm
\?J!+
{#>a
$F^a
kLII
$sA$
Qf]$
M>#1Nk9^MVs
eLa*
WLww
m\D$
e;v2
ISV
IWS!
eofI
fLUf
:$kX
OQrR
wI t
V H
wfW6B
2`*S
|QkAv
r,RT
@;CP]
.qWq
+6hu
L"$v
p'9p5
R>PfV
m cOWt
e3G&
Lg^Z
gHj=
UD|1
%pt
Xeww
sD(b
V~D$e
Xu*0WOz
If:}
[_Iw
VNI9
:I)q
Wq#A|
poq3wW
W3WW
qQPs
}\rB
W7e&
_!#0
oK5Yr
ih3C
$*+q
\:0MH
33w0
HO-R
WfS{
Ky%q
[4OV
W,A\
1=5s
PIUF
anq
L M4
yxI
o,vCII
Ata3!
eWeI
r%hQ
qIVH
u@8Q<
b}QBs
B)*L
Zrs|
Z_gi
w~]F
z<Ww
3&I^
3wWw
~"Rw
lex+
@Ga[
mq30
48l9
0W21
v4AZ
4h>rL
:CPW
YE1r
Y$]^[
5C<`~r
N@ SX
alMv
q\Yy
.z&6
W-m]
4uhl
w/,e
]/{w
wqw,
U]f\
~.vI
$K,%$N
-OV
G&/ev,
>xPQ
9~:V
T_K]Og
kw8V
I%r'
Y79W
DW|_y
K_2.0
(xM&
<o'e
B_L3
f=5w
qqq
fqb[Ew
q*&G`
1mDLef
qOyC^Vr
,ke;
3l6e
uS3X
1V^:
6:t0
w0P{
qpbN^
oh]h
$}pu
^W_/
WWVIL
xTZ_
V{U'
[.J*
wfL3
0w4.
aF:0
bb\*
jT|T
Q,<e
$w"f
>KQo
3VRp
'+uG
HWf0
iDc@h
0q#c
)g5!!
Czh3
StJ_
qwZf
z<9$
,lltW
I6kJ
!v;L
'W&A)
4{lq
qIeW
lVzJ_
@9DA
9J4~#
")Mu}
mwwfV
)k]L
*]p,
P"Bq
9x}+
VIeu
.g~[
C[[W
,_8;Tq
BS$~T
qwI7
BI I
IVXD
<%.'
74pV
C$Mu
ffV[
Y.p.
f3qL
Q'*w3
v-@+
0WWW
5=bu1
F4kmg
G<0;
:{|4
FSPr
3N.6
,me0
wVj=
qe!!
(u
M*JN,
+B9VV
Cq e
0h{0
WR @
2O=W
$ASlDQ$_
SWW3L
t}gn
r9Q2
EW 0
bQq5
3>e
j$uU
*U6z
Ro&P
qZ^L
/`3W
tA]EU
27z6t
b [7
Ac-g
WmKI
_M+g
X:/<VA
VqWI
NCcW
&NIW
VD\m
Vdfw
'@B\
#(wq
pi?N
?"pp
0hj6
S H?g
SHrA
0eUEX0
3(,&
W0BY
7GuH
9_F)
*S]#
wz I
U:<t
Y33J
jKZw
VMdBR
]<k?
Pa|V
#+Ls
LDSV
(#HW
q3H|>
wqhU
tUCE
$$>C
c]$
wISj
'nx$
euM^@k
YQX1
TK 9v=
wILe\
R68r5_
jTyq
WeeV
@;"T
- `H
IVI2
(?1
@rAW
$A,Q
W0_>
WIL`
wW0@HJJ
Wq8y
*^9,
qfqf
NgQ3
?5rZ
e=CP
]dQw
aBL
;;z-
KSuQ
L~Is
r#$o
npD*
W3}d
ePWy
5I7Cs
rOh;W
]"{(
wW4m
11d f
I >;M
rIl#^
mLUi
Ww3MI
3Vu9
I6$qV
P`]/
qXN{
\KeW
)NT~
SH JbL[
`HLO1q
qa,u
f2'w qb
WW'hQN
t:m*
plaO
?42[O
VIr'
TUX$
cZqs
fu;}
[#xw
Y=@ bc
ihjF
Y:`
_)63
vPBW
{l.XAb
)FNN
E#?W
#P:L
0L]t
V{w
4iK\
qb^A
\#ec
BWo5
1zf
[[qq
qVpXo
uZ0k
^*cv
p$bE
I=7o
%3h0
IMgsY
"cqoD
Xq3q
e,t7T!
f:Nd
)^(\
VAu8\V
IffI
wh[Ff
.k1j
7fzQ
|&3
O[YM
T&P4
b6<W
7v`D.
W)_v
R?8)"#
fwbb
eWL@X
*ceCQ
P9^
w=T
&k)
D$E#
fIgq
nHK+
W'`3
d1j`
[JJ[
2yO,Sn
dEM8
J,{L
h%(.V
<F8d
mBux
e6iq
qW0f
LB##
PA@E
W^j"
@[<@
4lA#
47dy
8Dzp
!Qw
*-Z"1Z5
^"b-|
VIIf
U0-j
AIz ;f
*8zfw
\a6N
3-Re
w:1ke
Das?;
L=#~
fwLW
V0qpP/3
ef2uU
q\$t
W^!"
}\Jr
WBnu
60)_[W
0Mqf
~D}I
i3-v
V$[5
/yeq
'gkK4O
qPeVV
?u0;
Ay`I*
[1iM8
wS7+
3(Z#
p8jgmO
`oL0
D_It
NVD}
pw2h
`z9b
#Shs
wq0L
#E2
LjIV
Wg)8
2Xv|
_!Z+
!o%4i
fI0
VD!s
F%pH'
`]7.
ngFn
30
fWq3
a+wq
[(U5
%D$<
v%8LA
1A0$
$$u$
I V#Em
)E6a
`/_Lq
W=GM
A z3
Do- ]
Rz@W
V^[<
WL=00
Ir0O
EIwq
Cr]C
Wh[.L
0Vfe
I/Pbv
+ oc
@ul@
RSDSZ~
d:\Sharp\pattern\women\branch\Skill\Shoe\oil\Warm\yearSelect.pdb
GetNativeSystemInfo
lstrlenA
PeekNamedPipe
GetLocaleInfoA
MoveFileExA
FindCloseChangeNotification
GetCurrentThread
InitializeCriticalSection
WideCharToMultiByte
GetEnvironmentVariableA
GetACP
MultiByteToWideChar
RaiseException
InterlockedExchange
GetLastError
lstrcmpiA
GetThreadLocale
PrepareTape
ResetEvent
OpenMutexA
FindNextChangeNotification
FindFirstChangeNotificationA
CreateMutexA
VirtualProtect
GetFileTime
DeleteCriticalSection
DuplicateHandle
GetVersionExA
GetVersion
GetCurrentProcessId
DeleteFileA
lstrcpynA
SetLastError
LocalFree
FormatMessageA
GlobalUnlock
GlobalLock
GlobalAlloc
SizeofResource
LockResource
LoadResource
FindResourceA
GlobalFree
GetModuleFileNameA
LocalAlloc
LeaveCriticalSection
GlobalReAlloc
GlobalHandle
EnterCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
LocalReAlloc
TlsFree
InterlockedDecrement
InterlockedIncrement
CloseHandle
GetCurrentThreadId
lstrcmpA
GlobalFlags
GetProcAddress
GetModuleHandleA
lstrcmpW
lstrcatA
FreeLibrary
LoadLibraryA
GlobalDeleteAtom
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
lstrcpyA
GetCPInfo
GetOEMCP
WriteFile
SetFilePointer
FlushFileBuffers
GetCurrentProcess
HeapFree
HeapAlloc
VirtualAlloc
GetSystemInfo
VirtualQuery
GetStartupInfoA
GetCommandLineA
ExitProcess
RtlUnwind
HeapReAlloc
HeapSize
TerminateProcess
HeapDestroy
HeapCreate
VirtualFree
IsBadWritePtr
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
SetUnhandledExceptionFilter
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
IsBadReadPtr
IsBadCodePtr
SetStdHandle
KERNEL32.dll
UnregisterClassA
GetSubMenu
GetMenuItemCount
GetMenuItemID
GetMenuState
EnableWindow
IsWindowEnabled
GetLastActivePopup
GetWindowLongA
GetParent
MessageBoxA
SendMessageA
UnhookWindowsHookEx
GetSysColorBrush
GetSysColor
ReleaseDC
GetDC
GetSystemMetrics
LoadCursorA
ValidateRect
PeekMessageA
GetKeyState
DispatchMessageA
CallNextHookEx
SetWindowsHookExA
GetClassNameA
SetWindowTextA
GetWindowTextA
GetFocus
PtInRect
GetWindowRect
GetDlgCtrlID
GetWindow
ClientToScreen
LoadBitmapA
GetMenuCheckMarkDimensions
CheckMenuItem
EnableMenuItem
ModifyMenuA
SetMenuItemBitmaps
CopyRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
SetWindowPos
SetWindowLongA
CallWindowProcA
DefWindowProcA
RegisterClassA
GetClassInfoA
AdjustWindowRectEx
PostMessageA
GetMenu
GetClientRect
SetForegroundWindow
MapWindowPoints
LoadIconA
GetMessagePos
GetMessageTime
DestroyWindow
GetTopWindow
GetDlgItem
GetForegroundWindow
RemovePropA
GetPropA
SetPropA
GetClassInfoExA
GetClassLongA
CreateWindowExA
GetCapture
WinHelpA
RegisterWindowMessageA
DestroyMenu
TabbedTextOutA
DrawTextA
DrawTextExA
GrayStringA
PostQuitMessage
USER32.dll
GetDeviceCaps
DeleteObject
CreateBitmap
GetClipBox
SetTextColor
SetBkColor
ExtTextOutA
SaveDC
RestoreDC
SetMapMode
PtVisible
RectVisible
TextOutA
Escape
SelectObject
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
DeleteDC
GetStockObject
GDI32.dll
comdlg32.dll
ClosePrinter
DocumentPropertiesA
OpenPrinterA
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
CreateStdAccessibleObject
LresultFromObject
OLEACC.dll
SnmpMgrCtl
SnmpMgrGetTrap
SnmpMgrRequest
SnmpMgrStrToOid
mgmtapi.dll
.PAX
.PAVCObject@@
.PAVCException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCInvalidArgException@@
.?AVCObject@@
.?AVCException@@
.?AVCSimpleException@@
.?AVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCInvalidArgException@@
.?AVCOleException@@
.PAVCOleException@@
.?AVCNoTrackObject@@
.?AUCThreadData@@
.?AV_AFX_THREAD_STATE@@
.?AVAFX_MODULE_STATE@@
.?AVAFX_MODULE_THREAD_STATE@@
.?AV_AFX_BASE_MODULE_STATE@@
.?AUIUnknown@@
.?AUIAtlStringMgr@ATL@@
.?AVCAfxStringMgr@@
.?AVCCmdTarget@@
.?AVCMapPtrToPtr@@
.PAVCArchiveException@@
.?AVCArchiveException@@
.?AVCCmdUI@@
.?AVCHandleMap@@
.?AVXAccessible@CWnd@@
.?AVXAccessibleServer@CWnd@@
.?AVCWnd@@
.?AV_AFX_HTMLHELP_STATE@@
.?AVCTestCmdUI@@
.?AUIAccessibleProxy@@
.?AUIDispatch@@
.?AUIAccessible@@
.?AV?$IAccessibleProxyImpl@VCAccessibleProxy@ATL@@@ATL@@
.?AUIOleWindow@@
.?AVCComObjectRootBase@ATL@@
.?AV?$CComObjectRootEx@VCComSingleThreadModel@ATL@@@ATL@@
.?AVCAccessibleProxy@ATL@@
.?AV?$CMFCComObject@VCAccessibleProxy@ATL@@@@
.?AVCByteArray@@
.?AVCGdiObject@@
.?AVCMenu@@
.?AVCResourceException@@
.?AVCUserException@@
.?AVCDC@@
.?AVtype_info@@
kU'9
HMXB
?Zd;
?/L[
S;uD
z?aUY
D?$?
U>c{
zc%C1
.:3q
-64OS
NKeb
learn think
behindup color
wo#3
A n(
`q6R
?rJp
dPvL
a>ta
Kqr3
FKj0
hB*R
o9U7
WARe
8_D>
)a\Y
<;m4K
[]o|
u#hb
c,{o
V"Am
LL"xb
+Q#&
OrwV
_/1Z
eX!C
z@k`
|#;K
AP {
WAOo
4\n
bGR9
M~s!J
EUUS
SKh!
/'F$
t&P=X
01pN
{~rT`5
6~Vx
S7WCD2LG
1"Ax
@gil
p_1M
"uV48
]F@A
Ml3!
v2Sm
[a!I
Delj
G4RL
1k[K9
/7$Ta
Y0w4
'h`J
2hbe
J !k
xE`2
g?n8
Epe<
3zG
-1|h
A; V
A<wk
RYfl>
UE,n
<7*^
{DciIv
)";b
,Y4a
VU-xV
|\\J|:
U93K
iN7
'"G$
e-gI
DS C2
uk#Wq
"/D33
aBr<
y}q2
@iD@
:df4
TwSE
}*Hah
[xU8
Ayu`O>
C@*V
T?T
KhTA
q"N+^
/;&4
O8p6P
q&Ji
c%W
m9QH
_B.\
|)^J
jXv8
AP|<
Q. Yp
g~g{
6O#5
Szh_
#/Z#b
tgR_u
8%7T,
+y*q
W]fl
4kVkV
(@GE
(cKV
fxul
tjm\
tVel
p7b*
~-Fs/`
_dEz
fa-i
1\/!+2W~}
]NvB
Mt^]%%
&2J+
;sJX
RK{t
kH)X
8,,-2
CmjJ|
k([Z
?gXk
[6G)
qklx
=%>|
w4\",
x-te
^8[vG
f1o
T /1<
fRM&
V@jJ
b ?M
lg]
Mjw6
)u}+
3RGl
trt
@Fy2
d4Mh
/UGU
+;XX
;/[F
o]j(
v !t
l&Q7
ifW9{s
|P"j
ZzAjB)
\L<-
seVO
Ywy:H
^_A}
7lmN5{o
,7J$
5])a
oX[X
?>x
2c8'
{c#X
wZ*S
N4ivx
q!YAn
PmD-K-^
0Ij-
(hl1$
0ryZ
1h\r
rXep
x?};
v},1
6YLH
@y-Y-
,0$]J
)ct7
r}Lq
z)#Y
S$[ea
Bm{>
;^[)
EGIN[
!gLc,
<&9%
DPqg~
/`68
;NPr
yI.A
,M4t
Z^\0
1iBX
FaNw
O+G2
X,iN
Zeq/
/M&;A
FE{f
xn,5
3yy"7
$HI2
7o23
}Ey)
>t_?
G1{U8
?N{!
5H@:
V,)=
XN~
pgoN
"?:B
]pq9
{aj:
!%+^
b<jX
am$M
p#,;D*
\-q(
H*OE"
x2o3/
1k<d!
]|ga
8:7.
WR6K
Ntu!
t5PB
]g. :
`)n=
5;[
cuPe
|zVI
R%pB}r
E+gV
erPP
rU:B
+hM
g{q%
3WLVc
^R>
h/=a
-=_A
S.E>
Zd81z
d,(3E
nj%xS
Oh7|J
!+.z
EJS<
jh_21
sPJ@|A
Q5 '
_IpT
u`2A
^@Q1
c1n)85
Q?+[eJ
9]9"b,
_;Nwf
hhGR
[M F
eeKK
a}wl
T@5C
x\"&
%S:S
`_g:
F4?8
TELgj
4htq6
:Ai
BGf"
|`Gd
OIRs
eD.]evK
y Xu
zQdu
Hl>#
'OHQ
JDwd
-=Xq
_p%x
"c|$?
=I<y
dH!L
?!-C@
V57{;B(
] ;"
dhE3
~pUy
[^&;
$#BA
Q(5Di0S
HXZ:>>
NH>d9
nKe7
SIL0
@@@dA
m[2DZ
5:&p
xU!k
XCg,
_*RN
b+9t
'^Z`j
VYWZ
EttO
ia>{&
.K _
l <M
+?;z-
(X:%
EQ=>
-,w[
FZ]w
P(Qfb
<G|4
7're
gd_#
QW\_
FHwS3e
jdPqe
p?rS
L@3v
m|W@
4.^3
VFB9
sMXH
PB]S
lSBH
<Kc3Q
=?u.
c~H~Yj
&tH%
#7nx
&ld #
LUw>|
wd&q
4n1_8
Sqqn
wu^g
Ls rc
[<hF
{zM6
qX,y
fO\Tp
duV4
+FOz"
M6eepW
V"^Y
JRiO
v N}
m$)kW
'63N
:nst
$Q8`t
X$-4
uhXV
GJpi8
/Ht*
9|BL
v?*z
~g0j
<L&:l`M
IwT.i
,]6N
qv5e
Q`yD
5M?V
cnto@
,;+w
0NmcU
9J$Ofy
)_;1
9~VN0
/XF"
gRya
yFbF
=T\Q
pZrK
p9Ls
0ZJP|
]"Y7
HI290
1H:z
Y A]
UzB"
aBOC
k^-0a
}o"D
!yo>?
[s)[4
LBZI
/ZTY
JY(A
q(hnN
$-^r
(cMhaU
{F]T
_;0<
KiH"
O2hZ
-vtsY
@fb1>
gNW9
SNM!:q
.lR2
HJ/]Gc
an)G#
Y_T)
QLN3
HfcB
SLh
N2mpk
Y5J,
U$Odb
(ANy{
h*Wa
B1OI
Up!/
,$HY
eEf
hvl'
iU]4
`vbo
u.no
C'|]
bHD
bCKK[
I )'
iL'F9
oJnU
"*#W
g!YR
MnB5
e[(N
F <&
p5,8
(.\2
O_=!
V+|V8
=%Z>
V{~?
5yFz
& T&
Sc]N
(/mj
^_ Il
\9M?
<m\=
)^>@
ldu>
nZ;X
q{BhE
]@C-
?8'g
[5E.
MNb>P
P+OW
F4+S
5x-@
X'ytP
-nqK
ae.U
FIoR
@Tq`
5}AE
Ie,M
Ec,z
we;:~*
q+)u
H%.=
M51$
4PI&
yu@i@
?;DW
Dc_E
y$yH
.Ydh
yAG3Q
41Io
z}9y+@
S{Ad
wqnX
@HrA
>6^_
WKye
Ewit
u{D!
&)p0
'oO"h
q*;o
!,(d
YqtV_
]L|{
~5<|&
-DR7
|-l'9
DhQ9
bK)H
t$J!&
P0|[b
:6GZ
kcpB@
/*AQ
9c_@t
+TA^
_3JeUJ
4Inh<2
f[\;
{OLa
qGZ7
\p^|X
HV@
dm/q
n)V<
TA,]
Otg@
E(tb
}x]^
+MhY
`^sq
?G\f
Co/R_
*C:zn*
4 <S
rEY]
l_3H&
ABCb
g^#!P
$*M:
\-QJ
B:ff
_!Pc
%Y!{
l$MJK
X =>
.}Ei
_MR[
F[izj/[
WOlk
R#H
_ii>
YHEm
x sC
&;]"9
6 5.
3G?
ZkqK
F!XKY
"<r#
V+w6t5
wo@=2
*00t
]1ms
e?E1P
*x!W
{^{>
U7EX
^Tw_
CJ+f
&EGi
xea'
Jif&i
=vSj
_[6W
nnaO
@Gev
pOv'
qMqv
N"&Q~
x:l3#:
xBpF
9>Ir
sj8f
RAMY
~;!'/
0D##
Al*=
;8aEc
</2a
GL5|
p_'N
@a^:
@Ld'
Sw#a
\VD&
(qPS
_DJW
h: *])
|0zJ_
OX00
j`a1
6"9,
])]Z
QZG9#
s)L
]XF^
o<[S
r{rb
T:eJ
H^N0
Q3n+
/{uo
qN_sW
|a5MI
SQ$S
{yW#
5hHk
U6%j
xWjN+
>[4C
^^6A
A Jw
Vi:q
[Wy6
S,I!W
)06>
7F?{
XR"#)
B#T^
3/;{
q"yO
C|@0
V3cB
4mMC
kd=zh
AGn@
ROMI
A"{`
gr[|
l/C;
u$q,
4ecQ
=hHNO
YtP~
w\3}
=FCpF
=TOM
^ \oz
hBfkJ
=D&]P
M\,T
N<JB
"~ZZn
@Ya|
D0z<d
#R;"
Eh,T
e%;*
d-pY
1UNP
z79m
_,`+
J&:a
~fL 4
w4j]T
Rv U
4v}<
P[Lh~
wxQL
Jd#8'xEl
: {,
KYl 4
*DMt
KPhQ
R4wCT
ei"^
G/42
edaJ
^v#1
*l@X
tWl
]~<p
ccDK
keLU
q5D:
(-!C
)Q]T
jj\Q
c$@M
/5\
mh<P
nNPE
Hz9}
.VTj8
3\;A
+N-9i
KQ4S
w~r"
rwh%
ZHTg
_vK
Nag\
&5~{
hts1
]!aI
)O@:1:c
?U!#
mH*>e
Ksb{d
?]z@
xF:A
`4 >%
lSqH,
m%"|
MRD+
9h*}Z
`v&K
)0g1
#F@d
,3@8
5Jgh
51I7
ctkx
MWk>
QV"U
d#`d
vKBK
FB{O
Ksk
:,Ib
Kb<A
lO*X
mlx"
`W#Vx
H t7
i5d@
!BS18
tcpI
k.y.
M-lgC
+9aw
~]|L%
mOZ
Oq5}
x3Z9
|_PV:
oKK
IE7
/mMg
|iU<
!e<o
wy,yo
Aj+B
!\"7
M%ne
0YzU
~toE7
v4hw
#2pU
"MNG
Z+H;
*|qh
gg-`
I[Lx
o'fs
O@x`
=n;d
5O$N
*Of[
o)T-
8 )/
t `J
t`IR
?t}@
3v,i
?Dr*
yyez
yk0c
QjZB
)^p8|
}-R29
9|Z(
@y&W9
.1H51z
%C^K;h
}PW:
:QV@
V8',
3Og8
!*YA
zG~_<AK
,"IB
Q@]E
]J8#
`%O9
# #[4N
rdt{
x}Ax
fP0s}
04JbA
) ^io
Y1x<<
1@GW>
Z{K0
AB30
!hkX
*vwc
\3JY
]=Q}XC[IX
kp"+
sCH1\
_dE:
Ex"-
k\p#2
(vQ{
IzPmB
N+;P3
o-@Y
\c'2
iwL`
-JZQ
$y&2
erAtc
?\xC
|I7pB
H!Gse
5.uX
Ot=d
bfp?
ail@
m@ct
o|a!
R}>2
dGb2
l5M=
+}`(f
EQ|;@
ap{7
9QiO
&8=t
QdSeB
iswA
^:U&
EK+uhq
$i<%
^"]e
(t:-
4 EJ
DaZ"
~ RH
aT7G!#}
sxOK
b.m :
F(ik
,Oek
SB,Q+a
fmH}
[bk[
T"1F
/hFs
w{,t%
?5I]i
OHPl
0Cz3
"_G?
M8DI
raCL
mT^v
/=sU
]h+R
[U}!
Oz:C
RGc`
&JJ
Y:q>4
"J^U
Fszv
MB bq
>|(!
\?5C
{%|>=mT
1}p\
yt"j?
PDaO3
2\M/
/q:w
y/{c:
e(=%]i
P(,n
w'wE
B=^EV
|)qJ
[(eT|M
|Z12~
(h!)
MnBt
3\\g[(
w.4*
}wc2
Cs:aG
Kra\e8\
>kaV
whcE
]R#Ee"7
7{2jI
w%[K(0
8fGb
6yF\IF
C\,{
b}!X
hH("
|=kB
?Zp.
sp5g
FUGRM'
rsGa
TEgl
vfpS
\r(d
@Xg-"
R^l{
QH5l
bE/`
uD4vuK
s=.`
Pai>
$)t&0
O>TD
Y@"e
F9sY{
6`fe
P=`F
tWZj
9~Ow(
vR%s
;-vN
QLL"4
nWbX
3f-zf
X89a
xE|_G
V&|>p
AQ>D
0kFo
$|'K
a3Jk
4Rd$
KBSR
rEca
` 4]<
fYDz
VNdK
4"U\
ZZM<
Zd,q
!h[n
|_@0
<SXb
KWoO
'.+l
(zQ(\
D9ODA
2k:=
8vFq
zz7z^
tLl5
4x`N
d~ehm
Wd9K
{NDG
<h&q
dM-K
:[P\b
%q2a
'=~F[
i(98
OBf%
o:l{
+SEqF
7mQC
T#]K
k}50
kdvj
AJCz
`G1^
Sh;F
%}L/
E!a1
]8CM
TFB]
P_r,
JHP2
ir4o
v V=
p 4_
0DtU)7
Wo0@
na!?
wq0?g
l%Alt
xQ\t
3esZ
Qe`d
r<Vk
e/O
e`oX
(&Ev
ktSuz
ymV]_m
Ec#%n
Z)VB"J
_Z%"H1
@&+V
~fEG
>!jF"
eFOT
F&CPa
ocg`
cBxy+
gw|@
#U9%
ExD{
NWQ0
4*pI.
egp+
&fk|
Ymmk=@k
>Y;AO2?
#lY[
;x&i
yR4-
!MRV
XT Z
_5L<
a^9O:s
dc$d
.(;
LCS99iQ
#mcm
Q-UT
\VZ8s`n1
11..X
m/GK
eq[:^g
!\{m
UXgc
DBlj
w"s78G
+*C(
a"j=X
d=OS
^fh[|+
dIXS
"QrS8UO
a;-6
*4zlJ
!')S
$A $
jAFP
UO*N
(EK
&|&r
DaE{
(j(DX
ibzz
CWT
|U1J*
Y|va
*bb_
~KxW
fo'c
FqA\
&TvF
p2y"m
nGa/w
e?pG
R? =
8^Ix
Lus~A
/g,8
~G5H
u]Y"
~;|#
W6?
i`9*
j6&kt
v8w/X
{~F|Rw
=S{H
+&N^B7
jMvJ
s Xi?
:c~n
~SS s
vZ}]
. #\
r\jo
Cssr
QE+c
01k2?
2]>L<
Ln^"w&
tnV.
, {0
V5S}
vDzt
gWvz
AZ&PW
VT00
GVfJ
nq\)
Vd?q
%t+O
!KNVp
*:y4
wU<n
Zwyh
||7_d
Vc<3
4~W|
{cTM
/io'
-R{_
-gtD
!C7t
I)#=
aNL,
-_e"
] Sc
$Slf
|25V
{>J;
Rnk"
V`-
RJPs
h-YvB
'As/
}p:=
h@"H
pzEJ
c6ab
ijB+
~bab
t[h$
[r=$
Kr90
J8x9
=7Ho
E?^I O
"Uqr1
FPE@C
HH,Vy
OJ e
~ES[
'l)J
`h*7
~yqnS[Y
a#D4
Q2@(
' X>
t"&P$
vP9*;_1
.IOw]
sZ<I
l2 [E
JM::
XA%CE
I%rX
n/|/)8
rnO&;
cyKa
v+z(,
3@6<
io@@
rZa8&
iJOW
NL7 J
*^D\
O5g#?
Z'Z>
|d|'
Pbw*
U*r`p(
:ura
zdNQ
T) +Z
w&v}
L=r?
["i<2
]!!'
k?cB
GgyY
S Bo
ZxL7)Z
1V"D
'"MR
duF3
-hBMA
A;_;
foUUn
WJgM
:IHU
j%Tm
]u!+K
=m^v
" 40
4CFZ
Q,=~
I?B*
M+^BJ
_L3@
Jb4&|
sd$>.<
Lf4}
+uY;
F8B`
bbl]
YB[L
,.iG
|}a^
f&)]
W2/l>Y0
*odR
YIFV
;"Y&
n5U)
o7a,
*j+;
P );/
)?>]
<{@e
-ufH
@P&9
rw,R
l5F
&WA[L
?3gjX
P(<P[q
\ `W
E.pd9
xN f
2hS"
FkM<
f(iq=
d\AV5
dSE
P R?:
SA-]
L}N~
&P2(
FYx $E
a7tv6
wKE]oL
|5QQ]
8w%:
=z`G
xQkd
wvy{
Fs6k
"V@=
@`>R
a+cTUH
]TZr
Q}9xR
v.1m
a2Zy
x}p"
3h9B
F.N_
D$rL
VOS
Rk_H
3I59
'y)5
*"&-cF2 2LH
7] z
)"P\
%UQ*
HKLEb
aZUs
7d&
4\uj/m\)
t+^J
|Agw2
_F'!
vHN,
iGXZ
7B,>K
G~CYTx
HrVh
iN0kX
gS+m
N /%
9B"yL`f
eOQ<
FPD47
6kvmu
45r@
w7?~
\Zz{,
I(-+
sEbU
b(vqZ
_cfR
OvP^
f=.y
&A09/4
/R!g
l/>!
A\>\
$kQg
(HPY
xo\@
,c+z
tQ5$D
Iiy4
zw?%
+hDR
LY5yi
J'3H
9WyAn
rd5m
T4Z$
cLBc
+Y=v
5!^&
;;>
8kIB
>BK,
bXK"
OJssY
hNWc}
s64c
(q<I
DfQM\E
{!L2
}1)W
0B&D
_U=WP
b&[&
k=L4i
)g1
;Jz=
*tkr
W!q3(
K*uv
p#T<
srtg
E) e
%*ryG
@#c;v
D2F8V
S0C0&
$.lG{o
vPK]
;ZfDVc
}jNX}o
[fRu
ywz*
-!oJ
hIRx
dVtztz
s_ug
c{V5
kR=_
\U{E
fOKD
BQwY
<XS5=
HkS:
F9l^
aR$q
)010
f~tA
&D}u)\q
[hq:
iANq!
s*aT
kar'
dX.I
vw)Y
F fnT
1x~'
5\bA
d.i&S
}_NA
@F`{
`|dVD
N}Q-
pPsh3y
!JnJ
i$##7
dSlH
|:T
OY[]n
n6!^
C(jhX
rX5j]o
QcB<
Dx'[
y.VS
ehO@
Y89>
A4p}
-X(I
yecfq
3yz/
4Bw
oIHWl
~,Bp
&`z^
mX9F
[AF1
*7x;
c!?@
SkOV
$2>q
mzGk
UjP{
%<I.
f'=G;4
<T9d}f
%iXg
%3JS
ypkq@]
F(W({
Qk_
v3e6
_PrB=
?5h-Y~
9;p<%Z
>Nz85
9O>s
SaQ^-
y+yL
"|#k
8pRZ
#S&$
B$w|
Dh,X
zro/
1PX
[He\
nZ4>#
vm:I
^>Q5
aQv
ik+zk
^~pP
AlyG
w.-Uw
2]"%/
ApGmr
4QNp3h
s#E""
@Hr8
%5I[
P6Eh
P~1
Kx)n
if-P
Db4(S
IXZ=
-JD;
`.L9
D3W5
%W;|
^MXV.
`:an
Ft0x
$cG<d
b!s7
A1HV
,S]h
B:*a
6Qj?<
P=7d*
/+|kA
]{mg*
%vi(
GJjk
[Uho6
^BSf
ps:f
l\P%
YHox
'3G;
LwD"
zj5Y+
v<@C
4?%#
-GK>
_/fFS>
dm@
%E,/
[vM0
xOUI
gX{p
+3?k
bAmu
$Ht\
d_ _+
([7n
I}Ij
63j\
2VD.
J4YD:
g_7A
I b%
kAlb
TaQ U
{m#R7
&]Yw
J%PFE
yr<H
.$*MV
$ :#`m
j:|E
P& ^
QfEm
4MJS
c`Is
fl6M
bXz@?
6_9b
9XK<
y6gw+p
4pR.U
CEzN
,_{!.^
vN5l
&:+/
^lOMf
2 C\
&mI/
r'E1
3j/QE
/67'
D=WO
TYa)w
%yGZ
UX6P
91!O
(4k8Z
5Y[
:eeq
M+Lo6e
sO~PK]fi
,DLq;-
EGwUi
'e$`+
&Q6k
n)%5
Bf5Q
7{5o
- uhvK
?}R1
N_}c
NaBU&
WghAV
RMR%
LR%,
F&.K/
Sva]9
i!jK
:tWUf
}mH74
Lz%P[
9HPT
J8vv
o^'BB
s\52
apll
Cw"}7
^FA>
/pyI
I+>qE
Vz%Jwj
YIiM
g+*q
GA][j
AH=t
?hOR.
l(FL
h@Y
_" L
;A/z
vy>|
90jE
4XSm
$h
yx`P!
lQm&
;y!b
kXWu[
0t3i
>vl@
t'RB
<1PO$
,faK[I
;?Ql
/Lq4%F
&BD)
*sSf
fTjP
8-y]
]c]gp
yKXP
WVz[x
?z15
XDHR-
{Ji|
9!s.
E:xC
/n$9
@-t@
ku4!
XT5D-n
jJhj
n77-U
nWY,
2em(
DOn9
{*`P
YFhX
Yti-
-N=J
aW[+k
)'i>
`W[\
V140_
)W=@2
d\Uh
sv,Y
.r9m
}(t*u
)P!.
u"qa
G,?*
wQ%1
|oTV
m?DVc
\ S
`C/]J
QcF|
%ilG
B%Rm
-$KS
m`U;p
1*)I
{V-DD
p*f'
EXn(
PJ\a
<m'cv
T"+;
NxK|
+MTS
v<M.
rqpj
_7i4
yBwF
qtm{nI
C"1"
w^Md
]Z+
Od8@U
6p/"
w&Nb
WL $R-
WJ$ %K*
WJ$ %K*
WJ$ %K*
K$ XQ#
iQ.')\#
N+$bN2+'>8
X4/<b>9
\60@_97
X8/B[@4
X60Rb@8
tM" .
S*$H`1$
T/(dZ1%%\4
Remediation
Malware Removal
You can use MalwareBytes to get rid of this malware. However, please keep in mind that it will effectively remove the malware but won't recover the encrypted files.
Restoring your encrypted files
- If you have a recent backup of your data, you can restore the encrypted data.
- If you have restore points, you can try to recover previous versions of your files. See here for more details
- Besides the native Windows functionality, you can use ShadowExplorer to restore previous version of entire folders (does not work on Windows XP)
- It has been reported that it would be possible to recover encrypted files with PhotoRec. Read more: http://www.expertreviews.co.uk/general/1307248/how-to-recover-files-from-cryptolocker-for-free
- Unless you get the private key that has been used to crypt the files, there is unfortunately no other known remediation to recover your encrypted files.
Comments
Keywords: CryptoLocker Ransomware asymetric encryption RSA AES DGA 98c9676d887d024defc1d340bd723073