Ransom.Win32.SODINOKIBI.AUWUJDEM
Ransom:Win32/Sodinokibi.DSB!MTB (MICROSOFT); Trojan-Ransom.Sodinokibi (IKARUS)
Windows

Malware type:
Ransomware
Destructiveness:
No
Encrypted:
Yes
In the wild:
Yes
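Overview
This ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious websites.
It drops files as ransom notes. It does not encrypt files with the following file extensions.
Technical Details
Arrival Details
This ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious websites.
Installation
This ransomware drops the following files: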
- %User Temp%\{random characters}.bmp → Used as wallpaper
(Note: %User Temp% is the temporary folder of the currently logged-on user. On Windows 2000 (32-bit), XP, and Server 2003 (32-bit), it is usually "C:\Documents and Settings\<user name>\Local Settings\Temp". On Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit), it is usually "C:\Users\<user name>\AppData\Local\Temp".)
This ransomware adds the following processes:
- powershell -e {base-64 encoded command} → Deletes Shadow Copies
- If the sample is executed without administrative privileges:
  - {malware filepath}\MPLWatcher.exe → run as admin
This ransomware creates the following mutex to ensure that only one copy of itself runs in memory at any time:
- Global\B6CC837D-86BE-A32B-F1A9-2E0B99BA279D
Autostart Technique
This ransomware adds the following registry value so that a copy of itself runs automatically at every Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Z5egGonjst = {full path of malware}
Other System Modifications
This ransomware adds the following registry values:
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
k8q = {hex values}
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
TiuD = {hex values}
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
TMjCE = {hex values}
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
bfWmiW = {hex values}
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
RFY8wJD = .{appended extension}
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
Ul4OFJ5S = {hex values}
This ransomware modifies the following registry value to change the desktop wallpaper:
HKEY_CURRENT_USER\Control Panel\desktop
Wallpaper = %User Temp%\{random characters}.bmp
This ransomware sets the system's desktop wallpaper to the following image:
Process Termination
This ransomware terminates the following services if found on the affected system:
- svc$
- mepocs
- sql
- backup
- vss
- veeam
- sophos
- memtas
This ransomware terminates the following processes if found running on the affected system:
- ocssd
- thebat
- ocautoupds
- excel
- steam
- dbsnmp
- winword
- synctime
- infopath
- msaccess
- oracle
- xfssvccon
- sqbcoreservice
- wordpad
- ocomm
- dbeng50
- outlook
- visio
- mydesktopqos
- isqlplussvc
- firefox
- encsvc
- sql
- mydesktopservice
- powerpnt
- tbirdconfig
- thunderbird
- agntsvc
- onenote
- mspub
Information Theft
This ransomware gathers the following information:
- Computer name
- Operating System name
- System Architecture
- Username
- Workgroup
Stolen Information
This ransomware sends the gathered information via HTTP POST to the following URL:
- https://{domain}/{string 1}/{string 2}/{random characters}.{string 3}
- where {domain} can be one of the following:
- where {string 1} can be one of the following:
- admin
- content
- data
- include
- news
- static
- uploads
- wp-content
- where {string 2} can be one of the following:
- assets
- game
- graphic
- image
- images
- pics
- pictures
- temp
- tmp
- where {string 3} can be one of the following:
- jpg
- png
- gif
- where {domain} can be one of the following:
Other Details
The malware adds the following registry key:
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
The malware does the following:
- It accepts the following parameters:
  - -silent → skips the following:
    - Termination of blacklisted processes and services
    - Removal of shadow copies
  - -path → specifies directory to be encrypted
  - -nolocal → avoids encrypting fixed and removable drives
  - -nolan → avoids encrypting network and shared drives
  - -fast → fast encryption mode
- It will terminate itself if the affected system's keyboard layout is any of the following:
  - Arabic-Syria
  - Armenian-Armenia
  - Azerbaijani (Cyrillic)-Azerbaijan
  - Azerbaijani (Latin)-Azerbaijan
  - Belarusian
  - Georgian-Georgia
  - Kazakh-Kazakhstan
  - Kyrgyz-Kyrgyzstan
  - Romanian-Moldova
  - Russian
  - Russian-Moldova
  - Tajik
  - Tatar-Russia
  - Turkmen-Turkmenistan
  - Ukrainian
  - Uzbek (Cyrillic)-Uzbekistan
  - Uzbek (Latin)-Uzbekistan
- It searches for files to encrypt in remote drives, fixed drives, removable drives, and network resources.
- It checks whether it is running with SYSTEM-level privileges. If it is, it impersonates the user that ran the first explorer.exe process it finds.
Ransomware Routine
The malware avoids encrypting files whose file names contain the following strings:
- ntuser.dat
- thumbs.db
- bootsect.ba
- autorun.inf
- boot.ini
- desktop.ini
- ntldr
- iconcache.db
- bootfont.bin
- ntuser.dat.log
- ntuser.ini
- {Appended File Extension}-readme.txt
The malware avoids encrypting files found in the following folders:
- intel
- msocache
- appdata
- $windows.~bt
- programdata
- boot
- perflogs
- program files
- application data
- mozilla
- $windows.~ws
- program files (x86)
- tor browser
- $recycle.bin
- windows.old
- system volume information
The malware appends the following extension to the file names of encrypted files:
- .{random characters}
The malware drops the following file as its ransom note:
- {Encrypted Directory}\{appended extension}-readme.txt
The malware leaves a ransom note text file containing the following:
It avoids encrypting files with the following file extensions:
- 386
- adv
- ani
- bat
- bin
- cab
- cmd
- com
- cpl
- cur
- deskthemepack
- diagcab
- diagcfg
- diagpkg
- dll
- drv
- exe
- hlp
- hta
- icl
- icns
- ico
- ics
- idx
- key
- lnk
- lock
- mod
- mpa
- msc
- msi
- msp
- msstyles
- msu
- nls
- nomedia
- ocx
- prf
- ps1
- rom
- rtp
- scr
- shs
- spl
- sys
- theme
- themepack
- wpx
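Solution
Step 1
Trend Micro Predictive Machine Learning detects malware as soon as signs of its presence are found and blocks it before it executes. When Predictive Machine Learning is enabled, Trend Micro antivirus products detect this malware under the following machine learning detection name: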
- Troj.Win32.TRX.XXPE50FFF036
Step 2
Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore before running a virus scan, so that the malware or adware can be completely removed from the computer.
Step 3
Running this malware or adware does not necessarily install every file, folder, registry key, and registry value listed in these steps. The installation may be incomplete, or operating system conditions may prevent it. If the file, folder, or registry information listed in a step is not found, that step is not needed; proceed to the next step.
Step 4
Restart Windows in Safe Mode.
Step 5
Delete this registry value.
Warning: The registry is a database that stores Windows configuration information. A problem in a registry edit can prevent the system from operating normally.
Edit the registry at your own risk. Trend Micro cannot provide compensation for any problem caused by editing the registry.
Please see here before editing the registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Z5egGonjst = {full path of malware}
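Step 6
Delete this registry key.
Warning: The registry is a database that stores Windows configuration information. A problem in a registry edit can prevent the system from operating normally.
Edit the registry at your own risk. Trend Micro cannot provide compensation for any problem caused by editing the registry.
Please see here before editing the registry.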
- HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
Step 7
Search for and delete the following files.
- %User Temp%\{random characters}.bmp
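- {Encrypted Directory}\{appended extension}-readme.txt
Step 8
Reset the desktop properties.
Step 9
Restart the computer in normal mode and, using an antivirus product updated to the latest version (engine and pattern files), scan for files detected as "Ransom.Win32.SODINOKIBI.AUWUJDEM". If the detected files have already been cleaned, quarantined, or deleted by your Trend Micro antivirus product, handling of the malware is complete and no other removal steps are needed.
Step 10
Restore the encrypted files from backup.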
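The artifacts named in Steps 5 to 8 can be checked before anything is deleted. The following PowerShell is an added example, not part of the original write-up or of any Trend Micro tool; the function name Get-SodinokibiArtifact, the $ScanRoot parameter with its default folder, and the extra WOW6432Node lookup are assumptions.

```powershell
# Added example: read-only check for the artifacts listed in Steps 5 to 8.
# It deletes nothing. Function name, parameter and output shape are assumptions.
function Get-SodinokibiArtifact {
    param(
        # Folders to search for ransom notes (assumed default: user profiles)
        [string[]]$ScanRoot = @("$env:SystemDrive\Users")
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # Assumption: the WOW6432Node view is also checked, since a 32-bit process
    # on 64-bit Windows has its HKLM\SOFTWARE writes redirected there.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        # Step 5: autorun value under the Run key
        $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -Path $runKey -Name 'Z5egGonjst' -ErrorAction SilentlyContinue
        if ($run) {
            $findings.Add([pscustomobject]@{
                Step = 5; Artifact = "$runKey\Z5egGonjst"; Detail = $run.Z5egGonjst })
        }
        # Step 6: registry key holding the malware's stored values
        $cfgKey = "$root\Facebook_Assistant"
        if (Test-Path -Path $cfgKey) {
            $names = (Get-Item -Path $cfgKey).GetValueNames() -join ', '
            $findings.Add([pscustomobject]@{
                Step = 6; Artifact = $cfgKey; Detail = "values: $names" })
        }
    }

    # Step 7: ransom notes named {appended extension}-readme.txt
    foreach ($dir in $ScanRoot) {
        Get-ChildItem -Path $dir -Recurse -File -Filter '*-readme.txt' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Step = 7; Artifact = $_.FullName; Detail = $_.LastWriteTime })
            }
    }

    # Step 8: wallpaper value pointing at a .bmp file inside a Temp folder
    $wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'Wallpaper' -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -match '\\Temp\\[^\\]+\.bmp$') {
        $findings.Add([pscustomobject]@{
            Step = 8; Artifact = 'HKCU:\Control Panel\Desktop\Wallpaper'; Detail = $wp })
    }
    $findings
}

Get-SodinokibiArtifact | Format-Table -AutoSize -Wrap
```

A *-readme.txt match is only a lead, since legitimate software also ships files with that name pattern; confirm each hit against the extension appended to the encrypted files in the same folder.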