Back to Security Snacks

Spoofing

Gaming

Fraud

Pay to Lose: Dubious Online Gambling Games

Published on:

January 21, 2026

On This Page

Before trying out your new year luck, be wary of online gambling apps and real money games. This report details an investigation into multiple clusters of dubious Android applications created in the past few weeks that are engaged in predatory gambling and real money gaming apps. Notably, these are not registered apps. They are intentionally misleading users into thinking they are legitimate and reputable through multiple tactics like spoofing the Google Play Store, creating fake reviews, generating fake public win declarations, and creating entire brands with marketing campaigns and broad distribution tactics. These clusters also attempt to evade detection and analysis by having post install code and configuration retrievals from actor controlled sites, which serve a dual purpose of distributing region specific content to users post installation.

The report is segmented into three distinct infrastructure clusters. Each cluster appears to target a general set of countries including Nigeria, India, Pakistan, and the Philippines. They also appear to have non-region specific user base targeting, including English, Portuguese, and Bengali speaking users. Despite the wide range of targets, the clusters share a common theme of mobile-focused gaming or gamified gambling apps to attract users for financial gain.

Details

The three clusters spoof the Google Play Store with fake app reviews and downloadable Android applications. Clusters 1 and 2 involve Android application delivery campaigns that utilize the Cocos2d game engine to obfuscate code setup,load external code and configuration details, and send device and user telemetry to actor controlled domains. These applications are distributed via hundreds of websites spoofing as Google Play Store installation pages with fake reviews. Search Engine Optimization (SEO) manipulation techniques are used to drive traffic to these sites.

Cluster 1: AA Game: Aviator

Approximately 180 domains since March, 2025,170 of which were first seen on 2025-12-14. They host nearly identical websites and serve primarily the same APK file with a few exceptions in older versions. The apps appear to feature crash-gambling mechanics, a style of game where users attempt to collect as much money as possible before the game crashes.

‍

‍

The reviews are clearly fake. They are hardcoded into the HTML, there are multiple identical reviews under different names, and they all share the exact same review id such as “data-review-id="13dc2fa2-4acc-4923-8a55-be2f20d1841a". In a real database, every review has a unique ID. Here, the scammers just copied and pasted the same HTML template.

‍

“Aviator” games are also commonly used themes for unregulated, illegal gambling crash style games. The example app above uses terms like “Get Rich”, and has fake reviews like “I also get rich as a result!” and “Because I made more money than you can imagine!". Legitimate apps on the Play Store are strictly regulated; Google does not allow apps to promise that you will "get rich." These are social engineering tactics used to play on people's desire for easy money.

‍

Brief details of connective tissue

Baidu Tracking ID: 49521a05cd400ce694691ca2cfd38453

IP ISP: Defender Cloud International LLC

Registrar:

Metaregistrar BV
Bangning Digital Technology Co.,Ltd

Name Server Domain: share-dns[.]net, share-dns[.]com

Server Type: nginx

SSL Hashes

bc1f466a2c1c4b885adac674e39e8fe22d26d4a5
b9e8c8b5ddba6935c82fd5e192e4171d005b0d8c
134a16bfde5eb4d3908a53aa9a18a50c7b129c29

Website Title: AA Game:Aviator - Apps on Google Play

‍

AA: Aviator Application‍

AAGame-new523y.apk 3860ffaa621b26c742dcfce52b916ddad6f7f4056045a0fadaf3434fc978c9ad 6da17544754706b86042b1646b6ae7101b549f539b69c5be5b68594cd9cfa969 83332d680ed84f222a5b9f2085b4fa9523e98c80d65eeecde6d4cb65d3075110 32a7c4a4dc4b14988adfa65a1c5d55df2ca39852c5e7aa61187df306436f58d7

india-aagame-7000003.apk 9a7495bb56e05389c00e4702a53eed6d946d265b20be766c92ef15e00d69ca6b

‍

A defining characteristic of these applications is the use of the Cocos2d framework. In this model, the Android Java layer (DEX) acts as a minimal host for a native C++ engine (libcocos.so), which in turn executes encrypted, compiled JavaScript code.

‍

Although some of the analyzed application’s code paths and text suggested they were targeting Nigerian based users, there were also samples focused on the Indian rupee (INR). Though remnants of what could be past regional targeting were observed, it's unclear if a specific user base is currently being targeted in this cluster.

Analysis of an older development variant of the Android application revealed a module called hall_marqueen. This module is hard-coded to generate fake withdrawal notifications, creating the illusion of a highly active and profitable user base:

code JavaScript
downloadcontent_copy
expand_less
   setHallLabelText() {
    let e = "";
    // 5% chance of a "realistic" name, 95% chance of a generic "UserXXXXX"
    if (p.instance.getIntRandom(0, 20) > 19)
        e = p.instance.getRandomName();
    else {
        let t = p.instance.getIntRandom(0, 3e5).toString();
        while (t.length < 5) t = "0" + t;
        e = "User" + t;
    }
    
    // Randomized fake withdrawal amounts
    let t = ["100", "200", "500", "1000", "5000", "10000", "20000"];
    const n = Math.floor(Math.random() * t.length);
    return e + " successfully withdraws ₹" + t[n];
}

Cluster 2: DK777

Cluster 2 is a more generalized gambling Android app delivery. Sixteen domains registered on the same day host similar websites spoofing the Google Play store to deliver the same APK file. The application "DK777" features slots and multi-game halls, with visual assets emphasizing "big wins" and "jackpots”. The application also uses a Cocos2d framework with a more complex range of obfuscation techniques, including over 1,000 obfuscated files within the application’s classes dex file and 50+ encrypted JSC files. Multiple presumably actor-controlled sites with backups were identified that are used to send device telemetry and retrieve additional configuration and code for execution. Some of the configurations were set to use the Pakistani rupee. Languages in the apps included English, Portuguese, and Bengali.

Initial delivery domains spoof the Google Play Store for DK777 Android app delivery, including the following:

q2f8wqxxg[.]com
65qwjz8[.]com
y4371k1[.]com
djfh94d7[.]com
agwfecr[.]com
zeecuiwb[.]com
2nw0gc5m[.]com
f14bftyi[.]com
kr3qf54[.]com
gmo6svzj5[.]com
uxlvyj[.]com
al1xjwykv[.]com
dgg8tp7de[.]com
rzol91[.]com
jmozf[.]com
p4qfq4[.]com

‍

‍

Brief details of connective tissue

ISP: CloudFlare Inc.

Registrar:

Metaregistrar BV
Gname[.]com Pte. Ltd.

Name Server Domain: cloudflare[.]com

Website Title: DK777 – Apps on Google Play

All the initial delivery domains download the same APK.

DK777_1000.apk 7da0e56d4c0669647aec7ea3645b882b793d4de20ab14718d4d6698fe9b3b8a2

The app retrieves external code and configuration details from actor-controlled domains.

res.dq8bnzuu[.]com
login.dq8bnzuu[.]com
wss.dq8bnzuu[.]com
res.qhxcdas9[.]com
res.dku53mp[.]com
res.6n7d3avr[.]com
res.hfb76esx[.]cc
res.qfwozvner[.]vip

All six domains were registered the same day (2025-12-08) with similar registration and hosting configurations. Pivoting on these configurations revealed over 120 other domains dating back to as early as 2022-01 with similar gambling themes, including "192bet[.]com" and "pak111[.]com".

Screenshots from websites in this cluster show an ongoing theme of targeting Pakistani users along with English, Spanish, and Vietnamese speakers.

‍

Cluster 3: LG Sabong

This cluster has approximately 196 domains. The bulk of registrations occurred between November and 2025-12 with related domains observed as early as 2025-05. The websites have aspects suggesting some localization for Filipino-speaking users. The nomenclature "Sabong" (cockfighting) suggests a focus on a culturally specific gambling market in the Philippines, while some variations of the randomized display images use the Filipino language.

Brief details of connective tissue‍

Google Tag Manager: GTM-M899ZXM

ISP: CloudFlare Inc.

Registrar: Dynadot Inc

Name Server Domain: cloudflare[.]com

Server Type: AliyunOSS

Website Title:

LG - Apps
LGParty - Apps
LGParty - Apps on Google Play

‍

The sites use a "Cloaking" or "Bridge Page" system typically used in the gambling industry to bypass ad platform restrictions (like Facebook or Google Ads).

The code does not build a real functional website with buttons and text. Instead, it renders a hardcoded "lgpartyShareLand" component, which are PNG images displayed as the site content. These images are randomly selected during page load from two arrays stored on an Aliyun (Alibaba Cloud) server. There are 12 different sets of images for "LGParty" and 9 sets for "LG111". This is likely done so that ad reviewers see different "innocent" versions of the page, making it harder for automated bots to flag the site as a gambling portal.Deceptive Asset URLs

https[:]//static.lg1313abcwsx[.]com/googleInstall/lgparty_shareland_[1-12].png
https[:]//static.lg1313abcwsx[.]com/site/ind/shareLand/page_[1-9].png

The images display download or install buttons, but the entire site is set up as an onClick event wrapper, which triggers a jumpHander function. The jumpHander does three things:

Generates or retrieves a fbFingerId (Facebook Fingerprint ID) and stores it in the user’s localStorage
Runs a Facebook Pixel event (PageView and ClickLand) to track that a "lead" clicked the ad.
Redirects the user’s browser to a new URL, often to open a "Google Play" style link or an "intent" (to force open the browser on Android) to a subdomain like: https://pllay-godgle.{actor domain}.com

In the redirect action, the system uses "Jump Links" to move the user from the "Bridge Page" (the fake UI) to the actual malicious payload.

‍

var o = "https://pllay-godgle.".concat(location.hostname).concat(location.search);

return "intent://".concat(e.replace(/^https?:\/\//, ""), "#Intent;scheme=").concat(a, ";package=com.android.chrome;end")

The final goal is to force the installation of a "Waistcoat" APK. The script contains a utility function to trigger a silent download and communicates with a backend API at /x2/lg-waistcoat/delivery/. The term "waistcoat" (马甲包) is a Chinese industry term for "shell apps" or "wrapper apps" — fake apps used to hide gambling content inside an innocent-looking shell to get past Apple/Google app store reviewers.

‍

APK Filename: Dynamically generated as LGParty.apk or LG111.apk depending on the site configuration.

Download URL Pattern: https://apk-[current-domain]/apks/[siteName].apk?_ts=[timestamp]

Execution Logic: The code creates a hidden anchor element (__apk_dl_anchor__), sets the download attribute, and programmatically clicks it:

function c() {
    var e = "".concat(o.Z.siteName, ".apk"); // "LGParty.apk"
    var a = "https://apk-".concat(location.host, "/apks/").concat(o.Z.siteName, ".apk");
    var n = document.createElement("a");
    n.id = "__apk_dl_anchor__";
    n.href = a;
    n.download = e;
    n.click(); // Triggers immediate browser download
}

The goal is likely application side-loading. Google Play Store policy is quite clear on gambling and real money apps. They must have licenses to operate and complete an application process to be approved among other requirements. Because Google Play Store bans or prevents unlicensed or fraudulent real-money and gambling apps, groups may use "Waistcoat" (shell) pages, images, and fake Play Store UIs to trick the user into downloading a "verified" file from the real Play Store while trying to avoid detection. Once the .apk is installed, the app likely shows an innocent game (like a flight sim or puzzle) until it connects to its server, which can then flip a switch to load in and show the actual illegal gambling interface. In the case of these clusters, the external code update functionality suggests they were or could be used in this manner but there were no identified apps currently in the legitimate Google Play Store.
‍

‍

Broader Outlook and Trend Analysis

The architecture observed here, specifically the Cocos2d native bridge combined with bytecode encryption, is a hallmark of "Shell" applications used in financial fraud. By separating the distribution (spoofed websites) from the logic (encrypted JavaScript), threat actors can pivot regional themes (India vs. Philippines) with minimal changes to the underlying technical framework. With Clusters 1 and 2, this appeared to be the case as the applications sent device telemetry to external servers, then retrieved and loaded configuration and code from those external actor-controlled domains at runtime. It is suspected that both clusters operated with regional and device profile-based configurations. These configurations also enable the actor to change the behavior of the application at any time to load in malicious code after installation.

While there is no direct attribution identified thus far, this pattern has previously been associated with professional syndicates operating out of Southeast Asia that manage high-volume gambling and investment scams.

The core strategy relies on delivering illegitimate applications that deceive users into trusting them. This is accomplished through various deceptive tactics, including the spoofing of the Google Play Store, the fabrication of social proof such as reviews and win declarations, and the establishment of dedicated brand identities with widespread distribution. A key feature of these operations is the attempt to evade analysis by utilizing post-installation code and configuration fetched from actor-controlled domains.

While the applications do not appear to be overtly malicious in nature, as with typical malware granting remote access to user’s devices or stealing credentials, these applications pose as gambling and real money games with no regulation, oversight, or legitimacy. They can and likely do manipulate the gambling app behaviors such as having rigged results or non randomized outcomes.

Security Advice and Conclusion

This campaign highlights the critical role of managed app stores in the mobile ecosystem.

Sideloading Risks: The primary defense against these campaigns is avoiding APK installations from non-standard sources. These apps require sideloading specifically because their core logic — such as the fake marquee module — would be flagged by the automated and manual review processes of legitimate stores such as Google Play Store.
Fabricated Social Proof: Users should be informed that download counts, ratings, and reviews on spoofed websites are cosmetic HTML elements and do not reflect the application's actual standing or security.
Managed Environments: Organizations should leverage Managed Google Play or Mobile Device Management (MDM) solutions to restrict the installation of apps from untrusted sources, as the "hot-update" capabilities of these frameworks allow an app to change its behavior entirely after it has been installed.

‍

IOCs

Cluster 1: AA Aviator Game

mdxs6fm[.]com	dbhl3e2[.]com	zxif22u[.]com
3scksa1[.]com	e2zff2t[.]com	8jp3cug[.]com
qmr81gi[.]com	uv1hhyt[.]com	c1jcmtd[.]com
e713hxm[.]com	jqyyrql[.]com	m5bd526[.]com
v75c8sm[.]com	ihfal17[.]com	8zbjrx1[.]com
jiatg2y[.]com	qdz3epw[.]com	pc8060n[.]com
uqonbai[.]com	e3jw95u[.]com	lfy0kn7[.]com
w23rhsj[.]com	ugq7c78[.]com	a18ox1o[.]com
l47pbi7[.]com	kgecenu[.]com	oq5jsa0[.]com
aijox3n[.]com	jyow5mu[.]com	50gw9q3[.]com
13c32mw[.]com	lhhtumh[.]com	at11bfp[.]com
lm954jz[.]com	jtviq27[.]com	fe539ej[.]com
0uwribs[.]com	lvotff2[.]com	hvp1inv[.]com
Byz6ii0[.]com	mlt9v6n[.]com	otueptj[.]com
37qo19r[.]com	Ziauhrr[.]com	o1298d9[.]com
obsgx89[.]com	emg0ndw[.]com	w23avgq[.]com
j9fanes[.]com	fnmu2se[.]com	90q5fxp[.]com
rgomt97[.]com	arkx4ay[.]com	9k8z1ww[.]com
out96gp[.]com	n5g14ry[.]com	6xy7puo[.]com
9du5468[.]com	yiktkbp[.]com	foyfvvl[.]com
wbsbs6u[.]com	e7nsklq[.]com	jtk3447[.]com
xxnp010[.]com	l483osg[.]com	outz338[.]com
mktwibx[.]com	onodror[.]com	h8ghn0v[.]com
fkhy4p0[.]com	tuv9wxz[.]com	vwcqhzg[.]com
wysowfx[.]com	8esm3oa[.]com	l6x2126[.]com
hh921jg[.]com	gyn5bvv[.]com	n38dxtk[.]com
h7zn50z[.]com	bxvv4z9[.]com	014xuq9[.]com
xbxwfr2[.]com	0frikxu[.]com	7npufqk[.]com
il4g7te[.]com	740z2o3[.]com	ruif74g[.]com
vk5uj0x[.]com	itiwq8z[.]com	n4kx2rt[.]com
7eweyph[.]com	o4nzmvp[.]com	qovoj5w[.]com
5brgv2b[.]com	3ni5dbj[.]com	8hgngja[.]com
mudddk7[.]com	gc0or29[.]com	tszk5zw[.]com
ewdnq4r[.]com	rp5h5qs[.]com	sq878jr[.]com
ut9hawr[.]com	4dzotlk[.]com	b6gh50u[.]com
si0qh2f[.]com	4yqwwh4[.]com	vpwts2a[.]com
lyhwprj[.]com	rndj471[.]com	27gerrr[.]com
ti4ny84[.]com	gpn1jzo[.]com	l4y857g[.]com
2jzknsn[.]com	i01y8wm[.]com	m30u7qb[.]com
8b1mrv4[.]com	lr1on8l[.]com	c7799xp[.]com
qndpyio[.]com	yzkxvb6[.]com	x5xt5f7[.]com
xtxqhk7[.]com	3egwuww[.]com	vxff3xv[.]com
jc4x3xp[.]com	dgh0f8r[.]com	k1tuj0x[.]com
dno1l9p[.]com	uej1w0p[.]com	bxvi6z4[.]com
6zg4qdr[.]com	0jl0bay[.]com	qcly11m[.]com
Fuprfea[.]com	g30vpk7[.]com	e2mf5hy[.]com
gk4x2kb[.]com	hm35qdj[.]com	r39y1gh[.]com
q80kr9m[.]com	v2pn4xp[.]com	bh93dlh[.]com
wvai55c[.]com	eq7g8g0[.]com	j3gy47y[.]com
b9a7fzg[.]com	bc7wxfd[.]com	faw6soa[.]com
3cbk83s[.]com	lsmmerc[.]com	j65fen4[.]com
iboh7u8[.]com	jaa6b8l[.]com	sdtrm9l[.]com
mpqz0os[.]com	jt4i3sp[.]com	8z6t55s[.]com
gbibn8n[.]com	1g08vxl[.]com	ac0kkep[.]com
43rvny2[.]com	349wqcv[.]com	f0l53xs[.]com
ghm117y[.]com	b310zsg[.]com	bxvckmh[.]com
rd41xtk[.]com	76tngmz[.]com	dnv8t0w[.]com
hte9mp1[.]com	zuuo3a4[.]com	gl6xd60[.]com
9czrogf[.]com	763jxs5[.]com	3y0kra1[.]com
mpal63h[.]com	kbyaeow[.]com	aopmhrl[.]com
Zssjdcz[.]top	mykexin[.]com

‍

Cluster 2: DK777 Related Apps

q2f8wqxxg[.]com	65qwjz8[.]com	y4371k1[.]com
djfh94d7[.]com	agwfecr[.]com	zeecuiwb[.]com
2nw0gc5m[.]com	f14bftyi[.]com	kr3qf54[.]com
gmo6svzj5[.]com	uxlvyj[.]com	al1xjwykv[.]com
dgg8tp7de[.]com	rzol91[.]com	jmozf[.]com
p4qfq4[.]com	ppewhod38[.]com	dku53mp[.]com
hfb76esx[.]cc	u54uuobu8[.]com	6n7d3avr[.]com
dk777[.]cc	6i6s3ujuq[.]com	dq8bnzuu[.]com
dk777[.]me	qfwozvner[.]vip	dk777[.]vip
fcy7y8rkcy[.]com	khr24mdpz4[.]cc	2twbwgyuv9[.]vip
cwhgm8nrh[.]com	yu8wun79[.]com	a4afyw6xm[.]cc
3vqkgkxz4i[.]vip	7wmx3n7vs[.]cc	jgtxg7rfz[.]com
q8srwtuc5[.]com	83kisattf3[.]com	pjhjd3qhb[.]com
324864[.]com	7686343[.]com	864524[.]com
764244[.]com	2101089[.]com	njbzaunt[.]vip
wa777[.]me	e4tvigye[.]vip	wa777[.]cc
j36vdbdi[.]vip	sxwgdgex[.]cc	9mzuktg[.]cc
ewp9w9tfw5[.]com	vz9pk4kgqnr[.]vip	rdaec2g9unn4ai2[.]com
8zmgmv9qfcnakcb[.]vip	27kqm6tk4if7[.]com	izeinaiccpqx6[.]cc
vsp777facai666[.]com	vsp777facai777[.]com	pjr37qi3kvw84j[.]cc
vsp777facai999[.]com	vsp777facai888[.]com	pkvvvvvipp[.]com
pk67ii[.]com	pk67i[.]com	pkshoooopp[.]com
pk67in[.]com	vhiuqnbbcc[.]com	pk68ii[.]com
pk68i[.]com	asdnfuibuiss[.]com	pk68in[.]com
rs777i[.]com	rs777in[.]com	rsslotggamee[.]com
playslotsss[.]com	happy06[.]cc	happy06[.]me
happy06[.]net	happy06[.]club	nrfewilh[.]com
hwctfgtw[.]com	uheolvgv[.]com	tkvedhvi[.]com
hvitpteo[.]com	guiwuzox[.]com	ontfdbxh[.]com
uakwajiv[.]com	ojajgnmh[.]com	Vbvwfmcj[.]com
ht777[.]io	hlktze[.]cc	sgoepysw3tccs[.]com
g1ugbq4gufl[.]com	xkips2vw0qurl0[.]com	0wtko4g[.]cc
wb9gjnjfkwv[.]com	cso09c7rfb[.]com	naasa0nqwf[.]com
nffrpp3[.]cc	9q8c5qpjva[.]com	5e4wpk0eywf[.]com
ht777[.]info	ov6uz2x[.]vip	rvoy2k[.]vip
zmymmgghnnm[.]net	qaifkgnlkfngoad[.]net	jj99[.]top
6e23fgdh[.]com	5h5zpt3w[.]com	3bl6il8ii[.]com
8k1h8w3k[.]com	jj999[.]org	fdsui[.]cc
cxnui[.]cc	pak111[.]com	exgameban[.]com
exgmban[.]com	joygame88[.]com	slotsbigwin[.]vip
bestgame88[.]cc	bestgame888[.]cc	bestgame88j[.]com
bestgame88[.]org	bestgame888[.]org	bigwinzf[.]com
bigwinht[.]com	bigwinslots9[.]com	bigwinslots8[.]com
Bigwinldy1[.]com	lk777[.]xyz	lk777[.]cyou
2101069[.]com	2101063[.]com	2101062[.]com
1601468[.]com	2101068[.]com	1601469[.]com
1601467[.]com	1601470[.]com	516744[.]com
192bet[.]com	jj99[.]com

‍

Cluster 3: LG Sabong App

s1i4ucspb[.]com	partylgok629[.]com	partylgok846[.]com
partylgok738[.]com	partylgok189[.]com	partylgok437[.]com
partylgok223[.]com	partylgok356[.]com	partylgok134[.]com
partylgok905[.]com	lgpartyml112[.]com	lgpartyxb536[.]com
lgpartyml118[.]com	lgpartygo269[.]com	lgpartylo223[.]com
lgpartyml111[.]com	lgpartygo235[.]com	c7qoy3vowho5jz2h[.]com
7x45iemwafxnpgbb[.]com	xyfv9s6s3ios02g5[.]com	wgja8rg2y32p3dwk[.]com
7yts0c3d0ijie6q8[.]com	rz4727ycpopttn58[.]com	zwew0oprfsoxpz2c[.]com
r6fs7wh35drbfwv1[.]com	7ag56yke01akumfg[.]com	4nrv1uo4e[.]com
332s67td7[.]com	3io6zbc4z[.]com	9u8t5ph2d[.]com
eer0m14gb[.]com	cloudarivato[.]com	datarevolino[.]com
waveclarivon[.]com	brightelivro[.]com	novarelutiva[.]com
foxerivalto[.]com	luminexarion[.]com	sunloriventa[.]com
starvolarion[.]com	Mintaverion[.]com	datelira[.]com
corezaro[.]com	pulsevra[.]com	logicvra[.]com
novaviro[.]com	novaerio[.]com	primevra[.]com
minterix[.]com	primezoa[.]com	datalaro[.]com
mintavro[.]com	cloudvaro[.]com	k8zrqn4m[.]com
m6qyzp8r[.]com	z2kyh8pm[.]com	h4wnq7zb[.]com
b6pvq4ntz[.]com	s4dzmp9q[.]com	t5rmbq9v[.]com
p7xkdr3m[.]com	c9tsh2kx[.]com	v3plxn7d[.]com
t2hkr9me[.]com	v7mka2tp[.]com	k3ynz7dp[.]com
s9bnd3qa[.]com	u2vhg9km[.]com	f2wht8ks[.]com
h7rpl5vq[.]com	w4nzk8sj[.]com	a5mbz9wy[.]com
e7ghq4nt[.]com	j8rxm2fd[.]com	c6mvq4hp[.]com
b8wqf6ny[.]com	g4pzn8wr[.]com	l8stp6rq[.]com
y9hwc3mt[.]com	m5cxr2gt[.]com	n3ksy9tw[.]com
r3kps8jw[.]com	z6lqv8hs[.]com	q9sdm4tx[.]com
x4tpm9ke[.]com	p5qln7vg[.]com	d7qfx5lr[.]com
refantalix[.]com	yofaltreni[.]com	xeravoltem[.]com
Selparokit[.]com	holperavik[.]com	navoprelix[.]com
tondarepix[.]com	favontrika[.]com	kumarteros[.]com
belorantix[.]com	sumeloprix[.]com	rimalokten[.]com
nemoraptil[.]com	zantelokar[.]com	zenoraltim[.]com
v3u2k8n1[.]com	w1m6f4r9[.]com	g8q5p2r9[.]com
s1y8c7p4[.]com	c2u5h3j9[.]com	m1p5v7n4[.]com
q9u4k1w6[.]com	z1w7q5t8[.]com	k2r8f3z1[.]com
x5p2z8u6[.]com	y6m4d9j2[.]com	j4y6u2m8[.]com
v8j3y5b2[.]com	f3x1v8m5[.]com	d9k4w2p1[.]com
z6x9q2t3[.]com	y3d7k1n9[.]com	h3x9b1v6[.]com
o8g2t3h9[.]com	b4r1m7v8[.]com	e7y6n3z0[.]com
u0k7n4q8[.]com	r5z6m3x2[.]com	t2v9h5m3[.]com
h2u4j7w3[.]com	i9v6k1t4[.]com	fcnycvj[.]com
dxytscj[.]com	rvwvcen[.]com	vktndyd[.]com
mvyxpcu[.]com	mngafbc[.]com	mqgptwr[.]com
csduczx[.]com	psyvmey[.]com	pftdcyk[.]com
trbfrhq[.]com	cxfaurv[.]com	kgvwrhc[.]com
pjupyty[.]com	xxhdvxf[.]com	cscmndt[.]com
psurrvd[.]com	ffesncx[.]com	tr8yka1[.]com
lgs2k8b[.]com	lgl2x5n[.]com	lgc6y2v[.]com
fna7c2x[.]com	jdu4s7p[.]com	lga8t9q[.]com
nl1zrk7[.]com	sz4mqu5[.]com	lge4r6b[.]com
zqn8u6b[.]com	vnh2q5c[.]com	dnj7x9g[.]com
gb2vkp9[.]com	xuh4z9p[.]com	lwj3y8r[.]com
lgw3z5r[.]com	lgu9f4m[.]com	mzg5r2w[.]com
pz3mle6[.]com	lgj7u3p[.]com	tpa4w7s[.]com
lgx1p7d[.]com	ycp9d2t[.]com	kx7rta9[.]com
wra8e4j[.]com	lgq5h9s[.]com	rkg2a8p[.]com
hvb6e1w[.]com	lgpartyapp[.]com	lgpartygo[.]com
lgpartyzone[.]com	lgpartynet[.]com	lgpartypro[.]com
lgpartywin[.]com	lgpartyplus[.]com	lgpartyclub[.]com
lgpartyhub[.]com	lgpartyfun[.]com	lgax9[.]com
lg7k2m[.]com	lgqzxt[.]com	lgp39bw[.]com
lg92xkz[.]com	lgparty-zb[.]com	wexnuv[.]com
lgf42a[.]com	lgqzly[.]com	lgypj9[.]com
lgeppm[.]com