{ "Event": { "analysis": "2", "date": "2014-10-27", "extends_uuid": "", "info": "OSINT APT28: A Window into Russia\u00e2\u20ac\u2122s Cyber Espionage Operations? blog post by FireEye", "publish_timestamp": "1498163632", "published": true, "threat_level_id": "2", "timestamp": "1498163533", "uuid": "544fee45-f108-4fa6-ace9-3989950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#33FF00", "local": false, "name": "tlp:green", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#12e000", "local": false, "name": "misp-galaxy:threat-actor=\"Sofacy\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414524506", "to_ids": false, "type": "link", "uuid": "544fee5a-2d54-45c7-96ae-4193950d210b", "value": "http://www.fireeye.com/blog/technical/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414524506", "to_ids": false, "type": "link", "uuid": "544fee5a-07ec-4539-803c-4ec7950d210b", "value": "http://www.fireeye.com/resources/pdfs/apt28.pdf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414524517", "to_ids": false, "type": "text", "uuid": "544fee65-d4e8-4b02-a4db-073f950d210b", "value": "APT28" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615650", "to_ids": false, "type": "comment", "uuid": "544fee73-8964-4c74-a279-b8e1950d210b", "value": "Data entered by David Andr\u00c3\u00a9 with CIRCL collaboration" }, { "category": "Network activity", "comment": "Phishing domains", "deleted": false, "disable_correlation": false, "timestamp": "1414526045", "to_ids": true, "type": "domain", "uuid": "544ff45d-2f3c-4809-9279-3989950d210b", "value": "kavkazcentr.info" }, { "category": "Network activity", "comment": "Phishing domains", "deleted": false, "disable_correlation": false, "timestamp": "1414526046", "to_ids": true, "type": "domain", "uuid": "544ff45e-39b0-4303-9ba7-3989950d210b", "value": "rnil.am" }, { "category": "Network activity", "comment": "Phishing domains", "deleted": false, "disable_correlation": false, "timestamp": "1414526046", "to_ids": true, "type": "domain", "uuid": "544ff45e-a25c-46b3-9505-3989950d210b", "value": "standartnevvs.com" }, { "category": "Network activity", "comment": "Phishing domains", "deleted": false, "disable_correlation": false, "timestamp": "1414526046", "to_ids": true, "type": "domain", "uuid": "544ff45e-c6c0-4b28-9733-3989950d210b", "value": "novinitie.com" }, { "category": "Network activity", "comment": "Phishing domains", "deleted": false, "disable_correlation": false, "timestamp": "1414526046", "to_ids": true, "type": "domain", "uuid": "544ff45e-e07c-4056-99a5-3989950d210b", "value": "n0vinite.com" }, { "category": "Network activity", "comment": "Phishing domains", "deleted": false, "disable_correlation": false, "timestamp": "1414526046", "to_ids": true, "type": "domain", "uuid": "544ff45e-4d2c-49ab-bf10-3989950d210b", "value": "qov.hu.com" }, { "category": "Network activity", "comment": "Phishing domains", "deleted": false, "disable_correlation": false, "timestamp": "1414526046", "to_ids": true, "type": "domain", "uuid": "544ff45e-de0c-406b-b09b-3989950d210b", "value": "q0v.pl" }, { "category": "Network activity", "comment": "Phishing domains", "deleted": false, "disable_correlation": false, "timestamp": "1414526046", "to_ids": true, "type": "domain", "uuid": "544ff45e-3774-4904-9235-3989950d210b", "value": "nato.nshq.in" }, { "category": "Network activity", "comment": "Phishing domains", "deleted": false, "disable_correlation": false, "timestamp": "1414526046", "to_ids": true, "type": "domain", "uuid": "544ff45e-dc88-4862-a57a-3989950d210b", "value": "natoexhibitionff14.com" }, { "category": "Network activity", "comment": "Phishing domains", "deleted": false, "disable_correlation": false, "timestamp": "1414526046", "to_ids": true, "type": "domain", "uuid": "544ff45e-e8bc-40be-8afc-3989950d210b", "value": "login-osce.org" }, { "category": "Network activity", "comment": "Phishing hostnames", "deleted": false, "disable_correlation": false, "timestamp": "1414615582", "to_ids": true, "type": "hostname", "uuid": "544ff471-3828-428e-90a6-47e1950d210b", "value": "mail.q0v.pl" }, { "category": "Network activity", "comment": "Phishing hostnames", "deleted": false, "disable_correlation": false, "timestamp": "1414615582", "to_ids": true, "type": "hostname", "uuid": "544ff472-726c-4994-bb01-4d53950d210b", "value": "poczta.mon.q0v.pl" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526082", "to_ids": true, "type": "md5", "uuid": "544ff482-06e0-40ab-a168-52be950d210b", "value": "272f0fde35dbdfccbca1e33373b3570d" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526083", "to_ids": true, "type": "md5", "uuid": "544ff483-93ec-4a79-b783-52be950d210b", "value": "8b92fe86c5b7a9e34f433a6fbac8bc3a" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526083", "to_ids": true, "type": "md5", "uuid": "544ff483-fb00-4642-b300-52be950d210b", "value": "9eebfebe3987fec3c395594dc57a0c4c" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526083", "to_ids": true, "type": "md5", "uuid": "544ff483-dd28-48ac-a3a8-52be950d210b", "value": "da2a657dc69d7320f2ffc87013f257ad" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526083", "to_ids": true, "type": "md5", "uuid": "544ff483-0214-4d43-ae3d-52be950d210b", "value": "1259c4fe5efd9bf07fc4c78466f2dd09" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526083", "to_ids": true, "type": "md5", "uuid": "544ff483-8e0c-4abe-8c30-52be950d210b", "value": "3b0ecd011500f61237c205834db0e13a" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526083", "to_ids": true, "type": "md5", "uuid": "544ff483-3fa0-4d2b-bfa8-52be950d210b", "value": "5882fda97fdf78b47081cc4105d44f7c" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526083", "to_ids": true, "type": "md5", "uuid": "544ff483-af00-4c6c-a454-52be950d210b", "value": "791428601ad12b9230b9ace4f2138713" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526083", "to_ids": true, "type": "md5", "uuid": "544ff483-7b7c-4e49-88c5-52be950d210b", "value": "ead4ec18ebce6890d20757bb9f5285b1" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526083", "to_ids": true, "type": "md5", "uuid": "544ff483-f044-4c5b-a1f8-52be950d210b", "value": "48656a93f9ba39410763a2196aabc67f" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526083", "to_ids": true, "type": "md5", "uuid": "544ff483-c8dc-4aa7-9aea-52be950d210b", "value": "8c4fa713c5e2b009114adda758adc445" }, { "category": "Network activity", "comment": "CnC servers", "deleted": false, "disable_correlation": false, "timestamp": "1414526106", "to_ids": true, "type": "domain", "uuid": "544ff49a-5084-4354-bf30-3989950d210b", "value": "adobeincorp.com" }, { "category": "Network activity", "comment": "CnC servers", "deleted": false, "disable_correlation": false, "timestamp": "1414526106", "to_ids": true, "type": "domain", "uuid": "544ff49a-9d70-430a-a6d7-3989950d210b", "value": "windows-updater.com" }, { "category": "Network activity", "comment": "CnC servers", "deleted": false, "disable_correlation": false, "timestamp": "1414526106", "to_ids": true, "type": "domain", "uuid": "544ff49a-57fc-4f67-ad9f-3989950d210b", "value": "adawareblock.com" }, { "category": "Network activity", "comment": "CnC servers", "deleted": false, "disable_correlation": false, "timestamp": "1414526106", "to_ids": true, "type": "domain", "uuid": "544ff49a-dfe0-4466-ba42-3989950d210b", "value": "windous.kz" }, { "category": "Network activity", "comment": "CnC servers", "deleted": false, "disable_correlation": false, "timestamp": "1414526106", "to_ids": true, "type": "domain", "uuid": "544ff49a-9920-4e52-8790-3989950d210b", "value": "wind0ws.kz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526146", "to_ids": true, "type": "email-dst", "uuid": "544ff4c2-914c-482f-aa29-4c43950d210b", "value": "lisa.cuddy@wind0ws.kz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414526146", "to_ids": true, "type": "email-dst", "uuid": "544ff4c2-6e34-48b8-ac27-4730950d210b", "value": "dr.house@wind0ws.kz" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567513", "to_ids": false, "type": "filename", "uuid": "8041a130-1ead-43b7-9e3d-a8e19057292d", "value": "Application Data\\Microsoft\\MediaPlayer\\" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567513", "to_ids": false, "type": "other", "uuid": "23755a4c-fdfa-420e-964d-565ce679332f", "value": "ProcessItem/name: updatewindws.exe" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567513", "to_ids": false, "type": "filename", "uuid": "ef486ea3-4023-4fcc-960a-58eb87d77a03", "value": "updatewindws.exe" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567513", "to_ids": false, "type": "comment", "uuid": "54509659-ab28-4778-9e1a-449d950d210b", "value": "long_info: OLDBAIT is a credential harvester. Both the internal strings and logic are obfuscated and are unpacked at startup. It harvests credentials from Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client made by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use both email or HTTP to send out the collected credentials." }, { "category": "External analysis", "comment": "OpenIOC import source file", "data": "PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz4KPCEtLQogICAgVElUTEU6ICAgICAgICAgIGE0MzhjYWViLTk2ZGQtNDIyNS04NTNjLWZjNTkxMDk4MDk2MS5pb2MKICAgIFZFUlNJT046ICAgICAgICAxLjAKICAgIERFU0NSSVBUSU9OOiAgICBPcGVuSU9DIGZpbGUKICAgIExJQ0VOU0U6ICAgICAgICBDb3B5cmlnaHQgMjAxNCBGaXJlRXllIENvcnBvcmF0aW9uLiAgTGljZW5zZWQgdW5kZXIgdGhlIEFwYWNoZSAyLjAgbGljZW5zZS4KCiAgICBGaXJlRXllIGxpY2Vuc2VzIHRoaXMgZmlsZSB0byB5b3UgdW5kZXIgdGhlIEFwYWNoZSBMaWNlbnNlLCBWZXJzaW9uCiAgICAyLjAgKHRoZSAiTGljZW5zZSIpOyB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlCiAgICBMaWNlbnNlLiAgWW91IG1heSBvYnRhaW4gYSBjb3B5IG9mIHRoZSBMaWNlbnNlIGF0OgoKICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzL0xJQ0VOU0UtMi4wCgogICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICAgZGlzdHJpYnV0ZWQgdW5kZXIgdGhlIExpY2Vuc2UgaXMgZGlzdHJpYnV0ZWQgb24gYW4gIkFTIElTIiBCQVNJUywKICAgIFdJVEhPVVQgV0FSUkFOVElFUyBPUiBDT05ESVRJT05TIE9GIEFOWSBLSU5ELCBlaXRoZXIgZXhwcmVzcyBvcgogICAgaW1wbGllZC4gIFNlZSB0aGUgTGljZW5zZSBmb3IgdGhlIHNwZWNpZmljIGxhbmd1YWdlIGdvdmVybmluZwogICAgcGVybWlzc2lvbnMgYW5kIGxpbWl0YXRpb25zIHVuZGVyIHRoZSBMaWNlbnNlLgotLT4KPGlvYyB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWFuZGlhbnQuY29tLzIwMTAvaW9jIiBpZD0iYTQzOGNhZWItOTZkZC00MjI1LTg1M2MtZmM1OTEwOTgwOTYxIiBsYXN0LW1vZGlmaWVkPSIyMDE0LTEwLTE5VDE1OjQxOjQ4WiI+CiAgPHNob3J0X2Rlc2NyaXB0aW9uPk9MREJBSVQgKFJFUE9SVCk8L3Nob3J0X2Rlc2NyaXB0aW9uPgogIDxkZXNjcmlwdGlvbj5PTERCQUlUIGlzIGEgY3JlZGVudGlhbCBoYXJ2ZXN0ZXIuIEJvdGggdGhlIGludGVybmFsIHN0cmluZ3MgYW5kIGxvZ2ljIGFyZSBvYmZ1c2NhdGVkIGFuZCBhcmUgdW5wYWNrZWQgYXQgc3RhcnR1cC4gSXQgaGFydmVzdHMgY3JlZGVudGlhbHMgZnJvbSBJbnRlcm5ldCBFeHBsb3JlciwgTW96aWxsYSBGaXJlZm94LCBFdWRvcmEsIFRoZSBCYXQhIChhbiBlbWFpbCBjbGllbnQgbWFkZSBieSBhIE1vbGRvdmFuIGNvbXBhbnkpLCBhbmQgQmVja3khIChhbiBlbWFpbCBjbGllbnQgbWFkZSBieSBhIEphcGFuZXNlIGNvbXBhbnkpLiAgSXQgY2FuIHVzZSBib3RoIGVtYWlsIG9yIEhUVFAgdG8gc2VuZCBvdXQgdGhlIGNvbGxlY3RlZCBjcmVkZW50aWFscy4KPC9kZXNjcmlwdGlvbj4KICA8a2V5d29yZHMvPgogIDxhdXRob3JlZF9ieT5GaXJlRXllPC9hdXRob3JlZF9ieT4KICA8YXV0aG9yZWRfZGF0ZT4yMDE0LTEwLTE3VDAyOjAyOjUyWjwvYXV0aG9yZWRfZGF0ZT4KICA8bGlua3M+CiAgICA8bGluayByZWw9InRocmVhdGNhdGVnb3J5Ij5BUFQ8L2xpbms+CiAgICA8bGluayByZWw9InRocmVhdGdyb3VwIj5BUFQyODwvbGluaz4KICAgIDxsaW5rIHJlbD0iY2F0ZWdvcnkiPkNyZWRlbnRpYWwgU3RlYWxlcjwvbGluaz4KICAgIDxsaW5rIHJlbD0iZmFtaWx5Ij5PTERCQUlUPC9saW5rPgogICAgPGxpbmsgcmVsPSJsaWNlbnNlIj5BcGFjaGUgMi4wPC9saW5rPgogIDwvbGlua3M+CiAgPGRlZmluaXRpb24+CiAgICA8SW5kaWNhdG9yIGlkPSJlOTkxNmZjMC03ODI1LTRmYTEtOWY2ZC1jNTQwYTVjZjZkNWUiIG9wZXJhdG9yPSJPUiI+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSI4MDQxYTEzMC0xZWFkLTQzYjctOWUzZC1hOGUxOTA1NzI5MmQiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJGaWxlSXRlbSIgc2VhcmNoPSJGaWxlSXRlbS9GdWxsUGF0aCIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5BcHBsaWNhdGlvbiBEYXRhXE1pY3Jvc29mdFxNZWRpYVBsYXllclw8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjIzNzU1YTRjLWZkZmEtNDIwZS05NjRkLTU2NWNlNjc5MzMyZiIgY29uZGl0aW9uPSJpcyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IlByb2Nlc3NJdGVtIiBzZWFyY2g9IlByb2Nlc3NJdGVtL25hbWUiIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+dXBkYXRld2luZHdzLmV4ZTwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iZWY0ODZlYTMtNDAyMy00ZmNjLTk2MGEtNThlYjg3ZDc3YTAzIiBjb25kaXRpb249ImlzIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRmlsZUl0ZW0iIHNlYXJjaD0iRmlsZUl0ZW0vRmlsZU5hbWUiIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+dXBkYXRld2luZHdzLmV4ZTwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgPC9JbmRpY2F0b3I+CiAgPC9kZWZpbml0aW9uPgo8L2lvYz4K", "deleted": false, "disable_correlation": false, "timestamp": "1414567513", "to_ids": false, "type": "attachment", "uuid": "54509659-bbf4-4523-a9db-42a6950d210b", "value": "a438caeb-96dd-4225-853c-fc5910980961.ioc" }, { "category": "External analysis", "comment": "OpenIOC import source file", "data": "PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz4KPCEtLQogICAgVElUTEU6ICAgICAgICAgIDBmZjU4YmY5LTFjMDctNDJmNi1iMTM1LWIxOGMxMzlmNjMxYS5pb2MKICAgIFZFUlNJT046ICAgICAgICAxLjAKICAgIERFU0NSSVBUSU9OOiAgICBPcGVuSU9DIGZpbGUKICAgIExJQ0VOU0U6ICAgICAgICBDb3B5cmlnaHQgMjAxNCBGaXJlRXllIENvcnBvcmF0aW9uLiAgTGljZW5zZWQgdW5kZXIgdGhlIEFwYWNoZSAyLjAgbGljZW5zZS4KCiAgICBGaXJlRXllIGxpY2Vuc2VzIHRoaXMgZmlsZSB0byB5b3UgdW5kZXIgdGhlIEFwYWNoZSBMaWNlbnNlLCBWZXJzaW9uCiAgICAyLjAgKHRoZSAiTGljZW5zZSIpOyB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlCiAgICBMaWNlbnNlLiAgWW91IG1heSBvYnRhaW4gYSBjb3B5IG9mIHRoZSBMaWNlbnNlIGF0OgoKICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzL0xJQ0VOU0UtMi4wCgogICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICAgZGlzdHJpYnV0ZWQgdW5kZXIgdGhlIExpY2Vuc2UgaXMgZGlzdHJpYnV0ZWQgb24gYW4gIkFTIElTIiBCQVNJUywKICAgIFdJVEhPVVQgV0FSUkFOVElFUyBPUiBDT05ESVRJT05TIE9GIEFOWSBLSU5ELCBlaXRoZXIgZXhwcmVzcyBvcgogICAgaW1wbGllZC4gIFNlZSB0aGUgTGljZW5zZSBmb3IgdGhlIHNwZWNpZmljIGxhbmd1YWdlIGdvdmVybmluZwogICAgcGVybWlzc2lvbnMgYW5kIGxpbWl0YXRpb25zIHVuZGVyIHRoZSBMaWNlbnNlLgotLT4KPGlvYyB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWFuZGlhbnQuY29tLzIwMTAvaW9jIiBpZD0iMGZmNThiZjktMWMwNy00MmY2LWIxMzUtYjE4YzEzOWY2MzFhIiBsYXN0LW1vZGlmaWVkPSIyMDE0LTEwLTE3VDIwOjU0OjUzWiI+CiAgPHNob3J0X2Rlc2NyaXB0aW9uPkFQVDI4IERPTUFJTlMgKFJFUE9SVCk8L3Nob3J0X2Rlc2NyaXB0aW9uPgogIDxkZXNjcmlwdGlvbj5Eb21haW5zIHVzZWQgYnkgQVBUMjguPC9kZXNjcmlwdGlvbj4KICA8a2V5d29yZHMvPgogIDxhdXRob3JlZF9ieT5GaXJlRXllPC9hdXRob3JlZF9ieT4KICA8YXV0aG9yZWRfZGF0ZT4yMDE0LTEwLTE3VDAyOjA0OjM0WjwvYXV0aG9yZWRfZGF0ZT4KICA8bGlua3M+CiAgICA8bGluayByZWw9InRocmVhdGNhdGVnb3J5Ij5BUFQ8L2xpbms+CiAgICA8bGluayByZWw9InRocmVhdGdyb3VwIj5BUFQyODwvbGluaz4KICAgIDxsaW5rIHJlbD0ibGljZW5zZSI+QXBhY2hlIDIuMDwvbGluaz4KICA8L2xpbmtzPgogIDxkZWZpbml0aW9uPgogICAgPEluZGljYXRvciBpZD0iY2ZiNDYyMzQtMDEyYS00M2M4LWE3NjMtZjYzNmMwNTY2MDZlIiBvcGVyYXRvcj0iT1IiPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iNTQ0ODFjNDItZWZmYi00MzZiLWI0ZDItY2ZmMWNiZDA5YTY2IiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRG5zRW50cnlJdGVtIiBzZWFyY2g9IkRuc0VudHJ5SXRlbS9Ib3N0IiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPmthdmthemNlbnRyLmluZm88L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9ImI4Yjc0MmQ1LTVkZmYtNGYwZi1iZGE4LTBjODc4YzFkZDFlMSIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkRuc0VudHJ5SXRlbSIgc2VhcmNoPSJEbnNFbnRyeUl0ZW0vSG9zdCIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5ybmlsLmFtPC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSJhZjM2YzliMy1kNTU0LTQ2ZGUtOTUyNS1jMDVhMDc1OWEzOTkiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJEbnNFbnRyeUl0ZW0iIHNlYXJjaD0iRG5zRW50cnlJdGVtL0hvc3QiIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+c3RhbmRhcnRuZXZ2cy5jb208L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjM4OWM5YzAzLWVhZjQtNDI1OS05NGU1LTYyMzMzNGNlYTI2ZSIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkRuc0VudHJ5SXRlbSIgc2VhcmNoPSJEbnNFbnRyeUl0ZW0vSG9zdCIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5ub3Zpbml0aWUuY29tPC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSJjMTdkMDAxYy1kZjg5LTQwZmYtODdkZS1lODliZGU5ZjE0MjUiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJEbnNFbnRyeUl0ZW0iIHNlYXJjaD0iRG5zRW50cnlJdGVtL0hvc3QiIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+bjB2aW5pdGUuY29tPC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSIxMTUwMzFiZi1mMzQyLTRiZDAtOWY5Yy1hNWQ4ZTExMTEyODEiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJEbnNFbnRyeUl0ZW0iIHNlYXJjaD0iRG5zRW50cnlJdGVtL0hvc3QiIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+cW92Lmh1LmNvbTwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iMjAxZGE1YmEtYzMyNy00ZTliLWIwYWYtZGIxNjMyZDc0MmNiIiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRG5zRW50cnlJdGVtIiBzZWFyY2g9IkRuc0VudHJ5SXRlbS9Ib3N0IiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPnEwdi5wbDwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iZDY5YjFmYjEtZjMxZS00OWUyLTlhZTEtZTRkNTA1N2QyMTQyIiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRG5zRW50cnlJdGVtIiBzZWFyY2g9IkRuc0VudHJ5SXRlbS9Ib3N0IiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPm1haWwuZzB2LnBsPC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSI3YTFkYzViNi1mNTU1LTQ0ZTItYjZhMy1lZmQzMzQxODNmOWMiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJEbnNFbnRyeUl0ZW0iIHNlYXJjaD0iRG5zRW50cnlJdGVtL0hvc3QiIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+cG9jenRhLm1vbi5xMHYucGw8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9ImNhM2I5MWZlLTM2ZWMtNDc1NC05N2ZkLTY1ZjM2NzM5ZjRkMSIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkRuc0VudHJ5SXRlbSIgc2VhcmNoPSJEbnNFbnRyeUl0ZW0vSG9zdCIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5iYWx0aWNob3N0Lm9yZzwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iM2I5ZjJiMDItOTE2OC00N2E4LTk0YjQtY2MxZjVlYzUwNWQ0IiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRG5zRW50cnlJdGVtIiBzZWFyY2g9IkRuc0VudHJ5SXRlbS9Ib3N0IiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPm5hdG8ubnNocS5pbjwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iNzk4ODc0ZGMtMTAyYi00YzVhLWJkNDgtNmUwNzM2MmM3MjExIiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRG5zRW50cnlJdGVtIiBzZWFyY2g9IkRuc0VudHJ5SXRlbS9Ib3N0IiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPm5hdG9leGhpYml0aW9uZmYxNC5jb208L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjE5NjUxNWVjLTRjMTctNDA2Yi1hMDY3LTUwM2ExNzU5MTRlZCIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkRuc0VudHJ5SXRlbSIgc2VhcmNoPSJEbnNFbnRyeUl0ZW0vSG9zdCIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5sb2dpbi1vc2NlLm9yZzwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iNjNjNjk2ZTUtYTk4Yi00NDU5LWFlZWEtYjg4MTI0ZTZlZDI5IiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRG5zRW50cnlJdGVtIiBzZWFyY2g9IkRuc0VudHJ5SXRlbS9Ib3N0IiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPnNtaWdyb3VwLW9ubGluZS5jby51azwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgPC9JbmRpY2F0b3I+CiAgPC9kZWZpbml0aW9uPgo8L2lvYz4K", "deleted": false, "disable_correlation": false, "timestamp": "1414567563", "to_ids": false, "type": "attachment", "uuid": "5450968b-cab4-4442-9cc7-4e1c950d210b", "value": "0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567621", "to_ids": false, "type": "filename", "uuid": "0195bdbb-61bd-4fdd-bc80-cc130234b0a9", "value": "netui.dll" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567621", "to_ids": false, "type": "other", "uuid": "d96396b2-672a-4518-87a2-53c66d20676a", "value": "ProcessItem/SectionList/MemorySection/Name: \\netui.dll" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567621", "to_ids": false, "type": "comment", "uuid": "545096c5-e860-4c9c-97fc-4d8c950d210b", "value": "long_info: This backdoor has been delivered through the SOURFACE downloader to gain system access for reconnaissance, monitoring, credential theft, and shellcode execution." }, { "category": "External analysis", "comment": "OpenIOC import source file", "data": "PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz4KPCEtLQogICAgVElUTEU6ICAgICAgICAgIGE2YzZkYmYwLWQ3MmEtNGYwNy04YjExLTU1NTI3YWVmNDc1NS5pb2MKICAgIFZFUlNJT046ICAgICAgICAxLjAKICAgIERFU0NSSVBUSU9OOiAgICBPcGVuSU9DIGZpbGUKICAgIExJQ0VOU0U6ICAgICAgICBDb3B5cmlnaHQgMjAxNCBGaXJlRXllIENvcnBvcmF0aW9uLiAgTGljZW5zZWQgdW5kZXIgdGhlIEFwYWNoZSAyLjAgbGljZW5zZS4KCiAgICBGaXJlRXllIGxpY2Vuc2VzIHRoaXMgZmlsZSB0byB5b3UgdW5kZXIgdGhlIEFwYWNoZSBMaWNlbnNlLCBWZXJzaW9uCiAgICAyLjAgKHRoZSAiTGljZW5zZSIpOyB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlCiAgICBMaWNlbnNlLiAgWW91IG1heSBvYnRhaW4gYSBjb3B5IG9mIHRoZSBMaWNlbnNlIGF0OgoKICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzL0xJQ0VOU0UtMi4wCgogICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICAgZGlzdHJpYnV0ZWQgdW5kZXIgdGhlIExpY2Vuc2UgaXMgZGlzdHJpYnV0ZWQgb24gYW4gIkFTIElTIiBCQVNJUywKICAgIFdJVEhPVVQgV0FSUkFOVElFUyBPUiBDT05ESVRJT05TIE9GIEFOWSBLSU5ELCBlaXRoZXIgZXhwcmVzcyBvcgogICAgaW1wbGllZC4gIFNlZSB0aGUgTGljZW5zZSBmb3IgdGhlIHNwZWNpZmljIGxhbmd1YWdlIGdvdmVybmluZwogICAgcGVybWlzc2lvbnMgYW5kIGxpbWl0YXRpb25zIHVuZGVyIHRoZSBMaWNlbnNlLgotLT4KPGlvYyB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWFuZGlhbnQuY29tLzIwMTAvaW9jIiBpZD0iYTZjNmRiZjAtZDcyYS00ZjA3LThiMTEtNTU1MjdhZWY0NzU1IiBsYXN0LW1vZGlmaWVkPSIyMDE0LTEwLTE5VDE1OjQyOjIxWiI+CiAgPHNob3J0X2Rlc2NyaXB0aW9uPkVWSUxUT1NTIChSRVBPUlQpPC9zaG9ydF9kZXNjcmlwdGlvbj4KICA8ZGVzY3JpcHRpb24+VGhpcyBiYWNrZG9vciBoYXMgYmVlbiBkZWxpdmVyZWQgdGhyb3VnaCB0aGUgU09VUkZBQ0UgZG93bmxvYWRlciB0byBnYWluIHN5c3RlbSBhY2Nlc3MgZm9yIHJlY29ubmFpc3NhbmNlLCBtb25pdG9yaW5nLCBjcmVkZW50aWFsIHRoZWZ0LCBhbmQgc2hlbGxjb2RlIGV4ZWN1dGlvbi48L2Rlc2NyaXB0aW9uPgogIDxrZXl3b3Jkcy8+CiAgPGF1dGhvcmVkX2J5PkZpcmVFeWU8L2F1dGhvcmVkX2J5PgogIDxhdXRob3JlZF9kYXRlPjIwMTQtMTAtMTdUMDI6MDA6NTdaPC9hdXRob3JlZF9kYXRlPgogIDxsaW5rcz4KICAgIDxsaW5rIHJlbD0idGhyZWF0Y2F0ZWdvcnkiPkFQVDwvbGluaz4KICAgIDxsaW5rIHJlbD0idGhyZWF0Z3JvdXAiPkFQVDI4PC9saW5rPgogICAgPGxpbmsgcmVsPSJjYXRlZ29yeSI+QmFja2Rvb3I8L2xpbms+CiAgICA8bGluayByZWw9ImZhbWlseSI+RVZJTFRPU1M8L2xpbms+CiAgICA8bGluayByZWw9ImxpY2Vuc2UiPkFwYWNoZSAyLjA8L2xpbms+CiAgPC9saW5rcz4KICA8ZGVmaW5pdGlvbj4KICAgIDxJbmRpY2F0b3IgaWQ9ImM2ZTI1NjdiLTg0NjYtNDRlZC05ZmQyLTJlOTJmNTMyZmEwYyIgb3BlcmF0b3I9Ik9SIj4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjAxOTViZGJiLTYxYmQtNGZkZC1iYzgwLWNjMTMwMjM0YjBhOSIgY29uZGl0aW9uPSJpcyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL0ZpbGVOYW1lIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPm5ldHVpLmRsbDwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iZDk2Mzk2YjItNjcyYS00NTE4LTg3YTItNTNjNjZkMjA2NzZhIiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iUHJvY2Vzc0l0ZW0iIHNlYXJjaD0iUHJvY2Vzc0l0ZW0vU2VjdGlvbkxpc3QvTWVtb3J5U2VjdGlvbi9OYW1lIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPlxuZXR1aS5kbGw8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgIDwvSW5kaWNhdG9yPgogIDwvZGVmaW5pdGlvbj4KPC9pb2M+Cg==", "deleted": false, "disable_correlation": false, "timestamp": "1414567621", "to_ids": false, "type": "attachment", "uuid": "545096c5-f8c8-49ac-9b71-4e72950d210b", "value": "a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414616373", "to_ids": true, "type": "filename", "uuid": "30842d86-e073-4b6e-a5e0-d6b354f6847a", "value": "edg6EF885E2.tmp" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567659", "to_ids": false, "type": "other", "uuid": "a0e443e4-6a41-4856-8c14-d1a271ba7b6b", "value": "ProcessItem/HandleList/Handle/Name: \\Device\\Mailslot\\check_mes_v5555" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567659", "to_ids": false, "type": "comment", "uuid": "545096eb-1e24-4dd2-861e-46b7950d210b", "value": "long_info: CHOPSTICK is a backdoor that uses a modularized, object-oriented framework written in C++. This framework allows for a diverse set of capabilities across malware variants sharing a common code base. CHOPSTICK may communicate with external servers using SMTP or HTTP." }, { "category": "External analysis", "comment": "OpenIOC import source file", "data": "PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz4KPCEtLQogICAgVElUTEU6ICAgICAgICAgIGJkZjc5MjljLTNmMGItNGZkZC1iY2M1LWI0YTgyNTU0YWQ5Mi5pb2MKICAgIFZFUlNJT046ICAgICAgICAxLjAKICAgIERFU0NSSVBUSU9OOiAgICBPcGVuSU9DIGZpbGUKICAgIExJQ0VOU0U6ICAgICAgICBDb3B5cmlnaHQgMjAxNCBGaXJlRXllIENvcnBvcmF0aW9uLiAgTGljZW5zZWQgdW5kZXIgdGhlIEFwYWNoZSAyLjAgbGljZW5zZS4KCiAgICBGaXJlRXllIGxpY2Vuc2VzIHRoaXMgZmlsZSB0byB5b3UgdW5kZXIgdGhlIEFwYWNoZSBMaWNlbnNlLCBWZXJzaW9uCiAgICAyLjAgKHRoZSAiTGljZW5zZSIpOyB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlCiAgICBMaWNlbnNlLiAgWW91IG1heSBvYnRhaW4gYSBjb3B5IG9mIHRoZSBMaWNlbnNlIGF0OgoKICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzL0xJQ0VOU0UtMi4wCgogICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICAgZGlzdHJpYnV0ZWQgdW5kZXIgdGhlIExpY2Vuc2UgaXMgZGlzdHJpYnV0ZWQgb24gYW4gIkFTIElTIiBCQVNJUywKICAgIFdJVEhPVVQgV0FSUkFOVElFUyBPUiBDT05ESVRJT05TIE9GIEFOWSBLSU5ELCBlaXRoZXIgZXhwcmVzcyBvcgogICAgaW1wbGllZC4gIFNlZSB0aGUgTGljZW5zZSBmb3IgdGhlIHNwZWNpZmljIGxhbmd1YWdlIGdvdmVybmluZwogICAgcGVybWlzc2lvbnMgYW5kIGxpbWl0YXRpb25zIHVuZGVyIHRoZSBMaWNlbnNlLgotLT4KPGlvYyB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWFuZGlhbnQuY29tLzIwMTAvaW9jIiBpZD0iYmRmNzkyOWMtM2YwYi00ZmRkLWJjYzUtYjRhODI1NTRhZDkyIiBsYXN0LW1vZGlmaWVkPSIyMDE0LTEwLTIwVDE4OjUwOjUzWiI+CiAgPHNob3J0X2Rlc2NyaXB0aW9uPkNIT1BTVElDSyAoUkVQT1JUKTwvc2hvcnRfZGVzY3JpcHRpb24+CiAgPGRlc2NyaXB0aW9uPkNIT1BTVElDSyBpcyBhIGJhY2tkb29yIHRoYXQgdXNlcyBhIG1vZHVsYXJpemVkLCBvYmplY3Qtb3JpZW50ZWQgZnJhbWV3b3JrIHdyaXR0ZW4gaW4gQysrLiBUaGlzIGZyYW1ld29yayBhbGxvd3MgZm9yIGEgZGl2ZXJzZSBzZXQgb2YgY2FwYWJpbGl0aWVzIGFjcm9zcyBtYWx3YXJlIHZhcmlhbnRzIHNoYXJpbmcgYSBjb21tb24gY29kZSBiYXNlLiAgQ0hPUFNUSUNLIG1heSBjb21tdW5pY2F0ZSB3aXRoIGV4dGVybmFsIHNlcnZlcnMgdXNpbmcgU01UUCBvciBIVFRQLjwvZGVzY3JpcHRpb24+CiAgPGtleXdvcmRzLz4KICA8YXV0aG9yZWRfYnk+RmlyZUV5ZTwvYXV0aG9yZWRfYnk+CiAgPGF1dGhvcmVkX2RhdGU+MjAxNC0xMC0xN1QwMjowMjowMlo8L2F1dGhvcmVkX2RhdGU+CiAgPGxpbmtzPgogICAgPGxpbmsgcmVsPSJ0aHJlYXRjYXRlZ29yeSI+QVBUPC9saW5rPgogICAgPGxpbmsgcmVsPSJ0aHJlYXRncm91cCI+QVBUMjg8L2xpbms+CiAgICA8bGluayByZWw9ImNhdGVnb3J5Ij5CYWNrZG9vcjwvbGluaz4KICAgIDxsaW5rIHJlbD0iZmFtaWx5Ij5DSE9QU1RJQ0s8L2xpbms+CiAgICA8bGluayByZWw9ImxpY2Vuc2UiPkFwYWNoZSAyLjA8L2xpbms+CiAgPC9saW5rcz4KICA8ZGVmaW5pdGlvbj4KICAgIDxJbmRpY2F0b3IgaWQ9ImRkYzg4MGE0LTM2ZDEtNDUxNC1hZGYxLTNjNWI4ZjRmNmVmOCIgb3BlcmF0b3I9Ik9SIj4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjMwODQyZDg2LWUwNzMtNGI2ZS1hNWUwLWQ2YjM1NGY2ODQ3YSIgY29uZGl0aW9uPSJpcyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL0ZpbGVOYW1lIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPmVkZzZFRjg4NUUyLnRtcDwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iYTBlNDQzZTQtNmE0MS00ODU2LThjMTQtZDFhMjcxYmE3YjZiIiBjb25kaXRpb249ImlzIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iUHJvY2Vzc0l0ZW0iIHNlYXJjaD0iUHJvY2Vzc0l0ZW0vSGFuZGxlTGlzdC9IYW5kbGUvTmFtZSIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5cRGV2aWNlXE1haWxzbG90XGNoZWNrX21lc192NTU1NTwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9yIGlkPSIwZmM5ZTUzNC01MzI5LTRhMzEtODVkMi00M2I0MjYyZTFlZDkiIG9wZXJhdG9yPSJBTkQiPgogICAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSI5NWUyMmVhZC0xM2VmLTQ3OTctYjNiNi1kMDkwMjdkODU2MDIiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IlJlZ2lzdHJ5SXRlbSIgc2VhcmNoPSJSZWdpc3RyeUl0ZW0vUGF0aCIgdHlwZT0ibWlyIi8+CiAgICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPk1pY3Jvc29mdFxNZWRpYVBsYXllclx7RTY2OTYxMDUtRTYzRS00RUYxLTkzOUUtMTVEREQ4M0I2NjlBfTwvQ29udGVudD4KICAgICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjIzODg3OThhLWUxZTItNDI1MS1hMDFjLTc5M2QyY2VkYWFhOSIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iUmVnaXN0cnlJdGVtIiBzZWFyY2g9IlJlZ2lzdHJ5SXRlbS9WYWx1ZU5hbWUiIHR5cGU9Im1pciIvPgogICAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5jaG5ubDwvQ29udGVudD4KICAgICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDwvSW5kaWNhdG9yPgogICAgPC9JbmRpY2F0b3I+CiAgPC9kZWZpbml0aW9uPgo8L2lvYz4K", "deleted": false, "disable_correlation": false, "timestamp": "1414567659", "to_ids": false, "type": "attachment", "uuid": "545096eb-3080-401b-9a3a-4f7f950d210b", "value": "bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "5ea9f200-01f1-411e-94e3-49903f14d6f9", "value": "8c4fa713c5e2b009114adda758adc445" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "3f83ca5b-9a2c-4aeb-94ef-28093f6709f8", "value": "3b0ecd011500f61237c205834db0e13a" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "3fe4547e-5e19-4bb3-9792-eb382de45eb0", "value": "791428601ad12b9230b9ace4f2138713" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "020e58f2-e4f2-4801-b731-d26589bd96b6", "value": "5882fda97fdf78b47081cc4105d44f7c" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "b48a7011-59d9-4c53-8d6c-2710d705b0c6", "value": "48656a93f9ba39410763a2196aabc67f" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "9106bde9-52f4-49db-86a1-13f4363bc029", "value": "9eebfebe3987fec3c395594dc57a0c4c" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "8253e6f6-4248-4751-a818-f5d77efd469c", "value": "8b92fe86c5b7a9e34f433a6fbac8bc3a" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "b707e318-bb58-4965-be62-a15ccf896891", "value": "ead4ec18ebce6890d20757bb9f5285b1" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "51c11809-d0be-45e0-a035-e5d63686e889", "value": "1259c4fe5efd9bf07fc4c78466f2dd09" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "21169314-ed29-4148-a70e-e9798894ea55", "value": "272f0fde35dbdfccbca1e33373b3570d" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567718", "to_ids": false, "type": "other", "uuid": "87ba0439-df69-4c21-9013-be773de352ce", "value": "ProcessItem/SectionList/MemorySection/Name: AppData\\Local\\conhost.dll" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567718", "to_ids": false, "type": "other", "uuid": "2660589c-6263-44e1-b4de-484db317f93c", "value": "ProcessItem/SectionList/MemorySection/Name: Local Settings\\Application Data\\conhost.dll" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567718", "to_ids": false, "type": "other", "uuid": "e3fad633-2b34-4bdb-864e-be495f549e2a", "value": "ProcessItem/SectionList/MemorySection/PEInfo/Exports/DllName: coreshell.dll" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567718", "to_ids": false, "type": "other", "uuid": "820fc95e-3d6f-4771-a592-fb60811fa0c0", "value": "ProcessItem/SectionList/MemorySection/Name: \\netids.dll" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567718", "to_ids": false, "type": "filename", "uuid": "e704246d-ecca-4ac5-82a7-404c93aab893", "value": "Local Settings\\Application Data\\svchost.exe" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567718", "to_ids": false, "type": "filename", "uuid": "91b06096-1333-470f-8d49-f408b51d84a1", "value": "Local Settings\\Application Data\\conhost.dll" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567718", "to_ids": false, "type": "filename", "uuid": "37148f5b-fff5-4c9e-98aa-f52fb01a3547", "value": "AppData\\Local\\svchost.exe" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567718", "to_ids": false, "type": "filename", "uuid": "09dd2172-ed97-433f-9c59-517161b78b2d", "value": "AppData\\Local\\conhost.dll" }, { "category": "Network activity", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567719", "to_ids": false, "type": "ip-src", "uuid": "590e7aef-7df8-47cd-916a-360d83f132f5", "value": "70.85.221.10" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567719", "to_ids": false, "type": "filename", "uuid": "5fa65919-9467-4de8-9cb7-8574ff86b85d", "value": "netids.dll" }, { "category": "Payload installation", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414615546", "to_ids": true, "type": "md5", "uuid": "ec771d67-32c0-4076-8e9f-d9ce6b9f2a80", "value": "da2a657dc69d7320f2ffc87013f257ad" }, { "category": "Other", "comment": "OpenIOC import", "deleted": false, "disable_correlation": false, "timestamp": "1414567719", "to_ids": false, "type": "comment", "uuid": "54509725-4978-4706-bf95-4638950d210b", "value": "long_info: SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server. Over time the downloader has evolved and the newer versions, usually compiled with the DLL name 'coreshell.dll'. These variants are distinct from the older versions so we refer to it as SOURFACE/CORESHELL or simply CORESHELL." }, { "category": "External analysis", "comment": "OpenIOC import source file", "data": "PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz4KPCEtLQogICAgVElUTEU6ICAgICAgICAgIGUxY2JmN2NhLTQ5MzgtNGQzYy1hN2U2LTNmZjk2NjUxNjE5MS5pb2MKICAgIFZFUlNJT046ICAgICAgICAxLjAKICAgIERFU0NSSVBUSU9OOiAgICBPcGVuSU9DIGZpbGUKICAgIExJQ0VOU0U6ICAgICAgICBDb3B5cmlnaHQgMjAxNCBGaXJlRXllIENvcnBvcmF0aW9uLiAgTGljZW5zZWQgdW5kZXIgdGhlIEFwYWNoZSAyLjAgbGljZW5zZS4KCiAgICBGaXJlRXllIGxpY2Vuc2VzIHRoaXMgZmlsZSB0byB5b3UgdW5kZXIgdGhlIEFwYWNoZSBMaWNlbnNlLCBWZXJzaW9uCiAgICAyLjAgKHRoZSAiTGljZW5zZSIpOyB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlCiAgICBMaWNlbnNlLiAgWW91IG1heSBvYnRhaW4gYSBjb3B5IG9mIHRoZSBMaWNlbnNlIGF0OgoKICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzL0xJQ0VOU0UtMi4wCgogICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICAgZGlzdHJpYnV0ZWQgdW5kZXIgdGhlIExpY2Vuc2UgaXMgZGlzdHJpYnV0ZWQgb24gYW4gIkFTIElTIiBCQVNJUywKICAgIFdJVEhPVVQgV0FSUkFOVElFUyBPUiBDT05ESVRJT05TIE9GIEFOWSBLSU5ELCBlaXRoZXIgZXhwcmVzcyBvcgogICAgaW1wbGllZC4gIFNlZSB0aGUgTGljZW5zZSBmb3IgdGhlIHNwZWNpZmljIGxhbmd1YWdlIGdvdmVybmluZwogICAgcGVybWlzc2lvbnMgYW5kIGxpbWl0YXRpb25zIHVuZGVyIHRoZSBMaWNlbnNlLgotLT4KPGlvYyB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWFuZGlhbnQuY29tLzIwMTAvaW9jIiBpZD0iZTFjYmY3Y2EtNDkzOC00ZDNjLWE3ZTYtM2ZmOTY2NTE2MTkxIiBsYXN0LW1vZGlmaWVkPSIyMDE0LTEwLTIxVDEzOjA4OjQxWiI+CiAgPHNob3J0X2Rlc2NyaXB0aW9uPlNPVVJGQUNFIChSRVBPUlQpPC9zaG9ydF9kZXNjcmlwdGlvbj4KICA8ZGVzY3JpcHRpb24+U09VUkZBQ0UgaXMgYSBkb3dubG9hZGVyIHRoYXQgb2J0YWlucyBhIHNlY29uZC1zdGFnZSBiYWNrZG9vciBmcm9tIGEgQzIgc2VydmVyLiAgT3ZlciB0aW1lIHRoZSBkb3dubG9hZGVyIGhhcyBldm9sdmVkIGFuZCB0aGUgbmV3ZXIgdmVyc2lvbnMsIHVzdWFsbHkgY29tcGlsZWQgd2l0aCB0aGUgRExMIG5hbWUgJ2NvcmVzaGVsbC5kbGwnLiAgVGhlc2UgdmFyaWFudHMgYXJlIGRpc3RpbmN0IGZyb20gdGhlIG9sZGVyIHZlcnNpb25zIHNvIHdlIHJlZmVyIHRvIGl0IGFzIFNPVVJGQUNFL0NPUkVTSEVMTCBvciBzaW1wbHkgQ09SRVNIRUxMLjwvZGVzY3JpcHRpb24+CiAgPGtleXdvcmRzLz4KICA8YXV0aG9yZWRfYnk+RmlyZUV5ZTwvYXV0aG9yZWRfYnk+CiAgPGF1dGhvcmVkX2RhdGU+MjAxNC0xMC0xNlQyMDo1ODoyMVo8L2F1dGhvcmVkX2RhdGU+CiAgPGxpbmtzPgogICAgPGxpbmsgcmVsPSJ0aHJlYXRjYXRlZ29yeSI+QVBUPC9saW5rPgogICAgPGxpbmsgcmVsPSJ0aHJlYXRncm91cCI+QVBUMjg8L2xpbms+CiAgICA8bGluayByZWw9ImNhdGVnb3J5Ij5Eb3dubG9hZGVyPC9saW5rPgogICAgPGxpbmsgcmVsPSJmYW1pbHkiPlNPVVJGQUNFPC9saW5rPgogICAgPGxpbmsgcmVsPSJmYW1pbHkiPlNPVVJGQUNFLkNPUkVTSEVMTDwvbGluaz4KICAgIDxsaW5rIHJlbD0ibGljZW5zZSI+QXBhY2hlIDIuMDwvbGluaz4KICA8L2xpbmtzPgogIDxkZWZpbml0aW9uPgogICAgPEluZGljYXRvciBpZD0iZTE2ZTYyOTktZjc1Yi00MjIzLThkOGQtMjkwY2QwYmYxYjQxIiBvcGVyYXRvcj0iT1IiPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iNWVhOWYyMDAtMDFmMS00MTFlLTk0ZTMtNDk5MDNmMTRkNmY5IiBjb25kaXRpb249ImlzIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRmlsZUl0ZW0iIHNlYXJjaD0iRmlsZUl0ZW0vTWQ1c3VtIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJtZDUiPjhjNGZhNzEzYzVlMmIwMDkxMTRhZGRhNzU4YWRjNDQ1PC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSIzZjgzY2E1Yi05YTJjLTRhZWItOTRlZi0yODA5M2Y2NzA5ZjgiIGNvbmRpdGlvbj0iaXMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJGaWxlSXRlbSIgc2VhcmNoPSJGaWxlSXRlbS9NZDVzdW0iIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9Im1kNSI+M2IwZWNkMDExNTAwZjYxMjM3YzIwNTgzNGRiMGUxM2E8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjNmZTQ1NDdlLTVlMTktNGJiMy05NzkyLWViMzgyZGU0NWViMCIgY29uZGl0aW9uPSJpcyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL01kNXN1bSIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ibWQ1Ij43OTE0Mjg2MDFhZDEyYjkyMzBiOWFjZTRmMjEzODcxMzwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iMDIwZTU4ZjItZTRmMi00ODAxLWI3MzEtZDI2NTg5YmQ5NmI2IiBjb25kaXRpb249ImlzIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRmlsZUl0ZW0iIHNlYXJjaD0iRmlsZUl0ZW0vTWQ1c3VtIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJtZDUiPjU4ODJmZGE5N2ZkZjc4YjQ3MDgxY2M0MTA1ZDQ0ZjdjPC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSJiNDhhNzAxMS01OWQ5LTRjNTMtOGQ2Yy0yNzEwZDcwNWIwYzYiIGNvbmRpdGlvbj0iaXMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJGaWxlSXRlbSIgc2VhcmNoPSJGaWxlSXRlbS9NZDVzdW0iIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9Im1kNSI+NDg2NTZhOTNmOWJhMzk0MTA3NjNhMjE5NmFhYmM2N2Y8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjkxMDZiZGU5LTUyZjQtNDlkYi04NmExLTEzZjQzNjNiYzAyOSIgY29uZGl0aW9uPSJpcyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL01kNXN1bSIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ibWQ1Ij45ZWViZmViZTM5ODdmZWMzYzM5NTU5NGRjNTdhMGM0YzwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iODI1M2U2ZjYtNDI0OC00NzUxLWE4MTgtZjVkNzdlZmQ0NjljIiBjb25kaXRpb249ImlzIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRmlsZUl0ZW0iIHNlYXJjaD0iRmlsZUl0ZW0vTWQ1c3VtIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJtZDUiPjhiOTJmZTg2YzViN2E5ZTM0ZjQzM2E2ZmJhYzhiYzNhPC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSJiNzA3ZTMxOC1iYjU4LTQ5NjUtYmU2Mi1hMTVjY2Y4OTY4OTEiIGNvbmRpdGlvbj0iaXMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJGaWxlSXRlbSIgc2VhcmNoPSJGaWxlSXRlbS9NZDVzdW0iIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9Im1kNSI+ZWFkNGVjMThlYmNlNjg5MGQyMDc1N2JiOWY1Mjg1YjE8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjUxYzExODA5LWQwYmUtNDVlMC1hMDM1LWU1ZDYzNjg2ZTg4OSIgY29uZGl0aW9uPSJpcyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL01kNXN1bSIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ibWQ1Ij4xMjU5YzRmZTVlZmQ5YmYwN2ZjNGM3ODQ2NmYyZGQwOTwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iMjExNjkzMTQtZWQyOS00MTQ4LWE3MGUtZTk3OTg4OTRlYTU1IiBjb25kaXRpb249ImlzIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRmlsZUl0ZW0iIHNlYXJjaD0iRmlsZUl0ZW0vTWQ1c3VtIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJtZDUiPjI3MmYwZmRlMzVkYmRmY2NiY2ExZTMzMzczYjM1NzBkPC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSI4N2JhMDQzOS1kZjY5LTRjMjEtOTAxMy1iZTc3M2RlMzUyY2UiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJQcm9jZXNzSXRlbSIgc2VhcmNoPSJQcm9jZXNzSXRlbS9TZWN0aW9uTGlzdC9NZW1vcnlTZWN0aW9uL05hbWUiIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+QXBwRGF0YVxMb2NhbFxjb25ob3N0LmRsbDwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iMjY2MDU4OWMtNjI2My00NGUxLWI0ZGUtNDg0ZGIzMTdmOTNjIiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iUHJvY2Vzc0l0ZW0iIHNlYXJjaD0iUHJvY2Vzc0l0ZW0vU2VjdGlvbkxpc3QvTWVtb3J5U2VjdGlvbi9OYW1lIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPkxvY2FsIFNldHRpbmdzXEFwcGxpY2F0aW9uIERhdGFcY29uaG9zdC5kbGw8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9ImUzZmFkNjMzLTJiMzQtNGJkYi04NjRlLWJlNDk1ZjU0OWUyYSIgY29uZGl0aW9uPSJpcyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IlByb2Nlc3NJdGVtIiBzZWFyY2g9IlByb2Nlc3NJdGVtL1NlY3Rpb25MaXN0L01lbW9yeVNlY3Rpb24vUEVJbmZvL0V4cG9ydHMvRGxsTmFtZSIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5jb3Jlc2hlbGwuZGxsPC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSI4MjBmYzk1ZS0zZDZmLTQ3NzEtYTU5Mi1mYjYwODExZmEwYzAiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJQcm9jZXNzSXRlbSIgc2VhcmNoPSJQcm9jZXNzSXRlbS9TZWN0aW9uTGlzdC9NZW1vcnlTZWN0aW9uL05hbWUiIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+XG5ldGlkcy5kbGw8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9ImU3MDQyNDZkLWVjY2EtNGFjNS04MmE3LTQwNGM5M2FhYjg5MyIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL0Z1bGxQYXRoIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPkxvY2FsIFNldHRpbmdzXEFwcGxpY2F0aW9uIERhdGFcc3ZjaG9zdC5leGU8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjkxYjA2MDk2LTEzMzMtNDcwZi04ZDQ5LWY0MDhiNTFkODRhMSIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL0Z1bGxQYXRoIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPkxvY2FsIFNldHRpbmdzXEFwcGxpY2F0aW9uIERhdGFcY29uaG9zdC5kbGw8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjM3MTQ4ZjViLWZmZjUtNGM5ZS05OGFhLWY1MmZiMDFhMzU0NyIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL0Z1bGxQYXRoIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPkFwcERhdGFcTG9jYWxcc3ZjaG9zdC5leGU8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjA5ZGQyMTcyLWVkOTctNDMzZi05YzU5LTUxNzE2MWI3OGIyZCIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL0Z1bGxQYXRoIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPkFwcERhdGFcTG9jYWxcY29uaG9zdC5kbGw8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjU5MGU3YWVmLTdkZjgtNDdjZC05MTZhLTM2MGQ4M2YxMzJmNSIgY29uZGl0aW9uPSJpcyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IlBvcnRJdGVtIiBzZWFyY2g9IlBvcnRJdGVtL3JlbW90ZUlQIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJJUCI+NzAuODUuMjIxLjEwPC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSI1NjBkYjI0Yi0xZDAzLTQ2MjQtYWZkOS0wNTNlMjlkNzU0MTEiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJEbnNFbnRyeUl0ZW0iIHNlYXJjaD0iRG5zRW50cnlJdGVtL1JlY29yZE5hbWUiIHR5cGU9Im1pciIvPgogICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+YWRhd2FyZWJsb2NrLmNvbTwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iNDFlMDUwMjQtNmM3Mi00OWQ3LThjMTktYjUzM2YwMDIxMjRkIiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRG5zRW50cnlJdGVtIiBzZWFyY2g9IkRuc0VudHJ5SXRlbS9SZWNvcmROYW1lIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPmNoZWNrbWFsd2FyZS5vcmc8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9ImJhMmIwMmY2LTc4YjgtNDU4OS1iZDFhLTI2NjY3ZjgxOTM0ZiIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkRuc0VudHJ5SXRlbSIgc2VhcmNoPSJEbnNFbnRyeUl0ZW0vUmVjb3JkTmFtZSIgdHlwZT0ibWlyIi8+CiAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5tYWx3YXJlY2hlY2suaW5mbzwvQ29udGVudD4KICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iNTY4NDdhZDctOGVkZS00OTVmLTk5OGUtNTAyYWUwMDQwZmQ2IiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRG5zRW50cnlJdGVtIiBzZWFyY2g9IkRuc0VudHJ5SXRlbS9SZWNvcmROYW1lIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPnNjYW5tYWx3YXJlLmluZm88L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjVmYTY1OTE5LTk0NjctNGRlOC05Y2I3LTg1NzRmZjg2Yjg1ZCIgY29uZGl0aW9uPSJpcyI+CiAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL0ZpbGVOYW1lIiB0eXBlPSJtaXIiLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPm5ldGlkcy5kbGw8L0NvbnRlbnQ+CiAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgPEluZGljYXRvckl0ZW0gaWQ9ImVjNzcxZDY3LTMyYzAtNDA3Ni04ZTlmLWQ5Y2U2YjlmMmE4MCIgY29uZGl0aW9uPSJpcyIgcHJlc2VydmUtY2FzZT0iZmFsc2UiIG5lZ2F0ZT0iZmFsc2UiPgogICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJGaWxlSXRlbSIgc2VhcmNoPSJGaWxlSXRlbS9NZDVzdW0iIHR5cGU9Im1pciIgLz4KICAgICAgICA8Q29udGVudCB0eXBlPSJtZDUiPmRhMmE2NTdkYzY5ZDczMjBmMmZmYzg3MDEzZjI1N2FkPC9Db250ZW50PgogICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDxJbmRpY2F0b3IgaWQ9ImY0ZWExOWI4LWFhNDktNDljNC05ZTA5LWEzZjhiZTA5NzhjOSIgb3BlcmF0b3I9IkFORCI+CiAgICAgICAgPEluZGljYXRvckl0ZW0gaWQ9IjIzNzQ2MWJiLTk0MmQtNDRlNy05YTM5LTZjZDdjOTg0ZDM1NyIgY29uZGl0aW9uPSJjb250YWlucyI+CiAgICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iUHJvY2Vzc0l0ZW0iIHNlYXJjaD0iUHJvY2Vzc0l0ZW0vbmFtZSIgdHlwZT0ibWlyIi8+CiAgICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPnN2Y2hvc3QuZXhlPC9Db250ZW50PgogICAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgICA8SW5kaWNhdG9yIGlkPSJmNTgzOTNlYi02YTdiLTQ0NDktYmI4MS03YjFjMjY0YmI1MDYiIG9wZXJhdG9yPSJPUiI+CiAgICAgICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iMTkwOGE4NDQtYWJhMi00ZTdjLWEyMzAtZDUzZTVlM2NkODZmIiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IlByb2Nlc3NJdGVtIiBzZWFyY2g9IlByb2Nlc3NJdGVtL3BhdGgiIHR5cGU9Im1pciIvPgogICAgICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPkxvY2FsIFNldHRpbmdzXEFwcGxpY2F0aW9uIERhdGE8L0NvbnRlbnQ+CiAgICAgICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iNTNmNGYzZDItYTVkOC00MWY4LTk3ZWMtMDc1NTFmNWU5YTU3IiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IlByb2Nlc3NJdGVtIiBzZWFyY2g9IlByb2Nlc3NJdGVtL3BhdGgiIHR5cGU9Im1pciIvPgogICAgICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPkFwcERhdGFcTG9jYWw8L0NvbnRlbnQ+CiAgICAgICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgICAgPC9JbmRpY2F0b3I+CiAgICAgIDwvSW5kaWNhdG9yPgogICAgICA8SW5kaWNhdG9yIGlkPSIwNDIyNTgzYy05MDFhLTRhNmUtYjc2YS01NmNmMjk0NGYxNWMiIG9wZXJhdG9yPSJBTkQiPgogICAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSJiOGIyMjE1MC01NGE4LTRlNmItOTEwMC1kZDIxNjhiM2JhYzgiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IlByb2Nlc3NJdGVtIiBzZWFyY2g9IlByb2Nlc3NJdGVtL25hbWUiIHR5cGU9Im1pciIvPgogICAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5ydW5kbGwzMi5leGU8L0NvbnRlbnQ+CiAgICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSI4MjMyZWIxMi1iNGMzLTRlMTQtYmEwZi00N2M5MmY5ODBlMGMiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IlByb2Nlc3NJdGVtIiBzZWFyY2g9IlByb2Nlc3NJdGVtL2FyZ3VtZW50cyIgdHlwZT0ibWlyIi8+CiAgICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPiMxPC9Db250ZW50PgogICAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgICA8SW5kaWNhdG9yIGlkPSI4MTMwNjEwNy0wNjU1LTQxNjEtODkxNi1iNzYwZmYwZjFiNGIiIG9wZXJhdG9yPSJPUiI+CiAgICAgICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iMmFlNmRkM2EtNjM1YS00NjkzLWJmZjktNzM2ZmJlMGIwYmE5IiBjb25kaXRpb249ImNvbnRhaW5zIj4KICAgICAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IlByb2Nlc3NJdGVtIiBzZWFyY2g9IlByb2Nlc3NJdGVtL2FyZ3VtZW50cyIgdHlwZT0ibWlyIi8+CiAgICAgICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+QXBwRGF0YVxMb2NhbFxjb25ob3N0LmRsbDwvQ29udGVudD4KICAgICAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSIwMzIzMjRlNy01YzE3LTQ3MjAtYTdkNS1mZWFkZjY3ZGM3YTMiIGNvbmRpdGlvbj0iY29udGFpbnMiPgogICAgICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iUHJvY2Vzc0l0ZW0iIHNlYXJjaD0iUHJvY2Vzc0l0ZW0vYXJndW1lbnRzIiB0eXBlPSJtaXIiLz4KICAgICAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5Mb2NhbCBTZXR0aW5nc1xBcHBsaWNhdGlvbiBEYXRhXGNvbmhvc3QuZGxsPC9Db250ZW50PgogICAgICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICAgIDwvSW5kaWNhdG9yPgogICAgICA8L0luZGljYXRvcj4KICAgICAgPEluZGljYXRvciBpZD0iNDZjOTQ0NzUtNmNmNy00NzgzLTljZDUtMDg1ZGM5YmIwN2ZlIiBvcGVyYXRvcj0iQU5EIj4KICAgICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iYWI2ODc5MzUtNzM2NC00NWRhLWIzZDQtZTc2NmI2Yzk2ODc1IiBjb25kaXRpb249ImlzIj4KICAgICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJGaWxlSXRlbSIgc2VhcmNoPSJGaWxlSXRlbS9QRUluZm8vRXhwb3J0cy9OdW1iZXJPZkZ1bmN0aW9ucyIgdHlwZT0ibWlyIi8+CiAgICAgICAgICA8Q29udGVudCB0eXBlPSJpbnQiPjE8L0NvbnRlbnQ+CiAgICAgICAgPC9JbmRpY2F0b3JJdGVtPgogICAgICAgIDxJbmRpY2F0b3IgaWQ9ImM5ZjA1MTJkLWM2ZjItNGI0NS1hZGJkLTAyN2UyOWQ3YjdkZCIgb3BlcmF0b3I9Ik9SIj4KICAgICAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSJmNDMwM2E3Zi0wYjY0LTQ3ODEtYjYwYy03ZDVjMmQ2ODJlZTgiIGNvbmRpdGlvbj0iaXMiPgogICAgICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRmlsZUl0ZW0iIHNlYXJjaD0iRmlsZUl0ZW0vUEVJbmZvL0V4cG9ydHMvRGxsTmFtZSIgdHlwZT0ibWlyIi8+CiAgICAgICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+Y29yZXNoZWxsLmRsbDwvQ29udGVudD4KICAgICAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSIzYjc5M2Y3Ny0xODE4LTRkYjUtYWRlNy1kOWU1YTQ5OWZhYTYiIGNvbmRpdGlvbj0iaXMiPgogICAgICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRmlsZUl0ZW0iIHNlYXJjaD0iRmlsZUl0ZW0vUEVJbmZvL0V4cG9ydHMvRGxsTmFtZSIgdHlwZT0ibWlyIi8+CiAgICAgICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+ZGxsLmRsbDwvQ29udGVudD4KICAgICAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgICA8L0luZGljYXRvcj4KICAgICAgICA8SW5kaWNhdG9yIGlkPSIwMjVmZDlkZi1jN2QzLTQ3N2ItYWIzMS05MjVjZDJjODBkOTMiIG9wZXJhdG9yPSJPUiI+CiAgICAgICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iYjNmODJlMDUtOGYzNi00OTk4LTkxZGUtZWE2MDg1MTQwZWY2IiBjb25kaXRpb249ImlzIj4KICAgICAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL1BFSW5mby9FeHBvcnRzL0V4cG9ydGVkRnVuY3Rpb25zL3N0cmluZyIgdHlwZT0ibWlyIi8+CiAgICAgICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+SW5pdGlhbGl6ZTwvQ29udGVudD4KICAgICAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSJiNjM3MTVjNy0xZDRjLTQ5MGQtODU1MS02ZWY5MjE3ZDMyMmMiIGNvbmRpdGlvbj0iaXMiPgogICAgICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRmlsZUl0ZW0iIHNlYXJjaD0iRmlsZUl0ZW0vUEVJbmZvL0V4cG9ydHMvRXhwb3J0ZWRGdW5jdGlvbnMvc3RyaW5nIiB0eXBlPSJtaXIiLz4KICAgICAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5Jbml0MTwvQ29udGVudD4KICAgICAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSJhZTZhOWMxNC1lMGEzLTQzMTAtYTI1Ni0zNzAyOWEzZGU2NmMiIGNvbmRpdGlvbj0iaXMiPgogICAgICAgICAgICA8Q29udGV4dCBkb2N1bWVudD0iRmlsZUl0ZW0iIHNlYXJjaD0iRmlsZUl0ZW0vUEVJbmZvL0V4cG9ydHMvRXhwb3J0ZWRGdW5jdGlvbnMvc3RyaW5nIiB0eXBlPSJtaXIiLz4KICAgICAgICAgICAgPENvbnRlbnQgdHlwZT0ic3RyaW5nIj5BcHBsaWNhdGU8L0NvbnRlbnQ+CiAgICAgICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgICAgPC9JbmRpY2F0b3I+CiAgICAgIDwvSW5kaWNhdG9yPgogICAgICA8SW5kaWNhdG9yIGlkPSJjNmM2ZWUwMC01MWYzLTQ0ODEtYmM4Zi1kMjhiZmYwNDg0MWYiIG9wZXJhdG9yPSJBTkQiPgogICAgICAgIDxJbmRpY2F0b3JJdGVtIGlkPSJhNmIyZmIwOS0yZDdkLTQ4ZjQtOTM3MC1iYWE3MGRjOTc3NGQiIGNvbmRpdGlvbj0iaXMiPgogICAgICAgICAgPENvbnRleHQgZG9jdW1lbnQ9IkZpbGVJdGVtIiBzZWFyY2g9IkZpbGVJdGVtL1BFSW5mby9WZXJzaW9uSW5mb0xpc3QvVmVyc2lvbkluZm9JdGVtL0ZpbGVEZXNjcmlwdGlvbiIgdHlwZT0ibWlyIi8+CiAgICAgICAgICA8Q29udGVudCB0eXBlPSJzdHJpbmciPkNvcmUgU2hlbGwgUnVudGltZSBTZXJ2aWNlPC9Db250ZW50PgogICAgICAgIDwvSW5kaWNhdG9ySXRlbT4KICAgICAgICA8SW5kaWNhdG9ySXRlbSBpZD0iMTgyOTE2MTItOWNhOS00ZjZjLThkYjUtNDRjYTY4NjVkYWViIiBjb25kaXRpb249ImlzIj4KICAgICAgICAgIDxDb250ZXh0IGRvY3VtZW50PSJGaWxlSXRlbSIgc2VhcmNoPSJGaWxlSXRlbS9QRUluZm8vVmVyc2lvbkluZm9MaXN0L1ZlcnNpb25JbmZvSXRlbS9PcmlnaW5hbEZpbGVuYW1lIiB0eXBlPSJtaXIiLz4KICAgICAgICAgIDxDb250ZW50IHR5cGU9InN0cmluZyI+Y29yZXNoZWxsLmRsbDwvQ29udGVudD4KICAgICAgICA8L0luZGljYXRvckl0ZW0+CiAgICAgIDwvSW5kaWNhdG9yPgogICAgPC9JbmRpY2F0b3I+CiAgPC9kZWZpbml0aW9uPgo8L2lvYz4K", "deleted": false, "disable_correlation": false, "timestamp": "1414567719", "to_ids": false, "type": "attachment", "uuid": "54509725-678c-4a8c-a283-4c8c950d210b", "value": "e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-0784-49fe-bdff-b9b0950d210b", "value": "https://github.com/fireeye/iocs/tree/master/APT28" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-3364-46b3-9145-b9b0950d210b", "value": "https://github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-b254-4a77-8bc0-b9b0950d210b", "value": "https://github.com/fireeye/iocs/blob/master/APT28/a438caeb-96dd-4225-853c-fc5910980961.ioc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-b94c-41ae-9be0-b9b0950d210b", "value": "https://github.com/fireeye/iocs/blob/master/APT28/a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-354c-4406-8bde-b9b0950d210b", "value": "https://github.com/fireeye/iocs/blob/master/APT28/bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-24ac-4754-a2a6-b9b0950d210b", "value": "https://github.com/fireeye/iocs/blob/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-969c-4f4b-a2c1-b9b0950d210b", "value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-dd3c-426c-ae5a-b9b0950d210b", "value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/a438caeb-96dd-4225-853c-fc5910980961.ioc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-60d4-4a77-b1c4-b9b0950d210b", "value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-bbc8-45b9-899f-b9b0950d210b", "value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615410", "to_ids": false, "type": "link", "uuid": "54515172-e024-4106-9098-b9b0950d210b", "value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414615472", "to_ids": true, "type": "domain", "uuid": "545151b0-b7b4-4d33-a3c6-6181950d210b", "value": "smigroup-online.co.uk" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414616303", "to_ids": false, "type": "text", "uuid": "545154ef-0bac-4215-ba2d-4ab3950d210b", "value": "OLDBAIT" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414616303", "to_ids": false, "type": "text", "uuid": "545154ef-3db8-4a5a-9726-47c9950d210b", "value": "EVILTOSS" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414616303", "to_ids": false, "type": "text", "uuid": "545154ef-3854-4a2b-9b51-403e950d210b", "value": "CHOPSTICK" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414616303", "to_ids": false, "type": "text", "uuid": "545154ef-7dfc-4e2c-88b8-4fab950d210b", "value": "SOURFACE" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414616475", "to_ids": true, "type": "domain", "uuid": "5451559b-be98-46ff-9f68-800f950d210b", "value": "g0v.pl" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414616475", "to_ids": true, "type": "domain", "uuid": "5451559b-5a28-4c55-ba34-800f950d210b", "value": "nshq.in" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414616475", "to_ids": true, "type": "domain", "uuid": "5451559b-69cc-4db0-a51c-800f950d210b", "value": "baltichost.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414616529", "to_ids": true, "type": "hostname", "uuid": "545155d1-e76c-4f65-aae3-b9b0950d210b", "value": "mail.g0v.pl" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1414616529", "to_ids": true, "type": "hostname", "uuid": "545155d1-4304-461e-9615-b9b0950d210b", "value": "nato.nshq.in" }, { "category": "External analysis", "comment": "Automatically added (via 8c4fa713c5e2b009114adda758adc445)", "deleted": false, "disable_correlation": false, "timestamp": "1455833017", "to_ids": true, "type": "sha1", "uuid": "56c63fb9-0644-4c76-b9d5-c653950d210f", "value": "f5b3e98c6b5d65807da66d50bd5730d35692174d" }, { "category": "External analysis", "comment": "Automatically added (via 48656a93f9ba39410763a2196aabc67f)", "deleted": false, "disable_correlation": false, "timestamp": "1455833020", "to_ids": true, "type": "sha1", "uuid": "56c63fbc-c38c-4ebe-a6b2-40e8950d210f", "value": "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca" }, { "category": "External analysis", "comment": "Automatically added (via ead4ec18ebce6890d20757bb9f5285b1)", "deleted": false, "disable_correlation": false, "timestamp": "1455833023", "to_ids": true, "type": "sha1", "uuid": "56c63fbf-d514-4dbf-b3dc-599c950d210f", "value": "ed48ef531d96e8c7360701da1c57e2ff13f12405" }, { "category": "External analysis", "comment": "Automatically added (via 791428601ad12b9230b9ace4f2138713)", "deleted": false, "disable_correlation": false, "timestamp": "1455833025", "to_ids": true, "type": "sha1", "uuid": "56c63fc1-5308-452f-8ea2-4958950d210f", "value": "367d40465fd1633c435b966fa9b289188aa444bc" }, { "category": "External analysis", "comment": "Automatically added (via 5882fda97fdf78b47081cc4105d44f7c)", "deleted": false, "disable_correlation": false, "timestamp": "1455833028", "to_ids": true, "type": "sha1", "uuid": "56c63fc4-59e8-4951-8576-c652950d210f", "value": "cf3220c867b81949d1ce2b36446642de7894c6dc" }, { "category": "External analysis", "comment": "Automatically added (via 3b0ecd011500f61237c205834db0e13a)", "deleted": false, "disable_correlation": false, "timestamp": "1455833030", "to_ids": true, "type": "sha1", "uuid": "56c63fc6-f364-4e59-a679-c650950d210f", "value": "682e49efa6d2549147a21993d64291bfa40d815a" }, { "category": "External analysis", "comment": "Automatically added (via 1259c4fe5efd9bf07fc4c78466f2dd09)", "deleted": false, "disable_correlation": false, "timestamp": "1455833033", "to_ids": true, "type": "sha1", "uuid": "56c63fc9-2818-407f-8c13-42f1950d210f", "value": "d9c53adce8c35ec3b1e015ec8011078902e6800b" }, { "category": "External analysis", "comment": "Automatically added (via da2a657dc69d7320f2ffc87013f257ad)", "deleted": false, "disable_correlation": false, "timestamp": "1455833036", "to_ids": true, "type": "sha1", "uuid": "56c63fcc-fa60-440b-bb3f-59a1950d210f", "value": "6316258ca5ba2d85134ad7427f24a8a51ce4815b" }, { "category": "External analysis", "comment": "Automatically added (via 9eebfebe3987fec3c395594dc57a0c4c)", "deleted": false, "disable_correlation": false, "timestamp": "1455833039", "to_ids": true, "type": "sha1", "uuid": "56c63fcf-2d28-4d26-b266-c652950d210f", "value": "e2450dffa675c61aa43077b25b12851a910eeeb6" }, { "category": "External analysis", "comment": "Automatically added (via 8b92fe86c5b7a9e34f433a6fbac8bc3a)", "deleted": false, "disable_correlation": false, "timestamp": "1455833041", "to_ids": true, "type": "sha1", "uuid": "56c63fd1-439c-4d04-9e0d-c651950d210f", "value": "85522190958c82589fa290c0835805f3d9a2f8d6" }, { "category": "External analysis", "comment": "Automatically added (via 272f0fde35dbdfccbca1e33373b3570d)", "deleted": false, "disable_correlation": false, "timestamp": "1455833044", "to_ids": true, "type": "sha1", "uuid": "56c63fd4-1d2c-453b-873d-5ca1950d210f", "value": "d87b310aa81ae6254fff27b7d57f76035f544073" }, { "category": "External analysis", "comment": "Automatically added (via 8c4fa713c5e2b009114adda758adc445)", "deleted": false, "disable_correlation": false, "timestamp": "1455833019", "to_ids": true, "type": "sha256", "uuid": "56c63fbb-19c0-43af-a6b7-599f950d210f", "value": "d58f2a799552aff8358e9c63a4345ea971b27edd14b8eac825db30a8321d1a7a" }, { "category": "External analysis", "comment": "Automatically added (via 48656a93f9ba39410763a2196aabc67f)", "deleted": false, "disable_correlation": false, "timestamp": "1455833021", "to_ids": true, "type": "sha256", "uuid": "56c63fbd-3ca8-4b5b-91d1-4b0d950d210f", "value": "c8087186a215553d2f95c68c03398e17e67517553f6e9a8adc906faa51bce946" }, { "category": "External analysis", "comment": "Automatically added (via ead4ec18ebce6890d20757bb9f5285b1)", "deleted": false, "disable_correlation": false, "timestamp": "1455833024", "to_ids": true, "type": "sha256", "uuid": "56c63fc0-ec50-4ce9-95e1-599d950d210f", "value": "7695f20315f84bb1d940149b17dd58383210ea3498450b45fefa22a450e79683" }, { "category": "External analysis", "comment": "Automatically added (via 791428601ad12b9230b9ace4f2138713)", "deleted": false, "disable_correlation": false, "timestamp": "1455833026", "to_ids": true, "type": "sha256", "uuid": "56c63fc2-d3a8-4484-977c-44e8950d210f", "value": "29cc2e69f65b9ce5fe04eb9b65942b2dabf48e41770f0a49eb698271b99d2787" }, { "category": "External analysis", "comment": "Automatically added (via 5882fda97fdf78b47081cc4105d44f7c)", "deleted": false, "disable_correlation": false, "timestamp": "1455833029", "to_ids": true, "type": "sha256", "uuid": "56c63fc5-4654-4248-b045-599c950d210f", "value": "744f2a1e1a62dff2a8d5bd273304a4d21ee37a3c9b0bdcffeeca50374bd10a39" }, { "category": "External analysis", "comment": "Automatically added (via 3b0ecd011500f61237c205834db0e13a)", "deleted": false, "disable_correlation": false, "timestamp": "1455833032", "to_ids": true, "type": "sha256", "uuid": "56c63fc8-fe70-4a09-8e89-c651950d210f", "value": "7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965" }, { "category": "External analysis", "comment": "Automatically added (via 1259c4fe5efd9bf07fc4c78466f2dd09)", "deleted": false, "disable_correlation": false, "timestamp": "1455833034", "to_ids": true, "type": "sha256", "uuid": "56c63fca-b464-4f85-8926-59a2950d210f", "value": "102b0158bcd5a8b64de44d9f765193dd80df1504e398ce52d37b7c8c33f2552a" }, { "category": "External analysis", "comment": "Automatically added (via da2a657dc69d7320f2ffc87013f257ad)", "deleted": false, "disable_correlation": false, "timestamp": "1455833037", "to_ids": true, "type": "sha256", "uuid": "56c63fcd-0868-4b54-a95d-5ca1950d210f", "value": "d54173be095b688016528f18dc97f2d583efcf5ce562ec766afc0b294eb51ac7" }, { "category": "External analysis", "comment": "Automatically added (via 9eebfebe3987fec3c395594dc57a0c4c)", "deleted": false, "disable_correlation": false, "timestamp": "1455833040", "to_ids": true, "type": "sha256", "uuid": "56c63fd0-08cc-4889-8343-4d32950d210f", "value": "e6d09ce32cc62b6f17279204fac1771a6eb35077bb79471115e8dfed2c86cd75" }, { "category": "External analysis", "comment": "Automatically added (via 8b92fe86c5b7a9e34f433a6fbac8bc3a)", "deleted": false, "disable_correlation": false, "timestamp": "1455833042", "to_ids": true, "type": "sha256", "uuid": "56c63fd2-40b8-4459-8d9a-c653950d210f", "value": "03ed773bde6c6a1ac3b24bde6003322df8d41d3d1c85109b8669c430b58d2f69" }, { "category": "External analysis", "comment": "Automatically added (via 272f0fde35dbdfccbca1e33373b3570d)", "deleted": false, "disable_correlation": false, "timestamp": "1455833045", "to_ids": true, "type": "sha256", "uuid": "56c63fd5-98f8-4ed5-bc19-c654950d210f", "value": "423a0799efe41b28a8b765fa505699183c8278d5a7bf07658b3bd507bfa5346f" } ] } }