{"id":19017,"date":"2022-05-11T12:40:07","date_gmt":"2022-05-11T20:40:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/11\/news-12750\/"},"modified":"2022-05-11T12:40:07","modified_gmt":"2022-05-11T20:40:07","slug":"news-12750","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/11\/news-12750\/","title":{"rendered":"Please Confirm You Received Our APT"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Because we are constantly monitoring the threat landscape, FortiGuard Labs has the opportunity to see many unique and novel attacks. Recently, one of our sample collectors was able to find one such incident. It began with a spearphishing email to a diplomat in Jordan. Like many of these attacks, the email contained a malicious attachment. However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats (APTs). Based on the techniques used in this attack, it appears to be another campaign launched by APT34. The rest of this blog will analyze the attack chain associated with this email and the traits that set it apart from average malware, such as DNS tunneling and stateful programming. 
<\/p>\n<p style=\"margin-left: 40.0px;\"><b>Affected Platforms:<\/b> Microsoft Windows<br \/> <b>Impacted Users:<\/b> Targeted Windows users<br \/> <b>Impact: <\/b>Collects sensitive information from the compromised machine<br \/> <b>Severity Level: <\/b>Medium<\/p>\n<h2>Spearphishing Email<\/h2>\n<p>This spearphishing attack targeted a Jordanian diplomat, with the sender pretending to be a colleague from the IT department of the same governmental organization.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image.img.png\/1652286789306\/img1.png\" alt=\"screenshot of spearphishing email\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. Spearphishing email<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Looking at the headers of the email, we can determine that the email originated from outside the organization. But while it came from an external email address, it used the first and last name of an employee in the IT department. The alert diplomat decided to forward this to the real employee. This may have been done to verify the authenticity of the original email or, more likely, for further analysis within the IT department. As suggested in the email body, the attached Excel file contained a confirmation form for the targeted diplomat to fill out.<\/p>\n<p>For those technically inclined, the next few sections break down the \u201chow\u201d and \u201cwhat happened\u201d of this malware. 
Other readers should feel free to skip to the \u201cC2 Servers\u201d section for details on how to protect your organization.<\/p>\n<h2>Malicious Excel File<\/h2>\n<p>The attached Excel file contains a malicious VBA (Visual Basic Application) macro as opposed to the Excel MacroSheets that other malware such as Emotet and QBot typically use. In many cases, a malicious macro may install some sort of stager, such as those deployed by Cobalt Strike or Metasploit. In other cases, the macro may use living-off-the-land techniques to download and execute a second-stage binary. Another option a macro may use is to simply drop and run a malicious binary. In this attack, the macro uses the latter option. This, however, was where similarities to other phishing attacks end.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_16857651.img.png\/1652286843479\/img2.png\" alt=\"screenshot of Macro opening\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Macro opening<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>One of the unique techniques seen in this macro is the toggling of sheet visibility. In most attacks involving Excel, no hidden sheets are used. And in those cases where hidden sheets are used, the hidden sheet typically holds the malicious code. In this attack, however, the visibility of two sheets is quickly switched as soon as the workbook is opened. One possible reason for this may be as an anti-emulation technique. 
Emulators (such as the freely available ViperMonkey) may or may not support all Excel functionality, such as the hiding of sheets.<\/p>\n<p>Incidentally, lines 16 and 17 are commented out. Perhaps these lines were used for testing purposes or were part of a different lure, one in which <i>TeamViewer<\/i> (remote access and control software used for device maintenance) was used.<\/p>\n<p>The astute observer may have also noticed line 25 in the previous image. Line 25 calls a function that contacts the C2 server.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_1557914539.img.png\/1652286889016\/img3.png\" alt=\"example of C2 contact\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. C2 contact<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Unlike most malicious macros, this one uses WMI (Windows Management Instrumentation) to ping the C2 server instead of a more commonly used tool, such as PowerShell or CMD. Furthermore, this function is called multiple times during macro execution. It basically works as a state monitor to keep track of what\u2019s happening during the attack. The\u00a0<span style=\"color: rgb(230,126,34);\"><i><u>tMsg<\/u><\/i><\/span><span style=\"color: rgb(142,68,173);\"><i>\u00a0<\/i><\/span>variable changed during different stages of the attack, allowing the attackers to view their network logs to see the state of their macro. 
The\u00a0<span style=\"color: rgb(230,126,34);\"><u><i>rds<\/i><\/u><\/span><span style=\"color: rgb(142,68,173);\">\u00a0<\/span>variable is a random four-digit number, with the same four digits used consistently throughout the macro state check-in process.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"text-align:center\"><span style=\"color:#7f8c8d\">Figure 4. Table of states<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As alluded to in the table above, the macro has the capability to create three files. A malicious PE file was created as\u00a0<span style=\"color: rgb(230,126,34);\"><u><i>%LocalAppData%\\Microsoft\\Update\\update.exe<\/i><\/u><\/span>. A configuration file was created as\u00a0<u><span style=\"color: rgb(230,126,34);\"><i>%LocalAppData%\\Microsoft\\Update\\update.exe.config<\/i><\/span><\/u>. And the third file,\u00a0<span style=\"color: rgb(230,126,34);\"><u><i>%LocalAppData%\\Microsoft\\Update\\Microsoft.Exchange.WebServices.dll<\/i><\/u><\/span>, was signed and clean.<\/p>\n<p>While the malware authors decided to store these three files inside the Excel file, they again chose to do so in a way that is not commonly seen.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_812580897.img.png\/1652287290532\/img5.png\" alt=\"Form caption example\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. 
Form caption<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Three user forms are stored inside the Excel file. Each user form has a label, and each label has a caption. As seen in the image above, the caption contains base64 encoded data. Form1 contains the malicious update.exe file. Form2 contains the configuration file. And Form3 contains the clean Microsoft file. We will explore these files further later in this blog.<\/p>\n<p>The malware authors also used the Excel macro to create a persistence method for their update.exe file. They accomplished this by setting a scheduled task.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_2085614270.img.png\/1652287360910\/img6.png\" alt=\"Scheduled task example\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. Scheduled task<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The task is named\u00a0<span style=\"color: rgb(230,126,34);\"><u><i>MicrosoftUpdate<\/i><\/u><\/span>\u00a0and repeats every 4 hours. The macro also uses deprecated\u00a0<span style=\"color: rgb(230,126,34);\"><u><i>IdleSettings<\/i><\/u><\/span>\u00a0properties, such as\u00a0<span style=\"color: rgb(230,126,34);\"><i>Duration<\/i><\/span>\u00a0(which starts the task only if the computer has been idle for ten minutes) and\u00a0<i><span style=\"color: rgb(230,126,34);\"><u>WaitTimeout<\/u><\/span>\u00a0<\/i>(which determines how long to wait for an idle condition). This task was set to allow 20 days to complete. 
Taking into account the date of the email and assuming the task ran immediately, the task would run until at least May 16, 2022.<\/p>\n<p>In addition to the visibility switch technique described earlier, a second technique that may be intended to evade automated analysis was also seen in this macro: it checks for the presence of a mouse. If a mouse is not connected, the macro does not create any of the three files. There are a couple of situations in which a mouse would not be attached to a computer. First, a mouse is not necessarily needed if the computer is controlled remotely; the only mouse needed would be attached to the controlling computer. And second, a mouse is not needed if an analysis machine is simply processing and emulating Office files, since a script can perform all the necessary actions automatically without one.<\/p>\n<p>As far as malicious macros go, this one contains several techniques not normally seen in most attacks. This suggests that more time and care have been given to developing this portion of the attack. In the next section, we will look at the files that were created by this macro.<\/p>\n<h2>Dropped Files<\/h2>\n<p>As explained earlier, this malicious Excel macro includes the ability to create three files. In this section, we will look at them individually, starting with the two benign files.<\/p>\n<p>A signed file was embedded inside the Excel file and dropped to the following location:\u00a0<span style=\"color: rgb(230,126,34);\"><i>%LocalAppData%\\Microsoft\\Update\\Microsoft.Exchange.WebServices.dll<\/i>.<\/span> Another innocuous file was dropped as\u00a0<span style=\"color: rgb(230,126,34);\"><u><i>%LocalAppData%\\Microsoft\\Update\\update.exe.config<\/i><\/u>.<\/span> Its contents are used as configuration data. 
Here are the contents after decoding:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_70450257.img.png\/1652287534684\/fig-7.png\" alt=\"Config data example\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. Config data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The third file is the actual malware. It was created in the same location as the two previously dropped files, as\u00a0<span style=\"color: rgb(230,126,34);\"><u><i>%LocalAppData%\\Microsoft\\Update\\update.exe<\/i><\/u>.<\/span> It was a .NET binary and contained the main payload.<\/p>\n<p>This malware binary was certainly developed by the same group that created the Excel macro, as there are similarities between the two. One similarity is the notion of states and the tracking of what is happening at any given point within the execution flow. 
Since .NET is a more capable programming environment than VBA scripting, the malware binary can keep state far more easily.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_710219508.img.png\/1652287627598\/img8.png\" alt=\"Dictionary of states\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Dictionary of states<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The figure above shows a partial state dictionary defined by the malware. Depending on the execution flow and what state the malware lands in, certain delays are introduced.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_1788664866.img.png\/1652287682118\/img9.png\" alt=\"example of Delay times in milliseconds\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. Delay times in milliseconds<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>These delays are executed by calling the Sleep() function. In .NET, Sleep() accepts values in milliseconds. 
In certain cases, for example, from\u00a0<span style=\"color: rgb(230,126,34);\"><i>DelayMinAlive<\/i>\u00a0<\/span>to\u00a0<span style=\"color: rgb(230,126,34);\"><i>DelayMaxAlive<\/i><\/span>, the malware can sleep anywhere from 6 to 8 hours!<\/p>\n<p>While this malware sleeps in certain program states, other program states require it to contact the C2 server. Like the Excel macro, it contacts seemingly random subdomains. However, in actuality, it uses a\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_generation_algorithm\" target=\"_blank\">domain generation algorithm (DGA)<\/a>\u00a0to calculate a subdomain.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_1867776014.img.png\/1652287790377\/img10.png\" alt=\"DGA example\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. DGA<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The malware constructs the DGA by first randomly assigning a value to\u00a0<span style=\"color: rgb(142,68,173);\"><i>_AgentID<\/i><\/span>. This value is then fed as a seed into the\u00a0<span style=\"color: rgb(39,174,96);\"><i>RandomMersenneTwister<\/i><\/span>\u00a0function, highlighted above. It then performs further calculations using the\u00a0<span style=\"color: rgb(230,126,34);\"><i>haruto<\/i><\/span>\u00a0string as well as the strings found in the\u00a0<span style=\"color: rgb(142,68,173);\"><i>CharsDomain<\/i><\/span>\u00a0and\u00a0<span style=\"color: rgb(142,68,173);\"><i>CharsCounter<\/i><\/span>\u00a0variables. 
Once a subdomain string is generated, the malware randomly chooses one of three domains to concatenate with (<span style=\"color: rgb(230,126,34);\"><i>joexpediagroup[.]com<\/i><\/span>,\u00a0<span style=\"color: rgb(230,126,34);\"><i>asiaworldremit[.]com<\/i><\/span>, or\u00a0<span style=\"color: rgb(230,126,34);\"><i>uber-asia[.]com<\/i><\/span>).<\/p>\n<p>Once the URL is generated, the next step the malware takes is to check for the C2 server\u2019s DNS data.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_253503599.img.png\/1652288008299\/fig11.png\" alt=\"DNS\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. DNS<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When DNS is queried for a domain, a DNS server returns an IP address that points to the requested domain. The malware then checks the first octet of the IP address to ensure the value is at least 128 to be considered valid. Perhaps this is a way for the malware to avoid internal IP addresses, such as the 127[.]0[.]0[.]1 local loopback address or the 10[.]0[.]0[.]0 internal subnet.\u00a0<span style=\"color: rgb(52,152,219);\"><i>Lines 260-261<\/i><\/span>\u00a0are used to define the byte array\u00a0<i><span style=\"color: rgb(52,152,219);\">DnsClass.<\/span><span style=\"color: rgb(142,68,173);\">_ReceiveData<\/span><\/i><span style=\"color: rgb(142,68,173);\">\u00a0<\/span>with a size defined by the remaining octets. For example, a DNS test server is set up to return the IP address 192[.]5[.]4[.]3 for any DNS requests. 
That means the byte array has a size of\u00a0<i>0x050403<\/i>. Later in the malware\u2019s execution flow, this data from the DNS request is used to define\u00a0<span style=\"color: rgb(52,152,219);\"><i>TaskClass<\/i>\u00a0<\/span>properties.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_13533176.img.png\/1652288110861\/img12.png\" alt=\"DNS tunneling\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. DNS tunneling<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Specifically on\u00a0<span style=\"color: rgb(52,152,219);\"><i>line 245<\/i><\/span>,\u00a0<i><span style=\"color: rgb(52,152,219);\">TaskClass.<\/span><span style=\"color: rgb(142,68,173);\">ListData<\/span><\/i>\u00a0is set to the received data from the DNS request. In the end, this basically means that this malware is receiving tasks inside a DNS response. Apparently, this malware uses DNS tunneling to communicate with its C2. 
APT34 has historically used DNS for communications as well.<\/p>\n<p>Several types of tasks are defined for this malware.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_1764169676.img.png\/1652288200305\/fhfd.png\" alt=\"Task types\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13. Task types<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This malware has the ability to take a DNS response and create an arbitrary file on the infected machine if that was the task the malware authors wanted to perform.\u00a0<span style=\"color: rgb(142,68,173);\"><i>File<\/i>\u00a0<\/span>and\u00a0<span style=\"color: rgb(142,68,173);\"><i>CompressedFile<\/i><\/span>\u00a0are task types used to create a file. The remaining task types are used to send backdoor commands to the malware. These backdoor commands are meant to be executed through PowerShell or through the Windows CMD interpreter. 
The following table lists supported commands.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<table align=\"center\" cellspacing=\"0\" class=\"MsoTable15Grid4Accent2\" style=\"border-collapse:collapse; border:none; width:631px\">\n<tbody>\n<tr>\n<td style=\"background-color:#ed7d31; border-bottom:1px solid #ed7d31; border-left:1px solid #ed7d31; border-right:none; border-top:1px solid #ed7d31; vertical-align:top; width:64px\">\n<p style=\"text-align:center\"><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\"><strong><span style=\"color:white\">Command<\/span><\/strong><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#ed7d31; border-bottom:1px solid #ed7d31; border-left:none; border-right:none; border-top:1px solid #ed7d31; vertical-align:top; width:68px\">\n<p style=\"text-align:center\"><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\"><strong><span style=\"color:white\">Interpreter<\/span><\/strong><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#ed7d31; border-bottom:1px solid #ed7d31; border-left:none; border-right:1px solid #ed7d31; border-top:1px solid #ed7d31; vertical-align:top; width:499px\">\n<p style=\"text-align:center\"><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\"><strong><span style=\"color:white\">Payload<\/span><\/strong><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">1<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span 
style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Get-NetIPAddress -AddressFamily IPv4 | Select-Object IPAddress<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">2<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Get-NetNeighbor -AddressFamily IPv4 | Select-Object &quot;IPADDress&quot;<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">3<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">CMD<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid 
#f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">whoami<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">4<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">[System.Environment]::OSVersion.VersionString<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">5<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">CMD<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">net user<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td 
style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">7<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Get-ChildItem -Path &quot;C:Program Files&quot; | Select-Object Name<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">8<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Get-ChildItem -Path &#39;C:Program Files (x86)&#39; | Select-Object Name<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span 
style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">9<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Get-ChildItem -Path &#39;C:&#39; | Select-Object Name<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">10<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">CMD<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">hostname<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">11<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; 
width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Get-NetTCPConnection | Where-Object {$_.State -eq &quot;Established&quot;} | Select-Object &quot;LocalAddress&quot;, &quot;LocalPort&quot;, &quot;RemoteAddress&quot;, &quot;RemotePort&quot;<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">12<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">$(ping -n 1 10.65.4.50 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.4.51 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.65.65 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.53.53 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.21.200 | findstr \/i ttl) -eq $null<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span 
style=\"font-family:Calibri,sans-serif\">13<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">nslookup ise-posture.mofagov.gover.local | findstr \/i Address;nslookup webmail.gov.jo | findstr \/i Address<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">14<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">$(ping -n 1 10.10.21.201 | findstr \/i ttl) -eq $null;$(ping -n 1 10.10.19.201 | findstr \/i ttl) -eq $null;$(ping -n 1 10.10.19.202 | findstr \/i ttl) -eq $null;$(ping -n 1 10.10.24.200 | findstr \/i ttl) -eq $null<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span 
style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">15<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">$(ping -n 1 10.10.10.4 | findstr \/i ttl) -eq $null;$(ping -n 1 10.10.50.10 | findstr \/i ttl) -eq $null;$(ping -n 1 10.10.22.50 | findstr \/i ttl) -eq $null;$(ping -n 1 10.10.45.19 | findstr \/i ttl) -eq $null<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">16<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">$(ping -n 1 10.65.51.11 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.6.1 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.52.200 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.6.3 | findstr \/i ttl) -eq $null<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; 
border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">17<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">$(ping -n 1 10.65.45.18 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.28.41 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.36.13 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.51.10 | findstr \/i ttl) -eq $null<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">18<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">$(ping -n 1 10.10.22.42 | findstr \/i ttl) -eq $null;$(ping -n 1 10.10.23.200 | findstr \/i ttl) -eq $null;$(ping -n 1 10.10.45.19 | findstr \/i ttl) -eq $null;$(ping -n 1 
10.10.19.50 | findstr \/i ttl) -eq $null<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">19<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">$(ping -n 1 10.65.45.3 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.4.52 | findstr \/i ttl) -eq $null;$(ping -n 1 10.65.31.155 | findstr \/i ttl) -eq $null;$(ping -n 1 ise-posture.mofagov.gover.local | findstr \/i ttl) -eq $null<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">20<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Get-NetIPConfiguration | Foreach 
IPv4DefaultGateway | Select-Object NextHop<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">21<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">PS<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object SERVERAddresses<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:64px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">22<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:68px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">CMD<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:499px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">systeminfo | findstr \/i &quot;Domain&quot;<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align:center\"><span style=\"color:#7f8c8d\">Figure 14. 
Table of backdoor commands<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The <i>6<\/i> command is actually missing from this malware. Whether a file is uploaded or a backdoor command is executed, there is some sort of output. This output is then formatted and compressed using .NET\u2019s compression mode. After the result is encoded with base32, this new result is then incorporated into the DGA. Base32 is also the same encoding scheme that APT34 has used.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_1239592580.img.png\/1652288772747\/dfg.png\" alt=\"DNS exfiltration\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15. DNS exfiltration<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This is how the malware exfiltrated the data. It may look like a simple DNS request in a network log, but the exfiltrated data is actually built into the DNS request.<\/p>\n<p>With the amount of work put into developing this malware, it does not appear to be the type to execute once and then delete itself, like other stealthy infostealers. Perhaps to avoid triggering any behavioral detections, this malware also does not create any persistence methods. Instead, it relies on the Excel macro to create persistence by way of a scheduled task. Since Excel is a signed binary, maintaining persistence in this way may be missed by some behavioral detection engines. 
The problem with using a scheduled task as a persistence mechanism, however, is that it runs the risk of having multiple copies of itself running concurrently. To avoid this problem, the malware creates a mutex. A\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Lock_(computer_science)\">mutex<\/a>\u00a0(mutual exclusion object) is a program object that is created so multiple program threads can take turns sharing the same resource. In its most basic definition, it is simply a locking mechanism. If a mutex with a value of\u00a0<span style=\"color: rgb(230,126,34);\"><i>726a06ad-475b-4bc6-8466-f08960595f1e<\/i><\/span>\u00a0already exists on the system, it means there is already a previous instance of the malware running on the infected computer. As a result, if a scheduled task starts another copy of the malware, the malware detects the mutex, and it is terminated immediately.<\/p>\n<h2>C2 Servers<\/h2>\n<p>This malware has the ability to contact three domains (<span style=\"color: rgb(230,126,34);\"><i>joexpediagroup[.]com<\/i><\/span>,\u00a0<span style=\"color: rgb(230,126,34);\"><i>asiaworldremit[.]com<\/i><\/span>,\u00a0<span style=\"color: rgb(230,126,34);\"><i>uber-asia[.]com<\/i><\/span>). Similarly, the Excel macro is able to contact the\u00a0<span style=\"color: rgb(230,126,34);\"><i>joexpediagroup[.]com<\/i><\/span>\u00a0domain.<\/p>\n<h3>Uber-asia[.]com<\/h3>\n<p>This domain, which may be imitating Uber rideshare for Asia, was registered slightly more than two months ago, on February 27, 2022. According to passive DNS records, this domain resolves to 127[.]0[.]0[.]1. 
Interestingly enough, VirusTotal was able to record a DNS entry.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image_1616091911.img.png\/1652288761273\/ghkhgk.png\" alt=\"Virustotal DNS results\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16. Virustotal DNS results<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This certainly fits the format used by the malware. The subdomain appears to be a DGA. The first octet of the IP address is greater than 128, and the remaining octets define the size of the command to be executed. Unfortunately, the rest of the DNS data is not available. This suggests that the malware operators are closely monitoring this C2 server and only activate it when necessary.<\/p>\n<h3>Joexpediagroup[.]com<\/h3>\n<p>This domain, which may be imitating Expedia travel for Jordan, was created earlier this year, on January 20, 2022. Sometime after April 20, 2022, this domain also started resolving to 127[.]0[.]0[.]1, most likely for the same reason as above. Prior to that, however, the domain resolved to 45[.]11[.]19[.]47. The server also had SSH port 22 open. Our own Fortinet telemetry detected someone connecting to this IP address from the country of Jordan.<\/p>\n<h3>Asiaworldremit[.]com<\/h3>\n<p>This domain, which may be imitating WorldRemit for Asia, was created on the same day as the first C2 server, on February 27, 2022. Around April 19, 2022, this domain also resolved to 127[.]0[.]0[.]1. Prior to that, however, it resolved to 193[.]239[.]84[.]207. 
In the past, this IP address has been used by NSO Group for its Pegasus spyware. According to our telemetry, this IP address has also been used by APT34\/OilRig\/Helix Kitten and GoziIFSB. It has also been used as a VPN address. Passive DNS records indicate the IP address is currently hosting several suspiciously named domains, some of which are listed below.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<table align=\"center\" cellspacing=\"0\" class=\"MsoTable15Grid4Accent2\" style=\"border-collapse:collapse; border:none\">\n<tbody>\n<tr>\n<td style=\"background-color:#ed7d31; border-bottom:1px solid #ed7d31; border-left:1px solid #ed7d31; border-right:none; border-top:1px solid #ed7d31; vertical-align:top; width:186px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\"><strong><span style=\"color:white\">Registered Domain<\/span><\/strong><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#ed7d31; border-bottom:1px solid #ed7d31; border-left:none; border-right:1px solid #ed7d31; border-top:1px solid #ed7d31; vertical-align:top; width:286px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\"><strong><span style=\"color:white\">Attempting to masquerade as<\/span><\/strong><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:186px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">astrazeneeca[.]com<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:286px\">\n<p><span style=\"font-size:12px\"><span 
style=\"font-family:Calibri,sans-serif\">AstraZeneca<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:186px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">astrazencea[.]com<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:286px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">AstraZeneca<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:186px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">hsbcbkcn[.]com<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:286px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">HSBC Bank China<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:186px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">valtronics-ae[.]com<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:286px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Valtronics AE<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px 
solid #f4b083; border-top:none; vertical-align:top; width:186px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">ntu-sg-edu[.]com<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:286px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Nanyang Technological University Singapore<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:186px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">theworldbank[.]uk<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:286px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">World Bank Group<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:186px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">coinbasedeutschland[.]com<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color:#fbe4d5; border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:286px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Coinbase for Germany<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom:1px solid #f4b083; border-left:1px solid #f4b083; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:186px\">\n<p><span style=\"font-size:12px\"><span 
style=\"font-family:Calibri,sans-serif\">cisco0[.]com<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom:1px solid #f4b083; border-left:none; border-right:1px solid #f4b083; border-top:none; vertical-align:top; width:286px\">\n<p><span style=\"font-size:12px\"><span style=\"font-family:Calibri,sans-serif\">Cisco<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align:center\"><span style=\"color:#7f8c8d\">Figure 17. Fake domains<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The three C2 domains used by this malware seem to follow a naming convention similar to that of the other domains found on this IP address.<\/p>\n<h2>Conclusion<\/h2>\n<p>The amount of effort put into developing this attack is much higher than that of the average run-of-the-mill phishing\/spam campaign, putting it on the level of an APT attack. From the start, the attackers posed as a valid user and kept the email short and free of grammatical errors. They then proceeded to use an Excel macro with advanced techniques, including possible anti-analysis techniques with the mouse check and the sheet visibility switch.<\/p>\n<p>Furthermore, while stateful programming is rarely used in malware, both the Excel macro and the malware in this attack make use of it. After checking in, the malware sleeps for 6-8 hours. One likely reason is that the threat actors expected the diplomat to open the spearphishing email in the morning and then leave at the end of the day. At that point, the attackers would be free to operate.<\/p>\n<p>While using DNS tunneling for C2 communications is nothing new, it is rarely seen in practice. Their backdoor also supports a long list of very specific commands. From the looks of things, the threat actors did their homework, since their backdoor commands clearly demonstrate prior knowledge of their target\u2019s internal network infrastructure. 
This indicates that the threat actors most likely gained limited access somewhere else before this spearphishing attempt was made.<\/p>\n<p>Looking at their C2 servers, two out of the three seem to be tightly controlled. They were only brought up at specific times. The third C2 server has been lumped in with various other domains to further complicate proper attribution. Given all the breadcrumbs, this campaign looks to be another one launched by APT34. They have demonstrated they possess the resources necessary to infiltrate a government network and are no strangers to using more advanced techniques.<\/p>\n<h3><b>Fortinet Protections<\/b><\/h3>\n<p>Fortinet customers are protected from this malware by FortiGuard\u2019s <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/web-filtering.html?utm_source=blog&amp;utm_campaign=web-filtering\">Web Filtering<\/a>, AntiVirus, <a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page\">FortiMail<\/a>, <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/forticlient.html?utm_source=blog&amp;utm_campaign=endpoint-web-page\">FortiClient<\/a>, <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr\">FortiEDR<\/a>, and CDR (content disarm and reconstruction) services:<\/p>\n<p>The FortiGuard Antivirus service detects and blocks the malicious Excel file as MSExcel\/Agent.7CCA!tr and the malware binary as MSIL\/Agent.A52D!tr.<\/p>\n<p>The malicious macros inside the Excel sample can be disarmed by the FortiGuard CDR (content disarm and reconstruction) service.<\/p>\n<p><a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr\">FortiEDR<\/a> detects the Excel file and the malware binary as malicious based on their behavior.<\/p>\n<p>Fortinet customers 
are protected from this malicious Excel file and malware binary by FortiGuard AntiVirus, which is included in <a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page\">FortiMail<\/a>. It detects all malicious macro file types, including Excel 4.0 Macro samples.<\/p>\n<p>All relevant URLs have been rated as &quot;Malicious Websites&quot; by the FortiGuard Web Filtering service.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"font-size: 14.0pt;\">IOCs<\/span><\/b><\/span><\/span><\/p>\n<p><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\">Files<\/span><\/span><\/p>\n<table cellspacing=\"0\" class=\"MsoTable15Grid4Accent2\" style=\"border: none;width: 542.0px;\">\n<tbody>\n<tr>\n<td style=\"background-color: rgb(237,125,49);border-bottom: 1.0px solid rgb(237,125,49);border-left: 1.0px solid rgb(237,125,49);border-right: none;border-top: 1.0px solid rgb(237,125,49);vertical-align: top;width: 172.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: white;\">Indicator<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(237,125,49);border-bottom: 1.0px solid rgb(237,125,49);border-left: none;border-right: 1.0px solid rgb(237,125,49);border-top: 1.0px solid rgb(237,125,49);vertical-align: top;width: 370.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: white;\">SHA256<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 
172.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">Confirmation Receive Document.xls<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 370.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">82A0F2B93C5BCCF3EF920BAE425DD768371248CDA9948D5A8E70F3C34E9F7CCA<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 172.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">Microsoft.Exchange.WebServices.dll<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 370.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">7EBBEB2A25DA1B09A98E1A373C78486ED2C5A7F2A16EEC63E576C99EFE0C7A49<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 172.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">update.exe.config<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 370.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , 
sans-serif;\">C744DA99FE19917E09CD1ECC48B563F9525DAD3916E1902F61B79BDA35298D87<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 172.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">update.exe<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 370.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">E0872958B8D3824089E5E1CFAB03D9D98D22B9BCB294463818D721380075A52D<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\">Other<\/span><\/span><\/p>\n<table cellspacing=\"0\" class=\"MsoTable15Grid4Accent2\" style=\"border: none;\">\n<tbody>\n<tr>\n<td style=\"background-color: rgb(237,125,49);border-bottom: 1.0px solid rgb(237,125,49);border-left: 1.0px solid rgb(237,125,49);border-right: none;border-top: 1.0px solid rgb(237,125,49);vertical-align: top;width: 86.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: white;\">Indicator<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(237,125,49);border-bottom: 1.0px solid rgb(237,125,49);border-left: none;border-right: 1.0px solid rgb(237,125,49);border-top: 1.0px solid rgb(237,125,49);vertical-align: top;width: 201.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: white;\">Value<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid 
rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 86.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">Mutex<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 201.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">726a06ad-475b-4bc6-8466-f08960595f1e<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 86.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">C2 domain<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 201.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">joexpediagroup[.]com<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 86.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">C2 domain<\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 201.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , 
sans-serif;\">asiaworldremit[.]com<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 86.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">C2 domain<\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 201.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\">uber-asia[.]com<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\">Mitre TTPs<\/span><\/span><\/p>\n<table cellspacing=\"0\" class=\"MsoTable15Grid6ColorfulAccent2\" style=\"border: none;\">\n<tbody>\n<tr>\n<td colspan=\"2\" style=\"border-bottom: 2.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: 1.0px solid rgb(244,176,131);vertical-align: top;width: 259.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: rgb(196,89,17);\">Initial Access<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1566.001<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: 
none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">Spearphishing<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\" style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 259.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: rgb(196,89,17);\">Execution<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1059.001<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">PowerShell<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: 
rgb(196,89,17);\">T1059.003<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">Windows Command Shell<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1053.005<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">Scheduled Task<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1204.002<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">Malicious File<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td 
style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1047<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">Windows Management Instrumentation<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\" style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 259.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: rgb(196,89,17);\">Persistence<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1053.005<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">Scheduled 
Task<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\" style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 259.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: rgb(196,89,17);\">Defense Evasion<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1480<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">Execution Guardrails<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\" style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 259.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: rgb(196,89,17);\">Discovery<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: 
Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1087.001<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">Local Account<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1083<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">File and Directory Discovery<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1049<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: 
rgb(196,89,17);\">System Network Connections Discovery<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\" style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 259.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: rgb(196,89,17);\">Command and Control<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1071.004<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">DNS<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1132.002<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: 
rgb(196,89,17);\">Non-Standard Encoding<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1568.002<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">Domain Generation Algorithms<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\" style=\"border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 259.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><b><span style=\"color: rgb(196,89,17);\">Exfiltration<\/span><\/b><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: 1.0px solid rgb(244,176,131);border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 65.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">T1041<\/span><\/span><\/span><\/p>\n<\/td>\n<td style=\"background-color: rgb(251,228,213);border-bottom: 1.0px solid rgb(244,176,131);border-left: none;border-right: 1.0px solid rgb(244,176,131);border-top: none;vertical-align: top;width: 194.0px;\">\n<p><span style=\"font-size: 12.0px;\"><span 
style=\"font-family: Calibri , sans-serif;\"><span style=\"color: rgb(196,89,17);\">Exfiltration Over C2 Channel<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><i>Learn more about Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-b2dxtopzidsdt3fkzfsv-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/please-confirm-you-received-our-apt\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/please-confirm-you-received-our-apt\/_jcr_content\/root\/responsivegrid\/image.img.png\/1652286789306\/img1.png\"\/><br \/>FortiGuard Labs researchers recently examined a spearphishing attack targeting a Jordanian diplomat. This blog analyzes the attack chain associated with this email and the traits that set it apart from average malware. Read more. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-19017","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19017","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19017"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19017\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19017"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19017"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19017"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}