@Plazmaz
Last active December 18, 2022 23:14
A tool for decoding IcedID arrays
' Usage: cscript decode.vbs <array>
' Example:
' cscript decode.vbs "Array(g6,u7,s8,d4,z3,u7,b6,l5,j4,e9,k7,z1,k7)"
' returns qMUuDMFaZ.txt
' Name -> numeric code table referenced by the Array(...) argument.
' VBScript identifiers are case-insensitive, so d4 in an argument resolves to D4.
' GeRSvfK subtracts 13 from each value to obtain the character code.
' NOTE(review): presumably copied from the sample being decoded - confirm against the sample.
Const r2=27
Const rr2=38
Const C5=42
Const D4=130
Const t=132
Const g2=146
Const A3=203
Const L9=60
Const S5=63
Const ss5=213
Const p5=72
Const j3=64
Const E=228
Const T3=257
Const Tt3=295
Const j2=191
Const h6=78
Const hH6=227
Const i8=200
Const l4=157
Const G1=94
Const gg1=261
Const f5=39
Const D3=109
Const T4=247
Const N2=166
Const U7=90
Const M2=234
Const q9=57
Const n3=235
Const nN3=392
Const x2=255
Const V5=221
Const O6=74
Const C6=70
Const g7=111
Const B9=240
Const Bb9=471
Const s8=98
Const N4=246
Const w3=219
Const o7=61
Const OO7=241
Const A7=152
Const z6=205
Const t5=25
Const tT5=29
Const a9=85
Const Aa9=133
Const p2=46
Const i6=131
Const D7=265
Const j8=77
Const F2=163
Const V4=261
Const vv4=417
Const g4=108
Const V=96
Const z5=187
Const H2=122
Const R4=207
Const m3=144
Const z=43
Const o=123
Const Q6=35
Const Qq6=145
Const J5=188
Const Jj5=441
Const w7=88
Const Ww7=122
Const F8=101
Const G=30
Const f1=223
Const ff1=406
Const C9=104
Const X1=67
Const XX1=133
Const Y6=143
Const d1=22
Const O4=214
Const q3=14
Const A2=75
Const n1=220
Const V2=148
Const vV2=171
Const f=227
Const u3=226
Const a6=179
Const k5=177
Const m6=190
Const U=53
Const UU=109
Const L7=206
Const ll7=383
Const p4=93
Const a1=140
Const t2=183
Const K7=129
Const kK7=325
Const b2=258
Const K2=16
Const K9=233
Const y1=58
Const YY1=234
Const v8=244
Const C4=263
Const D=161
Const T9=139
Const s7=216
Const M8=114
Const H=50
Const hh=248
Const S=13
Const c7=106
Const Cc7=328
Const l=15
Const G9=196
Const h4=262
Const F3=44
Const a8=164
Const x=151
Const y7=230
Const i3=245
Const n6=125
Const i9=86
Const l5=110
Const C8=38
Const S3=66
Const S6=160
Const S4=185
Const D9=17
Const X4=134
Const W8=267
Const y3=170
Const h3=33
Const hh3=162
Const s1=116
Const b1=167
Const BB1=400
Const E7=194
Const v1=21
Const I4=91
Const II4=327
Const M4=197
Const e8=264
Const U4=84
Const R1=256
Const R7=250
Const RR7=403
Const J7=76
Const j4=103
Const b5=184
Const p3=171
Const L2=224
Const B3=20
Const N7=213
Const z9=73
Const zz9=123
Const a=182
Const F6=249
Const U6=19
Const e3=242
Const x8=172
Const Z3=81
Const k1=173
Const F9=239
Const H1=89
Const m5=232
Const X6=45
Const z8=48
Const H8=169
Const z4=69
Const i1=113
Const C2=80
Const I=229
Const E2=193
Const V7=55
Const s2=127
Const E4=222
Const A5=202
Const p1=54
Const i2=145
Const B=210
Const C=248
Const cc=317
Const Q7=105
Const r6=141
Const Q2=201
Const N8=217
Const u5=238
Const m=243
Const i5=211
Const K3=142
Const c1=100
Const l1=115
Const y9=251
Const l6=62
Const f4=178
Const x3=236
Const Y2=147
Const l8=266
Const b8=215
Const bb8=397
Const I7=37
Const H9=99
Const HH9=297
Const o5=128
Const V6=92
Const U1=107
Const m9=204
Const o1=149
Const oO1=355
Const s9=31
Const r=241
Const N=208
Const nn=368
Const y5=41
Const E5=218
Const Ee5=251
Const Q5=18
Const b7=65
Const x9=252
Const j=181
Const y4=32
Const V3=136
Const e9=59
Const j6=212
Const U2=79
Const M1=97
Const Q4=118
Const r9=209
Const o9=176
Const x7=189
Const a4=28
Const v9=195
Const E1=254
Const u9=117
Const K6=154
Const j9=51
Const W4=47
Const u8=95
Const o8=155
Const y=268
Const yY=435
Const z1=133
Const q8=162
Const QQ8=349
Const y8=119
Const YY8=336
Const B6=83
Const T6=52
Const t8=56
Const w2=68
Const K=159
Const Kk=310
Const R8=87
Const k4=165
Const Kk4=408
Const o3=174
Const Q1=120
Const G8=26
Const T7=71
Const Tt7=309
Const n9=180
Const k8=23
Const t1=225
Const w5=192
Const O2=112
Const d2=231
Const g6=126
Const p=40
Const c3=102
Const R5=24
Const G5=124
Const gg5=142
Const f7=138
Const X5=199
Const W1=168
Const B4=237
Const h5=259
Const e6=150
Const ee6=189
Const D6=49
Const r3=137
Const RR3=236
Const w9=260
Const z7=156
Const g3=36
Const GG3=235
Const n5=153
Const d5=253
Const z2=29
Const q=34
Const qQ=122
Const D8=186
Const w6=158
Const h7=82
Const L3=135
Const J1=198
Const M7=175
Const w=121
Const Ww=274
' Decode an array of numeric codes into a string.
' Each element has 13 subtracted and is converted with ChrW; the results are
' concatenated in array order. An empty array yields an empty string.
Function GeRSvfK(ins)
    Dim pos, decoded
    decoded = ""
    For pos = 0 To UBound(ins)
        decoded = decoded & ChrW(ins(pos) - 13)
    Next
    GeRSvfK = decoded
End Function
' Stdout handle used for all output. WScript.StdOut is only usable when the
' script is hosted by cscript.exe, which is what the usage line above assumes.
Set objStdOut = WScript.StdOut
' Return the base64 text of sText, using an MSXML element typed as bin.base64.
' NOTE(review): nodeTypedValue on a bin.base64 node is normally given a byte
' array; confirm that passing a plain string yields the intended bytes.
Function Base64Encode(sText)
    Dim b64Node
    Set b64Node = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
    With b64Node
        ' The data type is set first, then the value, then the encoded text is read back.
        .dataType = "bin.base64"
        .nodeTypedValue = sText
        Base64Encode = .text
    End With
    Set b64Node = Nothing
End Function
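' Entry point: decode the Array(...) expression given as the first argument
' and write the resulting string to stdout.
'
' SECURITY: the argument is text pasted from the document under analysis and
' is handed to Eval, which runs it as a VBScript expression. The check below
' accepts only Array(<name-or-integer>, ...): no nested parentheses, dots,
' string literals or operators. Anything else is rejected before Eval is
' reached. Treat the input as hostile and run this in an analysis VM.
If WScript.Arguments.Count < 1 Then
    WScript.StdErr.WriteLine "Usage: cscript decode.vbs ""Array(g6,u7,...)"""
    WScript.Quit 1
End If

Set reArrayArg = New RegExp
reArrayArg.IgnoreCase = True
' Optional list of identifiers or unsigned integers, comma separated.
reArrayArg.Pattern = "^\s*Array\(\s*(?:(?:[A-Za-z][A-Za-z0-9]*|\d+)(?:\s*,\s*(?:[A-Za-z][A-Za-z0-9]*|\d+))*)?\s*\)\s*$"
If Not reArrayArg.Test(WScript.Arguments.Item(0)) Then
    WScript.StdErr.WriteLine "Refusing to Eval argument: expected Array(name,name,...) containing only names or integers"
    WScript.Quit 1
End If

objStdOut.Write(GeRSvfK(Eval(WScript.Arguments.Item(0))))
' Useful for binary (the argument has already passed the check above):
' objStdOut.Write(Base64Encode(GeRSvfK(Eval(WScript.Arguments.Item(0)))))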