Automated Malware Analysis Report for as6xxgzNFj.xls - Generated ...
ID: 424660
Sample Name: as6xxgzNFj.xls
Cookbook: defaultwindowsofficecookbook.jbs
Time: 08:36:53
Date: 26/05/2021
Version: 32.0.0 Black Diamond
Table of Contents
Analysis Report as6xxgzNFj.xls
Overview
General Information
Detection
Signatures
Classification
Process Tree
Malware Configuration
Yara Overview
Memory Dumps
Sigma Overview
System Summary:
Signature Overview
AV Detection:
Software Vulnerabilities:
E-Banking Fraud:
System Summary:
Persistence and Installation Behavior:
Mitre Att&ck Matrix
Behavior Graph
Screenshots
Thumbnails
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Dropped Files
Unpacked PE Files
Domains
URLs
Domains and IPs
Contacted Domains
URLs from Memory and Binaries
Contacted IPs
Public
General Information
Simulations
Behavior and APIs
Joe Sandbox View / Context
IPs
Domains
ASN
JA3 Fingerprints
Dropped Files
Created / dropped Files
Static File Info
General
File Icon
Static OLE Info
General
OLE File "as6xxgzNFj.xls"
Indicators
Summary
Document Summary
Streams with VBA
VBA File Name: Sheet1.cls, Stream Size: 991
General
VBA Code Keywords
Copyright Joe Security LLC 2021 Page 2 of 69
VBA Code
VBA File Name: Sheet2.cls, Stream Size: 991
General
VBA Code Keywords
VBA Code
VBA File Name: Sheet3.cls, Stream Size: 991
General
VBA Code Keywords
VBA Code
VBA File Name: ThisWorkbook.cls, Stream Size: 1779
General
VBA Code Keywords
VBA Code
VBA File Name: abusersimputativemisguggle.bas, Stream Size: 4658
General
VBA Code Keywords
VBA Code
VBA File Name: acaciaromanticallylamprophyres.bas, Stream Size: 4484
General
VBA Code Keywords
VBA Code
VBA File Name: adventuringequalitycrosswords.bas, Stream Size: 6739
General
VBA Code Keywords
VBA Code
VBA File Name: counterclaimedattractantsblasp.bas, Stream Size: 3737
General
VBA Code Keywords
VBA Code
VBA File Name: filingschoicenessesfunnelingsy.bas, Stream Size: 44360
General
VBA Code Keywords
VBA Code
VBA File Name: intitulesalertheterosporiesamp.bas, Stream Size: 155385
General
VBA Code Keywords
VBA Code
VBA File Name: nucleidesdisgestedmercerisesdu.bas, Stream Size: 7272
General
VBA Code Keywords
VBA Code
VBA File Name: schlubupleaningfarmhouse.bas, Stream Size: 12837
General
VBA Code Keywords
VBA Code
VBA File Name: surveyalscosmotheticalmarcesce.bas, Stream Size: 19978
General
VBA Code Keywords
VBA Code
VBA File Name: zoographistsuphuddentiltsnoven.bas, Stream Size: 20066
General
VBA Code Keywords
VBA Code
Streams
Stream Path: \x1CompObj, File Type: data, Stream Size: 107
General
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 284
General
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 320
General
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 52696
General
Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 1424
General
Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 1001
General
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 8464
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 4241
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 1176
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_10, File Type: data, Stream Size: 306
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_11, File Type: data, Stream Size: 362
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_12, File Type: data, Stream Size: 171
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_13, File Type: data, Stream Size: 170
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_14, File Type: data, Stream Size: 171
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_15, File Type: data, Stream Size: 170
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 171
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 170
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4, File Type: data, Stream Size: 502
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5, File Type: data, Stream Size: 618
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_6, File Type: data, Stream Size: 171
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_7, File Type: data, Stream Size: 170
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_8, File Type: data, Stream Size: 261
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_9, File Type: data, Stream Size: 298
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_a, File Type: data, Stream Size: 171
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_b, File Type: data, Stream Size: 170
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_c, File Type: data, Stream Size: 170
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_d, File Type: data, Stream Size: 156
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_e, File Type: data, Stream Size: 208
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_f, File Type: data, Stream Size: 234
General
Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: MIPSEB MIPS-III ECOFF executable not stripped - version 72.3, Stream Size: 1604
General
Network Behavior
Network Port Distribution
TCP Packets
UDP Packets
DNS Queries
DNS Answers
HTTPS Packets
Code Manipulations
Statistics
Behavior
System Behavior
Analysis Process: EXCEL.EXE PID: 2312 Parent PID: 584
General
File Activities
File Created
File Deleted
File Moved
File Written
Registry Activities
Key Created
Key Value Created
Analysis Process: WMIC.exe PID: 2344 Parent PID: 2312
General
File Activities
Disassembly
Code Analysis
Analysis Report as6xxgzNFj.xls
Overview
General Information
Sample Name: as6xxgzNFj.xls
Analysis ID: 424660
MD5: 662ed1aced50ca…
SHA1: 59b1bb6143562fb…
SHA256: 995cc400362eaa…
Tags: xls
Detection
Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Document exploit detected (creates …
Document exploit detected (drops P…
Multi AV Scanner detection for subm…
Office document tries to convince vi…
Yara detected Dridex unpacked file
Contains functionality to create proc…
Creates processes via WMI
Document contains an embedded VB…
Document contains an embedded VB…
Document contains an embedded VB…
Document contains an embedded VB…
Document exploit detected (process…
Found PHP interpreter
Machine Learning detection for dropp…
Machine Learning detection for samp…
Office process drops PE file
Sigma detected: Microsoft Office Pr…
Sigma detected: Suspicious WMI Ex…
Document contains an embedded VB…
Document contains embedded VBA …
Drops PE files
Drops files with a non-matching file e…
Found dropped PE file which has no…
JA3 SSL client fingerprint seen in co…
May sleep (evasive loops) to hinder …
Potential document exploit detected…
Potential document exploit detected…
Potential document exploit detected…
Classification
[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]
Process Tree
System is w7x64
EXCEL.EXE (PID: 2312 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
WMIC.exe (PID: 2344 cmdline: 'C:\Windows\System32\wbem\WMIC.exe' process call create 'rundll32.exe 'C:\Users\user\AppData\Roaming\25793.dll' CscNetApiGetInterface' MD5: FD902835DEAEF4091799287736F3A028)
cleanup
Malware Configuration
No configs have been found
Yara Overview
Memory Dumps
Source Rule Description Author Strings
00000006.00000002.2350333688.000000006FBA1000.00000020.00020000.sdmp JoeSecurity_Dridex_1 Yara detected Dridex unpacked file Joe Security
Sigma Overview
System Summary:
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious WMI Execution Using Rundll32
Signature Overview
• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
AV Detection:
Multi AV Scanner detection for submitted file
Machine Learning detection for dropped file
Machine Learning detection for sample
Software Vulnerabilities:
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
E-Banking Fraud:
Yara detected Dridex unpacked file
System Summary:
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Contains functionality to create processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Found PHP interpreter
Office process drops PE file
Persistence and Installation Behavior:
Creates processes via WMI
Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects
Valid Accounts | Windows Management Instrumentation 2 1 | Path Interception | Process Injection 1 | Masquerading 1 1 | OS Credential Dumping | Virtualization/Sandbox Evasion 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication
Default Accounts | Scripting 5 2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS
Domain Accounts | Exploitation for Client Execution 3 3 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 1 | Security Account Manager | System Information Discovery 4 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 2 | SIM Card Swap
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 5 2 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points
Behavior Graph
ID: 424660
Sample: as6xxgzNFj.xls
Startdate: 26/05/2021
Architecture: WINDOWS
Score: 100
Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
13 other signatures
EXCEL.EXE (61 26): started
gettingreadytolearn.co.uk, 109.169.78.226, 443, 49167, IOMART-APAC-ASAPACandMiddleEastFR, United Kingdom
C:\Users\user\AppData\Roaming\25793.dll, PE32: dropped
C:\Users\user\AppData\...\BeAsmBuB[1].php, PE32: dropped
Document exploit detected (creates forbidden files)
WMIC.exe: started
Creates processes via WMI
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source Detection Scanner Label Link
as6xxgzNFj.xls 32% Virustotal Browse
as6xxgzNFj.xls 22% ReversingLabs Script-Macro.Dropper.Maldade
as6xxgzNFj.xls 100% Joe Sandbox ML
Dropped Files
Source Detection Scanner Label Link
C:\Users\user\AppData\Roaming\25793.dll 100% Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BeAsmBuB[1].php 100% Joe Sandbox ML
Unpacked PE Files
No Antivirus matches
Domains
Source Detection Scanner Label Link
gettingreadytolearn.co.uk 0% Virustotal Browse
URLs
Source Detection Scanner Label Link
https://bonsaisupreme.com/old-data/wp-includes/js/tinymce/langs/I0UM7jBKmZmJB.php 1% Virustotal Browse
https://bonsaisupreme.com/old-data/wp-includes/js/tinymce/langs/I0UM7jBKmZmJB.php 0% Avira URL Cloud safe
https://661partyrentals.com/wp-content/plugiG 0% Avira URL Cloud safe
www.php.netD 0% Avira URL Cloud safe
https://app6.salesdatagenerator.com/wp-conten 0% Avira URL Cloud safe
https://gettingreadytolearn.co. 0% Avira URL Cloud safe
https://tsc-somali.com/wordpress/wp-includes/sodium_compat/src/Core/FO8NNRuR.phpka;t_yu1 0% Avira URL Cloud safe
https://ms-onlinestore.com/wp-content/plugins/edgtf-membership/widgets/l 0% Avira URL Cloud safe
servername/isapibackend.dll 0% Avira URL Cloud safe
https://getitsolutions.in/lib/boot 0% Avira URL Cloud safe
https://afemnor.es/wp-content/themes/dt-the7 0% Avira URL Cloud safe
https://scgtech.in 0% Avira URL Cloud safe
Domains and IPs
Contacted Domains
Name IP Active Malicious Antivirus Detection Reputation
gettingreadytolearn.co.uk 109.169.78.226 true false 0%, Virustotal, Browse unknown
URLs from Memory and Binaries
Name Source Malicious Antivirus Detection Reputation
https://bonsaisupreme.com/old-data/wp-includes/js/tinymce/langs/I0UM7jBKmZmJB.php as6xxgzNFj.xls false 1%, Virustotal, Browse Avira URL Cloud: safe unknown
https://661partyrentals.com/wp-content/plugiG as6xxgzNFj.xls false Avira URL Cloud: safe unknown
www.php.netD 25793.dll.0.dr false Avira URL Cloud: safe unknown
https://app6.salesdatagenerator.com/wp-conten as6xxgzNFj.xls false Avira URL Cloud: safe unknown
https://gettingreadytolearn.co. as6xxgzNFj.xls false Avira URL Cloud: safe unknown
https://tsc-somali.com/wordpress/wp-includes/sodium_compat/src/Core/FO8NNRuR.phpka;t_yu1 as6xxgzNFj.xls false Avira URL Cloud: safe unknown
https://ms-onlinestore.com/wp-content/plugins/edgtf-membership/widgets/l as6xxgzNFj.xls false Avira URL Cloud: safe unknown
servername/isapibackend.dll WMIC.exe, 00000003.00000002.2087122583.0000000001BC0000.00000002.00000001.sdmp false Avira URL Cloud: safe low
https://getitsolutions.in/lib/boot as6xxgzNFj.xls false Avira URL Cloud: safe unknown
https://afemnor.es/wp-content/themes/dt-the7 as6xxgzNFj.xls false Avira URL Cloud: safe unknown
https://scgtech.in as6xxgzNFj.xls false Avira URL Cloud: safe unknown
Contacted IPs
Public
IP Domain Country Flag ASN ASN Name Malicious
109.169.78.226 gettingreadytolearn.co.uk United Kingdom 25108 IOMART-APAC-ASAPACandMiddleEastFR false
General Information
Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 424660
Start date: 26.05.2021
Start time: 08:36:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 37s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: as6xxgzNFj.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name: Without Instrumentation
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLS@3/6@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, conhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 93.184.221.240
• Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, wu.azureedge.net
Simulations
Behavior and APIs
Time Type Description
08:37:40 API Interceptor 9x Sleep call for process: WMIC.exe modified
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
Match Associated Sample Name / URL SHA 256 Detection Link Context
7dcce5b76c8b17472d024758970a406b analysis-580578951.xls Get hash malicious Browse 109.169.78.226
Contract 2021080378818.xlsx Get hash malicious Browse 109.169.78.226
PO 474050.xls Get hash malicious Browse 109.169.78.226
research-1748832384.xls Get hash malicious Browse 109.169.78.226
c9d2a3fKe7.xls Get hash malicious Browse 109.169.78.226
daa5376b_by_Libranalysis.xls Get hash malicious Browse 109.169.78.226
analysis-558814486.xls Get hash malicious Browse 109.169.78.226
14faa410_by_Libranalysis.xls Get hash malicious Browse 109.169.78.226
diagram-673579741.xls.xls Get hash malicious Browse 109.169.78.226
Soumissions-993235.doc Get hash malicious Browse 109.169.78.226
analysis-1134364064.xls Get hash malicious Browse 109.169.78.226
f2079b30_by_Libranalysis.xls Get hash malicious Browse 109.169.78.226
8b664227_by_Libranalysis.ppt Get hash malicious Browse 109.169.78.226
2a8091dd_by_Libranalysis.xls Get hash malicious Browse 109.169.78.226
research-2042572821.xls Get hash malicious Browse 109.169.78.226
a9afdac1_by_Libranalysis.docx Get hash malicious Browse 109.169.78.226
bd42b1ee_by_Libranalysis.xls Get hash malicious Browse 109.169.78.226
0b6536b0_by_Libranalysis.xls Get hash malicious Browse 109.169.78.226
9d2c79aa_by_Libranalysis.xls Get hash malicious Browse 109.169.78.226
research-1043030079.xls Get hash malicious Browse 109.169.78.226
Dropped Files
No context
Created / dropped Files
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Cabinet archive data, 59863 bytes, 1 file
Category: dropped
Size (bytes): 59863
Entropy (8bit): 7.99556910241083
Encrypted: true
SSDEEP: 1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
MD5: 15775D95513782F99CDFB17E65DFCEB1
SHA1: 6C11F8BEE799B093F9FF4841E31041B081B23388
SHA-256: 477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
SHA-512: AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 326
Entropy (8bit): 3.149293041712097
Encrypted: false
SSDEEP: 6:kKRpkQSN+SkQlPlEGYRMY9z+4KlDA3RUeSKyzkOt:5phZkPlE99SNxAhUeSKO
MD5: E16FE0624DE8BB9F7DAD9C594CDE6138
SHA1: 994E0F2FC5C14C2D7FB218E68E2B12A1042426FE
SHA-256: D8D0C09CD7C5DB1B1A00EBE50A02188096F25A3A7C6FDBA67E117533B1594036
SHA-512: 2543D8DCF26D6C41CFB3034CDE3DA56CDD3E1F8FCA36D9126A8E6733702F1D178A37C4E6375F5CB8CF385C1A13B0C0EBDEAF029389B888BA23F0DFA100AD9581
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BeAsmBuB[1].php
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: downloaded
Size (bytes): 175616
Entropy (8bit): 7.528421123053496
Encrypted: false
SSDEEP: 3072:y6A3/0n2RB7qAPI6wnX9kWRx5lUgMSmgEogJmPIpalYWX2:yJ3/02bWAANnX97LUgR+ogJRoYa
MD5: 4749F961A93FE814B1267C9AC2678317
SHA1: 6A6A058B75951BF688605FB5DBE358CC50778E5E
SHA-256: C0802735A537B2F8A908FB58B05B38CAB10DC67497A9D67FA8BA96A01C0208AA
SHA-512: B67B1D66D05131B90C357C130D7A42A8E52F4B669A5A8F7F05B4F5DC64A37B8F97EA6201A2DFF81A81D088FAEF65CDAC2CC527CEA947CA0CBB79450CD142FE61
Malicious: true
Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
IE Cache URL: https://gettingreadytolearn.co.uk/portal/wall/posts/157/thumbs/BeAsmBuB.php
C:\Users\user\AppData\Local\Temp\CabD26C.tmp
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Cabinet archive data, 59863 bytes, 1 file
Category: dropped
Size (bytes): 59863
Entropy (8bit): 7.99556910241083
Encrypted: true
SSDEEP: 1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
MD5: 15775D95513782F99CDFB17E65DFCEB1
SHA1: 6C11F8BEE799B093F9FF4841E31041B081B23388
SHA-256: 477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
SHA-512: AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Temp\TarD26D.tmpProcess: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 156386
Entropy (8bit): 6.3086528024913715
Encrypted: false
SSDEEP: 1536:ZlI6c79JjgCyrYBWsWimp4Ydm6Caku2SWsz0OD8reJgMnl3XlMyGr:ZBUJcCyZfdmoku2SL3kMnBGyA
MD5: 78CABD9F1AFFF17BB91A105CF4702188
SHA1: 52FA8144D1FC5F92DEB45E53F076BCC69F5D8CC7
SHA-256: C7B6743B228E40B19443E471081A51041974801D325DB4ED8FD73A1A24CBD066
SHA-512: F0BF5DFBAB47CC6A3D1BF03CEC3FDDA84537DB756DA97E6D93CF08A5C750EABDFBF7FCF7EBDFFF04326617E43F0D767E5A2B7B68C548C6D9C48F36493881F62B
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Roaming\25793.dll
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 175616
Entropy (8bit): 7.528421123053496
Encrypted: false
SSDEEP: 3072:y6A3/0n2RB7qAPI6wnX9kWRx5lUgMSmgEogJmPIpalYWX2:yJ3/02bWAANnX97LUgR+ogJRoYa
MD5: 4749F961A93FE814B1267C9AC2678317
SHA1: 6A6A058B75951BF688605FB5DBE358CC50778E5E
Static File Info
General
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: bifidly bilocations, Subject: microelectronically mercerises, Author: monstruosities electrophoretograms, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue May 25 14:23:06 2021, Last Saved Time/Date: Tue May 25 14:23:07 2021, Security: 0
Entropy (8bit): 6.928686153702721
TrID: Microsoft Excel sheet (30009/1) 47.99%; Microsoft Excel sheet (alternate) (24509/1) 39.20%; Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name: as6xxgzNFj.xls
File size: 479232
MD5: 662ed1aced50cad399d305467f290fea
SHA1: 59b1bb6143562fbf14663ee4fb2a6cde5febeb6f
SHA256: 995cc400362eaa95d528dffef31bb08e173f2cabb8b5fb0e02f2134388800c48
SHA512: 65fc3d9c7b8db4f930664f38a148db7b753154cfe547cada0e0ee110cf3a097099ba2c942a0bf21ab121a3b540860008587fdf5dda2dd760e64f23a44c77e2c6
SSDEEP: 6144:zk3hOdsylKlgryzc4bNhZF+E+W2knASxHvCpo7lnc+ydd38kSosKpyFGXnq3DqiU:g6pec+OJs2XEqHK9m17TR/iGTk/Vu
File Icon
Icon Hash: e4eea286a4b4bcb4
SHA-256: C0802735A537B2F8A908FB58B05B38CAB10DC67497A9D67FA8BA96A01C0208AA
SHA-512: B67B1D66D05131B90C357C130D7A42A8E52F4B669A5A8F7F05B4F5DC64A37B8F97EA6201A2DFF81A81D088FAEF65CDAC2CC527CEA947CA0CBB79450CD142FE61
Malicious: true
Antivirus: Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
C:\Users\user\AppData\Roaming\25793.dll
General
Document Type: OLE
Number of OLE Files: 1
Indicators
Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Static OLE Info
OLE File "as6xxgzNFj.xls"
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True
Indicators
Summary
Code Page: 1252
Title: bifidly bilocations
Subject: microelectronically mercerises
Author: monstruosities electrophoretograms
Last Saved By: user
Create Time: 2021-05-25 13:23:06
Last Saved Time: 2021-05-25 13:23:07
Creating Application: Microsoft Excel
Security: 0
Document Summary
Document Code Page: 1252
Thumbnail Scaling Desired: False
Company: vassalized aquamarine
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 983040
General
Stream Path: _VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name: Sheet1.cls
Stream Size: 991
VBA Code
Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
General
Stream Path: _VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name: Sheet2.cls
Stream Size: 991
Streams with VBA
VBA File Name: Sheet1.cls, Stream Size: 991
VBA Code Keywords
VBA File Name: Sheet2.cls, Stream Size: 991
General
VBA Code
Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
General
Stream Path: _VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name: Sheet3.cls
Stream Size: 991
VBA Code
Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
General
Stream Path: _VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name: ThisWorkbook.cls
Stream Size: 1779
VBA Code Keywords
VBA File Name: Sheet3.cls, Stream Size: 991
VBA Code Keywords
VBA File Name: ThisWorkbook.cls, Stream Size: 1779
General
VBA Code
Keyword
resorcinscolludersfeatheredges
"OK",
VB_Name
VB_Creatable
"ThisWorkbook"
VB_Exposed
acidimetricallyinterconvertflu
Err.HelpFile,
Err.Number
underachieveddeicespoppiedlevo
VB_Customizable
"Thank
Err.HelpContext
Error
You!"
VB_TemplateDerived
(intitulesalertheterosporiesamp.dowdiestlowsed(upknitbedsoniamagnetics))
False
Attribute
Workbook_Open()
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
MsgBox
resorcinscolludersfeatheredges:
General
Stream Path: _VBA_PROJECT_CUR/VBA/abusersimputativemisguggle
VBA File Name: abusersimputativemisguggle.bas
Stream Size: 4658
Keyword
silvereye
deterio
pyrokinesis
daywearsupward
quaestionaryundertakable
bulldoze
unweariedlylenis
erotology
ecesis
restorableridderslegendizeimmo
couchees
VBA Code Keywords
VBA File Name: abusersimputativemisguggle.bas, Stream Size: 4658
VBA Code Keywords
jinkeringmedalingdorbascoldly
'rookyconinggabling
peninsular
'filibustering
mistreat
ulziesdiscriminatoryreanointed
subtask
increaser
fractioustularemia
kernicterusesdevilryoversleepe
legalisms
'unworshipped
stonespolygraphthumpsbacterise
'outplace
nanoplanktons
mowdiewortunderstandingsimmobi
gnarrspulsingmiscorrectscataca
recontaminatesjourneyer
chambranlesjilgie
'enroundingascertainableguitars
maist
'polydaemonism
unmoulddisesteemingcinerariasw
motherlinesses
pasquilling
factionalistmulligatawniesmeat
interfemoralembassadeballplaye
'feuilletonistsmarid
lepercarbonylatedslumgumnutria
vivres
shiveredgranters
reckdivinifystroddling
parclos
cyclizeopenhandednesses
deprivementsahistorical
'dispropriate
'attributesholocaustalnervule
lyceum
pascual
"abusersimputativemisguggle"
worshipless
goldsticks
anlagen
impoliterrubbitbedumbing
endemiology
outmarchin
raciation
tirritallureshindering
CreateObject(staunchlycremsinpapyrusesdaygi)
foliolate
colorimetricalbanteredratifica
permit
stumblebums
tussal
anaesth
photostatted
overorname
dvandvapallescentpentathlums
'antipleasurehypocoristicallyun
holyday
photoduplicateabrazos
hangs
'brucineudaemon
jirbles
Keyword
VBA Code
'preasses
etherealisedbedlams
maculasdespumating
warblingly
loupes
skrieched
Attribute
misconducting
inductile
slugabedunlock
etherealisedbedlams(staunchlycremsinpapyrusesdaygi)
'canistelscarragheenanslingprea
'pathnamesreechoingwastewaterci
VB_Name
yikkering
graines
carksunfavorablenessesforestal
capriciouslymarripluralisesgem
steeper
Function
'pteridologyleasts
equivalently
priss
'sarcophagal
precipice
backcross
workforce
epaulets
embittererech
electromagnet
elfishnessstairworkmatchlessco
packboard
centralizati
scoffl
discursive
therapeutist
banksia
Keyword
General
Stream Path: _VBA_PROJECT_CUR/VBA/acaciaromanticallylamprophyres
VBA File Name: acaciaromanticallylamprophyres.bas
Stream Size: 4484
Keyword
acolouthoses
deiseals
splitting
atsrestorephotism
megilphs
riffages
VBA File Name: acaciaromanticallylamprophyres.bas, Stream Size: 4484
VBA Code Keywords
phenomenologylevellingspestles
intolerable
'apophysisexpletivedisconsolate
hypermilings
unfruitfulautecologiescarboxyl
perts
offhanded
return
preseason
cowfeteriasnametapeflagelloman
denticulated
jollyboat
undiscipli
kerria
nanomaterials
remises
'nutpicksspermatoblasts
'unstacked
'carbonado
'deconstructs
readmittances
invaluable
preexil
epigaean
'unchastestpropretors
unparasitized
mischannels
levatorsfascinated
alodiums
supportabilities
cutters
horridestoverblousecanonisatio
anabiotic
angliciseagregationchrysophyte
malimprinting
'trouncings
ashkeysdadoeslamebrainconcerta
pasteurises
'coronisterpenes
'southwests
counterinsurgentvarioloidantiv
darzis
cirrhipede
mainlinesuperhypingblondest
sendedglomeratingbeneficiateco
counterclaimant
palatably
estafettebackliftsmoneymakings
'skivvies
'planometricallysongfully
fluffed
sloganise
disherited
cannonaded
clicheed
'skyboxes
pultrusions
pretrim
redshirted
decontamin
'bathyscaphsstagilywrinkledverb
sporozo
tassiesresittrundledpteridospe()
purposely
Keyword
VBA Code
vampirisedextremophilesunteste
rummlegumptions
spitchcocking
pericarpic
convincer
apomictic
exclaustration
metamers
autocrosses
scorifications
Attribute
aliening
lindworms
hyphening
hattingclerkship
chlordans
honeymoonjargonelspheroidizati
VB_Name
nonmeasurable
prograde
Environ(schlubupleaningfarmhouse.circumduceremorsefulnessesveni(gibberellinsfeerstoreymultimed))
Function
soakaway
quinolines
'ancomesnixednonloving
spiraster
"acaciaromanticallylamprophyres"
skyjacker
dubitationzoographicbrutismsde
'frizzinghomologises
burbot
polonisingunaidable
tassiesresittrundledpteridospe
fowle
lonesome
skyrock
asphalting
sicks
killcows
blitter
whitishpaludicolousvetkoeks
orogens
sijos
orphanhood
reexplain
skivie
Keyword
General
Stream Path: _VBA_PROJECT_CUR/VBA/adventuringequalitycrosswords
VBA File Name: adventuringequalitycrosswords.bas
Stream Size: 6739
VBA File Name: adventuringequalitycrosswords.bas, Stream Size: 6739
Keyword
hippen
resocializing
rabbl
loeriessimitars
upbuoyance
academiapickelhaubecloseacumin
gramarye
closestoolsspelksmudloggings
'jarta
templars
'corruptiblesemipalmationcyanin
monocycles
answeruntreadingintermedincons
'grubbinessestemperances
reamier
facialistsgraylingsargyriasdis
cuisserreagenciesswineherds
'mammalspuckouthydrostaticalalm
'murrelet
vaccinias
thermoplasticsdisallowsgallona
noncarrier
daubs
thawed
freaky
formantprejudicationsaniclesli
hucksterageschutneesphotoengra
viceroyalties
marsports
anguipede
undeviatingly
'sternutator
alleviator
clauts
intranationalcarambolesgraviti
fifedpollingremunerations
arbores
pharmaceut
unrelated
'hemstitchers
spleenless
spelders
anviltetrarchs
suborbicular
lollapaloozas
skewest
juliennes
upwafts
bisymmetrieslineationsredbays
precontr
ligative
peritonitides
anyroadcaaingoverpowersautogir
interc
palas
bettingoperositydisavowedly
cancha
syrphids
orthotungstic
salicylisms
"adventuringequalitycrosswords"
encyclics
VBA Code Keywords
oceanographermiscomprehension
jasperize
fleering
guillotinersendoskeletonscircu
'transcendencebondmaidmethemogl
paleoclimatologists
sprushes
misraising
wickape
caparisons
'stilettoed
megascopes
sesterceslanuginousnessperinea(preambulatoryrubellanguqins)
promisedlivraisonsrestriveburs
'timeouts
tangent
agoraphobiashammies
flinches
subaquaticanthotaxytorcher
super
sclerodermata
sesterceslanuginousnessperinea
simpers
recitations
suburbanized
sermonizer
paranephros
subperiods
'somatologies
grammaticize
lycopodium
palaebiologies
smoketightfearsomely
limitmucopeptide
'detrusors
physaliapauncesmemorativemoes
russetting
immies
ozonation
homebodies
'chilliness
'trinitrotoluols
thirties
concretionsleafless
roughr
dakoiti
thermidor
paedomorphosesbirkiercatechise
tirrivees
coburg
reflectographazymesrecruitable
kooks
'naphthols
'ethylationsbrassarts
golgotha
barleycornunsalariedorthopods
tricep
pyaemiastestrils
acetanilids
backcourtmen
tractabilitiesminded
drumliestdefinitudes
kitchenets
deracializes
Keyword
VBA Code
splenitises
recrudescencesnonfinancialhair
epicediumwrangle
Attribute
avoures
allice
missives
mozespulselesshoveddisrespecta
heliolatriesbashings
shamiyanahpuerilismsaffreightm
spurtle
loanwords
coapt
VB_Name
esquisse
'embodimentpaulownias
sawah
kromeskies
amotion
destructstoppling
Function
'retieingofficeringoutsprangsus
frescoedthecaeimpetuosities
vindemiates
isogenymalleolus
protophyt
summitsdermsvapidnessunnatural
defraudmentbolometricallynonre
fosterings
homelyn
homefeltfinancialisttrustingne
microenviron
monosyllabic
'derationed
extollswainish
Join(Array(promisedlivraisonsrestriveburs))
tallents
naethings
'carbiesovermanages
dekamete
'respondenciescacodyls
unclasping
despicableness
queencakebarmyreselectionfroze
overexplo
iratestconvoking
'zopilote
draughtswomen
swingboa
'spook
begroaned
theatricizingmiscoinbusyworks
leveraged
Keyword
General
Stream Path: _VBA_PROJECT_CUR/VBA/counterclaimedattractantsblasp
VBA File Name: counterclaimedattractantsblasp.bas
Stream Size: 3737
VBA File Name: counterclaimedattractantsblasp.bas, Stream Size: 3737
General
Keyword
creamwove
ramous
Debug.Print
unsliced
filingschoicenessesfunnelingsy.haremsuavelykeepsensoriumstegs(readjustsmansuetudes)
amphiscian
depeincts
clishmaclaver
kimonos
'seigniors
understated
'scriked
Chr(CLng((Asc("'"))))
wussiest
schlubupleaningfarmhouse.sarabandsreorchestrated(researchersincorruptibilitiesk)
characterizable
inflammables
redate
rikishi
immanently
adventuringequalitycrosswords.sesterceslanuginousnessperinea(singletonsunintelligiblenessby)
earliness
caillach
prepotent
officeredreofferingsclerenchym
jargonises
armloadsdisarminglyrezeroaccin
'fettasunqueensmimeographs
chickenshit
'nanastenderisercutersumphishne
'staidnesspolingpastoraleantipo
cyanotypesgreedless(iontophoresisgraphitisationsde)
hashheads
skepfulbuppyfraudsmennonpar
plenism
feyly
unwontedly
rainwaters
mercerizers
reddlemenunionisticethnicismma
haosbegemmedlithologistscrypto
franchised
repertoirespinioningoddestnomo
'lymphadenopathyexsectingentran
'individualizer
'deriggedkitdivvier
"counterclaimedattractantsblasp"
woodrooftriliteralismeyetoothl
centroidal
Attribute
'nanoscale
neanderthals
uranalysis
VBA Code Keywords
VBA Code
VB_Name
joliotium
Function
serfship
firefloatmulligatawniesbobbled
automobilisms
acaciaromanticallylamprophyres.tassiesresittrundledpteridospe()
prick
citizenisedforetoothsnobograph
'precommitments
wolffishoccupativeoroideslight
vulgarisessigmatedangiomasanal
ambivalences
motorcade
hedonism
bifoliate
recomfort
supersmoothchyackinginvitedogg
cyanotypesgreedless
Keyword
General
Stream Path: _VBA_PROJECT_CUR/VBA/filingschoicenessesfunnelingsy
VBA File Name: filingschoicenessesfunnelingsy.bas
Stream Size: 44360
Keyword
culturatirobust
assembler
linguinis
dromical
polymor
setoutsmidlandpogonotomies
'dynatronsmaladministering
overissuance
survivereliabilitiessuccuba
'pedagoguedabhorrencesbimillena
neurines
iodizations
ribibes
'machoismsunbathesperturbedly
estrays
'pitchstonerosettings
hyperrealities
prothoracicapoptotic
remailsguidebook
fadable
farcicalities
concaved
implanting
eventrates
VBA File Name: filingschoicenessesfunnelingsy.bas, Stream Size: 44360
VBA Code Keywords
'disforests
commodify
leadwork
minuscu
issuable
timberedthoracoplasties
'unmannered
urases
sobersid
Replace("Wscript.ShellKAv:(KAv:(KAv:(KAv:(KAv:(",
'oophoron
serjeants
reactivates
anesthesiascoralroots
signeted
counte
deoxidizes
tallats
propagators
'steaming
airshowsaltlessfetologyswears
penselcrepey
zinebsganderingredeny
'telferingprankledcaliologiessh
mediate
mirthlessness
hemiparasites
rimless
coextensive
leptocephalousimplosivehoofmom
vagotonias
pseudologue
ideopolises
lickerishnessesorchesticslusti
deaminizatio
canzoni
quarrel
pints
parotoidsenrichesdisulfides
microfaunaeconfinednessconjunc
choriambabledundersign
squilgees
redemands
unweldeddignificationperspicuo
electropl
ordinari
hoodooed
countermures
'sinuations
bonsai
retrosexuals
downhaul
chairpersons
caups
bhistees
hespspleniumssteamyhomosexuali
unpitifulness
diptero
doilies
neutralities
quonkedsoftishadulterateskempt
histrionically
pseudomorph
clapper
Keyword
idiotypes
piums
foreshocks
omnira
sublessor
untentnonfunctioning
skepped
'irising
'convolutestheosophism
antiscor
bivoua
'demystifiedmonogramdiaperbesti
palaeographists
postbellum
twits
'terrine
reclassifications
aport
relishes
episcopising
joannes
shoutier
prelingually
desexedthiophene
bucketings
clarets
geminallylacunaryvapidity
erngreenerieshypsophobeslacuno
arthroscopesextendabilitiespog
'disintegrable
instigati
'vanessid
plastogamycoffers
butterbursmagnetises
bissonpagandoms
patrolledgifteecavallamiscapti
crampier
playbills
'sodic
monocarps
saladinorganicallylaterizing
scutellated
'matings
whipster
dodgeball
brickwork
compositous
teletext
comforter
tintacks
payload
usurer
tangi
scrimshaws
nephropathictottered
durative
noints
nemertians
conveyorisationetcherdomal
macada
aerospheresosteoplastieseffigu
isonomic
theologisati
rhabdoliths
Keyword
trisemicroughcasttrolliuses
hallucination
mispositioning
VB_Name
vituline
haremsuavelykeepsensoriumstegs(bobletmuslinrelearntexplicativ)
detersive
capitati
drumbeaterintegrationistskines
holodiscuses
dichroiticmabestardommonolingu
nazirlozellanodizes
'barding
bulgurstogepaleomagnetist
querimonious
smurred
medullardisapplicationsunstick
jiggliestpandurated
'wireworks
trophology
bimanuallycompendious
calamancoes
affranchisesescheatmentreinfor
bioethicalsquilla
neuroendocrinologica
medicat
stratop
volvulus
'flaught
abracadabrasubprimesgopuram
intreatments
'sometimevibrationsighers
subculturin
insurgences
'ebulliometerabandoners
coordinat
cynicalnessratlingscousin
uncharteredsacculationsmediant
nosewheels
donging
corrading
enragingpectoralsdelectatedgas
sabulose
'ablush
goethitesdowpheterographicsqua
britskas
deathwatches
'microdetectorstachyphylaxis
earthstarephorbemistheifer
catholicizatio
dividings
sporogonyepigonismdismantlers
homolosinehelicities
nosepieces
symphyloussnapshotting
bioterrorsconfiguratingfunhous
enwrappings
electrodep
superspeculation
'clappersupstreamtrumpeting
tazzas
ginkgoes
bummest
'raggiermispatchhydrolyzation
Keyword
VBA Code
globalism
visnomiefreres
shaver
underparts
leudspantographersgriths
termagan
electrovale
argus
bredies
receiver
dynastyliberalisingdevotes
refractortrichloroaceticdeadli
saltcellars
rootstalks
boxier
barorece
knowns
'vesiculatedparsimoniesexudinga
monology
'backscatterings
pithily
laicis
platitudinise
balkanization
overti
ascospores
'luminariesfestivenesses
'caramelise
lymphangiogram
assythment
agrostology
toolkit
gelatines
eighteen
splendour
redire
woolled
snobbery
wound
bioterrorsconfiguratingfunhous(meliorationpitchpoledmiswentza)
Keyword
General
Stream Path: _VBA_PROJECT_CUR/VBA/intitulesalertheterosporiesamp
VBA File Name: intitulesalertheterosporiesamp.bas
Stream Size: 155385
Keyword
shambly
philibeg
agonises
VBA File Name: intitulesalertheterosporiesamp.bas, Stream Size: 155385
VBA Code Keywords
percheronscamphirestabouringge
carvacrolbeathedlevities
obstruction
'badmouths
medevacs
habiliments
'realtersalchemizes
rampart
qawwaliscoaxer
totient
condemno
enamelists
skeleton
beadsmen
abhenry
gravlaxesoverplans
newfangledlytillingsuntranquil
besmear
salamandroids
physios
unwhitebaccy
'governmentalist
antidepressantcopals
exomionsovergiving
placental
acoustically
walks
kernmantel
under
zarnichs
scarmoges
'stupasmicrometeoroids
phormingesstolidestbaetylstegm,
adoptin
remint
superinfected
cenotaphicfilariidabridgment
'individually
arointaggrosdreidels
'dishabiting
hydranths
preadult
disinfestant
porterhouses
yaffing
betters
seemsbollocksingencapsule
'acari
hoteldoms
digitalizingdepauperisesswardi
'inaccurate
bursicons
progression
parenthetic
accessorises
jarringly
unblurred
grunions
monohulls
'keycorconstitutionalizeblephar
neglectfully
tetragonalnesstimbermenyoop
'piggedoblatesbroughpreclassica
enjambemen
Keyword
tearfulscuppernongsresinisedea
paddymelons
cringle
incondite
'automobilistsclausalovercoolin
heliocentric
'twirpvirtue
fairingssummarinesspretravel
emeticarmourerexpeditershydroe
scurril
folkies
infringed
quilt
'extralegalgourastwanglingegoce
spoilageblockersvirtuosos
unplace
palpi
randomizeschorizontistsaudacio
strabismicchainsneeshingdialog
convertiblyelectrofishings
'coshererscrucifier
'semisyntheticpanderousadoringl
internist
'pyknosesvesuvianpenniform
phonec
onagers
dassie
swingsvulgarizeupbroken
'mensural
hopscotch
turnbacksmicrofossilshoneytrap
'efficaciously
tirelessly
'vibracularium
poulard
kirbigrips
locusting
hawkweed
queerdoms
warmongering
'grasperstrochisksralliform
bentier
updateablefippencetripy
nubia
sonorously
moderatrix
succumbers
pavanweigherquoddedoverassessm
overnew
afterswarmsubcurativesdikierac
festive
overpoised
'ordinantstrifoliategomphosisnu
pennywise
cockatielsai
tanrecs
punch
blithesomely
handprints
'figmentboardroomeiderdown
thromboses
waring
'skiddoosmetaversehydrochore
unconceala
fairyisms
licenced
geneticists
boppermenudocarbazole
'equal
nationaliseeisell
embitterments
tranquillizer
counterreactions
cyanamides
affears
pooling
mannerist
beryline
mudlogger
phlegmasias
signalising
unthinkabilitiessubordinatecyc
'bookiebattlepiecesmoguledcling
ordoplaudite
sciomanciesdissimilarlycogshan
roasts
semitone
overfavors
'indirectionbuoyage
cytasesphysicist
throughlycompounds
proslambanomenephenylthioureas
pownie
unbindsexoplanet
inmigrants
elateriums
quagmiringunhandicappedphilant
ginzoesquestingundepreciated
precessiona
currentn
popsocks
heeler
broadcasters
alkylatingsighter
taphono
frangi
beadworksjejunelydiscos
overclassificationspiddlingly
upmaker
overclubbed
kirbigripmaubies
inculpableness
leaki
doorknock
'marmelise
subprofessionals
unveilunchoke
abators
nonnovels
veenaashetunderutilization
parkin
'whitherwardmanpowersnuggestmen
pouping
disinclosed
inoculanthutzpas
broacher
vacantness
geggie
VBA Code
wefted
'rhabdomyosarcomata
'eringoescinematographypullup
'sellmortadellas
nonnormal
canalise
parade
'swingle
correspondingly
'senegasfibromyalgia
preconsciou
'guberniya
loons
'aspiratae
personatings
'euphemizedmissishnessthroughwa
flora
soliquidsstuccoesrubefiesfeyes
palmerwor
divorcee
adherentlyjudiciouslyhalachics
azoic
exceptiona
whimple
'inseamshackliestinvolucrum
'trapballswail
remanufacture
muntjaksreconditioning
muskitssiamezingrestringbumpki
ostracizes
pipefittings
glowfliesshrewdnessanlas
wearisomeness
abundancy
absits
emulgen
marathonings
goestsustainings
galling
waqfs
flunking
scotomiasgovernablenessprescri
purgative
encolpium
tinchel
philateliccommissionedgarrotte
'tralatitious
tokomaks
defec
punctations
dehortativeevidentiallyambient
'muggedauspicate
weighable
supercargos
doiltest
pipit
'zingaroopercelesbeachcomber
intangibly
subdistricts
'marginalistsmemorycocineras
zinge
VBA Code
General
Stream Path: _VBA_PROJECT_CUR/VBA/nucleidesdisgestedmercerisesdu
VBA File Name: nucleidesdisgestedmercerisesdu.bas
Stream Size: 7272
Keyword
anamor
fortuitouslyminutedprinked
reagencyoutpourstirled
mentations
inclementness
kwela
quercetic
monads
'jewellinghalfpenny
laconicalvaleratesreduces
'reddling
helistop
aneurysmal
suffer
feedstock
hatteringirefulnessesmuttonfis
diaristic
remounted
lalland
'trompeddefusermalleable
interpretershipschlockmeisterb
replantingdartingly
libra
masterlyworrimentallowance
nonanthropologist
candygrams
'stanzoheterogeny
skippiersolatiumdiel
resojets
nasalisationscointreauphaeisml
pindling
cloop
fother
sockdologer
depolarizers
plumbum
knapping
scrutinously
sicking
thawer
cryoscopicgypseousvildly
hexamine
tophes
nicotianassindingscompellerswo
sorgorabbiniteremnant
VBA File Name: nucleidesdisgestedmercerisesdu.bas, Stream Size: 7272
VBA Code Keywords
foyboatintenerationscomposture
'transposablebronchospasmsprout
toged
hypercon
nettling
counterclaimedattractantsblasp.cyanotypesgreedless(hypalgesiahomosexualismstheodo),
psalmbook
'hookednesses
stratocrat
enrapture
giglets
rusas
cable
taroks
insnarement
'brollygaliot
miscegine
chansonette
macrocopy
mazhbisgipsyinganalogouslyswag
reacquiring
aboideaus
osculaevilnessesseined
customarinesses
'biodegradations
balklines
hartebeests
'restrengthensearnersnonrecogni
intimaters
oxygenases
nonroutinesgrandioselyjapanize
domesticsclerenchymalantana
mulloway
slipsheetsazzes
echograms
deutoplasmseemlihedtargeted
'prothalamion
feminines
casingtawingpopulars
radicands
wilily
sportswears
august
'refrigeration
substructing
callipygian
rerolling
louser
'imitating
basestintercampusapocryphonsoc
markhors
porphyrogenites
hypergamous
bronzen
'nourishednanoplanktonparamedic
brominatedridgetreeloudliest
sonobuoys
xenograft
violence
simillimum
rollmops
tensons
decompressing
mistimingendolymphsconstatehar
ultracentrifuging
hexametersorganist
sestett
lustrel
alfaquins
unventilated
cyclog
divesture
aestheti
morphemically
theoreticsrenunciatoryaulnages
sciaticascheloneshomeland
'resplendentlymisconjecturesbig
misvalue
tastingsunpliantcerebella
'cybercast
'prosodical
'civie
parhy
restorationists
insoles
kettles
'crochetingsencolpium
lysols
'assais
pettifogged
cervelases
unlearnable
"nucleidesdisgestedmercerisesdu"
purtraid
retagging
motoricallylutenistshillbillyo
bygones
delivers
annulates
'perlustratesenorswimmingshared
capillaceous
paralleled
falxdolium
hylicismbioethicmedicinedrefec
transpierces
Attribute
siffleurs
serigraphy
placed
deserpidinesforgoneextremistir
untwilled
dyscratic
cosmos
staginesses
'beignet
druidry
scleritises
galuts
wriggled
undenie
VB_Name
'frontiersmentetrodotoxin
'homophobias
pandurastruepenniesparalogists
eutaxias
marinaraavoidersproteasupernat
incre
'kahuna
VBA Code
hypodermic
pedagog
chartas
Function
homolograph
spiflicate
declared
pneumodynamics
calendulas
loaving
succubae
'conglobingtwiddlemagging
'coolies
demesne
pignorat
dismalitiesrouthutopianismshel(rivalisedpreimposingslattingsc)
conducive
sluggardise
placabilities
subvened
'leptospiral
hogen
zephyrdemonstrativenesses
mulct
crumen
pisolite
cosmeticizing
nonpaiddonnardredistributes
quarterlife
biftahsdisemboguingfanum
bletheri
'placentologyparasiticidal
lamppostcrayrethread
graplements
rivalisedpreimposingslattingsc
feeblemindedness
enarm
barilla
General
Stream Path: _VBA_PROJECT_CUR/VBA/schlubupleaningfarmhouse
VBA File Name: schlubupleaningfarmhouse.bas
Stream Size: 12837
Keyword
'bream
intravasationssubtreasuriesreg
zoist
obnubilatedpeytral
faitour
VBA File Name: schlubupleaningfarmhouse.bas, Stream Size: 12837
VBA Code Keywords
sufferer
robed
invulnerabilitieshippocampipyr
clairschach
unpleasurablerectricialimbathe
oxyphenbutazones
irresolutionlimelightedcrazywe
'soaplandssanitizations
roneoing
adjurorsladanums
hypermnesic
convokefantasists
rescaleminutemenbivvied
'apostasies
kything
unheard
enantiomorphismswoadwaxcorkage
ossivorous
affectedsparkliest
lemans
xenophoby
reutilising
yantraspock
adduction
fantasticalitiesoutwhirlingdog
antalgics
airfields
tracheobr
pyknics
legend
urgersparaboloidsquarterfinal
menstruated
spheroidises
unforested
pawnshops
saltationismundernourishesexpe
bradawl
stinginesses
dispermous
lordomas
falderaling
upleads
archbishopric
sacroiliitises
'repressiveness
contemplativenessesvoyeuristic
wheyfaced
ashier
'indelibleness
videodiscs
reconciliatory
suburbanizes
dickers
'zoeticsubappearancesalcoholizi
cohortative
lowlifes
obelizes
freshes
'cyclogenesesgapless
incudate
kishkes
gangbusterssulfinpyrazonessire
subspeciality
huicbucolic
periscopes
'unusualnessesnonemploymentspre
circuitries
pilgrimising
guttating
'nonincreasingsitiologiescrapeh
'dominating
philosophi
'disconfirmationintramuralovern
egenceslinguisticiansencounter
'cogence
checkerboard
antirecessionary
romanisationsrefitting
langlaufers
unsettledness
bespedscrawnilycomparability
'inconsequentialitydonenesseste
grampa
drillingspinnerulestuddingsail
coenaesthesesunamusablepopular
'nominalizinginoperabilitiespun
synonymicalretimed
stoneshots
Join(Array(rickingopercule))
valleculaeupholding
tjantings
coercivities
accessoriuszestfullysearchingl
jingoists
lionisationswangles
cheateries
ruefully
scaphoid
baymen
guffawedinformatorygalactosemi
achier
spado
creophagy
taekwon
carsharings
abidunsluicestarsiasforesays
circumduceremorsefulnessesveni(dotsketchupsgnosticism)
bushingovertalks
'carminativessnebbe
daguerreotype
ibrik
intermembrane
parabioses
carefreenesses
'trapnests
evets
congreeting
foible
notary
unlatches
'profitable
sphairistikefruitfulnessmegahe
prodigal
cartwhee
'pikeperches
chevisance
quirkiness
posingly
poundrenestsribibesmanifolding
lenifying
'infamizetauhouspackthreadsvega
lulled
glissaders
netful
revive
becquerel
resurrecti
isophotes
piscivores
fizzed
mislabelled
gowled
hyraxes
'behavingdoumshierographersallo
bewailer
halfness
stubby
standfastsdiagraphicglobetrott
'steels
sonnetiseallegorisermesophiles
interdistrict
rickingopercule
cezve
civics
'ladyhoodsijtihad
impudencymaltase
unsurmountable
chigger
'solidungulate
preassure
semipolitical
graupel
medical
opisthotonic
succor
connectively
aviationsensationaledgebones
mussitation
dought
augurs
sheik
vulgarises
apollosneuropath
dejectoryhoordnondialyzable
structuralizing
'antineutronsferriagestrendzygo
cuboid
shends
outdriving
rejoiced
intervisitationsreformattedpos
'curtestaduststrompes
floatation
geote
'atmolyzes
'proceed
overexpansions
hexavalent
macrophageneutralisationslacta
moond
caveating
'vasoinhibitorsoverbeaten
VBA Code
epidermolyse
plumpened
chairborne
etherifies
meningococci
rachillasunblooded
lifelikeness
catalexes
syndactylous
circumduceremorsefulnessesveni
alphametics
'eggy
lippierduodecillionsmetacognit
'teleselling
undulancescardiomyopathiesinco
overstaff
predestin
spang
bullbriermesenchymal
unsteadylongbowman
beshivers
hooplike
oppugnant
recontoured
'gemologistshopefullystrifeful
librettist
'perambulatoryintrogressants
carsicknesseszarebas
gemmological
'unprecedented
quassinspreinserting
VB_Name
symposiacsjacquardsgayeties
blunderers
sarabandsreorchestrated
exsanguinatesdepilatorycandida
multiton
bulbuls
stevenoversimply
dulia
acropetally
onloading
earbudquonkedsemistiff
spoliative
celom
ventri
'revascularizations
moveablenessesephebustroublesh
wifehoods
outrebo
attrapitinerationforcipaterepr
bedpansprescorepandiculationso
decoy
epoch
titanisms
blasphem
'filoselle
hoveredamphisbaenaemehndi
propodeum
VBA File Name: surveyalscosmotheticalmarcesce.bas, Stream Size: 19978
General
Stream Path: _VBA_PROJECT_CUR/VBA/surveyalscosmotheticalmarcesce
VBA File Name: surveyalscosmotheticalmarcesce.bas
Stream Size: 19978
Keyword
racecourses
'distingueeblacknessescineole
CLng((Not
tombs
accoutre
'chairwoman
marbleizing
pardonerchapteraldisseatswherr(foresightedlyoverburtheningavo)
prisonment
repressurising
pyrocatecholeyebrightsnipterox
whipsaw
'methodologist
quantical
enzoningstrengthenerkerosinelu
'domicil
unrideable
screwdriver
seignory
subemployments
airing
peloriaspangrammatistunclosefe
'tuskiest
mobbles
recit
chamaeleon
upstirlordlingfurbearermyelocy
ethoses
gaieties
underminde
bantamrespirationcavitiesingra
antilifershoghtransportational
gyving
acronicallyregroups
'hackamore
noxal
bogginess
'hyper
catatonia
pinaceou
macrofossils
stood
caseworms
extralegalintuitivelyinvarianc
'transcendedprothonotaries
'millicuries
triggerman
terpinol
chitteredswindledgeekinessabsi
mainstreamings
VBA Code Keywords
fiducial
apocopate
queenlier
'wackethinnish
unperishabletowy
interavailabilities
bluntes
boughlessdotcomstanchingsstang
coelostat
exemplified
wilfulnessskulks
metre
tooting
deers
coelostatstranquilisebedumbed
antemor
arsonists
'stickup
marcelled
extinctions
indeciduate
containerisations
casketethnohistoriesregelates
zoonotic
acupunctures
casevacs
cardialgic
restimulatespavanegroned
inconformitiesutricles
overpedalled
levigatingtidytips
jockteleg
phorate
engender
spoliating
mirex
hadromeunpossessing
undyin
circumfu
sculduddry
'whuppingsresistors
euphausiaceans
matchmakeknubblier
misstepped
osteosarcoma
parosmias
mandomdrongoesgreenshank
'intrapreneurialdecerebrisesimm
innerving
vortexesgumboilseuphon
'picturizationswoodlotsmicrofil
shelfroom
fatwah
churls
metayage
colourantexpended
counteradvertising
warmings
cliquie
psyches
permean
'colourisationmicromanagergalac
pinschers
kantelas
sparkled
'blooie
'stewartryenjoinappropriationov
nailbrushes
epigonusphacolithsguiders
shippie
'scrowling
'hazers
sandpumps
signifiesperfectionists
basters
unslingfundraisingsdreary
bastardly
tubificidsbescrawling
'chaserputteneconometricsyllogi
lozens
subdialects
calandriascharlatanicalbotulis
sigmoid
infec
distinguishment
mistrusts
backclothgogglesgrimierstronti
representationalismspreclearan
taxonomists
misspelled
homiletical
goodish
uglifierflyableneckweed
comous
bardolater
endeavorer
divebombe
unacceptability
sneeziestretainerships
gadges
liturgistpretendershipssheetie
sacrosanctities
tsardom
mollycoddlertopsoilingsoptimis
bizarrelymidcultshrinkingrhyne
phaticallyretyingcalibrates
oarweed
'campanologists
tichy
francises
vesuvianflavorfully
affiant
tactless
healeepilferies
Join(Array(educableskyphoi))
'papillotesmordaciouslyfireboat
handymenforejudgements
mesoblastsaffectationaccommoda
medalplay
triblets
'bearsnuggertroped
essoin
homomorphosisoukssilkolines
neatening
adhere
increase
slumbe
triclads
goosefleshbackloggeddilettante
caloricanimadversionsbruncherp
pantaleonbayous
gooliesspitstickerspermatogeni
tylectom
theorisation
locatorsintertrialprankiest
photobiologist
advening
gironnyisometrymixtions
mercilessnessesconfessionaryri
'leresinfibulateoverspeculation
unlivesmonosyllabicpiculetbasi
'spinule
covelets
'tarantism
insentiencesinterventioniststi
'puddly
belars
stripling
operablyfixturelessintrudingge
torsktabourinsstilettoesoutrea
remoralize
duplicitousineffectuallycuatro
madbra
brakemen
bellowgraywateraugmentsnonrumi
gladlier
xanthine
parasitolog
unshirtedfrostnips
missionisers
nonmetals
'niacinamiderepugnances
'overzealhomoeomorphy
illogicalnesses
convena
hoarselyhummockytelescoped
refilmed
lickspittl
'unpracticalness
impatiences
umpteendiazotizinggabledhindwi
lieves
'dietitians
putrescibilitysocketingredcurr
'jailhouses
somerset
yOcJl%.JR",
tongers
gerundsgroundbaitnursledresple
Join(Array(triskelionsyncretisticaccusato))
encryptioncramoisycollaret
tablespoonfuls
unbroken
gratinee
unmaskingssalinesecoclimate
reproachingly
elegizedcoinfersleakinesses
VB_Name
hippogriff
haddocks
wristwatches
compul
VBA Code
cramboclink
sightedconsuetudes
hemiacetal
philhorses
tattler
perfectionistic
hurraying
dunderpa
herborised
misplacing
esloinsfrogspawnsbashfulness
polyacrylamides
bioengineeri
convokingpedicellate
General
Stream Path: _VBA_PROJECT_CUR/VBA/zoographistsuphuddentiltsnoven
VBA File Name: zoographistsuphuddentiltsnoven.bas
Stream Size: 20066
Keyword
saimin
solacious
bumkin
restrikinggrowlpantheologies
toadyisms
funkia
circuitry
barracoons
farads
miscoding
raiking
achoo
laureatingcryobiologistsflix
epicalyxes
kiboshing
overegg
priestintercalar
watercours
schmalzy
malaxesnonplus
shrinkerssubocularbreadwinnera
insalubr
lustring
Join(Array(quinchedanticlinoriumpigoutres))
blagueurstelethonwarted
'sulfuratenoncredentialed
overoptimisticallyuninterested
juxtaposition
fivers
VBA File Name: zoographistsuphuddentiltsnoven.bas, Stream Size: 20066
VBA Code Keywords
pantalooneuphenics
poorwills
mujahidin
conglomeration
'shipperrespectsnuggerestrepeme
chelipeds
'minifications
'prefecturallaminar
vicegerents
corsivecircumventorwhortleberr
oesophagussocialismscharleston
'bacteriostatsvigilantnesses
obtruncating
bioturbat
'aborterscircumductory
beglad
kibitka
hallowers
monological
strodled
fixings
'fasciately
blousy
method
mithridatismlaxistslandgraviat
quartesignitersshampooerquanda
interfacial
chapmanships
mountenance
tarantist
'wrickingimmaturenessesresectop
'multirangeplaisterdecorativebe
themself
toboggins
erasing
feazed
metallics
ravels
extensors
rotativehighlighters
disapplied
'encliticlinoleumoverbrowsing
'jock
'confuseequilibrity
paramorph
matchmaking
proked
ricksha
winteredhaematologic
spurts
manni
crystallitismatronize
'rattletraprubboardsunfunnier
polylysines
starklycontrollershipmicropunc
wizautomatablefantasises
implore
ceasmimsiercismontanehall
polecat
conciliarredistrictshinderings
ingeminatetalant
slangily
shaloms
"zoographistsuphuddentiltsnoven"
trichologists
reissues
'vigilantesdialecticianpangram
youngth
improvisatescrouchingabrin
lineable
fearsomenessfenagledsifts
jilgie
'corollacongealmentszoosporangi
cohibitive
pyreneite
'hangared
commentat
'superencipheredterracelessrake
congenetic
tormentils
ordinals
irresponsiblecrackjaws
chemoautrophs
'yawper
solives
bathythermographs
'dopedtranquilisinglybosses
collegially
gaffes
'thermosetdapperlingsopenhearte
chunkinesses
forsakenlyunselfishlypusillani
interlappinghardokes
cloverleafs
mithridatismlaxistslandgraviat(sparrerssubmarginallycoworkers)
snelled
stilettoes
zygomorphisms
'indigentscrowregisters
showerproof
concretisms
'gutcherscaffeines
bindery
capitalisedlongheadednessesgum
wimping
brazen
'unhead
'bonibells
'misdemeanour
odontophore
outgeneralingbolarshylysprues
labourisms
darkener
overreacher
dipnet
ogresseshoon
jackaroo
fictitious
lifelesspomeroys
durocs
plasterboard
glycols
unrulimentmudders
'reconsiders
'overwithholdingsubmultiples
interpones
dioramic
introspectreinette
agnosticisms
caulking
penitentiallycartonagesstereom
perfect
pervertednessspammypreinserted
Join(Array(strodledphotobiologyvacillator))
quinchedanticlinoriumpigoutres
whombled
'longanimityminutialoverachieve
harmonics
vodcast
sleekier
slighter
cedularesplendoutnumberedseptu
firedamppreshrinks
chondrichthyan
'hypersomniamaenadicallyunpolar
sheepshearings
undermasted
lungan
orphaned
cantankerously
pycnoconidi
cheveron
jambing
hereticallyquitclaiming
rompish
anodisingnubbrodkins
semiflexibl
pouldres
piercingnessespuppyish
fourteener
burdener
cinemago
vivisections
morrhuas
disculpating
strodledphotobiologyvacillator
preexistence
recaption
undervaluing
photodissociatingelatedmilleri
concelebrant
massiest
pectization
menorrhagic
'shatwahoosbeliesbowerbird
dactylographerbotanizedsquirar
urinalyses
barrackings
written
scintilla
indestructibilities
fumaricgatemen
seamset
tsesarevichesindrenchchlamydos
'outyelling
oppigneratedmurkiness
asanas
yarked
officialties
corrosion
unassailableness
thiblesrearplebbyalgerines
VBA Code
unisonally
modishne
beflower
'clubbier
northwestwards
hypatessclerousvibsuncased
'bandingsstuffyfoodfulzelatrice
giftwraps
estrepe
apophony
'punchbowls
impudicity
unstalkedcostatetapescriptoutt
redisbursing
night
'layeragesdemographicallyhomoge
ticklish
'sirnames
percentage
gulleys
unprofitability
haver
tatevintagerposseddeconcentrat
'cholesterinruminative
platformed
pseudoscientific
reticulating
florescententhalpies
floristryperineuriumconjuror
beton
monosyllables
northeasternsidepiecesunciform
antih
envois
unceded
General
Stream Path: \x1CompObj
File Type: data
Stream Size: 107
Entropy: 4.18482950044
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 284
Entropy: 3.25903717535
Base64 Encoded: False
Streams
Stream Path: \x1CompObj, File Type: data, Stream Size: 107
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 284
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . .. x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v a s s a li z e d a q u a m a r i n e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . .
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 320
Entropy: 4.03399889752
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . .. . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b i f i d ly b i l o c a t i o n s . . . . . . . . m i c r o e l e c t r o n i c a l l y m e r c e r i s e s . . . . . . $ . . . m o n s t r u o s i t i e s e l e c t r o p h o r e t o g r a m s . . . . . . . . . .
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 52696
Entropy: 6.51767192282
Base64 Encoded: True
Data ASCII: . . . . . . . . T 8 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . u s e r B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . = . . . . . . . ` T . , 8 . . . . . .
General
Stream Path: _VBA_PROJECT_CUR/PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 1424
Entropy: 5.32375715904
Base64 Encoded: True
Data ASCII: I D = " { C 9 0 D 9 8 C E - 5 5 0 4 - 4 D 8 7 - A C 8 9 - 0 4 6 7 3 A 4 E 1 E 8 6 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = a b u s e r s i m p u t a t i v e m i s g u g g l e . . M o d u l e = f i l i n g s c h o i c e n e s s e s f u n n e l i n g s y . . M o d u l e = c o u n t e r c l a i m
General
Stream Path: _VBA_PROJECT_CUR/PROJECTwm
File Type: data
Stream Size: 1001
Entropy: 3.66930649648
Base64 Encoded: False
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 320
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 52696
Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 1424
Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 1001
Data ASCII: T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . a b u s e r s i m p u t a t i v e m i s g u g g l e . a . b . u . s . e . r . s . i . m . p . u . t . a . t . i . v . e . m . i . s . g . u . g . g . l . e . . . f i l i n g s c h o i c e n e s s e s f u n n e l i n g s y . f . i . l . i . n . g . s . c . h . o . i . c . e . n . e . s . s . e . s . f . u .
General
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type: data
Stream Size: 8464
Entropy: 5.03397938103
Base64 Encoded: False
Data ASCII: . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 .0 . . . . . . W @ . . . . - . ~ / . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B. a . s . i . c .
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0
File Type: data
Stream Size: 4241
Entropy: 3.64795104946
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1
File Type: data
Stream Size: 1176
Entropy: 3.7915801423
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_10
File Type: data
Stream Size: 306
Entropy: 2.17347444928
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_11
File Type: data
Stream Size: 362
Entropy: 2.10998495002
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_12
File Type: data
Stream Size: 171
Entropy: 1.66868613229
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_13
File Type: data
Stream Size: 170
Entropy: 1.7675916358
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_14
File Type: data
Stream Size: 171
Entropy: 1.66868613229
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_15
File Type: data
Stream Size: 170
Entropy: 1.7675916358
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2
File Type: data
Stream Size: 171
Entropy: 1.66868613229
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3
File Type: data
Stream Size: 170
Entropy: 1.71872765488
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4
File Type: data
Stream Size: 502
Entropy: 2.35925347469
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5
File Type: data
Stream Size: 618
Entropy: 2.20744408856
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_6
File Type: data
Stream Size: 171
Entropy: 1.68479658552
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_7
File Type: data
Stream Size: 170
Entropy: 1.7675916358
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_8
File Type: data
Stream Size: 261
Entropy: 2.06288893904
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_9
File Type: data
Stream Size: 298
Entropy: 2.0231102223
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_a
File Type: data
Stream Size: 171
Entropy: 1.68479658552
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_b
File Type: data
Stream Size: 170
Entropy: 1.75582692992
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_c
File Type: data
Stream Size: 170
Entropy: 1.63817063364
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_d
File Type: data
Stream Size: 156
Entropy: 1.63365900945
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_e
File Type: data
Stream Size: 208
Entropy: 1.90179293393
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_f
File Type: data
Stream Size: 234
Entropy: 1.95127834957
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/dir
File Type: MIPSEB MIPS-III ECOFF executable not stripped - version 72.3
Stream Size: 1604
Entropy: 6.90291012299
Base64 Encoded: True
Network Behavior
Network Port Distribution
Total Packets: 38
• 53 (DNS)
• 443 (HTTPS)
TCP Packets
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP
May 26, 2021 08:37:44.029602051 CEST 52197 53 192.168.2.22 8.8.8.8
May 26, 2021 08:37:44.230050087 CEST 53 52197 8.8.8.8 192.168.2.22
May 26, 2021 08:37:44.811110020 CEST 53099 53 192.168.2.22 8.8.8.8
May 26, 2021 08:37:44.861131907 CEST 53 53099 8.8.8.8 192.168.2.22
May 26, 2021 08:37:44.872011900 CEST 52838 53 192.168.2.22 8.8.8.8
May 26, 2021 08:37:44.924586058 CEST 53 52838 8.8.8.8 192.168.2.22
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
May 26, 2021 08:37:44.029602051 CEST 192.168.2.22 8.8.8.8 0xad13 Standard query (0) gettingreadytolearn.co.uk A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
May 26, 2021 08:37:44.230050087 CEST 8.8.8.8 192.168.2.22 0xad13 No error (0) gettingreadytolearn.co.uk 109.169.78.226 A (IP address) IN (0x0001)
HTTPS Packets
Timestamp: May 26, 2021 08:37:44.366106033 CEST
Source IP: 109.169.78.226
Source Port: 443
Dest IP: 192.168.2.22
Dest Port: 49167
JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b
Certificate chain:
Subject: CN=gettingreadytolearn.co.uk
Issuer: CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US
Not Before: Fri Mar 19 01:00:00 CET 2021
Not After: Fri Jun 18 01:59:59 CEST 2021
Subject: CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Not Before: Mon May 18 02:00:00 CEST 2015
Not After: Sun May 18 01:59:59 CEST 2025
Subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Not Before: Thu Jan 01 01:00:00 CET 2004
Not After: Mon Jan 01 00:59:59 CET 2029
Code Manipulations
Statistics
Behavior
• EXCEL.EXE
• WMIC.exe
System Behavior
File Activities
Start time: 08:37:33
Start date: 26/05/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13fd40000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Path Access Attributes Options Completion Count Source Address Symbol
C:\Users\user read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision
1 7FEEA8BFD74 unknown
C:\Users\user\AppData\Local read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision
1 7FEEA8BFD74 unknown
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files
read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision
1 7FEEA8BFD74 unknown
C:\Users\user read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision
1 7FEEA8BFD74 unknown
Analysis Process: EXCEL.EXE PID: 2312 Parent PID: 584
General
File Created
C:\Users\user\AppData\Roaming read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision
1 7FEEA8BFD74 unknown
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision
1 7FEEA8BFD74 unknown
C:\Users\user read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision
1 7FEEA8BFD74 unknown
C:\Users\user\AppData\Local read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision
1 7FEEA8BFD74 unknown
C:\Users\user\AppData\Local\Microsoft\Windows\History read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision
1 7FEEA8BFD74 unknown
C:\Users\user\AppData\Roaming\25793.dll read attributes | synchronize | generic write
device sequential only | synchronous io non alert | non directory file
success or wait 1 7FEEA8BFD74 unknown
C:\Users\user\AppData\Local\Temp\3516.tmp read attributes | synchronize | generic read
device synchronous io non alert | non directory file
success or wait 1 14008EC83 GetTempFileNameW
File Path Completion Count Source Address Symbol
C:\Users\user\AppData\Local\Temp\imgs_files\stylesheet.cs~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\tabstrip.ht~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\sheet001.ht~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\image002.pn~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\sheet002.ht~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\sheet003.ht~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\filelist.xm~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs.rcv success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs.ht~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\3516.tmp success or wait 1 1402FB818 DeleteFileW
Old File Path New File Path Completion Count Source Address Symbol
C:\Users\user\AppData\Local\Temp\imgs_files\stylesheet.css C:\Users\user\AppData\Local\Temp\imgs_files\stylesheet.cs~.. success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\tabstrip.htm C:\Users\user\AppData\Local\Temp\imgs_files\tabstrip.ht~s~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\sheet001.htm C:\Users\user\AppData\Local\Temp\imgs_files\sheet001.ht~s~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\image002.png C:\Users\user\AppData\Local\Temp\imgs_files\image002.pn~s~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\sheet002.htm C:\Users\user\AppData\Local\Temp\imgs_files\sheet002.ht~s~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\sheet003.htm C:\Users\user\AppData\Local\Temp\imgs_files\sheet003.ht~s~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\filelist.xml C:\Users\user\AppData\Local\Temp\imgs_files\filelist.xm~s~ success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\stylesheet.cs_ C:\Users\user\AppData\Local\Temp\imgs_files\stylesheet.css.. success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\tabstrip.ht_ C:\Users\user\AppData\Local\Temp\imgs_files\tabstrip.htmss success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\sheet001.ht_ C:\Users\user\AppData\Local\Temp\imgs_files\sheet001.htmss success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\image003.pn_ C:\Users\user\AppData\Local\Temp\imgs_files\image003.pngss success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\sheet002.ht_ C:\Users\user\AppData\Local\Temp\imgs_files\sheet002.htmss success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\sheet003.ht_ C:\Users\user\AppData\Local\Temp\imgs_files\sheet003.htmss success or wait 1 7FEEA859AC0 unknown
C:\Users\user\AppData\Local\Temp\imgs_files\filelist.xm_ C:\Users\user\AppData\Local\Temp\imgs_files\filelist.xmlss success or wait 1 7FEEA859AC0 unknown
File Deleted
File Moved
Registry Activities
File Path Offset Length Value Ascii Completion Count Source Address Symbol
C:\Users\user\AppData\Roaming\25793.dll unknown 2048 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d0 3a 8b 33 94 5b e5 60 94 5b e5 60 94 5b e5 60 8a 09 70 60 36 5b e5 60 21 c5 3b 60 86 5a e5 60 e9 22 04 60 32 5a e5 60 94 5b e4 60 b4 5b e5 60 b3 9d 28 60 20 5a e5 60 36 9c 2a 60 8d 5a e5 60 b3 9d 99 60 cb 5a e5 60 f2 b5 2e 60 2a 5a e5 60 46 00 e1 61 9b 5a e5 60 fb 2d 78 60 2d 5a e5 60 66 02 e5 61 bd 5a e5 60 0f b0 2f 60 11 5a e5 60 66 02 e4 61 57 5b e5 60 0f b0 2e 60 a2 5b e5
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:.3.[.`.[.`.[.`..p`6[.`!.;`.Z.`.".`2Z.`.[.`.[.`..(` Z.`6.*`.Z.`...`.Z.`...`*Z.`F..a.Z.`.-x`-Z.`f..a.Z.`../`.Z.`f..aW[.`...`.[.
success or wait 86 7FEEA8BFD74 unknown
File Path Offset Length Completion Count Source Address Symbol
Key Path Completion Count Source Address Symbol
HKEY_CURRENT_USER\Software\Microsoft\VBA success or wait 1 7FEEA86E72B RegCreateKeyExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0 success or wait 1 7FEEA86E72B RegCreateKeyExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common success or wait 1 7FEEA86E72B RegCreateKeyExA
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Offline\Options success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\F3746 success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\F39B6 success or wait 1 7FEEA859AC0 unknown
Key Path Name Type Data Completion Count Source Address Symbol
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
ah8 binary 61 68 38 00 08 09 00 00 02 00 00 00 00 00 00 00 52 00 00 00 01 00 00 00 1E 00 00 00 28 00 00 00 61 00 73 00 36 00 78 00 78 00 67 00 7A 00 6E 00 66 00 6A 00 2E 00 78 00 6C 00 73 00 00 00 62 00 69 00 66 00 69 00 64 00 6C 00 79 00 20 00 62 00 69 00 6C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 73 00 00 00
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display dword 25 success or wait 1 7FEEA859AC0 unknown
File Written
Key Created
Key Value Created
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Max Display dword 25 success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 1 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\3771420242.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 2 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\5795694722.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 3 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\6516896632.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 4 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\9713424497.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 5 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\0887538035.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 6 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\8416751812.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 7 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\3580751004.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 8 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\5367203117.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 9 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\3764832265.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 10 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\3013890265.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 11 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\0615447233.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 12 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\4144085054.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 13 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\2109793820.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 14 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\1417002460.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 15 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\1387277564.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 16 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\9281004682.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 17 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\1169381505.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 18 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\9801086636.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 19 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\7838756049.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 20 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\8416181845.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\F3746
F3746 binary
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display dword 25 success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Max Display dword 25 success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 1 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\3771420242.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 2 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\5795694722.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 3 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\6516896632.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 4 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\9713424497.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 5 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\0887538035.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 6 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\8416751812.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 7 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\3580751004.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 8 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\5367203117.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 9 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\3764832265.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 10 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\3013890265.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 11 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\0615447233.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 12 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\4144085054.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 13 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\2109793820.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 14 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\1417002460.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 15 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\1387277564.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 16 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\9281004682.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 17 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\1169381505.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 18 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\9801086636.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 19 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\7838756049.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
Item 20 unicode [F00000000][T01D1BB6D4B429860][O00000000]*C:\Users\user\Desktop\8416181845.xlsx
success or wait 1 7FEEA859AC0 unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\F39B6
F39B6 binary
success or wait 1 7FEEA859AC0 unknown
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
Start time: 08:37:39
Start date: 26/05/2021
Path: C:\Windows\System32\wbem\WMIC.exe
Analysis Process: WMIC.exe PID: 2344 Parent PID: 2312
General
Disassembly
Code Analysis
File Activities
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\wbem\WMIC.exe' process call create 'rundll32.exe 'C:\Users\user\AppData\Roaming\25793.dll' CscNetApiGetInterface'
Imagebase: 0xffa70000
File size: 566272 bytes
MD5 hash: FD902835DEAEF4091799287736F3A028
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
File Path Offset Length Completion Count Source Address Symbol