34.0.0 Boulder Opal
IR
528738
CloudBasic
18:17:26
25/11/2021
MT_1O1_SWIFt.doc
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
9a802b83f597cbb0adaabed57442bc50
b2b9b3fb8a423885f2971fe557637ab7bf84f53d
a3f600d0d1de53ee5f125b1fe51f90c393f74125767abe5bb7cb07725124d76d
Rich Text Format (5005/1) 55.56%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe
true
F65B0793251364C03D06E8E7134FC21B
7BC80E89BBC7C10B974462E748849F9056D20D4A
A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15885F16.wmf
false
C1B62208EAE785B0A7BFE08CE5F0FCB0
D20B6C8067B41B1C586323F393FB3A6DA5AE635E
5BFF8E7E1EB6B3C2EDC7664EBB219A3F73EC8C039FA745FE6904929E20C48E9A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B006329.png
false
8A078367DBE602A417C14BB8A8F7C2FC
E7D2CF54CB630EF9FAB5EDE7EB08BF9FD7B00EE1
418ED15779765242680625FC748E3A73704694D2E1334FE6A129A6237F515DEA
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{CE51F4FB-5B7A-4326-8F7C-4F6978BC9343}.tmp
false
B212CAA82F9DE5593CCB91D013AF5BC4
845A3DFF5E654A4EB3B81D0C1232D4AF0A211ADA
063F825229B690C742E9D00E191EF92C91E4A5BA85C5385D1400D37A3EE4113A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AEBC8812-958C-44EE-8AED-8858BB920BA5}.tmp
false
A3D9AAD2B1B41B333DDFAD23AA3E710B
8B14EB8479CA04073D29E0766C9DEE9F46B7C501
3132FEF76D9F4FD8BD2212EE35FAC953586DF6B7B572BFE1C108A19D34D1E4D7
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E96B34F0-7523-4243-9DA6-1F3FD956FE04}.tmp
false
5D4D94EE7E06BBB0AF9584119797B23A
DBB111419C704F116EFA8E72471DD83E86E49677
4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EBB6311B-66D7-463B-B2C9-86511D155F63}.tmp
false
CC3AB9E593CECF2048AEE342EDDD148B
58CE30C48B5774ACDD4E6A44C9ECC67C24E9EBEE
88C7A3672408B7EEF5135FD0DEA603A0876892E861C000BE8DEE9AA270E20EEE
C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
true
D7753A0D10BA8D799FC357F6DCCBDC11
70D84C351FC1727F67078FCC6E1F9A28E69800E3
72260141E67D297A5FEF365882819BFDE2FD988D2A47ABC5598B85E247183BB5
C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT:Zone.Identifier
false
FBCCF14D504B7B2DBCB5A5BDA75BD93B
D59FC84CDD5217C6CF74785703655F78DA6B582B
EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
C:\Users\user\AppData\Local\Temp\tmp3794.tmp
true
2FB2F595006AB549A4C00CC852A1F691
9B8CFA7A4D43ADF4C3ADEA923AE5AFDDE3A40314
5466C2D681BB5F3A6B50D13FD153C920D963FE658574BBD123371BC02FAC0E86
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\MT_1O1_SWIFt.LNK
false
6037290229C92EB012B5E0FFFF768CF3
FB8659D009CA301293C1D8E80F9FB4DD07BA6115
9B0BE02A9FF6F390EE4DB2DF6FE36B92CC47775D1C5F61FE52271EE8A4B685D2
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
false
D9727B02ED11948740985CBF371DBB89
9F5438BF4E2820D41D82A315FEBEAE4CC99BEF47
14C038F86F48609F22EA85CBDC4A72DA9556FD61255B1BBEADBA40B2767EE361
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
false
45B1E2B14BE6C1EFC217DCE28709F72D
64E3E91D6557D176776A498CF0776BE3679F13C3
508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
false
F3B25701FE362EC84616A93A45CE9998
D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2BTQ2CWP06U44J4VW23J.temp
false
3241235D465CDB7FFE6C18BA8DF09D99
41E8CAE16DA3FD1A45EE73E0A4283EB3E22C6270
80127B486FBBD28639B2A7329546F4C6A05F01C47457713049D660AAC4C51FD9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
false
3241235D465CDB7FFE6C18BA8DF09D99
41E8CAE16DA3FD1A45EE73E0A4283EB3E22C6270
80127B486FBBD28639B2A7329546F4C6A05F01C47457713049D660AAC4C51FD9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)
false
3241235D465CDB7FFE6C18BA8DF09D99
41E8CAE16DA3FD1A45EE73E0A4283EB3E22C6270
80127B486FBBD28639B2A7329546F4C6A05F01C47457713049D660AAC4C51FD9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msar (copy)
false
3241235D465CDB7FFE6C18BA8DF09D99
41E8CAE16DA3FD1A45EE73E0A4283EB3E22C6270
80127B486FBBD28639B2A7329546F4C6A05F01C47457713049D660AAC4C51FD9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O2YN4D646O0GDJJK3ZZ8.temp
false
3241235D465CDB7FFE6C18BA8DF09D99
41E8CAE16DA3FD1A45EE73E0A4283EB3E22C6270
80127B486FBBD28639B2A7329546F4C6A05F01C47457713049D660AAC4C51FD9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SWTEXUYGJII0O8O9V6FS.temp
false
3241235D465CDB7FFE6C18BA8DF09D99
41E8CAE16DA3FD1A45EE73E0A4283EB3E22C6270
80127B486FBBD28639B2A7329546F4C6A05F01C47457713049D660AAC4C51FD9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UHZRB3V0JU1J7RFEXRK5.temp
false
F77E31703484611D6E72FF2154C7C3E8
B8BE68A8C03DBBA0923DA0ABB8A882D330E36EDD
B5DF447EA40042BF9ADAE373C645BC7F05666DEC529D8DF560841A7EB3BFB7EE
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
false
F77E31703484611D6E72FF2154C7C3E8
B8BE68A8C03DBBA0923DA0ABB8A882D330E36EDD
B5DF447EA40042BF9ADAE373C645BC7F05666DEC529D8DF560841A7EB3BFB7EE
C:\Users\user\AppData\Roaming\SzfukVRF.exe
true
F65B0793251364C03D06E8E7134FC21B
7BC80E89BBC7C10B974462E748849F9056D20D4A
A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
C:\Users\user\AppData\Roaming\nfaaxqn4.3to\Chrome\Default\Cookies
false
903C35B27A5774A639A90D5332EEF8E0
5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
C:\Users\user\AppData\Roaming\nfaaxqn4.3to\Firefox\Profiles\7xwghk55.default\cookies.sqlite
false
1138F6578C48F43C5597EE203AFF5B27
9B55D0A511E7348E507D818B93F1C99986D33E7B
EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
C:\Users\user\AppData\Roaming\task.exe
true
F65B0793251364C03D06E8E7134FC21B
7BC80E89BBC7C10B974462E748849F9056D20D4A
A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
C:\Users\user\Desktop\~$_1O1_SWIFt.doc
false
45B1E2B14BE6C1EFC217DCE28709F72D
64E3E91D6557D176776A498CF0776BE3679F13C3
508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
208.91.198.143
208.91.199.225
208.91.199.224
173.232.204.89
us2.smtp.mailhostbox.com
false
208.91.199.224
Tries to steal Mail credentials (via file / registry access)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Document contains OLE streams with names of living off the land binaries
Document exploit detected (drops PE files)
Sigma detected: Change PowerShell Policies to an Unsecure Level
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Powershell drops PE file
Document exploit detected (creates forbidden files)
Adds a directory exclusion to Windows Defender
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Microsoft Office creates scripting files
Installs a global keyboard hook
Found malware configuration
Office process drops PE file
Injects files into Windows application
Tries to harvest and steal ftp login credentials
Bypasses PowerShell execution policy
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Tries to download and execute files (via powershell)
Sigma detected: Suspicious Add Task From User AppData Temp
Sigma detected: Powershell download and execute file
Suspicious powershell command line found
Document contains a stream with embedded javascript code
Sigma detected: Powershell Defender Exclusion
Found suspicious RTF objects
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)