
Windows Analysis Report
firstontario.docx

Overview

General Information

Sample name: firstontario.docx
Analysis ID: 1592038
MD5: 85ce9372f7718a61081ad15e3b437972
SHA1: e47d8baa652e549c738edc138334710cf8672473
SHA256: 5bc9abf2fa15dc7a6808abca1560caf01803a0aaf87f126aee18a1d03c6f202c

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected suspicious Javascript
Stores files to the Windows start menu directory

Classification

  • System is w10x64_ra
  • WINWORD.EXE (PID: 6276 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\firstontario.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • chrome.exe (PID: 7020 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://app.supercast.com/ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=http://mtplus.ir/0secure#rob.cefaratti+firstontario.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6420 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=2028,i,8809867210952910671,10598356914028991474,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No yara matches
No Sigma rule has matched
No Suricata rule has matched


Phishing

Source: Office document | Joe Sandbox AI: Office document contains QR code
Source: 0.0.id.script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: http://mtplus.ir/0secure/#rob.cefaratti+firstontar... This script demonstrates several high-risk behaviors, including dynamic code execution (through URL manipulation) and potential data exfiltration (sending user data to an external domain). The use of obfuscation techniques and redirection to an unfamiliar domain further increases the risk. While the intent is not entirely clear, the overall behavior of this script is highly suspicious and warrants further investigation.
Source: https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot/?email=rob.cefaratti@firstontario.com | HTTP Parser: No favicon
Source: unknown | HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: chrome.exe | Memory has grown: Private usage: 13MB later: 28MB
Source: winword.exe | Memory has grown: Private usage: 4MB later: 52MB
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Connection: Keep-Alive | Keep-Alive: timeout=5, max=100 | content-type: text/html | last-modified: Tue, 14 Jan 2025 00:02:34 GMT | accept-ranges: bytes | content-encoding: gzip | vary: Accept-Encoding | content-length: 1121 | date: Wed, 15 Jan 2025 16:47:12 GMT | Data Raw: [1121-byte gzip-compressed response body omitted]
Source: global traffic | HTTP traffic detected: GET /0secure HTTP/1.1 | Host: mtplus.ir | Connection: keep-alive | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /0secure/ HTTP/1.1 | Host: mtplus.ir | Connection: keep-alive | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9
Source: global traffic | DNS traffic detected: DNS query: app.supercast.com
Source: global traffic | DNS traffic detected: DNS query: mtplus.ir
Source: global traffic | DNS traffic detected: DNS query: icogacc.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: classification engine | Classification label: mal48.winDOCX@18/8@10/194
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\Desktop\~$rstontario.docx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{87A27769-BC6B-41B6-9890-CC66401CB92A} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\firstontario.docx" /o ""
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://app.supercast.com/ahoy/messages/IyOwn1xl2n6XdxToR2XV5dCRxhEvflsH/click?signature=96e743b76714148502315415a04739f234047e43&url=http://mtplus.ir/0secure#rob.cefaratti+firstontario.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=2028,i,8809867210952910671,10598356914028991474,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques with matched signatures, with the number of matches in parentheses; no other technique in the matrix has a match:
  • Persistence: Browser Extensions (2), Registry Run Keys / Startup Folder (1)
  • Privilege Escalation: Process Injection (1), Registry Run Keys / Startup Folder (1), Extra Window Memory Injection (1)
  • Defense Evasion: Masquerading (1), Process Injection (1), Extra Window Memory Injection (1)
  • Discovery: Process Discovery (1), File and Directory Discovery (1), System Information Discovery (2)
  • Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (3), Application Layer Protocol (4), Ingress Tool Transfer (2)

No Antivirus matches
Source | Detection | Scanner | Label
http://mtplus.ir/0secure/ | 0% | Avira URL Cloud | safe
http://mtplus.ir/0secure | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mtplus.ir | 65.21.141.107 | true | true | | unknown
www.google.com | 142.250.186.100 | true | false | | high
app.supercast.com | 54.69.238.133 | true | false | | unknown
icogacc.com | 162.241.253.231 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://mtplus.ir/0secure | true | Avira URL Cloud: safe | unknown
http://mtplus.ir/0secure/ | true | Avira URL Cloud: safe | unknown
https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot/?email=rob.cefaratti@firstontario.com | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
74.125.133.84 | unknown | United States | 15169 | GOOGLEUS | false
65.21.141.107 | mtplus.ir | United States | 199592 | CP-ASDE | true
142.250.186.174 | unknown | United States | 15169 | GOOGLEUS | false
52.111.231.25 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.182.141.63 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
162.241.253.231 | icogacc.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
2.22.50.144 | unknown | European Union | 20940 | AKAMAI-ASN1EU | false
52.109.68.129 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.185.163 | unknown | United States | 15169 | GOOGLEUS | false
142.250.185.131 | unknown | United States | 15169 | GOOGLEUS | false
54.69.238.133 | app.supercast.com | United States | 16509 | AMAZON-02US | false
52.109.28.46 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
184.28.90.27 | unknown | United States | 16625 | AKAMAI-ASUS | false
142.250.186.100 | www.google.com | United States | 15169 | GOOGLEUS | false
142.250.184.206 | unknown | United States | 15169 | GOOGLEUS | false
Private IPs

IP
192.168.2.16
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1592038
Start date and time: 2025-01-15 17:31:42 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis mode: stream
Analysis stop reason: Timeout
Sample name: firstontario.docx
Detection: MAL
Classification: mal48.winDOCX@18/8@10/194
Cookbook comments:
• Found application associated with file extension: .docx
• Excluded processes from analysis (whitelisted): dllhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.109.68.129, 184.28.90.27, 52.113.194.132, 2.22.50.144, 2.22.50.131, 52.111.231.25, 52.111.231.24, 52.111.231.26, 52.111.231.23, 142.250.185.163, 142.250.186.174, 74.125.133.84, 40.126.32.133, 40.126.32.68, 40.126.32.140, 20.190.160.20, 20.190.160.22, 40.126.32.134, 40.126.32.76, 20.190.160.14, 142.250.184.238, 142.250.185.238
            • Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, clientservices.googleapis.com, a767.dspw65.akamai.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, clients2.google.com, redirector.gvt1.com, login.live.com, e16604.g.akamaiedge.net, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, accounts.google.com, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, www.tm.v4.a.prd.aadg.akadns.net, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, prod1.naturallanguageeditorservice.osi.office.net.akadns
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big: too many NtQueryAttributesFile calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtReadVirtualMemory calls found
• VT rate limit hit for: mtplus.ir
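The contacted-IP table and the "Excluded IPs" cookbook comment above are the raw material for IOC triage, and the second contacted URL carries the targeted mailbox in its query string. The following added example (not part of the Joe Sandbox report) embeds the public IP rows from this report as a constructed pipe-separated copy, drops the addresses the sandbox itself whitelisted as telemetry, discards non-routable ones such as the SSDP multicast address, and pulls the victim identifier out of the icogacc.com URL. The SANDBOX_WHITELIST set is copied from the cookbook comment; the block/watch/noise buckets are this example's own convention, not a Joe Sandbox field.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed copy of the public "Contacted IPs" rows printed in this report
# (IP | Domain | Country | ASN | ASN Name | Malicious).
REPORT_IP_TABLE = """\
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
74.125.133.84 | unknown | United States | 15169 | GOOGLEUS | false
65.21.141.107 | mtplus.ir | United States | 199592 | CP-ASDE | true
142.250.186.174 | unknown | United States | 15169 | GOOGLEUS | false
52.111.231.25 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.182.141.63 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
162.241.253.231 | icogacc.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
2.22.50.144 | unknown | European Union | 20940 | AKAMAI-ASN1EU | false
52.109.68.129 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.185.163 | unknown | United States | 15169 | GOOGLEUS | false
142.250.185.131 | unknown | United States | 15169 | GOOGLEUS | false
54.69.238.133 | app.supercast.com | United States | 16509 | AMAZON-02US | false
52.109.28.46 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
184.28.90.27 | unknown | United States | 16625 | AKAMAI-ASUS | false
142.250.186.100 | www.google.com | United States | 15169 | GOOGLEUS | false
142.250.184.206 | unknown | United States | 15169 | GOOGLEUS | false
"""

# Addresses Joe Sandbox excluded from analysis (the "Excluded IPs" cookbook comment).
SANDBOX_WHITELIST = {
    "52.109.28.46", "52.109.68.129", "184.28.90.27", "52.113.194.132", "2.22.50.144",
    "2.22.50.131", "52.111.231.25", "52.111.231.24", "52.111.231.26", "52.111.231.23",
    "142.250.185.163", "142.250.186.174", "74.125.133.84", "40.126.32.133", "40.126.32.68",
    "40.126.32.140", "20.190.160.20", "20.190.160.22", "40.126.32.134", "40.126.32.76",
    "20.190.160.14", "142.250.184.238", "142.250.185.238",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_ip_table(text):
    """Turn the pipe-separated rows into dicts; 'unknown' becomes None."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, domain, country, asn, asn_name, malicious = [c.strip() for c in line.split("|")]
        rows.append({
            "ip": ip,
            "domain": None if domain == "unknown" else domain,
            "country": country,
            "asn": None if asn == "unknown" else int(asn),
            "asn_name": asn_name,
            "malicious": malicious == "true",
        })
    return rows


def triage(rows, whitelist):
    """Split rows into block / watch / noise (this example's own buckets).

    block: flagged malicious by the report; watch: resolved to a named host the
    sample actually contacted; noise: non-routable, sandbox-whitelisted telemetry,
    or unattributed CDN/cloud addresses that need more context before blocking.
    """
    buckets = {"block": [], "watch": [], "noise": []}
    for row in rows:
        addr = ipaddress.ip_address(row["ip"])
        if addr.is_multicast or addr.is_private or addr.is_loopback or addr.is_reserved:
            buckets["noise"].append((row["ip"], "non-routable"))
        elif row["ip"] in whitelist:
            buckets["noise"].append((row["ip"], "sandbox-whitelisted"))
        elif row["malicious"]:
            buckets["block"].append(row)
        elif row["domain"]:
            buckets["watch"].append(row)
        else:
            buckets["noise"].append((row["ip"], "unattributed"))
    return buckets


def contacted_domains(rows):
    """Every named host in the table, deduplicated and sorted."""
    return sorted({row["domain"] for row in rows if row["domain"]})


def victim_identifier(url):
    """Return the e-mail carried in a phishing URL's query (or fragment), else None."""
    parts = urlsplit(url)
    for value in parse_qs(parts.query).get("email", []):
        return value
    match = EMAIL_RE.search(unquote(parts.query + " " + parts.fragment))
    return match.group(0) if match else None


if __name__ == "__main__":
    rows = parse_ip_table(REPORT_IP_TABLE)
    result = triage(rows, SANDBOX_WHITELIST)
    for row in result["block"]:
        print("BLOCK", row["ip"], row["domain"], row["asn_name"])
    for row in result["watch"]:
        print("WATCH", row["ip"], row["domain"])
    print("noise:", len(result["noise"]), "rows")
    print("domains:", contacted_domains(rows))
    print("victim:", victim_identifier(
        "https://icogacc.com/SITE-ID-kwtg6t7218698782/zerobot/?email=rob.cefaratti@firstontario.com"))
```

Of the 18 public rows only the mtplus.ir address ends up in the block bucket, three named hosts (icogacc.com, app.supercast.com, www.google.com) land in watch, and the remaining 14 are sandbox telemetry, the SSDP multicast address, or unattributed Google and Microsoft ranges. Whitelisting by the sandbox is a convenience for the analyst, not a verdict: the watch bucket is where the redirect chain's intermediate hosts sit, and that is the set worth correlating against proxy logs.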
Created / dropped files

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 15:32:19 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2673
Entropy (8bit): 3.9917612606544983
Encrypted: false
SSDEEP:
MD5: C211A88F3E3C2EE6FE8A74555CCA5D66
SHA1: 48D9CAD470E9C025B444F21C639E5A516D18180E
SHA-256: 203AA01CB6D1D6A4CC60AE96114EF899040E6FA0E75A9DD0EAF5551180213170
SHA-512: E1523561977E877235D54441494EC1E76627F86698D099F23822E3F0B25FBAEE7E5B284BBC4ABB7A1C03C2430BFF3E96F64A8A18DAA2D91825ECAC9B4016A3CD
Malicious: false
Reputation: unknown
            Preview:L..................F.@.. ...$+.,........kg..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........$..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 15:32:19 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2675
Entropy (8bit): 4.00562077209637
Encrypted: false
SSDEEP:
MD5: E282E1E8481C4CBBD23D0559EF4AD123
SHA1: 7669979BF5B70267F25D107240B9B833FFA31425
SHA-256: 9B6A9C5640D7612D4DD7FB6B825B01CF9102C01FCAF3FEF8A50D76767C702D1A
SHA-512: B834DD416882648D613C542A6167ADA17F2F6C8F7941B96F48477A0606E0B6C5BEA488AD7DE285806D8BC3C27613204A09FE9FFC47718531A73EC492C862E53B
Malicious: false
Reputation: unknown
            Preview:L..................F.@.. ...$+.,....E{..kg..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........$..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2689
Entropy (8bit): 4.01372459848377
Encrypted: false
SSDEEP:
MD5: EE590FB8B46A4E8A2CC8B753EFD526A9
SHA1: 04C1FFC1A2C1640AB72381C8D576385D7F331C0C
SHA-256: B12FBBBB332701A9EBF78CD02527282A6F4D9AA3028180D5EABC39DDE3AF066A
SHA-512: 5353B6693C115671703860D3B766DFCA69B0AFD18409FE38CC0BFDC7B0052D01E224795FB685C6859B2A783D802C6DD8434A1E78BD88228DE897064C4B0C0239
Malicious: false
Reputation: unknown
            Preview:L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........$..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 15:32:19 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2677
Entropy (8bit): 4.000819344299594
Encrypted: false
SSDEEP:
MD5: B14A1AF02781716BE14CE223E0113BD2
SHA1: F2E14B20512E9B766D5EE3D7A3D7FCA297E246E5
SHA-256: F1AF6AE06A3AB74D227D9EB42BF039E473E08C60F66932820F67D4307B97DDE5
SHA-512: B6F5AF9959B2B25467A6E03A8F8049B7CD285632AD723A8213D60153169E251AAEAA0A424B43F58AB9626F8520FD640E2F3D7BBA797C57772C5949C274C77EDC
Malicious: false
Reputation: unknown
            Preview:L..................F.@.. ...$+.,....iO..kg..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........$..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 15:32:19 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2677
Entropy (8bit): 3.9918237714532627
Encrypted: false
SSDEEP:
MD5: A83A7ED29558ACE88A1CD644DBF6C529
SHA1: 96214FF35185D0241126BE791CFDCF5F9884D0DF
SHA-256: 9886E1AB23F89F9B69C26D14ED2DF5B65F6A1107A52277C05F72DFE1DFF2A14B
SHA-512: 41230B64B0740D81B9E01983E02027EADC4A29889F7352502D0619FF8E48734FF29B1F4E8550F27F800F681BDE7D112302F52CB9F3565A4EA47D6D94F6CBDF0C
Malicious: false
Reputation: unknown
            Preview:L..................F.@.. ...$+.,....f...kg..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........$..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 15:32:18 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2679
Entropy (8bit): 4.000119359018391
Encrypted: false
SSDEEP:
MD5: 544D2A29CAF4B730C42554C8F8EC66D7
SHA1: 634C19D8FA756D5441DEF5BC75E0045CBAF76A94
SHA-256: D00A9BCB1C0C6908C40C29AE33AC31D84CCDE021B1A202A5395E74A3C97B09BA
SHA-512: F812E67611C6C5E3C71E1B30F03E5A6C558F5ECA6A9D635C96A777992C1D9B70A7C442E34CAABB742E16778342192B71730CCF914680F74D5FB47F0B5B50948E
Malicious: false
Reputation: unknown
            Preview:L..................F.@.. ...$+.,........kg..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I/Z......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Z......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V/Z......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V/Z............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V/Z.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........$..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 4.390141066491789
Encrypted: false
SSDEEP:
MD5: DB0F419B587597110088BB3442414404
SHA1: E4C6879A64E2A387CF669232DEA09AC396D86499
SHA-256: 68F720450422803700E1B7A8E265AC7DD16FBD0A490DF2697E4A7ACBD5B3DF7C
SHA-512: 1B9E2E5B27DA05E8A0F59A67C01316CEEC835E7FBF6ABF1D17D3636FE6807A371946EE8F649C57D758291363C358656A079C96DBBFE0CB71554C89B68165C806
Malicious: false
Reputation: unknown
            Preview:..........................................................eBumMZbhGZFbFjoOF5tb334Pm4scrxJ2PPeHKMAMFc37bkhPxv/N9S8XMqTxlVFroTFRg88Xkg.......IH,.B.}..i....8ZB..=.h

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File type: gzip compressed data, from Unix, original size modulo 2^32 2266
Category: downloaded
Size (bytes): 1121
Entropy (8bit): 7.785675493221729
Encrypted: false
SSDEEP:
MD5: C52D306D1B5FC09961B88EFD2B6963F3
SHA1: ED2A7EFCB916FBF792B506209E8AF8FD32E84753
SHA-256: F408AE2259879002395B805DF00D39B7B61F6446A04332966918542F09DFDBBB
SHA-512: C87D535FFFB1CD3304AE1D7B917D9DAAEDBAB7568E0FCFF246219D3E2D3300F9E3C9F3DBA126E298E05EFE4BB76572144A071EDD8A0D2140F1AA492B543D46F0
Malicious: false
Reputation: unknown
URL: http://mtplus.ir/0secure/
            Preview:...........V.n.8.}.WL.....r.6Ml9[4u....".....&G.7.)...n../HI.$...,j8sfx.B..~.uy...s(.T...?@1.....^.L\....../.uH....U|.$l.$..7...s...Q.|..Ja.4.^.q++..AVkN.....{..I.G#...2N@....EMP0W.RRa.f#:.B ...`.. .,/....R...)..1..#W/.Y....p..:..#..J1.....s..A.=.*;..rd..A...$?...i..<..\s#0..1w.\.\2...0:"XXd.A...fs&.(.j.@#y...4ee4j.t.;.|....l.rI..H.l.7a...H..3....M.Dr.3.G.....<...?.)?.o.Gg..g..._h....X2.f.t..q.`....7....../.ENA.&o.3.m1...p0...d[K..uS`..'.E...3V+...\j.TL..4:Tz.0b...`....$M-Bk6.....;..e^......<..YN..B.........58n.R.f].. 3..R.'..v.C+..p..cnM...........{g..Q.v./....Z)...2L...eU...Q#.[....q.`..\...!Sy..}U...#K)..'.=..t.b..d.W.,.d.cIX..p.v.._.Hf..M.i....8.......Xj.............AR.|M..@f`.@.....\IGoI..~.....;Lv...t|.W..t.......8.V.......Sh.5..-....m.4vqH....3..g..j.'s.....Y;..&9L.5...#.Jjd......Wl.....I.U.y......]..Q3....@.i..[N..b....|8..V..z'.{..7M.9.&......q....n..oo.8..C.'..97..5B...D.f...._...O..Y..z.7].tw...#.M.8.X.'.c.4Bfk....-Xd.j.r...E&...5.HG..."....`
Static file info

File type: Microsoft Word 2007+
Entropy (8bit): 6.043851282433677
TrID:
• Word Microsoft Office Open XML Format document (27504/1) 77.47%
• ZIP compressed archive (8000/1) 22.53%
File name: firstontario.docx
File size: 16'518 bytes
MD5: 85ce9372f7718a61081ad15e3b437972
SHA1: e47d8baa652e549c738edc138334710cf8672473
SHA256: 5bc9abf2fa15dc7a6808abca1560caf01803a0aaf87f126aee18a1d03c6f202c
SHA512: fab634462ca68dac1f8af242e7050a052f126345c9b16dc0430c07cfba96994bfb127ff4b36d2a36cb81668d1f110d7a63679abe52c942b28d20ea501b564258
SSDEEP: 384:LzmhRfVGYm7Jpg2PMaWRbukxSKypvTHJHWnJ+/3MNiJ/I1U0:/mhRfVGX7Jpg2PMaWRbuDKypvtHWnE3G
TLSH: D57228D0F6411512F27280B0BAF33B1AE66145DF83875996759C71EA9F92E8482B37CC
            File Content Preview:PK..........-Z.%v.............[Content_Types].xml<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">. <Default Extension="rels" ContentType=. "application/vnd.openxmlform
Icon hash: 35e5c48caa8a8599
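The static file info above identifies the sample as an OOXML package, which is a ZIP archive of XML parts. The following added example (not code from the report or from Joe Sandbox) shows the two checks a practitioner runs before detonating such a file: confirming that the hashes of the file in hand match the ones the report prints, and statically listing every external relationship target and every embedded image part in the package, which is where a phishing link or a QR-code image would live. Because the real sample is not reproduced here, the block builds a small constructed stand-in .docx in memory whose single hyperlink points at the landing URL from the report; its digests therefore do not match the report's, which is exactly what verify_hashes reports.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Hashes printed for firstontario.docx in the report above.
REPORT_HASHES = {
    "md5": "85ce9372f7718a61081ad15e3b437972",
    "sha1": "e47d8baa652e549c738edc138334710cf8672473",
    "sha256": "5bc9abf2fa15dc7a6808abca1560caf01803a0aaf87f126aee18a1d03c6f202c",
}

PKG_REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def build_stand_in_docx():
    """Constructed stand-in (NOT the analysed sample): a one-paragraph .docx whose
    only hyperlink points at the landing URL from the report, plus one embedded
    image part, the slot a QR code would occupy."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="png" ContentType="image/png"/>'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    root_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="' + OFFICE_REL + 'officeDocument" Target="word/document.xml"/>'
        '</Relationships>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:hyperlink r:id="rId1"><w:r><w:t>Review secure document</w:t></w:r>'
        '</w:hyperlink></w:p></w:body></w:document>'
    )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="' + OFFICE_REL + 'hyperlink" '
        'Target="http://mtplus.ir/0secure/" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="' + OFFICE_REL + 'image" Target="media/image1.png"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", document_rels)
        # PNG signature plus padding: a placeholder, not a real image.
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    return buf.getvalue()


def external_targets(docx_bytes):
    """List every relationship with TargetMode="External" in every .rels part.

    Walking all .rels parts (not just document.xml.rels) also catches remote
    templates in settings.xml.rels and external targets in header/footer parts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(PKG_REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target"),
                    })
    return found


def media_parts(docx_bytes):
    """Embedded images (word/media/*) with sizes; a QR code is an image, not a rel."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return [(i.filename, i.file_size) for i in z.infolist()
                if i.filename.startswith("word/media/")]


def digests(data):
    """The three digests a Joe Sandbox report prints for a sample."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def verify_hashes(data, expected):
    """Per-algorithm match of computed digests against those printed in a report."""
    computed = digests(data)
    return {algo: computed.get(algo) == digest.lower() for algo, digest in expected.items()}


if __name__ == "__main__":
    sample = build_stand_in_docx()
    print("matches report hashes:", verify_hashes(sample, REPORT_HASHES))
    for rel in external_targets(sample):
        print("external", rel["type"], "->", rel["target"], "in", rel["part"])
    print("media parts:", media_parts(sample))
```

Run against the real sample, external_targets is the quickest way to recover the URL a document will send the browser to without opening it, and media_parts tells you which image to hand to a QR decoder when the lure is a QR code rather than a hyperlink. The hash check comes first because a mismatch means the report you are reading describes a different file than the one in your queue.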